diff --git a/.gitignore b/.gitignore index a57b1721080..848e08e2e49 100644 --- a/.gitignore +++ b/.gitignore @@ -15,10 +15,11 @@ output/ reports/ attack-theme/templates/general/base.html -attack-theme/templates/contribute +attack-theme/templates/benefactors attack-theme/templates/datasources attack-theme/templates/groups attack-theme/templates/campaigns +attack-theme/templates/assets attack-theme/templates/matrices attack-theme/templates/mitigations attack-theme/templates/resources @@ -28,6 +29,7 @@ attack-theme/templates/techniques attack-theme/templates/website_build attack-theme/templates/versions attack-theme/static/scripts/settings.js +attack-theme/templates/general/sidebar-resources.html content/ data/pelican_settings.json diff --git a/.python-version b/.python-version new file mode 100644 index 00000000000..09dcc780875 --- /dev/null +++ b/.python-version @@ -0,0 +1 @@ +3.10.11 diff --git a/CHANGELOG.md b/CHANGELOG.md index 44e62547cdc..76c62bb3df6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,10 @@ +# v4.0.6 (2023-10-31) - +## Features + +* Data sources table can now be sorted and filtered based on domains. [#454](https://github.com/mitre-attack/attack-website/issues/454) +* Release [ATT&CK content version 14.0](https://github.com/mitre/cti/releases/tag/ATT%26CK-v14.0). + See the release notes [here](https://attack.mitre.org/resources/updates/updates-october-2023/). # v4.0.5 (2023-09-01) diff --git a/attack-search/src/settings.js b/attack-search/src/settings.js index db171b6711a..a01ad11ff3e 100644 --- a/attack-search/src/settings.js +++ b/attack-search/src/settings.js @@ -2,6 +2,7 @@ const baseURL = ''; // TODO migrate from base_url (generated via Pelican) const searchFilePaths = [ "campaigns.json", + "assets.json", "datasources.json", "groups.json", "matrices.json", diff --git a/attack-theme/static/scripts/domain_table.js b/attack-theme/static/scripts/domain_table.js new file mode 100644 index 00000000000..a2c1d0d564d --- /dev/null +++ b/attack-theme/static/scripts/domain_table.js @@ -0,0 +1,105 @@ +// this function filters table rows based on the selection +function filter_row(selected) { + let col_index = 3 + const rows = document.querySelectorAll("#ds-table tbody tr"); + let count = 0; + rows.forEach((row) => { + let row_count = 0 + let row_visited = false; + let row_data = row.querySelector("td:nth-child(" + col_index + ")").innerHTML + for(let i = 0; i 0){ + count = count + 1; + } + }) + let filter_count = document.querySelector(".table-object-count") + filter_count.innerHTML = `Data Sources: ${count}` +} + +$(document).ready(function() { + let arrow_up = document.getElementById("arrow-up-0"); + let arrow_down = document.getElementById("arrow-down-0"); + arrow_down.style.display = "inline-block"; + arrow_up.style.display = "none"; + arrow_up = document.getElementById("arrow-up-1"); + arrow_down = document.getElementById("arrow-down-1"); + arrow_down.style.display = "inline-block"; + arrow_up.style.display = "none"; + showDomain(); +}); + +// this function determines which domain options were checked +function showDomain() { + let selected = []; + if($("#filterMenu input:checked").length <= 0){ + $('#filterMenu input:checkbox').each(function() { + selected.push($(this).attr('id')); + $(this).prop("checked", "true"); + }); + } + else{ + $('#filterMenu input:checked').each(function() { + selected.push($(this).attr('id')); + + }); + } + filter_row(selected); +} + +// this function sorts the table based on either ID or Name +function sortTable(col_no) { + let table = document.getElementById("ds-table"); + let direction = "asc"; + let table_switching = true; + let asc_direction = false; + let arrow_up = document.getElementById("arrow-up-"+col_no); + let arrow_down = document.getElementById("arrow-down-"+col_no); + arrow_down.style.display = "inline-block"; + arrow_up.style.display = "none"; + let rows = table.rows; + while (table_switching) { + table_switching = false; + if (direction == "desc"){ + for (let i = 1; i <= (rows.length - 1); i++) { + for (let j = 1; j <= (rows.length - i - 1); j++) { + let x = rows[j].getElementsByTagName("TD")[col_no]; + let y = rows[j + 1].getElementsByTagName("TD")[col_no]; + if(x.innerText.toLowerCase() < y.innerText.toLowerCase()){ + rows[j].parentNode.insertBefore(rows[j + 1], rows[j]); + } + } + } + arrow_up.style.display = "inline-block"; + arrow_down.style.display = "none"; + } + else{ + for (let i = 1; i <= (rows.length - 1); i++) { + for (let j = 1; j <= (rows.length - i - 1); j++) { + let x = rows[j].getElementsByTagName("TD")[col_no]; + let y = rows[j + 1].getElementsByTagName("TD")[col_no]; + if(x.innerText.toLowerCase() > y.innerText.toLowerCase()){ + rows[j].parentNode.insertBefore(rows[j + 1], rows[j]); + asc_direction = true; + } + } + } + } + if (direction == "asc" && !asc_direction) { + direction = "desc"; + table_switching = true; + } + } +} \ No newline at end of file diff --git a/attack-theme/static/scripts/mobileview-datasources.js b/attack-theme/static/scripts/mobileview-datasources.js new file mode 100644 index 00000000000..10020cae820 --- /dev/null +++ b/attack-theme/static/scripts/mobileview-datasources.js @@ -0,0 +1,16 @@ +// This code is for creating a collapsable sidebar for the mobile view +let mediaQuery = window.matchMedia('(max-width: 47.9875rem)') + +function mobileSidenav(e) { + if (e.matches) { + $('#sidebar-collapse').collapse('hide') + } + else{ + $('#sidebar-collapse').collapse('show') + } +} +$(document).ready(function() { + mobileSidenav(mediaQuery) +}); + +mediaQuery.addEventListener('change', mobileSidenav) \ No newline at end of file diff --git a/attack-theme/static/scripts/resizer.js b/attack-theme/static/scripts/resizer.js index eb6b3972bf1..da812317539 100644 --- a/attack-theme/static/scripts/resizer.js +++ b/attack-theme/static/scripts/resizer.js @@ -31,21 +31,4 @@ function resizeSidebar_mouseupHandler() { } resizer.addEventListener("mousedown", resizeSidebar_mousedownHandler); -} - -//This code is for creating a collapsable sidebar for the mobile view -const mediaQuery = window.matchMedia('(max-width: 47.9875rem)') - -function mobileSidenav(e) { - if (e.matches) { - $('#sidebar-collapse').collapse('hide') - } - else{ - $('#sidebar-collapse').collapse('show') - } -} -$(document).ready(function() { - mobileSidenav(mediaQuery) -}); - -mediaQuery.addEventListener('change', mobileSidenav) \ No newline at end of file +} \ No newline at end of file diff --git a/attack-theme/static/scripts/sidebar-load-all.js b/attack-theme/static/scripts/sidebar-load-all.js new file mode 100644 index 00000000000..e92a5e28a58 --- /dev/null +++ b/attack-theme/static/scripts/sidebar-load-all.js @@ -0,0 +1,52 @@ +let mod_name = window.location.pathname.split("/") +let mod_entry = "/" + mod_name[1] + "/sidebar-" + mod_name[1] +if (mod_name.includes('contact')){ + mod_entry = "/" + "resources/sidebar-resources" +} +$("#sidebars").load(mod_entry, function() { + let navElements = document.querySelectorAll('.sidenav-head > a'); + let winlocation; + navElements.forEach(function(element){ + if(!element.href.includes('changelog.html')){ + if(!window.location.href.endsWith("/")){ + winlocation = window.location.href + "/"; + } + else{ + winlocation = window.location.href + } + if(!element.href.endsWith("/")){ + element.href = element.href + "/"; + } + } + else{ + winlocation = window.location.href + } + if(element.href == winlocation){ + $(element.parentNode).addClass("active") + }}); + + //This code is for creating a collapsable sidebar for the mobile view + let mediaQuery = window.matchMedia('(max-width: 47.9875rem)') + function mobileSidenav(e) { + if (e.matches) { + $('#sidebar-collapse').collapse('hide') + } + else{ + $('#sidebar-collapse').collapse('show') + } + } + $(document).ready(function() { + mobileSidenav(mediaQuery) + let sidenav = $(".sidenav-list"); + let sidenav_active_elements = $(".sidenav .active"); + if (sidenav_active_elements.length > 0) setTimeout(() => { //setTimeout gives bootstrap time to execute first + let offsetValue = sidenav_active_elements[0].offsetTop; + if (offsetValue <= 0){ + offsetValue = sidenav_active_elements[sidenav_active_elements.length - 1].offsetTop; + } + sidenav[0].scrollTop = offsetValue - 60; + }); + }); + + mediaQuery.addEventListener('change', mobileSidenav) +}); \ No newline at end of file diff --git a/attack-theme/static/style/_layouts.scss b/attack-theme/static/style/_layouts.scss index 09de44c497d..1d31f4de454 100644 --- a/attack-theme/static/style/_layouts.scss +++ b/attack-theme/static/style/_layouts.scss @@ -388,6 +388,10 @@ a { } } +.tables-mobile { + overflow-y: auto; +} + .table-bordered, .blog-post table, .changelog table { &, & td, & th { border: 1px solid border-color(body); @@ -619,6 +623,19 @@ pre { } /******/ +.nestedlist { + counter-reset: item; +} + +.nestedlist-item { + display: block; +} + +.nestedlist-item::before { + content: counters(item, ".") ". "; + counter-increment: item; +} + /*CALLOUTS*/ // callouts style in the Contribute page .bs-callout { @@ -1051,6 +1068,11 @@ pre { /******/ +// how to display the sidebar +div#sidebars { + display: contents +} + /*Plus/Minus expand icons*/ // used in the expandable list items in the side navigation and in the expandable gray blocks in ATT&CKCON .expand-icon { @@ -1137,6 +1159,10 @@ pre { } } +.contact-center { + margin-block-start: 20vh; +} + /*Card Blocks*/ // container of groups of cards .expand-panel { diff --git a/attack-theme/static/style/_nav.scss b/attack-theme/static/style/_nav.scss index ffd4e0b80e9..082ef15a0ee 100644 --- a/attack-theme/static/style/_nav.scss +++ b/attack-theme/static/style/_nav.scss @@ -220,6 +220,10 @@ background-color: #dfdfdf; } + .data-sources-menu { + padding-top: 15px; + } + .sidebar.nav { // max-height: 60vh; overflow-y: auto; diff --git a/attack-theme/templates/general/attack-index.html b/attack-theme/templates/general/attack-index.html index 78274d38b20..57c613f7913 100644 --- a/attack-theme/templates/general/attack-index.html +++ b/attack-theme/templates/general/attack-index.html @@ -68,7 +68,7 @@

- ATT&CK v14 is coming October 31st. + ATT&CK v14 has been released.
We hope everyone will enjoy our latest treats!

diff --git a/attack-theme/templates/general/attackcon-overview.html b/attack-theme/templates/general/attackcon-overview.html index b33437e1cac..380986eee32 100644 --- a/attack-theme/templates/general/attackcon-overview.html +++ b/attack-theme/templates/general/attackcon-overview.html @@ -5,9 +5,7 @@ {% import 'macros/navigation.html' as navigation %} {% block innerleft %} -
- {{navigation.sidenav(RESOURCE_NAV, output_file)}} -
+ {% endblock %} {% block innerright %} @@ -117,5 +115,5 @@

Sponsors

{% block scripts %} {{ super() }} - + {% endblock %} \ No newline at end of file diff --git a/attack-theme/templates/general/base-template.html b/attack-theme/templates/general/base-template.html index 3fad1450130..2d58912ceb4 100644 --- a/attack-theme/templates/general/base-template.html +++ b/attack-theme/templates/general/base-template.html @@ -161,7 +161,6 @@ - {% endblock %} \ No newline at end of file diff --git a/attack-theme/templates/general/faq-overview.html b/attack-theme/templates/general/faq-overview.html index b1b039b1d1d..b369d52ef5e 100644 --- a/attack-theme/templates/general/faq-overview.html +++ b/attack-theme/templates/general/faq-overview.html @@ -1,13 +1,11 @@ {% extends "general/two-column.html" %} {% set active_page = "resources" -%} -{% set title = "FAQ - " + page.title + " | MITRE ATT&CK®" -%} +{% set title = "FAQ | MITRE ATT&CK®" -%} {% set parsed = page.data | from_json %} {% import 'macros/navigation.html' as navigation %} {% block innerleft %} -
- {{navigation.sidenav(RESOURCE_NAV, output_file)}} -
+ {% endblock %} {% block innerright %} @@ -19,42 +17,51 @@
  • FAQ
    • +
    -

    Frequently Asked Questions

    -
    +
    -

    {{parsed.name}}

    -
    -

    Table of Contents

    -
      -
      - {% for qa in parsed.questions %} - -
    1. - {{qa.question}} -
      2. - {% endfor %} -
      -
    -
    -
    -
    -
      - {% for qa in parsed.questions %} -
      -
      -
    1. - {{qa.question}} -
      2. +

      Frequently Asked Questions

      +

      Table of Contents

      +
      +
        + {% for section in parsed.sections %} +
        +
        +
      1. + {{section.name}} +
          + {% for qa in section.questions %} +
        1. + {{qa.question}} +
          2. + {% endfor %} +
        +
        2. +
        -
        - {{qa.answer}} -
        -
        - + {% endfor %} +
      +
      + {% for section in parsed.sections %} +

      {{section.name}}

      +
        + {% for qa in section.questions %} +
        +
        +
      1. + {{qa.question}} +
        2. +
        +
        + {{qa.answer}} +
        +
        +
        + {% endfor %} +
      {% endfor %} -
    @@ -64,5 +71,5 @@
    {% block scripts %} {{ super() }} - -{% endblock %} \ No newline at end of file + +{% endblock %} \ No newline at end of file diff --git a/attack-theme/templates/general/intro-overview.html b/attack-theme/templates/general/intro-overview.html index 29e410b8abc..d4eb1b182c4 100644 --- a/attack-theme/templates/general/intro-overview.html +++ b/attack-theme/templates/general/intro-overview.html @@ -4,26 +4,31 @@ {% import 'macros/navigation.html' as navigation %} {% block innerleft %} -
    - {{navigation.sidenav(RESOURCE_NAV, output_file)}} -
    + {% endblock %} {% block innerright %} -{{ super () }} -
      -
    1. Home
      2. -
    2. Resources
      3. -
    3. {{ page.title }}
      4. -
    -
    -

    {{ page.title }}

    +
    +
      +
    1. Home
      2. +
    2. Resources
      3. +
    3. {{ page.title }}
      4. +
    +
    +
    +
    +
    +
    +

    {{ page.title }}

    {{ page.content }}
    +
    +
    +
    {% endblock %} {% block scripts %} {{ super () }} - + {% endblock %} diff --git a/attack-theme/templates/general/sidebar-resources-template.html b/attack-theme/templates/general/sidebar-resources-template.html new file mode 100644 index 00000000000..e2876bd9d4f --- /dev/null +++ b/attack-theme/templates/general/sidebar-resources-template.html @@ -0,0 +1,9 @@ +{% set RESOURCE_NAV = ${RESOURCE_NAV} -%} +{% import 'macros/navigation.html' as navigation %} +
    + {{navigation.sidenav(RESOURCE_NAV, output_file)}} +
    +{% block scripts %} + + +{% endblock %} \ No newline at end of file diff --git a/attack-theme/templates/general/sidebar-template.html b/attack-theme/templates/general/sidebar-template.html new file mode 100644 index 00000000000..35887ffb5c8 --- /dev/null +++ b/attack-theme/templates/general/sidebar-template.html @@ -0,0 +1,9 @@ +{% import 'macros/navigation.html' as navigation %} +{% set parsed = page.data | from_json %} +
    + {{ navigation.sidenav(parsed.menu, output_file) }} +
    +{% block scripts %} + + +{% endblock %} \ No newline at end of file diff --git a/attack-theme/templates/general/two-column.html b/attack-theme/templates/general/two-column.html index de595fdd145..74c51701f5d 100644 --- a/attack-theme/templates/general/two-column.html +++ b/attack-theme/templates/general/two-column.html @@ -4,7 +4,7 @@ {% block left %} {{ super() }} @@ -22,3 +22,8 @@ {% endblock %} {% endblock %} +{% block scripts %} +{{ super() }} + + +{% endblock %} diff --git a/attack-theme/templates/macros/datasource_table.html b/attack-theme/templates/macros/datasource_table.html index 6a18cd05f05..062a57a5e4c 100644 --- a/attack-theme/templates/macros/datasource_table.html +++ b/attack-theme/templates/macros/datasource_table.html @@ -1,6 +1,7 @@ {% import 'macros/clean_output.html' as clean_output %} {% macro datasource_table(datasources, show_descriptions, citations=None) %} +
    @@ -50,4 +51,5 @@ {% endfor %}
    +
    {% endmacro %} \ No newline at end of file diff --git a/attack-theme/templates/macros/navigation.html b/attack-theme/templates/macros/navigation.html index 4a385b5f279..41e86328ec5 100644 --- a/attack-theme/templates/macros/navigation.html +++ b/attack-theme/templates/macros/navigation.html @@ -20,7 +20,7 @@ --> {% macro sidenav(root, output_file, filter=False) %}
    -
    {{root.name | upper}} +
    {{root.name | upper}}
    @@ -41,8 +41,7 @@
    {% endif %}
    - {% endmacro %} diff --git a/attack-theme/templates/macros/navigation_menu.html b/attack-theme/templates/macros/navigation_menu.html index 1aa97d850b2..b77fd46285b 100644 --- a/attack-theme/templates/macros/navigation_menu.html +++ b/attack-theme/templates/macros/navigation_menu.html @@ -48,7 +48,7 @@
    {% for child in element.children %} {% if child.children %} - {{has_child(child)}} + {{child_has_child(child)}} {% elif child.external_link %} {{external_link(child)}} {% else %} @@ -57,4 +57,19 @@ {% endfor %}
    +{% endmacro %} + +{% macro child_has_child(element) %} + +
    + +
    + {% for child in element.children %} + {{ child.display_name }} + {% endfor %} +
    +
    {% endmacro %} \ No newline at end of file diff --git a/attack-theme/templates/macros/techniques_used.html b/attack-theme/templates/macros/techniques_used.html index 21e5d5cf626..e707f7738b7 100644 --- a/attack-theme/templates/macros/techniques_used.html +++ b/attack-theme/templates/macros/techniques_used.html @@ -4,6 +4,7 @@ {% if title %}

    {{title}}

    {% endif %} +
    @@ -133,4 +134,5 @@

    {{title}}

    {% endfor %}
    +
    {% endmacro %} \ No newline at end of file diff --git a/data/attackcon.json b/data/attackcon.json index da1942107cf..799f6e56af8 100644 --- a/data/attackcon.json +++ b/data/attackcon.json @@ -375,10 +375,10 @@ { "title": "What’s New with ATT&CK for Cloud?", "presenters": [{ - "names": ["Jen Burns"], + "names": ["Jack Burns"], "organization": "MITRE" }], - "description": "Jen Burns is a Lead Cybersecurity Engineer at MITRE and the Lead for MITRE ATT&CK for Cloud. She’s also a red team developer and lead for ATT&CK Evaluations, using her skills in software engineering and adversary emulation. Previously, she was a tech lead at HubSpot on the Infrastructure Security team where she focused on red teaming and building detections in the cloud environment. This presentation is from the MITRE ATT&Ckcon Power Hour session held on October 9, 2020.", + "description": "Jack Burns is a Lead Cybersecurity Engineer at MITRE and the Lead for MITRE ATT&CK for Cloud. He’s also a red team developer and lead for ATT&CK Evaluations, using his skills in software engineering and adversary emulation. Previously, he was a tech lead at HubSpot on the Infrastructure Security team where he focused on red teaming and building detections in the cloud environment. This presentation is from the MITRE ATT&Ckcon Power Hour session held on October 9, 2020.", "video": "https://www.youtube.com/watch?v=a-xs5VqlcKI&list=PLkTApXQou_8KKl3fOIPKD_9pNpmSe1TKu&index=24", "slides": "https://www.slideshare.net/attackcon2018/whats-new-with-attck-for-cloud" }, @@ -1139,4 +1139,4 @@ "slides": "https://www.slideshare.net/attackcon2018/mitre-attckcon-2018-the-use-of-game-theory-with-mitre-attck-matt-summers-and-nick-dunn-ncc-group" } ] -}] \ No newline at end of file +}] diff --git a/data/resources_navigation.json b/data/resources_navigation.json index d9c71f7884f..08a20f1c4b8 100644 --- a/data/resources_navigation.json +++ b/data/resources_navigation.json @@ -14,6 +14,12 @@ "path": "/resources/getting-started/", "children": [] }, + { + "name": "Contribute", + "id": "contribute", + "path": "/resources/contribute/", + "children": [] + }, { "name": "Training", "id": "training", @@ -69,6 +75,12 @@ "path": "/resources/brand/", "children": [] }, + { + "name": "Benefactors", + "id": "benefactors", + "path": "/resources/benefactors/", + "children": [] + }, { "name": "Privacy Policy", "id": "privacy", @@ -86,6 +98,12 @@ "id": "changelog", "path": "/resources/changelog.html", "children": [] + }, + { + "name": "Contact", + "id": "contact", + "path": "/contact/", + "children": [] } ] } diff --git a/data/versions.json b/data/versions.json index 8bc2ab4d159..752353e8cb5 100644 --- a/data/versions.json +++ b/data/versions.json @@ -1,11 +1,20 @@ { "current": { - "name": "v13.1", - "date_start": "April 25, 2023", - "changelog": "updates-april-2023", - "cti_url": "https://github.com/mitre/cti/releases/tag/ATT%26CK-v13.1" + "name": "v14.0", + "date_start": "October 31, 2023", + "changelog": "updates-october-2023", + "cti_url": "https://github.com/mitre/cti/releases/tag/ATT%26CK-v14.0" }, "previous": [ + { + "name": "v13.1", + "aliases": [], + "date_start": "April 25, 2023", + "date_end": "October 30, 2023", + "changelog": "updates-april-2023", + "cti_url": "https://github.com/mitre/cti/releases/tag/ATT%26CK-v13.1", + "commit": "9b7a6e9dc76eb2f1f6079a102806a648bb400bad" + }, { "name": "v12.1", "aliases": [], diff --git a/modules/assets/__init__.py b/modules/assets/__init__.py new file mode 100644 index 00000000000..f39002b53e5 --- /dev/null +++ b/modules/assets/__init__.py @@ -0,0 +1,9 @@ +from . import assets +from . import assets_config + + +def get_priority(): + return assets_config.priority + +def run_module(): + return (assets.generate_assets(), assets_config.module_name) diff --git a/modules/assets/assets.py b/modules/assets/assets.py new file mode 100644 index 00000000000..25c166e201e --- /dev/null +++ b/modules/assets/assets.py @@ -0,0 +1,248 @@ +import collections +import json +import os + +from loguru import logger + +from modules import util + +from . import assets_config +from .. import site_config + + +def generate_assets(): + """Responsible for verifying asset directory and starting off asset markdown generation.""" + # Create content pages directory if does not already exist + util.buildhelpers.create_content_pages_dir() + + # Move templates to templates directory + util.buildhelpers.move_templates(assets_config.module_name, assets_config.assets_templates_path) + + # Verify if directory exists + if not os.path.isdir(assets_config.asset_markdown_path): + os.mkdir(assets_config.asset_markdown_path) + + # Generate redirections + util.buildhelpers.generate_redirections( + redirections_filename=assets_config.assets_redirection_location, redirect_md=site_config.redirect_md + ) + + # Generates the markdown files to be used for page generation + assets_generated = generate_markdown_files() + + if not assets_generated: + util.buildhelpers.remove_module_from_menu(assets_config.module_name) + + +def generate_markdown_files(): + """ + Responsible for generating asset index page and getting shared data for all assets. + """ + has_asset = False + + asset_list = util.relationshipgetters.get_asset_list() + + asset_list_no_deprecated_revoked = util.buildhelpers.filter_deprecated_revoked(asset_list) + + if asset_list_no_deprecated_revoked: + has_asset = True + + if has_asset: + data = {} + + notes = util.relationshipgetters.get_objects_using_notes() + side_menu_data = util.buildhelpers.get_side_menu_data( + "Assets", "/assets/", asset_list_no_deprecated_revoked + ) + data["side_menu_data"] = side_menu_data + data["assets_table"] = get_assets_table_data(asset_list_no_deprecated_revoked) + data["assets_list_len"] = str(len(asset_list_no_deprecated_revoked)) + + subs = assets_config.asset_index_md + json.dumps(data) + + with open( + os.path.join(assets_config.asset_markdown_path, "overview.md"), "w", encoding="utf8" + ) as md_file: + md_file.write(subs) + + # Create the markdown for assets + for asset in asset_list: + generate_asset_md(asset, side_menu_data, notes) + + return has_asset + + +def generate_asset_md(asset, side_menu_data, notes): + """Responsible for generating markdown of all assets.""" + + attack_id = util.buildhelpers.get_attack_id(asset) + + if not attack_id: return + + data = {} + data["attack_id"] = attack_id + data["side_menu_data"] = side_menu_data + data["notes"] = notes.get(asset["id"]) + + dates = util.buildhelpers.get_created_and_modified_dates(asset) + if dates.get("created"): + data["created"] = dates["created"] + if dates.get("modified"): + data["modified"] = dates["modified"] + if asset.get("name"): + data["name"] = asset["name"] + if asset.get("x_mitre_version"): + data["version"] = asset["x_mitre_version"] + + if isinstance(asset.get("x_mitre_contributors"), collections.abc.Iterable): + data["contributors_list"] = asset["x_mitre_contributors"] + + if asset.get("x_mitre_platforms"): + asset["x_mitre_platforms"].sort() + data["platforms"] = ", ".join(asset["x_mitre_platforms"]) + + if asset.get("x_mitre_sectors"): + asset["x_mitre_sectors"].sort() + data["sectors"] = ", ".join(asset["x_mitre_sectors"]) + + # Get initial reference list + reference_list = {"current_number": 0} + + # Get initial reference list from asset object + reference_list = util.buildhelpers.update_reference_list(reference_list, asset) + + if asset.get("description"): + data["descr"] = asset["description"] + if asset.get("x_mitre_deprecated"): + data["deprecated"] = True + + # Get technique data for technique table + data["technique_table_data"] = get_techniques_targeting_asset_data(asset, reference_list) + + # Get navigator layers for this asset + layers = util.buildhelpers.get_navigator_layers( + data["name"], + data["attack_id"], + "asset", + "targeted by", + data["version"] if "version" in data else None, + data["technique_table_data"], + ) + + data["layers"] = [] + for layer in layers: + with open( + os.path.join( + assets_config.asset_markdown_path, + "-".join([data["attack_id"], "techniques", layer["domain"]]) + ".md", + ), + "w", + encoding="utf8", + ) as layer_json: + subs = site_config.layer_md.substitute( + { + "attack_id": data["attack_id"], + "path": "assets/" + data["attack_id"], + "domain": layer["domain"], + } + ) + subs = subs + layer["layer"] + layer_json.write(subs) + data["layers"].append( + { + "domain": layer["domain"], + "name": layer["name"], + "filename": layer["filename"], + "navigator_link": site_config.navigator_link, + } + ) + + if asset.get("x_mitre_related_assets"): + data["related_assets_table"] = get_related_asset_data(asset["x_mitre_related_assets"]) + + data["citations"] = reference_list + data["versioning_feature"] = site_config.check_versions_module() + + subs = assets_config.asset_md.substitute(data) + subs = subs + json.dumps(data) + + # Write out the markdown file + with open( + os.path.join(assets_config.asset_markdown_path, data["attack_id"] + ".md"), "w", encoding="utf8" + ) as md_file: + md_file.write(subs) + + +def get_assets_table_data(asset_list): + """Responsible for generating asset table data for the asset index page""" + assets_table_data = [] + for asset in asset_list: + attack_id = util.buildhelpers.get_attack_id(asset) + if not attack_id: continue + + domain_list = util.buildhelpers.get_domain_name(asset) + row = { + "id": attack_id, + "name": asset["name"] if asset.get("name") else attack_id, + } + + for domain_idx in range(len(domain_list)): + domain_list[domain_idx] = domain_list[domain_idx].replace('-attack','') + if domain_list[domain_idx] == "ics": + domain_list[domain_idx] = domain_list[domain_idx].upper() + else: + domain_list[domain_idx] = domain_list[domain_idx].capitalize() + row["domains"] = domain_list + + if asset.get("description"): + row["descr"] = asset["description"] + + if asset.get("x_mitre_deprecated"): + row["deprecated"] = True + + assets_table_data.append(row) + + return assets_table_data + + +def get_related_asset_data(related_assets): + if not related_assets: return [] + + related_asset_data = [] + for related_asset in related_assets: + row = { + "name": related_asset["name"], # required + } + if related_asset.get("related_asset_sectors"): + related_asset["related_asset_sectors"].sort() + row["sectors"] = ", ".join(related_asset["related_asset_sectors"]) + if related_asset.get("description"): + row["descr"] = related_asset["description"] + related_asset_data.append(row) + return related_asset_data + + +def get_techniques_targeting_asset_data(asset, reference_list): + """Given an asset and its reference list, get the techniques targeting the asset. + Check the reference list for citations, if not found in list, add it. + """ + technique_list = {} + techniques_targeting_assets = util.relationshipgetters.get_techniques_targeting_assets() + + if techniques_targeting_assets.get(asset.get("id")): + for technique in techniques_targeting_assets[asset["id"]]: + # Do not add if technique is deprecated + if not technique["object"].get("x_mitre_deprecated"): + technique_list = util.buildhelpers.technique_used_helper(technique_list, technique, reference_list) + + technique_data = [] + for item in technique_list: + technique_data.append(technique_list[item]) + # Sort by technique name + technique_data = sorted(technique_data, key=lambda k: k["name"].lower()) + + # Sort by domain name + technique_data = sorted( + technique_data, key=lambda k: [site_config.custom_alphabet.index(c) for c in k["domain"].lower()] + ) + return technique_data diff --git a/modules/assets/assets_config.py b/modules/assets/assets_config.py new file mode 100644 index 00000000000..deafdb527d0 --- /dev/null +++ b/modules/assets/assets_config.py @@ -0,0 +1,22 @@ +from string import Template + +module_name = "Assets" +priority = 7.2 + +# Markdown path for assets +asset_markdown_path = "content/pages/assets/" + +# String template for asset index page +asset_index_md = ( + "Title: Asset overview\nTemplate: assets/assets-index\nsave_as: assets/index.html\ndata: " +) + +# String template for asset page +asset_md = Template( + "Title: ${name}\nTemplate: assets/asset\nsave_as: assets/${attack_id}/index.html\ndata: " +) + +# Path for templates +assets_templates_path = "modules/assets/templates/" + +assets_redirection_location = "modules/assets/assets_redirections.json" diff --git a/modules/assets/assets_redirections.json b/modules/assets/assets_redirections.json new file mode 100644 index 00000000000..16b713b22f4 --- /dev/null +++ b/modules/assets/assets_redirections.json @@ -0,0 +1,7 @@ +[ + { + "title": "assets-redirect", + "from": "assets.html", + "to": "/assets/" + } +] diff --git a/modules/assets/templates/asset.html b/modules/assets/templates/asset.html new file mode 100644 index 00000000000..0dfb2452ac9 --- /dev/null +++ b/modules/assets/templates/asset.html @@ -0,0 +1,172 @@ +{% extends "general/two-column.html" %} +{% set parsed = page.data | from_json %} +{% set title = parsed.name + ", Asset " + parsed.attack_id + " | MITRE ATT&CK®" -%} +{% set active_page = "assets" -%} + +{% import 'macros/deprecated.html' as deprecated %} +{% import 'macros/navigator.html' as navigator %} +{% import 'macros/references.html' as references %} +{% import 'macros/navigation.html' as navigation %} +{% import 'macros/techniques_used.html' as techniques_used %} +{% import 'macros/versioning.html' as versioning %} +{% import 'macros/clean_output.html' as clean_output %} +{% import 'macros/citations.html' as citations %} +{% import 'macros/notes.html' as notes %} + +{% block head %} + {{ super () }} + {% if parsed.deprecated %} + + {% endif %} +{% endblock %} + +{% block innerleft %} + +
    + {{ navigation.sidenav(parsed.side_menu_data, output_file) }} +
    + +{% endblock %} + +{% block innerright %} +{{ super () }} + +
      +
    1. Home
      2. +
    2. Assets
      3. +
    3. {{ parsed.name }}
      4. +
    +
    +
    +
    +
    +
    +

    {{ parsed.name }}

    + + {% if parsed.deprecated %} + {% if parsed.descr %} + {{ deprecated.deprecated(clean_output.stixToHTML(parsed.descr, firstParagraphOnly=True)) }} + {% else %} + {{ deprecated.deprecated("This asset has been deprecated.") }} + {% endif %} + {% else %} +
    +
    + {% if parsed.descr %} +
    + {{ clean_output.stixToHTML(parsed.descr, parsed.citations) }} +
    + {% endif %} + {% if parsed.notes %} + {{ notes.notes_section(parsed.notes) }} + {% endif %} +
    +
    +
    +
    + {% if parsed.attack_id %} +
    +
    + ID: {{ parsed.attack_id }} +
    +
    + {% endif %} + {% if parsed.platforms %} +
    +
    + +
    +
    + {{ "Platform" if parsed.platforms | length < 2 else "Platforms" }}: {{parsed.platforms}} +
    +
    + {% endif %} + {% if parsed.sectors %} +
    +
    + {{ "Sector" if parsed.sectors | length < 2 else "Sectors" }}: {{parsed.sectors}} +
    +
    + {% endif %} + {% if parsed.contributors_list %} +
    +
    + Contributors: {{ parsed.contributors_list|join("; ") }} +
    +
    + {% endif %} + {% if parsed.version %} +
    +
    + Version: {{ parsed.version }} +
    +
    + {% endif %} + {% if parsed.created %} +
    +
    + Created: {{ parsed.created }} +
    +
    + {% endif %} + {% if parsed.modified %} +
    +
    + Last Modified: {{ parsed.modified }} +
    +
    + {% endif %} +
    +
    + {% if parsed.versioning_feature %} + {{ versioning.permalink_button(output_file, parsed.attack_id)}} + {% endif %} +
    +
    + + {% if parsed.related_assets_table %} +

    Related Assets

    + + + + + + + + + + {% for related_asset in parsed.related_assets_table %} + + + + + + {% endfor %} + +
    NameSectorsDescription
    {{ related_asset.name }}{{ related_asset.sectors }} + {{ clean_output.stixToHTML(related_asset.descr, parsed.citations) }} +
    + {% endif %} + + {% if parsed.technique_table_data %} + {{ navigator.layer_links(parsed.attack_id, "assets", parsed.layers) }} + {{ techniques_used.techniques_used(parsed.technique_table_data, "Techniques", true, "", parsed.citations) }} + {% endif %} + + {{ citations.reference_section(parsed.citations) }} + {% endif %} +
    +
    +
    +
    + +{% endblock %} + +{% block scripts %} + {{ super() }} + + + + + +{% endblock %} diff --git a/modules/assets/templates/assets-index.html b/modules/assets/templates/assets-index.html new file mode 100644 index 00000000000..fb66fc70f94 --- /dev/null +++ b/modules/assets/templates/assets-index.html @@ -0,0 +1,85 @@ +{% extends "general/two-column.html" %} +{% set title = "Assets | MITRE ATT&CK®" %} +{% set parsed = page.data | from_json %} +{% set active_page = "assets" -%} +{% import 'macros/navigation.html' as navigation %} +{% import 'macros/clean_output.html' as clean_output %} + +{% block innerleft %} + +
    + {{ navigation.sidenav(parsed.side_menu_data, output_file) }} +
    + +{% endblock %} + +{% block innerright %} + {{ super () }} +
      +
    1. Home
      2. +
    2. Assets
      3. +
    +
    +
    +
    +
    +
    +
    +

    Assets

    +

    + Assets represent the devices and systems commonly found within Industrial Control System environments. Each asset object includes a mapping of technique relationships that represent the adversary actions that may target the device based on its capability and function. +

    +

    + Often, these devices have different names or sector specific terms as you look across the industry. To track these differences more accurately, we use the “Related Assets” field which associates these terms based on similar functions, architectural location, and exposure to similar adversary techniques. Each related asset includes a name, optional sector identifier, and a description to provide nuance to the asset page definition. +

    +

    + Although originally represented under the platform field in ATT&CK, Assets are distinctly separate from platforms. Platforms generally describe the operating system or application (i.e., Microsoft Windows) while Assets represent the device which includes considerations for hardware, software, architecture, and intended function. Assets may leverage platforms to describe a device’s commonly observed operating system. +

    +
    Assets: {{ parsed.assets_list_len }}
    + + + + + + + + + + + {% for row in parsed.assets_table %} + + + + + + + {% endfor %} + +
    IDNameDomainDescription
    + {{ row.id | upper }} + + {{ row.name }} + + {% for dom in row.domains %} + {{dom}} +
    + {% endfor %} +     		+ {% if row.deprecated %} + ****Deprecation Warning**** + {% endif %} + {{ clean_output.stixToHTML(row.descr) }} +
    +
    +
    +
    +
    +
    + +{% endblock %} + +{% block scripts %} + {{ super() }} + + +{% endblock %} \ No newline at end of file diff --git a/modules/benefactors/__init__.py b/modules/benefactors/__init__.py new file mode 100644 index 00000000000..f21046ea539 --- /dev/null +++ b/modules/benefactors/__init__.py @@ -0,0 +1,21 @@ +from . import benefactors +from . import benefactors_config +import json + + +def get_priority(): + return benefactors_config.priority + + +def get_menu(): + return { + "display_name": "Benefactors", + "module_name": "Benefactors", + "url": "/resources/benefactors/", + "external_link": False, + "priority": benefactors_config.priority, + "children": [], + } + +def run_module(): + return (benefactors.generate_benefactors(), benefactors_config.module_name) diff --git a/modules/benefactors/benefactors.py b/modules/benefactors/benefactors.py new file mode 100644 index 00000000000..4861ab2fdbe --- /dev/null +++ b/modules/benefactors/benefactors.py @@ -0,0 +1,28 @@ +import json +import math +import os + +from modules import util + +from . import benefactors_config +from .. import site_config + + +def generate_benefactors(): + """Generate benefactors page markdown""" + + # Create content pages directory if does not already exist + util.buildhelpers.create_content_pages_dir() + + # Move templates to templates directory + util.buildhelpers.move_templates(benefactors_config.module_name, benefactors_config.benefactors_templates_path) + + # Create directory if it does not exist + if not os.path.isdir(benefactors_config.benefactors_markdown_path): + os.mkdir(benefactors_config.benefactors_markdown_path) + + benefactors_md = benefactors_config.benefactors_md + + # write markdown to file + with open(os.path.join(benefactors_config.benefactors_markdown_path, "benefactors.md"), "w", encoding="utf8") as md_file: + md_file.write(benefactors_md) diff --git a/modules/benefactors/benefactors_config.py b/modules/benefactors/benefactors_config.py new file mode 100644 index 00000000000..ae8ae4db38f --- /dev/null +++ b/modules/benefactors/benefactors_config.py @@ -0,0 +1,12 @@ +module_name = "Benefactors" +priority = 9 + +# Markdown path for benefactors +benefactors_markdown_path = "content/pages/resources" + +# String template for benefactors index page +benefactors_md = ( + "Title: Benefactors\n" "Template: benefactors/benefactors\n" "save_as: resources/benefactors/index.html\n" "data: " +) + +benefactors_templates_path = "modules/benefactors/templates" diff --git a/modules/benefactors/templates/benefactors.html b/modules/benefactors/templates/benefactors.html new file mode 100644 index 00000000000..d394606a203 --- /dev/null +++ b/modules/benefactors/templates/benefactors.html @@ -0,0 +1,54 @@ +{% extends "general/two-column.html" %} +{% set active_page = "resources" -%} +{% set title = "Benefactors | MITRE ATT&CK®" -%} +{% import 'macros/navigation.html' as navigation %} + +{% block innerleft %} + +{% endblock %} + +{% block innerright %} +
    +
      +
    1. Home
      2. +
    2. Resources
      3. +
    3. Benefactors
      4. +
    +
    +
    +
    +
    +
    +

    Benefactors Program

    +

    + MITRE ATT&CK® is a globally-accessible, community-driven knowledge base of adversary tactics and techniques based on real-world observations. + The ATT&CK framework is used as a blueprint for the development of specific threat models and methodologies across the private sector, government, and the cybersecurity product and service community. + Benefactors sustain and advance ATT&CK through their financial contributions, ensuring that it adapts along with evolving cyber threats and changing environments. +

    +

    Benefactors

    +

    + Become an ATT&CK Benefactor! Benefactors help propel the evolution of ATT&CK through financial contributions. Donations directly support framework progression, pioneering research into underrepresented domains and emerging threats, and community engagement. + To show our thanks, ATT&CK benefactors are also the recipient of many benefits, including public recognition as a benefactor of MITRE ATT&CK as well as briefings with the ATT&CK leadership team. +

    +

    + You can find additional information and opportunities with the benefactor program at the program link below. You are also welcome to contact us at attack@mitre.org. +

    +
    + + + +
    +
    +
    +
    +
    +{% endblock %} +{% block scripts %} +{{ super () }} + + +{% endblock %} \ No newline at end of file diff --git a/modules/blog/blog_config.py b/modules/blog/blog_config.py index cd6759f8ece..b26974ea252 100644 --- a/modules/blog/blog_config.py +++ b/modules/blog/blog_config.py @@ -1,2 +1,2 @@ module_name = "Blog" -priority = 9 +priority = 10 diff --git a/modules/campaigns/__init__.py b/modules/campaigns/__init__.py index 7887aef5dae..99ff4eaa234 100644 --- a/modules/campaigns/__init__.py +++ b/modules/campaigns/__init__.py @@ -5,17 +5,5 @@ def get_priority(): return campaigns_config.priority - -def get_menu(): - return { - "display_name": campaigns_config.module_name, - "module_name": campaigns_config.module_name, - "url": "/campaigns", - "external_link": False, - "priority": campaigns_config.priority, - "children": [], - } - - def run_module(): return (campaigns.generate_campaigns(), campaigns_config.module_name) diff --git a/modules/campaigns/campaigns.py b/modules/campaigns/campaigns.py index 0a4eba57575..dba435d80ab 100644 --- a/modules/campaigns/campaigns.py +++ b/modules/campaigns/campaigns.py @@ -67,7 +67,7 @@ def generate_markdown_files(): data["campaigns_list_len"] = str(len(campaign_list_no_deprecated_revoked)) subs = campaigns_config.campaign_index_md + json.dumps(data) - + generate_sidebar_campaigns(side_menu_data) with open( os.path.join(campaigns_config.campaign_markdown_path, "overview.md"), "w", encoding="utf8" ) as md_file: @@ -141,6 +141,7 @@ def generate_campaign_md(campaign, side_menu_data, notes): data["name"], data["attack_id"], "campaign", + "used by", data["version"] if "version" in data else None, data["technique_table_data"], ) @@ -307,3 +308,16 @@ def get_software_table_data(campaign, reference_list): software_data = [software_list[item] for item in software_list] software_data = sorted(software_data, key=lambda k: k["name"].lower()) return software_data + +def generate_sidebar_campaigns(side_menu_data): + """Responsible for generating the sidebar for the campaigns pages.""" + logger.info("Generating campaigns sidebar") + data = {} + data["menu"] = side_menu_data + + # Sidebar Overview + sidebar_campaigns_md = campaigns_config.sidebar_campaigns_md + json.dumps(data) + + # write markdown to file + with open(os.path.join(campaigns_config.campaign_markdown_path, "sidebar_campaigns.md"), "w", encoding="utf8") as md_file: + md_file.write(sidebar_campaigns_md) diff --git a/modules/campaigns/campaigns_config.py b/modules/campaigns/campaigns_config.py index 94d0a5de8e5..3eae07cc697 100644 --- a/modules/campaigns/campaigns_config.py +++ b/modules/campaigns/campaigns_config.py @@ -20,3 +20,10 @@ campaigns_templates_path = "modules/campaigns/templates/" campaigns_redirection_location = "modules/campaigns/campaigns_redirections.json" + +sidebar_campaigns_md = ( + "Title: Campaigns Sidebar\n" + "Template: general/sidebar-template \n" + "save_as: campaigns/sidebar-campaigns/index.html\n" + "data: " +) \ No newline at end of file diff --git a/modules/campaigns/templates/campaign.html b/modules/campaigns/templates/campaign.html index 24ddfbc0fe5..874baadaa8f 100644 --- a/modules/campaigns/templates/campaign.html +++ b/modules/campaigns/templates/campaign.html @@ -27,9 +27,7 @@ {% block innerleft %} -
    - {{ navigation.sidenav(parsed.side_menu_data, output_file) }} -
    + {% endblock %} @@ -162,6 +160,7 @@

    {{ parsed.name }}

    {% if parsed.alias_descriptions %}

    Associated Campaign Descriptions

    +
    @@ -182,10 +181,12 @@

    Associated Campaign Descriptions

    {% endfor %}
    +
    {% endif %} {% if parsed.group_data %}

    Groups

    +
    @@ -212,6 +213,7 @@

    Groups

    {% endfor %}
    +
    {% endif %} {% if parsed.technique_table_data %} @@ -221,6 +223,7 @@

    Groups

    {% if parsed.software_data %}

    Software

    +
    @@ -247,6 +250,7 @@

    Software

    {% endfor %}
    +
    {% endif %} {{ citations.reference_section(parsed.citations) }} @@ -261,8 +265,8 @@

    Software

    {% block scripts %} {{ super() }} - + {% endblock %} diff --git a/modules/campaigns/templates/campaigns-index.html b/modules/campaigns/templates/campaigns-index.html index 7787ed35046..9aa0e1c6ce2 100644 --- a/modules/campaigns/templates/campaigns-index.html +++ b/modules/campaigns/templates/campaigns-index.html @@ -7,9 +7,7 @@ {% block innerleft %} -
    - {{ navigation.sidenav(parsed.side_menu_data, output_file) }} -
    + {% endblock %} @@ -51,6 +49,7 @@

    Campaigns

    Campaigns: {{ parsed.campaigns_list_len }}
    +
    @@ -84,6 +83,7 @@
    Campaigns: {{ parsed.campaigns_list_len }}
    {% endfor %}
    +
    @@ -95,5 +95,5 @@
    Campaigns: {{ parsed.campaigns_list_len }}
    {% block scripts %} {{ super() }} - + {% endblock %} \ No newline at end of file diff --git a/modules/contribute/__init__.py b/modules/contribute/__init__.py deleted file mode 100644 index b81b657ddb8..00000000000 --- a/modules/contribute/__init__.py +++ /dev/null @@ -1,28 +0,0 @@ -from . import contribute -from . import contribute_config -import json - - -def get_priority(): - return contribute_config.priority - - -def get_menu(): - return { - "display_name": "Contribute", - "module_name": "Contribute", - "url": "/resources/contribute/", - "external_link": False, - "priority": contribute_config.priority, - "children": [], - } - - -def get_redirections(): - with open(contribute_config.contribute_redirection_location, "r", encoding="utf8") as json_redirections: - return json.load(json_redirections) - return [] - - -def run_module(): - return (contribute.generate_contribute(), contribute_config.module_name) diff --git a/modules/contribute/contribute.py b/modules/contribute/contribute.py deleted file mode 100644 index 6f9e2d52aa0..00000000000 --- a/modules/contribute/contribute.py +++ /dev/null @@ -1,61 +0,0 @@ -import json -import math -import os - -from modules import util - -from . import contribute_config -from .. import site_config - - -def generate_contribute(): - """Generate contribute page markdown""" - - # Create content pages directory if does not already exist - util.buildhelpers.create_content_pages_dir() - - # Move templates to templates directory - util.buildhelpers.move_templates(contribute_config.module_name, contribute_config.contribute_templates_path) - - # Generate redirections - util.buildhelpers.generate_redirections( - redirections_filename=contribute_config.contribute_redirection_location, redirect_md=site_config.redirect_md - ) - - ms = util.relationshipgetters.get_ms() - contributors = util.stixhelpers.get_contributors(ms) - - if not contributors: - util.buildhelpers.remove_module_from_menu(contribute_config.module_name) - return - - data = {} - - data["contributors"] = [] - - contributors_first_col = [] - contributors_second_col = [] - - half = math.ceil((len(contributors)) / 2) - list_size = len(contributors) - - for index in range(0, half): - contributors_first_col.append(contributors[index]) - - for index in range(half, list_size): - contributors_second_col.append(contributors[index]) - - data["contributors"].append(contributors_first_col) - data["contributors"].append(contributors_second_col) - - subs = contribute_config.contribute_index_md + json.dumps(data) - - # Create directory if it does not exist - if not os.path.isdir(contribute_config.contribute_markdown_path): - os.mkdir(contribute_config.contribute_markdown_path) - - # Open markdown file for the contribute page - with open( - os.path.join(contribute_config.contribute_markdown_path, "contribute.md"), "w", encoding="utf8" - ) as md_file: - md_file.write(subs) diff --git a/modules/contribute/contribute_config.py b/modules/contribute/contribute_config.py deleted file mode 100644 index 857319849bd..00000000000 --- a/modules/contribute/contribute_config.py +++ /dev/null @@ -1,14 +0,0 @@ -module_name = "Contribute" -priority = 10 - -# Markdown path for contribute -contribute_markdown_path = "content/pages/resources" - -# String template for contribution index page -contribute_index_md = ( - "Title: Contribute\n" "Template: contribute/contribute\n" "save_as: resources/contribute/index.html\n" "data: " -) - -contribute_templates_path = "modules/contribute/templates" - -contribute_redirection_location = "modules/contribute/contribute_redirections.json" diff --git a/modules/datasources/__init__.py b/modules/datasources/__init__.py index 722076992e1..56b61bcbdd9 100644 --- a/modules/datasources/__init__.py +++ b/modules/datasources/__init__.py @@ -9,12 +9,20 @@ def get_priority(): def get_menu(): return { - "display_name": datasources_config.module_name, + "display_name": datasources_config.module_tab_name, "module_name": datasources_config.module_name_no_spaces, "url": "/datasources", "external_link": False, "priority": datasources_config.priority, - "children": [], + "children": [ + {"display_name": "Data Sources", "url": "/datasources", "external_link": False, "children": []}, + {"display_name": "Mitigations", "url": "/mitigations/", "external_link": False, "children": [ + {"display_name": "Enterprise", "url": "/mitigations/enterprise/", "external_link": False, "children": []}, + {"display_name": "Mobile", "url": "/mitigations/mobile/", "external_link": False, "children": []}, + {"display_name": "ICS", "url": "/mitigations/ics/", "external_link": False, "children": []}, + ]}, + {"display_name": "Assets", "url": "/assets", "external_link": False, "children": [] } + ] } diff --git a/modules/datasources/datasources_config.py b/modules/datasources/datasources_config.py index 220a45a81d3..584af6d1eff 100644 --- a/modules/datasources/datasources_config.py +++ b/modules/datasources/datasources_config.py @@ -2,6 +2,7 @@ module_name = "Data Sources" module_name_no_spaces = "datasources" +module_tab_name = "Defenses" priority = 4.1 @@ -22,4 +23,4 @@ ) # Path for templates -datasources_templates_path = "modules/datasources/templates/" +datasources_templates_path = "modules/datasources/templates/" \ No newline at end of file diff --git a/modules/datasources/templates/datasource.html b/modules/datasources/templates/datasource.html index 8e7ce56c470..9ec60ae9daf 100644 --- a/modules/datasources/templates/datasource.html +++ b/modules/datasources/templates/datasource.html @@ -177,7 +177,6 @@

    {{parsed.name}}: {{datacomponent.name}}

    {% endif %} - {% if datacomponent.techniques %} {% if datacomponent.add_datacomponent_ref %} {{techniques_used.techniques_used(datacomponent.techniques, "", true, "Detects", parsed.citations)}} @@ -185,7 +184,6 @@

    {{parsed.name}}: {{datacomponent.name}}

    {{techniques_used.techniques_used(datacomponent.techniques, "", true, "")}} {% endif %} {% endif %} - {% endfor %} @@ -205,6 +203,7 @@

    {{parsed.name}}: {{datacomponent.name}}

    + diff --git a/modules/datasources/templates/datasources-index.html b/modules/datasources/templates/datasources-index.html index 9a9348972d4..eeb400f2f42 100644 --- a/modules/datasources/templates/datasources-index.html +++ b/modules/datasources/templates/datasources-index.html @@ -8,7 +8,7 @@ {% block innerleft %}
    - {{ navigation.sidenav(parsed.side_menu_data, output_file, true) }} + {{ navigation.sidenav(parsed.side_menu_data, output_file) }}
    {% endblock %} @@ -27,13 +27,35 @@

    Data Sources

    Data sources represent the various subjects/topics of information that can be collected by sensors/logs. Data sources also include data components, which identify specific properties/values of a data source relevant to detecting a given ATT&CK technique or sub-technique.

    -
    Data Sources: {{ parsed.datasources_list_len }}
    - +
    +
    - - - + + + @@ -74,5 +96,7 @@
    Data Sources: {{ parsed.datasources_list_len }} + + {% endblock %} \ No newline at end of file diff --git a/modules/groups/__init__.py b/modules/groups/__init__.py index 96480c1aee3..abe5567a490 100644 --- a/modules/groups/__init__.py +++ b/modules/groups/__init__.py @@ -6,17 +6,19 @@ def get_priority(): return groups_config.priority - def get_menu(): return { - "display_name": groups_config.module_name, + "display_name": groups_config.module_tab_name, "module_name": groups_config.module_name, "url": "/groups", "external_link": False, "priority": groups_config.priority, - "children": [], + "children": [ + {"display_name": "Groups", "url": "/groups", "external_link": False, "children": []}, + {"display_name": "Software", "url": "/software", "external_link": False, "children": []}, + {"display_name": "Campaigns", "url": "/campaigns", "external_link": False, "children": []}, + ] } - def run_module(): return (groups.generate_groups(), groups_config.module_name) diff --git a/modules/groups/groups.py b/modules/groups/groups.py index 5b2c888bd6c..e1ee4097f15 100644 --- a/modules/groups/groups.py +++ b/modules/groups/groups.py @@ -4,6 +4,8 @@ from modules import util +from loguru import logger + from . import groups_config from .. import site_config @@ -77,6 +79,7 @@ def generate_markdown_files(): for group in group_list: generate_group_md(group, side_menu_data, notes) + generate_sidebar_groups(side_menu_data) return has_group @@ -132,6 +135,7 @@ def generate_group_md(group, side_menu_data, notes): data["name"], data["attack_id"], "group", + "used by", data["version"] if "version" in data else None, data["technique_table_data"], inheritance, # extend legend to include color coding for inherited techniques, if applicable @@ -435,3 +439,16 @@ def update_software_list(pairings, software_list, reference_list, reference, id) software_list[software_stix_id]["techniques"].append(tech_data) return software_list, reference + +def generate_sidebar_groups(side_menu_data): + """Responsible for generating the sidebar for the groups pages.""" + logger.info("Generating groups sidebar") + data = {} + data["menu"] = side_menu_data + + # Sidebar Overview + sidebar_groups_md = groups_config.sidebar_groups_md + json.dumps(data) + + # write markdown to file + with open(os.path.join(groups_config.group_markdown_path, "sidebar_groups.md"), "w", encoding="utf8") as md_file: + md_file.write(sidebar_groups_md) diff --git a/modules/groups/groups_config.py b/modules/groups/groups_config.py index 24d8feb5d04..20a7da88a4e 100644 --- a/modules/groups/groups_config.py +++ b/modules/groups/groups_config.py @@ -1,6 +1,7 @@ from string import Template module_name = "Groups" +module_tab_name = "CTI" priority = 6 # Markdown path for groups @@ -16,3 +17,10 @@ groups_templates_path = "modules/groups/templates/" groups_redirection_location = "modules/groups/groups_redirections.json" + +sidebar_groups_md = ( + "Title: Groups Sidebar\n" + "Template: general/sidebar-template \n" + "save_as: groups/sidebar-groups/index.html\n" + "data: " +) \ No newline at end of file diff --git a/modules/groups/templates/group.html b/modules/groups/templates/group.html index c2247770c39..bfab72e72d7 100644 --- a/modules/groups/templates/group.html +++ b/modules/groups/templates/group.html @@ -27,9 +27,7 @@ {% block innerleft %} -
    - {{ navigation.sidenav(parsed.side_menu_data, output_file) }} -
    + {% endblock %} @@ -141,6 +139,7 @@

    {% if parsed.alias_descriptions %}

    Associated Group Descriptions

    +
    IDNameDomainID + + + Name + + + Domain + + + Description
    @@ -161,10 +160,12 @@

    Associated Group Descriptions

    {% endfor %}
    +
    {% endif %} {% if parsed.campaign_data %}

    Campaigns

    +
    @@ -205,6 +206,7 @@

    Campaigns

    {% endfor %}
    +
    {% endif %} {% if parsed.technique_table_data %} @@ -214,6 +216,7 @@

    Campaigns

    {% if parsed.software_data %}

    Software

    +
    @@ -252,6 +255,7 @@

    Software

    {% endfor %}
    +
    {% endif %} {{ citations.reference_section(parsed.citations) }} @@ -266,7 +270,7 @@

    Software

    {% block scripts %} {{ super() }} - + diff --git a/modules/groups/templates/groups-index.html b/modules/groups/templates/groups-index.html index 382d907dd7a..aa3ea66b7bd 100644 --- a/modules/groups/templates/groups-index.html +++ b/modules/groups/templates/groups-index.html @@ -7,9 +7,7 @@ {% block innerleft %} -
    - {{ navigation.sidenav(parsed.side_menu_data, output_file) }} -
    + {% endblock %} @@ -45,6 +43,7 @@

    Groups

    Groups: {{ parsed.groups_list_len }}
    +
    @@ -76,6 +75,7 @@
    Groups: {{ parsed.groups_list_len }}
    {% endfor %}
    +
    @@ -87,5 +87,5 @@
    Groups: {{ parsed.groups_list_len }}
    {% block scripts %} {{ super() }} - + {% endblock %} \ No newline at end of file diff --git a/modules/matrices/matrices.py b/modules/matrices/matrices.py index bfd8a99ac07..22a3ab254bf 100644 --- a/modules/matrices/matrices.py +++ b/modules/matrices/matrices.py @@ -27,7 +27,7 @@ def generate_matrices(): notes = util.relationshipgetters.get_objects_using_notes() side_menu_data = util.buildhelpers.get_side_menu_matrices(matrices_config.matrices) - + generate_sidebar_matrices(side_menu_data) matrix_generated = False for matrix in matrices_config.matrices: @@ -259,3 +259,16 @@ def transform_tactic(tactic_id): ) return data, has_subtechniques, tour_technique + +def generate_sidebar_matrices(side_menu_data): + """Responsible for generating the sidebar for the matrices pages.""" + logger.info("Generating matrices sidebar") + data = {} + data["menu"] = side_menu_data + + # Sidebar Overview + sidebar_matrices_md = matrices_config.sidebar_matrices_md + json.dumps(data) + + # write markdown to file + with open(os.path.join(matrices_config.matrix_markdown_path, "sidebar_matrices.md"), "w", encoding="utf8") as md_file: + md_file.write(sidebar_matrices_md) diff --git a/modules/matrices/matrices_config.py b/modules/matrices/matrices_config.py index ef8f4d31377..6ecf34d27b8 100644 --- a/modules/matrices/matrices_config.py +++ b/modules/matrices/matrices_config.py @@ -30,6 +30,13 @@ "data: " ) +sidebar_matrices_md = ( + "Title: Matrices Sidebar\n" + "Template: general/sidebar-template \n" + "save_as: matrices/sidebar-matrices/index.html\n" + "data: " +) + # The tree of matricies on /matrices/ matrices = [ { diff --git a/modules/matrices/templates/matrix.html b/modules/matrices/templates/matrix.html index a4c4624a9c5..fc1177aa7ea 100644 --- a/modules/matrices/templates/matrix.html +++ b/modules/matrices/templates/matrix.html @@ -30,7 +30,7 @@ {% block innerleft %} - {{ navigation.sidenav(parsed.menu, output_file) }} + {% endblock %} @@ -120,8 +120,8 @@

    {{parsed.name}} {{matrix_plural}}

    {{ super() }} - -{% endblock %} + + {% endblock %} diff --git a/modules/mitigations/__init__.py b/modules/mitigations/__init__.py index 704fd5eb3e5..40d74cfbd41 100644 --- a/modules/mitigations/__init__.py +++ b/modules/mitigations/__init__.py @@ -6,20 +6,5 @@ def get_priority(): return mitigations_config.priority -def get_menu(): - return { - "display_name": mitigations_config.module_name, - "module_name": mitigations_config.module_name, - "url": "/mitigations/", - "external_link": False, - "priority": mitigations_config.priority, - "children": [ - {"display_name": "Enterprise", "url": "/mitigations/enterprise/", "external_link": False, "children": []}, - {"display_name": "Mobile", "url": "/mitigations/mobile/", "external_link": False, "children": []}, - {"display_name": "ICS", "url": "/mitigations/ics/", "external_link": False, "children": []}, - ], - } - - def run_module(): return (mitigations.generate_mitigations(), mitigations_config.module_name) diff --git a/modules/mitigations/mitigations.py b/modules/mitigations/mitigations.py index e6e6eb64e3c..47a63bb020e 100644 --- a/modules/mitigations/mitigations.py +++ b/modules/mitigations/mitigations.py @@ -54,7 +54,7 @@ def generate_mitigations(): if not mitigation_generated: if check_if_generated: mitigation_generated = True - + generate_sidebar_mitigations(side_nav_data) if not mitigation_generated: util.buildhelpers.remove_module_from_menu(mitigations_config.module_name) @@ -137,6 +137,7 @@ def generate_mitigation_md(mitigation, domain, side_menu_data, notes): data["name"], data["attack_id"], "mitigation", + "mitigated by", data["version"] if "version" in data else None, data["techniques_addressed_data"], ) @@ -230,3 +231,16 @@ def get_techniques_addressed_data(mitigation, reference_list): technique_data, key=lambda k: [site_config.custom_alphabet.index(c) for c in k["domain"].lower()] ) return technique_data + +def generate_sidebar_mitigations(side_nav_data): + """Responsible for generating the sidebar for the mitigations pages.""" + logger.info("Generating mitigations sidebar") + data = {} + data["menu"] = side_nav_data + + # Sidebar Overview + sidebar_mitigations_md = mitigations_config.sidebar_mitigations_md + json.dumps(data) + + # write markdown to file + with open(os.path.join(mitigations_config.mitigation_markdown_path, "sidebar_mitigations.md"), "w", encoding="utf8") as md_file: + md_file.write(sidebar_mitigations_md) diff --git a/modules/mitigations/mitigations_config.py b/modules/mitigations/mitigations_config.py index 54d0d2987a0..f60ea69f4b4 100644 --- a/modules/mitigations/mitigations_config.py +++ b/modules/mitigations/mitigations_config.py @@ -32,3 +32,10 @@ "save_as: mitigations/${attack_id}/index.html\n" "data: " ) + +sidebar_mitigations_md = ( + "Title: Mitigations Sidebar\n" + "Template: general/sidebar-template \n" + "save_as: mitigations/sidebar-mitigations/index.html\n" + "data: " +) \ No newline at end of file diff --git a/modules/mitigations/templates/mitigation.html b/modules/mitigations/templates/mitigation.html index 95515399a6a..261d8e1518b 100644 --- a/modules/mitigations/templates/mitigation.html +++ b/modules/mitigations/templates/mitigation.html @@ -26,9 +26,7 @@ {% block innerleft %} -
    - {{ navigation.sidenav(parsed.side_menu_data, output_file) }} -
    + {% endblock %} @@ -111,5 +109,5 @@

    {% block scripts %} {{ super() }} - -{% endblock %} \ No newline at end of file + +{% endblock %} \ No newline at end of file diff --git a/modules/mitigations/templates/mitigations-domain-index.html b/modules/mitigations/templates/mitigations-domain-index.html index 509ead41ec5..9412fb49db5 100644 --- a/modules/mitigations/templates/mitigations-domain-index.html +++ b/modules/mitigations/templates/mitigations-domain-index.html @@ -14,9 +14,7 @@ {% block innerleft %} -
    - {{ navigation.sidenav(parsed.side_menu_data, output_file) }} -
    + {% endblock %} @@ -59,6 +57,7 @@

    Mitigations: {{parsed.mitigation_list_len}}
    +
    @@ -83,6 +82,7 @@
    Mitigations: {{parsed.mitigation_list_len}}
    {% endfor %}
    +
    @@ -93,5 +93,5 @@
    Mitigations: {{parsed.mitigation_list_len}}
    {% block scripts %} {{ super() }} - -{% endblock %} \ No newline at end of file + +{% endblock %} \ No newline at end of file diff --git a/modules/random_page/random_page.py b/modules/random_page/random_page.py index 11236283fc0..604e7e65e17 100644 --- a/modules/random_page/random_page.py +++ b/modules/random_page/random_page.py @@ -16,6 +16,7 @@ def generate_json(): "groups": "Group", "software": "Software", "campaigns": "Campaign", + "assets": "Asset" } routes = {} @@ -57,6 +58,8 @@ def generate_json(): add_to_json = True elif route == "campaigns" and re.search(r"C[0-9]{4}", thepath): add_to_json = True + elif route == "assets" and re.search(r"A[0-9]{4}", thepath): + add_to_json = True if add_to_json: json_data[value].append(thepath[6:]) diff --git a/modules/resources/__init__.py b/modules/resources/__init__.py index 1f4e4eb7d35..fd1805b7fd2 100644 --- a/modules/resources/__init__.py +++ b/modules/resources/__init__.py @@ -22,6 +22,12 @@ def get_menu(): "external_link": False, "children": [], }, + { + "display_name": "Contribute", + "url": "/resources/contribute/", + "external_link": False, + "children": [], + }, {"display_name": "Training", "url": "/resources/training/", "external_link": False, "children": []}, {"display_name": "ATT&CKcon", "url": "/resources/attackcon/", "external_link": False, "children": []}, { diff --git a/modules/contribute/contribute_redirections.json b/modules/resources/contribute_redirections.json similarity index 100% rename from modules/contribute/contribute_redirections.json rename to modules/resources/contribute_redirections.json diff --git a/modules/resources/docs/changelogs/v13.1-v14.0/changelog-detailed.html b/modules/resources/docs/changelogs/v13.1-v14.0/changelog-detailed.html new file mode 100644 index 00000000000..9ccc37ac781 --- /dev/null +++ b/modules/resources/docs/changelogs/v13.1-v14.0/changelog-detailed.html @@ -0,0 +1,2516 @@ + + + + ATT&CK Changes + + + + +

    ATT&CK Changes Between v13.1 and v14.0

    Key

    + + + + +
    + + + + + +
    Colors for description field
    Added
    Changed
    Deleted
    +
    +

    Additional formats

    +

    These ATT&CK Navigator layer files can be uploaded to ATT&CK Navigator manually.

    + +

    This JSON file contains the machine readble output used to create this page: changelog.json

    +

    Techniques

    enterprise-attack

    New Techniques

    [T1098.006] Account Manipulation: Additional Container Cluster Roles

    Current version: 1.0

    Description: An adversary may add additional roles or permissions to an adversary-controlled user or service account to maintain persistent access to a container orchestration system. For example, an adversary with sufficient permissions may create a RoleBinding or a ClusterRoleBinding to bind a Role or ClusterRole to a Kubernetes account.(Citation: Kubernetes RBAC)(Citation: Aquasec Kubernetes Attack 2023) Where attribute-based access control (ABAC) is in use, an adversary with sufficient permissions may modify a Kubernetes ABAC policy to give the target account additional permissions.(Citation: Kuberentes ABAC) + +This account modification may immediately follow [Create Account](https://attack.mitre.org/techniques/T1136) or other malicious account activity. Adversaries may also modify existing [Valid Accounts](https://attack.mitre.org/techniques/T1078) that they have compromised. + +Note that where container orchestration systems are deployed in cloud environments, as with Google Kubernetes Engine, Amazon Elastic Kubernetes Service, and Azure Kubernetes Service, cloud-based role-based access control (RBAC) assignments or ABAC policies can often be used in place of or in addition to local permission assignments.(Citation: Google Cloud Kubernetes IAM)(Citation: AWS EKS IAM Roles for Service Accounts)(Citation: Microsoft Azure Kubernetes Service Service Accounts) In these cases, this technique may be used in conjunction with [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003).

    [T1036.009] Masquerading: Break Process Trees

    Current version: 1.0

    Description: An adversary may attempt to evade process tree-based analysis by modifying executed malware's parent process ID (PPID). If endpoint protection software leverages the “parent-child" relationship for detection, breaking this relationship could result in the adversary’s behavior not being associated with previous process tree activity. On Unix-based systems breaking this process tree is common practice for administrators to execute software using scripts and programs.(Citation: 3OHA double-fork 2022) + +On Linux systems, adversaries may execute a series of [Native API](https://attack.mitre.org/techniques/T1106) calls to alter malware's process tree. For example, adversaries can execute their payload without any arguments, call the `fork()` API call twice, then have the parent process exit. This creates a grandchild process with no parent process that is immediately adopted by the `init` system process (PID 1), which successfully disconnects the execution of the adversary's payload from its previous process tree. + +Another example is using the “daemon” syscall to detach from the current parent process and run in the background.(Citation: Sandfly BPFDoor 2022)(Citation: Microsoft XorDdos Linux Stealth 2022)

    [T1555.006] Credentials from Password Stores: Cloud Secrets Management Stores

    Current version: 1.0

    Description: Adversaries may acquire credentials from cloud-native secret management solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, and Terraform Vault. + +Secrets managers support the secure centralized management of passwords, API keys, and other credential material. Where secrets managers are in use, cloud services can dynamically acquire credentials via API requests rather than accessing secrets insecurely stored in plain text files or environment variables. + +If an adversary is able to gain sufficient privileges in a cloud environment – for example, by obtaining the credentials of high-privileged [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004) or compromising a service that has permission to retrieve secrets – they may be able to request secrets from the secrets manager. This can be accomplished via commands such as `get-secret-value` in AWS, `gcloud secrets describe` in GCP, and `az key vault secret show` in Azure.(Citation: Permiso Scattered Spider 2023)(Citation: Sysdig ScarletEel 2.0 2023)(Citation: AWS Secrets Manager)(Citation: Google Cloud Secrets)(Citation: Microsoft Azure Key Vault) + +**Note:** this technique is distinct from [Cloud Instance Metadata API](https://attack.mitre.org/techniques/T1552/005) in that the credentials are being directly requested from the cloud secrets manager, rather than through the medium of the instance metadata API.

    [T1659] Content Injection

    Current version: 1.0

    Description: Adversaries may gain access and continuously communicate with victims by injecting malicious content into systems through online network traffic. Rather than luring victims to malicious payloads hosted on a compromised website (i.e., [Drive-by Target](https://attack.mitre.org/techniques/T1608/004) followed by [Drive-by Compromise](https://attack.mitre.org/techniques/T1189)), adversaries may initially access victims through compromised data-transfer channels where they can manipulate traffic and/or inject their own content. These compromised online network channels may also be used to deliver additional payloads (i.e., [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) and other data to already compromised systems.(Citation: ESET MoustachedBouncer) + +Adversaries may inject content to victim systems in various ways, including: + +* From the middle, where the adversary is in-between legitimate online client-server communications (**Note:** this is similar but distinct from [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557), which describes AiTM activity solely within an enterprise environment) (Citation: Kaspersky Encyclopedia MiTM) +* From the side, where malicious content is injected and races to the client as a fake response to requests of a legitimate online server (Citation: Kaspersky ManOnTheSide) + +Content injection is often the result of compromised upstream communication channels, for example at the level of an internet service provider (ISP) as is the case with "lawful interception."(Citation: Kaspersky ManOnTheSide)(Citation: ESET MoustachedBouncer)(Citation: EFF China GitHub Attack)

    [T1021.008] Remote Services: Direct Cloud VM Connections

    Current version: 1.0

    Description: Adversaries may leverage [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log directly into accessible cloud hosted compute infrastructure through cloud native methods. Many cloud providers offer interactive connections to virtual infrastructure that can be accessed through the [Cloud API](https://attack.mitre.org/techniques/T1059/009), such as Azure Serial Console(Citation: Azure Serial Console), AWS EC2 Instance Connect(Citation: EC2 Instance Connect)(Citation: lucr-3: Getting SaaS-y in the cloud), and AWS System Manager.(Citation: AWS System Manager). + +Methods of authentication for these connections can include passwords, application access tokens, or SSH keys. These cloud native methods may, by default, allow for privileged access on the host with SYSTEM or root level access. + +Adversaries may utilize these cloud native methods to directly access virtual infrastructure and pivot through an environment.(Citation: SIM Swapping and Abuse of the Microsoft Azure Serial Console) These connections typically provide direct console access to the VM rather than the execution of scripts (i.e., [Cloud Administration Command](https://attack.mitre.org/techniques/T1651)).

    [T1562.012] Impair Defenses: Disable or Modify Linux Audit System

    Current version: 1.0

    Description: Adversaries may disable or modify the Linux audit system to hide malicious activity and avoid detection. Linux admins use the Linux Audit system to track security-relevant information on a system. The Linux Audit system operates at the kernel-level and maintains event logs on application and system activity such as process, network, file, and login events based on pre-configured rules. + +Often referred to as `auditd`, this is the name of the daemon used to write events to disk and is governed by the parameters set in the `audit.conf` configuration file. Two primary ways to configure the log generation rules are through the command line `auditctl` utility and the file `/etc/audit/audit.rules`, containing a sequence of `auditctl` commands loaded at boot time.(Citation: Red Hat System Auditing)(Citation: IzyKnows auditd threat detection 2022) + +With root privileges, adversaries may be able to ensure their activity is not logged through disabling the Audit system service, editing the configuration/rule files, or by hooking the Audit system library functions. Using the command line, adversaries can disable the Audit system service through killing processes associated with `auditd` daemon or use `systemctl` to stop the Audit service. Adversaries can also hook Audit system functions to disable logging or modify the rules contained in the `/etc/audit/audit.rules` or `audit.conf` files to ignore malicious activity.(Citation: Trustwave Honeypot SkidMap 2023)(Citation: ESET Ebury Feb 2014)

    [T1567.004] Exfiltration Over Web Service: Exfiltration Over Webhook

    Current version: 1.0

    Description: Adversaries may exfiltrate data to a webhook endpoint rather than over their primary command and control channel. Webhooks are simple mechanisms for allowing a server to push data over HTTP/S to a client without the need for the client to continuously poll the server.(Citation: RedHat Webhooks) Many public and commercial services, such as Discord, Slack, and `webhook.site`, support the creation of webhook endpoints that can be used by other services, such as Github, Jira, or Trello.(Citation: Discord Intro to Webhooks) When changes happen in the linked services (such as pushing a repository update or modifying a ticket), these services will automatically post the data to the webhook endpoint for use by the consuming application. + +Adversaries may link an adversary-owned environment to a victim-owned SaaS service to achieve repeated [Automated Exfiltration](https://attack.mitre.org/techniques/T1020) of emails, chat messages, and other data.(Citation: Push Security SaaS Attacks Repository Webhooks) Alternatively, instead of linking the webhook endpoint to a service, an adversary can manually post staged data directly to the URL in order to exfiltrate it.(Citation: Microsoft SQL Server) + +Access to webhook endpoints is often over HTTPS, which gives the adversary an additional level of protection. Exfiltration leveraging webhooks can also blend in with normal network traffic if the webhook endpoint points to a commonly used SaaS application or collaboration service.(Citation: CyberArk Labs Discord)(Citation: Talos Discord Webhook Abuse)(Citation: Checkmarx Webhooks)

    [T1657] Financial Theft

    Current version: 1.0

    Description: Adversaries may steal monetary resources from targets through extortion, social engineering, technical theft, or other methods aimed at their own financial gain at the expense of the availability of these resources for victims. Financial theft is the ultimate objective of several popular campaign types including extortion by ransomware,(Citation: FBI-ransomware) business email compromise (BEC) and fraud,(Citation: FBI-BEC) "pig butchering,"(Citation: wired-pig butchering) bank hacking,(Citation: DOJ-DPRK Heist) and exploiting cryptocurrency networks.(Citation: BBC-Ronin) + +Adversaries may [Compromise Accounts](https://attack.mitre.org/techniques/T1586) to conduct unauthorized transfers of funds.(Citation: Internet crime report 2022) In the case of business email compromise or email fraud, an adversary may utilize [Impersonation](https://attack.mitre.org/techniques/T1656) of a trusted entity. Once the social engineering is successful, victims can be deceived into sending money to financial accounts controlled by an adversary.(Citation: FBI-BEC) This creates the potential for multiple victims (i.e., compromised accounts as well as the ultimate monetary loss) in incidents involving financial theft.(Citation: VEC) + +Extortion by ransomware may occur, for example, when an adversary demands payment from a victim after [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) (Citation: NYT-Colonial) and [Exfiltration](https://attack.mitre.org/tactics/TA0010) of data, followed by threatening public exposure unless payment is made to the adversary.(Citation: Mandiant-leaks) + +Due to the potentially immense business impact of financial theft, an adversary may abuse the possibility of financial theft and seeking monetary gain to divert attention from their true goals such as [Data Destruction](https://attack.mitre.org/techniques/T1485) and business disruption.(Citation: AP-NotPetya)

    [T1564.011] Hide Artifacts: Ignore Process Interrupts

    Current version: 1.0

    Description: Adversaries may evade defensive mechanisms by executing commands that hide from process interrupt signals. Many operating systems use signals to deliver messages to control process behavior. Command interpreters often include specific commands/flags that ignore errors and other hangups, such as when the user of the active session logs off.(Citation: Linux Signal Man) These interrupt signals may also be used by defensive tools and/or analysts to pause or terminate specified running processes. + +Adversaries may invoke processes using `nohup`, [PowerShell](https://attack.mitre.org/techniques/T1059/001) `-ErrorAction SilentlyContinue`, or similar commands that may be immune to hangups.(Citation: nohup Linux Man)(Citation: Microsoft PowerShell SilentlyContinue) This may enable malicious commands and malware to continue execution through system events that would otherwise terminate its execution, such as users logging off or the termination of its C2 network connection. + +Hiding from process interrupt signals may allow malware to continue execution, but unlike [Trap](https://attack.mitre.org/techniques/T1546/005) this does not establish [Persistence](https://attack.mitre.org/tactics/TA0003) since the process will not be re-invoked once actually terminated.

    [T1656] Impersonation

    Current version: 1.0

    Description: Adversaries may impersonate a trusted person or organization in order to persuade and trick a target into performing some action on their behalf. For example, adversaries may communicate with victims (via [Phishing for Information](https://attack.mitre.org/techniques/T1598), [Phishing](https://attack.mitre.org/techniques/T1566), or [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)) while impersonating a known sender such as an executive, colleague, or third-party vendor. Established trust can then be leveraged to accomplish an adversary’s ultimate goals, possibly against multiple victims. + +In many cases of business email compromise or email fraud campaigns, adversaries use impersonation to defraud victims -- deceiving them into sending money or divulging information that ultimately enables [Financial Theft](https://attack.mitre.org/techniques/T1657). + +Adversaries will often also use social engineering techniques such as manipulative and persuasive language in email subject lines and body text such as `payment`, `request`, or `urgent` to push the victim to act quickly before malicious activity is detected. These campaigns are often specifically targeted against people who, due to job roles and/or accesses, can carry out the adversary’s goal.   + +Impersonation is typically preceded by reconnaissance techniques such as [Gather Victim Identity Information](https://attack.mitre.org/techniques/T1589) and [Gather Victim Org Information](https://attack.mitre.org/techniques/T1591) as well as acquiring infrastructure such as email domains (i.e. [Domains](https://attack.mitre.org/techniques/T1583/001)) to substantiate their false identity.(Citation: CrowdStrike-BEC) + +There is the potential for multiple victims in campaigns involving impersonation. For example, an adversary may [Compromise Accounts](https://attack.mitre.org/techniques/T1586) targeting one organization which can then be used to support impersonation against other entities.(Citation: VEC)

    [T1027.012] Obfuscated Files or Information: LNK Icon Smuggling

    Current version: 1.0

    Description: Adversaries may smuggle commands to download malicious payloads past content filters by hiding them within otherwise seemingly benign windows shortcut files. Windows shortcut files (.LNK) include many metadata fields, including an icon location field (also known as the `IconEnvironmentDataBlock`) designed to specify the path to an icon file that is to be displayed for the LNK file within a host directory. + +Adversaries may abuse this LNK metadata to download malicious payloads. For example, adversaries have been observed using LNK files as phishing payloads to deliver malware. Once invoked (e.g., [Malicious File](https://attack.mitre.org/techniques/T1204/002)), payloads referenced via external URLs within the LNK icon location field may be downloaded. These files may also then be invoked by [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)/[System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218) arguments within the target path field of the LNK.(Citation: Unprotect Shortcut)(Citation: Booby Trap Shortcut 2017) + +LNK Icon Smuggling may also be utilized post compromise, such as malicious scripts executing an LNK on an infected host to download additional malicious payloads. +

    [T1654] Log Enumeration

    Current version: 1.0

    Description: Adversaries may enumerate system and service logs to find useful data. These logs may highlight various types of valuable insights for an adversary, such as user authentication records ([Account Discovery](https://attack.mitre.org/techniques/T1087)), security or vulnerable software ([Software Discovery](https://attack.mitre.org/techniques/T1518)), or hosts within a compromised network ([Remote System Discovery](https://attack.mitre.org/techniques/T1018)). + +Host binaries may be leveraged to collect system logs. Examples include using `wevtutil.exe` or [PowerShell](https://attack.mitre.org/techniques/T1059/001) on Windows to access and/or export security event information.(Citation: WithSecure Lazarus-NoPineapple Threat Intel Report 2023)(Citation: Cadet Blizzard emerges as novel threat actor) In cloud environments, adversaries may leverage utilities such as the Azure VM Agent’s `CollectGuestLogs.exe` to collect security logs from cloud hosted infrastructure.(Citation: SIM Swapping and Abuse of the Microsoft Azure Serial Console) + +Adversaries may also target centralized logging infrastructure such as SIEMs. Logs may also be bulk exported and sent to adversary-controlled infrastructure for offline analysis.

    [T1578.005] Modify Cloud Compute Infrastructure: Modify Cloud Compute Configurations

    Current version: 1.0

    Description: Adversaries may modify settings that directly affect the size, locations, and resources available to cloud compute infrastructure in order to evade defenses. These settings may include service quotas, subscription associations, tenant-wide policies, or other configurations that impact available compute. Such modifications may allow adversaries to abuse the victim’s compute resources to achieve their goals, potentially without affecting the execution of running instances and/or revealing their activities to the victim. + +For example, cloud providers often limit customer usage of compute resources via quotas. Customers may request adjustments to these quotas to support increased computing needs, though these adjustments may require approval from the cloud provider. Adversaries who compromise a cloud environment may similarly request quota adjustments in order to support their activities, such as enabling additional [Resource Hijacking](https://attack.mitre.org/techniques/T1496) without raising suspicion by using up a victim’s entire quota.(Citation: Microsoft Cryptojacking 2023) Adversaries may also increase allowed resource usage by modifying any tenant-wide policies that limit the sizes of deployed virtual machines.(Citation: Microsoft Azure Policy) + +Adversaries may also modify settings that affect where cloud resources can be deployed, such as enabling [Unused/Unsupported Cloud Regions](https://attack.mitre.org/techniques/T1535). In Azure environments, an adversary who has gained access to a Global Administrator account may create new subscriptions in which to deploy resources, or engage in subscription hijacking by transferring an existing pay-as-you-go subscription from a victim tenant to an adversary-controlled tenant.(Citation: Microsoft Peach Sandstorm 2023) This will allow the adversary to use the victim’s compute resources without generating logs on the victim tenant.(Citation: Microsoft Azure Policy) (Citation: Microsoft Subscription Hijacking 2022)

    [T1653] Power Settings

    Current version: 1.0

    Description: Adversaries may impair a system's ability to hibernate, reboot, or shut down in order to extend access to infected machines. When a computer enters a dormant state, some or all software and hardware may cease to operate which can disrupt malicious activity.(Citation: Sleep, shut down, hibernate) + +Adversaries may abuse system utilities and configuration settings to maintain access by preventing machines from entering a state, such as standby, that can terminate malicious activity.(Citation: Microsoft: Powercfg command-line options)(Citation: systemdsleep Linux) + +For example, `powercfg` controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.(Citation: Two New Monero Malware Attacks Target Windows and Android Users) Adversaries may also extend system lock screen timeout settings.(Citation: BATLOADER: The Evasive Downloader Malware) Other relevant settings, such as disk and hibernate timeout, can be similarly abused to keep the infected machine running even if no user is active.(Citation: CoinLoader: A Sophisticated Malware Loader Campaign) + +Aware that some malware cannot survive system reboots, adversaries may entirely delete files used to invoke system shut down or reboot.(Citation: Condi-Botnet-binaries)

    [T1566.004] Phishing: Spearphishing Voice

    Current version: 1.0

    Description: Adversaries may use voice communications to ultimately gain access to victim systems. Spearphishing voice is a specific variant of spearphishing. It is different from other forms of spearphishing in that is employs the use of manipulating a user into providing access to systems through a phone call or other forms of voice communications. Spearphishing frequently involves social engineering techniques, such as posing as a trusted source (ex: [Impersonation](https://attack.mitre.org/techniques/T1656)) and/or creating a sense of urgency or alarm for the recipient. + +All forms of phishing are electronically delivered social engineering. In this scenario, adversaries are not directly sending malware to a victim vice relying on [User Execution](https://attack.mitre.org/techniques/T1204) for delivery and execution. For example, victims may receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware,(Citation: sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software) or install adversary-accessible remote management tools ([Remote Access Software](https://attack.mitre.org/techniques/T1219)) onto their computer.(Citation: Unit42 Luna Moth) + +Adversaries may also combine voice phishing with [Multi-Factor Authentication Request Generation](https://attack.mitre.org/techniques/T1621) in order to trick users into divulging MFA credentials or accepting authentication prompts.(Citation: Proofpoint Vishing)

    [T1598.004] Phishing for Information: Spearphishing Voice

    Current version: 1.0

    Description: Adversaries may use voice communications to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Impersonation](https://attack.mitre.org/techniques/T1656)) and/or creating a sense of urgency or alarm for the recipient. + +All forms of phishing are electronically delivered social engineering. In this scenario, adversaries use phone calls to elicit sensitive information from victims. Known as voice phishing (or "vishing"), these communications can be manually executed by adversaries, hired call centers, or even automated via robocalls. Voice phishers may spoof their phone number while also posing as a trusted entity, such as a business partner or technical support staff.(Citation: BOA Telephone Scams) + +Victims may also receive phishing messages that direct them to call a phone number ("callback phishing") where the adversary attempts to collect confidential information.(Citation: Avertium callback phishing) + +Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to tailor pretexts to be even more persuasive and believable for the victim.

    [T1548.005] Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access

    Current version: 1.0

    Description: Adversaries may abuse permission configurations that allow them to gain temporarily elevated access to cloud resources. Many cloud environments allow administrators to grant user or service accounts permission to request just-in-time access to roles, impersonate other accounts, pass roles onto resources and services, or otherwise gain short-term access to a set of privileges that may be distinct from their own. + +Just-in-time access is a mechanism for granting additional roles to cloud accounts in a granular, temporary manner. This allows accounts to operate with only the permissions they need on a daily basis, and to request additional permissions as necessary. Sometimes just-in-time access requests are configured to require manual approval, while other times the desired permissions are automatically granted.(Citation: Google Cloud Just in Time Access 2023)(Citation: Azure Just in Time Access 2023) + +Account impersonation allows user or service accounts to temporarily act with the permissions of another account. For example, in GCP users with the `iam.serviceAccountTokenCreator` role can create temporary access tokens or sign arbitrary payloads with the permissions of a service account.(Citation: Google Cloud Service Account Authentication Roles) In Exchange Online, the `ApplicationImpersonation` role allows a service account to use the permissions associated with specified user accounts.(Citation: Microsoft Impersonation and EWS in Exchange) + +Many cloud environments also include mechanisms for users to pass roles to resources that allow them to perform tasks and authenticate to other services. While the user that creates the resource does not directly assume the role they pass to it, they may still be able to take advantage of the role's access -- for example, by configuring the resource to perform certain actions with the permissions it has been granted. In AWS, users with the `PassRole` permission can allow a service they create to assume a given role, while in GCP, users with the `iam.serviceAccountUser` role can attach a service account to a resource.(Citation: AWS PassRole)(Citation: Google Cloud Service Account Authentication Roles) + +While users require specific role assignments in order to use any of these features, cloud administrators may misconfigure permissions. This could result in escalation paths that allow adversaries to gain access to resources beyond what was originally intended.(Citation: Rhino Google Cloud Privilege Escalation)(Citation: Rhino Security Labs AWS Privilege Escalation) + +**Note:** this technique is distinct from [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003), which involves assigning permanent roles to accounts rather than abusing existing permissions structures to gain temporarily elevated access to resources. However, adversaries that compromise a sufficiently privileged account may grant another account they control [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003) that would allow them to also abuse these features. This may also allow for greater stealth than would be had by directly using the highly privileged account, especially when logs do not clarify when role impersonation is taking place.(Citation: CrowdStrike StellarParticle January 2022)

    [T1016.002] System Network Configuration Discovery: Wi-Fi Discovery

    Current version: 1.0

    Description: Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems. Adversaries may use Wi-Fi information as part of [Account Discovery](https://attack.mitre.org/techniques/T1087), [Remote System Discovery](https://attack.mitre.org/techniques/T1018), and other discovery or [Credential Access](https://attack.mitre.org/tactics/TA0006) activity to support both ongoing and future campaigns. + +Adversaries may collect various types of information about Wi-Fi networks from hosts. For example, on Windows names and passwords of all Wi-Fi networks a device has previously connected to may be available through `netsh wlan show profiles` to enumerate Wi-Fi names and then `netsh wlan show profile “Wi-Fi name” key=clear` to show a Wi-Fi network’s corresponding password.(Citation: BleepingComputer Agent Tesla steal wifi passwords)(Citation: Malware Bytes New AgentTesla variant steals WiFi credentials)(Citation: Check Point APT35 CharmPower January 2022) Additionally, names and other details of locally reachable Wi-Fi networks can be discovered using calls to `wlanAPI.dll` [Native API](https://attack.mitre.org/techniques/T1106) functions.(Citation: Binary Defense Emotes Wi-Fi Spreader) + +On Linux, names and passwords of all Wi-Fi-networks a device has previously connected to may be available in files under ` /etc/NetworkManager/system-connections/`.(Citation: Wi-Fi Password of All Connected Networks in Windows/Linux) On macOS, the password of a known Wi-Fi may be identified with ` security find-generic-password -wa wifiname` (requires admin username/password).(Citation: Find Wi-Fi Password on Mac) +

    Major Version Changes

    [T1562.008] Impair Defenses: Disable or Modify Cloud Logs

    Current version: 2.0

    Version changed from: 1.3 → 2.0

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    		Old Description
    		New Description
    t1An adversary may disable cloud logging capabilities and intet1An adversary may disable or modify cloud logging capabilitie
    >grations to limit what data is collected on their activities>s and integrations to limit what data is collected on their 
    > and avoid detection. Cloud environments allow for collectio>activities and avoid detection. Cloud environments allow for
    >n and analysis of audit and application logs that provide in> collection and analysis of audit and application logs that 
    >sight into what activities a user does within the environmen>provide insight into what activities a user does within the 
    >t. If an adversary has sufficient permissions, they can disa>environment. If an adversary has sufficient permissions, the
    >ble logging to avoid detection of their activities.  For exa>y can disable or modify logging to avoid detection of their 
    >mple, in AWS an adversary may disable CloudWatch/CloudTrail >activities.  For example, in AWS an adversary may disable Cl
    >integrations prior to conducting further malicious activity.>oudWatch/CloudTrail integrations prior to conducting further
    >(Citation: Following the CloudTrail: Generating strong AWS s> malicious activity.(Citation: Following the CloudTrail: Gen
    >ecurity signals with Sumo Logic) In Office 365, an adversary>erating strong AWS security signals with Sumo Logic) They ma
    > may disable logging on mail collection activities for speci>y alternatively tamper with logging functionality – for exam
    >fic users by using the `Set-MailboxAuditBypassAssociation` c>ple, by removing any associated SNS topics, disabling multi-
    >mdlet, by disabling M365 Advanced Auditing for the user, or >region logging, or disabling settings that validate and/or e
    >by downgrading the user’s license from an Enterprise E5 to a>ncrypt log files.(Citation: AWS Update Trail)(Citation: Pacu
    >n Enterprise E3 license.(Citation: Dark Reading Microsoft 36> Detection Disruption Module) In Office 365, an adversary ma
    >5 Attacks 2021)>y disable logging on mail collection activities for specific
     > users by using the `Set-MailboxAuditBypassAssociation` cmdl
     >et, by disabling M365 Advanced Auditing for the user, or by 
     >downgrading the user’s license from an Enterprise E5 to an E
     >nterprise E3 license.(Citation: Dark Reading Microsoft 365 A
     >ttacks 2021)
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-04-20 18:13:50.277000+00:002023-10-15 10:47:17.305000+00:00
    nameDisable Cloud LogsDisable or Modify Cloud Logs
    descriptionAn adversary may disable cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable logging to avoid detection of their activities. + +For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.(Citation: Following the CloudTrail: Generating strong AWS security signals with Sumo Logic) In Office 365, an adversary may disable logging on mail collection activities for specific users by using the `Set-MailboxAuditBypassAssociation` cmdlet, by disabling M365 Advanced Auditing for the user, or by downgrading the user’s license from an Enterprise E5 to an Enterprise E3 license.(Citation: Dark Reading Microsoft 365 Attacks 2021)An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable or modify logging to avoid detection of their activities. + +For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.(Citation: Following the CloudTrail: Generating strong AWS security signals with Sumo Logic) They may alternatively tamper with logging functionality – for example, by removing any associated SNS topics, disabling multi-region logging, or disabling settings that validate and/or encrypt log files.(Citation: AWS Update Trail)(Citation: Pacu Detection Disruption Module) In Office 365, an adversary may disable logging on mail collection activities for specific users by using the `Set-MailboxAuditBypassAssociation` cmdlet, by disabling M365 Advanced Auditing for the user, or by downgrading the user’s license from an Enterprise E5 to an Enterprise E3 license.(Citation: Dark Reading Microsoft 365 Attacks 2021)
    x_mitre_attack_spec_version3.1.03.2.0
    x_mitre_version1.32.0
    iterable_item_added
    STIX FieldOld valueNew Value
    external_references{'source_name': 'AWS Update Trail', 'description': 'AWS. (n.d.). update-trail. Retrieved August 4, 2023.', 'url': 'https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/update-trail.html'}
    external_references{'source_name': 'Pacu Detection Disruption Module', 'description': 'Rhino Security Labs. (2021, April 29). Pacu Detection Disruption Module. Retrieved August 4, 2023.', 'url': 'https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/detection__disruption/main.py'}

    [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

    Current version: 2.0

    Version changed from: 1.2 → 2.0

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    		Old Description
    		New Description
    t1Adversaries may achieve persistence by adding a program to at1Adversaries may achieve persistence by adding a program to a
    > startup folder or referencing it with a Registry run key. A> startup folder or referencing it with a Registry run key. A
    >dding an entry to the "run keys" in the Registry or startup >dding an entry to the "run keys" in the Registry or startup 
    >folder will cause the program referenced to be executed when>folder will cause the program referenced to be executed when
    > a user logs in.(Citation: Microsoft Run Key) These programs> a user logs in.(Citation: Microsoft Run Key) These programs
    > will be executed under the context of the user and will hav> will be executed under the context of the user and will hav
    >e the account's associated permissions level.  Placing a pro>e the account's associated permissions level.  The following
    >gram within a startup folder will also cause that program to> run keys are created by default on Windows systems:  * <cod
    > execute when a user logs in. There is a startup folder loca>e>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersio
    >tion for individual user accounts as well as a system-wide s>n\Run</code> * <code>HKEY_CURRENT_USER\Software\Microsoft\Wi
    >tartup folder that will be checked regardless of which user >ndows\CurrentVersion\RunOnce</code> * <code>HKEY_LOCAL_MACHI
    >account logs in. The startup folder path for the current use>NE\Software\Microsoft\Windows\CurrentVersion\Run</code> * <c
    >r is <code>C:\Users\\[Username]\AppData\Roaming\Microsoft\Wi>ode>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVer
    >ndows\Start Menu\Programs\Startup</code>. The startup folder>sion\RunOnce</code>  Run keys may exist under multiple hives
    > path for all users is <code>C:\ProgramData\Microsoft\Window>.(Citation: Microsoft Wow6432Node 2018)(Citation: Malwarebyt
    >s\Start Menu\Programs\StartUp</code>.  The following run key>es Wow6432Node 2016) The <code>HKEY_LOCAL_MACHINE\Software\M
    >s are created by default on Windows systems:  * <code>HKEY_C>icrosoft\Windows\CurrentVersion\RunOnceEx</code> is also ava
    >URRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run</c>ilable but is not created by default on Windows Vista and ne
    >ode> * <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\Cu>wer. Registry run key entries can reference programs directl
    >rrentVersion\RunOnce</code> * <code>HKEY_LOCAL_MACHINE\Softw>y or list them as a dependency.(Citation: Microsoft Run Key)
    >are\Microsoft\Windows\CurrentVersion\Run</code> * <code>HKEY> For example, it is possible to load a DLL at logon using a 
    >_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run>"Depend" key with RunOnceEx: <code>reg add HKLM\SOFTWARE\Mic
    >Once</code>  Run keys may exist under multiple hives.(Citati>rosoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d 
    >on: Microsoft Wow6432Node 2018)(Citation: Malwarebytes Wow64>"C:\temp\evil[.]dll"</code> (Citation: Oddvar Moe RunOnceEx 
    >32Node 2016) The <code>HKEY_LOCAL_MACHINE\Software\Microsoft>Mar 2018)  Placing a program within a startup folder will al
    >\Windows\CurrentVersion\RunOnceEx</code> is also available b>so cause that program to execute when a user logs in. There 
    >ut is not created by default on Windows Vista and newer. Reg>is a startup folder location for individual user accounts as
    >istry run key entries can reference programs directly or lis> well as a system-wide startup folder that will be checked r
    >t them as a dependency.(Citation: Microsoft Run Key) For exa>egardless of which user account logs in. The startup folder 
    >mple, it is possible to load a DLL at logon using a "Depend">path for the current user is <code>C:\Users\\[Username]\AppD
    > key with RunOnceEx: <code>reg add HKLM\SOFTWARE\Microsoft\W>ata\Roaming\Microsoft\Windows\Start Menu\Programs\Startup</c
    >indows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp>ode>. The startup folder path for all users is <code>C:\Prog
    >\evil[.]dll"</code> (Citation: Oddvar Moe RunOnceEx Mar 2018>ramData\Microsoft\Windows\Start Menu\Programs\StartUp</code>
    >)  The following Registry keys can be used to set startup fo>.  The following Registry keys can be used to set startup fo
    >lder items for persistence:  * <code>HKEY_CURRENT_USER\Softw>lder items for persistence:  * <code>HKEY_CURRENT_USER\Softw
    >are\Microsoft\Windows\CurrentVersion\Explorer\User Shell Fol>are\Microsoft\Windows\CurrentVersion\Explorer\User Shell Fol
    >ders</code> * <code>HKEY_CURRENT_USER\Software\Microsoft\Win>ders</code> * <code>HKEY_CURRENT_USER\Software\Microsoft\Win
    >dows\CurrentVersion\Explorer\Shell Folders</code> * <code>HK>dows\CurrentVersion\Explorer\Shell Folders</code> * <code>HK
    >EY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\E>EY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\E
    >xplorer\Shell Folders</code> * <code>HKEY_LOCAL_MACHINE\SOFT>xplorer\Shell Folders</code> * <code>HKEY_LOCAL_MACHINE\SOFT
    >WARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Fo>WARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Fo
    >lders</code>  The following Registry keys can control automa>lders</code>  The following Registry keys can control automa
    >tic startup of services during boot:  * <code>HKEY_LOCAL_MAC>tic startup of services during boot:  * <code>HKEY_LOCAL_MAC
    >HINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOn>HINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOn
    >ce</code> * <code>HKEY_CURRENT_USER\Software\Microsoft\Windo>ce</code> * <code>HKEY_CURRENT_USER\Software\Microsoft\Windo
    >ws\CurrentVersion\RunServicesOnce</code> * <code>HKEY_LOCAL_>ws\CurrentVersion\RunServicesOnce</code> * <code>HKEY_LOCAL_
    >MACHINE\Software\Microsoft\Windows\CurrentVersion\RunService>MACHINE\Software\Microsoft\Windows\CurrentVersion\RunService
    >s</code> * <code>HKEY_CURRENT_USER\Software\Microsoft\Window>s</code> * <code>HKEY_CURRENT_USER\Software\Microsoft\Window
    >s\CurrentVersion\RunServices</code>  Using policy settings t>s\CurrentVersion\RunServices</code>  Using policy settings t
    >o specify startup programs creates corresponding values in e>o specify startup programs creates corresponding values in e
    >ither of two Registry keys:  * <code>HKEY_LOCAL_MACHINE\Soft>ither of two Registry keys:  * <code>HKEY_LOCAL_MACHINE\Soft
    >ware\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run<>ware\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run<
    >/code> * <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\>/code> * <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\
    >CurrentVersion\Policies\Explorer\Run</code>  The Winlogon ke>CurrentVersion\Policies\Explorer\Run</code>  Programs listed
    >y controls actions that occur when a user logs on to a compu> in the load value of the registry key <code>HKEY_CURRENT_US
    >ter running Windows 7. Most of these actions are under the c>ER\Software\Microsoft\Windows NT\CurrentVersion\Windows</cod
    >ontrol of the operating system, but you can also add custom >e> run automatically for the currently logged-on user.  By d
    >actions here. The <code>HKEY_LOCAL_MACHINE\Software\Microsof>efault, the multistring <code>BootExecute</code> value of th
    >t\Windows NT\CurrentVersion\Winlogon\Userinit</code> and <co>e registry key <code>HKEY_LOCAL_MACHINE\System\CurrentContro
    >de>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentV>lSet\Control\Session Manager</code> is set to <code>autochec
    >ersion\Winlogon\Shell</code> subkeys can automatically launc>k autochk *</code>. This value causes Windows, at startup, t
    >h programs.  Programs listed in the load value of the regist>o check the file-system integrity of the hard disks if the s
    >ry key <code>HKEY_CURRENT_USER\Software\Microsoft\Windows NT>ystem has been shut down abnormally. Adversaries can add oth
    >\CurrentVersion\Windows</code> run when any user logs on.  B>er programs or processes to this registry value which will a
    >y default, the multistring <code>BootExecute</code> value of>utomatically launch at boot.  Adversaries can use these conf
    > the registry key <code>HKEY_LOCAL_MACHINE\System\CurrentCon>iguration locations to execute malware, such as remote acces
    >trolSet\Control\Session Manager</code> is set to <code>autoc>s tools, to maintain persistence through system reboots. Adv
    >heck autochk *</code>. This value causes Windows, at startup>ersaries may also use [Masquerading](https://attack.mitre.or
    >, to check the file-system integrity of the hard disks if th>g/techniques/T1036) to make the Registry entries look as if 
    >e system has been shut down abnormally. Adversaries can add >they are associated with legitimate programs.
    >other programs or processes to this registry value which wil 
    >l automatically launch at boot.  Adversaries can use these c 
    >onfiguration locations to execute malware, such as remote ac 
    >cess tools, to maintain persistence through system reboots.  
    >Adversaries may also use [Masquerading](https://attack.mitre 
    >.org/techniques/T1036) to make the Registry entries look as  
    >if they are associated with legitimate programs. 
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 21:01:52.183000+00:002023-10-16 09:08:22.319000+00:00
    descriptionAdversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level. + +Placing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is C:\Users\\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup. The startup folder path for all users is C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp. + +The following run keys are created by default on Windows systems: + +* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run +* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce +* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run +* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce + +Run keys may exist under multiple hives.(Citation: Microsoft Wow6432Node 2018)(Citation: Malwarebytes Wow6432Node 2016) The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency.(Citation: Microsoft Run Key) For example, it is possible to load a DLL at logon using a "Depend" key with RunOnceEx: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil[.]dll" (Citation: Oddvar Moe RunOnceEx Mar 2018) + +The following Registry keys can be used to set startup folder items for persistence: + +* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders +* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders +* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders +* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders + +The following Registry keys can control automatic startup of services during boot: + +* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce +* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce +* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices +* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices + +Using policy settings to specify startup programs creates corresponding values in either of two Registry keys: + +* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run +* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run + +The Winlogon key controls actions that occur when a user logs on to a computer running Windows 7. Most of these actions are under the control of the operating system, but you can also add custom actions here. The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell subkeys can automatically launch programs. + +Programs listed in the load value of the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows run when any user logs on. + +By default, the multistring BootExecute value of the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager is set to autocheck autochk *. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot. + +Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs.Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level. + +The following run keys are created by default on Windows systems: + +* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run +* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce +* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run +* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce + +Run keys may exist under multiple hives.(Citation: Microsoft Wow6432Node 2018)(Citation: Malwarebytes Wow6432Node 2016) The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency.(Citation: Microsoft Run Key) For example, it is possible to load a DLL at logon using a "Depend" key with RunOnceEx: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil[.]dll" (Citation: Oddvar Moe RunOnceEx Mar 2018) + +Placing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is C:\Users\\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup. The startup folder path for all users is C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp. + +The following Registry keys can be used to set startup folder items for persistence: + +* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders +* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders +* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders +* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders + +The following Registry keys can control automatic startup of services during boot: + +* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce +* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce +* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices +* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices + +Using policy settings to specify startup programs creates corresponding values in either of two Registry keys: + +* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run +* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run + +Programs listed in the load value of the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows run automatically for the currently logged-on user. + +By default, the multistring BootExecute value of the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager is set to autocheck autochk *. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot. + +Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs.
    x_mitre_attack_spec_version2.1.03.2.0
    x_mitre_version1.22.0
    iterable_item_added
    STIX FieldOld valueNew Value
    x_mitre_contributorsHarun Küßner
    Minor Version Changes

    [T1548] Abuse Elevation Control Mechanism

    Current version: 1.2

    Version changed from: 1.1 → 1.2

    New Mitigations:

    • M1018: User Account Management

    New Detections:

    • DS0002: User Account (User Account Modification)
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-04-21 12:35:07.744000+00:002023-10-02 00:47:11.369000+00:00
    x_mitre_attack_spec_version3.1.03.2.0
    x_mitre_version1.11.2
    iterable_item_added
    STIX FieldOld valueNew Value
    x_mitre_data_sourcesUser Account: User Account Modification
    x_mitre_platformsOffice 365
    x_mitre_platformsIaaS
    x_mitre_platformsGoogle Workspace
    x_mitre_platformsAzure AD

    [T1098] Account Manipulation

    Current version: 2.6

    Version changed from: 2.5 → 2.6

    + + + + + + + + + + + + + + + + + + + + +

    		Old Description
    		New Description
    t1Adversaries may manipulate accounts to maintain access to vit1Adversaries may manipulate accounts to maintain and/or eleva
    >ctim systems. Account manipulation may consist of any action>te access to victim systems. Account manipulation may consis
    > that preserves adversary access to a compromised account, s>t of any action that preserves or modifies adversary access 
    >uch as modifying credentials or permission groups. These act>to a compromised account, such as modifying credentials or p
    >ions could also include account activity designed to subvert>ermission groups. These actions could also include account a
    > security policies, such as performing iterative password up>ctivity designed to subvert security policies, such as perfo
    >dates to bypass password duration policies and preserve the >rming iterative password updates to bypass password duration
    >life of compromised credentials.   In order to create or man> policies and preserve the life of compromised credentials. 
    >ipulate accounts, the adversary must already have sufficient>  In order to create or manipulate accounts, the adversary m
    > permissions on systems or the domain. However, account mani>ust already have sufficient permissions on systems or the do
    >pulation may also lead to privilege escalation where modific>main. However, account manipulation may also lead to privile
    >ations grant access to additional roles, permissions, or hig>ge escalation where modifications grant access to additional
    >her-privileged [Valid Accounts](https://attack.mitre.org/tec> roles, permissions, or higher-privileged [Valid Accounts](h
    >hniques/T1078).>ttps://attack.mitre.org/techniques/T1078).
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-04-12 23:29:30.966000+00:002023-10-16 17:45:54.884000+00:00
    descriptionAdversaries may manipulate accounts to maintain access to victim systems. Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. + +In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged [Valid Accounts](https://attack.mitre.org/techniques/T1078).Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. + +In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged [Valid Accounts](https://attack.mitre.org/techniques/T1078).
    x_mitre_attack_spec_version3.1.03.2.0
    x_mitre_version2.52.6
    iterable_item_added
    STIX FieldOld valueNew Value
    kill_chain_phases{'kill_chain_name': 'mitre-attack', 'phase_name': 'privilege-escalation'}
    x_mitre_contributorsArad Inbar, Fidelis Security
    x_mitre_platformsContainers

    [T1583] Acquire Infrastructure

    Current version: 1.3

    Version changed from: 1.2 → 1.3

    + + + + + + + + + + + + + + + + + + + + + + + + +

    		Old Description
    		New Description
    t1Adversaries may buy, lease, or rent infrastructure that can t1Adversaries may buy, lease, or rent infrastructure that can 
    >be used during targeting. A wide variety of infrastructure e>be used during targeting. A wide variety of infrastructure e
    >xists for hosting and orchestrating adversary operations. In>xists for hosting and orchestrating adversary operations. In
    >frastructure solutions include physical or cloud servers, do>frastructure solutions include physical or cloud servers, do
    >mains, and third-party web services.(Citation: TrendmicroHid>mains, and third-party web services.(Citation: TrendmicroHid
    >eoutsLease) Additionally, botnets are available for rent or >eoutsLease) Additionally, botnets are available for rent or 
    >purchase.  Use of these infrastructure solutions allows adve>purchase.  Use of these infrastructure solutions allows adve
    >rsaries to stage, launch, and execute operations. Solutions >rsaries to stage, launch, and execute operations. Solutions 
    >may help adversary operations blend in with traffic that is >may help adversary operations blend in with traffic that is 
    >seen as normal, such as contacting third-party web services >seen as normal, such as contacting third-party web services 
    >or acquiring infrastructure to support [Proxy](https://attac>or acquiring infrastructure to support [Proxy](https://attac
    >k.mitre.org/techniques/T1090).(Citation: amnesty_nso_pegasus>k.mitre.org/techniques/T1090), including from residential pr
    >) Depending on the implementation, adversaries may use infra>oxy services.(Citation: amnesty_nso_pegasus)(Citation: FBI P
    >structure that makes it difficult to physically tie back to >roxies Credential Stuffing)(Citation: Mandiant APT29 Microso
    >them as well as utilize infrastructure that can be rapidly p>ft 365 2022) Depending on the implementation, adversaries ma
    >rovisioned, modified, and shut down.>y use infrastructure that makes it difficult to physically t
     >ie back to them as well as utilize infrastructure that can b
     >e rapidly provisioned, modified, and shut down.
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-02 21:34:46.139000+00:002023-10-02 01:10:09.833000+00:00
    descriptionAdversaries may buy, lease, or rent infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Additionally, botnets are available for rent or purchase. + +Use of these infrastructure solutions allows adversaries to stage, launch, and execute operations. Solutions may help adversary operations blend in with traffic that is seen as normal, such as contacting third-party web services or acquiring infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090).(Citation: amnesty_nso_pegasus) Depending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down.Adversaries may buy, lease, or rent infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Additionally, botnets are available for rent or purchase. + +Use of these infrastructure solutions allows adversaries to stage, launch, and execute operations. Solutions may help adversary operations blend in with traffic that is seen as normal, such as contacting third-party web services or acquiring infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090), including from residential proxy services.(Citation: amnesty_nso_pegasus)(Citation: FBI Proxies Credential Stuffing)(Citation: Mandiant APT29 Microsoft 365 2022) Depending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down.
    x_mitre_attack_spec_version3.1.03.2.0
    x_mitre_version1.21.3
    iterable_item_added
    STIX FieldOld valueNew Value
    external_references{'source_name': 'Mandiant APT29 Microsoft 365 2022', 'description': 'Douglas Bienstock. (2022, August 18). You Can’t Audit Me: APT29 Continues Targeting Microsoft 365. Retrieved February 23, 2023.', 'url': 'https://www.mandiant.com/resources/blog/apt29-continues-targeting-microsoft'}
    external_references{'source_name': 'FBI Proxies Credential Stuffing', 'description': 'FBI. (2022, August 18). Proxies and Configurations Used for Credential Stuffing Attacks on Online Customer Accounts . Retrieved July 6, 2023.', 'url': 'https://www.ic3.gov/Media/News/2022/220818.pdf'}
    x_mitre_contributorsGoldstein Menachem

    [T1098.001] Account Manipulation: Additional Cloud Credentials

    Current version: 2.6

    Version changed from: 2.5 → 2.6

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    		Old Description
    		New Description
    t1Adversaries may add adversary-controlled credentials to a clt1Adversaries may add adversary-controlled credentials to a cl
    >oud account to maintain persistent access to victim accounts>oud account to maintain persistent access to victim accounts
    > and instances within the environment.  For example, adversa> and instances within the environment.  For example, adversa
    >ries may add credentials for Service Principals and Applicat>ries may add credentials for Service Principals and Applicat
    >ions in addition to existing legitimate credentials in Azure>ions in addition to existing legitimate credentials in Azure
    > AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citat> AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citat
    >ion: Blue Cloud of Death)(Citation: Blue Cloud of Death Vide>ion: Blue Cloud of Death)(Citation: Blue Cloud of Death Vide
    >o) These credentials include both x509 keys and passwords.(C>o) These credentials include both x509 keys and passwords.(C
    >itation: Microsoft SolarWinds Customer Guidance) With suffic>itation: Microsoft SolarWinds Customer Guidance) With suffic
    >ient permissions, there are a variety of ways to add credent>ient permissions, there are a variety of ways to add credent
    >ials including the Azure Portal, Azure command line interfac>ials including the Azure Portal, Azure command line interfac
    >e, and Azure or Az PowerShell modules.(Citation: Demystifyin>e, and Azure or Az PowerShell modules.(Citation: Demystifyin
    >g Azure AD Service Principals)  In infrastructure-as-a-servi>g Azure AD Service Principals)  In infrastructure-as-a-servi
    >ce (IaaS) environments, after gaining access through [Cloud >ce (IaaS) environments, after gaining access through [Cloud 
    >Accounts](https://attack.mitre.org/techniques/T1078/004), ad>Accounts](https://attack.mitre.org/techniques/T1078/004), ad
    >versaries may generate or import their own SSH keys using ei>versaries may generate or import their own SSH keys using ei
    >ther the <code>CreateKeyPair</code> or <code>ImportKeyPair</>ther the <code>CreateKeyPair</code> or <code>ImportKeyPair</
    >code> API in AWS or the <code>gcloud compute os-login ssh-ke>code> API in AWS or the <code>gcloud compute os-login ssh-ke
    >ys add</code> command in GCP.(Citation: GCP SSH Key Add) Thi>ys add</code> command in GCP.(Citation: GCP SSH Key Add) Thi
    >s allows persistent access to instances within the cloud env>s allows persistent access to instances within the cloud env
    >ironment without further usage of the compromised cloud acco>ironment without further usage of the compromised cloud acco
    >unts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind>unts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind
    > the Scenes)  Adversaries may also use the <code>CreateAcces> the Scenes)  Adversaries may also use the <code>CreateAcces
    >sKey</code> API in AWS or the <code>gcloud iam service-accou>sKey</code> API in AWS or the <code>gcloud iam service-accou
    >nts keys create</code> command in GCP to add access keys to >nts keys create</code> command in GCP to add access keys to 
    >an account. If the target account has different permissions >an account. If the target account has different permissions 
    >from the requesting account, the adversary may also be able >from the requesting account, the adversary may also be able 
    >to escalate their privileges in the environment (i.e. [Cloud>to escalate their privileges in the environment (i.e. [Cloud
    > Accounts](https://attack.mitre.org/techniques/T1078/004)).(> Accounts](https://attack.mitre.org/techniques/T1078/004)).(
    >Citation: Rhino Security Labs AWS Privilege Escalation)  In >Citation: Rhino Security Labs AWS Privilege Escalation)(Cita
    >AWS environments, adversaries with the appropriate permissio>tion: Sysdig ScarletEel 2.0) For example, in Azure AD enviro
    >ns may also use the `sts:GetFederationToken` API call to cre>nments, an adversary with the Application Administrator role
    >ate a temporary set of credentials tied to the permissions o> can add a new set of credentials to their application's ser
    >f the original user account. These credentials may remain va>vice principal. In doing so the adversary would be able to a
    >lid for the duration of their lifetime even if the original >ccess the service principal’s roles and permissions, which m
    >account’s API credentials are deactivated. (Citation: Crowds>ay be different from those of the Application Administrator.
    >trike AWS User Federation Persistence)>(Citation: SpecterOps Azure Privilege Escalation)   In AWS e
     >nvironments, adversaries with the appropriate permissions ma
     >y also use the `sts:GetFederationToken` API call to create a
     > temporary set of credentials tied to the permissions of the
     > original user account. These credentials may remain valid f
     >or the duration of their lifetime even if the original accou
     >nt’s API credentials are deactivated. (Citation: Crowdstrike
     > AWS User Federation Persistence)
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-05-04 18:03:36.622000+00:002023-10-03 17:37:24.011000+00:00
    descriptionAdversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment. + +For example, adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals) + +In infrastructure-as-a-service (IaaS) environments, after gaining access through [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries may generate or import their own SSH keys using either the CreateKeyPair or ImportKeyPair API in AWS or the gcloud compute os-login ssh-keys add command in GCP.(Citation: GCP SSH Key Add) This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind the Scenes) + +Adversaries may also use the CreateAccessKey API in AWS or the gcloud iam service-accounts keys create command in GCP to add access keys to an account. If the target account has different permissions from the requesting account, the adversary may also be able to escalate their privileges in the environment (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation: Rhino Security Labs AWS Privilege Escalation) + +In AWS environments, adversaries with the appropriate permissions may also use the `sts:GetFederationToken` API call to create a temporary set of credentials tied to the permissions of the original user account. These credentials may remain valid for the duration of their lifetime even if the original account’s API credentials are deactivated. +(Citation: Crowdstrike AWS User Federation Persistence)Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment. + +For example, adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals) + +In infrastructure-as-a-service (IaaS) environments, after gaining access through [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries may generate or import their own SSH keys using either the CreateKeyPair or ImportKeyPair API in AWS or the gcloud compute os-login ssh-keys add command in GCP.(Citation: GCP SSH Key Add) This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind the Scenes) + +Adversaries may also use the CreateAccessKey API in AWS or the gcloud iam service-accounts keys create command in GCP to add access keys to an account. If the target account has different permissions from the requesting account, the adversary may also be able to escalate their privileges in the environment (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation: Rhino Security Labs AWS Privilege Escalation)(Citation: Sysdig ScarletEel 2.0) For example, in Azure AD environments, an adversary with the Application Administrator role can add a new set of credentials to their application's service principal. In doing so the adversary would be able to access the service principal’s roles and permissions, which may be different from those of the Application Administrator.(Citation: SpecterOps Azure Privilege Escalation) + +In AWS environments, adversaries with the appropriate permissions may also use the `sts:GetFederationToken` API call to create a temporary set of credentials tied to the permissions of the original user account. These credentials may remain valid for the duration of their lifetime even if the original account’s API credentials are deactivated. +(Citation: Crowdstrike AWS User Federation Persistence)
    x_mitre_attack_spec_version3.1.03.2.0
    x_mitre_version2.52.6
    iterable_item_added
    STIX FieldOld valueNew Value
    kill_chain_phases{'kill_chain_name': 'mitre-attack', 'phase_name': 'privilege-escalation'}
    external_references{'source_name': 'SpecterOps Azure Privilege Escalation', 'description': 'Andy Robbins. (2021, October 12). Azure Privilege Escalation via Service Principal Abuse. Retrieved April 1, 2022.', 'url': 'https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5'}
    external_references{'source_name': 'Sysdig ScarletEel 2.0', 'description': 'SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto. (2023, July 11). SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto. Retrieved July 12, 2023.', 'url': 'https://sysdig.com/blog/scarleteel-2-0/'}
    x_mitre_contributorsArad Inbar, Fidelis Security

    [T1098.003] Account Manipulation: Additional Cloud Roles

    Current version: 2.3

    Version changed from: 2.2 → 2.3

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    		Old Description
    		New Description
    t1An adversary may add additional roles or permissions to an at1An adversary may add additional roles or permissions to an a
    >dversary-controlled cloud account to maintain persistent acc>dversary-controlled cloud account to maintain persistent acc
    >ess to a tenant. For example, adversaries may update IAM pol>ess to a tenant. For example, adversaries may update IAM pol
    >icies in cloud-based environments or add a new global admini>icies in cloud-based environments or add a new global admini
    >strator in Office 365 environments.(Citation: AWS IAM Polici>strator in Office 365 environments.(Citation: AWS IAM Polici
    >es and Permissions)(Citation: Google Cloud IAM Policies)(Cit>es and Permissions)(Citation: Google Cloud IAM Policies)(Cit
    >ation: Microsoft Support O365 Add Another Admin, October 201>ation: Microsoft Support O365 Add Another Admin, October 201
    >9)(Citation: Microsoft O365 Admin Roles) With sufficient per>9)(Citation: Microsoft O365 Admin Roles) With sufficient per
    >missions, a compromised account can gain almost unlimited ac>missions, a compromised account can gain almost unlimited ac
    >cess to data and settings (including the ability to reset th>cess to data and settings (including the ability to reset th
    >e passwords of other admins).(Citation: Expel AWS Attacker) >e passwords of other admins).(Citation: Expel AWS Attacker) 
    >(Citation: Microsoft O365 Admin Roles)   This account modifi>(Citation: Microsoft O365 Admin Roles)   This account modifi
    >cation may immediately follow [Create Account](https://attac>cation may immediately follow [Create Account](https://attac
    >k.mitre.org/techniques/T1136) or other malicious account act>k.mitre.org/techniques/T1136) or other malicious account act
    >ivity. Adversaries may also modify existing [Valid Accounts]>ivity. Adversaries may also modify existing [Valid Accounts]
    >(https://attack.mitre.org/techniques/T1078) that they have c>(https://attack.mitre.org/techniques/T1078) that they have c
    >ompromised. This could lead to privilege escalation, particu>ompromised. This could lead to privilege escalation, particu
    >larly if the roles added allow for lateral movement to addit>larly if the roles added allow for lateral movement to addit
    >ional accounts.  For example, in Azure AD environments, an a>ional accounts.  For example, in AWS environments, an advers
    >dversary with the Application Administrator role can add [Ad>ary with appropriate permissions may be able to use the <cod
    >ditional Cloud Credentials](https://attack.mitre.org/techniq>e>CreatePolicyVersion</code> API to define a new version of 
    >ues/T1098/001) to their application's service principal. In >an IAM policy or the <code>AttachUserPolicy</code> API to at
    >doing so the adversary would be able to gain the service pri>tach an IAM policy with additional or distinct permissions t
    >ncipal’s roles and permissions, which may be different from >o a compromised user account.(Citation: Rhino Security Labs 
    >those of the Application Administrator.(Citation: SpecterOps>AWS Privilege Escalation)
    > Azure Privilege Escalation) Similarly, in AWS environments, 
    > an adversary with appropriate permissions may be able to us 
    >e the <code>CreatePolicyVersion</code> API to define a new v 
    >ersion of an IAM policy or the <code>AttachUserPolicy</code> 
    > API to attach an IAM policy with additional or distinct per 
    >missions to a compromised user account.(Citation: Rhino Secu 
    >rity Labs AWS Privilege Escalation)  Similarly, an adversary 
    > with the Azure AD Global Administrator role can toggle the  
    >“Access management for Azure resources” option to gain the a 
    >bility to assign privileged access to Azure subscriptions an 
    >d virtual machines to Azure AD users, including themselves.( 
    >Citation: Azure AD to AD)  
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-04-14 22:48:50.142000+00:002023-10-03 17:37:41.250000+00:00
    descriptionAn adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments.(Citation: AWS IAM Policies and Permissions)(Citation: Google Cloud IAM Policies)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: Microsoft O365 Admin Roles) With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins).(Citation: Expel AWS Attacker) +(Citation: Microsoft O365 Admin Roles) + +This account modification may immediately follow [Create Account](https://attack.mitre.org/techniques/T1136) or other malicious account activity. Adversaries may also modify existing [Valid Accounts](https://attack.mitre.org/techniques/T1078) that they have compromised. This could lead to privilege escalation, particularly if the roles added allow for lateral movement to additional accounts. + +For example, in Azure AD environments, an adversary with the Application Administrator role can add [Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) to their application's service principal. In doing so the adversary would be able to gain the service principal’s roles and permissions, which may be different from those of the Application Administrator.(Citation: SpecterOps Azure Privilege Escalation) Similarly, in AWS environments, an adversary with appropriate permissions may be able to use the CreatePolicyVersion API to define a new version of an IAM policy or the AttachUserPolicy API to attach an IAM policy with additional or distinct permissions to a compromised user account.(Citation: Rhino Security Labs AWS Privilege Escalation) + +Similarly, an adversary with the Azure AD Global Administrator role can toggle the “Access management for Azure resources” option to gain the ability to assign privileged access to Azure subscriptions and virtual machines to Azure AD users, including themselves.(Citation: Azure AD to AD) An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments.(Citation: AWS IAM Policies and Permissions)(Citation: Google Cloud IAM Policies)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: Microsoft O365 Admin Roles) With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins).(Citation: Expel AWS Attacker) +(Citation: Microsoft O365 Admin Roles) + +This account modification may immediately follow [Create Account](https://attack.mitre.org/techniques/T1136) or other malicious account activity. Adversaries may also modify existing [Valid Accounts](https://attack.mitre.org/techniques/T1078) that they have compromised. This could lead to privilege escalation, particularly if the roles added allow for lateral movement to additional accounts. + +For example, in AWS environments, an adversary with appropriate permissions may be able to use the CreatePolicyVersion API to define a new version of an IAM policy or the AttachUserPolicy API to attach an IAM policy with additional or distinct permissions to a compromised user account.(Citation: Rhino Security Labs AWS Privilege Escalation)
    x_mitre_attack_spec_version3.1.03.2.0
    x_mitre_version2.22.3
    iterable_item_added
    STIX FieldOld valueNew Value
    kill_chain_phases{'kill_chain_name': 'mitre-attack', 'phase_name': 'privilege-escalation'}
    x_mitre_contributorsArad Inbar, Fidelis Security
    iterable_item_removed
    STIX FieldOld valueNew Value
    external_references{'source_name': 'SpecterOps Azure Privilege Escalation', 'description': 'Andy Robbins. (2021, October 12). Azure Privilege Escalation via Service Principal Abuse. Retrieved April 1, 2022.', 'url': 'https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5'}
    external_references{'source_name': 'Azure AD to AD', 'description': 'Sean Metcalf. (2020, May 27). From Azure AD to Active Directory (via Azure) – An Unanticipated Attack Path. Retrieved September 28, 2022.', 'url': 'https://adsecurity.org/?p=4277'}

    [T1098.002] Account Manipulation: Additional Email Delegate Permissions

    Current version: 2.1

    Version changed from: 2.0 → 2.1

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2022-04-19 14:55:26.110000+00:002023-10-03 17:38:00.554000+00:00
    x_mitre_attack_spec_version2.1.03.2.0
    x_mitre_version2.02.1
    iterable_item_added
    STIX FieldOld valueNew Value
    kill_chain_phases{'kill_chain_name': 'mitre-attack', 'phase_name': 'privilege-escalation'}
    x_mitre_contributorsArad Inbar, Fidelis Security

    [T1557] Adversary-in-the-Middle

    Current version: 2.3

    Version changed from: 2.2 → 2.3

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    		Old Description
    		New Description
    t1Adversaries may attempt to position themselves between two ot1Adversaries may attempt to position themselves between two o
    >r more networked devices using an adversary-in-the-middle (A>r more networked devices using an adversary-in-the-middle (A
    >iTM) technique to support follow-on behaviors such as [Netwo>iTM) technique to support follow-on behaviors such as [Netwo
    >rk Sniffing](https://attack.mitre.org/techniques/T1040) or [>rk Sniffing](https://attack.mitre.org/techniques/T1040), [Tr
    >Transmitted Data Manipulation](https://attack.mitre.org/tech>ansmitted Data Manipulation](https://attack.mitre.org/techni
    >niques/T1565/002). By abusing features of common networking >ques/T1565/002), or replay attacks ([Exploitation for Creden
    >protocols that can determine the flow of network traffic (e.>tial Access](https://attack.mitre.org/techniques/T1212)). By
    >g. ARP, DNS, LLMNR, etc.), adversaries may force a device to> abusing features of common networking protocols that can de
    > communicate through an adversary controlled system so they >termine the flow of network traffic (e.g. ARP, DNS, LLMNR, e
    >can collect information or perform additional actions.(Citat>tc.), adversaries may force a device to communicate through 
    >ion: Rapid7 MiTM Basics)  For example, adversaries may manip>an adversary controlled system so they can collect informati
    >ulate victim DNS settings to enable other malicious activiti>on or perform additional actions.(Citation: Rapid7 MiTM Basi
    >es such as preventing/redirecting users from accessing legit>cs)  For example, adversaries may manipulate victim DNS sett
    >imate sites and/or pushing additional malware.(Citation: tti>ings to enable other malicious activities such as preventing
    >nt_rat)(Citation: dns_changer_trojans)(Citation: ad_blocker_>/redirecting users from accessing legitimate sites and/or pu
    >with_miner) Adversaries may also manipulate DNS and leverage>shing additional malware.(Citation: ttint_rat)(Citation: dns
    > their position in order to intercept user credentials and s>_changer_trojans)(Citation: ad_blocker_with_miner) Adversari
    >ession cookies.(Citation: volexity_0day_sophos_FW) [Downgrad>es may also manipulate DNS and leverage their position in or
    >e Attack](https://attack.mitre.org/techniques/T1562/010)s ca>der to intercept user credentials and session cookies.(Citat
    >n also be used to establish an AiTM position, such as by neg>ion: volexity_0day_sophos_FW) [Downgrade Attack](https://att
    >otiating a less secure, deprecated, or weaker version of com>ack.mitre.org/techniques/T1562/010)s can also be used to est
    >munication protocol (SSL/TLS) or encryption algorithm.(Citat>ablish an AiTM position, such as by negotiating a less secur
    >ion: mitm_tls_downgrade_att)(Citation: taxonomy_downgrade_at>e, deprecated, or weaker version of communication protocol (
    >t_tls)(Citation: tlseminar_downgrade_att)  Adversaries may a>SSL/TLS) or encryption algorithm.(Citation: mitm_tls_downgra
    >lso leverage the AiTM position to attempt to monitor and/or >de_att)(Citation: taxonomy_downgrade_att_tls)(Citation: tlse
    >modify traffic, such as in [Transmitted Data Manipulation](h>minar_downgrade_att)  Adversaries may also leverage the AiTM
    >ttps://attack.mitre.org/techniques/T1565/002). Adversaries c> position to attempt to monitor and/or modify traffic, such 
    >an setup a position similar to AiTM to prevent traffic from >as in [Transmitted Data Manipulation](https://attack.mitre.o
    >flowing to the appropriate destination, potentially to [Impa>rg/techniques/T1565/002). Adversaries can setup a position s
    >ir Defenses](https://attack.mitre.org/techniques/T1562) and/>imilar to AiTM to prevent traffic from flowing to the approp
    >or in support of a [Network Denial of Service](https://attac>riate destination, potentially to [Impair Defenses](https://
    >k.mitre.org/techniques/T1498).>attack.mitre.org/techniques/T1562) and/or in support of a [N
     >etwork Denial of Service](https://attack.mitre.org/technique
     >s/T1498).
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 21:01:37.568000+00:002023-09-27 20:27:50.792000+00:00
    descriptionAdversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040) or [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.(Citation: Rapid7 MiTM Basics) + +For example, adversaries may manipulate victim DNS settings to enable other malicious activities such as preventing/redirecting users from accessing legitimate sites and/or pushing additional malware.(Citation: ttint_rat)(Citation: dns_changer_trojans)(Citation: ad_blocker_with_miner) Adversaries may also manipulate DNS and leverage their position in order to intercept user credentials and session cookies.(Citation: volexity_0day_sophos_FW) [Downgrade Attack](https://attack.mitre.org/techniques/T1562/010)s can also be used to establish an AiTM position, such as by negotiating a less secure, deprecated, or weaker version of communication protocol (SSL/TLS) or encryption algorithm.(Citation: mitm_tls_downgrade_att)(Citation: taxonomy_downgrade_att_tls)(Citation: tlseminar_downgrade_att) + +Adversaries may also leverage the AiTM position to attempt to monitor and/or modify traffic, such as in [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). Adversaries can setup a position similar to AiTM to prevent traffic from flowing to the appropriate destination, potentially to [Impair Defenses](https://attack.mitre.org/techniques/T1562) and/or in support of a [Network Denial of Service](https://attack.mitre.org/techniques/T1498).Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040), [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002), or replay attacks ([Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212)). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.(Citation: Rapid7 MiTM Basics) + +For example, adversaries may manipulate victim DNS settings to enable other malicious activities such as preventing/redirecting users from accessing legitimate sites and/or pushing additional malware.(Citation: ttint_rat)(Citation: dns_changer_trojans)(Citation: ad_blocker_with_miner) Adversaries may also manipulate DNS and leverage their position in order to intercept user credentials and session cookies.(Citation: volexity_0day_sophos_FW) [Downgrade Attack](https://attack.mitre.org/techniques/T1562/010)s can also be used to establish an AiTM position, such as by negotiating a less secure, deprecated, or weaker version of communication protocol (SSL/TLS) or encryption algorithm.(Citation: mitm_tls_downgrade_att)(Citation: taxonomy_downgrade_att_tls)(Citation: tlseminar_downgrade_att) + +Adversaries may also leverage the AiTM position to attempt to monitor and/or modify traffic, such as in [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). Adversaries can setup a position similar to AiTM to prevent traffic from flowing to the appropriate destination, potentially to [Impair Defenses](https://attack.mitre.org/techniques/T1562) and/or in support of a [Network Denial of Service](https://attack.mitre.org/techniques/T1498).
    x_mitre_attack_spec_version2.1.03.2.0
    x_mitre_version2.22.3

    [T1560.001] Archive Collected Data: Archive via Utility

    Current version: 1.3

    Version changed from: 1.2 → 1.3

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-04-14 19:28:21.394000+00:002023-09-15 19:02:53.995000+00:00
    x_mitre_version1.21.3

    [T1053.002] Scheduled Task/Job: At

    Current version: 2.1

    Version changed from: 2.0 → 2.1

    New Detections:

    • DS0029: Network Traffic (Network Traffic Flow)
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2022-04-18 20:12:04.110000+00:002023-08-11 21:13:52.767000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    x_mitre_version2.02.1
    iterable_item_added
    STIX FieldOld valueNew Value
    x_mitre_data_sourcesNetwork Traffic: Network Traffic Flow

    [T1037] Boot or Logon Initialization Scripts

    Current version: 2.2

    Version changed from: 2.1 → 2.2

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 21:01:38.295000+00:002023-08-11 20:54:55.991000+00:00
    x_mitre_version2.12.2

    [T1070.007] Indicator Removal: Clear Network Connection History and Configurations

    Current version: 1.1

    Version changed from: 1.0 → 1.1

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    		Old Description
    		New Description
    t1Adversaries may clear or remove evidence of malicious networt1Adversaries may clear or remove evidence of malicious networ
    >k connections in order to clean up traces of their operation>k connections in order to clean up traces of their operation
    >s. Configuration settings as well as various artifacts that >s. Configuration settings as well as various artifacts that 
    >highlight connection history may be created on a system from>highlight connection history may be created on a system and/
    > behaviors that require network connections, such as [Remote>or in application logs from behaviors that require network c
    > Services](https://attack.mitre.org/techniques/T1021) or [Ex>onnections, such as [Remote Services](https://attack.mitre.o
    >ternal Remote Services](https://attack.mitre.org/techniques/>rg/techniques/T1021) or [External Remote Services](https://a
    >T1133). Defenders may use these artifacts to monitor or othe>ttack.mitre.org/techniques/T1133). Defenders may use these a
    >rwise analyze network connections created by adversaries.  N>rtifacts to monitor or otherwise analyze network connections
    >etwork connection history may be stored in various locations> created by adversaries.  Network connection history may be 
    > on a system. For example, RDP connection history may be sto>stored in various locations. For example, RDP connection his
    >red in Windows Registry values under (Citation: Microsoft RD>tory may be stored in Windows Registry values under (Citatio
    >P Removal):  * <code>HKEY_CURRENT_USER\Software\Microsoft\Te>n: Microsoft RDP Removal):  * <code>HKEY_CURRENT_USER\Softwa
    >rminal Server Client\Default</code> * <code>HKEY_CURRENT_USE>re\Microsoft\Terminal Server Client\Default</code> * <code>H
    >R\Software\Microsoft\Terminal Server Client\Servers</code>  >KEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\S
    >Windows may also store information about recent RDP connecti>ervers</code>  Windows may also store information about rece
    >ons in files such as <code>C:\Users\\%username%\Documents\De>nt RDP connections in files such as <code>C:\Users\\%usernam
    >fault.rdp</code> and `C:\Users\%username%\AppData\Local\Micr>e%\Documents\Default.rdp</code> and `C:\Users\%username%\App
    >osoft\Terminal Server Client\Cache\`.(Citation: Moran RDPiec>Data\Local\Microsoft\Terminal Server Client\Cache\`.(Citatio
    >es) Similarly, macOS and Linux hosts may store information h>n: Moran RDPieces) Similarly, macOS and Linux hosts may stor
    >ighlighting connection history in system logs (such as those>e information highlighting connection history in system logs
    > stored in `/Library/Logs` and/or `/var/log/`).(Citation: Ap> (such as those stored in `/Library/Logs` and/or `/var/log/`
    >ple Culprit Access)(Citation: FreeDesktop Journal)(Citation:>).(Citation: Apple Culprit Access)(Citation: FreeDesktop Jou
    > Apple Unified Log Analysis Remote Login and Screen Sharing)>rnal)(Citation: Apple Unified Log Analysis Remote Login and 
    >  Malicious network connections may also require changes to >Screen Sharing)  Malicious network connections may also requ
    >network configuration settings, such as [Disable or Modify S>ire changes to third-party applications or network configura
    >ystem Firewall](https://attack.mitre.org/techniques/T1562/00>tion settings, such as [Disable or Modify System Firewall](h
    >4) or tampering to enable [Proxy](https://attack.mitre.org/t>ttps://attack.mitre.org/techniques/T1562/004) or tampering t
    >echniques/T1090). Adversaries may delete or modify this data>o enable [Proxy](https://attack.mitre.org/techniques/T1090).
    > to conceal indicators and/or impede defensive analysis.> Adversaries may delete or modify this data to conceal indic
     >ators and/or impede defensive analysis.
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2022-10-21 16:24:06.968000+00:002023-09-08 18:05:28.311000+00:00
    descriptionAdversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operations. Configuration settings as well as various artifacts that highlight connection history may be created on a system from behaviors that require network connections, such as [Remote Services](https://attack.mitre.org/techniques/T1021) or [External Remote Services](https://attack.mitre.org/techniques/T1133). Defenders may use these artifacts to monitor or otherwise analyze network connections created by adversaries. + +Network connection history may be stored in various locations on a system. For example, RDP connection history may be stored in Windows Registry values under (Citation: Microsoft RDP Removal): + +* HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default +* HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers + +Windows may also store information about recent RDP connections in files such as C:\Users\\%username%\Documents\Default.rdp and `C:\Users\%username%\AppData\Local\Microsoft\Terminal +Server Client\Cache\`.(Citation: Moran RDPieces) Similarly, macOS and Linux hosts may store information highlighting connection history in system logs (such as those stored in `/Library/Logs` and/or `/var/log/`).(Citation: Apple Culprit Access)(Citation: FreeDesktop Journal)(Citation: Apple Unified Log Analysis Remote Login and Screen Sharing) + +Malicious network connections may also require changes to network configuration settings, such as [Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1562/004) or tampering to enable [Proxy](https://attack.mitre.org/techniques/T1090). Adversaries may delete or modify this data to conceal indicators and/or impede defensive analysis.Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operations. Configuration settings as well as various artifacts that highlight connection history may be created on a system and/or in application logs from behaviors that require network connections, such as [Remote Services](https://attack.mitre.org/techniques/T1021) or [External Remote Services](https://attack.mitre.org/techniques/T1133). Defenders may use these artifacts to monitor or otherwise analyze network connections created by adversaries. + +Network connection history may be stored in various locations. For example, RDP connection history may be stored in Windows Registry values under (Citation: Microsoft RDP Removal): + +* HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default +* HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers + +Windows may also store information about recent RDP connections in files such as C:\Users\\%username%\Documents\Default.rdp and `C:\Users\%username%\AppData\Local\Microsoft\Terminal +Server Client\Cache\`.(Citation: Moran RDPieces) Similarly, macOS and Linux hosts may store information highlighting connection history in system logs (such as those stored in `/Library/Logs` and/or `/var/log/`).(Citation: Apple Culprit Access)(Citation: FreeDesktop Journal)(Citation: Apple Unified Log Analysis Remote Login and Screen Sharing) + +Malicious network connections may also require changes to third-party applications or network configuration settings, such as [Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1562/004) or tampering to enable [Proxy](https://attack.mitre.org/techniques/T1090). Adversaries may delete or modify this data to conceal indicators and/or impede defensive analysis.
    x_mitre_attack_spec_version2.1.03.1.0
    x_mitre_version1.01.1

    [T1070.001] Indicator Removal: Clear Windows Event Logs

    Current version: 1.3

    Version changed from: 1.2 → 1.3

    New Detections:

    • DS0009: Process (Process Creation)
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-04-12 15:32:03.205000+00:002023-08-11 21:43:04.568000+00:00
    x_mitre_version1.21.3
    iterable_item_added
    STIX FieldOld valueNew Value
    x_mitre_data_sourcesProcess: Process Creation

    [T1136.003] Create Account: Cloud Account

    Current version: 1.4

    Version changed from: 1.3 → 1.4

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-06 21:24:56.669000+00:002023-10-16 17:34:42.544000+00:00
    x_mitre_attack_spec_version3.1.03.2.0
    x_mitre_version1.31.4

    [T1078.004] Valid Accounts: Cloud Accounts

    Current version: 1.6

    Version changed from: 1.5 → 1.6

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    		Old Description
    		New Description
    t1Adversaries may obtain and abuse credentials of a cloud accot1Valid accounts in cloud environments may allow adversaries t
    >unt as a means of gaining Initial Access, Persistence, Privi>o perform actions to achieve Initial Access, Persistence, Pr
    >lege Escalation, or Defense Evasion. Cloud accounts are thos>ivilege Escalation, or Defense Evasion. Cloud accounts are t
    >e created and configured by an organization for use by users>hose created and configured by an organization for use by us
    >, remote support, services, or for administration of resourc>ers, remote support, services, or for administration of reso
    >es within a cloud service provider or SaaS application. In s>urces within a cloud service provider or SaaS application. C
    >ome cases, cloud accounts may be federated with traditional >loud Accounts can exist solely in the cloud or be hybrid joi
    >identity management systems, such as Windows Active Director>ned between on-premises systems and the cloud through federa
    >y.(Citation: AWS Identity Federation)(Citation: Google Feder>tion with other identity sources such as Windows Active Dire
    >ating GC)(Citation: Microsoft Deploying AD Federation)  Comp>ctory. (Citation: AWS Identity Federation)(Citation: Google 
    >romised credentials for cloud accounts can be used to harves>Federating GC)(Citation: Microsoft Deploying AD Federation) 
    >t sensitive data from online storage accounts and databases.> Service or user accounts may be targeted by adversaries thr
    > Access to cloud accounts can also be abused to gain Initial>ough [Brute Force](https://attack.mitre.org/techniques/T1110
    > Access to a network by abusing a [Trusted Relationship](htt>), [Phishing](https://attack.mitre.org/techniques/T1566), or
    >ps://attack.mitre.org/techniques/T1199). Similar to [Domain > various other means to gain access to the environment. Fede
    >Accounts](https://attack.mitre.org/techniques/T1078/002), co>rated accounts may be a pathway for the adversary to affect 
    >mpromise of federated cloud accounts may allow adversaries t>both on-premises systems and cloud environments.  An adversa
    >o more easily move laterally within an environment.  Once a >ry may create long lasting [Additional Cloud Credentials](ht
    >cloud account is compromised, an adversary may perform [Acco>tps://attack.mitre.org/techniques/T1098/001) on a compromise
    >unt Manipulation](https://attack.mitre.org/techniques/T1098)>d cloud account to maintain persistence in the environment. 
    > - for example, by adding [Additional Cloud Roles](https://a>Such credentials may also be used to bypass security control
    >ttack.mitre.org/techniques/T1098/003) - to maintain persiste>s such as multi-factor authentication.   Cloud accounts may 
    >nce and potentially escalate their privileges.>also be able to assume [Temporary Elevated Cloud Access](htt
     >ps://attack.mitre.org/techniques/T1548/005) or other privile
     >ges through various means within the environment. Misconfigu
     >rations in role assignments or role assumption policies may 
     >allow an adversary to use these mechanisms to leverage permi
     >ssions outside the intended scope of the account. Such over 
     >privileged accounts may be used to harvest sensitive data fr
     >om online storage accounts and databases through [Cloud API]
     >(https://attack.mitre.org/techniques/T1059/009) or other met
     >hods.  
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-21 13:17:14.441000+00:002023-10-16 17:25:38.546000+00:00
    descriptionAdversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management systems, such as Windows Active Directory.(Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation) + +Compromised credentials for cloud accounts can be used to harvest sensitive data from online storage accounts and databases. Access to cloud accounts can also be abused to gain Initial Access to a network by abusing a [Trusted Relationship](https://attack.mitre.org/techniques/T1199). Similar to [Domain Accounts](https://attack.mitre.org/techniques/T1078/002), compromise of federated cloud accounts may allow adversaries to more easily move laterally within an environment. + +Once a cloud account is compromised, an adversary may perform [Account Manipulation](https://attack.mitre.org/techniques/T1098) - for example, by adding [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003) - to maintain persistence and potentially escalate their privileges.Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud or be hybrid joined between on-premises systems and the cloud through federation with other identity sources such as Windows Active Directory. (Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation) + +Service or user accounts may be targeted by adversaries through [Brute Force](https://attack.mitre.org/techniques/T1110), [Phishing](https://attack.mitre.org/techniques/T1566), or various other means to gain access to the environment. Federated accounts may be a pathway for the adversary to affect both on-premises systems and cloud environments. + +An adversary may create long lasting [Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) on a compromised cloud account to maintain persistence in the environment. Such credentials may also be used to bypass security controls such as multi-factor authentication. + +Cloud accounts may also be able to assume [Temporary Elevated Cloud Access](https://attack.mitre.org/techniques/T1548/005) or other privileges through various means within the environment. Misconfigurations in role assignments or role assumption policies may allow an adversary to use these mechanisms to leverage permissions outside the intended scope of the account. Such over privileged accounts may be used to harvest sensitive data from online storage accounts and databases through [Cloud API](https://attack.mitre.org/techniques/T1059/009) or other methods. +
    x_mitre_attack_spec_version3.1.03.2.0
    x_mitre_version1.51.6

    [T1538] Cloud Service Dashboard

    Current version: 1.2

    Version changed from: 1.1 → 1.2

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_attack_spec_version3.2.0
    x_mitre_deprecatedFalse
    dictionary_item_removed
    STIX FieldOld valueNew Value
    x_mitre_permissions_required['User']
    values_changed
    STIX FieldOld valueNew Value
    modified2021-03-16 12:56:36.098000+00:002023-10-16 16:51:02.852000+00:00
    x_mitre_version1.11.2

    [T1554] Compromise Client Software Binary

    Current version: 1.1

    Version changed from: 1.0 → 1.1

    + + + + + + + + + + + + + + + + + + + + + + + + + +

    		Old Description
    		New Description
    t1Adversaries may modify client software binaries to establisht1Adversaries may modify client software binaries to establish
    > persistent access to systems. Client software enables users> persistent access to systems. Client software enables users
    > to access services provided by a server. Common client soft> to access services provided by a server. Common client soft
    >ware types are SSH clients, FTP clients, email clients, and >ware types are SSH clients, FTP clients, email clients, and 
    >web browsers.  Adversaries may make modifications to client >web browsers.  Adversaries may make modifications to client 
    >software binaries to carry out malicious tasks when those ap>software binaries to carry out malicious tasks when those ap
    >plications are in use. For example, an adversary may copy so>plications are in use. For example, an adversary may copy so
    >urce code for the client software, add a backdoor, compile f>urce code for the client software, add a backdoor, compile f
    >or the target, and replace the legitimate application binary>or the target, and replace the legitimate application binary
    > (or support files) with the backdoored one. Since these app> (or support files) with the backdoored one. An adversary ma
    >lications may be routinely executed by the user, the adversa>y also modify an existing binary by patching in malicious fu
    >ry can leverage this for persistent access to the host.>nctionality (e.g., IAT Hooking/Entry point patching)(Citatio
     >n: Unit42 Banking Trojans Hooking 2022) prior to the binary’
     >s legitimate execution. For example, an adversary may modify
     > the entry point of a binary to point to malicious code patc
     >hed in by the adversary before resuming normal execution flo
     >w.(Citation: ESET FontOnLake Analysis 2021)  Since these app
     >lications may be routinely executed by the user, the adversa
     >ry can leverage this for persistent access to the host.
    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_attack_spec_version3.2.0
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2021-10-19 03:18:43.648000+00:002023-10-03 04:18:40.956000+00:00
    descriptionAdversaries may modify client software binaries to establish persistent access to systems. Client software enables users to access services provided by a server. Common client software types are SSH clients, FTP clients, email clients, and web browsers. + +Adversaries may make modifications to client software binaries to carry out malicious tasks when those applications are in use. For example, an adversary may copy source code for the client software, add a backdoor, compile for the target, and replace the legitimate application binary (or support files) with the backdoored one. Since these applications may be routinely executed by the user, the adversary can leverage this for persistent access to the host.Adversaries may modify client software binaries to establish persistent access to systems. Client software enables users to access services provided by a server. Common client software types are SSH clients, FTP clients, email clients, and web browsers. + +Adversaries may make modifications to client software binaries to carry out malicious tasks when those applications are in use. For example, an adversary may copy source code for the client software, add a backdoor, compile for the target, and replace the legitimate application binary (or support files) with the backdoored one. An adversary may also modify an existing binary by patching in malicious functionality (e.g., IAT Hooking/Entry point patching)(Citation: Unit42 Banking Trojans Hooking 2022) prior to the binary’s legitimate execution. For example, an adversary may modify the entry point of a binary to point to malicious code patched in by the adversary before resuming normal execution flow.(Citation: ESET FontOnLake Analysis 2021) + +Since these applications may be routinely executed by the user, the adversary can leverage this for persistent access to the host.
    x_mitre_version1.01.1
    iterable_item_added
    STIX FieldOld valueNew Value
    external_references{'source_name': 'Unit42 Banking Trojans Hooking 2022', 'description': 'Or Chechik. (2022, October 31). Banking Trojan Techniques: How Financially Motivated Malware Became Infrastructure. Retrieved September 27, 2023.', 'url': 'https://unit42.paloaltonetworks.com/banking-trojan-techniques/#post-125550-_rm3d6xxbk52n'}
    external_references{'source_name': 'ESET FontOnLake Analysis 2021', 'description': 'Vladislav Hrčka. (2021, January 1). FontOnLake. Retrieved September 27, 2023.', 'url': 'https://web-assets.esetstatic.com/wls/2021/10/eset_fontonlake.pdf'}

    [T1584] Compromise Infrastructure

    Current version: 1.4

    Version changed from: 1.3 → 1.4

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    		Old Description
    		New Description
    t1Adversaries may compromise third-party infrastructure that ct1Adversaries may compromise third-party infrastructure that c
    >an be used during targeting. Infrastructure solutions includ>an be used during targeting. Infrastructure solutions includ
    >e physical or cloud servers, domains, and third-party web an>e physical or cloud servers, domains, and third-party web an
    >d DNS services. Instead of buying, leasing, or renting infra>d DNS services. Instead of buying, leasing, or renting infra
    >structure an adversary may compromise infrastructure and use>structure an adversary may compromise infrastructure and use
    > it during other phases of the adversary lifecycle.(Citation> it during other phases of the adversary lifecycle.(Citation
    >: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citatio>: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citatio
    >n: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens >n: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens 
    >Part 2) Additionally, adversaries may compromise numerous ma>Part 2) Additionally, adversaries may compromise numerous ma
    >chines to form a botnet they can leverage.  Use of compromis>chines to form a botnet they can leverage.  Use of compromis
    >ed infrastructure allows adversaries to stage, launch, and e>ed infrastructure allows adversaries to stage, launch, and e
    >xecute operations. Compromised infrastructure can help adver>xecute operations. Compromised infrastructure can help adver
    >sary operations blend in with traffic that is seen as normal>sary operations blend in with traffic that is seen as normal
    >, such as contact with high reputation or trusted sites. For>, such as contact with high reputation or trusted sites. For
    > example, adversaries may leverage compromised infrastructur> example, adversaries may leverage compromised infrastructur
    >e (potentially also in conjunction with [Digital Certificate>e (potentially also in conjunction with [Digital Certificate
    >s](https://attack.mitre.org/techniques/T1588/004)) to furthe>s](https://attack.mitre.org/techniques/T1588/004)) to furthe
    >r blend in and support staged information gathering and/or [>r blend in and support staged information gathering and/or [
    >Phishing](https://attack.mitre.org/techniques/T1566) campaig>Phishing](https://attack.mitre.org/techniques/T1566) campaig
    >ns.(Citation: FireEye DNS Hijack 2019) Additionally, adversa>ns.(Citation: FireEye DNS Hijack 2019) Additionally, adversa
    >ries may also compromise infrastructure to support [Proxy](h>ries may also compromise infrastructure to support [Proxy](h
    >ttps://attack.mitre.org/techniques/T1090).(Citation: amnesty>ttps://attack.mitre.org/techniques/T1090) and/or proxyware s
    >_nso_pegasus)  By using compromised infrastructure, adversar>ervices.(Citation: amnesty_nso_pegasus)(Citation: Sysdig Pro
    >ies may make it difficult to tie their actions back to them.>xyjacking)  By using compromised infrastructure, adversaries
    > Prior to targeting, adversaries may compromise the infrastr> may make it difficult to tie their actions back to them. Pr
    >ucture of other adversaries.(Citation: NSA NCSC Turla OilRig>ior to targeting, adversaries may compromise the infrastruct
    >)>ure of other adversaries.(Citation: NSA NCSC Turla OilRig)
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-04-12 13:32:15.704000+00:002023-10-02 01:10:49.053000+00:00
    descriptionAdversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage. + +Use of compromised infrastructure allows adversaries to stage, launch, and execute operations. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. For example, adversaries may leverage compromised infrastructure (potentially also in conjunction with [Digital Certificates](https://attack.mitre.org/techniques/T1588/004)) to further blend in and support staged information gathering and/or [Phishing](https://attack.mitre.org/techniques/T1566) campaigns.(Citation: FireEye DNS Hijack 2019) Additionally, adversaries may also compromise infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090).(Citation: amnesty_nso_pegasus) + +By using compromised infrastructure, adversaries may make it difficult to tie their actions back to them. Prior to targeting, adversaries may compromise the infrastructure of other adversaries.(Citation: NSA NCSC Turla OilRig)Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage. + +Use of compromised infrastructure allows adversaries to stage, launch, and execute operations. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. For example, adversaries may leverage compromised infrastructure (potentially also in conjunction with [Digital Certificates](https://attack.mitre.org/techniques/T1588/004)) to further blend in and support staged information gathering and/or [Phishing](https://attack.mitre.org/techniques/T1566) campaigns.(Citation: FireEye DNS Hijack 2019) Additionally, adversaries may also compromise infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090) and/or proxyware services.(Citation: amnesty_nso_pegasus)(Citation: Sysdig Proxyjacking) + +By using compromised infrastructure, adversaries may make it difficult to tie their actions back to them. Prior to targeting, adversaries may compromise the infrastructure of other adversaries.(Citation: NSA NCSC Turla OilRig)
    x_mitre_attack_spec_version3.1.03.2.0
    x_mitre_version1.31.4
    iterable_item_added
    STIX FieldOld valueNew Value
    external_references{'source_name': 'Sysdig Proxyjacking', 'description': 'Crystal Morin. (2023, April 4). Proxyjacking has Entered the Chat. Retrieved July 6, 2023.', 'url': 'https://sysdig.com/blog/proxyjacking-attackers-log4j-exploited/'}
    x_mitre_contributorsGoldstein Menachem

    [T1136] Create Account

    Current version: 2.4

    Version changed from: 2.3 → 2.4

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-04-12 23:24:48.840000+00:002023-10-16 17:42:28.207000+00:00
    x_mitre_attack_spec_version3.1.03.2.0
    x_mitre_version2.32.4
    iterable_item_added
    STIX FieldOld valueNew Value
    x_mitre_platformsContainers
    x_mitre_platformsSaaS

    [T1110.004] Brute Force: Credential Stuffing

    Current version: 1.4

    Version changed from: 1.3 → 1.4

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-04-14 23:05:16.857000+00:002023-10-16 16:53:12.789000+00:00
    x_mitre_attack_spec_version3.1.03.2.0
    x_mitre_version1.31.4

    [T1552.001] Unsecured Credentials: Credentials In Files

    Current version: 1.2

    Version changed from: 1.1 → 1.2

    New Detections:

    • DS0009: Process (Process Creation)
    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    dictionary_item_removed
    STIX FieldOld valueNew Value
    x_mitre_permissions_required['Administrator', 'SYSTEM', 'User']
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 21:01:44.951000+00:002023-08-23 22:24:50.812000+00:00
    x_mitre_version1.11.2
    iterable_item_added
    STIX FieldOld valueNew Value
    x_mitre_data_sourcesProcess: Process Creation

    [T1555] Credentials from Password Stores

    Current version: 1.1

    Version changed from: 1.0 → 1.1

    + + + + + + + + + + + + + + + +

    		Old Description
    		New Description
    t1Adversaries may search for common password storage locationst1Adversaries may search for common password storage locations
    > to obtain user credentials. Passwords are stored in several> to obtain user credentials. Passwords are stored in several
    > places on a system, depending on the operating system or ap> places on a system, depending on the operating system or ap
    >plication holding the credentials. There are also specific a>plication holding the credentials. There are also specific a
    >pplications that store passwords to make it easier for users>pplications and services that store passwords to make them e
    > manage and maintain. Once credentials are obtained, they ca>asier for users to manage and maintain, such as password man
    >n be used to perform lateral movement and access restricted >agers and cloud secrets vaults. Once credentials are obtaine
    >information.>d, they can be used to perform lateral movement and access r
     >estricted information.

    New Mitigations:

    • M1026: Privileged Account Management

    New Detections:

    • DS0025: Cloud Service (Cloud Service Enumeration)
    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_attack_spec_version3.2.0
    x_mitre_deprecatedFalse
    dictionary_item_removed
    STIX FieldOld valueNew Value
    x_mitre_permissions_required['Administrator']
    values_changed
    STIX FieldOld valueNew Value
    modified2022-04-01 18:25:13.952000+00:002023-09-30 20:16:41.759000+00:00
    descriptionAdversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications that store passwords to make it easier for users manage and maintain. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.
    x_mitre_version1.01.1
    iterable_item_added
    STIX FieldOld valueNew Value
    x_mitre_data_sourcesCloud Service: Cloud Service Enumeration
    x_mitre_platformsIaaS

    [T1552.002] Unsecured Credentials: Credentials in Registry

    Current version: 1.1

    Version changed from: 1.0 → 1.1

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_attack_spec_version3.1.0
    x_mitre_deprecatedFalse
    dictionary_item_removed
    STIX FieldOld valueNew Value
    x_mitre_permissions_required['Administrator', 'User']
    values_changed
    STIX FieldOld valueNew Value
    modified2020-02-07 20:49:18.834000+00:002023-07-28 18:29:56.525000+00:00
    x_mitre_version1.01.1

    [T1485] Data Destruction

    Current version: 1.2

    Version changed from: 1.1 → 1.2

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_attack_spec_version3.2.0
    x_mitre_deprecatedFalse
    dictionary_item_removed
    STIX FieldOld valueNew Value
    x_mitre_permissions_required['User', 'Administrator', 'root', 'SYSTEM']
    values_changed
    STIX FieldOld valueNew Value
    modified2021-03-25 14:47:48.728000+00:002023-10-03 17:30:32.192000+00:00
    x_mitre_version1.11.2
    iterable_item_added
    STIX FieldOld valueNew Value
    x_mitre_contributorsJoey Lei
    x_mitre_platformsContainers

    [T1530] Data from Cloud Storage

    Current version: 2.1

    Version changed from: 2.0 → 2.1

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    		Old Description
    		New Description
    t1Adversaries may access data from improperly secured cloud stt1Adversaries may access data from cloud storage.  Many IaaS p
    >orage.  Many cloud service providers offer solutions for onl>roviders offer solutions for online data object storage such
    >ine data object storage such as Amazon S3, Azure Storage, an> as Amazon S3, Azure Storage, and Google Cloud Storage. Simi
    >d Google Cloud Storage. These solutions differ from other st>larly, SaaS enterprise platforms such as Office 365 and Goog
    >orage solutions (such as SQL or Elasticsearch) in that there>le Workspace provide cloud-based document storage to users t
    > is no overarching application. Data from these solutions ca>hrough services such as OneDrive and Google Drive, while Saa
    >n be retrieved directly using the cloud provider's APIs.   I>S application providers such as Slack, Confluence, Salesforc
    >n other cases, SaaS application providers such as Slack, Con>e, and Dropbox may provide cloud storage solutions as a peri
    >fluence, and Salesforce also provide cloud storage solutions>pheral or primary use case of their platform.   In some case
    > as a peripheral use case of their platform. These cloud obj>s, as with IaaS-based cloud storage, there exists no overarc
    >ects can be extracted directly from their associated applica>hing application (such as SQL or Elasticsearch) with which t
    >tion.(Citation: EA Hacked via Slack - June 2021)(Citation: S>o interact with the stored objects: instead, data from these
    >ecureWorld - How Secure Is Your Slack Channel - Dec 2021)(Ci> solutions is retrieved directly though the [Cloud API](http
    >tation: HackerNews - 3 SaaS App Cyber Attacks - April 2022)(>s://attack.mitre.org/techniques/T1059/009). In SaaS applicat
    >Citation: Dark Clouds_Usenix_Mulazzani_08_2011)  Adversaries>ions, adversaries may be able to collect this data directly 
    > may collect sensitive data from these cloud storage solutio>from APIs or backend cloud storage objects, rather than thro
    >ns. Providers typically offer security guides to help end us>ugh their front-end application or interface (i.e., [Data fr
    >ers configure systems, though misconfigurations are a common>om Information Repositories](https://attack.mitre.org/techni
    > problem.(Citation: Amazon S3 Security, 2019)(Citation: Micr>ques/T1213)).   Adversaries may collect sensitive data from 
    >osoft Azure Storage Security, 2019)(Citation: Google Cloud S>these cloud storage solutions. Providers typically offer sec
    >torage Best Practices, 2019) There have been numerous incide>urity guides to help end users configure systems, though mis
    >nts where cloud storage has been improperly secured, typical>configurations are a common problem.(Citation: Amazon S3 Sec
    >ly by unintentionally allowing public access to unauthentica>urity, 2019)(Citation: Microsoft Azure Storage Security, 201
    >ted users, overly-broad access by all users, or even access >9)(Citation: Google Cloud Storage Best Practices, 2019) Ther
    >for any anonymous person outside the control of the Identity>e have been numerous incidents where cloud storage has been 
    > Access Management system without even needing basic user pe>improperly secured, typically by unintentionally allowing pu
    >rmissions.  This open access may expose various types of sen>blic access to unauthenticated users, overly-broad access by
    >sitive data, such as credit cards, personally identifiable i> all users, or even access for any anonymous person outside 
    >nformation, or medical records.(Citation: Trend Micro S3 Exp>the control of the Identity Access Management system without
    >osed PII, 2017)(Citation: Wired Magecart S3 Buckets, 2019)(C> even needing basic user permissions.  This open access may 
    >itation: HIPAA Journal S3 Breach, 2017)(Citation: Rclone-meg>expose various types of sensitive data, such as credit cards
    >a-extortion_05_2021)  Adversaries may also obtain then abuse>, personally identifiable information, or medical records.(C
    > leaked credentials from source repositories, logs, or other>itation: Trend Micro S3 Exposed PII, 2017)(Citation: Wired M
    > means as a way to gain access to cloud storage objects.>agecart S3 Buckets, 2019)(Citation: HIPAA Journal S3 Breach,
     > 2017)(Citation: Rclone-mega-extortion_05_2021)  Adversaries
     > may also obtain then abuse leaked credentials from source r
     >epositories, logs, or other means as a way to gain access to
     > cloud storage objects.
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2022-10-18 19:10:42.621000+00:002023-09-29 16:11:43.530000+00:00
    descriptionAdversaries may access data from improperly secured cloud storage. + +Many cloud service providers offer solutions for online data object storage such as Amazon S3, Azure Storage, and Google Cloud Storage. These solutions differ from other storage solutions (such as SQL or Elasticsearch) in that there is no overarching application. Data from these solutions can be retrieved directly using the cloud provider's APIs. + +In other cases, SaaS application providers such as Slack, Confluence, and Salesforce also provide cloud storage solutions as a peripheral use case of their platform. These cloud objects can be extracted directly from their associated application.(Citation: EA Hacked via Slack - June 2021)(Citation: SecureWorld - How Secure Is Your Slack Channel - Dec 2021)(Citation: HackerNews - 3 SaaS App Cyber Attacks - April 2022)(Citation: Dark Clouds_Usenix_Mulazzani_08_2011) + +Adversaries may collect sensitive data from these cloud storage solutions. Providers typically offer security guides to help end users configure systems, though misconfigurations are a common problem.(Citation: Amazon S3 Security, 2019)(Citation: Microsoft Azure Storage Security, 2019)(Citation: Google Cloud Storage Best Practices, 2019) There have been numerous incidents where cloud storage has been improperly secured, typically by unintentionally allowing public access to unauthenticated users, overly-broad access by all users, or even access for any anonymous person outside the control of the Identity Access Management system without even needing basic user permissions. + +This open access may expose various types of sensitive data, such as credit cards, personally identifiable information, or medical records.(Citation: Trend Micro S3 Exposed PII, 2017)(Citation: Wired Magecart S3 Buckets, 2019)(Citation: HIPAA Journal S3 Breach, 2017)(Citation: Rclone-mega-extortion_05_2021) + +Adversaries may also obtain then abuse leaked credentials from source repositories, logs, or other means as a way to gain access to cloud storage objects.Adversaries may access data from cloud storage. + +Many IaaS providers offer solutions for online data object storage such as Amazon S3, Azure Storage, and Google Cloud Storage. Similarly, SaaS enterprise platforms such as Office 365 and Google Workspace provide cloud-based document storage to users through services such as OneDrive and Google Drive, while SaaS application providers such as Slack, Confluence, Salesforce, and Dropbox may provide cloud storage solutions as a peripheral or primary use case of their platform. + +In some cases, as with IaaS-based cloud storage, there exists no overarching application (such as SQL or Elasticsearch) with which to interact with the stored objects: instead, data from these solutions is retrieved directly though the [Cloud API](https://attack.mitre.org/techniques/T1059/009). In SaaS applications, adversaries may be able to collect this data directly from APIs or backend cloud storage objects, rather than through their front-end application or interface (i.e., [Data from Information Repositories](https://attack.mitre.org/techniques/T1213)). + +Adversaries may collect sensitive data from these cloud storage solutions. Providers typically offer security guides to help end users configure systems, though misconfigurations are a common problem.(Citation: Amazon S3 Security, 2019)(Citation: Microsoft Azure Storage Security, 2019)(Citation: Google Cloud Storage Best Practices, 2019) There have been numerous incidents where cloud storage has been improperly secured, typically by unintentionally allowing public access to unauthenticated users, overly-broad access by all users, or even access for any anonymous person outside the control of the Identity Access Management system without even needing basic user permissions. + +This open access may expose various types of sensitive data, such as credit cards, personally identifiable information, or medical records.(Citation: Trend Micro S3 Exposed PII, 2017)(Citation: Wired Magecart S3 Buckets, 2019)(Citation: HIPAA Journal S3 Breach, 2017)(Citation: Rclone-mega-extortion_05_2021) + +Adversaries may also obtain then abuse leaked credentials from source repositories, logs, or other means as a way to gain access to cloud storage objects.
    x_mitre_attack_spec_version2.1.03.2.0
    x_mitre_version2.02.1
    iterable_item_added
    STIX FieldOld valueNew Value
    x_mitre_platformsGoogle Workspace
    x_mitre_platformsOffice 365
    iterable_item_removed
    STIX FieldOld valueNew Value
    external_references{'source_name': 'SecureWorld - How Secure Is Your Slack Channel - Dec 2021', 'description': ' Drew Todd. (2021, December 28). How Secure Is Your Slack Channel?. Retrieved May 31, 2022.', 'url': 'https://www.secureworld.io/industry-news/how-secure-is-your-slack-channel#:~:text=Electronic%20Arts%20hacked%20through%20Slack%20channel&text=In%20total%2C%20the%20hackers%20claim,credentials%20over%20a%20Slack%20channel.'}
    external_references{'source_name': 'EA Hacked via Slack - June 2021', 'description': 'Anthony Spadafora. (2021, June 11). EA hack reportedly used stolen cookies and Slack to target gaming giant. Retrieved May 31, 2022.', 'url': 'https://www.techradar.com/news/ea-hack-reportedly-used-stolen-cookies-and-slack-to-hack-gaming-giant'}
    external_references{'source_name': 'HackerNews - 3 SaaS App Cyber Attacks - April 2022', 'description': 'Hananel Livneh. (2022, April 7). Into the Breach: Breaking Down 3 SaaS App Cyber Attacks in 2022. Retrieved May 31, 2022.', 'url': 'https://thehackernews.com/2022/04/into-breach-breaking-down-3-saas-app.html'}
    external_references{'source_name': 'Dark Clouds_Usenix_Mulazzani_08_2011', 'description': 'Martin Mulazzani, Sebastian Schrittwieser, Manuel Leithner, Markus Huber, and Edgar Weippl. (2011, August). Dark Clouds on the Horizon: Using Cloud Storage as Attack Vector and Online Slack Space. Retrieved July 14, 2022.', 'url': 'https://www.usenix.org/conference/usenix-security-11/dark-clouds-horizon-using-cloud-storage-attack-vector-and-online-slack'}

    [T1039] Data from Network Shared Drive

    Current version: 1.4

    Version changed from: 1.3 → 1.4

    New Detections:

    • DS0029: Network Traffic (Network Traffic Flow)
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 21:01:35.611000+00:002023-08-11 21:06:07.690000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    x_mitre_version1.31.4
    iterable_item_added
    STIX FieldOld valueNew Value
    x_mitre_data_sourcesNetwork Traffic: Network Traffic Flow

    [T1140] Deobfuscate/Decode Files or Information

    Current version: 1.3

    Version changed from: 1.2 → 1.3

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-04-21 12:21:06.026000+00:002023-08-14 19:28:18.334000+00:00
    x_mitre_version1.21.3

    [T1098.005] Account Manipulation: Device Registration

    Current version: 1.2

    Version changed from: 1.1 → 1.2

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-04-20 18:14:17.197000+00:002023-10-03 17:38:39.065000+00:00
    x_mitre_attack_spec_version3.1.03.2.0
    x_mitre_version1.11.2
    iterable_item_added
    STIX FieldOld valueNew Value
    kill_chain_phases{'kill_chain_name': 'mitre-attack', 'phase_name': 'privilege-escalation'}
    x_mitre_contributorsArad Inbar, Fidelis Security

    [T1006] Direct Volume Access

    Current version: 2.1

    Version changed from: 2.0 → 2.1

    + + + + + + + + + + + + + + + + + + + +

    		Old Description
    		New Description
    t1Adversaries may directly access a volume to bypass file accet1Adversaries may directly access a volume to bypass file acce
    >ss controls and file system monitoring. Windows allows progr>ss controls and file system monitoring. Windows allows progr
    >ams to have direct access to logical volumes. Programs with >ams to have direct access to logical volumes. Programs with 
    >direct access may read and write files directly from the dri>direct access may read and write files directly from the dri
    >ve by analyzing file system data structures. This technique >ve by analyzing file system data structures. This technique 
    >bypasses Windows file access controls as well as file system>may bypass Windows file access controls as well as file syst
    > monitoring tools. (Citation: Hakobyan 2009)  Utilities, suc>em monitoring tools. (Citation: Hakobyan 2009)  Utilities, s
    >h as NinjaCopy, exist to perform these actions in PowerShell>uch as `NinjaCopy`, exist to perform these actions in PowerS
    >. (Citation: Github PowerSploit Ninjacopy)>hell.(Citation: Github PowerSploit Ninjacopy) Adversaries ma
     >y also use built-in or third-party utilities (such as `vssad
     >min`, `wbadmin`, and [esentutl](https://attack.mitre.org/sof
     >tware/S0404)) to create shadow copies or backups of data fro
     >m system volumes.(Citation: LOLBAS Esentutl)

    New Mitigations:

    • M1018: User Account Management
    • M1040: Behavior Prevention on Endpoint

    New Detections:

    • DS0022: File (File Creation)
    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_attack_spec_version3.2.0
    x_mitre_contributors['Tom Simpson, CrowdStrike Falcon OverWatch']
    x_mitre_deprecatedFalse
    dictionary_item_removed
    STIX FieldOld valueNew Value
    x_mitre_permissions_required['Administrator']
    values_changed
    STIX FieldOld valueNew Value
    modified2021-02-09 14:09:00.753000+00:002023-10-01 14:19:18.804000+00:00
    descriptionAdversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique bypasses Windows file access controls as well as file system monitoring tools. (Citation: Hakobyan 2009) + +Utilities, such as NinjaCopy, exist to perform these actions in PowerShell. (Citation: Github PowerSploit Ninjacopy)Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools. (Citation: Hakobyan 2009) + +Utilities, such as `NinjaCopy`, exist to perform these actions in PowerShell.(Citation: Github PowerSploit Ninjacopy) Adversaries may also use built-in or third-party utilities (such as `vssadmin`, `wbadmin`, and [esentutl](https://attack.mitre.org/software/S0404)) to create shadow copies or backups of data from system volumes.(Citation: LOLBAS Esentutl)
    x_mitre_version2.02.1
    iterable_item_added
    STIX FieldOld valueNew Value
    external_references{'source_name': 'LOLBAS Esentutl', 'description': 'LOLBAS. (n.d.). Esentutl.exe. Retrieved September 3, 2019.', 'url': 'https://lolbas-project.github.io/lolbas/Binaries/Esentutl/'}
    x_mitre_data_sourcesFile: File Creation

    [T1562.002] Impair Defenses: Disable Windows Event Logging

    Current version: 1.3

    Version changed from: 1.2 → 1.3

    New Detections:

    • DS0024: Windows Registry (Windows Registry Key Modification)
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-17 23:24:19.730000+00:002023-09-18 22:33:57.556000+00:00
    x_mitre_version1.21.3
    iterable_item_added
    STIX FieldOld valueNew Value
    x_mitre_data_sourcesWindows Registry: Windows Registry Key Modification

    [T1562.001] Impair Defenses: Disable or Modify Tools

    Current version: 1.5

    Version changed from: 1.4 → 1.5

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    		Old Description
    		New Description
    t1Adversaries may modify and/or disable security tools to avoit1Adversaries may modify and/or disable security tools to avoi
    >d possible detection of their malware/tools and activities. >d possible detection of their malware/tools and activities. 
    >This may take many forms, such as killing security software >This may take many forms, such as killing security software 
    >processes or services, modifying / deleting Registry keys or>processes or services, modifying / deleting Registry keys or
    > configuration files so that tools do not operate properly, > configuration files so that tools do not operate properly, 
    >or other methods to interfere with security tools scanning o>or other methods to interfere with security tools scanning o
    >r reporting information. Adversaries may also disable update>r reporting information. Adversaries may also disable update
    >s to prevent the latest security patches from reaching tools>s to prevent the latest security patches from reaching tools
    > on victim systems.(Citation: SCADAfence_ransomware)  Advers> on victim systems.(Citation: SCADAfence_ransomware)  Advers
    >aries may also tamper with artifacts deployed and utilized b>aries may also tamper with artifacts deployed and utilized b
    >y security tools. Security tools may make dynamic changes to>y security tools. Security tools may make dynamic changes to
    > system components in order to maintain visibility into spec> system components in order to maintain visibility into spec
    >ific events. For example, security products may load their o>ific events. For example, security products may load their o
    >wn modules and/or modify those loaded by processes to facili>wn modules and/or modify those loaded by processes to facili
    >tate data collection. Similar to [Indicator Blocking](https:>tate data collection. Similar to [Indicator Blocking](https:
    >//attack.mitre.org/techniques/T1562/006), adversaries may un>//attack.mitre.org/techniques/T1562/006), adversaries may un
    >hook or otherwise modify these features added by tools (espe>hook or otherwise modify these features added by tools (espe
    >cially those that exist in userland or are otherwise potenti>cially those that exist in userland or are otherwise potenti
    >ally accessible to adversaries) to avoid detection.(Citation>ally accessible to adversaries) to avoid detection.(Citation
    >: OutFlank System Calls)(Citation: MDSec System Calls)   Adv>: OutFlank System Calls)(Citation: MDSec System Calls)   Adv
    >ersaries may also focus on specific applications such as Sys>ersaries may also focus on specific applications such as Sys
    >mon. For example, the “Start” and “Enable” values in <code>H>mon. For example, the “Start” and “Enable” values in <code>H
    >KEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autol>KEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autol
    >ogger\EventLog-Microsoft-Windows-Sysmon-Operational</code> m>ogger\EventLog-Microsoft-Windows-Sysmon-Operational</code> m
    >ay be modified to tamper with and potentially disable Sysmon>ay be modified to tamper with and potentially disable Sysmon
    > logging.(Citation: disable_win_evt_logging)   In cloud envi> logging.(Citation: disable_win_evt_logging)   On network de
    >ronments, tools disabled by adversaries may include cloud mo>vices, adversaries may attempt to skip digital signature ver
    >nitoring agents that report back to services such as AWS Clo>ification checks by altering startup configuration files and
    >udWatch or Google Cloud Monitor.  Furthermore, although defe> effectively disabling firmware verification that typically 
    >nsive tools may have anti-tampering mechanisms, adversaries >occurs at boot.(Citation: Fortinet Zero-Day and Custom Malwa
    >may abuse tools such as legitimate rootkit removal kits to i>re Used by Suspected Chinese Actor in Espionage Operation)(C
    >mpair and/or disable these tools.(Citation: chasing_avaddon_>itation: Analysis of FG-IR-22-369)  In cloud environments, t
    >ransomware)(Citation: dharma_ransomware)(Citation: demystify>ools disabled by adversaries may include cloud monitoring ag
    >ing_ryuk)(Citation: doppelpaymer_crowdstrike) For example, a>ents that report back to services such as AWS CloudWatch or 
    >dversaries have used tools such as GMER to find and shut dow>Google Cloud Monitor.  Furthermore, although defensive tools
    >n hidden processes and antivirus software on infected system> may have anti-tampering mechanisms, adversaries may abuse t
    >s.(Citation: demystifying_ryuk)  Additionally, adversaries m>ools such as legitimate rootkit removal kits to impair and/o
    >ay exploit legitimate drivers from anti-virus software to ga>r disable these tools.(Citation: chasing_avaddon_ransomware)
    >in access to kernel space (i.e. [Exploitation for Privilege >(Citation: dharma_ransomware)(Citation: demystifying_ryuk)(C
    >Escalation](https://attack.mitre.org/techniques/T1068)), whi>itation: doppelpaymer_crowdstrike) For example, adversaries 
    >ch may lead to bypassing anti-tampering features.(Citation: >have used tools such as GMER to find and shut down hidden pr
    >avoslocker_ransomware)>ocesses and antivirus software on infected systems.(Citation
     >: demystifying_ryuk)  Additionally, adversaries may exploit 
     >legitimate drivers from anti-virus software to gain access t
     >o kernel space (i.e. [Exploitation for Privilege Escalation]
     >(https://attack.mitre.org/techniques/T1068)), which may lead
     > to bypassing anti-tampering features.(Citation: avoslocker_
     >ransomware)

    New Detections:

    • DS0009: Process (Process Creation)
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-04-12 13:43:42.986000+00:002023-05-28 16:57:27.185000+00:00
    descriptionAdversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.(Citation: SCADAfence_ransomware) + +Adversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to [Indicator Blocking](https://attack.mitre.org/techniques/T1562/006), adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls) + +Adversaries may also focus on specific applications such as Sysmon. For example, the “Start” and “Enable” values in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Microsoft-Windows-Sysmon-Operational may be modified to tamper with and potentially disable Sysmon logging.(Citation: disable_win_evt_logging) + +In cloud environments, tools disabled by adversaries may include cloud monitoring agents that report back to services such as AWS CloudWatch or Google Cloud Monitor. + +Furthermore, although defensive tools may have anti-tampering mechanisms, adversaries may abuse tools such as legitimate rootkit removal kits to impair and/or disable these tools.(Citation: chasing_avaddon_ransomware)(Citation: dharma_ransomware)(Citation: demystifying_ryuk)(Citation: doppelpaymer_crowdstrike) For example, adversaries have used tools such as GMER to find and shut down hidden processes and antivirus software on infected systems.(Citation: demystifying_ryuk) + +Additionally, adversaries may exploit legitimate drivers from anti-virus software to gain access to kernel space (i.e. [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)), which may lead to bypassing anti-tampering features.(Citation: avoslocker_ransomware)Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.(Citation: SCADAfence_ransomware) + +Adversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to [Indicator Blocking](https://attack.mitre.org/techniques/T1562/006), adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls) + +Adversaries may also focus on specific applications such as Sysmon. For example, the “Start” and “Enable” values in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Microsoft-Windows-Sysmon-Operational may be modified to tamper with and potentially disable Sysmon logging.(Citation: disable_win_evt_logging) + +On network devices, adversaries may attempt to skip digital signature verification checks by altering startup configuration files and effectively disabling firmware verification that typically occurs at boot.(Citation: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation)(Citation: Analysis of FG-IR-22-369) + +In cloud environments, tools disabled by adversaries may include cloud monitoring agents that report back to services such as AWS CloudWatch or Google Cloud Monitor. + +Furthermore, although defensive tools may have anti-tampering mechanisms, adversaries may abuse tools such as legitimate rootkit removal kits to impair and/or disable these tools.(Citation: chasing_avaddon_ransomware)(Citation: dharma_ransomware)(Citation: demystifying_ryuk)(Citation: doppelpaymer_crowdstrike) For example, adversaries have used tools such as GMER to find and shut down hidden processes and antivirus software on infected systems.(Citation: demystifying_ryuk) + +Additionally, adversaries may exploit legitimate drivers from anti-virus software to gain access to kernel space (i.e. [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)), which may lead to bypassing anti-tampering features.(Citation: avoslocker_ransomware)
    x_mitre_version1.41.5
    iterable_item_added
    STIX FieldOld valueNew Value
    external_references{'source_name': 'Analysis of FG-IR-22-369', 'description': ' Guillaume Lovet and Alex Kong. (2023, March 9). Analysis of FG-IR-22-369. Retrieved May 15, 2023.', 'url': 'https://www.fortinet.com/blog/psirt-blogs/fg-ir-22-369-psirt-analysis'}
    external_references{'source_name': 'Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation', 'description': 'ALEXANDER MARVI, BRAD SLAYBAUGH, DAN EBREO, TUFAIL AHMED, MUHAMMAD UMAIR, TINA JOHNSON. (2023, March 16). Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation. Retrieved May 15, 2023.', 'url': 'https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem'}
    x_mitre_data_sourcesProcess: Process Creation
    x_mitre_platformsNetwork

    [T1021.003] Remote Services: Distributed Component Object Model

    Current version: 1.3

    Version changed from: 1.2 → 1.3

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-04-03 18:58:54.034000+00:002023-08-11 20:21:55.610000+00:00
    x_mitre_version1.21.3

    [T1136.002] Create Account: Domain Account

    Current version: 1.1

    Version changed from: 1.0 → 1.1

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_attack_spec_version3.2.0
    x_mitre_deprecatedFalse
    dictionary_item_removed
    STIX FieldOld valueNew Value
    x_mitre_permissions_required['Administrator']
    values_changed
    STIX FieldOld valueNew Value
    modified2020-03-23 18:12:36.696000+00:002023-10-16 17:36:37.600000+00:00
    x_mitre_version1.01.1

    [T1078.002] Valid Accounts: Domain Accounts

    Current version: 1.4

    Version changed from: 1.3 → 1.4

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-04-13 17:17:03.605000+00:002023-08-14 14:55:07.432000+00:00
    x_mitre_version1.31.4

    [T1562.010] Impair Defenses: Downgrade Attack

    Current version: 1.2

    Version changed from: 1.1 → 1.2

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    		Old Description
    		New Description
    t1Adversaries may downgrade or use a version of system featuret1Adversaries may downgrade or use a version of system feature
    >s that may be outdated, vulnerable, and/or does not support >s that may be outdated, vulnerable, and/or does not support 
    >updated security controls such as logging. For example, [Pow>updated security controls. Downgrade attacks typically take 
    >erShell](https://attack.mitre.org/techniques/T1059/001) vers>advantage of a system’s backward compatibility to force it i
    >ions 5+ includes Script Block Logging (SBL) which can record>nto less secure modes of operation.   Adversaries may downgr
    > executed script content. However, adversaries may attempt t>ade and use various less-secure versions of features of a sy
    >o execute a previous version of PowerShell that does not sup>stem, such as [Command and Scripting Interpreter](https://at
    >port SBL with the intent to [Impair Defenses](https://attack>tack.mitre.org/techniques/T1059)s or even network protocols 
    >.mitre.org/techniques/T1562) while running malicious scripts>that can be abused to enable [Adversary-in-the-Middle](https
    > that may have otherwise been detected.(Citation: CrowdStrik>://attack.mitre.org/techniques/T1557) or [Network Sniffing](
    >e BGH Ransomware 2021)(Citation: Mandiant BYOL 2018)(Citatio>https://attack.mitre.org/techniques/T1040).(Citation: Praeto
    >n: att_def_ps_logging)  Adversaries may downgrade and use le>rian TLS Downgrade Attack 2014) For example, [PowerShell](ht
    >ss-secure versions of various features of a system, such as >tps://attack.mitre.org/techniques/T1059/001) versions 5+ inc
    >[Command and Scripting Interpreter](https://attack.mitre.org>ludes Script Block Logging (SBL) which can record executed s
    >/techniques/T1059)s or even network protocols that can be ab>cript content. However, adversaries may attempt to execute a
    >used to enable [Adversary-in-the-Middle](https://attack.mitr> previous version of PowerShell that does not support SBL wi
    >e.org/techniques/T1557).(Citation: Praetorian TLS Downgrade >th the intent to [Impair Defenses](https://attack.mitre.org/
    >Attack 2014)>techniques/T1562) while running malicious scripts that may h
     >ave otherwise been detected.(Citation: CrowdStrike BGH Ranso
     >mware 2021)(Citation: Mandiant BYOL 2018)(Citation: att_def_
     >ps_logging)  Adversaries may similarly target network traffi
     >c to downgrade from an encrypted HTTPS connection to an unse
     >cured HTTP connection that exposes network data in clear tex
     >t.(Citation: Targeted SSL Stripping Attacks Are Real)(Citati
     >on: Crowdstrike Downgrade)

    New Mitigations:

    • M1054: Software Configuration
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2022-05-19 16:28:31.041000+00:002023-10-03 16:40:15.445000+00:00
    descriptionAdversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls such as logging. For example, [PowerShell](https://attack.mitre.org/techniques/T1059/001) versions 5+ includes Script Block Logging (SBL) which can record executed script content. However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL with the intent to [Impair Defenses](https://attack.mitre.org/techniques/T1562) while running malicious scripts that may have otherwise been detected.(Citation: CrowdStrike BGH Ransomware 2021)(Citation: Mandiant BYOL 2018)(Citation: att_def_ps_logging) + +Adversaries may downgrade and use less-secure versions of various features of a system, such as [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s or even network protocols that can be abused to enable [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557).(Citation: Praetorian TLS Downgrade Attack 2014)Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls. Downgrade attacks typically take advantage of a system’s backward compatibility to force it into less secure modes of operation. + +Adversaries may downgrade and use various less-secure versions of features of a system, such as [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s or even network protocols that can be abused to enable [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) or [Network Sniffing](https://attack.mitre.org/techniques/T1040).(Citation: Praetorian TLS Downgrade Attack 2014) For example, [PowerShell](https://attack.mitre.org/techniques/T1059/001) versions 5+ includes Script Block Logging (SBL) which can record executed script content. However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL with the intent to [Impair Defenses](https://attack.mitre.org/techniques/T1562) while running malicious scripts that may have otherwise been detected.(Citation: CrowdStrike BGH Ransomware 2021)(Citation: Mandiant BYOL 2018)(Citation: att_def_ps_logging) + +Adversaries may similarly target network traffic to downgrade from an encrypted HTTPS connection to an unsecured HTTP connection that exposes network data in clear text.(Citation: Targeted SSL Stripping Attacks Are Real)(Citation: Crowdstrike Downgrade)
    x_mitre_attack_spec_version2.1.03.2.0
    x_mitre_detectionMonitor for commands or other activity that may be indicative of attempts to abuse older or deprecated technologies (ex: powershell –v 2). Also monitor for other abnormal events, such as execution of and/or processes spawning from a version of a tool that is not expected in the environment. + +Monitor for Windows event ID (EID) 400, specifically the EngineVersion field which shows the version of PowerShell running and may highlight a malicious downgrade attack.(Citation: inv_ps_attacks)Monitor for commands or other activity that may be indicative of attempts to abuse older or deprecated technologies (ex: powershell –v 2). Also monitor for other abnormal events, such as execution of and/or processes spawning from a version of a tool that is not expected in the environment. + +Monitor for Windows event ID (EID) 400, specifically the EngineVersion field which shows the version of PowerShell running and may highlight a malicious downgrade attack.(Citation: inv_ps_attacks) + +Monitor network data to detect cases where HTTP is used instead of HTTPS.
    x_mitre_version1.11.2
    iterable_item_added
    STIX FieldOld valueNew Value
    external_references{'source_name': 'Crowdstrike Downgrade', 'description': 'Bart Lenaerts-Bergman. (2023, March 14). WHAT ARE DOWNGRADE ATTACKS?. Retrieved May 24, 2023.', 'url': 'https://www.crowdstrike.com/cybersecurity-101/attack-types/downgrade-attacks/'}
    external_references{'source_name': 'Targeted SSL Stripping Attacks Are Real', 'description': 'Check Point. (n.d.). Targeted SSL Stripping Attacks Are Real. Retrieved May 24, 2023.', 'url': 'https://blog.checkpoint.com/research/targeted-ssl-stripping-attacks-are-real/amp/'}
    x_mitre_contributorsArad Inbar, Fidelis Security

    [T1559.002] Inter-Process Communication: Dynamic Data Exchange

    Current version: 1.3

    Version changed from: 1.2 → 1.3

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_attack_spec_version3.1.0
    x_mitre_deprecatedFalse
    dictionary_item_removed
    STIX FieldOld valueNew Value
    x_mitre_permissions_required['User']
    values_changed
    STIX FieldOld valueNew Value
    modified2022-02-22 13:22:30.191000+00:002023-09-15 18:57:21.881000+00:00
    x_mitre_version1.21.3

    [T1055.001] Process Injection: Dynamic-link Library Injection

    Current version: 1.3

    Version changed from: 1.2 → 1.3

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2022-10-18 21:07:23.748000+00:002023-08-11 21:34:38.558000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    x_mitre_version1.21.3

    [T1114] Email Collection

    Current version: 2.5

    Version changed from: 2.4 → 2.5

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-04-12 20:46:04.871000+00:002023-09-29 21:06:03.098000+00:00
    x_mitre_attack_spec_version3.1.03.2.0
    x_mitre_version2.42.5

    [T1564.008] Hide Artifacts: Email Hiding Rules

    Current version: 1.3

    Version changed from: 1.2 → 1.3

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-04-12 20:42:20.079000+00:002023-10-16 16:41:53.957000+00:00
    x_mitre_attack_spec_version3.1.03.2.0
    x_mitre_version1.21.3

    [T1027.009] Obfuscated Files or Information: Embedded Payloads

    Current version: 1.1

    Version changed from: 1.0 → 1.1

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2022-10-21 14:40:48.074000+00:002023-09-29 21:14:57.263000+00:00
    x_mitre_attack_spec_version2.1.03.2.0
    x_mitre_version1.01.1

    [T1011] Exfiltration Over Other Network Medium

    Current version: 1.2

    Version changed from: 1.1 → 1.2

    New Mitigations:

    • M1042: Disable or Remove Feature or Program
    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_attack_spec_version3.1.0
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2022-03-08 21:02:16.115000+00:002023-09-11 16:06:10.376000+00:00
    x_mitre_version1.11.2

    [T1567] Exfiltration Over Web Service

    Current version: 1.3

    Version changed from: 1.2 → 1.3

    New Detections:

    • DS0015: Application Log (Application Log Content)
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2022-10-19 21:28:34.699000+00:002023-09-05 15:00:36.471000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    x_mitre_version1.21.3
    iterable_item_added
    STIX FieldOld valueNew Value
    x_mitre_data_sourcesApplication Log: Application Log Content
    x_mitre_platformsOffice 365
    x_mitre_platformsSaaS
    x_mitre_platformsGoogle Workspace

    [T1567.002] Exfiltration Over Web Service: Exfiltration to Cloud Storage

    Current version: 1.2

    Version changed from: 1.1 → 1.2

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2022-08-30 12:49:02.969000+00:002023-09-15 19:11:47.547000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    x_mitre_version1.11.2

    [T1567.001] Exfiltration Over Web Service: Exfiltration to Code Repository

    Current version: 1.1

    Version changed from: 1.0 → 1.1

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_attack_spec_version3.1.0
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2020-03-28 00:58:55.433000+00:002023-09-15 19:08:16.882000+00:00
    x_mitre_version1.01.1

    [T1212] Exploitation for Credential Access

    Current version: 1.5

    Version changed from: 1.4 → 1.5

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    		Old Description
    		New Description
    t1Adversaries may exploit software vulnerabilities in an attemt1Adversaries may exploit software vulnerabilities in an attem
    >pt to collect credentials. Exploitation of a software vulner>pt to collect credentials. Exploitation of a software vulner
    >ability occurs when an adversary takes advantage of a progra>ability occurs when an adversary takes advantage of a progra
    >mming error in a program, service, or within the operating s>mming error in a program, service, or within the operating s
    >ystem software or kernel itself to execute adversary-control>ystem software or kernel itself to execute adversary-control
    >led code. Credentialing and authentication mechanisms may be>led code.   Credentialing and authentication mechanisms may 
    > targeted for exploitation by adversaries as a means to gain>be targeted for exploitation by adversaries as a means to ga
    > access to useful credentials or circumvent the process to g>in access to useful credentials or circumvent the process to
    >ain access to systems. One example of this is MS14-068, whic> gain authenticated access to systems. One example of this i
    >h targets Kerberos and can be used to forge Kerberos tickets>s `MS14-068`, which targets Kerberos and can be used to forg
    > using domain user permissions.(Citation: Technet MS14-068)(>e Kerberos tickets using domain user permissions.(Citation: 
    >Citation: ADSecurity Detecting Forged Tickets) Exploitation >Technet MS14-068)(Citation: ADSecurity Detecting Forged Tick
    >for credential access may also result in Privilege Escalatio>ets) Another example of this is replay attacks, in which the
    >n depending on the process targeted or credentials obtained.> adversary intercepts data packets sent between parties and 
     >then later replays these packets. If services don't properly
     > validate authentication requests, these replayed packets ma
     >y allow an adversary to impersonate one of the parties and g
     >ain unauthorized access or privileges.(Citation: Bugcrowd Re
     >play Attack)(Citation: Comparitech Replay Attack)(Citation: 
     >Microsoft Midnight Blizzard Replay Attack)  Such exploitatio
     >n has been demonstrated in cloud environments as well. For e
     >xample, adversaries have exploited vulnerabilities in public
     > cloud infrastructure that allowed for unintended authentica
     >tion token creation and renewal.(Citation: Storm-0558 techni
     >ques for unauthorized email access)  Exploitation for creden
     >tial access may also result in Privilege Escalation dependin
     >g on the process targeted or credentials obtained.

    New Mitigations:

    • M1013: Application Developer Guidance
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2022-04-28 16:06:49.447000+00:002023-10-15 11:45:21.555000+00:00
    descriptionAdversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Credentialing and authentication mechanisms may be targeted for exploitation by adversaries as a means to gain access to useful credentials or circumvent the process to gain access to systems. One example of this is MS14-068, which targets Kerberos and can be used to forge Kerberos tickets using domain user permissions.(Citation: Technet MS14-068)(Citation: ADSecurity Detecting Forged Tickets) Exploitation for credential access may also result in Privilege Escalation depending on the process targeted or credentials obtained.Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code.  + +Credentialing and authentication mechanisms may be targeted for exploitation by adversaries as a means to gain access to useful credentials or circumvent the process to gain authenticated access to systems. One example of this is `MS14-068`, which targets Kerberos and can be used to forge Kerberos tickets using domain user permissions.(Citation: Technet MS14-068)(Citation: ADSecurity Detecting Forged Tickets) Another example of this is replay attacks, in which the adversary intercepts data packets sent between parties and then later replays these packets. If services don't properly validate authentication requests, these replayed packets may allow an adversary to impersonate one of the parties and gain unauthorized access or privileges.(Citation: Bugcrowd Replay Attack)(Citation: Comparitech Replay Attack)(Citation: Microsoft Midnight Blizzard Replay Attack) + +Such exploitation has been demonstrated in cloud environments as well. For example, adversaries have exploited vulnerabilities in public cloud infrastructure that allowed for unintended authentication token creation and renewal.(Citation: Storm-0558 techniques for unauthorized email access) + +Exploitation for credential access may also result in Privilege Escalation depending on the process targeted or credentials obtained.
    x_mitre_attack_spec_version2.1.03.2.0
    x_mitre_version1.41.5
    iterable_item_added
    STIX FieldOld valueNew Value
    external_references{'source_name': 'Bugcrowd Replay Attack', 'description': 'Bugcrowd. (n.d.). Replay Attack. Retrieved September 27, 2023.', 'url': 'https://www.bugcrowd.com/glossary/replay-attack/'}
    external_references{'source_name': 'Comparitech Replay Attack', 'description': 'Justin Schamotta. (2022, October 28). What is a replay attack?. Retrieved September 27, 2023.', 'url': 'https://www.comparitech.com/blog/information-security/what-is-a-replay-attack/'}
    external_references{'source_name': 'Storm-0558 techniques for unauthorized email access', 'description': 'Microsoft Threat Intelligence. (2023, July 14). Analysis of Storm-0558 techniques for unauthorized email access. Retrieved September 18, 2023.', 'url': 'https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/'}
    external_references{'source_name': 'Microsoft Midnight Blizzard Replay Attack', 'description': 'Microsoft Threat Intelligence. (2023, June 21). Credential Attacks. Retrieved September 27, 2023.', 'url': 'https://twitter.com/MsftSecIntel/status/1671579359994343425'}
    x_mitre_contributorsMohit Rathore
    x_mitre_platformsAzure AD

    [T1211] Exploitation for Defense Evasion

    Current version: 1.4

    Version changed from: 1.3 → 1.4

    + + + + + + + + + + + + + + + + + + + + + + + + + + +

    		Old Description
    		New Description
    t1Adversaries may exploit a system or application vulnerabilitt1Adversaries may exploit a system or application vulnerabilit
    >y to bypass security features. Exploitation of a software vu>y to bypass security features. Exploitation of a vulnerabili
    >lnerability occurs when an adversary takes advantage of a pr>ty occurs when an adversary takes advantage of a programming
    >ogramming error in a program, service, or within the operati> error in a program, service, or within the operating system
    >ng system software or kernel itself to execute adversary-con> software or kernel itself to execute adversary-controlled c
    >trolled code. Vulnerabilities may exist in defensive securit>ode. Vulnerabilities may exist in defensive security softwar
    >y software that can be used to disable or circumvent them.  >e that can be used to disable or circumvent them.  Adversari
    >Adversaries may have prior knowledge through reconnaissance >es may have prior knowledge through reconnaissance that secu
    >that security software exists within an environment or they >rity software exists within an environment or they may perfo
    >may perform checks during or shortly after the system is com>rm checks during or shortly after the system is compromised 
    >promised for [Security Software Discovery](https://attack.mi>for [Security Software Discovery](https://attack.mitre.org/t
    >tre.org/techniques/T1518/001). The security software will li>echniques/T1518/001). The security software will likely be t
    >kely be targeted directly for exploitation. There are exampl>argeted directly for exploitation. There are examples of ant
    >es of antivirus software being targeted by persistent threat>ivirus software being targeted by persistent threat groups t
    > groups to avoid detection.>o avoid detection.  There have also been examples of vulnera
     >bilities in public cloud infrastructure of SaaS applications
     > that may bypass defense boundaries (Citation: Salesforce ze
     >ro-day in facebook phishing attack), evade security logs (Ci
     >tation: Bypassing CloudTrail in AWS Service Catalog), or dep
     >loy hidden infrastructure.(Citation: GhostToken GCP flaw)
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2022-04-28 16:10:16.632000+00:002023-10-15 11:41:47.274000+00:00
    descriptionAdversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them. + +Adversaries may have prior knowledge through reconnaissance that security software exists within an environment or they may perform checks during or shortly after the system is compromised for [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001). The security software will likely be targeted directly for exploitation. There are examples of antivirus software being targeted by persistent threat groups to avoid detection.Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them. + +Adversaries may have prior knowledge through reconnaissance that security software exists within an environment or they may perform checks during or shortly after the system is compromised for [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001). The security software will likely be targeted directly for exploitation. There are examples of antivirus software being targeted by persistent threat groups to avoid detection. + +There have also been examples of vulnerabilities in public cloud infrastructure of SaaS applications that may bypass defense boundaries (Citation: Salesforce zero-day in facebook phishing attack), evade security logs (Citation: Bypassing CloudTrail in AWS Service Catalog), or deploy hidden infrastructure.(Citation: GhostToken GCP flaw)
    x_mitre_attack_spec_version2.1.03.2.0
    x_mitre_version1.31.4
    iterable_item_added
    STIX FieldOld valueNew Value
    external_references{'source_name': 'Salesforce zero-day in facebook phishing attack', 'description': 'Bill Toulas. (2023, August 2). Hackers exploited Salesforce zero-day in Facebook phishing attack. Retrieved September 18, 2023.', 'url': 'https://www.bleepingcomputer.com/news/security/hackers-exploited-salesforce-zero-day-in-facebook-phishing-attack/'}
    external_references{'source_name': 'Bypassing CloudTrail in AWS Service Catalog', 'description': 'Nick Frichette. (2023, March 20). Bypassing CloudTrail in AWS Service Catalog, and Other Logging Research. Retrieved September 18, 2023.', 'url': 'https://securitylabs.datadoghq.com/articles/bypass-cloudtrail-aws-service-catalog-and-other/'}
    external_references{'source_name': 'GhostToken GCP flaw', 'description': 'Sergiu Gatlan. (2023, April 21). GhostToken GCP flaw let attackers backdoor Google accounts. Retrieved September 18, 2023.', 'url': 'https://www.bleepingcomputer.com/news/security/ghosttoken-gcp-flaw-let-attackers-backdoor-google-accounts/'}
    x_mitre_platformsSaaS
    x_mitre_platformsIaaS

    [T1071.002] Application Layer Protocol: File Transfer Protocols

    Current version: 1.1

    Version changed from: 1.0 → 1.1

    + + + + + + + + + + + + + + + + + + + +

    		Old Description
    		New Description
    t1Adversaries may communicate using application layer protocolt1Adversaries may communicate using application layer protocol
    >s associated with transferring files to avoid detection/netw>s associated with transferring files to avoid detection/netw
    >ork filtering by blending in with existing traffic. Commands>ork filtering by blending in with existing traffic. Commands
    > to the remote system, and often the results of those comman> to the remote system, and often the results of those comman
    >ds, will be embedded within the protocol traffic between the>ds, will be embedded within the protocol traffic between the
    > client and server.   Protocols such as FTP, FTPS, and TFTP > client and server.   Protocols such as SMB, FTP, FTPS, and 
    >that transfer files may be very common in environments.  Pac>TFTP that transfer files may be very common in environments.
    >kets produced from these protocols may have many fields and >  Packets produced from these protocols may have many fields
    >headers in which data can be concealed. Data could also be c> and headers in which data can be concealed. Data could also
    >oncealed within the transferred files. An adversary may abus> be concealed within the transferred files. An adversary may
    >e these protocols to communicate with systems under their co> abuse these protocols to communicate with systems under the
    >ntrol within a victim network while also mimicking normal, e>ir control within a victim network while also mimicking norm
    >xpected traffic. >al, expected traffic. 
    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_attack_spec_version3.2.0
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2020-08-21 14:41:22.911000+00:002023-10-01 02:42:15.473000+00:00
    descriptionAdversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. + +Protocols such as FTP, FTPS, and TFTP that transfer files may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the transferred files. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. + +Protocols such as SMB, FTP, FTPS, and TFTP that transfer files may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the transferred files. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.
    x_mitre_version1.01.1

    [T1187] Forced Authentication

    Current version: 1.3

    Version changed from: 1.2 → 1.3

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_attack_spec_version3.1.0
    x_mitre_deprecatedFalse
    dictionary_item_removed
    STIX FieldOld valueNew Value
    x_mitre_permissions_required['User']
    values_changed
    STIX FieldOld valueNew Value
    modified2020-06-19 17:16:41.470000+00:002023-08-14 19:30:45.123000+00:00
    x_mitre_version1.21.3

    [T1606] Forge Web Credentials

    Current version: 1.4

    Version changed from: 1.3 → 1.4

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    		Old Description
    		New Description
    t1Adversaries may forge credential materials that can be used t1Adversaries may forge credential materials that can be used 
    >to gain access to web applications or Internet services. Web>to gain access to web applications or Internet services. Web
    > applications and services (hosted in cloud SaaS environment> applications and services (hosted in cloud SaaS environment
    >s or on-premise servers) often use session cookies, tokens, >s or on-premise servers) often use session cookies, tokens, 
    >or other materials to authenticate and authorize user access>or other materials to authenticate and authorize user access
    >.  Adversaries may generate these credential materials in or>.  Adversaries may generate these credential materials in or
    >der to gain access to web resources. This differs from [Stea>der to gain access to web resources. This differs from [Stea
    >l Web Session Cookie](https://attack.mitre.org/techniques/T1>l Web Session Cookie](https://attack.mitre.org/techniques/T1
    >539), [Steal Application Access Token](https://attack.mitre.>539), [Steal Application Access Token](https://attack.mitre.
    >org/techniques/T1528), and other similar behaviors in that t>org/techniques/T1528), and other similar behaviors in that t
    >he credentials are new and forged by the adversary, rather t>he credentials are new and forged by the adversary, rather t
    >han stolen or intercepted from legitimate users. The generat>han stolen or intercepted from legitimate users.  The genera
    >ion of web credentials often requires secret values, such as>tion of web credentials often requires secret values, such a
    > passwords, [Private Keys](https://attack.mitre.org/techniqu>s passwords, [Private Keys](https://attack.mitre.org/techniq
    >es/T1552/004), or other cryptographic seed values.(Citation:>ues/T1552/004), or other cryptographic seed values.(Citation
    > GitHub AWS-ADFS-Credential-Generator) Adversaries may also >: GitHub AWS-ADFS-Credential-Generator) Adversaries may also
    >forge tokens by taking advantage of features such as the `As> forge tokens by taking advantage of features such as the `A
    >sumeRole` and `GetFederationToken` APIs in AWS, which allow >ssumeRole` and `GetFederationToken` APIs in AWS, which allow
    >users to request temporary security credentials.(Citation: A> users to request temporary security credentials (i.e., [Tem
    >WS Temporary Security Credentials)  Once forged, adversaries>porary Elevated Cloud Access](https://attack.mitre.org/techn
    > may use these web credentials to access resources (ex: [Use>iques/T1548/005)), or the `zmprov gdpak` command in Zimbra, 
    > Alternate Authentication Material](https://attack.mitre.org>which generates a pre-authentication key that can be used to
    >/techniques/T1550)), which may bypass multi-factor and other> generate tokens for any user in the domain.(Citation: AWS T
    > authentication protection mechanisms.(Citation: Pass The Co>emporary Security Credentials)(Citation: Zimbra Preauth)  On
    >okie)(Citation: Unit 42 Mac Crypto Cookies January 2019)(Cit>ce forged, adversaries may use these web credentials to acce
    >ation: Microsoft SolarWinds Customer Guidance)  >ss resources (ex: [Use Alternate Authentication Material](ht
     >tps://attack.mitre.org/techniques/T1550)), which may bypass 
     >multi-factor and other authentication protection mechanisms.
     >(Citation: Pass The Cookie)(Citation: Unit 42 Mac Crypto Coo
     >kies January 2019)(Citation: Microsoft SolarWinds Customer G
     >uidance)  
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-05-04 18:05:16.877000+00:002023-10-15 11:10:03.428000+00:00
    descriptionAdversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies, tokens, or other materials to authenticate and authorize user access. + +Adversaries may generate these credential materials in order to gain access to web resources. This differs from [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539), [Steal Application Access Token](https://attack.mitre.org/techniques/T1528), and other similar behaviors in that the credentials are new and forged by the adversary, rather than stolen or intercepted from legitimate users. The generation of web credentials often requires secret values, such as passwords, [Private Keys](https://attack.mitre.org/techniques/T1552/004), or other cryptographic seed values.(Citation: GitHub AWS-ADFS-Credential-Generator) Adversaries may also forge tokens by taking advantage of features such as the `AssumeRole` and `GetFederationToken` APIs in AWS, which allow users to request temporary security credentials.(Citation: AWS Temporary Security Credentials) + +Once forged, adversaries may use these web credentials to access resources (ex: [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550)), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Pass The Cookie)(Citation: Unit 42 Mac Crypto Cookies January 2019)(Citation: Microsoft SolarWinds Customer Guidance) Adversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies, tokens, or other materials to authenticate and authorize user access. + +Adversaries may generate these credential materials in order to gain access to web resources. This differs from [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539), [Steal Application Access Token](https://attack.mitre.org/techniques/T1528), and other similar behaviors in that the credentials are new and forged by the adversary, rather than stolen or intercepted from legitimate users. + +The generation of web credentials often requires secret values, such as passwords, [Private Keys](https://attack.mitre.org/techniques/T1552/004), or other cryptographic seed values.(Citation: GitHub AWS-ADFS-Credential-Generator) Adversaries may also forge tokens by taking advantage of features such as the `AssumeRole` and `GetFederationToken` APIs in AWS, which allow users to request temporary security credentials (i.e., [Temporary Elevated Cloud Access](https://attack.mitre.org/techniques/T1548/005)), or the `zmprov gdpak` command in Zimbra, which generates a pre-authentication key that can be used to generate tokens for any user in the domain.(Citation: AWS Temporary Security Credentials)(Citation: Zimbra Preauth) + +Once forged, adversaries may use these web credentials to access resources (ex: [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550)), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Pass The Cookie)(Citation: Unit 42 Mac Crypto Cookies January 2019)(Citation: Microsoft SolarWinds Customer Guidance)
    x_mitre_attack_spec_version3.1.03.2.0
    x_mitre_version1.31.4
    iterable_item_added
    STIX FieldOld valueNew Value
    external_references{'source_name': 'Zimbra Preauth', 'description': 'Zimbra. (2023, March 16). Preauth. Retrieved May 31, 2023.', 'url': 'https://wiki.zimbra.com/wiki/Preauth'}

    [T1027.006] Obfuscated Files or Information: HTML Smuggling

    Current version: 1.1

    Version changed from: 1.0 → 1.1

    New Mitigations:

    • M1048: Application Isolation and Sandboxing
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2022-05-19 16:29:47.637000+00:002023-07-14 14:01:41.475000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    x_mitre_version1.01.1

    [T1562] Impair Defenses

    Current version: 1.5

    Version changed from: 1.4 → 1.5

    New Mitigations:

    • M1054: Software Configuration

    New Detections:

    • DS0009: Process (OS API Execution)
    • DS0009: Process (Process Modification)
    • DS0022: File (File Deletion)
    • DS0022: File (File Modification)
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-04-15 00:48:46.626000+00:002023-10-20 16:43:53.391000+00:00
    external_references[1]['url']https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/#:~:text=Don’t%20Sleep%20has%20the%20capability%20to%20keep%20the%20computer%20from%20being%20shutdown%20and%20the%20user%20from%20being%20signed%20off.%20This%20was%20likely%20done%20to%20ensure%20nothing%20will%20interfere%20with%20the%20propagation%20of%20the%20ransomware%20payloadhttps://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
    x_mitre_attack_spec_version3.1.03.2.0
    x_mitre_version1.41.5
    iterable_item_added
    STIX FieldOld valueNew Value
    x_mitre_data_sourcesFile: File Modification
    x_mitre_data_sourcesProcess: Process Modification
    x_mitre_data_sourcesFile: File Deletion
    x_mitre_data_sourcesProcess: OS API Execution

    [T1562.006] Impair Defenses: Indicator Blocking

    Current version: 1.3

    Version changed from: 1.2 → 1.3

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-04-12 15:25:10.496000+00:002023-09-18 22:23:55.329000+00:00
    x_mitre_version1.21.3

    [T1105] Ingress Tool Transfer

    Current version: 2.3

    Version changed from: 2.2 → 2.3

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    		Old Description
    		New Description
    t1Adversaries may transfer tools or other files from an externt1Adversaries may transfer tools or other files from an extern
    >al system into a compromised environment. Tools or files may>al system into a compromised environment. Tools or files may
    > be copied from an external adversary-controlled system to t> be copied from an external adversary-controlled system to t
    >he victim network through the command and control channel or>he victim network through the command and control channel or
    > through alternate protocols such as [ftp](https://attack.mi> through alternate protocols such as [ftp](https://attack.mi
    >tre.org/software/S0095). Once present, adversaries may also >tre.org/software/S0095). Once present, adversaries may also 
    >transfer/spread tools between victim devices within a compro>transfer/spread tools between victim devices within a compro
    >mised environment (i.e. [Lateral Tool Transfer](https://atta>mised environment (i.e. [Lateral Tool Transfer](https://atta
    >ck.mitre.org/techniques/T1570)).   Files can also be transfe>ck.mitre.org/techniques/T1570)).   On Windows, adversaries m
    >rred using various [Web Service](https://attack.mitre.org/te>ay use various utilities to download tools, such as `copy`, 
    >chniques/T1102)s as well as native or otherwise present tool>`finger`, [certutil](https://attack.mitre.org/software/S0160
    >s on the victim system.(Citation: PTSecurity Cobalt Dec 2016>), and [PowerShell](https://attack.mitre.org/techniques/T105
    >)  On Windows, adversaries may use various utilities to down>9/001) commands such as <code>IEX(New-Object Net.WebClient).
    >load tools, such as `copy`, `finger`, [certutil](https://att>downloadString()</code> and <code>Invoke-WebRequest</code>. 
    >ack.mitre.org/software/S0160), and [PowerShell](https://atta>On Linux and macOS systems, a variety of utilities also exis
    >ck.mitre.org/techniques/T1059/001) commands such as <code>IE>t, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`,
    >X(New-Object Net.WebClient).downloadString()</code> and <cod> and `wget`.(Citation: t1105_lolbas)  Adversaries may also a
    >e>Invoke-WebRequest</code>. On Linux and macOS systems, a va>buse installers and package managers, such as `yum` or `wing
    >riety of utilities also exist, such as `curl`, `scp`, `sftp`>et`, to download tools to victim hosts.  Files can also be t
    >, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lol>ransferred using various [Web Service](https://attack.mitre.
    >bas)>org/techniques/T1102)s as well as native or otherwise presen
     >t tools on the victim system.(Citation: PTSecurity Cobalt De
     >c 2016) In some cases, adversaries may be able to leverage s
     >ervices that sync between a web-based and an on-premises cli
     >ent, such as Dropbox or OneDrive, to transfer files onto vic
     >tim systems. For example, by compromising a cloud account an
     >d logging into the service's web portal, an adversary may be
     > able to trigger an automatic syncing process that transfers
     > the file onto the victim's machine.(Citation: Dropbox Malwa
     >re Sync)

    New Detections:

    • DS0017: Command (Command Execution)
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-04-14 19:27:57.370000+00:002023-10-03 21:27:20.702000+00:00
    descriptionAdversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as [ftp](https://attack.mitre.org/software/S0095). Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)). + +Files can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) + +On Windows, adversaries may use various utilities to download tools, such as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as IEX(New-Object Net.WebClient).downloadString() and Invoke-WebRequest. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas)Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as [ftp](https://attack.mitre.org/software/S0095). Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)). + +On Windows, adversaries may use various utilities to download tools, such as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as IEX(New-Object Net.WebClient).downloadString() and Invoke-WebRequest. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas) + +Adversaries may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts. + +Files can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers the file onto the victim's machine.(Citation: Dropbox Malware Sync)
    x_mitre_attack_spec_version3.1.03.2.0
    x_mitre_version2.22.3
    iterable_item_added
    STIX FieldOld valueNew Value
    external_references{'source_name': 'Dropbox Malware Sync', 'description': 'David Talbot. (2013, August 21). Dropbox and Similar Services Can Sync Malware. Retrieved May 31, 2023.', 'url': 'https://www.technologyreview.com/2013/08/21/83143/dropbox-and-similar-services-can-sync-malware/'}
    x_mitre_contributorsShailesh Tiwary (Indian Army)
    x_mitre_contributorsThe DFIR Report
    x_mitre_contributorsAlain Homewood
    x_mitre_data_sourcesCommand: Command Execution

    [T1490] Inhibit System Recovery

    Current version: 1.3

    Version changed from: 1.2 → 1.3

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-05-04 18:05:57.725000+00:002023-10-03 17:30:59.482000+00:00
    x_mitre_attack_spec_version3.1.03.2.0
    x_mitre_version1.21.3
    iterable_item_added
    STIX FieldOld valueNew Value
    x_mitre_contributorsJoey Lei
    x_mitre_platformsContainers

    [T1553.004] Subvert Trust Controls: Install Root Certificate

    Current version: 1.2

    Version changed from: 1.1 → 1.2

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    dictionary_item_removed
    STIX FieldOld valueNew Value
    x_mitre_permissions_required['Administrator', 'User']
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 21:01:45.661000+00:002023-09-15 17:26:02.203000+00:00
    x_mitre_version1.11.2

    [T1056.001] Input Capture: Keylogging

    Current version: 1.2

    Version changed from: 1.1 → 1.2

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    		Old Description
    		New Description
    t1Adversaries may log user keystrokes to intercept credentialst1Adversaries may log user keystrokes to intercept credentials
    > as the user types them. Keylogging is likely to be used to > as the user types them. Keylogging is likely to be used to 
    >acquire credentials for new access opportunities when [OS Cr>acquire credentials for new access opportunities when [OS Cr
    >edential Dumping](https://attack.mitre.org/techniques/T1003)>edential Dumping](https://attack.mitre.org/techniques/T1003)
    > efforts are not effective, and may require an adversary to > efforts are not effective, and may require an adversary to 
    >intercept keystrokes on a system for a substantial period of>intercept keystrokes on a system for a substantial period of
    > time before credentials can be successfully captured.  Keyl> time before credentials can be successfully captured. In or
    >ogging is the most prevalent type of input capture, with man>der to increase the likelihood of capturing credentials quic
    >y different ways of intercepting keystrokes.(Citation: Adven>kly, an adversary may also perform actions such as clearing 
    >tures of a Keystroke) Some methods include:  * Hooking API c>browser cookies to force users to reauthenticate to systems.
    >allbacks used for processing keystrokes. Unlike [Credential >(Citation: Talos Kimsuky Nov 2021)  Keylogging is the most p
    >API Hooking](https://attack.mitre.org/techniques/T1056/004),>revalent type of input capture, with many different ways of 
    > this focuses solely on API functions intended for processin>intercepting keystrokes.(Citation: Adventures of a Keystroke
    >g keystroke data. * Reading raw keystroke data from the hard>) Some methods include:  * Hooking API callbacks used for pr
    >ware buffer. * Windows Registry modifications. * Custom driv>ocessing keystrokes. Unlike [Credential API Hooking](https:/
    >ers. * [Modify System Image](https://attack.mitre.org/techni>/attack.mitre.org/techniques/T1056/004), this focuses solely
    >ques/T1601) may provide adversaries with hooks into the oper> on API functions intended for processing keystroke data. * 
    >ating system of network devices to read raw keystrokes for l>Reading raw keystroke data from the hardware buffer. * Windo
    >ogin sessions.(Citation: Cisco Blog Legacy Device Attacks) >ws Registry modifications. * Custom drivers. * [Modify Syste
     >m Image](https://attack.mitre.org/techniques/T1601) may prov
     >ide adversaries with hooks into the operating system of netw
     >ork devices to read raw keystrokes for login sessions.(Citat
     >ion: Cisco Blog Legacy Device Attacks) 
    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_contributors['TruKno']
    x_mitre_deprecatedFalse
    dictionary_item_removed
    STIX FieldOld valueNew Value
    x_mitre_permissions_required['Administrator', 'root', 'SYSTEM', 'User']
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 21:01:37.930000+00:002023-10-01 14:01:12.167000+00:00
    descriptionAdversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured. + +Keylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.(Citation: Adventures of a Keystroke) Some methods include: + +* Hooking API callbacks used for processing keystrokes. Unlike [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004), this focuses solely on API functions intended for processing keystroke data. +* Reading raw keystroke data from the hardware buffer. +* Windows Registry modifications. +* Custom drivers. +* [Modify System Image](https://attack.mitre.org/techniques/T1601) may provide adversaries with hooks into the operating system of network devices to read raw keystrokes for login sessions.(Citation: Cisco Blog Legacy Device Attacks) Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured. In order to increase the likelihood of capturing credentials quickly, an adversary may also perform actions such as clearing browser cookies to force users to reauthenticate to systems.(Citation: Talos Kimsuky Nov 2021) + +Keylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.(Citation: Adventures of a Keystroke) Some methods include: + +* Hooking API callbacks used for processing keystrokes. Unlike [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004), this focuses solely on API functions intended for processing keystroke data. +* Reading raw keystroke data from the hardware buffer. +* Windows Registry modifications. +* Custom drivers. +* [Modify System Image](https://attack.mitre.org/techniques/T1601) may provide adversaries with hooks into the operating system of network devices to read raw keystrokes for login sessions.(Citation: Cisco Blog Legacy Device Attacks)
    x_mitre_attack_spec_version3.1.03.2.0
    x_mitre_version1.11.2
    iterable_item_added
    STIX FieldOld valueNew Value
    external_references{'source_name': 'Talos Kimsuky Nov 2021', 'description': 'An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.', 'url': 'https://blog.talosintelligence.com/2021/11/kimsuky-abuses-blogs-delivers-malware.html'}

    [T1003.001] OS Credential Dumping: LSASS Memory

    Current version: 1.3

    Version changed from: 1.2 → 1.3

    New Detections:

    • DS0024: Windows Registry (Windows Registry Key Modification)
    • DS0028: Logon Session (Logon Session Creation)
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-04-03 18:54:21.492000+00:002023-07-24 18:52:29.338000+00:00
    x_mitre_version1.21.3
    iterable_item_added
    STIX FieldOld valueNew Value
    x_mitre_contributorsOlaf Hartong, Falcon Force
    x_mitre_data_sourcesWindows Registry: Windows Registry Key Modification
    x_mitre_data_sourcesLogon Session: Logon Session Creation

    [T1570] Lateral Tool Transfer

    Current version: 1.3

    Version changed from: 1.2 → 1.3

    + + + + + + + + + + + + + + + + + + + + + + + + + + +

    		Old Description
    		New Description
    t1Adversaries may transfer tools or other files between systemt1Adversaries may transfer tools or other files between system
    >s in a compromised environment. Once brought into the victim>s in a compromised environment. Once brought into the victim
    > environment (i.e. [Ingress Tool Transfer](https://attack.mi> environment (i.e., [Ingress Tool Transfer](https://attack.m
    >tre.org/techniques/T1105)) files may then be copied from one>itre.org/techniques/T1105)) files may then be copied from on
    > system to another to stage adversary tools or other files o>e system to another to stage adversary tools or other files 
    >ver the course of an operation. Adversaries may copy files b>over the course of an operation.  Adversaries may copy files
    >etween internal victim systems to support lateral movement u> between internal victim systems to support lateral movement
    >sing inherent file sharing protocols such as file sharing ov> using inherent file sharing protocols such as file sharing 
    >er [SMB/Windows Admin Shares](https://attack.mitre.org/techn>over [SMB/Windows Admin Shares](https://attack.mitre.org/tec
    >iques/T1021/002) to connected network shares or with authent>hniques/T1021/002) to connected network shares or with authe
    >icated connections via [Remote Desktop Protocol](https://att>nticated connections via [Remote Desktop Protocol](https://a
    >ack.mitre.org/techniques/T1021/001).(Citation: Unit42 Locker>ttack.mitre.org/techniques/T1021/001).(Citation: Unit42 Lock
    >Goga 2019)  Files can also be transferred using native or ot>erGoga 2019)  Files can also be transferred using native or 
    >herwise present tools on the victim system, such as scp, rsy>otherwise present tools on the victim system, such as scp, r
    >nc, curl, sftp, and [ftp](https://attack.mitre.org/software/>sync, curl, sftp, and [ftp](https://attack.mitre.org/softwar
    >S0095).>e/S0095). In some cases, adversaries may be able to leverage
     > [Web Service](https://attack.mitre.org/techniques/T1102)s s
     >uch as Dropbox or OneDrive to copy files from one machine to
     > another via shared, automatically synced folders.(Citation:
     > Dropbox Malware Sync)
    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_contributors['Shailesh Tiwary (Indian Army)']
    values_changed
    STIX FieldOld valueNew Value
    modified2022-04-19 15:34:49.016000+00:002023-10-01 13:48:28.738000+00:00
    descriptionAdversaries may transfer tools or other files between systems in a compromised environment. Once brought into the victim environment (i.e. [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) files may then be copied from one system to another to stage adversary tools or other files over the course of an operation. Adversaries may copy files between internal victim systems to support lateral movement using inherent file sharing protocols such as file sharing over [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) to connected network shares or with authenticated connections via [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001).(Citation: Unit42 LockerGoga 2019) + +Files can also be transferred using native or otherwise present tools on the victim system, such as scp, rsync, curl, sftp, and [ftp](https://attack.mitre.org/software/S0095).Adversaries may transfer tools or other files between systems in a compromised environment. Once brought into the victim environment (i.e., [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) files may then be copied from one system to another to stage adversary tools or other files over the course of an operation. + +Adversaries may copy files between internal victim systems to support lateral movement using inherent file sharing protocols such as file sharing over [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) to connected network shares or with authenticated connections via [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001).(Citation: Unit42 LockerGoga 2019) + +Files can also be transferred using native or otherwise present tools on the victim system, such as scp, rsync, curl, sftp, and [ftp](https://attack.mitre.org/software/S0095). In some cases, adversaries may be able to leverage [Web Service](https://attack.mitre.org/techniques/T1102)s such as Dropbox or OneDrive to copy files from one machine to another via shared, automatically synced folders.(Citation: Dropbox Malware Sync)
    x_mitre_attack_spec_version2.1.03.2.0
    x_mitre_version1.21.3
    iterable_item_added
    STIX FieldOld valueNew Value
    external_references{'source_name': 'Dropbox Malware Sync', 'description': 'David Talbot. (2013, August 21). Dropbox and Similar Services Can Sync Malware. Retrieved May 31, 2023.', 'url': 'https://www.technologyreview.com/2013/08/21/83143/dropbox-and-similar-services-can-sync-malware/'}

    [T1222.002] File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification

    Current version: 1.2

    Version changed from: 1.1 → 1.2

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_attack_spec_version3.1.0
    x_mitre_deprecatedFalse
    dictionary_item_removed
    STIX FieldOld valueNew Value
    x_mitre_permissions_required['User', 'root']
    values_changed
    STIX FieldOld valueNew Value
    modified2021-09-13 21:08:09.985000+00:002023-08-14 17:54:22.970000+00:00
    x_mitre_version1.11.2

    [T1136.001] Create Account: Local Account

    Current version: 1.3

    Version changed from: 1.2 → 1.3

    + + + + + + + + + + + + + + + + + + + + + + +

    		Old Description
    		New Description
    t1Adversaries may create a local account to maintain access tot1Adversaries may create a local account to maintain access to
    > victim systems. Local accounts are those configured by an o> victim systems. Local accounts are those configured by an o
    >rganization for use by users, remote support, services, or f>rganization for use by users, remote support, services, or f
    >or administration on a single system or service. With a suff>or administration on a single system or service.   For examp
    >icient level of access, the <code>net user /add</code> comma>le, with a sufficient level of access, the Windows <code>net
    >nd can be used to create a local account. On macOS systems t> user /add</code> command can be used to create a local acco
    >he <code>dscl -create</code> command can be used to create a>unt. On macOS systems the <code>dscl -create</code> command 
    > local account. Local accounts may also be added to network >can be used to create a local account. Local accounts may al
    >devices, often via common [Network Device CLI](https://attac>so be added to network devices, often via common [Network De
    >k.mitre.org/techniques/T1059/008) commands such as <code>use>vice CLI](https://attack.mitre.org/techniques/T1059/008) com
    >rname</code>.(Citation: cisco_username_cmd)  Such accounts m>mands such as <code>username</code>, or to Kubernetes cluste
    >ay be used to establish secondary credentialed access that d>rs using the `kubectl` utility.(Citation: cisco_username_cmd
    >o not require persistent remote access tools to be deployed >)(Citation: Kubernetes Service Accounts Security)  Such acco
    >on the system.>unts may be used to establish secondary credentialed access 
     >that do not require persistent remote access tools to be dep
     >loyed on the system.
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-04-12 23:23:35.209000+00:002023-10-16 17:40:37.995000+00:00
    descriptionAdversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. With a sufficient level of access, the net user /add command can be used to create a local account. On macOS systems the dscl -create command can be used to create a local account. Local accounts may also be added to network devices, often via common [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as username.(Citation: cisco_username_cmd) + +Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. + +For example, with a sufficient level of access, the Windows net user /add command can be used to create a local account. On macOS systems the dscl -create command can be used to create a local account. Local accounts may also be added to network devices, often via common [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as username, or to Kubernetes clusters using the `kubectl` utility.(Citation: cisco_username_cmd)(Citation: Kubernetes Service Accounts Security) + +Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
    x_mitre_attack_spec_version3.1.03.2.0
    x_mitre_version1.21.3
    iterable_item_added
    STIX FieldOld valueNew Value
    external_references{'source_name': 'Kubernetes Service Accounts Security', 'description': 'Kubernetes. (n.d.). Service Accounts. Retrieved July 14, 2023.', 'url': 'https://kubernetes.io/docs/concepts/security/service-accounts/'}
    x_mitre_platformsContainers

    [T1078.003] Valid Accounts: Local Accounts

    Current version: 1.4

    Version changed from: 1.3 → 1.4

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-04-13 17:17:49.889000+00:002023-07-14 13:04:04.591000+00:00
    x_mitre_version1.31.4
    iterable_item_added
    STIX FieldOld valueNew Value
    x_mitre_platformsNetwork

    [T1127.001] Trusted Developer Utilities Proxy Execution: MSBuild

    Current version: 1.3

    Version changed from: 1.2 → 1.3

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_attack_spec_version3.1.0
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2021-10-15 23:57:07.973000+00:002023-08-14 19:23:58.317000+00:00
    x_mitre_version1.21.3

    [T1036.004] Masquerading: Masquerade Task or Service

    Current version: 1.2

    Version changed from: 1.1 → 1.2

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_attack_spec_version3.2.0
    x_mitre_deprecatedFalse
    dictionary_item_removed
    STIX FieldOld valueNew Value
    x_mitre_permissions_required['User', 'Administrator', 'SYSTEM']
    values_changed
    STIX FieldOld valueNew Value
    modified2021-10-18 13:24:52.618000+00:002023-09-29 20:30:58.300000+00:00
    x_mitre_version1.11.2

    [T1036] Masquerading

    Current version: 1.6

    Version changed from: 1.5 → 1.6

    + + + + + + + + + + + + + + + + + + + + + +

    		Old Description
    		New Description
    t1Adversaries may attempt to manipulate features of their artit1Adversaries may attempt to manipulate features of their arti
    >facts to make them appear legitimate or benign to users and/>facts to make them appear legitimate or benign to users and/
    >or security tools. Masquerading occurs when the name or loca>or security tools. Masquerading occurs when the name or loca
    >tion of an object, legitimate or malicious, is manipulated o>tion of an object, legitimate or malicious, is manipulated o
    >r abused for the sake of evading defenses and observation. T>r abused for the sake of evading defenses and observation. T
    >his may include manipulating file metadata, tricking users i>his may include manipulating file metadata, tricking users i
    >nto misidentifying the file type, and giving legitimate task>nto misidentifying the file type, and giving legitimate task
    > or service names.  Renaming abusable system utilities to ev> or service names.  Renaming abusable system utilities to ev
    >ade security monitoring is also a form of [Masquerading](htt>ade security monitoring is also a form of [Masquerading](htt
    >ps://attack.mitre.org/techniques/T1036).(Citation: LOLBAS Ma>ps://attack.mitre.org/techniques/T1036).(Citation: LOLBAS Ma
    >in Site)>in Site) Masquerading may also include the use of [Proxy](ht
     >tps://attack.mitre.org/techniques/T1090) or VPNs to disguise
     > IP addresses, which can allow adversaries to blend in with 
     >normal network traffic and bypass conditional access policie
     >s or anti-abuse protections.

    New Mitigations:

    • M1017: User Training

    New Detections:

    • DS0009: Process (OS API Execution)
    • DS0009: Process (Process Creation)
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-04-07 17:04:34.648000+00:002023-10-15 09:52:11.875000+00:00
    descriptionAdversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names. + +Renaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1036).(Citation: LOLBAS Main Site)Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names. + +Renaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1036).(Citation: LOLBAS Main Site) Masquerading may also include the use of [Proxy](https://attack.mitre.org/techniques/T1090) or VPNs to disguise IP addresses, which can allow adversaries to blend in with normal network traffic and bypass conditional access policies or anti-abuse protections.
    external_references[2]['url']http://pages.endgame.com/rs/627-YBU-612/images/EndgameJournal_The%20Masquerade%20Ball_Pages_R2.pdfhttps://www.elastic.co/blog/how-hunt-masquerade-ball
    x_mitre_attack_spec_version3.1.03.2.0
    x_mitre_version1.51.6
    iterable_item_added
    STIX FieldOld valueNew Value
    x_mitre_contributorsGoldstein Menachem
    x_mitre_data_sourcesProcess: Process Creation
    x_mitre_data_sourcesProcess: OS API Execution

    [T1036.005] Masquerading: Match Legitimate Name or Location

    Current version: 1.2

    Version changed from: 1.1 → 1.2

    New Detections:

    • DS0009: Process (Process Creation)
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 21:01:42.277000+00:002023-09-14 21:12:48.409000+00:00
    external_references[3]['url']http://pages.endgame.com/rs/627-YBU-612/images/EndgameJournal_The%20Masquerade%20Ball_Pages_R2.pdfhttps://www.elastic.co/blog/how-hunt-masquerade-ball
    x_mitre_attack_spec_version2.1.03.1.0
    x_mitre_version1.11.2
    iterable_item_added
    STIX FieldOld valueNew Value
    x_mitre_data_sourcesProcess: Process Creation

    [T1578] Modify Cloud Compute Infrastructure

    Current version: 1.2

    Version changed from: 1.1 → 1.2

    New Detections:

    • DS0025: Cloud Service (Cloud Service Metadata)
    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_attack_spec_version3.1.0
    x_mitre_deprecatedFalse
    dictionary_item_removed
    STIX FieldOld valueNew Value
    x_mitre_permissions_required['User']
    values_changed
    STIX FieldOld valueNew Value
    modified2021-04-20 14:51:01.759000+00:002023-09-05 20:45:22.041000+00:00
    x_mitre_version1.11.2
    iterable_item_added
    STIX FieldOld valueNew Value
    x_mitre_data_sourcesCloud Service: Cloud Service Metadata

    [T1112] Modify Registry

    Current version: 1.4

    Version changed from: 1.3 → 1.4

    New Detections:

    • DS0029: Network Traffic (Network Traffic Flow)
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-04-21 12:19:38.962000+00:002023-08-14 19:19:54.148000+00:00
    x_mitre_version1.31.4
    iterable_item_added
    STIX FieldOld valueNew Value
    x_mitre_data_sourcesNetwork Traffic: Network Traffic Flow

    [T1556.006] Modify Authentication Process: Multi-Factor Authentication

    Current version: 1.1

    Version changed from: 1.0 → 1.1

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-02-09 14:18:59.080000+00:002023-10-16 16:47:26.119000+00:00
    external_references[2]['description']Manidant. (n.d.). APT42: Crooked Charms, Cons and Compromise. Retrieved September 16, 2022.Mandiant. (n.d.). APT42: Crooked Charms, Cons and Compromise. Retrieved September 16, 2022.
    x_mitre_attack_spec_version3.1.03.2.0
    x_mitre_version1.01.1

    [T1003.003] OS Credential Dumping: NTDS

    Current version: 1.2

    Version changed from: 1.1 → 1.2

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_attack_spec_version3.1.0
    x_mitre_deprecatedFalse
    dictionary_item_removed
    STIX FieldOld valueNew Value
    x_mitre_permissions_required['Administrator']
    values_changed
    STIX FieldOld valueNew Value
    modified2022-03-08 21:00:52.774000+00:002023-07-28 14:41:38.908000+00:00
    x_mitre_version1.11.2

    [T1106] Native API

    Current version: 2.2

    Version changed from: 2.1 → 2.2

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    		Old Description
    		New Description
    t1Adversaries may interact with the native OS application progt1Adversaries may interact with the native OS application prog
    >ramming interface (API) to execute behaviors. Native APIs pr>ramming interface (API) to execute behaviors. Native APIs pr
    >ovide a controlled means of calling low-level OS services wi>ovide a controlled means of calling low-level OS services wi
    >thin the kernel, such as those involving hardware/devices, m>thin the kernel, such as those involving hardware/devices, m
    >emory, and processes.(Citation: NT API Windows)(Citation: Li>emory, and processes.(Citation: NT API Windows)(Citation: Li
    >nux Kernel API) These native APIs are leveraged by the OS du>nux Kernel API) These native APIs are leveraged by the OS du
    >ring system boot (when other system components are not yet i>ring system boot (when other system components are not yet i
    >nitialized) as well as carrying out tasks and requests durin>nitialized) as well as carrying out tasks and requests durin
    >g routine operations.  Native API functions (such as <code>N>g routine operations.  Adversaries may abuse these OS API fu
    >tCreateProcess</code>) may be directed invoked via system ca>nctions as a means of executing behaviors. Similar to [Comma
    >lls / syscalls, but these features are also often exposed to>nd and Scripting Interpreter](https://attack.mitre.org/techn
    > user-mode applications via interfaces and libraries.(Citati>iques/T1059), the native API and its hierarchy of interfaces
    >on: OutFlank System Calls)(Citation: CyberBit System Calls)(> provide mechanisms to interact with and utilize various com
    >Citation: MDSec System Calls) For example, functions such as>ponents of a victimized system.  Native API functions (such 
    > the Windows API <code>CreateProcess()</code> or GNU <code>f>as <code>NtCreateProcess</code>) may be directed invoked via
    >ork()</code> will allow programs and scripts to start other > system calls / syscalls, but these features are also often 
    >processes.(Citation: Microsoft CreateProcess)(Citation: GNU >exposed to user-mode applications via interfaces and librari
    >Fork) This may allow API callers to execute a binary, run a >es.(Citation: OutFlank System Calls)(Citation: CyberBit Syst
    >CLI command, load modules, etc. as thousands of similar API >em Calls)(Citation: MDSec System Calls) For example, functio
    >functions exist for various system operations.(Citation: Mic>ns such as the Windows API <code>CreateProcess()</code> or G
    >rosoft Win32)(Citation: LIBC)(Citation: GLIBC)  Higher level>NU <code>fork()</code> will allow programs and scripts to st
    > software frameworks, such as Microsoft .NET and macOS Cocoa>art other processes.(Citation: Microsoft CreateProcess)(Cita
    >, are also available to interact with native APIs. These fra>tion: GNU Fork) This may allow API callers to execute a bina
    >meworks typically provide language wrappers/abstractions to >ry, run a CLI command, load modules, etc. as thousands of si
    >API functionalities and are designed for ease-of-use/portabi>milar API functions exist for various system operations.(Cit
    >lity of code.(Citation: Microsoft NET)(Citation: Apple Core >ation: Microsoft Win32)(Citation: LIBC)(Citation: GLIBC)  Hi
    >Services)(Citation: MACOS Cocoa)(Citation: macOS Foundation)>gher level software frameworks, such as Microsoft .NET and m
    >  Adversaries may abuse these OS API functions as a means of>acOS Cocoa, are also available to interact with native APIs.
    > executing behaviors. Similar to [Command and Scripting Inte> These frameworks typically provide language wrappers/abstra
    >rpreter](https://attack.mitre.org/techniques/T1059), the nat>ctions to API functionalities and are designed for ease-of-u
    >ive API and its hierarchy of interfaces provide mechanisms t>se/portability of code.(Citation: Microsoft NET)(Citation: A
    >o interact with and utilize various components of a victimiz>pple Core Services)(Citation: MACOS Cocoa)(Citation: macOS F
    >ed system. While invoking API functions, adversaries may als>oundation)  Adversaries may use assembly to directly or in-d
    >o attempt to bypass defensive tools (ex: unhooking monitored>irectly invoke syscalls in an attempt to subvert defensive s
    > functions via [Disable or Modify Tools](https://attack.mitr>ensors and detection signatures such as user mode API-hooks.
    >e.org/techniques/T1562/001)).>(Citation: Redops Syscalls) Adversaries may also attempt to 
     >tamper with sensors and defensive tools associated with API 
     >monitoring, such as unhooking monitored functions via [Disab
     >le or Modify Tools](https://attack.mitre.org/techniques/T156
     >2/001).
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2022-04-19 20:30:00.118000+00:002023-10-13 16:01:07.538000+00:00
    descriptionAdversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations. + +Native API functions (such as NtCreateProcess) may be directed invoked via system calls / syscalls, but these features are also often exposed to user-mode applications via interfaces and libraries.(Citation: OutFlank System Calls)(Citation: CyberBit System Calls)(Citation: MDSec System Calls) For example, functions such as the Windows API CreateProcess() or GNU fork() will allow programs and scripts to start other processes.(Citation: Microsoft CreateProcess)(Citation: GNU Fork) This may allow API callers to execute a binary, run a CLI command, load modules, etc. as thousands of similar API functions exist for various system operations.(Citation: Microsoft Win32)(Citation: LIBC)(Citation: GLIBC) + +Higher level software frameworks, such as Microsoft .NET and macOS Cocoa, are also available to interact with native APIs. These frameworks typically provide language wrappers/abstractions to API functionalities and are designed for ease-of-use/portability of code.(Citation: Microsoft NET)(Citation: Apple Core Services)(Citation: MACOS Cocoa)(Citation: macOS Foundation) + +Adversaries may abuse these OS API functions as a means of executing behaviors. Similar to [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), the native API and its hierarchy of interfaces provide mechanisms to interact with and utilize various components of a victimized system. While invoking API functions, adversaries may also attempt to bypass defensive tools (ex: unhooking monitored functions via [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001)).Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations. + +Adversaries may abuse these OS API functions as a means of executing behaviors. Similar to [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), the native API and its hierarchy of interfaces provide mechanisms to interact with and utilize various components of a victimized system. + +Native API functions (such as NtCreateProcess) may be directed invoked via system calls / syscalls, but these features are also often exposed to user-mode applications via interfaces and libraries.(Citation: OutFlank System Calls)(Citation: CyberBit System Calls)(Citation: MDSec System Calls) For example, functions such as the Windows API CreateProcess() or GNU fork() will allow programs and scripts to start other processes.(Citation: Microsoft CreateProcess)(Citation: GNU Fork) This may allow API callers to execute a binary, run a CLI command, load modules, etc. as thousands of similar API functions exist for various system operations.(Citation: Microsoft Win32)(Citation: LIBC)(Citation: GLIBC) + +Higher level software frameworks, such as Microsoft .NET and macOS Cocoa, are also available to interact with native APIs. These frameworks typically provide language wrappers/abstractions to API functionalities and are designed for ease-of-use/portability of code.(Citation: Microsoft NET)(Citation: Apple Core Services)(Citation: MACOS Cocoa)(Citation: macOS Foundation) + +Adversaries may use assembly to directly or in-directly invoke syscalls in an attempt to subvert defensive sensors and detection signatures such as user mode API-hooks.(Citation: Redops Syscalls) Adversaries may also attempt to tamper with sensors and defensive tools associated with API monitoring, such as unhooking monitored functions via [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001).
    x_mitre_attack_spec_version2.1.03.2.0
    x_mitre_version2.12.2
    iterable_item_added
    STIX FieldOld valueNew Value
    external_references{'source_name': 'Redops Syscalls', 'description': 'Feichter, D. (2023, June 30). Direct Syscalls vs Indirect Syscalls. Retrieved September 27, 2023.', 'url': 'https://redops.at/en/blog/direct-syscalls-vs-indirect-syscalls'}
    x_mitre_contributorsTristan Madani (Cybereason)

    [T1046] Network Service Discovery

    Current version: 3.1

    Version changed from: 3.0 → 3.1

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 21:01:43.682000+00:002023-08-11 21:10:09.547000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    x_mitre_version3.03.1

    [T1135] Network Share Discovery

    Current version: 3.2

    Version changed from: 3.1 → 3.2

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    dictionary_item_removed
    STIX FieldOld valueNew Value
    x_mitre_permissions_required['User']
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 21:01:46.370000+00:002023-09-29 19:44:43.870000+00:00
    x_mitre_attack_spec_version3.1.03.2.0
    x_mitre_version3.13.2

    [T1040] Network Sniffing

    Current version: 1.5

    Version changed from: 1.4 → 1.5

    New Mitigations:

    • M1030: Network Segmentation
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-04-12 23:31:49.085000+00:002023-07-10 15:48:01.560000+00:00
    x_mitre_version1.41.5
    iterable_item_added
    STIX FieldOld valueNew Value
    x_mitre_contributorsItamar Mizrahi, Cymptom

    [T1095] Non-Application Layer Protocol

    Current version: 2.3

    Version changed from: 2.2 → 2.3

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-04-20 19:11:53.499000+00:002023-09-29 21:07:31.570000+00:00
    x_mitre_attack_spec_version3.1.03.2.0
    x_mitre_version2.22.3

    [T1027] Obfuscated Files or Information

    Current version: 1.5

    Version changed from: 1.4 → 1.5

    New Mitigations:

    • M1017: User Training
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 21:01:43.857000+00:002023-08-28 19:17:53.015000+00:00
    x_mitre_version1.41.5

    [T1550.002] Use Alternate Authentication Material: Pass the Hash

    Current version: 1.2

    Version changed from: 1.1 → 1.2

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 21:01:45.141000+00:002023-07-28 18:24:16.246000+00:00
    x_mitre_version1.11.2

    [T1110.001] Brute Force: Password Guessing

    Current version: 1.5

    Version changed from: 1.4 → 1.5

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-04-14 23:04:08.394000+00:002023-10-16 16:57:41.743000+00:00
    x_mitre_attack_spec_version3.1.03.2.0
    x_mitre_version1.41.5

    [T1110.003] Brute Force: Password Spraying

    Current version: 1.4

    Version changed from: 1.3 → 1.4

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-04-14 23:04:38.816000+00:002023-10-16 16:55:18.014000+00:00
    x_mitre_attack_spec_version3.1.03.2.0
    x_mitre_version1.31.4

    [T1574.007] Hijack Execution Flow: Path Interception by PATH Environment Variable

    Current version: 1.1

    Version changed from: 1.0 → 1.1

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    		Old Description
    		New Description
    t1Adversaries may execute their own malicious payloads by hijat1Adversaries may execute their own malicious payloads by hija
    >cking environment variables used to load libraries. Adversar>cking environment variables used to load libraries. The PATH
    >ies may place a program in an earlier entry in the list of d> environment variable contains a list of directories (User a
    >irectories stored in the PATH environment variable, which Wi>nd System) that the OS searches sequentially through in sear
    >ndows will then execute when it searches sequentially throug>ch of the binary that was called from a script or the comman
    >h that PATH listing in search of the binary that was called >d line.   Adversaries can place a malicious program in an ea
    >from a script or the command line.  The PATH environment var>rlier entry in the list of directories stored in the PATH en
    >iable contains a list of directories. Certain methods of exe>vironment variable, resulting in the operating system execut
    >cuting a program (namely using cmd.exe or the command-line) >ing the malicious binary rather than the legitimate binary w
    >rely solely on the PATH environment variable to determine th>hen it searches sequentially through that PATH listing.  For
    >e locations that are searched for a program when the path fo> example, on Windows if an adversary places a malicious prog
    >r the program is not given. If any directories are listed in>ram named "net.exe" in `C:\example path`, which by default p
    > the PATH environment variable before the Windows directory,>recedes `C:\Windows\system32\net.exe` in the PATH environmen
    > <code>%SystemRoot%\system32</code> (e.g., <code>C:\Windows\>t variable, when "net" is executed from the command-line the
    >system32</code>), a program may be placed in the preceding d> `C:\example path` will be called instead of the system's le
    >irectory that is named the same as a Windows program (such a>gitimate executable at `C:\Windows\system32\net.exe`. Some m
    >s cmd, PowerShell, or Python), which will be executed when t>ethods of executing a program rely on the PATH environment v
    >hat command is executed from a script or command-line.  For >ariable to determine the locations that are searched when th
    >example, if <code>C:\example path</code> precedes </code>C:\>e path for the program is not given, such as executing progr
    >Windows\system32</code> is in the PATH environment variable,>ams from a [Command and Scripting Interpreter](https://attac
    > a program that is named net.exe and placed in <code>C:\exam>k.mitre.org/techniques/T1059).(Citation: ExpressVPN PATH env
    >ple path</code> will be called instead of the Windows system> Windows 2021)  Adversaries may also directly modify the $PA
    > "net" when "net" is executed from the command-line.>TH variable specifying the directories to be searched.  An a
     >dversary can modify the `$PATH` variable to point to a direc
     >tory they have write access. When a program using the $PATH 
     >variable is called, the OS searches the specified directory 
     >and executes the malicious binary. On macOS, this can also b
     >e performed through modifying the $HOME variable. These vari
     >ables can be modified using the command-line, launchctl, [Un
     >ix Shell Configuration Modification](https://attack.mitre.or
     >g/techniques/T1546/004), or modifying the `/etc/paths.d` fol
     >der contents.(Citation: uptycs Fake POC linux malware 2023)(
     >Citation: nixCraft macOS PATH variables)(Citation: Elastic R
     >ules macOS launchctl 2022)
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 21:01:39.426000+00:002023-10-03 03:29:57.078000+00:00
    descriptionAdversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. Adversaries may place a program in an earlier entry in the list of directories stored in the PATH environment variable, which Windows will then execute when it searches sequentially through that PATH listing in search of the binary that was called from a script or the command line. + +The PATH environment variable contains a list of directories. Certain methods of executing a program (namely using cmd.exe or the command-line) rely solely on the PATH environment variable to determine the locations that are searched for a program when the path for the program is not given. If any directories are listed in the PATH environment variable before the Windows directory, %SystemRoot%\system32 (e.g., C:\Windows\system32), a program may be placed in the preceding directory that is named the same as a Windows program (such as cmd, PowerShell, or Python), which will be executed when that command is executed from a script or command-line. + +For example, if C:\example path precedes C:\Windows\system32 is in the PATH environment variable, a program that is named net.exe and placed in C:\example path will be called instead of the Windows system "net" when "net" is executed from the command-line.Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. The PATH environment variable contains a list of directories (User and System) that the OS searches sequentially through in search of the binary that was called from a script or the command line. + +Adversaries can place a malicious program in an earlier entry in the list of directories stored in the PATH environment variable, resulting in the operating system executing the malicious binary rather than the legitimate binary when it searches sequentially through that PATH listing. + +For example, on Windows if an adversary places a malicious program named "net.exe" in `C:\example path`, which by default precedes `C:\Windows\system32\net.exe` in the PATH environment variable, when "net" is executed from the command-line the `C:\example path` will be called instead of the system's legitimate executable at `C:\Windows\system32\net.exe`. Some methods of executing a program rely on the PATH environment variable to determine the locations that are searched when the path for the program is not given, such as executing programs from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059).(Citation: ExpressVPN PATH env Windows 2021) + +Adversaries may also directly modify the $PATH variable specifying the directories to be searched. An adversary can modify the `$PATH` variable to point to a directory they have write access. When a program using the $PATH variable is called, the OS searches the specified directory and executes the malicious binary. On macOS, this can also be performed through modifying the $HOME variable. These variables can be modified using the command-line, launchctl, [Unix Shell Configuration Modification](https://attack.mitre.org/techniques/T1546/004), or modifying the `/etc/paths.d` folder contents.(Citation: uptycs Fake POC linux malware 2023)(Citation: nixCraft macOS PATH variables)(Citation: Elastic Rules macOS launchctl 2022)
    x_mitre_attack_spec_version2.1.03.2.0
    x_mitre_version1.01.1
    iterable_item_added
    STIX FieldOld valueNew Value
    external_references{'source_name': 'Elastic Rules macOS launchctl 2022', 'description': 'Elastic Security 7.17. (2022, February 1). Modification of Environment Variable via Launchctl. Retrieved September 28, 2023.', 'url': 'https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-4-modification-of-environment-variable-via-launchctl.html'}
    external_references{'source_name': 'ExpressVPN PATH env Windows 2021', 'description': 'ExpressVPN Security Team. (2021, November 16). Cybersecurity lessons: A PATH vulnerability in Windows. Retrieved September 28, 2023.', 'url': 'https://www.expressvpn.com/blog/cybersecurity-lessons-a-path-vulnerability-in-windows/'}
    external_references{'source_name': 'uptycs Fake POC linux malware 2023', 'description': 'Nischay Hegde and Siddartha Malladi. (2023, July 12). PoC Exploit: Fake Proof of Concept with Backdoor Malware. Retrieved September 28, 2023.', 'url': 'https://www.uptycs.com/blog/new-poc-exploit-backdoor-malware'}
    external_references{'source_name': 'nixCraft macOS PATH variables', 'description': 'Vivek Gite. (2023, August 22). MacOS – Set / Change $PATH Variable Command. Retrieved September 28, 2023.', 'url': 'https://www.cyberciti.biz/faq/appleosx-bash-unix-change-set-path-environment-variable/'}
    x_mitre_platformsmacOS
    x_mitre_platformsLinux

    [T1566] Phishing

    Current version: 2.4

    Version changed from: 2.3 → 2.4

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-04-14 17:42:15.871000+00:002023-09-08 20:27:52.947000+00:00
    x_mitre_version2.32.4

    [T1598] Phishing for Information

    Current version: 1.3

    Version changed from: 1.2 → 1.3

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-04-14 17:42:38.063000+00:002023-09-08 20:28:49.600000+00:00
    x_mitre_version1.21.3

    [T1547.012] Boot or Logon Autostart Execution: Print Processors

    Current version: 1.1

    Version changed from: 1.0 → 1.1

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    		Old Description
    		New Description
    t1Adversaries may abuse print processors to run malicious DLLst1Adversaries may abuse print processors to run malicious DLLs
    > during system boot for persistence and/or privilege escalat> during system boot for persistence and/or privilege escalat
    >ion. Print processors are DLLs that are loaded by the print >ion. Print processors are DLLs that are loaded by the print 
    >spooler service, spoolsv.exe, during boot.   Adversaries may>spooler service, `spoolsv.exe`, during boot.(Citation: Micro
    > abuse the print spooler service by adding print processors >soft Intro Print Processors)  Adversaries may abuse the prin
    >that load malicious DLLs at startup. A print processor can b>t spooler service by adding print processors that load malic
    >e installed through the <code>AddPrintProcessor</code> API c>ious DLLs at startup. A print processor can be installed thr
    >all with an account that has <code>SeLoadDriverPrivilege</co>ough the <code>AddPrintProcessor</code> API call with an acc
    >de> enabled. Alternatively, a print processor can be registe>ount that has <code>SeLoadDriverPrivilege</code> enabled. Al
    >red to the print spooler service by adding the <code>HKLM\SY>ternatively, a print processor can be registered to the prin
    >STEM\\[CurrentControlSet or ControlSet001]\Control\Print\Env>t spooler service by adding the <code>HKLM\SYSTEM\\[CurrentC
    >ironments\\[Windows architecture: e.g., Windows x64]\Print P>ontrolSet or ControlSet001]\Control\Print\Environments\\[Win
    >rocessors\\[user defined]\Driver</code> Registry key that po>dows architecture: e.g., Windows x64]\Print Processors\\[use
    >ints to the DLL. For the print processor to be correctly ins>r defined]\Driver</code> Registry key that points to the DLL
    >talled, it must be located in the system print-processor dir> For the malicious print processor to be correctly install
    >ectory that can be found with the <code>GetPrintProcessorDir>ed, the payload must be located in the dedicated system prin
    >ectory</code> API call.(Citation: Microsoft AddPrintProcesso>t-processor directory, that can be found with the <code>GetP
    >r May 2018) After the print processors are installed, the pr>rintProcessorDirectory</code> API call, or referenced via a 
    >int spooler service, which starts during boot, must be resta>relative path from this directory.(Citation: Microsoft AddPr
    >rted in order for them to run.(Citation: ESET PipeMon May 20>intProcessor May 2018) After the print processors are instal
    >20) The print spooler service runs under SYSTEM level permis>led, the print spooler service, which starts during boot, mu
    >sions, therefore print processors installed by an adversary >st be restarted in order for them to run.(Citation: ESET Pip
    >may run under elevated privileges.>eMon May 2020)  The print spooler service runs under SYSTEM 
     >level permissions, therefore print processors installed by a
     >n adversary may run under elevated privileges.
    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_attack_spec_version3.2.0
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2020-10-09 16:05:36.344000+00:002023-10-04 14:16:17.655000+00:00
    descriptionAdversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, spoolsv.exe, during boot. + +Adversaries may abuse the print spooler service by adding print processors that load malicious DLLs at startup. A print processor can be installed through the AddPrintProcessor API call with an account that has SeLoadDriverPrivilege enabled. Alternatively, a print processor can be registered to the print spooler service by adding the HKLM\SYSTEM\\[CurrentControlSet or ControlSet001]\Control\Print\Environments\\[Windows architecture: e.g., Windows x64]\Print Processors\\[user defined]\Driver Registry key that points to the DLL. For the print processor to be correctly installed, it must be located in the system print-processor directory that can be found with the GetPrintProcessorDirectory API call.(Citation: Microsoft AddPrintProcessor May 2018) After the print processors are installed, the print spooler service, which starts during boot, must be restarted in order for them to run.(Citation: ESET PipeMon May 2020) The print spooler service runs under SYSTEM level permissions, therefore print processors installed by an adversary may run under elevated privileges.Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, `spoolsv.exe`, during boot.(Citation: Microsoft Intro Print Processors) + +Adversaries may abuse the print spooler service by adding print processors that load malicious DLLs at startup. A print processor can be installed through the AddPrintProcessor API call with an account that has SeLoadDriverPrivilege enabled. Alternatively, a print processor can be registered to the print spooler service by adding the HKLM\SYSTEM\\[CurrentControlSet or ControlSet001]\Control\Print\Environments\\[Windows architecture: e.g., Windows x64]\Print Processors\\[user defined]\Driver Registry key that points to the DLL. + +For the malicious print processor to be correctly installed, the payload must be located in the dedicated system print-processor directory, that can be found with the GetPrintProcessorDirectory API call, or referenced via a relative path from this directory.(Citation: Microsoft AddPrintProcessor May 2018) After the print processors are installed, the print spooler service, which starts during boot, must be restarted in order for them to run.(Citation: ESET PipeMon May 2020) + +The print spooler service runs under SYSTEM level permissions, therefore print processors installed by an adversary may run under elevated privileges.
    x_mitre_version1.01.1
    iterable_item_added
    STIX FieldOld valueNew Value
    external_references{'source_name': 'Microsoft Intro Print Processors', 'description': 'Microsoft. (2023, June 26). Introduction to print processors. Retrieved September 27, 2023.', 'url': 'https://learn.microsoft.com/windows-hardware/drivers/print/introduction-to-print-processors'}
    x_mitre_contributorsTahseen Bin Taj

    [T1057] Process Discovery

    Current version: 1.4

    Version changed from: 1.3 → 1.4

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-04-12 23:34:02.125000+00:002023-08-11 21:40:56.448000+00:00
    x_mitre_version1.31.4

    [T1055.012] Process Injection: Process Hollowing

    Current version: 1.3

    Version changed from: 1.2 → 1.3

    New Detections:

    • DS0009: Process (Process Creation)
    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_attack_spec_version3.1.0
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2021-11-29 17:22:32.704000+00:002023-08-11 21:37:00.009000+00:00
    x_mitre_version1.21.3
    iterable_item_added
    STIX FieldOld valueNew Value
    x_mitre_data_sourcesProcess: Process Creation

    [T1563.002] Remote Service Session Hijacking: RDP Hijacking

    Current version: 1.1

    Version changed from: 1.0 → 1.1

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_attack_spec_version3.1.0
    x_mitre_deprecatedFalse
    dictionary_item_removed
    STIX FieldOld valueNew Value
    x_mitre_permissions_required['SYSTEM']
    values_changed
    STIX FieldOld valueNew Value
    modified2020-03-23 23:24:39.182000+00:002023-08-14 15:37:02.771000+00:00
    x_mitre_version1.01.1

    [T1620] Reflective Code Loading

    Current version: 1.1

    Version changed from: 1.0 → 1.1

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2022-04-21 16:21:09.679000+00:002023-09-29 21:09:49.267000+00:00
    x_mitre_attack_spec_version2.1.03.2.0
    x_mitre_version1.01.1

    [T1219] Remote Access Software

    Current version: 2.2

    Version changed from: 2.1 → 2.2

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    		Old Description
    		New Description
    t1An adversary may use legitimate desktop support and remote at1An adversary may use legitimate desktop support and remote a
    >ccess software, such as Team Viewer, AnyDesk, Go2Assist, Log>ccess software to establish an interactive command and contr
    >Mein, AmmyyAdmin, etc, to establish an interactive command a>ol channel to target systems within networks. These services
    >nd control channel to target systems within networks. These >, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, 
    >services are commonly used as legitimate technical support s>`LogMein`, `AmmyyAdmin`, and other remote monitoring and man
    >oftware, and may be allowed by application control within a >agement (RMM) tools, are commonly used as legitimate technic
    >target environment. Remote access tools like VNC, Ammyy, and>al support software and may be allowed by application contro
    > Teamviewer are used frequently when compared with other leg>l within a target environment.(Citation: Symantec Living off
    >itimate software commonly used by adversaries.(Citation: Sym> the Land)(Citation: CrowdStrike 2015 Global Threat Report)(
    >antec Living off the Land)  Remote access tools may be insta>Citation: CrySyS Blog TeamSpy)  Remote access software may b
    >lled and used post-compromise as alternate communications ch>e installed and used post-compromise as an alternate communi
    >annel for redundant access or as a way to establish an inter>cations channel for redundant access or as a way to establis
    >active remote desktop session with the target system. They m>h an interactive remote desktop session with the target syst
    >ay also be used as a component of malware to establish a rev>em. They may also be used as a component of malware to estab
    >erse connection or back-connect to a service or adversary co>lish a reverse connection or back-connect to a service or ad
    >ntrolled system. Installation of many remote access tools ma>versary controlled system.   Adversaries may similarly abuse
    >y also include persistence (ex: the tool's installation rout> response features included in EDR and other defensive tools
    >ine creates a [Windows Service](https://attack.mitre.org/tec> that enable remote access.  Installation of many remote acc
    >hniques/T1543/003)).  Admin tools such as TeamViewer have be>ess software may also include persistence (e.g., the softwar
    >en used by several groups targeting institutions in countrie>e's installation routine creates a [Windows Service](https:/
    >s of interest to the Russian state and criminal campaigns.(C>/attack.mitre.org/techniques/T1543/003)).
    >itation: CrowdStrike 2015 Global Threat Report)(Citation: Cr 
    >ySyS Blog TeamSpy) 
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2022-04-21 14:54:10.899000+00:002023-09-28 16:23:51.194000+00:00
    descriptionAn adversary may use legitimate desktop support and remote access software, such as Team Viewer, AnyDesk, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.(Citation: Symantec Living off the Land) + +Remote access tools may be installed and used post-compromise as alternate communications channel for redundant access or as a way to establish an interactive remote desktop session with the target system. They may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary controlled system. Installation of many remote access tools may also include persistence (ex: the tool's installation routine creates a [Windows Service](https://attack.mitre.org/techniques/T1543/003)). + +Admin tools such as TeamViewer have been used by several groups targeting institutions in countries of interest to the Russian state and criminal campaigns.(Citation: CrowdStrike 2015 Global Threat Report)(Citation: CrySyS Blog TeamSpy)An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.(Citation: Symantec Living off the Land)(Citation: CrowdStrike 2015 Global Threat Report)(Citation: CrySyS Blog TeamSpy) + +Remote access software may be installed and used post-compromise as an alternate communications channel for redundant access or as a way to establish an interactive remote desktop session with the target system. They may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary controlled system. + +Adversaries may similarly abuse response features included in EDR and other defensive tools that enable remote access. + +Installation of many remote access software may also include persistence (e.g., the software's installation routine creates a [Windows Service](https://attack.mitre.org/techniques/T1543/003)).
    x_mitre_attack_spec_version2.1.03.2.0
    x_mitre_version2.12.2

    [T1021.001] Remote Services: Remote Desktop Protocol

    Current version: 1.2

    Version changed from: 1.1 → 1.2

    New Detections:

    • DS0028: Logon Session (Logon Session Metadata)
    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    dictionary_item_removed
    STIX FieldOld valueNew Value
    x_mitre_permissions_required['Remote Desktop Users', 'User']
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 21:01:41.927000+00:002023-08-07 14:23:30.265000+00:00
    x_mitre_version1.11.2
    iterable_item_added
    STIX FieldOld valueNew Value
    x_mitre_data_sourcesLogon Session: Logon Session Metadata

    [T1114.002] Email Collection: Remote Email Collection

    Current version: 1.2

    Version changed from: 1.1 → 1.2

    New Detections:

    • DS0015: Application Log (Application Log Content)
    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_attack_spec_version3.1.0
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2021-03-25 13:12:56.909000+00:002023-05-31 12:34:03.420000+00:00
    x_mitre_version1.11.2
    iterable_item_added
    STIX FieldOld valueNew Value
    x_mitre_data_sourcesApplication Log: Application Log Content

    [T1021] Remote Services

    Current version: 1.4

    Version changed from: 1.3 → 1.4

    New Mitigations:

    • M1042: Disable or Remove Feature or Program

    New Detections:

    • DS0005: WMI (WMI Creation)
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 21:01:42.821000+00:002023-06-02 15:31:40.498000+00:00
    x_mitre_version1.31.4
    iterable_item_added
    STIX FieldOld valueNew Value
    x_mitre_data_sourcesWMI: WMI Creation
    x_mitre_platformsIaaS

    [T1018] Remote System Discovery

    Current version: 3.5

    Version changed from: 3.4 → 3.5

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 21:01:50.033000+00:002023-08-14 19:08:59.741000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    x_mitre_version3.43.5

    [T1496] Resource Hijacking

    Current version: 1.4

    Version changed from: 1.3 → 1.4

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    		Old Description
    		New Description
    t1Adversaries may leverage the resources of co-opted systems it1Adversaries may leverage the resources of co-opted systems t
    >n order to solve resource intensive problems, which may impa>o complete resource-intensive tasks, which may impact system
    >ct system and/or hosted service availability.   One common p> and/or hosted service availability.   One common purpose fo
    >urpose for Resource Hijacking is to validate transactions of>r Resource Hijacking is to validate transactions of cryptocu
    > cryptocurrency networks and earn virtual currency. Adversar>rrency networks and earn virtual currency. Adversaries may c
    >ies may consume enough system resources to negatively impact>onsume enough system resources to negatively impact and/or c
    > and/or cause affected machines to become unresponsive.(Cita>ause affected machines to become unresponsive.(Citation: Kas
    >tion: Kaspersky Lazarus Under The Hood Blog 2017) Servers an>persky Lazarus Under The Hood Blog 2017) Servers and cloud-b
    >d cloud-based systems are common targets because of the high>ased systems are common targets because of the high potentia
    > potential for available resources, but user endpoint system>l for available resources, but user endpoint systems may als
    >s may also be compromised and used for Resource Hijacking an>o be compromised and used for Resource Hijacking and cryptoc
    >d cryptocurrency mining.(Citation: CloudSploit - Unused AWS >urrency mining.(Citation: CloudSploit - Unused AWS Regions) 
    >Regions) Containerized environments may also be targeted due>Containerized environments may also be targeted due to the e
    > to the ease of deployment via exposed APIs and the potentia>ase of deployment via exposed APIs and the potential for sca
    >l for scaling mining activities by deploying or compromising>ling mining activities by deploying or compromising multiple
    > multiple containers within an environment or cluster.(Citat> containers within an environment or cluster.(Citation: Unit
    >ion: Unit 42 Hildegard Malware)(Citation: Trend Micro Expose> 42 Hildegard Malware)(Citation: Trend Micro Exposed Docker 
    >d Docker APIs)  Additionally, some cryptocurrency mining mal>APIs)  Additionally, some cryptocurrency mining malware iden
    >ware identify then kill off processes for competing malware >tify then kill off processes for competing malware to ensure
    >to ensure it’s not competing for resources.(Citation: Trend > it’s not competing for resources.(Citation: Trend Micro War
    >Micro War of Crypto Miners)  Adversaries may also use malwar> of Crypto Miners)  Adversaries may also use malware that le
    >e that leverages a system's network bandwidth as part of a b>verages a system's network bandwidth as part of a botnet in 
    >otnet in order to facilitate [Network Denial of Service](htt>order to facilitate [Network Denial of Service](https://atta
    >ps://attack.mitre.org/techniques/T1498) campaigns and/or to >ck.mitre.org/techniques/T1498) campaigns and/or to seed mali
    >seed malicious torrents.(Citation: GoBotKR)>cious torrents.(Citation: GoBotKR) Alternatively, they may e
     >ngage in proxyjacking by selling use of the victims' network
     > bandwidth and IP address to proxyware services.(Citation: S
     >ysdig Proxyjacking)
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2022-04-18 20:16:44.560000+00:002023-10-02 01:11:32.822000+00:00
    descriptionAdversaries may leverage the resources of co-opted systems in order to solve resource intensive problems, which may impact system and/or hosted service availability. + +One common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive.(Citation: Kaspersky Lazarus Under The Hood Blog 2017) Servers and cloud-based systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining.(Citation: CloudSploit - Unused AWS Regions) Containerized environments may also be targeted due to the ease of deployment via exposed APIs and the potential for scaling mining activities by deploying or compromising multiple containers within an environment or cluster.(Citation: Unit 42 Hildegard Malware)(Citation: Trend Micro Exposed Docker APIs) + +Additionally, some cryptocurrency mining malware identify then kill off processes for competing malware to ensure it’s not competing for resources.(Citation: Trend Micro War of Crypto Miners) + +Adversaries may also use malware that leverages a system's network bandwidth as part of a botnet in order to facilitate [Network Denial of Service](https://attack.mitre.org/techniques/T1498) campaigns and/or to seed malicious torrents.(Citation: GoBotKR)Adversaries may leverage the resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability. + +One common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive.(Citation: Kaspersky Lazarus Under The Hood Blog 2017) Servers and cloud-based systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining.(Citation: CloudSploit - Unused AWS Regions) Containerized environments may also be targeted due to the ease of deployment via exposed APIs and the potential for scaling mining activities by deploying or compromising multiple containers within an environment or cluster.(Citation: Unit 42 Hildegard Malware)(Citation: Trend Micro Exposed Docker APIs) + +Additionally, some cryptocurrency mining malware identify then kill off processes for competing malware to ensure it’s not competing for resources.(Citation: Trend Micro War of Crypto Miners) + +Adversaries may also use malware that leverages a system's network bandwidth as part of a botnet in order to facilitate [Network Denial of Service](https://attack.mitre.org/techniques/T1498) campaigns and/or to seed malicious torrents.(Citation: GoBotKR) Alternatively, they may engage in proxyjacking by selling use of the victims' network bandwidth and IP address to proxyware services.(Citation: Sysdig Proxyjacking)
    x_mitre_attack_spec_version2.1.03.2.0
    x_mitre_version1.31.4
    iterable_item_added
    STIX FieldOld valueNew Value
    external_references{'source_name': 'Sysdig Proxyjacking', 'description': 'Crystal Morin. (2023, April 4). Proxyjacking has Entered the Chat. Retrieved July 6, 2023.', 'url': 'https://sysdig.com/blog/proxyjacking-attackers-log4j-exploited/'}
    x_mitre_contributorsGoldstein Menachem

    [T1218.011] System Binary Proxy Execution: Rundll32

    Current version: 2.2

    Version changed from: 2.1 → 2.2

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-04-21 12:25:32.096000+00:002023-08-14 15:35:28.965000+00:00
    x_mitre_version2.12.2

    [T1021.002] Remote Services: SMB/Windows Admin Shares

    Current version: 1.2

    Version changed from: 1.1 → 1.2

    New Detections:

    • DS0009: Process (Process Creation)
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-04-03 18:57:59.554000+00:002023-07-28 17:34:51.250000+00:00
    x_mitre_version1.11.2
    iterable_item_added
    STIX FieldOld valueNew Value
    x_mitre_data_sourcesProcess: Process Creation

    [T1021.004] Remote Services: SSH

    Current version: 1.2

    Version changed from: 1.1 → 1.2

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 21:01:49.323000+00:002023-08-11 20:24:03.069000+00:00
    x_mitre_version1.11.2

    [T1098.004] Account Manipulation: SSH Authorized Keys

    Current version: 1.3

    Version changed from: 1.2 → 1.3

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    		Old Description
    		New Description
    t1Adversaries may modify the SSH <code>authorized_keys</code> t1Adversaries may modify the SSH <code>authorized_keys</code> 
    >file to maintain persistence on a victim host. Linux distrib>file to maintain persistence on a victim host. Linux distrib
    >utions and macOS commonly use key-based authentication to se>utions and macOS commonly use key-based authentication to se
    >cure the authentication process of SSH sessions for remote m>cure the authentication process of SSH sessions for remote m
    >anagement. The <code>authorized_keys</code> file in SSH spec>anagement. The <code>authorized_keys</code> file in SSH spec
    >ifies the SSH keys that can be used for logging into the use>ifies the SSH keys that can be used for logging into the use
    >r account for which the file is configured. This file is usu>r account for which the file is configured. This file is usu
    >ally found in the user's home directory under <code>&lt;user>ally found in the user's home directory under <code>&lt;user
    >-home&gt;/.ssh/authorized_keys</code>.(Citation: SSH Authori>-home&gt;/.ssh/authorized_keys</code>.(Citation: SSH Authori
    >zed Keys) Users may edit the system’s SSH config file to mod>zed Keys) Users may edit the system’s SSH config file to mod
    >ify the directives PubkeyAuthentication and RSAAuthenticatio>ify the directives PubkeyAuthentication and RSAAuthenticatio
    >n to the value “yes” to ensure public key and RSA authentica>n to the value “yes” to ensure public key and RSA authentica
    >tion are enabled. The SSH config file is usually located und>tion are enabled. The SSH config file is usually located und
    >er <code>/etc/ssh/sshd_config</code>.  Adversaries may modif>er <code>/etc/ssh/sshd_config</code>.  Adversaries may modif
    >y SSH <code>authorized_keys</code> files directly with scrip>y SSH <code>authorized_keys</code> files directly with scrip
    >ts or shell commands to add their own adversary-supplied pub>ts or shell commands to add their own adversary-supplied pub
    >lic keys. In cloud environments, adversaries may be able to >lic keys. In cloud environments, adversaries may be able to 
    >modify the SSH authorized_keys file of a particular virtual >modify the SSH authorized_keys file of a particular virtual 
    >machine via the command line interface or rest API. For exam>machine via the command line interface or rest API. For exam
    >ple, by using the Google Cloud CLI’s “add-metadata” command >ple, by using the Google Cloud CLI’s “add-metadata” command 
    >an adversary may add SSH keys to a user account.(Citation: G>an adversary may add SSH keys to a user account.(Citation: G
    >oogle Cloud Add Metadata)(Citation: Google Cloud Privilege E>oogle Cloud Add Metadata)(Citation: Google Cloud Privilege E
    >scalation) Similarly, in Azure, an adversary may update the >scalation) Similarly, in Azure, an adversary may update the 
    >authorized_keys file of a virtual machine via a PATCH reques>authorized_keys file of a virtual machine via a PATCH reques
    >t to the API.(Citation: Azure Update Virtual Machines) This >t to the API.(Citation: Azure Update Virtual Machines) This 
    >ensures that an adversary possessing the corresponding priva>ensures that an adversary possessing the corresponding priva
    >te key may log in as an existing user via SSH.(Citation: Ven>te key may log in as an existing user via SSH.(Citation: Ven
    >afi SSH Key Abuse)(Citation: Cybereason Linux Exim Worm)   W>afi SSH Key Abuse)(Citation: Cybereason Linux Exim Worm) It 
    >here authorized_keys files are modified via cloud APIs or co>may also lead to privilege escalation where the virtual mach
    >mmand line interfaces, an adversary may achieve privilege es>ine or instance has distinct permissions from the requesting
    >calation on the target virtual machine if they add a key to > user.  Where authorized_keys files are modified via cloud A
    >a higher-privileged user.   SSH keys can also be added to ac>PIs or command line interfaces, an adversary may achieve pri
    >counts on network devices, such as with the `ip ssh pubkey-c>vilege escalation on the target virtual machine if they add 
    >hain` [Network Device CLI](https://attack.mitre.org/techniqu>a key to a higher-privileged user.   SSH keys can also be ad
    >es/T1059/008) command.(Citation: cisco_ip_ssh_pubkey_ch_cmd)>ded to accounts on network devices, such as with the `ip ssh
     > pubkey-chain` [Network Device CLI](https://attack.mitre.org
     >/techniques/T1059/008) command.(Citation: cisco_ip_ssh_pubke
     >y_ch_cmd)
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-04-12 23:28:34.599000+00:002023-10-03 17:38:21.121000+00:00
    descriptionAdversaries may modify the SSH authorized_keys file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The authorized_keys file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under <user-home>/.ssh/authorized_keys.(Citation: SSH Authorized Keys) Users may edit the system’s SSH config file to modify the directives PubkeyAuthentication and RSAAuthentication to the value “yes” to ensure public key and RSA authentication are enabled. The SSH config file is usually located under /etc/ssh/sshd_config. + +Adversaries may modify SSH authorized_keys files directly with scripts or shell commands to add their own adversary-supplied public keys. In cloud environments, adversaries may be able to modify the SSH authorized_keys file of a particular virtual machine via the command line interface or rest API. For example, by using the Google Cloud CLI’s “add-metadata” command an adversary may add SSH keys to a user account.(Citation: Google Cloud Add Metadata)(Citation: Google Cloud Privilege Escalation) Similarly, in Azure, an adversary may update the authorized_keys file of a virtual machine via a PATCH request to the API.(Citation: Azure Update Virtual Machines) This ensures that an adversary possessing the corresponding private key may log in as an existing user via SSH.(Citation: Venafi SSH Key Abuse)(Citation: Cybereason Linux Exim Worm) + +Where authorized_keys files are modified via cloud APIs or command line interfaces, an adversary may achieve privilege escalation on the target virtual machine if they add a key to a higher-privileged user. + +SSH keys can also be added to accounts on network devices, such as with the `ip ssh pubkey-chain` [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) command.(Citation: cisco_ip_ssh_pubkey_ch_cmd)Adversaries may modify the SSH authorized_keys file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The authorized_keys file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under <user-home>/.ssh/authorized_keys.(Citation: SSH Authorized Keys) Users may edit the system’s SSH config file to modify the directives PubkeyAuthentication and RSAAuthentication to the value “yes” to ensure public key and RSA authentication are enabled. The SSH config file is usually located under /etc/ssh/sshd_config. + +Adversaries may modify SSH authorized_keys files directly with scripts or shell commands to add their own adversary-supplied public keys. In cloud environments, adversaries may be able to modify the SSH authorized_keys file of a particular virtual machine via the command line interface or rest API. For example, by using the Google Cloud CLI’s “add-metadata” command an adversary may add SSH keys to a user account.(Citation: Google Cloud Add Metadata)(Citation: Google Cloud Privilege Escalation) Similarly, in Azure, an adversary may update the authorized_keys file of a virtual machine via a PATCH request to the API.(Citation: Azure Update Virtual Machines) This ensures that an adversary possessing the corresponding private key may log in as an existing user via SSH.(Citation: Venafi SSH Key Abuse)(Citation: Cybereason Linux Exim Worm) It may also lead to privilege escalation where the virtual machine or instance has distinct permissions from the requesting user. + +Where authorized_keys files are modified via cloud APIs or command line interfaces, an adversary may achieve privilege escalation on the target virtual machine if they add a key to a higher-privileged user. + +SSH keys can also be added to accounts on network devices, such as with the `ip ssh pubkey-chain` [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) command.(Citation: cisco_ip_ssh_pubkey_ch_cmd)
    x_mitre_attack_spec_version3.1.03.2.0
    x_mitre_version1.21.3
    iterable_item_added
    STIX FieldOld valueNew Value
    kill_chain_phases{'kill_chain_name': 'mitre-attack', 'phase_name': 'privilege-escalation'}
    x_mitre_contributorsArad Inbar, Fidelis Security

    [T1053.005] Scheduled Task/Job: Scheduled Task

    Current version: 1.4

    Version changed from: 1.3 → 1.4

    New Detections:

    • DS0022: File (File Creation)
    • DS0029: Network Traffic (Network Traffic Flow)
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-04-07 17:11:17.807000+00:002023-08-11 21:20:10.882000+00:00
    external_references[1]['description']BlackB0lt. (2022, April 15). https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_removal_sd_value_scheduled_task_hide.yml. Retrieved June 1, 2022.Sittikorn S. (2022, April 15). Removal Of SD Value to Hide Schedule Task - Registry. Retrieved June 1, 2022.
    external_references[1]['url']https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_removal_sd_value_scheduled_task_hide.ymlhttps://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml
    x_mitre_version1.31.4
    iterable_item_added
    STIX FieldOld valueNew Value
    x_mitre_data_sourcesFile: File Creation
    x_mitre_data_sourcesNetwork Traffic: Network Traffic Flow

    [T1546.002] Event Triggered Execution: Screensaver

    Current version: 1.2

    Version changed from: 1.1 → 1.2

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-04-21 12:31:54.177000+00:002023-07-28 18:17:34.185000+00:00
    x_mitre_version1.11.2

    [T1003.002] OS Credential Dumping: Security Account Manager

    Current version: 1.1

    Version changed from: 1.0 → 1.1

    New Detections:

    • DS0022: File (File Creation)
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2022-06-15 16:17:19.049000+00:002023-07-24 18:53:10.860000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    x_mitre_version1.01.1
    iterable_item_added
    STIX FieldOld valueNew Value
    x_mitre_contributorsOlaf Hartong, Falcon Force
    x_mitre_data_sourcesFile: File Creation

    [T1569.002] System Services: Service Execution

    Current version: 1.2

    Version changed from: 1.1 → 1.2

    New Detections:

    • DS0029: Network Traffic (Network Traffic Flow)
    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_attack_spec_version3.1.0
    x_mitre_deprecatedFalse
    dictionary_item_removed
    STIX FieldOld valueNew Value
    x_mitre_permissions_required['Administrator', 'SYSTEM']
    values_changed
    STIX FieldOld valueNew Value
    modified2021-08-30 17:42:40.945000+00:002023-08-14 15:53:00.999000+00:00
    x_mitre_version1.11.2
    iterable_item_added
    STIX FieldOld valueNew Value
    x_mitre_data_sourcesNetwork Traffic: Network Traffic Flow

    [T1129] Shared Modules

    Current version: 2.2

    Version changed from: 2.1 → 2.2

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    		Old Description
    		New Description
    t1Adversaries may execute malicious payloads via loading sharet1Adversaries may execute malicious payloads via loading share
    >d modules. The Windows module loader can be instructed to lo>d modules. Shared modules are executable files that are load
    >ad DLLs from arbitrary local paths and arbitrary Universal N>ed into processes to provide access to reusable code, such a
    >aming Convention (UNC) network paths. This functionality res>s specific custom functions or invoking OS API functions (i.
    >ides in NTDLL.dll and is part of the Windows [Native API](ht>e., [Native API](https://attack.mitre.org/techniques/T1106))
    >tps://attack.mitre.org/techniques/T1106) which is called fro>.  Adversaries may use this functionality as a way to execut
    >m functions like <code>CreateProcess</code>, <code>LoadLibra>e arbitrary payloads on a victim system. For example, advers
    >ry</code>, etc. of the Win32 API.(Citation: Wikipedia Window>aries can modularize functionality of their malware into sha
    >s Library Files)  The module loader can load DLLs:  * via sp>red objects that perform various functions such as managing 
    >ecification of the (fully-qualified or relative) DLL pathnam>C2 network communications or execution of specific actions o
    >e in the IMPORT directory;      * via EXPORT forwarded to an>n objective.  The Linux & macOS module loader can load and e
    >other DLL, specified with (fully-qualified or relative) path>xecute shared objects from arbitrary local paths. This funct
    >name (but without extension);      * via an NTFS junction or>ionality resides in `dlfcn.h` in functions such as `dlopen` 
    > symlink program.exe.local with the fully-qualified or relat>and `dlsym`. Although macOS can execute `.so` files, common 
    >ive pathname of a directory containing the DLLs specified in>practice uses `.dylib` files.(Citation: Apple Dev Dynamic Li
    > the IMPORT directory or forwarded EXPORTs;      * via <code>braries)(Citation: Linux Shared Libraries)(Citation: RotaJak
    >>&#x3c;file name="filename.extension" loadFrom="fully-qualif>iro 2021 netlab360 analysis)(Citation: Unit42 OceanLotus 201
    >ied or relative pathname"&#x3e;</code> in an embedded or ext>7)  The Windows module loader can be instructed to load DLLs
    >ernal "application manifest". The file name refers to an ent> from arbitrary local paths and arbitrary Universal Naming C
    >ry in the IMPORT directory or a forwarded EXPORT.  Adversari>onvention (UNC) network paths. This functionality resides in
    >es may use this functionality as a way to execute arbitrary > `NTDLL.dll` and is part of the Windows [Native API](https:/
    >payloads on a victim system. For example, malware may execut>/attack.mitre.org/techniques/T1106) which is called from fun
    >e share modules to load additional components or features.>ctions like `LoadLibrary` at run time.(Citation: Microsoft D
     >LL)
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2022-04-19 20:31:10.657000+00:002023-10-12 21:17:14.868000+00:00
    descriptionAdversaries may execute malicious payloads via loading shared modules. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows [Native API](https://attack.mitre.org/techniques/T1106) which is called from functions like CreateProcess, LoadLibrary, etc. of the Win32 API.(Citation: Wikipedia Windows Library Files) + +The module loader can load DLLs: + +* via specification of the (fully-qualified or relative) DLL pathname in the IMPORT directory; + +* via EXPORT forwarded to another DLL, specified with (fully-qualified or relative) pathname (but without extension); + +* via an NTFS junction or symlink program.exe.local with the fully-qualified or relative pathname of a directory containing the DLLs specified in the IMPORT directory or forwarded EXPORTs; + +* via <file name="filename.extension" loadFrom="fully-qualified or relative pathname"> in an embedded or external "application manifest". The file name refers to an entry in the IMPORT directory or a forwarded EXPORT. + +Adversaries may use this functionality as a way to execute arbitrary payloads on a victim system. For example, malware may execute share modules to load additional components or features.Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., [Native API](https://attack.mitre.org/techniques/T1106)). + +Adversaries may use this functionality as a way to execute arbitrary payloads on a victim system. For example, adversaries can modularize functionality of their malware into shared objects that perform various functions such as managing C2 network communications or execution of specific actions on objective. + +The Linux & macOS module loader can load and execute shared objects from arbitrary local paths. This functionality resides in `dlfcn.h` in functions such as `dlopen` and `dlsym`. Although macOS can execute `.so` files, common practice uses `.dylib` files.(Citation: Apple Dev Dynamic Libraries)(Citation: Linux Shared Libraries)(Citation: RotaJakiro 2021 netlab360 analysis)(Citation: Unit42 OceanLotus 2017) + +The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in `NTDLL.dll` and is part of the Windows [Native API](https://attack.mitre.org/techniques/T1106) which is called from functions like `LoadLibrary` at run time.(Citation: Microsoft DLL)
    external_references[1]['source_name']Wikipedia Windows Library FilesRotaJakiro 2021 netlab360 analysis
    external_references[1]['description']Wikipedia. (2017, January 31). Microsoft Windows library files. Retrieved February 13, 2017. Alex Turing, Hui Wang. (2021, April 28). RotaJakiro: A long live secret backdoor with 0 VT detection. Retrieved June 14, 2023.
    external_references[1]['url']https://en.wikipedia.org/wiki/Microsoft_Windows_library_fileshttps://blog.netlab.360.com/stealth_rotajakiro_backdoor_en/
    x_mitre_attack_spec_version2.1.03.2.0
    x_mitre_detectionMonitoring DLL module loads may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances, since benign use of Windows modules load functions are common and may be difficult to distinguish from malicious behavior. Legitimate software will likely only need to load routine, bundled DLL modules or Windows system DLLs such that deviation from known module loads may be suspicious. Limiting DLL module loads to %SystemRoot% and %ProgramFiles% directories will protect against module loads from unsafe paths. + +Correlation of other events with behavior surrounding module loads using API monitoring and suspicious DLLs written to disk will provide additional context to an event that may assist in determining if it is due to malicious behavior.Monitoring DLL module loads may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances, since benign use of Windows modules load functions are common and may be difficult to distinguish from malicious behavior. Legitimate software will likely only need to load routine, bundled DLL modules or Windows system DLLs such that deviation from known module loads may be suspicious. Limiting DLL module loads to `%SystemRoot%` and `%ProgramFiles%` directories will protect against module loads from unsafe paths. + +Correlation of other events with behavior surrounding module loads using API monitoring and suspicious DLLs written to disk will provide additional context to an event that may assist in determining if it is due to malicious behavior.
    x_mitre_version2.12.2
    iterable_item_added
    STIX FieldOld valueNew Value
    external_references{'source_name': 'Apple Dev Dynamic Libraries', 'description': 'Apple. (2012, July 23). Overview of Dynamic Libraries. Retrieved September 7, 2023.', 'url': 'https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/OverviewOfDynamicLibraries.html'}
    external_references{'source_name': 'Unit42 OceanLotus 2017', 'description': 'Erye Hernandez and Danny Tsechansky. (2017, June 22). The New and Improved macOS Backdoor from OceanLotus. Retrieved September 8, 2023.', 'url': 'https://unit42.paloaltonetworks.com/unit42-new-improved-macos-backdoor-oceanlotus/'}
    external_references{'source_name': 'Microsoft DLL', 'description': 'Microsoft. (2023, April 28). What is a DLL. Retrieved September 7, 2023.', 'url': 'https://learn.microsoft.com/troubleshoot/windows-client/deployment/dynamic-link-library'}
    external_references{'source_name': 'Linux Shared Libraries', 'description': 'Wheeler, D. (2003, April 11). Shared Libraries. Retrieved September 7, 2023.', 'url': 'https://tldp.org/HOWTO/Program-Library-HOWTO/shared-libraries.html'}
    x_mitre_platformsmacOS
    x_mitre_platformsLinux

    [T1072] Software Deployment Tools

    Current version: 2.2

    Version changed from: 2.1 → 2.2

    + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    		Old Description
    		New Description
    t1Adversaries may gain access to and use third-party software t1Adversaries may gain access to and use third-party software 
    >suites installed within an enterprise network, such as admin>suites installed within an enterprise network, such as admin
    >istration, monitoring, and deployment systems, to move later>istration, monitoring, and deployment systems, to move later
    >ally through the network. Third-party applications and softw>ally through the network. Third-party applications and softw
    >are deployment systems may be in use in the network environm>are deployment systems may be in use in the network environm
    >ent for administration purposes (e.g., SCCM, HBSS, Altiris, >ent for administration purposes (e.g., SCCM, HBSS, Altiris, 
    >etc.).  Access to a third-party network-wide or enterprise-w>etc.).    Access to a third-party network-wide or enterprise
    >ide software system may enable an adversary to have remote c>-wide software system may enable an adversary to have remote
    >ode execution on all systems that are connected to such a sy> code execution on all systems that are connected to such a 
    >stem. The access may be used to laterally move to other syst>system. The access may be used to laterally move to other sy
    >ems, gather information, or cause a specific effect, such as>stems, gather information, or cause a specific effect, such 
    > wiping the hard drives on all endpoints.  The permissions r>as wiping the hard drives on all endpoints. Network infrastr
    >equired for this action vary by system configuration; local >ucture may also have administration tools that can be simila
    >credentials may be sufficient with direct access to the thir>rly abused by adversaries. (Citation: Fortinet Zero-Day and 
    >d-party system, or specific domain credentials may be requir>Custom Malware Used by Suspected Chinese Actor in Espionage 
    >ed. However, the system may require an administrative accoun>Operation)  The permissions required for this action vary by
    >t to log in or to perform it's intended purpose.> system configuration; local credentials may be sufficient w
     >ith direct access to the third-party system, or specific dom
     >ain credentials may be required. However, the system may req
     >uire an administrative account to log in or to perform it's 
     >intended purpose.

    New Mitigations:

    • M1033: Limit Software Installation
    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    dictionary_item_removed
    STIX FieldOld valueNew Value
    x_mitre_permissions_required['User', 'Administrator', 'SYSTEM']
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 21:01:36.669000+00:002023-09-27 20:31:36.724000+00:00
    descriptionAdversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, HBSS, Altiris, etc.). + +Access to a third-party network-wide or enterprise-wide software system may enable an adversary to have remote code execution on all systems that are connected to such a system. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints. + +The permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform it's intended purpose.Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, HBSS, Altiris, etc.). + +Access to a third-party network-wide or enterprise-wide software system may enable an adversary to have remote code execution on all systems that are connected to such a system. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints. Network infrastructure may also have administration tools that can be similarly abused by adversaries. (Citation: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation) + +The permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform it's intended purpose.
    x_mitre_attack_spec_version3.1.03.2.0
    x_mitre_version2.12.2
    iterable_item_added
    STIX FieldOld valueNew Value
    external_references{'source_name': 'Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation', 'description': 'ALEXANDER MARVI, BRAD SLAYBAUGH, DAN EBREO, TUFAIL AHMED, MUHAMMAD UMAIR, TINA JOHNSON. (2023, March 16). Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation. Retrieved May 15, 2023.', 'url': 'https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem'}
    x_mitre_contributorsJoe Gumke, U.S. Bank
    x_mitre_platformsNetwork

    [T1566.002] Phishing: Spearphishing Link

    Current version: 2.5

    Version changed from: 2.4 → 2.5

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    		Old Description
    		New Description
    t1Adversaries may send spearphishing emails with a malicious lt1Adversaries may send spearphishing emails with a malicious l
    >ink in an attempt to gain access to victim systems. Spearphi>ink in an attempt to gain access to victim systems. Spearphi
    >shing with a link is a specific variant of spearphishing. It>shing with a link is a specific variant of spearphishing. It
    > is different from other forms of spearphishing in that it e> is different from other forms of spearphishing in that it e
    >mploys the use of links to download malware contained in ema>mploys the use of links to download malware contained in ema
    >il, instead of attaching malicious files to the email itself>il, instead of attaching malicious files to the email itself
    >, to avoid defenses that may inspect email attachments. Spea>, to avoid defenses that may inspect email attachments. Spea
    >rphishing may also involve social engineering techniques, su>rphishing may also involve social engineering techniques, su
    >ch as posing as a trusted source.  All forms of spearphishin>ch as posing as a trusted source.  All forms of spearphishin
    >g are electronically delivered social engineering targeted a>g are electronically delivered social engineering targeted a
    >t a specific individual, company, or industry. In this case,>t a specific individual, company, or industry. In this case,
    > the malicious emails contain links. Generally, the links wi> the malicious emails contain links. Generally, the links wi
    >ll be accompanied by social engineering text and require the>ll be accompanied by social engineering text and require the
    > user to actively click or copy and paste a URL into a brows> user to actively click or copy and paste a URL into a brows
    >er, leveraging [User Execution](https://attack.mitre.org/tec>er, leveraging [User Execution](https://attack.mitre.org/tec
    >hniques/T1204). The visited website may compromise the web b>hniques/T1204). The visited website may compromise the web b
    >rowser using an exploit, or the user will be prompted to dow>rowser using an exploit, or the user will be prompted to dow
    >nload applications, documents, zip files, or even executable>nload applications, documents, zip files, or even executable
    >s depending on the pretext for the email in the first place.>s depending on the pretext for the email in the first place.
    > Adversaries may also include links that are intended to int>  Adversaries may also include links that are intended to in
    >eract directly with an email reader, including embedded imag>teract directly with an email reader, including embedded ima
    >es intended to exploit the end system directly. Additionally>ges intended to exploit the end system directly. Additionall
    >, adversaries may use seemingly benign links that abuse spec>y, adversaries may use seemingly benign links that abuse spe
    >ial characters to mimic legitimate websites (known as an "ID>cial characters to mimic legitimate websites (known as an "I
    >N homograph attack").(Citation: CISA IDN ST05-016)  Adversar>DN homograph attack").(Citation: CISA IDN ST05-016) URLs may
    >ies may also utilize links to perform consent phishing, typi> also be obfuscated by taking advantage of quirks in the URL
    >cally with OAuth 2.0 request URLs that when accepted by the > schema, such as the acceptance of integer- or hexadecimal-b
    >user provide permissions/access for malicious applications, >ased hostname formats and the automatic discarding of text b
    >allowing adversaries to  [Steal Application Access Token](ht>efore an “@” symbol: for example, `hxxp://google.com@1157586
    >tps://attack.mitre.org/techniques/T1528)s.(Citation: Trend M>937`.(Citation: Mandiant URL Obfuscation 2023)  Adversaries 
    >icro Pawn Storm OAuth 2017) These stolen access tokens allow>may also utilize links to perform consent phishing, typicall
    > the adversary to perform various actions on behalf of the u>y with OAuth 2.0 request URLs that when accepted by the user
    >ser via API calls. (Citation: Microsoft OAuth 2.0 Consent Ph> provide permissions/access for malicious applications, allo
    >ishing 2021)>wing adversaries to  [Steal Application Access Token](https:
     >//attack.mitre.org/techniques/T1528)s.(Citation: Trend Micro
     > Pawn Storm OAuth 2017) These stolen access tokens allow the
     > adversary to perform various actions on behalf of the user 
     >via API calls. (Citation: Microsoft OAuth 2.0 Consent Phishi
     >ng 2021)
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-04-11 00:44:21.193000+00:002023-09-06 14:08:51.616000+00:00
    descriptionAdversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source. + +All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place. Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly. Additionally, adversaries may use seemingly benign links that abuse special characters to mimic legitimate websites (known as an "IDN homograph attack").(Citation: CISA IDN ST05-016) + +Adversaries may also utilize links to perform consent phishing, typically with OAuth 2.0 request URLs that when accepted by the user provide permissions/access for malicious applications, allowing adversaries to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s.(Citation: Trend Micro Pawn Storm OAuth 2017) These stolen access tokens allow the adversary to perform various actions on behalf of the user via API calls. (Citation: Microsoft OAuth 2.0 Consent Phishing 2021)Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source. + +All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place. + +Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly. Additionally, adversaries may use seemingly benign links that abuse special characters to mimic legitimate websites (known as an "IDN homograph attack").(Citation: CISA IDN ST05-016) URLs may also be obfuscated by taking advantage of quirks in the URL schema, such as the acceptance of integer- or hexadecimal-based hostname formats and the automatic discarding of text before an “@” symbol: for example, `hxxp://google.com@1157586937`.(Citation: Mandiant URL Obfuscation 2023) + +Adversaries may also utilize links to perform consent phishing, typically with OAuth 2.0 request URLs that when accepted by the user provide permissions/access for malicious applications, allowing adversaries to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s.(Citation: Trend Micro Pawn Storm OAuth 2017) These stolen access tokens allow the adversary to perform various actions on behalf of the user via API calls. (Citation: Microsoft OAuth 2.0 Consent Phishing 2021)
    x_mitre_version2.42.5
    iterable_item_added
    STIX FieldOld valueNew Value
    external_references{'source_name': 'Mandiant URL Obfuscation 2023', 'description': "Nick Simonian. (2023, May 22). Don't @ Me: URL Obfuscation Through Schema Abuse. Retrieved August 4, 2023.", 'url': 'https://www.mandiant.com/resources/blog/url-obfuscation-schema-abuse'}

    [T1598.003] Phishing for Information: Spearphishing Link

    Current version: 1.5

    Version changed from: 1.4 → 1.5

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    		Old Description
    		New Description
    t1Adversaries may send spearphishing messages with a malicioust1Adversaries may send spearphishing messages with a malicious
    > link to elicit sensitive information that can be used durin> link to elicit sensitive information that can be used durin
    >g targeting. Spearphishing for information is an attempt to >g targeting. Spearphishing for information is an attempt to 
    >trick targets into divulging information, frequently credent>trick targets into divulging information, frequently credent
    >ials or other actionable information. Spearphishing for info>ials or other actionable information. Spearphishing for info
    >rmation frequently involves social engineering techniques, s>rmation frequently involves social engineering techniques, s
    >uch as posing as a source with a reason to collect informati>uch as posing as a source with a reason to collect informati
    >on (ex: [Establish Accounts](https://attack.mitre.org/techni>on (ex: [Establish Accounts](https://attack.mitre.org/techni
    >ques/T1585) or [Compromise Accounts](https://attack.mitre.or>ques/T1585) or [Compromise Accounts](https://attack.mitre.or
    >g/techniques/T1586)) and/or sending multiple, seemingly urge>g/techniques/T1586)) and/or sending multiple, seemingly urge
    >nt messages.  All forms of spearphishing are electronically >nt messages.  All forms of spearphishing are electronically 
    >delivered social engineering targeted at a specific individu>delivered social engineering targeted at a specific individu
    >al, company, or industry. In this scenario, the malicious em>al, company, or industry. In this scenario, the malicious em
    >ails contain links generally accompanied by social engineeri>ails contain links generally accompanied by social engineeri
    >ng text to coax the user to actively click or copy and paste>ng text to coax the user to actively click or copy and paste
    > a URL into a browser.(Citation: TrendMictro Phishing)(Citat> a URL into a browser.(Citation: TrendMictro Phishing)(Citat
    >ion: PCMag FakeLogin) The given website may be a clone of a >ion: PCMag FakeLogin) The given website may be a clone of a 
    >legitimate site (such as an online or corporate login portal>legitimate site (such as an online or corporate login portal
    >) or may closely resemble a legitimate site in appearance an>) or may closely resemble a legitimate site in appearance an
    >d have a URL containing elements from the real site.  Advers>d have a URL containing elements from the real site. URLs ma
    >aries may also link to "web bugs" or "web beacons" within ph>y also be obfuscated by taking advantage of quirks in the UR
    >ishing messages to verify the receipt of an emailwhile als>L schemasuch as the acceptance of integer- or hexadecimal-
    >o potentially profiling and tracking victim information such>based hostname formats and the automatic discarding of text 
    > as IP address.(Citation: NIST Web Bug)  Adversaries may als>before an “@” symbol: for example, `hxxp://google.com@115758
    >o be able to spoof a complete website using what is known as>6937`.(Citation: Mandiant URL Obfuscation 2023)  Adversaries
    > a "browser-in-the-browser" (BitB) attack. By generating a f> may also link to "web bugs" or "web beacons" within phishin
    >ake browser popup window with an HTML-based address bar that>g messages to verify the receipt of an email, while also pot
    > appears to contain a legitimate URL (such as an authenticat>entially profiling and tracking victim information such as I
    >ion portal), they may be able to prompt users to enter their>P address.(Citation: NIST Web Bug)  Adversaries may also be 
    > credentials while bypassing typical URL verification method>able to spoof a complete website using what is known as a "b
    >s.(Citation: ZScaler BitB 2020)(Citation: Mr. D0x BitB 2022)>rowser-in-the-browser" (BitB) attack. By generating a fake b
    >  From the fake website, information is gathered in web form>rowser popup window with an HTML-based address bar that appe
    >s and sent to the adversary. Adversaries may also use inform>ars to contain a legitimate URL (such as an authentication p
    >ation from previous reconnaissance efforts (ex: [Search Open>ortal), they may be able to prompt users to enter their cred
    > Websites/Domains](https://attack.mitre.org/techniques/T1593>entials while bypassing typical URL verification methods.(Ci
    >) or [Search Victim-Owned Websites](https://attack.mitre.org>tation: ZScaler BitB 2020)(Citation: Mr. D0x BitB 2022)  Adv
    >/techniques/T1594)) to craft persuasive and believable lures>ersaries can use phishing kits such as `EvilProxy` and `Evil
    >.>ginx2` to proxy the connection between the victim and the le
     >gitimate website. On a successful login, the victim is redir
     >ected to the legitimate website, while the adversary capture
     >s their session cookie (i.e., [Steal Web Session Cookie](htt
     >ps://attack.mitre.org/techniques/T1539)) in addition to thei
     >r username and password. This may enable the adversary to th
     >en bypass MFA via [Web Session Cookie](https://attack.mitre.
     >org/techniques/T1550/004).(Citation: Proofpoint Human Factor
     >)  From the fake website, information is gathered in web for
     >ms and sent to the adversary. Adversaries may also use infor
     >mation from previous reconnaissance efforts (ex: [Search Ope
     >n Websites/Domains](https://attack.mitre.org/techniques/T159
     >3) or [Search Victim-Owned Websites](https://attack.mitre.or
     >g/techniques/T1594)) to craft persuasive and believable lure
     >s.
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-04-15 17:38:48.406000+00:002023-10-02 01:44:28.081000+00:00
    descriptionAdversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages. + +All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, the malicious emails contain links generally accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser.(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin) The given website may be a clone of a legitimate site (such as an online or corporate login portal) or may closely resemble a legitimate site in appearance and have a URL containing elements from the real site. + +Adversaries may also link to "web bugs" or "web beacons" within phishing messages to verify the receipt of an email, while also potentially profiling and tracking victim information such as IP address.(Citation: NIST Web Bug) + +Adversaries may also be able to spoof a complete website using what is known as a "browser-in-the-browser" (BitB) attack. By generating a fake browser popup window with an HTML-based address bar that appears to contain a legitimate URL (such as an authentication portal), they may be able to prompt users to enter their credentials while bypassing typical URL verification methods.(Citation: ZScaler BitB 2020)(Citation: Mr. D0x BitB 2022) + +From the fake website, information is gathered in web forms and sent to the adversary. Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures.Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages. + +All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, the malicious emails contain links generally accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser.(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin) The given website may be a clone of a legitimate site (such as an online or corporate login portal) or may closely resemble a legitimate site in appearance and have a URL containing elements from the real site. URLs may also be obfuscated by taking advantage of quirks in the URL schema, such as the acceptance of integer- or hexadecimal-based hostname formats and the automatic discarding of text before an “@” symbol: for example, `hxxp://google.com@1157586937`.(Citation: Mandiant URL Obfuscation 2023) + +Adversaries may also link to "web bugs" or "web beacons" within phishing messages to verify the receipt of an email, while also potentially profiling and tracking victim information such as IP address.(Citation: NIST Web Bug) + +Adversaries may also be able to spoof a complete website using what is known as a "browser-in-the-browser" (BitB) attack. By generating a fake browser popup window with an HTML-based address bar that appears to contain a legitimate URL (such as an authentication portal), they may be able to prompt users to enter their credentials while bypassing typical URL verification methods.(Citation: ZScaler BitB 2020)(Citation: Mr. D0x BitB 2022) + +Adversaries can use phishing kits such as `EvilProxy` and `Evilginx2` to proxy the connection between the victim and the legitimate website. On a successful login, the victim is redirected to the legitimate website, while the adversary captures their session cookie (i.e., [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539)) in addition to their username and password. This may enable the adversary to then bypass MFA via [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004).(Citation: Proofpoint Human Factor) + +From the fake website, information is gathered in web forms and sent to the adversary. Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures.
    x_mitre_attack_spec_version3.1.03.2.0
    x_mitre_version1.41.5
    iterable_item_added
    STIX FieldOld valueNew Value
    external_references{'source_name': 'Mandiant URL Obfuscation 2023', 'description': "Nick Simonian. (2023, May 22). Don't @ Me: URL Obfuscation Through Schema Abuse. Retrieved August 4, 2023.", 'url': 'https://www.mandiant.com/resources/blog/url-obfuscation-schema-abuse'}
    external_references{'source_name': 'Proofpoint Human Factor', 'description': 'Proofpoint. (n.d.). The Human Factor 2023: Analyzing the cyber attack chain. Retrieved July 20, 2023.', 'url': 'https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-human-factor-report.pdf'}
    x_mitre_contributorsAustin Herrin

    [T1016] System Network Configuration Discovery

    Current version: 1.6

    Version changed from: 1.5 → 1.6

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 21:01:38.842000+00:002023-07-28 14:40:54.580000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    x_mitre_version1.51.6

    [T1033] System Owner/User Discovery

    Current version: 1.5

    Version changed from: 1.4 → 1.5

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-04-12 23:35:40.261000+00:002023-09-29 19:50:06.736000+00:00
    x_mitre_attack_spec_version3.1.03.2.0
    x_mitre_version1.41.5

    [T1543.002] Create or Modify System Process: Systemd Service

    Current version: 1.4

    Version changed from: 1.3 → 1.4

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    		Old Description
    		New Description
    t1Adversaries may create or modify systemd services to repeatet1Adversaries may create or modify systemd services to repeate
    >dly execute malicious payloads as part of persistence. Syste>dly execute malicious payloads as part of persistence. Syste
    >md is a system and service manager commonly used for managin>md is a system and service manager commonly used for managin
    >g background daemon processes (also known as services) and o>g background daemon processes (also known as services) and o
    >ther system resources.(Citation: Linux man-pages: systemd Ja>ther system resources.(Citation: Linux man-pages: systemd Ja
    >nuary 2014) Systemd is the default initialization (init) sys>nuary 2014) Systemd is the default initialization (init) sys
    >tem on many Linux distributions replacing legacy init system>tem on many Linux distributions replacing legacy init system
    >s, including SysVinit and Upstart, while remaining backwards>s, including SysVinit and Upstart, while remaining backwards
    > compatible.    Systemd utilizes unit configuration files wi> compatible.    Systemd utilizes unit configuration files wi
    >th the `.service` file extension to encode information about>th the `.service` file extension to encode information about
    > a service's process. By default, system level unit files ar> a service's process. By default, system level unit files ar
    >e stored in the `/systemd/system` directory of the root owne>e stored in the `/systemd/system` directory of the root owne
    >d directories (`/`). User level unit files are stored in the>d directories (`/`). User level unit files are stored in the
    > `/systemd/user` directories of the user owned directories (> `/systemd/user` directories of the user owned directories (
    >`$HOME`). (Citation: lambert systemd 2022)   Service unit fi>`$HOME`).(Citation: lambert systemd 2022)   Inside the `.ser
    >les use the following directives to execute system commands:>vice` unit files, the following directives are used to execu
    >(Citation: freedesktop systemd.service)    * `ExecStart`, `E>te commands:(Citation: freedesktop systemd.service)    * `Ex
    >xecStartPre`, and `ExecStartPost` directives cover execution>ecStart`, `ExecStartPre`, and `ExecStartPost` directives exe
    > of commands when a service is started manually by `systemct>cute when a service is started manually by `systemctl` or on
    >l`, or on system start if the service is set to automaticall> system start if the service is set to automatically start. 
    >y start. * `ExecReload` directive covers when a service rest>* `ExecReload` directive executes when a service restarts.  
    >arts.  * `ExecStop`, `ExecStopPre`, and `ExecStopPost` direc>* `ExecStop`, `ExecStopPre`, and `ExecStopPost` directives e
    >tives cover when a service is stopped.    Adversaries may ab>xecute when a service is stopped.    Adversaries have create
    >use systemd functionality to establish persistent access to >d new service files, altered the commands a `.service` file’
    >victim systems by creating and/or modifying service unit fil>s directive executes, and modified the user directive a `.se
    >es systemd uses upon reboot or starting a service.(Citation:>rvice` file executes as, which could result in privilege esc
    > Anomali Rocke March 2019) Adversaries may also place symbol>alation. Adversaries may also place symbolic links in these 
    >ic links in these directories, enabling systemd to find thes>directories, enabling systemd to find these payloads regardl
    >e payloads regardless of where they reside on the filesystem>ess of where they reside on the filesystem.(Citation: Anomal
    >.  The `.service` file’s `User` directive can be used to run>i Rocke March 2019)(Citation: airwalk backdoor unix systems)
    > service as a specific user, which could result in privilege>(Citation: Rapid7 Service Persistence 22JUNE2016) 
    > escalation based on specific user/group permissions.(Citati 
    >on: Rapid7 Service Persistence 22JUNE2016)  
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-04-12 20:13:07.604000+00:002023-10-09 16:19:01.408000+00:00
    descriptionAdversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014) Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible. + +Systemd utilizes unit configuration files with the `.service` file extension to encode information about a service's process. By default, system level unit files are stored in the `/systemd/system` directory of the root owned directories (`/`). User level unit files are stored in the `/systemd/user` directories of the user owned directories (`$HOME`). (Citation: lambert systemd 2022) + +Service unit files use the following directives to execute system commands:(Citation: freedesktop systemd.service) + +* `ExecStart`, `ExecStartPre`, and `ExecStartPost` directives cover execution of commands when a service is started manually by `systemctl`, or on system start if the service is set to automatically start. +* `ExecReload` directive covers when a service restarts. +* `ExecStop`, `ExecStopPre`, and `ExecStopPost` directives cover when a service is stopped. + +Adversaries may abuse systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files systemd uses upon reboot or starting a service.(Citation: Anomali Rocke March 2019) Adversaries may also place symbolic links in these directories, enabling systemd to find these payloads regardless of where they reside on the filesystem. + +The `.service` file’s `User` directive can be used to run service as a specific user, which could result in privilege escalation based on specific user/group permissions.(Citation: Rapid7 Service Persistence 22JUNE2016) Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014) Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible. + +Systemd utilizes unit configuration files with the `.service` file extension to encode information about a service's process. By default, system level unit files are stored in the `/systemd/system` directory of the root owned directories (`/`). User level unit files are stored in the `/systemd/user` directories of the user owned directories (`$HOME`).(Citation: lambert systemd 2022) + +Inside the `.service` unit files, the following directives are used to execute commands:(Citation: freedesktop systemd.service) + +* `ExecStart`, `ExecStartPre`, and `ExecStartPost` directives execute when a service is started manually by `systemctl` or on system start if the service is set to automatically start. +* `ExecReload` directive executes when a service restarts. +* `ExecStop`, `ExecStopPre`, and `ExecStopPost` directives execute when a service is stopped. + +Adversaries have created new service files, altered the commands a `.service` file’s directive executes, and modified the user directive a `.service` file executes as, which could result in privilege escalation. Adversaries may also place symbolic links in these directories, enabling systemd to find these payloads regardless of where they reside on the filesystem.(Citation: Anomali Rocke March 2019)(Citation: airwalk backdoor unix systems)(Citation: Rapid7 Service Persistence 22JUNE2016)
    x_mitre_attack_spec_version3.1.03.2.0
    x_mitre_version1.31.4
    iterable_item_added
    STIX FieldOld valueNew Value
    external_references{'source_name': 'airwalk backdoor unix systems', 'description': 'airwalk. (2023, January 1). A guide to backdooring Unix systems. Retrieved May 31, 2023.', 'url': 'http://www.ouah.org/backdoors.html'}
    x_mitre_contributorsTim (Wadhwa-)Brown

    [T1053.006] Scheduled Task/Job: Systemd Timers

    Current version: 1.2

    Version changed from: 1.1 → 1.2

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    		Old Description
    		New Description
    t1Adversaries may abuse systemd timers to perform task schedult1Adversaries may abuse systemd timers to perform task schedul
    >ing for initial or recurring execution of malicious code. Sy>ing for initial or recurring execution of malicious code. Sy
    >stemd timers are unit files with file extension <code>.timer>stemd timers are unit files with file extension <code>.timer
    ></code> that control services. Timers can be set to run on a></code> that control services. Timers can be set to run on a
    > calendar event or after a time span relative to a starting > calendar event or after a time span relative to a starting 
    >point. They can be used as an alternative to [Cron](https://>point. They can be used as an alternative to [Cron](https://
    >attack.mitre.org/techniques/T1053/003) in Linux environments>attack.mitre.org/techniques/T1053/003) in Linux environments
    >.(Citation: archlinux Systemd Timers Aug 2020) Systemd timer>.(Citation: archlinux Systemd Timers Aug 2020) Systemd timer
    >s may be activated remotely via the <code>systemctl</code> c>s may be activated remotely via the <code>systemctl</code> c
    >ommand line utility, which operates over [SSH](https://attac>ommand line utility, which operates over [SSH](https://attac
    >k.mitre.org/techniques/T1021/004).(Citation: Systemd Remote >k.mitre.org/techniques/T1021/004).(Citation: Systemd Remote 
    >Control)  Each <code>.timer</code> file must have a correspo>Control)  Each <code>.timer</code> file must have a correspo
    >nding <code>.service</code> file with the same name, e.g., <>nding <code>.service</code> file with the same name, e.g., <
    >code>example.timer</code> and <code>example.service</code>. >code>example.timer</code> and <code>example.service</code>. 
    ><code>.service</code> files are [Systemd Service](https://at><code>.service</code> files are [Systemd Service](https://at
    >tack.mitre.org/techniques/T1543/002) unit files that are man>tack.mitre.org/techniques/T1543/002) unit files that are man
    >aged by the systemd system and service manager.(Citation: Li>aged by the systemd system and service manager.(Citation: Li
    >nux man-pages: systemd January 2014) Privileged timers are w>nux man-pages: systemd January 2014) Privileged timers are w
    >ritten to <code>/etc/systemd/system/</code> and <code>/usr/l>ritten to <code>/etc/systemd/system/</code> and <code>/usr/l
    >ib/systemd/system</code> while user level are written to <co>ib/systemd/system</code> while user level are written to <co
    >de>~/.config/systemd/user/</code>.  An adversary may use sys>de>~/.config/systemd/user/</code>.  An adversary may use sys
    >temd timers to execute malicious code at system startup or o>temd timers to execute malicious code at system startup or o
    >n a scheduled basis for persistence.(Citation: Arch Linux Pa>n a scheduled basis for persistence.(Citation: Arch Linux Pa
    >ckage Systemd Compromise BleepingComputer 10JUL2018)(Citatio>ckage Systemd Compromise BleepingComputer 10JUL2018)(Citatio
    >n: gist Arch package compromise 10JUL2018)(Citation: acrorea>n: gist Arch package compromise 10JUL2018)(Citation: acrorea
    >d package compromised Arch Linux Mail 8JUL2018) Timers insta>d package compromised Arch Linux Mail 8JUL2018) Timers insta
    >lled using privileged paths may be used to maintain root lev>lled using privileged paths may be used to maintain root lev
    >el persistence. Adversaries may also install user level time>el persistence. Adversaries may also install user level time
    >rs to achieve user level persistence.>rs to achieve user level persistence.(Citation: Falcon Sandb
     >ox smp: 28553b3a9d)
    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_attack_spec_version3.1.0
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2021-07-27 16:43:25.027000+00:002023-09-08 11:56:26.862000+00:00
    descriptionAdversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the systemctl command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control) + +Each .timer file must have a corresponding .service file with the same name, e.g., example.timer and example.service. .service files are [Systemd Service](https://attack.mitre.org/techniques/T1543/002) unit files that are managed by the systemd system and service manager.(Citation: Linux man-pages: systemd January 2014) Privileged timers are written to /etc/systemd/system/ and /usr/lib/systemd/system while user level are written to ~/.config/systemd/user/. + +An adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence.(Citation: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation: gist Arch package compromise 10JUL2018)(Citation: acroread package compromised Arch Linux Mail 8JUL2018) Timers installed using privileged paths may be used to maintain root level persistence. Adversaries may also install user level timers to achieve user level persistence.Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the systemctl command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control) + +Each .timer file must have a corresponding .service file with the same name, e.g., example.timer and example.service. .service files are [Systemd Service](https://attack.mitre.org/techniques/T1543/002) unit files that are managed by the systemd system and service manager.(Citation: Linux man-pages: systemd January 2014) Privileged timers are written to /etc/systemd/system/ and /usr/lib/systemd/system while user level are written to ~/.config/systemd/user/. + +An adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence.(Citation: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation: gist Arch package compromise 10JUL2018)(Citation: acroread package compromised Arch Linux Mail 8JUL2018) Timers installed using privileged paths may be used to maintain root level persistence. Adversaries may also install user level timers to achieve user level persistence.(Citation: Falcon Sandbox smp: 28553b3a9d)
    x_mitre_version1.11.2
    iterable_item_added
    STIX FieldOld valueNew Value
    external_references{'source_name': 'Falcon Sandbox smp: 28553b3a9d', 'description': 'Hybrid Analysis. (2018, July 11). HybridAnalsysis of sample 28553b3a9d2ad4361d33d29ac4bf771d008e0073cec01b5561c6348a608f8dd7. Retrieved September 8, 2023.', 'url': 'https://www.hybrid-analysis.com/sample/28553b3a9d2ad4361d33d29ac4bf771d008e0073cec01b5561c6348a608f8dd7?environmentId=300'}

    [T1080] Taint Shared Content

    Current version: 1.4

    Version changed from: 1.3 → 1.4

    New Mitigations:

    • M1049: Antivirus/Antimalware
    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    dictionary_item_removed
    STIX FieldOld valueNew Value
    x_mitre_permissions_required['User']
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 21:01:36.145000+00:002023-05-31 12:33:20.915000+00:00
    x_mitre_version1.31.4

    [T1134.001] Access Token Manipulation: Token Impersonation/Theft

    Current version: 1.2

    Version changed from: 1.1 → 1.2

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-04-11 21:19:05.544000+00:002023-09-29 21:08:45.174000+00:00
    x_mitre_attack_spec_version3.1.03.2.0
    x_mitre_version1.11.2

    [T1071.001] Application Layer Protocol: Web Protocols

    Current version: 1.2

    Version changed from: 1.1 → 1.2

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-04-11 15:21:27.965000+00:002023-09-29 20:22:37.414000+00:00
    x_mitre_attack_spec_version3.1.03.2.0
    x_mitre_version1.11.2

    [T1059.003] Command and Scripting Interpreter: Windows Command Shell

    Current version: 1.3

    Version changed from: 1.2 → 1.3

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_attack_spec_version3.1.0
    x_mitre_deprecatedFalse
    dictionary_item_removed
    STIX FieldOld valueNew Value
    x_mitre_permissions_required['User']
    values_changed
    STIX FieldOld valueNew Value
    modified2021-07-26 17:13:07.345000+00:002023-07-28 17:50:21.947000+00:00
    x_mitre_version1.21.3

    [T1047] Windows Management Instrumentation

    Current version: 1.4

    Version changed from: 1.3 → 1.4

    New Detections:

    • DS0005: WMI (WMI Creation)
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-04-07 17:10:13.696000+00:002023-07-24 20:38:58.283000+00:00
    x_mitre_version1.31.4
    iterable_item_added
    STIX FieldOld valueNew Value
    x_mitre_contributorsOlaf Hartong, Falcon Force
    x_mitre_data_sourcesWMI: WMI Creation

    [T1021.006] Remote Services: Windows Remote Management

    Current version: 1.2

    Version changed from: 1.1 → 1.2

    New Detections:

    • DS0029: Network Traffic (Network Traffic Flow)
    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_attack_spec_version3.1.0
    x_mitre_deprecatedFalse
    dictionary_item_removed
    STIX FieldOld valueNew Value
    x_mitre_permissions_required['User', 'Administrator']
    values_changed
    STIX FieldOld valueNew Value
    modified2021-06-23 19:22:52.870000+00:002023-08-11 15:26:41.941000+00:00
    x_mitre_version1.11.2
    iterable_item_added
    STIX FieldOld valueNew Value
    x_mitre_data_sourcesNetwork Traffic: Network Traffic Flow

    [T1543.003] Create or Modify System Process: Windows Service

    Current version: 1.4

    Version changed from: 1.3 → 1.4

    New Detections:

    • DS0022: File (File Metadata)
    • DS0029: Network Traffic (Network Traffic Flow)
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-04-21 12:30:35.872000+00:002023-09-15 16:42:25.014000+00:00
    x_mitre_version1.31.4
    iterable_item_added
    STIX FieldOld valueNew Value
    x_mitre_data_sourcesNetwork Traffic: Network Traffic Flow
    x_mitre_data_sourcesFile: File Metadata

    [T1547.004] Boot or Logon Autostart Execution: Winlogon Helper DLL

    Current version: 1.1

    Version changed from: 1.0 → 1.1

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 21:01:47.069000+00:002023-08-14 15:11:30.220000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    x_mitre_version1.01.1

    [T1547.013] Boot or Logon Autostart Execution: XDG Autostart Entries

    Current version: 1.1

    Version changed from: 1.0 → 1.1

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    		Old Description
    		New Description
    t1Adversaries may modify XDG autostart entries to execute progt1Adversaries may add or modify XDG Autostart Entries to execu
    >rams or commands during system boot. Linux desktop environme>te malicious programs or commands when a user’s desktop envi
    >nts that are XDG compliant implement functionality for XDG a>ronment is loaded at login. XDG Autostart entries are availa
    >utostart entries. These entries will allow an application to>ble for any XDG-compliant Linux system. XDG Autostart entrie
    > automatically start during the startup of a desktop environ>s use Desktop Entry files (`.desktop`) to configure the user
    >ment after user logon. By default, XDG autostart entries are>’s desktop environment upon user login. These configuration 
    > stored within the <code>/etc/xdg/autostart</code> or <code>>files determine what applications launch upon user login, de
    >~/.config/autostart</code> directories and have a .desktop f>fine associated applications to open specific file types, an
    >ile extension.(Citation: Free Desktop Application Autostart >d define applications used to open removable media.(Citation
    >Feb 2006)  Within an XDG autostart entry file, the <code>Typ>: Free Desktop Application Autostart Feb 2006)(Citation: Fre
    >e</code> key specifies if the entry is an application (type >e Desktop Entry Keys)  Adversaries may abuse this feature to
    >1), link (type 2) or directory (type 3). The <code>Name</cod> establish persistence by adding a path to a malicious binar
    >e> key indicates an arbitrary name assigned by the creator a>y or command to the `Exec` directive in the `.desktop` confi
    >nd the <code>Exec</code> key indicates the application and c>guration file. When the user’s desktop environment is loaded
    >ommand line arguments to execute.(Citation: Free Desktop Ent> at user login, the `.desktop` files located in the XDG Auto
    >ry Keys)  Adversaries may use XDG autostart entries to maint>start directories are automatically executed. System-wide Au
    >ain persistence by executing malicious commands and payloads>tostart entries are located in the `/etc/xdg/autostart` dire
    >, such as remote access tools, during the startup of a deskt>ctory while the user entries are located in the `~/.config/a
    >op environment. Commands included in XDG autostart entries w>utostart` directory.  Adversaries may combine this technique
    >ith execute after user logon in the context of the currently> with [Masquerading](https://attack.mitre.org/techniques/T10
    > logged on user. Adversaries may also use [Masquerading](htt>36) to blend malicious Autostart entries with legitimate pro
    >ps://attack.mitre.org/techniques/T1036) to make XDG autostar>grams.(Citation: Red Canary Netwire Linux 2022)
    >t entries look as if they are associated with legitimate pro 
    >grams. 
    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_attack_spec_version3.2.0
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2020-11-10 15:55:10.103000+00:002023-10-16 16:35:12.501000+00:00
    descriptionAdversaries may modify XDG autostart entries to execute programs or commands during system boot. Linux desktop environments that are XDG compliant implement functionality for XDG autostart entries. These entries will allow an application to automatically start during the startup of a desktop environment after user logon. By default, XDG autostart entries are stored within the /etc/xdg/autostart or ~/.config/autostart directories and have a .desktop file extension.(Citation: Free Desktop Application Autostart Feb 2006) + +Within an XDG autostart entry file, the Type key specifies if the entry is an application (type 1), link (type 2) or directory (type 3). The Name key indicates an arbitrary name assigned by the creator and the Exec key indicates the application and command line arguments to execute.(Citation: Free Desktop Entry Keys) + +Adversaries may use XDG autostart entries to maintain persistence by executing malicious commands and payloads, such as remote access tools, during the startup of a desktop environment. Commands included in XDG autostart entries with execute after user logon in the context of the currently logged on user. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make XDG autostart entries look as if they are associated with legitimate programs.Adversaries may add or modify XDG Autostart Entries to execute malicious programs or commands when a user’s desktop environment is loaded at login. XDG Autostart entries are available for any XDG-compliant Linux system. XDG Autostart entries use Desktop Entry files (`.desktop`) to configure the user’s desktop environment upon user login. These configuration files determine what applications launch upon user login, define associated applications to open specific file types, and define applications used to open removable media.(Citation: Free Desktop Application Autostart Feb 2006)(Citation: Free Desktop Entry Keys) + +Adversaries may abuse this feature to establish persistence by adding a path to a malicious binary or command to the `Exec` directive in the `.desktop` configuration file. When the user’s desktop environment is loaded at user login, the `.desktop` files located in the XDG Autostart directories are automatically executed. System-wide Autostart entries are located in the `/etc/xdg/autostart` directory while the user entries are located in the `~/.config/autostart` directory. + +Adversaries may combine this technique with [Masquerading](https://attack.mitre.org/techniques/T1036) to blend malicious Autostart entries with legitimate programs.(Citation: Red Canary Netwire Linux 2022)
    x_mitre_version1.01.1
    iterable_item_added
    STIX FieldOld valueNew Value
    external_references{'source_name': 'Red Canary Netwire Linux 2022', 'description': 'TONY LAMBERT. (2022, June 7). Trapping the Netwire RAT on Linux. Retrieved September 28, 2023.', 'url': 'https://redcanary.com/blog/netwire-remote-access-trojan-on-linux/'}
    Patches

    [T1550.001] Use Alternate Authentication Material: Application Access Token

    Current version: 1.5

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-05-04 18:04:17.588000+00:002023-09-19 21:24:45.231000+00:00
    iterable_item_added
    STIX FieldOld valueNew Value
    x_mitre_contributorsJack Burns, HubSpot
    iterable_item_removed
    STIX FieldOld valueNew Value
    x_mitre_contributorsJen Burns, HubSpot

    [T1003.005] OS Credential Dumping: Cached Domain Credentials

    Current version: 1.0

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_attack_spec_version3.2.0
    x_mitre_deprecatedFalse
    dictionary_item_removed
    STIX FieldOld valueNew Value
    x_mitre_permissions_required['SYSTEM']
    values_changed
    STIX FieldOld valueNew Value
    modified2020-03-24 20:41:08.996000+00:002023-10-19 18:37:57.025000+00:00
    external_references[1]['description']Microsfot. (2016, August 21). Cached and Stored Credentials Technical Overview. Retrieved February 21, 2020.Microsoft. (2016, August 21). Cached and Stored Credentials Technical Overview. Retrieved February 21, 2020.

    [T1526] Cloud Service Discovery

    Current version: 1.3

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    		Old Description
    		New Description
    t1An adversary may attempt to enumerate the cloud services runt1An adversary may attempt to enumerate the cloud services run
    >ning on a system after gaining access. These methods can dif>ning on a system after gaining access. These methods can dif
    >fer from platform-as-a-service (PaaS), to infrastructure-as->fer from platform-as-a-service (PaaS), to infrastructure-as-
    >a-service (IaaS), or software-as-a-service (SaaS). Many serv>a-service (IaaS), or software-as-a-service (SaaS). Many serv
    >ices exist throughout the various cloud providers and can in>ices exist throughout the various cloud providers and can in
    >clude Continuous Integration and Continuous Delivery (CI/CD)>clude Continuous Integration and Continuous Delivery (CI/CD)
    >, Lambda Functions, Azure AD, etc. They may also include sec>, Lambda Functions, Azure AD, etc. They may also include sec
    >urity services, such as AWS GuardDuty and Microsoft Defender>urity services, such as AWS GuardDuty and Microsoft Defender
    > for Cloud, and logging services, such as AWS CloudTrail and> for Cloud, and logging services, such as AWS CloudTrail and
    > Google Cloud Audit Logs.  Adversaries may attempt to discov> Google Cloud Audit Logs.  Adversaries may attempt to discov
    >er information about the services enabled throughout the env>er information about the services enabled throughout the env
    >ironment. Azure tools and APIs, such as the Azure AD Graph A>ironment. Azure tools and APIs, such as the Azure AD Graph A
    >PI and Azure Resource Manager API, can enumerate resources a>PI and Azure Resource Manager API, can enumerate resources a
    >nd services, including applications, management groups, reso>nd services, including applications, management groups, reso
    >urces and policy definitions, and their relationships that a>urces and policy definitions, and their relationships that a
    >re accessible by an identity.(Citation: Azure - Resource Man>re accessible by an identity.(Citation: Azure - Resource Man
    >ager API)(Citation: Azure AD Graph API)  For example, Storms>ager API)(Citation: Azure AD Graph API)  For example, Storms
    >potter is an open source tool for enumerating and constructi>potter is an open source tool for enumerating and constructi
    >ng a graph for Azure resources and services, and Pacu is an >ng a graph for Azure resources and services, and Pacu is an 
    >open source AWS exploitation framework that supports several>open source AWS exploitation framework that supports several
    > methods for discovering cloud services.(Citation: Azure - S> methods for discovering cloud services.(Citation: Azure - S
    >tormspotter)(Citation: GitHub Pacu)  Adversaries may use the>tormspotter)(Citation: GitHub Pacu)  Adversaries may use the
    > information gained to shape follow-on behaviors, such as ta> information gained to shape follow-on behaviors, such as ta
    >rgeting data or credentials from enumerated services or evad>rgeting data or credentials from enumerated services or evad
    >ing identified defenses through [Disable or Modify Tools](ht>ing identified defenses through [Disable or Modify Tools](ht
    >tps://attack.mitre.org/techniques/T1562/001) or [Disable Clo>tps://attack.mitre.org/techniques/T1562/001) or [Disable or 
    >ud Logs](https://attack.mitre.org/techniques/T1562/008).>Modify Cloud Logs](https://attack.mitre.org/techniques/T1562
     >/008).
    Details
    values_changed
    STIX FieldOld valueNew Value
    descriptionAn adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs. + +Adversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Azure AD Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API) + +For example, Stormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.(Citation: Azure - Stormspotter)(Citation: GitHub Pacu) + +Adversaries may use the information gained to shape follow-on behaviors, such as targeting data or credentials from enumerated services or evading identified defenses through [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001) or [Disable Cloud Logs](https://attack.mitre.org/techniques/T1562/008).An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs. + +Adversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Azure AD Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API) + +For example, Stormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.(Citation: Azure - Stormspotter)(Citation: GitHub Pacu) + +Adversaries may use the information gained to shape follow-on behaviors, such as targeting data or credentials from enumerated services or evading identified defenses through [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001) or [Disable or Modify Cloud Logs](https://attack.mitre.org/techniques/T1562/008).

    [T1218.001] System Binary Proxy Execution: Compiled HTML File

    Current version: 2.1

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-04-21 12:23:17.694000+00:002023-10-18 16:31:56.936000+00:00
    external_references[5]['url']https://msitpros.com/?p=3909https://oddvar.moe/2017/08/13/bypassing-device-guard-umci-using-chm-cve-2017-8625/
    x_mitre_attack_spec_version3.1.03.2.0

    [T1036.008] Masquerading: Masquerade File Type

    Current version: 1.0

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-04-11 22:37:42.319000+00:002023-06-14 23:03:51.540000+00:00
    x_mitre_contributors[1]Ben SmithBen Smith, @ezaspy

    [T1546.013] Event Triggered Execution: PowerShell Profile

    Current version: 1.1

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_attack_spec_version3.2.0
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2022-02-08 16:39:08.851000+00:002023-10-20 17:04:13.976000+00:00
    iterable_item_added
    STIX FieldOld valueNew Value
    x_mitre_contributorsMatt Green, @mgreen27
    iterable_item_removed
    STIX FieldOld valueNew Value
    x_mitre_contributorsMatthew Green

    [T1036.003] Masquerading: Rename System Utilities

    Current version: 1.1

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-04-07 17:07:20.038000+00:002023-09-14 21:12:48.411000+00:00
    external_references[2]['url']http://pages.endgame.com/rs/627-YBU-612/images/EndgameJournal_The%20Masquerade%20Ball_Pages_R2.pdfhttps://www.elastic.co/blog/how-hunt-masquerade-ball

    [T1091] Replication Through Removable Media

    Current version: 1.2

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2022-10-21 19:14:13.179000+00:002023-10-17 20:42:21.453000+00:00
    x_mitre_attack_spec_version2.1.03.2.0
    x_mitre_contributors[0]Joas Antonio dos Santos, @Cr4zyC0d3Joas Antonio dos Santos, @C0d3Cr4zy

    [T1606.002] Forge Web Credentials: SAML Tokens

    Current version: 1.2

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_attack_spec_version3.1.0
    x_mitre_deprecatedFalse
    dictionary_item_removed
    STIX FieldOld valueNew Value
    x_mitre_permissions_required['Administrator']
    values_changed
    STIX FieldOld valueNew Value
    modified2021-09-20 16:47:19.173000+00:002023-09-19 21:25:46.568000+00:00
    iterable_item_added
    STIX FieldOld valueNew Value
    x_mitre_contributorsJack Burns, HubSpot
    iterable_item_removed
    STIX FieldOld valueNew Value
    x_mitre_contributorsJen Burns, HubSpot

    [T1528] Steal Application Access Token

    Current version: 1.2

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2022-04-21 16:25:11.482000+00:002023-09-19 21:23:50.233000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    x_mitre_contributors[6]Jen Burns, HubSpotJack Burns, HubSpot

    [T1539] Steal Web Session Cookie

    Current version: 1.2

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    		Old Description
    		New Description
    t1An adversary may steal web application or service session cot1An adversary may steal web application or service session co
    >okies and use them to gain access to web applications or Int>okies and use them to gain access to web applications or Int
    >ernet services as an authenticated user without needing cred>ernet services as an authenticated user without needing cred
    >entials. Web applications and services often use session coo>entials. Web applications and services often use session coo
    >kies as an authentication token after a user has authenticat>kies as an authentication token after a user has authenticat
    >ed to a website.  Cookies are often valid for an extended pe>ed to a website.  Cookies are often valid for an extended pe
    >riod of time, even if the web application is not actively us>riod of time, even if the web application is not actively us
    >ed. Cookies can be found on disk, in the process memory of t>ed. Cookies can be found on disk, in the process memory of t
    >he browser, and in network traffic to remote systems. Additi>he browser, and in network traffic to remote systems. Additi
    >onally, other applications on the targets machine might stor>onally, other applications on the targets machine might stor
    >e sensitive authentication cookies in memory (e.g. apps whic>e sensitive authentication cookies in memory (e.g. apps whic
    >h authenticate to cloud services). Session cookies can be us>h authenticate to cloud services). Session cookies can be us
    >ed to bypasses some multi-factor authentication protocols.(C>ed to bypasses some multi-factor authentication protocols.(C
    >itation: Pass The Cookie)  There are several examples of mal>itation: Pass The Cookie)  There are several examples of mal
    >ware targeting cookies from web browsers on the local system>ware targeting cookies from web browsers on the local system
    >.(Citation: Kaspersky TajMahal April 2019)(Citation: Unit 42>.(Citation: Kaspersky TajMahal April 2019)(Citation: Unit 42
    > Mac Crypto Cookies January 2019) There are also open source> Mac Crypto Cookies January 2019) There are also open source
    > frameworks such as Evilginx 2 and Muraena that can gather s> frameworks such as `Evilginx2` and `Muraena` that can gathe
    >ession cookies through a malicious proxy (ex: [Adversary-in->r session cookies through a malicious proxy (ex: [Adversary-
    >the-Middle](https://attack.mitre.org/techniques/T1557)) that>in-the-Middle](https://attack.mitre.org/techniques/T1557)) t
    > can be set up by an adversary and used in phishing campaign>hat can be set up by an adversary and used in phishing campa
    >s.(Citation: Github evilginx2)(Citation: GitHub Mauraena)  A>igns.(Citation: Github evilginx2)(Citation: GitHub Mauraena)
    >fter an adversary acquires a valid cookie, they can then per>  After an adversary acquires a valid cookie, they can then 
    >form a [Web Session Cookie](https://attack.mitre.org/techniq>perform a [Web Session Cookie](https://attack.mitre.org/tech
    >ues/T1550/004) technique to login to the corresponding web a>niques/T1550/004) technique to login to the corresponding we
    >pplication.>b application.
    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_attack_spec_version3.1.0
    x_mitre_deprecatedFalse
    dictionary_item_removed
    STIX FieldOld valueNew Value
    x_mitre_permissions_required['User']
    values_changed
    STIX FieldOld valueNew Value
    modified2021-07-28 01:26:51.971000+00:002023-08-03 20:19:01.074000+00:00
    descriptionAn adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website. + +Cookies are often valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk, in the process memory of the browser, and in network traffic to remote systems. Additionally, other applications on the targets machine might store sensitive authentication cookies in memory (e.g. apps which authenticate to cloud services). Session cookies can be used to bypasses some multi-factor authentication protocols.(Citation: Pass The Cookie) + +There are several examples of malware targeting cookies from web browsers on the local system.(Citation: Kaspersky TajMahal April 2019)(Citation: Unit 42 Mac Crypto Cookies January 2019) There are also open source frameworks such as Evilginx 2 and Muraena that can gather session cookies through a malicious proxy (ex: [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)) that can be set up by an adversary and used in phishing campaigns.(Citation: Github evilginx2)(Citation: GitHub Mauraena) + +After an adversary acquires a valid cookie, they can then perform a [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004) technique to login to the corresponding web application.An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website. + +Cookies are often valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk, in the process memory of the browser, and in network traffic to remote systems. Additionally, other applications on the targets machine might store sensitive authentication cookies in memory (e.g. apps which authenticate to cloud services). Session cookies can be used to bypasses some multi-factor authentication protocols.(Citation: Pass The Cookie) + +There are several examples of malware targeting cookies from web browsers on the local system.(Citation: Kaspersky TajMahal April 2019)(Citation: Unit 42 Mac Crypto Cookies January 2019) There are also open source frameworks such as `Evilginx2` and `Muraena` that can gather session cookies through a malicious proxy (ex: [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)) that can be set up by an adversary and used in phishing campaigns.(Citation: Github evilginx2)(Citation: GitHub Mauraena) + +After an adversary acquires a valid cookie, they can then perform a [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004) technique to login to the corresponding web application.

    [T1606.001] Forge Web Credentials: Web Cookies

    Current version: 1.1

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_attack_spec_version3.1.0
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2021-09-20 16:48:28.041000+00:002023-09-19 21:25:10.511000+00:00
    x_mitre_contributors[0]Jen Burns, HubSpotJack Burns, HubSpot

    [T1550.004] Use Alternate Authentication Material: Web Session Cookie

    Current version: 1.3

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 21:01:51.836000+00:002023-09-19 21:26:24.725000+00:00
    iterable_item_added
    STIX FieldOld valueNew Value
    x_mitre_contributorsJack Burns, HubSpot
    iterable_item_removed
    STIX FieldOld valueNew Value
    x_mitre_contributorsJen Burns, HubSpot

    mobile-attack

    New Techniques

    [T1661] Application Versioning

    Current version: 1.0

    Description: An adversary may push an update to a previously benign application to add malicious code. This can be accomplished by pushing an initially benign, functional application to a trusted application store, such as the Google Play Store or the Apple App Store. This allows the adversary to establish a trusted userbase that may grant permissions to the application prior to the introduction of malicious code. Then, an application update could be pushed to introduce malicious code.(Citation: android_app_breaking_bad) + +This technique could also be accomplished by compromising a developer’s account. This would allow an adversary to take advantage of an existing userbase without having to establish the userbase themselves.

    [T1662] Data Destruction

    Current version: 1.0

    Description: Adversaries may destroy data and files on specific devices or in large numbers to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives. + +To achieve data destruction, adversaries may use the `pm uninstall` command to uninstall packages or the `rm` command to remove specific files. For example, adversaries may first use `pm uninstall` to uninstall non-system apps, and then use `rm (-f) ` to delete specific files, further hiding malicious activity.(Citation: rootnik_rooting_tool)(Citation: abuse_native_linux_tools)

    [T1658] Exploitation for Client Execution

    Current version: 1.0

    Description: Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to insecure coding practices that can lead to unanticipated behavior. Adversaries may take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility. + +Adversaries may use device-based zero-click exploits for code execution. These exploits are powerful because there is no user interaction required for code execution. + +### SMS/iMessage Delivery + +SMS and iMessage in iOS are common targets through [Drive-By Compromise](https://attack.mitre.org/techniques/T1456), [Phishing](https://attack.mitre.org/techniques/T1660), etc. Adversaries may use embed malicious links, files, etc. in SMS messages or iMessages. Mobile devices may be compromised through one-click exploits, where the victim must interact with a text message, or zero-click exploits, where no user interaction is required. + +### AirDrop + +Unique to iOS, AirDrop is a network protocol that allows iOS users to transfer files between iOS devices. Before patches from Apple were released, on iOS 13.4 and earlier, adversaries may force the Apple Wireless Direct Link (AWDL) interface to activate, then exploit a buffer overflow to gain access to the device and run as root without interaction from the user.

    [T1655] Masquerading

    Current version: 1.0

    Description: Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name, location, or appearance of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names. + +Renaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1655) +

    [T1655.001] Masquerading: Match Legitimate Name or Location

    Current version: 1.0

    Description: Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by giving artifacts the name and icon of a legitimate, trusted application (i.e., Settings), or using a package name that matches legitimate, trusted applications (i.e., `com.google.android.gm`). + +Adversaries may also use the same icon of the file or application they are trying to mimic. +

    [T1660] Phishing

    Current version: 1.0

    Description: Adversaries may send malicious content to users in order to gain access to their mobile devices. All forms of phishing are electronically delivered social engineering. Adversaries can conduct both non-targeted phishing, such as in mass malware spam campaigns, as well as more targeted phishing tailored for a specific individual, company, or industry, known as “spearphishing”. Phishing often involves social engineering techniques, such as posing as a trusted source, as well as evasion techniques, such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages. + +Mobile phishing may take various forms. For example, adversaries may send emails containing malicious attachments or links, typically to deliver and then execute malicious code on victim devices. Phishing may also be conducted via third-party services, like social media platforms. + +Mobile devices are a particularly attractive target for adversaries executing phishing campaigns. Due to their smaller form factor than traditional desktop endpoints, users may not be able to notice minor differences between genuine and phishing websites. Further, mobile devices have additional sensors and radios that allow adversaries to execute phishing attempts over several different vectors, such as: + +- SMS messages: Adversaries may send SMS messages (known as “smishing”) from compromised devices to potential targets to convince the target to, for example, install malware, navigate to a specific website, or enable certain insecure configurations on their device. +- Quick Response (QR) Codes: Adversaries may use QR codes (known as “quishing”) to redirect users to a phishing website. For example, an adversary could replace a legitimate public QR Code with one that leads to a different destination, such as a phishing website. A malicious QR code could also be delivered via other means, such as SMS or email. In the latter case, an adversary could utilize a malicious QR code in an email to pivot from the user’s desktop computer to their mobile device. +- Phone Calls: Adversaries may call victims (known as “vishing”) to persuade them to perform an action, such as providing login credentials or navigating to a malicious website. This could also be used as a technique to perform the initial access on a mobile device, but then pivot to a computer/other network by having the victim perform an action on a desktop computer. +

    [T1663] Remote Access Software

    Current version: 1.0

    Description: Adversaries may use legitimate remote access software, such as `VNC`, `TeamViewer`, `AirDroid`, `AirMirror`, etc., to establish an interactive command and control channel to target mobile devices. + +Remote access applications may be installed and used post-compromise as an alternate communication channel for redundant access or as a way to establish an interactive remote session with the target device. They may also be used as a component of malware to establish a reverse connection to an adversary-controlled system or service. Installation of remote access tools may also include persistence.

    Minor Version Changes

    [T1481.002] Web Service: Bidirectional Communication

    Current version: 1.2

    Version changed from: 1.1 → 1.2

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-16 13:32:55.266000+00:002023-08-14 16:34:55.968000+00:00
    x_mitre_version1.11.2

    [T1616] Call Control

    Current version: 1.2

    Version changed from: 1.1 → 1.2

    New Detections:

    • DS0042: User Interface (System Notifications)

    Dropped Detections:

    • DS0041: Application Vetting (Permissions Requests)
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-16 18:31:37.189000+00:002023-08-10 21:57:52.009000+00:00
    x_mitre_version1.11.2

    [T1623] Command and Scripting Interpreter

    Current version: 1.2

    Version changed from: 1.1 → 1.2

    New Detections:

    • DS0017: Command (Command Execution)
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-20 15:16:19.547000+00:002023-08-07 22:15:34.693000+00:00
    x_mitre_version1.11.2

    [T1481.001] Web Service: Dead Drop Resolver

    Current version: 1.2

    Version changed from: 1.1 → 1.2

    New Detections:

    • DS0029: Network Traffic (Network Connection Creation)
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-20 15:56:04.790000+00:002023-08-14 16:33:56.861000+00:00
    x_mitre_version1.11.2

    [T1637.001] Dynamic Resolution: Domain Generation Algorithms

    Current version: 1.1

    Version changed from: 1.0 → 1.1

    New Detections:

    • DS0041: Application Vetting (Network Communication)
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2022-04-05 19:59:22.888000+00:002023-08-14 16:19:54.832000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    x_mitre_version1.01.1

    [T1407] Download New Code at Runtime

    Current version: 1.5

    Version changed from: 1.4 → 1.5

    New Detections:

    • DS0041: Application Vetting (Network Communication)
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-20 18:21:59.494000+00:002023-08-08 16:23:41.271000+00:00
    x_mitre_version1.41.5

    [T1456] Drive-By Compromise

    Current version: 2.2

    Version changed from: 2.1 → 2.2

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-20 18:24:56.530000+00:002023-08-07 17:12:07.620000+00:00
    x_mitre_version2.12.2

    [T1637] Dynamic Resolution

    Current version: 1.1

    Version changed from: 1.0 → 1.1

    New Detections:

    • DS0041: Application Vetting (Network Communication)
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2022-04-05 19:57:15.734000+00:002023-08-14 16:19:34.225000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    x_mitre_version1.01.1

    [T1639] Exfiltration Over Alternative Protocol

    Current version: 1.1

    Version changed from: 1.0 → 1.1

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2022-04-29 17:29:00.038000+00:002023-08-14 16:39:22.707000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    x_mitre_detectionExfiltration Over Alternative Protocols can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.[Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1639)s can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.
    x_mitre_version1.01.1

    [T1646] Exfiltration Over C2 Channel

    Current version: 1.1

    Version changed from: 1.0 → 1.1

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2022-04-08 16:25:44.552000+00:002023-08-14 16:41:52+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    x_mitre_detectionExfiltration over C2 channel can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.[Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1646) can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.
    x_mitre_version1.01.1

    [T1639.001] Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

    Current version: 1.1

    Version changed from: 1.0 → 1.1

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2022-04-06 13:23:10.087000+00:002023-08-14 16:40:40.166000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    x_mitre_detectionExfiltration Over Alternative Protocols can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.[Exfiltration Over Unencrypted Non-C2 Protocol](https://attack.mitre.org/techniques/T1639/001)s can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.
    x_mitre_version1.01.1

    [T1544] Ingress Tool Transfer

    Current version: 2.2

    Version changed from: 2.1 → 2.2

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-20 18:43:44.687000+00:002023-08-14 16:21:05.728000+00:00
    x_mitre_version2.12.2

    [T1516] Input Injection

    Current version: 1.2

    Version changed from: 1.1 → 1.2

    New Detections:

    • DS0042: User Interface (System Settings)
    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2022-10-24 15:09:07.609000+00:002023-08-08 22:50:32.775000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    x_mitre_version1.11.2

    [T1461] Lockscreen Bypass

    Current version: 1.3

    Version changed from: 1.2 → 1.3

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    		Old Description
    		New Description
    t1An adversary with physical access to a mobile device may seet1An adversary with physical access to a mobile device may see
    >k to bypass the device’s lockscreen. Several methods exist t>k to bypass the device’s lockscreen. Several methods exist t
    >o accomplish this, including:  * Biometric spoofing: If biom>o accomplish this, including:  * Biometric spoofing: If biom
    >etric authentication is used, an adversary could attempt to >etric authentication is used, an adversary could attempt to 
    >spoof a mobile device’s biometric authentication mechanism. >spoof a mobile device’s biometric authentication mechanism. 
    >Both iOS and Android partly mitigate this attack by requirin>Both iOS and Android partly mitigate this attack by requirin
    >g the device’s passcode rather than biometrics to unlock the>g the device’s passcode rather than biometrics to unlock the
    > device after every device restart, and after a set or rando> device after every device restart, and after a set or rando
    >m amount of time.(Citation: SRLabs-Fingerprint)(Citation: Th>m amount of time.(Citation: SRLabs-Fingerprint)(Citation: Th
    >eSun-FaceID) * Unlock code bypass: An adversaries could atte>eSun-FaceID) * Unlock code bypass: An adversary could attemp
    >mpt to brute-force or otherwise guess the lockscreen passcod>t to brute-force or otherwise guess the lockscreen passcode 
    >e (typically a PIN or password), including physically observ>(typically a PIN or password), including physically observin
    >ing (“shoulder surfing”) the device owner’s use of the locks>g (“shoulder surfing”) the device owner’s use of the lockscr
    >creen passcode. Mobile OS vendors partly mitigate this by im>een passcode. Mobile OS vendors partly mitigate this by impl
    >plementing incremental backoff timers after a set number of >ementing incremental backoff timers after a set number of fa
    >failed unlock attempts, as well as a configurable full devic>iled unlock attempts, as well as a configurable full device 
    >e wipe after several failed unlock attempts. * Vulnerability>wipe after several failed unlock attempts. * Vulnerability e
    > exploit: Techniques have been periodically demonstrated tha>xploit: Techniques have been periodically demonstrated that 
    >t exploit mobile devices to bypass the lockscreen. The vulne>exploit mobile devices to bypass the lockscreen. The vulnera
    >rabilities are generally patched by the device or OS vendor >bilities are generally patched by the device or OS vendor on
    >once disclosed.(Citation: Wired-AndroidBypass)(Citation: Kas>ce disclosed.(Citation: Wired-AndroidBypass)(Citation: Kaspe
    >persky-iOSBypass) >rsky-iOSBypass) 

    New Detections:

    • DS0013: Sensor Health (Host Status)
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2022-04-19 15:36:12.312000+00:002023-10-16 16:23:05.146000+00:00
    descriptionAn adversary with physical access to a mobile device may seek to bypass the device’s lockscreen. Several methods exist to accomplish this, including: + +* Biometric spoofing: If biometric authentication is used, an adversary could attempt to spoof a mobile device’s biometric authentication mechanism. Both iOS and Android partly mitigate this attack by requiring the device’s passcode rather than biometrics to unlock the device after every device restart, and after a set or random amount of time.(Citation: SRLabs-Fingerprint)(Citation: TheSun-FaceID) +* Unlock code bypass: An adversaries could attempt to brute-force or otherwise guess the lockscreen passcode (typically a PIN or password), including physically observing (“shoulder surfing”) the device owner’s use of the lockscreen passcode. Mobile OS vendors partly mitigate this by implementing incremental backoff timers after a set number of failed unlock attempts, as well as a configurable full device wipe after several failed unlock attempts. +* Vulnerability exploit: Techniques have been periodically demonstrated that exploit mobile devices to bypass the lockscreen. The vulnerabilities are generally patched by the device or OS vendor once disclosed.(Citation: Wired-AndroidBypass)(Citation: Kaspersky-iOSBypass) +An adversary with physical access to a mobile device may seek to bypass the device’s lockscreen. Several methods exist to accomplish this, including: + +* Biometric spoofing: If biometric authentication is used, an adversary could attempt to spoof a mobile device’s biometric authentication mechanism. Both iOS and Android partly mitigate this attack by requiring the device’s passcode rather than biometrics to unlock the device after every device restart, and after a set or random amount of time.(Citation: SRLabs-Fingerprint)(Citation: TheSun-FaceID) +* Unlock code bypass: An adversary could attempt to brute-force or otherwise guess the lockscreen passcode (typically a PIN or password), including physically observing (“shoulder surfing”) the device owner’s use of the lockscreen passcode. Mobile OS vendors partly mitigate this by implementing incremental backoff timers after a set number of failed unlock attempts, as well as a configurable full device wipe after several failed unlock attempts. +* Vulnerability exploit: Techniques have been periodically demonstrated that exploit mobile devices to bypass the lockscreen. The vulnerabilities are generally patched by the device or OS vendor once disclosed.(Citation: Wired-AndroidBypass)(Citation: Kaspersky-iOSBypass) +
    x_mitre_attack_spec_version2.1.03.2.0
    x_mitre_version1.21.3

    [T1406] Obfuscated Files or Information

    Current version: 3.1

    Version changed from: 3.0 → 3.1

    New Detections:

    • DS0041: Application Vetting (API Calls)
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2022-04-06 12:36:31.652000+00:002023-08-09 14:38:34.859000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    x_mitre_version3.03.1

    [T1481.003] Web Service: One-Way Communication

    Current version: 1.2

    Version changed from: 1.1 → 1.2

    New Detections:

    • DS0029: Network Traffic (Network Connection Creation)
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-20 18:53:34.118000+00:002023-08-14 16:35:55.739000+00:00
    x_mitre_version1.11.2

    [T1629.001] Impair Defenses: Prevent Application Removal

    Current version: 1.2

    Version changed from: 1.1 → 1.2

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    		Old Description
    		New Description
    t1Adversaries may abuse the Android device administration API t1Adversaries may abuse the Android device administration API 
    >to prevent the user from uninstalling a target application. >to prevent the user from uninstalling a target application. 
    >In earlier versions of Android, device administrator applica>In earlier versions of Android, device administrator applica
    >tions needed their administration capabilities explicitly de>tions needed their administration capabilities explicitly de
    >activated by the user before the application could be uninst>activated by the user before the application could be uninst
    >alled. This was later updated so the user could deactivate a>alled. This was later updated so the user could deactivate a
    >nd uninstall the administrator application in one step.  Adv>nd uninstall the administrator application in one step.  Adv
    >ersaries may also abuse the device accessibility APIs to pre>ersaries may also abuse the device accessibility APIs to pre
    >vent removal. This set of APIs allows the application to per>vent removal. This set of APIs allows the application to per
    >form certain actions on behalf of the user and programmatica>form certain actions on behalf of the user and programmatica
    >lly determine what is being shown on the screen. The malicio>lly determine what is being shown on the screen. The malicio
    >us application could monitor the device screen for certain m>us application could monitor the device screen for certain m
    >odals (e.g., the confirmation modal to uninstall an applicat>odals (e.g., the confirmation modal to uninstall an applicat
    >ion) and inject screen input or a back button tap to close t>ion) and inject screen input or a back button tap to close t
    >he modal.>he modal. For example, Android's `performGlobalAction(int)` 
     >API could be utilized to prevent the user from removing the 
     >malicious application from the device after installation. If
     > the user wants to uninstall the malicious application, two 
     >cases may occur, both preventing the user from removing the 
     >application.  * Case 1: If the integer argument passed to th
     >e API call is `2` or `GLOBAL_ACTION_HOME`, the malicious app
     >lication may direct the user to the home screen from setting
     >s screen   * Case 2: If the integer argument passed to the A
     >PI call is `1` or `GLOBAL_ACTION_BACK`, the malicious applic
     >ation may emulate the back press event 

    New Detections:

    • DS0041: Application Vetting (API Calls)
    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_contributors['Shankar Raman, Gen Digital and Abhinand, Amrita University']
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-20 18:54:36.502000+00:002023-09-28 15:38:41.106000+00:00
    descriptionAdversaries may abuse the Android device administration API to prevent the user from uninstalling a target application. In earlier versions of Android, device administrator applications needed their administration capabilities explicitly deactivated by the user before the application could be uninstalled. This was later updated so the user could deactivate and uninstall the administrator application in one step. + +Adversaries may also abuse the device accessibility APIs to prevent removal. This set of APIs allows the application to perform certain actions on behalf of the user and programmatically determine what is being shown on the screen. The malicious application could monitor the device screen for certain modals (e.g., the confirmation modal to uninstall an application) and inject screen input or a back button tap to close the modal.Adversaries may abuse the Android device administration API to prevent the user from uninstalling a target application. In earlier versions of Android, device administrator applications needed their administration capabilities explicitly deactivated by the user before the application could be uninstalled. This was later updated so the user could deactivate and uninstall the administrator application in one step. + +Adversaries may also abuse the device accessibility APIs to prevent removal. This set of APIs allows the application to perform certain actions on behalf of the user and programmatically determine what is being shown on the screen. The malicious application could monitor the device screen for certain modals (e.g., the confirmation modal to uninstall an application) and inject screen input or a back button tap to close the modal. For example, Android's `performGlobalAction(int)` API could be utilized to prevent the user from removing the malicious application from the device after installation. If the user wants to uninstall the malicious application, two cases may occur, both preventing the user from removing the application. + +* Case 1: If the integer argument passed to the API call is `2` or `GLOBAL_ACTION_HOME`, the malicious application may direct the user to the home screen from settings screen + +* Case 2: If the integer argument passed to the API call is `1` or `GLOBAL_ACTION_BACK`, the malicious application may emulate the back press event
    x_mitre_attack_spec_version3.1.03.2.0
    x_mitre_version1.11.2

    [T1458] Replication Through Removable Media

    Current version: 2.1

    Version changed from: 2.0 → 2.1

    New Detections:

    • DS0013: Sensor Health (Host Status)
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2022-04-08 15:53:11.864000+00:002023-08-07 17:13:04.396000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    x_mitre_version2.02.1

    [T1623.001] Command and Scripting Interpreter: Unix Shell

    Current version: 1.2

    Version changed from: 1.1 → 1.2

    New Detections:

    • DS0009: Process (Process Creation)
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-20 18:41:18.389000+00:002023-08-07 22:48:30.418000+00:00
    x_mitre_version1.11.2

    [T1481] Web Service

    Current version: 1.3

    Version changed from: 1.2 → 1.3

    New Detections:

    • DS0029: Network Traffic (Network Connection Creation)
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-20 18:37:13.730000+00:002023-08-14 16:31:37.317000+00:00
    x_mitre_version1.21.3
    Patches

    [T1634] Credentials from Password Store

    Current version: 1.1

    + + + + + + + + + + + + + + +

    		Old Description
    		New Description
    t1Adversaries may search common password storage locations to t1Adversaries may search common password storage locations to 
    >obtain user credentials. Passwords can be stored in several >obtain user credentials. Passwords can be stored in several 
    >places on a device, depending on the operating system or app>places on a device, depending on the operating system or app
    >lication holding the credentials. There are also specific ap>lication holding the credentials. There are also specific ap
    >plications that store passwords to make it easier for users >plications that store passwords to make it easier for users 
    >manage and maintain. Once credentials are obtained, they can>to manage and maintain. Once credentials are obtained, they 
    > be used to perform lateral movement and access restricted i>can be used to perform lateral movement and access restricte
    >nformation.>d information.
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-20 15:45:44.103000+00:002023-09-08 19:19:37.927000+00:00
    descriptionAdversaries may search common password storage locations to obtain user credentials. Passwords can be stored in several places on a device, depending on the operating system or application holding the credentials. There are also specific applications that store passwords to make it easier for users manage and maintain. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.Adversaries may search common password storage locations to obtain user credentials. Passwords can be stored in several places on a device, depending on the operating system or application holding the credentials. There are also specific applications that store passwords to make it easier for users to manage and maintain. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.

    [T1404] Exploitation for Privilege Escalation

    Current version: 2.1

    + + + + + + + + + + + + + + + + + + + + + + + + +

    		Old Description
    		New Description
    t1Adversaries may exploit software vulnerabilities in order tot1Adversaries may exploit software vulnerabilities in order to
    > to elevate privileges. Exploitation of a software vulnerabi> elevate privileges. Exploitation of a software vulnerabilit
    >lity occurs when an adversary takes advantage of a programmi>y occurs when an adversary takes advantage of a programming 
    >ng error in an application, service, within the operating sy>error in an application, service, within the operating syste
    >stem software, or kernel itself to execute adversary-control>m software, or kernel itself to execute adversary-controlled
    >led code. Security constructions, such as permission levels,> code. Security constructions, such as permission levels, wi
    > will often hinder access to information and use of certain >ll often hinder access to information and use of certain tec
    >techniques. Adversaries will likely need to perform privileg>hniques. Adversaries will likely need to perform privilege e
    >e escalation to include use of software exploitation to circ>scalation to include use of software exploitation to circumv
    >umvent those restrictions.   When initially gaining access t>ent those restrictions.   When initially gaining access to a
    >o a device, an adversary may be operating within a lower pri> device, an adversary may be operating within a lower privil
    >vileged process which will prevent them from accessing certa>eged process which will prevent them from accessing certain 
    >in resources on the system. Vulnerabilities may exist, usual>resources on the system. Vulnerabilities may exist, usually 
    >ly in operating system components and applications running a>in operating system components and applications running at h
    >t higher permissions, that can be exploited to gain higher l>igher permissions, that can be exploited to gain higher leve
    >evels of access on the system. This could enable someone to >ls of access on the system. This could enable someone to mov
    >move from unprivileged or user- level permission to root per>e from unprivileged or user- level permission to root permis
    >missions depending on the component that is vulnerable. >sions depending on the component that is vulnerable. 
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-20 18:49:53.301000+00:002023-09-08 19:20:13.836000+00:00
    descriptionAdversaries may exploit software vulnerabilities in order to to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in an application, service, within the operating system software, or kernel itself to execute adversary-controlled code. Security constructions, such as permission levels, will often hinder access to information and use of certain techniques. Adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions. + +When initially gaining access to a device, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and applications running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user- level permission to root permissions depending on the component that is vulnerable. Adversaries may exploit software vulnerabilities in order to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in an application, service, within the operating system software, or kernel itself to execute adversary-controlled code. Security constructions, such as permission levels, will often hinder access to information and use of certain techniques. Adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions. + +When initially gaining access to a device, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and applications running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user- level permission to root permissions depending on the component that is vulnerable.

    [T1430.002] Location Tracking: Impersonate SS7 Nodes

    Current version: 1.1

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-20 18:41:45.256000+00:002023-08-15 15:06:03.427000+00:00
    external_references[2]['url']https://www.fcc.gov/files/csric5-wg10-finalreport031517pdfhttps://web.archive.org/web/20200330012714/https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf

    [T1509] Non-Standard Port

    Current version: 2.1

    + + + + + + + + + + + + +

    		Old Description
    		New Description
    t1Adversaries may generate network traffic using a protocol ant1Adversaries may generate network traffic using a protocol an
    >d port paring that are typically not associated. For example>d port pairing that are typically not associated. For exampl
    >, HTTPS over port 8088 or port 587 as opposed to the traditi>e, HTTPS over port 8088 or port 587 as opposed to the tradit
    >onal port 443. Adversaries may make changes to the standard >ional port 443. Adversaries may make changes to the standard
    >port used by a protocol to bypass filtering or muddle analys> port used by a protocol to bypass filtering or muddle analy
    >is/parsing of network data.>sis/parsing of network data.
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-20 18:51:58.228000+00:002023-09-08 19:21:40.736000+00:00
    descriptionAdversaries may generate network traffic using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088 or port 587 as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.Adversaries may generate network traffic using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088 or port 587 as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.

    [T1625.001] Hijack Execution Flow: System Runtime API Hijacking

    Current version: 1.1

    + + + + + + + + + + + + + + + +

    		Old Description
    		New Description
    t1Adversaries may execute their own malicious payloads by hijat1Adversaries may execute their own malicious payloads by hija
    >cking the way an operating system run applications. Hijackin>cking the way an operating system runs applications. Hijacki
    >g execution flow can be for the purposes of persistence sinc>ng execution flow can be for the purposes of persistence sin
    >e this hijacked execution may reoccur at later points in tim>ce this hijacked execution may reoccur at later points in ti
    >e.    On Android, adversaries may overwrite the standard OS >me.    On Android, adversaries may overwrite the standard OS
    >API library with a malicious alternative to hook into core f> API library with a malicious alternative to hook into core 
    >unctions to achieve persistence. By doing this, the adversar>functions to achieve persistence. By doing this, the adversa
    >y’s code will be executed every time the overwritten API fun>ry’s code will be executed every time the overwritten API fu
    >ction is called by an app on the infected device.>nction is called by an app on the infected device.
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-20 18:46:08.412000+00:002023-09-08 19:20:51.220000+00:00
    descriptionAdversaries may execute their own malicious payloads by hijacking the way an operating system run applications. Hijacking execution flow can be for the purposes of persistence since this hijacked execution may reoccur at later points in time. + + +On Android, adversaries may overwrite the standard OS API library with a malicious alternative to hook into core functions to achieve persistence. By doing this, the adversary’s code will be executed every time the overwritten API function is called by an app on the infected device.Adversaries may execute their own malicious payloads by hijacking the way an operating system runs applications. Hijacking execution flow can be for the purposes of persistence since this hijacked execution may reoccur at later points in time. + + +On Android, adversaries may overwrite the standard OS API library with a malicious alternative to hook into core functions to achieve persistence. By doing this, the adversary’s code will be executed every time the overwritten API function is called by an app on the infected device.

    ics-attack

    Minor Version Changes

    [T0803] Block Command Message

    Current version: 1.1

    Version changed from: 1.0 → 1.1

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    x_mitre_detection
    values_changed
    STIX FieldOld valueNew Value
    modified2022-10-24 15:09:07.609000+00:002023-10-13 17:56:58.380000+00:00
    x_mitre_attack_spec_version2.1.03.2.0
    x_mitre_version1.01.1
    x_mitre_platforms[0]Field Controller/RTU/PLC/IEDNone
    iterable_item_removed
    STIX FieldOld valueNew Value
    x_mitre_platformsDevice Configuration/Parameters

    [T0821] Modify Controller Tasking

    Current version: 1.2

    Version changed from: 1.1 → 1.2

    New Mitigations:

    • M0800: Authorization Enforcement
    • M0804: Human User Authentication
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-09 18:38:51.471000+00:002023-10-13 17:56:58.991000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    x_mitre_version1.11.2
    x_mitre_platforms[0]Field Controller/RTU/PLC/IEDNone

    [T0836] Modify Parameter

    Current version: 1.3

    Version changed from: 1.2 → 1.3

    New Mitigations:

    • M0804: Human User Authentication
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-04-05 14:15:29.756000+00:002023-10-13 17:56:58.786000+00:00
    x_mitre_version1.21.3
    x_mitre_platforms[0]Control ServerNone
    iterable_item_removed
    STIX FieldOld valueNew Value
    x_mitre_platformsField Controller/RTU/PLC/IED
    x_mitre_platformsSafety Instrumented System/Protection Relay
    x_mitre_platformsHuman-Machine Interface

    [T0889] Modify Program

    Current version: 1.2

    Version changed from: 1.1 → 1.2

    New Mitigations:

    • M0800: Authorization Enforcement
    • M0804: Human User Authentication
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-09 18:38:51.471000+00:002023-10-20 17:01:10.138000+00:00
    x_mitre_attack_spec_version2.1.03.2.0
    x_mitre_version1.11.2
    x_mitre_platforms[0]Field Controller/RTU/PLC/IEDNone

    [T0881] Service Stop

    Current version: 1.1

    Version changed from: 1.0 → 1.1

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    x_mitre_detection
    values_changed
    STIX FieldOld valueNew Value
    modified2022-10-24 15:09:07.609000+00:002023-10-13 17:56:58.586000+00:00
    x_mitre_attack_spec_version2.1.03.2.0
    x_mitre_version1.01.1
    x_mitre_platforms[0]Human-Machine InterfaceNone
    iterable_item_removed
    STIX FieldOld valueNew Value
    external_references{'source_name': 'Enterprise ATT&CK', 'description': 'Enterprise ATT&CK Service Stop Retrieved. 2019/10/29 ', 'url': 'https://attack.mitre.org/techniques/T1489/'}
    x_mitre_platformsControl Server
    x_mitre_platformsData Historian
    x_mitre_platformsEngineering Workstation
    Patches

    [T0800] Activate Firmware Update Mode

    Current version: 1.0

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2022-10-24 15:09:07.609000+00:002023-10-13 17:56:59.593000+00:00
    x_mitre_platforms[0]Field Controller/RTU/PLC/IEDNone
    iterable_item_removed
    STIX FieldOld valueNew Value
    x_mitre_platformsSafety Instrumented System/Protection Relay

    [T0830] Adversary-in-the-Middle

    Current version: 2.0

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-09 18:38:51.471000+00:002023-10-13 17:57:08.233000+00:00
    x_mitre_platforms[0]Control ServerNone
    iterable_item_removed
    STIX FieldOld valueNew Value
    x_mitre_platformsField Controller/RTU/PLC/IED
    x_mitre_platformsHuman-Machine Interface

    [T0878] Alarm Suppression

    Current version: 1.2

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 20:13:55.599000+00:002023-10-13 17:57:01.578000+00:00
    x_mitre_platforms[0]Field Controller/RTU/PLC/IEDNone
    iterable_item_removed
    STIX FieldOld valueNew Value
    x_mitre_platformsSafety Instrumented System/Protection Relay
    x_mitre_platformsDevice Configuration/Parameters

    [T0802] Automated Collection

    Current version: 1.0

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-09 18:38:51.471000+00:002023-10-13 17:57:04.179000+00:00
    x_mitre_platforms[0]Field Controller/RTU/PLC/IEDNone
    iterable_item_removed
    STIX FieldOld valueNew Value
    x_mitre_platformsSafety Instrumented System/Protection Relay
    x_mitre_platformsControl Server

    [T0804] Block Reporting Message

    Current version: 1.0

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2022-09-19 13:57:23.538000+00:002023-10-13 17:57:04.376000+00:00
    x_mitre_platforms[0]Field Controller/RTU/PLC/IEDNone
    iterable_item_removed
    STIX FieldOld valueNew Value
    x_mitre_platformsInput/Output Server
    x_mitre_platformsDevice Configuration/Parameters

    [T0805] Block Serial COM

    Current version: 1.1

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2022-10-20 21:02:54.674000+00:002023-10-13 17:57:00.184000+00:00
    x_mitre_platforms[0]Field Controller/RTU/PLC/IEDNone
    iterable_item_removed
    STIX FieldOld valueNew Value
    x_mitre_platformsInput/Output Server
    x_mitre_platformsDevice Configuration/Parameters

    [T0806] Brute Force I/O

    Current version: 1.1

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-29 16:17:27.903000+00:002023-10-13 17:57:08.037000+00:00
    x_mitre_platforms[0]Control ServerNone
    iterable_item_removed
    STIX FieldOld valueNew Value
    x_mitre_platformsField Controller/RTU/PLC/IED

    [T0892] Change Credential

    Current version: 1.0

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-04-07 13:40:53.842000+00:002023-10-13 17:57:14.123000+00:00
    x_mitre_platforms[0]Field Controller/RTU/PLC/IEDNone

    [T0858] Change Operating Mode

    Current version: 1.0

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-09 18:38:51.471000+00:002023-10-13 17:57:01.367000+00:00
    x_mitre_platforms[0]Safety Instrumented System/Protection RelayNone
    iterable_item_removed
    STIX FieldOld valueNew Value
    x_mitre_platformsField Controller/RTU/PLC/IED

    [T0807] Command-Line Interface

    Current version: 1.1

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-09 18:38:51.471000+00:002023-10-13 17:57:00.378000+00:00
    x_mitre_platforms[0]Control ServerNone
    iterable_item_removed
    STIX FieldOld valueNew Value
    x_mitre_platformsData Historian
    x_mitre_platformsField Controller/RTU/PLC/IED
    x_mitre_platformsHuman-Machine Interface
    x_mitre_platformsInput/Output Server

    [T0885] Commonly Used Port

    Current version: 1.1

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-09 18:38:51.471000+00:002023-10-13 17:57:12.723000+00:00
    x_mitre_platforms[0]Safety Instrumented System/Protection RelayNone
    iterable_item_removed
    STIX FieldOld valueNew Value
    x_mitre_platformsField Controller/RTU/PLC/IED
    x_mitre_platformsHuman-Machine Interface
    x_mitre_platformsControl Server
    x_mitre_platformsEngineering Workstation

    [T0884] Connection Proxy

    Current version: 1.1

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-09 18:38:51.471000+00:002023-10-13 17:57:11.730000+00:00

    [T0879] Damage to Property

    Current version: 1.1

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 20:14:42.829000+00:002023-10-13 17:57:06.993000+00:00

    [T0809] Data Destruction

    Current version: 1.0

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2022-09-19 14:12:22.878000+00:002023-10-13 17:57:04.784000+00:00
    x_mitre_platforms[0]Control ServerNone
    iterable_item_removed
    STIX FieldOld valueNew Value
    x_mitre_platformsHuman-Machine Interface
    x_mitre_platformsField Controller/RTU/PLC/IED

    [T0811] Data from Information Repositories

    Current version: 1.2

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 19:09:43.744000+00:002023-10-13 17:57:03.187000+00:00
    x_mitre_platforms[0]Data HistorianNone

    [T0893] Data from Local System

    Current version: 1.0

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-04-05 14:14:48.109000+00:002023-10-13 17:57:13.921000+00:00
    x_mitre_platforms[0]Field Controller/RTU/PLC/IEDNone
    iterable_item_removed
    STIX FieldOld valueNew Value
    x_mitre_platformsSafety Instrumented System/Protection Relay
    x_mitre_platformsControl Server
    x_mitre_platformsInput/Output Server
    x_mitre_platformsHuman-Machine Interface
    x_mitre_platformsEngineering Workstation

    [T0812] Default Credentials

    Current version: 1.0

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-09 18:38:51.471000+00:002023-10-13 17:57:07.653000+00:00
    x_mitre_platforms[0]Human-Machine InterfaceNone
    iterable_item_removed
    STIX FieldOld valueNew Value
    x_mitre_platformsField Controller/RTU/PLC/IED
    x_mitre_platformsSafety Instrumented System/Protection Relay
    x_mitre_platformsControl Server
    x_mitre_platformsEngineering Workstation

    [T0813] Denial of Control

    Current version: 1.1

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 20:15:14.260000+00:002023-10-13 17:57:12.329000+00:00

    [T0814] Denial of Service

    Current version: 1.1

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 20:16:01.922000+00:002023-10-13 17:56:59.992000+00:00
    x_mitre_platforms[0]Field Controller/RTU/PLC/IEDNone
    iterable_item_removed
    STIX FieldOld valueNew Value
    x_mitre_platformsSafety Instrumented System/Protection Relay

    [T0815] Denial of View

    Current version: 1.1

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 20:16:25.031000+00:002023-10-13 17:57:05.576000+00:00

    [T0868] Detect Operating Mode

    Current version: 1.0

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-09 18:38:51.471000+00:002023-10-13 17:57:01.778000+00:00
    x_mitre_platforms[0]Field Controller/RTU/PLC/IEDNone

    [T0816] Device Restart/Shutdown

    Current version: 1.1

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2022-09-26 16:50:56.401000+00:002023-10-13 17:57:00.768000+00:00
    x_mitre_platforms[0]Field Controller/RTU/PLC/IEDNone

    [T0817] Drive-by Compromise

    Current version: 1.0

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-09 18:38:51.471000+00:002023-10-13 17:57:06.780000+00:00

    [T0871] Execution through API

    Current version: 1.1

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-09 18:38:51.471000+00:002023-10-13 17:57:05.776000+00:00
    x_mitre_platforms[0]Field Controller/RTU/PLC/IEDNone

    [T0819] Exploit Public-Facing Application

    Current version: 1.0

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-09 18:38:51.471000+00:002023-10-13 17:57:02.990000+00:00
    x_mitre_platforms[0]Human-Machine InterfaceNone

    [T0820] Exploitation for Evasion

    Current version: 1.1

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-09 18:38:51.471000+00:002023-10-13 17:57:08.425000+00:00
    x_mitre_platforms[0]Safety Instrumented System/Protection RelayNone
    iterable_item_removed
    STIX FieldOld valueNew Value
    x_mitre_platformsField Controller/RTU/PLC/IED

    [T0890] Exploitation for Privilege Escalation

    Current version: 1.1

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2022-09-27 16:38:58.028000+00:002023-10-13 17:57:11.342000+00:00
    x_mitre_platforms[0]Human-Machine InterfaceNone
    iterable_item_removed
    STIX FieldOld valueNew Value
    x_mitre_platformsSafety Instrumented System/Protection Relay

    [T0866] Exploitation of Remote Services

    Current version: 1.0

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-09 18:38:51.471000+00:002023-10-13 17:57:07.457000+00:00
    x_mitre_platforms[0]Human-Machine InterfaceNone
    iterable_item_removed
    STIX FieldOld valueNew Value
    x_mitre_platformsData Historian
    x_mitre_platformsEngineering Workstation

    [T0822] External Remote Services

    Current version: 1.1

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 20:16:55.602000+00:002023-10-13 17:57:07.840000+00:00
    x_mitre_platforms[0]Control ServerNone
    iterable_item_removed
    STIX FieldOld valueNew Value
    x_mitre_platformsInput/Output Server

    [T0823] Graphical User Interface

    Current version: 1.1

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-09 18:38:51.471000+00:002023-10-13 17:57:08.992000+00:00
    x_mitre_platforms[0]Human-Machine InterfaceNone

    [T0891] Hardcoded Credentials

    Current version: 1.0

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-09 18:38:51.471000+00:002023-10-13 17:57:10.962000+00:00
    x_mitre_platforms[0]Field Controller/RTU/PLC/IEDNone
    iterable_item_removed
    STIX FieldOld valueNew Value
    x_mitre_platformsSafety Instrumented System/Protection Relay
    x_mitre_platformsControl Server
    x_mitre_platformsData Historian
    x_mitre_platformsHuman-Machine Interface
    x_mitre_platformsEngineering Workstation

    [T0874] Hooking

    Current version: 1.2

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-13 13:32:08.619000+00:002023-10-13 17:57:08.803000+00:00
    x_mitre_platforms[0]Engineering WorkstationNone

    [T0877] I/O Image

    Current version: 1.1

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-09 18:38:51.471000+00:002023-10-13 17:57:05.375000+00:00
    x_mitre_platforms[0]Field Controller/RTU/PLC/IEDNone

    [T0872] Indicator Removal on Host

    Current version: 1.0

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-09 18:38:51.471000+00:002023-10-13 17:57:05.190000+00:00
    x_mitre_platforms[0]Human-Machine InterfaceNone
    iterable_item_removed
    STIX FieldOld valueNew Value
    x_mitre_platformsSafety Instrumented System/Protection Relay

    [T0883] Internet Accessible Device

    Current version: 1.0

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-09 18:38:51.471000+00:002023-10-13 17:57:13.719000+00:00
    x_mitre_platforms[0]Control ServerNone
    iterable_item_removed
    STIX FieldOld valueNew Value
    x_mitre_platformsData Historian
    x_mitre_platformsField Controller/RTU/PLC/IED
    x_mitre_platformsHuman-Machine Interface
    x_mitre_platformsInput/Output Server
    x_mitre_platformsSafety Instrumented System/Protection Relay

    [T0867] Lateral Tool Transfer

    Current version: 1.1

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-09 18:38:51.471000+00:002023-10-13 17:57:13.327000+00:00
    x_mitre_platforms[0]Human-Machine InterfaceNone
    iterable_item_removed
    STIX FieldOld valueNew Value
    x_mitre_platformsControl Server
    x_mitre_platformsData Historian

    [T0826] Loss of Availability

    Current version: 1.0

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-09 18:38:51.471000+00:002023-10-13 17:57:09.581000+00:00

    [T0827] Loss of Control

    Current version: 1.0

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-09 18:38:51.471000+00:002023-10-13 17:57:08.613000+00:00

    [T0828] Loss of Productivity and Revenue

    Current version: 1.0

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-09 18:38:51.471000+00:002023-10-13 17:57:06.362000+00:00

    [T0837] Loss of Protection

    Current version: 1.0

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-09 18:38:51.471000+00:002023-10-13 17:57:01.994000+00:00

    [T0880] Loss of Safety

    Current version: 1.0

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-09 18:38:51.471000+00:002023-10-13 17:57:06.171000+00:00

    [T0829] Loss of View

    Current version: 1.0

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-09 18:38:51.471000+00:002023-10-13 17:56:59.396000+00:00
    x_mitre_platforms[0]Human-Machine InterfaceNone
    iterable_item_removed
    STIX FieldOld valueNew Value
    x_mitre_platformsEngineering Workstation

    [T0835] Manipulate I/O Image

    Current version: 1.1

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2022-10-20 20:46:11.459000+00:002023-10-13 17:57:03.589000+00:00
    x_mitre_platforms[0]Field Controller/RTU/PLC/IEDNone

    [T0831] Manipulation of Control

    Current version: 1.0

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-09 18:38:51.471000+00:002023-10-13 17:56:59.793000+00:00

    [T0832] Manipulation of View

    Current version: 1.0

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-09 18:38:51.471000+00:002023-10-13 17:57:04.993000+00:00
    x_mitre_platforms[0]Engineering WorkstationNone
    iterable_item_removed
    STIX FieldOld valueNew Value
    x_mitre_platformsHuman-Machine Interface
    x_mitre_platformsField Controller/RTU/PLC/IED

    [T0849] Masquerading

    Current version: 1.1

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-09 18:38:51.471000+00:002023-10-13 17:57:10.181000+00:00
    x_mitre_platforms[0]Human-Machine InterfaceNone
    iterable_item_removed
    STIX FieldOld valueNew Value
    x_mitre_platformsControl Server

    [T0838] Modify Alarm Settings

    Current version: 1.2

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 20:17:43.803000+00:002023-10-13 17:57:12.528000+00:00
    x_mitre_platforms[0]Human-Machine InterfaceNone
    iterable_item_removed
    STIX FieldOld valueNew Value
    x_mitre_platformsControl Server
    x_mitre_platformsSafety Instrumented System/Protection Relay
    x_mitre_platformsField Controller/RTU/PLC/IED
    x_mitre_platformsDevice Configuration/Parameters

    [T0839] Module Firmware

    Current version: 1.1

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-09 18:38:51.471000+00:002023-10-13 17:57:13.531000+00:00
    x_mitre_platforms[0]Field Controller/RTU/PLC/IEDNone
    iterable_item_removed
    STIX FieldOld valueNew Value
    x_mitre_platformsSafety Instrumented System/Protection Relay

    [T0801] Monitor Process State

    Current version: 1.0

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-09 18:38:51.471000+00:002023-10-13 17:57:02.197000+00:00
    x_mitre_platforms[0]Human-Machine InterfaceNone
    iterable_item_removed
    STIX FieldOld valueNew Value
    x_mitre_platformsControl Server
    x_mitre_platformsData Historian
    x_mitre_platformsField Controller/RTU/PLC/IED
    x_mitre_platformsSafety Instrumented System/Protection Relay

    [T0834] Native API

    Current version: 1.0

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-09 18:38:51.471000+00:002023-10-13 17:57:09.388000+00:00
    x_mitre_platforms[0]Control ServerNone
    iterable_item_removed
    STIX FieldOld valueNew Value
    x_mitre_platformsData Historian
    x_mitre_platformsField Controller/RTU/PLC/IED
    x_mitre_platformsHuman-Machine Interface
    x_mitre_platformsInput/Output Server
    x_mitre_platformsSafety Instrumented System/Protection Relay

    [T0840] Network Connection Enumeration

    Current version: 1.1

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-09 18:38:51.471000+00:002023-10-13 17:57:13.131000+00:00
    x_mitre_platforms[0]Human-Machine InterfaceNone

    [T0842] Network Sniffing

    Current version: 1.0

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-09 18:38:51.471000+00:002023-10-13 17:57:03.783000+00:00
    x_mitre_platforms[0]Field Controller/RTU/PLC/IEDNone

    [T0861] Point & Tag Identification

    Current version: 1.1

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-09 18:38:51.471000+00:002023-10-13 17:57:00.575000+00:00
    x_mitre_platforms[0]Data HistorianNone
    iterable_item_removed
    STIX FieldOld valueNew Value
    x_mitre_platformsControl Server
    x_mitre_platformsHuman-Machine Interface

    [T0843] Program Download

    Current version: 1.1

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-09 18:38:51.471000+00:002023-10-13 17:57:10.374000+00:00
    x_mitre_platforms[0]Field Controller/RTU/PLC/IEDNone
    iterable_item_removed
    STIX FieldOld valueNew Value
    x_mitre_platformsSafety Instrumented System/Protection Relay

    [T0845] Program Upload

    Current version: 1.0

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-09 18:38:51.471000+00:002023-10-13 17:57:02.785000+00:00
    x_mitre_platforms[0]Safety Instrumented System/Protection RelayNone
    iterable_item_removed
    STIX FieldOld valueNew Value
    x_mitre_platformsField Controller/RTU/PLC/IED

    [T0873] Project File Infection

    Current version: 1.0

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-05-08 18:58:24.092000+00:002023-10-13 17:57:12.926000+00:00
    x_mitre_platforms[0]Engineering WorkstationNone
    iterable_item_removed
    STIX FieldOld valueNew Value
    x_mitre_platformsHuman-Machine Interface

    [T0886] Remote Services

    Current version: 1.1

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-09 18:38:51.471000+00:002023-10-13 17:57:12.125000+00:00
    x_mitre_platforms[0]Engineering WorkstationNone
    iterable_item_removed
    STIX FieldOld valueNew Value
    x_mitre_platformsHuman-Machine Interface
    x_mitre_platformsControl Server

    [T0846] Remote System Discovery

    Current version: 1.1

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-09 18:38:51.471000+00:002023-10-13 17:57:11.536000+00:00
    x_mitre_platforms[0]Control ServerNone
    iterable_item_removed
    STIX FieldOld valueNew Value
    x_mitre_platformsData Historian
    x_mitre_platformsSafety Instrumented System/Protection Relay
    x_mitre_platformsField Controller/RTU/PLC/IED
    x_mitre_platformsHuman-Machine Interface

    [T0888] Remote System Information Discovery

    Current version: 1.1

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-17 15:14:31.276000+00:002023-10-13 17:57:02.595000+00:00
    x_mitre_platforms[0]Field Controller/RTU/PLC/IEDNone
    iterable_item_removed
    STIX FieldOld valueNew Value
    x_mitre_platformsSafety Instrumented System/Protection Relay

    [T0847] Replication Through Removable Media

    Current version: 1.0

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-09 18:38:51.471000+00:002023-10-13 17:57:10.581000+00:00
    x_mitre_platforms[0]Human-Machine InterfaceNone
    iterable_item_removed
    STIX FieldOld valueNew Value
    x_mitre_platformsData Historian
    x_mitre_platformsControl Server

    [T0848] Rogue Master

    Current version: 1.2

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 20:18:41.277000+00:002023-10-13 17:57:09.193000+00:00
    x_mitre_platforms[0]Human-Machine InterfaceNone
    iterable_item_removed
    STIX FieldOld valueNew Value
    x_mitre_platformsControl Server
    x_mitre_platformsEngineering Workstation

    [T0851] Rootkit

    Current version: 1.1

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-09 18:38:51.471000+00:002023-10-13 17:57:03.989000+00:00
    x_mitre_platforms[0]Field Controller/RTU/PLC/IEDNone

    [T0852] Screen Capture

    Current version: 1.0

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-09 18:38:51.471000+00:002023-10-13 17:57:10.768000+00:00
    x_mitre_platforms[0]Human-Machine InterfaceNone

    [T0853] Scripting

    Current version: 1.0

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-09 18:38:51.471000+00:002023-10-13 17:57:02.398000+00:00
    x_mitre_platforms[0]Engineering WorkstationNone

    [T0865] Spearphishing Attachment

    Current version: 1.1

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-09 18:38:51.471000+00:002023-10-13 17:57:06.577000+00:00
    x_mitre_platforms[0]Engineering WorkstationNone
    iterable_item_removed
    STIX FieldOld valueNew Value
    x_mitre_platformsHuman-Machine Interface
    x_mitre_platformsControl Server
    x_mitre_platformsData Historian

    [T0856] Spoof Reporting Message

    Current version: 1.2

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 20:19:14.351000+00:002023-10-13 17:57:07.260000+00:00
    x_mitre_platforms[0]Control ServerNone

    [T0869] Standard Application Layer Protocol

    Current version: 1.0

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-09 18:38:51.471000+00:002023-10-13 17:57:11.924000+00:00
    x_mitre_platforms[0]Human-Machine InterfaceNone
    iterable_item_removed
    STIX FieldOld valueNew Value
    x_mitre_platformsControl Server
    x_mitre_platformsData Historian
    x_mitre_platformsEngineering Workstation

    [T0862] Supply Chain Compromise

    Current version: 1.1

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-09 18:38:51.471000+00:002023-10-13 17:57:05.975000+00:00
    x_mitre_platforms[0]Control ServerNone
    iterable_item_removed
    STIX FieldOld valueNew Value
    x_mitre_platformsData Historian
    x_mitre_platformsField Controller/RTU/PLC/IED
    x_mitre_platformsHuman-Machine Interface
    x_mitre_platformsInput/Output Server
    x_mitre_platformsSafety Instrumented System/Protection Relay

    [T0857] System Firmware

    Current version: 1.1

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-09 18:38:51.471000+00:002023-10-13 17:57:09.988000+00:00
    x_mitre_platforms[0]Safety Instrumented System/Protection RelayNone
    iterable_item_removed
    STIX FieldOld valueNew Value
    x_mitre_platformsField Controller/RTU/PLC/IED
    x_mitre_platformsInput/Output Server

    [T0882] Theft of Operational Information

    Current version: 1.0

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-09 18:38:51.471000+00:002023-10-13 17:57:09.780000+00:00

    [T0864] Transient Cyber Asset

    Current version: 1.2

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 20:19:41.272000+00:002023-10-13 17:57:03.395000+00:00
    external_references[1]['url']https://www.nerc.com/files/glossary_of_terms.pdfhttps://www.nerc.com/pa/Stand/Glossary%20of%20Terms/Glossary_of_Terms.pdf
    x_mitre_attack_spec_version3.1.03.2.0
    x_mitre_platforms[0]Engineering WorkstationNone

    [T0855] Unauthorized Command Message

    Current version: 1.2

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-04-05 14:16:02.811000+00:002023-10-13 17:57:04.582000+00:00
    x_mitre_platforms[0]Field Controller/RTU/PLC/IEDNone

    [T0863] User Execution

    Current version: 1.1

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-09 18:38:51.471000+00:002023-10-13 17:57:00.969000+00:00
    x_mitre_platforms[0]Engineering WorkstationNone
    iterable_item_removed
    STIX FieldOld valueNew Value
    x_mitre_platformsHuman-Machine Interface

    [T0859] Valid Accounts

    Current version: 1.1

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-09 18:38:51.471000+00:002023-10-13 17:57:11.152000+00:00
    x_mitre_platforms[0]Control ServerNone
    iterable_item_removed
    STIX FieldOld valueNew Value
    x_mitre_platformsData Historian
    x_mitre_platformsEngineering Workstation
    x_mitre_platformsField Controller/RTU/PLC/IED
    x_mitre_platformsHuman-Machine Interface
    x_mitre_platformsInput/Output Server
    x_mitre_platformsSafety Instrumented System/Protection Relay

    [T0860] Wireless Compromise

    Current version: 1.2

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 20:20:38.285000+00:002023-10-13 17:57:01.165000+00:00
    x_mitre_platforms[0]Control ServerNone
    iterable_item_removed
    STIX FieldOld valueNew Value
    x_mitre_platformsField Controller/RTU/PLC/IED
    x_mitre_platformsInput/Output Server

    [T0887] Wireless Sniffing

    Current version: 1.1

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-09 18:38:51.471000+00:002023-10-13 17:56:59.193000+00:00

    Software

    enterprise-attack

    New Software

    [S1074] ANDROMEDA

    Current version: 1.0

    Description: [ANDROMEDA](https://attack.mitre.org/software/S1074) is commodity malware that was widespread in the early 2010's and continues to be observed in infections across a wide variety of industries. During the 2022 [C0026](https://attack.mitre.org/campaigns/C0026) campaign, threat actors re-registered expired [ANDROMEDA](https://attack.mitre.org/software/S1074) C2 domains to spread malware to select targets in Ukraine.(Citation: Mandiant Suspected Turla Campaign February 2023)

    [S1087] AsyncRAT

    Current version: 1.0

    Description: [AsyncRAT](https://attack.mitre.org/software/S1087) is an open-source remote access tool originally available through the NYANxCAT Github repository that has been used in malicious campaigns.(Citation: Morphisec Snip3 May 2021)(Citation: Cisco Operation Layover September 2021)(Citation: Telefonica Snip3 December 2021)

    [S1081] BADHATCH

    Current version: 1.0

    Description: [BADHATCH](https://attack.mitre.org/software/S1081) is a backdoor that has been utilized by [FIN8](https://attack.mitre.org/groups/G0061) since at least 2019. [BADHATCH](https://attack.mitre.org/software/S1081) has been used to target the insurance, retail, technology, and chemical industries in the United States, Canada, South Africa, Panama, and Italy.(Citation: Gigamon BADHATCH Jul 2019)(Citation: BitDefender BADHATCH Mar 2021)

    [S1088] Disco

    Current version: 1.0

    Description: [Disco](https://attack.mitre.org/software/S1088) is a custom implant that has been used by [MoustachedBouncer](https://attack.mitre.org/groups/G1019) since at least 2020 including in campaigns using targeted malicious content injection for initial access and command and control.(Citation: MoustachedBouncer ESET August 2023)

    [S1075] KOPILUWAK

    Current version: 1.0

    Description: [KOPILUWAK](https://attack.mitre.org/software/S1075) is a JavaScript-based reconnaissance tool that has been used for victim profiling and C2 since at least 2017.(Citation: Mandiant Suspected Turla Campaign February 2023)

    [S1090] NightClub

    Current version: 1.0

    Description: [NightClub](https://attack.mitre.org/software/S1090) is a modular implant written in C++ that has been used by [MoustachedBouncer](https://attack.mitre.org/groups/G1019) since at least 2014.(Citation: MoustachedBouncer ESET August 2023)

    [S1091] Pacu

    Current version: 1.0

    Description: Pacu is an open-source AWS exploitation framework. The tool is written in Python and publicly available on GitHub.(Citation: GitHub Pacu)

    [S1076] QUIETCANARY

    Current version: 1.0

    Description: [QUIETCANARY](https://attack.mitre.org/software/S1076) is a backdoor tool written in .NET that has been used since at least 2022 to gather and exfiltrate data from victim networks.(Citation: Mandiant Suspected Turla Campaign February 2023)

    [S1084] QUIETEXIT

    Current version: 1.0

    Description: [QUIETEXIT](https://attack.mitre.org/software/S1084) is a novel backdoor, based on the open-source Dropbear SSH client-server software, that has been used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2021. [APT29](https://attack.mitre.org/groups/G0016) has deployed [QUIETEXIT](https://attack.mitre.org/software/S1084) on opaque network appliances that typically don't support antivirus or endpoint detection and response tools within a victim environment.(Citation: Mandiant APT29 Eye Spy Email Nov 22)

    [S1078] RotaJakiro

    Current version: 1.0

    Description: [RotaJakiro](https://attack.mitre.org/software/S1078) is a 64-bit Linux backdoor used by [APT32](https://attack.mitre.org/groups/G0050). First seen in 2018, it uses a plugin architecture to extend capabilities. [RotaJakiro](https://attack.mitre.org/software/S1078) can determine it's permission level and execute according to access type (`root` or `user`).(Citation: RotaJakiro 2021 netlab360 analysis)(Citation: netlab360 rotajakiro vs oceanlotus)

    [S1085] Sardonic

    Current version: 1.0

    Description: [Sardonic](https://attack.mitre.org/software/S1085) is a backdoor written in C and C++ that is known to be used by [FIN8](https://attack.mitre.org/groups/G0061), as early as August 2021 to target a financial institution in the United States. [Sardonic](https://attack.mitre.org/software/S1085) has a plugin system that can load specially made DLLs and execute their functions.(Citation: Bitdefender Sardonic Aug 2021)(Citation: Symantec FIN8 Jul 2023)

    [S1089] SharpDisco

    Current version: 1.0

    Description: [SharpDisco](https://attack.mitre.org/software/S1089) is a dropper developed in C# that has been used by [MoustachedBouncer](https://attack.mitre.org/groups/G1019) since at least 2020 to load malicious plugins.(Citation: MoustachedBouncer ESET August 2023)

    [S1086] Snip3

    Current version: 1.0

    Description: [Snip3](https://attack.mitre.org/software/S1086) is a sophisticated crypter-as-a-service that has been used since at least 2021 to obfuscate and load numerous strains of malware including [AsyncRAT](https://attack.mitre.org/software/S1087), [Revenge RAT](https://attack.mitre.org/software/S0379), [Agent Tesla](https://attack.mitre.org/software/S0331), and [NETWIRE](https://attack.mitre.org/software/S0198).(Citation: Morphisec Snip3 May 2021)(Citation: Telefonica Snip3 December 2021)

    [S0508] ngrok

    Current version: 1.2

    Description: [ngrok](https://attack.mitre.org/software/S0508) is a legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public IP. [ngrok](https://attack.mitre.org/software/S0508) has been leveraged by threat actors in several campaigns including use for lateral movement and data exfiltration.(Citation: Zdnet Ngrok September 2018)(Citation: FireEye Maze May 2020)(Citation: Cyware Ngrok May 2019)(Citation: MalwareBytes LazyScripter Feb 2021)

    Major Version Changes

    [S0352] OSX_OCEANLOTUS.D

    Current version: 3.0

    Version changed from: 2.2 → 3.0

    + + + + + + + + + + + + + + + + + +

    		Old Description
    		New Description
    t1[OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) t1[OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) 
    >is a MacOS backdoor with several variants that has been used>is a macOS backdoor used by [APT32](https://attack.mitre.org
    > by [APT32](https://attack.mitre.org/groups/G0050).(Citation>/groups/G0050). First discovered in 2015, [APT32](https://at
    >: TrendMicro MacOS April 2018)(Citation: Trend Micro MacOS B>tack.mitre.org/groups/G0050) has continued to make improveme
    >ackdoor November 2020)>nts using a plugin architecture to extend capabilities, spec
     >ifically using `.dylib` files. [OSX_OCEANLOTUS.D](https://at
     >tack.mitre.org/software/S0352) can also determine it's permi
     >ssion level and execute according to access type (`root` or 
     >`user`).(Citation: Unit42 OceanLotus 2017)(Citation: TrendMi
     >cro MacOS April 2018)(Citation: Trend Micro MacOS Backdoor N
     >ovember 2020)
    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2022-01-14 21:53:00.543000+00:002023-10-12 20:21:08.235000+00:00
    description[OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) is a MacOS backdoor with several variants that has been used by [APT32](https://attack.mitre.org/groups/G0050).(Citation: TrendMicro MacOS April 2018)(Citation: Trend Micro MacOS Backdoor November 2020)[OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) is a macOS backdoor used by [APT32](https://attack.mitre.org/groups/G0050). First discovered in 2015, [APT32](https://attack.mitre.org/groups/G0050) has continued to make improvements using a plugin architecture to extend capabilities, specifically using `.dylib` files. [OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) can also determine it's permission level and execute according to access type (`root` or `user`).(Citation: Unit42 OceanLotus 2017)(Citation: TrendMicro MacOS April 2018)(Citation: Trend Micro MacOS Backdoor November 2020)
    x_mitre_attack_spec_version2.1.03.2.0
    x_mitre_version2.23.0
    iterable_item_added
    STIX FieldOld valueNew Value
    external_references{'source_name': 'Unit42 OceanLotus 2017', 'description': 'Erye Hernandez and Danny Tsechansky. (2017, June 22). The New and Improved macOS Backdoor from OceanLotus. Retrieved September 8, 2023.', 'url': 'https://unit42.paloaltonetworks.com/unit42-new-improved-macos-backdoor-oceanlotus/'}

    [S0022] Uroburos

    Current version: 2.0

    Version changed from: 1.0 → 2.0

    + + + + + + + + + + + + + + + + + + + + + + + + +

    		Old Description
    		New Description
    t1[Uroburos](https://attack.mitre.org/software/S0022) is a root1[Uroburos](https://attack.mitre.org/software/S0022) is a sop
    >tkit used by [Turla](https://attack.mitre.org/groups/G0010).>histicated cyber espionage tool written in C that has been u
    > (Citation: Kaspersky Turla)>sed by units within Russia's Federal Security Service (FSB) 
     >associated with the [Turla](https://attack.mitre.org/groups/
     >G0010) toolset to collect intelligence on sensitive targets 
     >worldwide. [Uroburos](https://attack.mitre.org/software/S002
     >2) has several variants and has undergone nearly constant up
     >grade since its initial development in 2003 to keep it viabl
     >e after public disclosures. [Uroburos](https://attack.mitre.
     >org/software/S0022) is typically deployed to external-facing
     > nodes on a targeted network and has the ability to leverage
     > additional tools and TTPs to further exploit an internal ne
     >twork. [Uroburos](https://attack.mitre.org/software/S0022) h
     >as interoperable implants for Windows, Linux, and macOS, emp
     >loys a high level of stealth in communications and architect
     >ure, and can easily incorporate new or replacement component
     >s.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Ma
     >lware May 2023)(Citation: Kaspersky Turla)
    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_aliases['Uroburos', 'Snake']
    x_mitre_deprecatedFalse
    x_mitre_platforms['Linux', 'Windows', 'macOS']
    values_changed
    STIX FieldOld valueNew Value
    modified2018-10-17 00:14:20.652000+00:002023-10-02 17:26:25.052000+00:00
    description[Uroburos](https://attack.mitre.org/software/S0022) is a rootkit used by [Turla](https://attack.mitre.org/groups/G0010). (Citation: Kaspersky Turla)[Uroburos](https://attack.mitre.org/software/S0022) is a sophisticated cyber espionage tool written in C that has been used by units within Russia's Federal Security Service (FSB) associated with the [Turla](https://attack.mitre.org/groups/G0010) toolset to collect intelligence on sensitive targets worldwide. [Uroburos](https://attack.mitre.org/software/S0022) has several variants and has undergone nearly constant upgrade since its initial development in 2003 to keep it viable after public disclosures. [Uroburos](https://attack.mitre.org/software/S0022) is typically deployed to external-facing nodes on a targeted network and has the ability to leverage additional tools and TTPs to further exploit an internal network. [Uroburos](https://attack.mitre.org/software/S0022) has interoperable implants for Windows, Linux, and macOS, employs a high level of stealth in communications and architecture, and can easily incorporate new or replacement components.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)(Citation: Kaspersky Turla)
    external_references[1]['source_name']UroburosSnake
    external_references[1]['description'](Citation: Kaspersky Turla)(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)
    x_mitre_attack_spec_version2.1.03.2.0
    x_mitre_version1.02.0
    iterable_item_added
    STIX FieldOld valueNew Value
    external_references{'source_name': 'Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023', 'description': 'FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023.', 'url': 'https://www.cisa.gov/sites/default/files/2023-05/aa23-129a_snake_malware_2.pdf'}
    Minor Version Changes

    [S0552] AdFind

    Current version: 1.3

    Version changed from: 1.2 → 1.3

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-02 20:44:17.690000+00:002023-08-09 16:50:06.756000+00:00
    x_mitre_version1.21.3

    [S0331] Agent Tesla

    Current version: 1.3

    Version changed from: 1.2 → 1.3

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2021-04-21 02:04:30.060000+00:002023-09-11 20:13:18.738000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    x_mitre_version1.21.3

    [S0099] Arp

    Current version: 1.2

    Version changed from: 1.1 → 1.2

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2021-12-07 18:27:04.603000+00:002023-07-25 19:24:08.305000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    x_mitre_version1.11.2

    [S0190] BITSAdmin

    Current version: 1.4

    Version changed from: 1.3 → 1.4

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2022-10-13 18:56:28.568000+00:002023-08-03 18:31:04.851000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    x_mitre_version1.31.4

    [S0089] BlackEnergy

    Current version: 1.4

    Version changed from: 1.3 → 1.4

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2022-10-12 17:33:00.482000+00:002023-10-06 14:08:40.134000+00:00
    x_mitre_attack_spec_version2.1.03.2.0
    x_mitre_version1.31.4

    [S0521] BloodHound

    Current version: 1.5

    Version changed from: 1.4 → 1.5

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-02-16 18:51:10.090000+00:002023-08-09 18:00:13.178000+00:00
    x_mitre_version1.41.5

    [S0154] Cobalt Strike

    Current version: 1.11

    Version changed from: 1.10 → 1.11

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-07 13:05:11.028000+00:002023-08-09 16:47:36.538000+00:00
    x_mitre_version1.101.11

    [S0575] Conti

    Current version: 2.2

    Version changed from: 2.1 → 2.2

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2022-09-29 16:45:13.038000+00:002023-08-09 18:13:14.416000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    x_mitre_version2.12.2

    [S0235] CrossRAT

    Current version: 1.2

    Version changed from: 1.1 → 1.2

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2020-03-30 15:26:42.369000+00:002023-09-28 21:03:22.526000+00:00
    x_mitre_attack_spec_version2.1.03.2.0
    x_mitre_version1.11.2

    [S0384] Dridex

    Current version: 2.1

    Version changed from: 2.0 → 2.1

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2021-10-01 20:30:30.043000+00:002023-08-03 21:55:20.998000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    x_mitre_version2.02.1
    iterable_item_added
    STIX FieldOld valueNew Value
    x_mitre_contributorsJennifer Kim Roman, CrowdStrike

    [S0367] Emotet

    Current version: 1.5

    Version changed from: 1.4 → 1.5

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-01-17 22:19:58.856000+00:002023-09-29 19:44:43.868000+00:00
    x_mitre_attack_spec_version3.1.03.2.0
    x_mitre_version1.41.5

    [S0363] Empire

    Current version: 1.7

    Version changed from: 1.6 → 1.7

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-22 03:43:09.336000+00:002023-07-27 15:44:31.364000+00:00
    x_mitre_version1.61.7

    [S0410] Fysbis

    Current version: 1.3

    Version changed from: 1.2 → 1.3

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2020-11-06 15:24:20.400000+00:002023-10-01 16:58:20.224000+00:00
    x_mitre_attack_spec_version2.1.03.2.0
    x_mitre_version1.21.3

    [S0588] GoldMax

    Current version: 2.2

    Version changed from: 2.1 → 2.2

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-27 19:46:46.532000+00:002023-08-30 16:31:52.140000+00:00
    x_mitre_version2.12.2

    [S0434] Imminent Monitor

    Current version: 1.1

    Version changed from: 1.0 → 1.1

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2020-07-10 13:39:26.417000+00:002023-10-03 19:35:03.646000+00:00
    x_mitre_attack_spec_version2.1.03.2.0
    x_mitre_version1.01.1

    [S0357] Impacket

    Current version: 1.5

    Version changed from: 1.4 → 1.5

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-01-23 20:52:37.112000+00:002023-07-27 15:31:10.648000+00:00
    x_mitre_version1.41.5

    [S0607] KillDisk

    Current version: 1.2

    Version changed from: 1.1 → 1.2

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-08 22:13:42.357000+00:002023-10-06 14:09:52.833000+00:00
    x_mitre_attack_spec_version3.1.03.2.0
    x_mitre_version1.11.2

    [S0349] LaZagne

    Current version: 1.5

    Version changed from: 1.4 → 1.5

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-02 20:48:02.590000+00:002023-08-03 18:35:09.021000+00:00
    x_mitre_version1.41.5

    [S0002] Mimikatz

    Current version: 1.8

    Version changed from: 1.7 → 1.8

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-07 13:04:10.731000+00:002023-07-27 15:33:07.594000+00:00
    x_mitre_version1.71.8

    [S0198] NETWIRE

    Current version: 1.6

    Version changed from: 1.5 → 1.6

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-26 19:24:00.073000+00:002023-09-20 20:04:20.149000+00:00
    x_mitre_version1.51.6

    [S0039] Net

    Current version: 2.5

    Version changed from: 2.4 → 2.5

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-03 16:49:41.059000+00:002023-07-25 19:25:59.767000+00:00
    x_mitre_version2.42.5

    [S0359] Nltest

    Current version: 1.2

    Version changed from: 1.1 → 1.2

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2021-10-07 16:41:18.760000+00:002023-08-09 18:03:17.167000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    x_mitre_version1.11.2

    [S0402] OSX/Shlayer

    Current version: 1.4

    Version changed from: 1.3 → 1.4

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2022-10-19 16:35:18.493000+00:002023-08-30 16:28:36.699000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    x_mitre_version1.31.4

    [S0097] Ping

    Current version: 1.4

    Version changed from: 1.3 → 1.4

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-01-04 21:59:04.229000+00:002023-09-06 15:12:11.358000+00:00
    x_mitre_version1.31.4

    [S0029] PsExec

    Current version: 1.5

    Version changed from: 1.4 → 1.5

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-02 20:43:41.287000+00:002023-08-09 18:07:11.859000+00:00
    x_mitre_version1.41.5

    [S0192] Pupy

    Current version: 1.3

    Version changed from: 1.2 → 1.3

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2020-05-13 22:57:00.921000+00:002023-09-28 21:08:47.128000+00:00
    x_mitre_attack_spec_version2.1.03.2.0
    x_mitre_version1.21.3

    [S0481] Ragnar Locker

    Current version: 1.2

    Version changed from: 1.1 → 1.2

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2021-04-13 23:52:18.803000+00:002023-09-06 15:08:53.375000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    x_mitre_version1.11.2

    [S0019] Regin

    Current version: 1.2

    Version changed from: 1.1 → 1.2

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2020-06-29 01:54:53.301000+00:002023-10-01 02:47:21.211000+00:00
    x_mitre_attack_spec_version2.1.03.2.0
    x_mitre_version1.11.2

    [S0379] Revenge RAT

    Current version: 1.2

    Version changed from: 1.1 → 1.2

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2020-03-30 18:05:10.885000+00:002023-10-02 23:04:26.238000+00:00
    x_mitre_attack_spec_version2.1.03.2.0
    x_mitre_version1.11.2

    [S1071] Rubeus

    Current version: 1.1

    Version changed from: 1.0 → 1.1

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-04-13 23:27:32.465000+00:002023-08-03 18:30:05.885000+00:00
    x_mitre_version1.01.1

    [S0446] Ryuk

    Current version: 1.4

    Version changed from: 1.3 → 1.4

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2022-05-24 21:10:44.381000+00:002023-08-09 18:11:35.634000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    x_mitre_version1.31.4

    [S0266] TrickBot

    Current version: 2.1

    Version changed from: 2.0 → 2.1

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-02-23 19:45:50.419000+00:002023-08-09 16:44:56.511000+00:00
    x_mitre_version2.02.1

    [S0670] WarzoneRAT

    Current version: 1.1

    Version changed from: 1.0 → 1.1

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2022-04-15 14:24:50.745000+00:002023-10-03 19:33:26.976000+00:00
    x_mitre_attack_spec_version2.1.03.2.0
    x_mitre_version1.01.1

    [S0160] certutil

    Current version: 1.4

    Version changed from: 1.3 → 1.4

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-03 00:40:22.280000+00:002023-07-27 15:28:27.482000+00:00
    x_mitre_version1.31.4

    [S0404] esentutl

    Current version: 1.3

    Version changed from: 1.2 → 1.3

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2021-10-01 17:48:10.492000+00:002023-09-28 03:45:36.045000+00:00
    x_mitre_attack_spec_version2.1.03.2.0
    x_mitre_version1.21.3

    [S0283] jRAT

    Current version: 2.2

    Version changed from: 2.1 → 2.2

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2021-01-25 15:43:45.842000+00:002023-10-03 19:38:43.114000+00:00
    x_mitre_attack_spec_version2.1.03.2.0
    x_mitre_version2.12.2

    [S0104] netstat

    Current version: 1.2

    Version changed from: 1.1 → 1.2

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2022-10-12 21:29:16.407000+00:002023-07-25 19:25:05.678000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    x_mitre_version1.11.2

    [S0385] njRAT

    Current version: 1.5

    Version changed from: 1.4 → 1.5

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2022-09-16 19:33:56.130000+00:002023-09-20 20:03:22.206000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    x_mitre_version1.41.5
    Patches

    [S1068] BlackCat

    Current version: 1.0

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-04-17 21:40:50.124000+00:002023-06-15 18:33:45.154000+00:00
    external_references[3]['url']https://www.cyber.gov.au/acsc/view-all-content/advisories/2022-004-acsc-ransomware-profile-alphv-aka-blackcathttps://www.cyber.gov.au/about-us/advisories/2022-004-acsc-ransomware-profile-alphv-aka-blackcat

    [S0274] Calisto

    Current version: 1.1

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2020-03-30 01:58:55.849000+00:002023-09-21 19:42:40.612000+00:00
    external_references[3]['url']https://www.symantec.com/security-center/writeup/2018-073014-2512-99?om_rssid=sr-latestthreats30dayshttps://web.archive.org/web/20190111082249/https://www.symantec.com/security-center/writeup/2018-073014-2512-99?om_rssid=sr-latestthreats30days
    x_mitre_attack_spec_version2.1.03.1.0

    [S0030] Carbanak

    Current version: 1.1

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2021-04-01 16:03:31.574000+00:002023-08-17 19:51:14.195000+00:00
    x_mitre_attack_spec_version2.1.03.1.0

    [S0600] Doki

    Current version: 1.0

    + + + + + + + + + + + + + +

    		Old Description
    		New Description
    t1[Doki](https://attack.mitre.org/software/S0600) is a backdoot1[Doki](https://attack.mitre.org/software/S0600) is a backdoo
    >r that uses a unique Dogecoin-based Domain Generation Algori>r that uses a unique Dogecoin-based Domain Generation Algori
    >thm and was first observed in July 2020. [Doki](https://atta>thm and was first observed in July 2020. [Doki](https://atta
    >ck.mitre.org/software/S0600) was used in conjunction with th>ck.mitre.org/software/S0600) was used in conjunction with th
    >e [Ngrok](https://attack.mitre.org/software/S0508) Mining Bo>e [ngrok](https://attack.mitre.org/software/S0508) Mining Bo
    >tnet in a campaign that targeted Docker servers in cloud pla>tnet in a campaign that targeted Docker servers in cloud pla
    >tforms. (Citation: Intezer Doki July 20)>tforms. (Citation: Intezer Doki July 20)
    Details
    values_changed
    STIX FieldOld valueNew Value
    description[Doki](https://attack.mitre.org/software/S0600) is a backdoor that uses a unique Dogecoin-based Domain Generation Algorithm and was first observed in July 2020. [Doki](https://attack.mitre.org/software/S0600) was used in conjunction with the [Ngrok](https://attack.mitre.org/software/S0508) Mining Botnet in a campaign that targeted Docker servers in cloud platforms. (Citation: Intezer Doki July 20)[Doki](https://attack.mitre.org/software/S0600) is a backdoor that uses a unique Dogecoin-based Domain Generation Algorithm and was first observed in July 2020. [Doki](https://attack.mitre.org/software/S0600) was used in conjunction with the [ngrok](https://attack.mitre.org/software/S0508) Mining Botnet in a campaign that targeted Docker servers in cloud platforms. (Citation: Intezer Doki July 20)

    [S0604] Industroyer

    Current version: 1.1

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2022-10-20 20:37:50.556000+00:002023-10-17 20:09:38.062000+00:00
    x_mitre_attack_spec_version2.1.03.2.0
    x_mitre_contributors[1]Joe Slowik - DragosJoe Slowik - Dragos

    [S0372] LockerGoga

    Current version: 2.0

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-08 22:03:50.370000+00:002023-10-17 20:05:34.648000+00:00
    x_mitre_attack_spec_version3.1.03.2.0
    x_mitre_contributors[0]Joe Slowik - DragosJoe Slowik - Dragos

    [S0196] PUNCHBUGGY

    Current version: 2.1

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2021-02-09 14:07:10.907000+00:002023-09-19 13:31:34.134000+00:00
    external_references[4]['description']Kizhakkinan, D. et al.. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018.Kizhakkinan, D., et al. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018.
    x_mitre_attack_spec_version2.1.03.1.0

    [S0197] PUNCHTRACK

    Current version: 1.1

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2020-03-17 14:48:43.852000+00:002023-09-19 13:31:34.134000+00:00
    external_references[3]['description']Kizhakkinan, D. et al.. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018.Kizhakkinan, D., et al. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018.
    x_mitre_attack_spec_version2.1.03.1.0

    [S0194] PowerSploit

    Current version: 1.6

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-22 05:12:48.213000+00:002023-08-17 19:50:17.832000+00:00
    Revocations

    [S9000] Ngrok

    Current version: 1.1

    This object has been revoked by [S0508] ngrok

    Description for [S0508] ngrok: [ngrok](https://attack.mitre.org/software/S0508) is a legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public IP. [ngrok](https://attack.mitre.org/software/S0508) has been leveraged by threat actors in several campaigns including use for lateral movement and data exfiltration.(Citation: Zdnet Ngrok September 2018)(Citation: FireEye Maze May 2020)(Citation: Cyware Ngrok May 2019)(Citation: MalwareBytes LazyScripter Feb 2021)

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-04-13 13:24:56.579000+00:002023-09-25 18:56:12.154000+00:00
    description[Ngrok](https://attack.mitre.org/software/S0508) is a legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public IP. [Ngrok](https://attack.mitre.org/software/S0508) has been leveraged by threat actors in several campaigns including use for lateral movement and data exfiltration.(Citation: Zdnet Ngrok September 2018)(Citation: FireEye Maze May 2020)(Citation: Cyware Ngrok May 2019)(Citation: MalwareBytes LazyScripter Feb 2021)
    revokedFalseTrue
    external_references[0]{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/software/S0508', 'external_id': 'S0508'}{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/software/S9000', 'external_id': 'S9000'}
    iterable_item_removed
    STIX FieldOld valueNew Value
    external_references{'source_name': 'Zdnet Ngrok September 2018', 'description': 'Cimpanu, C. (2018, September 13). Sly malware author hides cryptomining botnet behind ever-shifting proxy service. Retrieved September 15, 2020.', 'url': 'https://www.zdnet.com/article/sly-malware-author-hides-cryptomining-botnet-behind-ever-shifting-proxy-service/'}
    external_references{'source_name': 'Cyware Ngrok May 2019', 'description': 'Cyware. (2019, May 29). Cyber attackers leverage tunneling service to drop Lokibot onto victims’ systems. Retrieved September 15, 2020.', 'url': 'https://cyware.com/news/cyber-attackers-leverage-tunneling-service-to-drop-lokibot-onto-victims-systems-6f610e44'}
    external_references{'source_name': 'MalwareBytes LazyScripter Feb 2021', 'description': 'Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.', 'url': 'https://www.malwarebytes.com/resources/files/2021/02/lazyscripter.pdf'}
    external_references{'source_name': 'FireEye Maze May 2020', 'description': 'Kennelly, J., Goody, K., Shilko, J. (2020, May 7). Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents. Retrieved May 18, 2020.', 'url': 'https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html'}

    mobile-attack

    New Software

    [S1079] BOULDSPY

    Current version: 1.0

    Description: [BOULDSPY](https://attack.mitre.org/software/S1079) is an Android malware, detected in early 2023, with surveillance and remote-control capabilities. Analysis of exfiltrated C2 data suggests that [BOULDSPY](https://attack.mitre.org/software/S1079) primarily targeted minority groups in Iran.(Citation: lookout_bouldspy_0423)

    [S1083] Chameleon

    Current version: 1.0

    Description: [Chameleon](https://attack.mitre.org/software/S1083) is an Android banking trojan that can leverage Android’s Accessibility Services to perform malicious activities. Believed to have been first active in January 2023, [Chameleon](https://attack.mitre.org/software/S1083) has been observed targeting users in Australia and Poland by masquerading as official apps.(Citation: cyble_chameleon_0423)

    [S1092] Escobar

    Current version: 1.0

    Description: [Escobar](https://attack.mitre.org/software/S1092) is an Android banking trojan, first detected in March 2021, believed to be a new variant of AbereBot.(Citation: Bleeipng Computer Escobar)

    [S1080] Fakecalls

    Current version: 1.0

    Description: [Fakecalls](https://attack.mitre.org/software/S1080) is an Android trojan, first detected in January 2021, that masquerades as South Korean banking apps. It has capabilities to intercept calls to banking institutions and even maintain realistic dialogues with the victim using pre-recorded audio snippets.(Citation: kaspersky_fakecalls_0422)

    [S1093] FlyTrap

    Current version: 1.0

    Description: [FlyTrap](https://attack.mitre.org/software/S1093) is an Android trojan, first detected in March 2021, that uses social engineering tactics to compromise Facebook accounts. [FlyTrap](https://attack.mitre.org/software/S1093) was initially detected through infected apps on the Google Play store, and is believed to have impacted over 10,000 victims across at least 140 countries.(Citation: Trend Micro FlyTrap)

    [S1077] Hornbill

    Current version: 1.0

    Description: [Hornbill](https://attack.mitre.org/software/S1077) is one of two mobile malware families known to be used by the APT [Confucius](https://attack.mitre.org/groups/G0142). Analysis suggests that [Hornbill](https://attack.mitre.org/software/S1077) was first active in early 2018. While [Hornbill](https://attack.mitre.org/software/S1077) and [Sunbird](https://attack.mitre.org/software/S1082) overlap in core capabilities, [Hornbill](https://attack.mitre.org/software/S1077) has tools and behaviors suggesting more passive reconnaissance.(Citation: lookout_hornbill_sunbird_0221)

    [S1082] Sunbird

    Current version: 1.0

    Description: [Sunbird](https://attack.mitre.org/software/S1082) is one of two mobile malware families known to be used by the APT [Confucius](https://attack.mitre.org/groups/G0142). Analysis suggests that [Sunbird](https://attack.mitre.org/software/S1082) was first active in early 2017. While [Sunbird](https://attack.mitre.org/software/S1082) and [Hornbill](https://attack.mitre.org/software/S1077) overlap in core capabilities, [Sunbird](https://attack.mitre.org/software/S1082) has a more extensive set of malicious features.(Citation: lookout_hornbill_sunbird_0221)

    ics-attack

    Minor Version Changes

    [S0089] BlackEnergy

    Current version: 1.4

    Version changed from: 1.3 → 1.4

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2022-10-12 17:33:00.482000+00:002023-10-06 14:08:40.134000+00:00
    x_mitre_attack_spec_version2.1.03.2.0
    x_mitre_version1.31.4

    [S0607] KillDisk

    Current version: 1.2

    Version changed from: 1.1 → 1.2

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-08 22:13:42.357000+00:002023-10-06 14:09:52.833000+00:00
    x_mitre_attack_spec_version3.1.03.2.0
    x_mitre_version1.11.2

    [S0446] Ryuk

    Current version: 1.4

    Version changed from: 1.3 → 1.4

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2022-05-24 21:10:44.381000+00:002023-08-09 18:11:35.634000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    x_mitre_version1.31.4
    Patches

    [S0604] Industroyer

    Current version: 1.1

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2022-10-20 20:37:50.556000+00:002023-10-17 20:09:38.062000+00:00
    x_mitre_attack_spec_version2.1.03.2.0
    x_mitre_contributors[1]Joe Slowik - DragosJoe Slowik - Dragos

    [S0372] LockerGoga

    Current version: 2.0

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-08 22:03:50.370000+00:002023-10-17 20:05:34.648000+00:00
    x_mitre_attack_spec_version3.1.03.2.0
    x_mitre_contributors[0]Joe Slowik - DragosJoe Slowik - Dragos

    Groups

    enterprise-attack

    New Groups

    [G0058] Charming Kitten

    Current version: 1.0

    Description: [Charming Kitten](https://attack.mitre.org/groups/G0058) is an Iranian cyber espionage group that has been active since approximately 2014. They appear to focus on targeting individuals of interest to Iran who work in academic research, human rights, and media, with most victims having been located in Iran, the US, Israel, and the UK. [[Charming Kitten](https://attack.mitre.org/groups/G0058) often tries to access private email and Facebook accounts, and sometimes establishes a foothold on victim computers as a secondary objective. The group's TTPs overlap extensively with another group, [Magic Hound](https://attack.mitre.org/groups/G0059), resulting in reporting that may not distinguish between the two groups' activities.(Citation: ClearSky Charming Kitten Dec 2017)

    [G1016] FIN13

    Current version: 1.0

    Description: [FIN13](https://attack.mitre.org/groups/G1016) is a financially motivated cyber threat group that has targeted the financial, retail, and hospitality industries in Mexico and Latin America, as early as 2016. [FIN13](https://attack.mitre.org/groups/G1016) achieves its objectives by stealing intellectual property, financial data, mergers and acquisition information, or PII.(Citation: Mandiant FIN13 Aug 2022)(Citation: Sygnia Elephant Beetle Jan 2022)

    [G1019] MoustachedBouncer

    Current version: 1.0

    Description: [MoustachedBouncer](https://attack.mitre.org/groups/G1019) is a cyberespionage group that has been active since at least 2014 targeting foreign embassies in Belarus.(Citation: MoustachedBouncer ESET August 2023)

    [G1015] Scattered Spider

    Current version: 1.0

    Description: [Scattered Spider](https://attack.mitre.org/groups/G1015) is a cybercriminal group that has been active since at least 2022 targeting customer relationship management and business-process outsourcing (BPO) firms as well as telecommunications and technology companies. During campaigns [Scattered Spider](https://attack.mitre.org/groups/G1015) has leveraged targeted social-engineering techniques and attempted to bypass popular endpoint security tools.(Citation: CrowdStrike Scattered Spider Profile)(Citation: CrowdStrike Scattered Spider BYOVD January 2023)(Citation: Crowdstrike TELCO BPO Campaign December 2022)

    [G1018] TA2541

    Current version: 1.0

    Description: [TA2541](https://attack.mitre.org/groups/G1018) is a cybercriminal group that has been targeting the aviation, aerospace, transportation, manufacturing, and defense industries since at least 2017. [TA2541](https://attack.mitre.org/groups/G1018) campaigns are typically high volume and involve the use of commodity remote access tools obfuscated by crypters and themes related to aviation, transportation, and travel.(Citation: Proofpoint TA2541 February 2022)(Citation: Cisco Operation Layover September 2021)

    [G1017] Volt Typhoon

    Current version: 1.0

    Description: [Volt Typhoon](https://attack.mitre.org/groups/G1017) is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021. [Volt Typhoon](https://attack.mitre.org/groups/G1017) typically focuses on espionage and information gathering and has targeted critical infrastructure organizations in the US including Guam. [Volt Typhoon](https://attack.mitre.org/groups/G1017) has emphasized stealth in operations using web shells, living-off-the-land (LOTL) binaries, hands on keyboard activities, and stolen credentials.(Citation: Microsoft Volt Typhoon May 2023)(Citation: Joint Cybersecurity Advisory Volt Typhoon June 2023)(Citation: Secureworks BRONZE SILHOUETTE May 2023)

    Major Version Changes

    [G0016] APT29

    Current version: 5.0

    Version changed from: 4.0 → 5.0

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-04-16 22:25:01.191000+00:002023-10-02 21:33:07.807000+00:00
    x_mitre_attack_spec_version3.1.03.2.0
    x_mitre_version4.05.0
    iterable_item_added
    STIX FieldOld valueNew Value
    aliasesUNC3524
    external_references{'source_name': 'UNC3524', 'description': '(Citation: Mandiant APT29 Eye Spy Email Nov 22)'}
    external_references{'source_name': 'Mandiant APT29 Eye Spy Email Nov 22', 'description': 'Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved August 17, 2023.', 'url': 'https://www.mandiant.com/resources/blog/unc3524-eye-spy-email'}

    [G0046] FIN7

    Current version: 3.0

    Version changed from: 2.2 → 3.0

    + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    		Old Description
    		New Description
    t1[FIN7](https://attack.mitre.org/groups/G0046) is a financialt1[FIN7](https://attack.mitre.org/groups/G0046) is a financial
    >ly-motivated threat group that has been active since 2013 pr>ly-motivated threat group that has been active since 2013. [
    >imarily targeting the U.S. retail, restaurant, and hospitali>FIN7](https://attack.mitre.org/groups/G0046) has primarily t
    >ty sectors, often using point-of-sale malware. A portion of >argeted the retail, restaurant, hospitality, software, consu
    >[FIN7](https://attack.mitre.org/groups/G0046) was run out of>lting, financial services, medical equipment, cloud services
    > a front company called Combi Security. Since 2020 [FIN7](ht>, media, food and beverage, transportation, and utilities in
    >tps://attack.mitre.org/groups/G0046) shifted operations to a>dustries in the U.S. A portion of [FIN7](https://attack.mitr
    > big game hunting (BGH) approach including use of [REvil](ht>e.org/groups/G0046) was run out of a front company called Co
    >tps://attack.mitre.org/software/S0496) ransomware and their >mbi Security and often used point-of-sale malware for target
    >own Ransomware as a Service (RaaS), Darkside. [FIN7](https:/>ing efforts. Since 2020, [FIN7](https://attack.mitre.org/gro
    >/attack.mitre.org/groups/G0046) may be linked to the [Carban>ups/G0046) shifted operations to a big game hunting (BGH) ap
    >ak](https://attack.mitre.org/groups/G0008) Group, but there >proach including use of [REvil](https://attack.mitre.org/sof
    >appears to be several groups using [Carbanak](https://attack>tware/S0496) ransomware and their own Ransomware as a Servic
    >.mitre.org/software/S0030) malware and are therefore tracked>e (RaaS), Darkside. FIN7 may be linked to the [Carbanak](htt
    > separately.(Citation: FireEye FIN7 March 2017)(Citation: Fi>ps://attack.mitre.org/groups/G0008) Group, but there appears
    >reEye FIN7 April 2017)(Citation: FireEye CARBANAK June 2017)> to be several groups using [Carbanak](https://attack.mitre.
    >(Citation: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carb>org/software/S0030) malware and are therefore tracked separa
    >on Spider August 2021)>tely.(Citation: FireEye FIN7 March 2017)(Citation: FireEye F
     >IN7 April 2017)(Citation: FireEye CARBANAK June 2017)(Citati
     >on: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carbon Spid
     >er August 2021)(Citation: Mandiant FIN7 Apr 2022)
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-22 03:51:04.185000+00:002023-10-04 18:10:49.054000+00:00
    description[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013 primarily targeting the U.S. retail, restaurant, and hospitality sectors, often using point-of-sale malware. A portion of [FIN7](https://attack.mitre.org/groups/G0046) was run out of a front company called Combi Security. Since 2020 [FIN7](https://attack.mitre.org/groups/G0046) shifted operations to a big game hunting (BGH) approach including use of [REvil](https://attack.mitre.org/software/S0496) ransomware and their own Ransomware as a Service (RaaS), Darkside. [FIN7](https://attack.mitre.org/groups/G0046) may be linked to the [Carbanak](https://attack.mitre.org/groups/G0008) Group, but there appears to be several groups using [Carbanak](https://attack.mitre.org/software/S0030) malware and are therefore tracked separately.(Citation: FireEye FIN7 March 2017)(Citation: FireEye FIN7 April 2017)(Citation: FireEye CARBANAK June 2017)(Citation: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carbon Spider August 2021)[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013. [FIN7](https://attack.mitre.org/groups/G0046) has primarily targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, and utilities industries in the U.S. A portion of [FIN7](https://attack.mitre.org/groups/G0046) was run out of a front company called Combi Security and often used point-of-sale malware for targeting efforts. Since 2020, [FIN7](https://attack.mitre.org/groups/G0046) shifted operations to a big game hunting (BGH) approach including use of [REvil](https://attack.mitre.org/software/S0496) ransomware and their own Ransomware as a Service (RaaS), Darkside. FIN7 may be linked to the [Carbanak](https://attack.mitre.org/groups/G0008) Group, but there appears to be several groups using [Carbanak](https://attack.mitre.org/software/S0030) malware and are therefore tracked separately.(Citation: FireEye FIN7 March 2017)(Citation: FireEye FIN7 April 2017)(Citation: FireEye CARBANAK June 2017)(Citation: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carbon Spider August 2021)(Citation: Mandiant FIN7 Apr 2022)
    x_mitre_attack_spec_version3.1.03.2.0
    x_mitre_version2.23.0
    iterable_item_added
    STIX FieldOld valueNew Value
    external_references{'source_name': 'Mandiant FIN7 Apr 2022', 'description': 'Abdo, B., et al. (2022, April 4). FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7. Retrieved April 5, 2022.', 'url': 'https://www.mandiant.com/resources/evolution-of-fin7'}

    [G0061] FIN8

    Current version: 2.0

    Version changed from: 1.3 → 2.0

    + + + + + + + + + + + + + + + + + +

    		Old Description
    		New Description
    t1[FIN8](https://attack.mitre.org/groups/G0061) is a financialt1[FIN8](https://attack.mitre.org/groups/G0061) is a financial
    >ly motivated threat group known to launch tailored spearphis>ly motivated threat group that has been active since at leas
    >hing campaigns targeting the retail, restaurant, and hospita>t January 2016, and known for targeting organizations in the
    >lity industries. (Citation: FireEye Obfuscation June 2017) (> hospitality, retail, entertainment, insurance, technology, 
    >Citation: FireEye Fin8 May 2016)>chemical, and financial sectors. In June 2021, security rese
     >archers detected [FIN8](https://attack.mitre.org/groups/G006
     >1) switching from targeting point-of-sale (POS) devices to d
     >istributing a number of ransomware variants.(Citation: FireE
     >ye Obfuscation June 2017)(Citation: FireEye Fin8 May 2016)(C
     >itation: Bitdefender Sardonic Aug 2021)(Citation: Symantec F
     >IN8 Jul 2023)
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-22 03:52:13.089000+00:002023-09-19 14:08:59.296000+00:00
    description[FIN8](https://attack.mitre.org/groups/G0061) is a financially motivated threat group known to launch tailored spearphishing campaigns targeting the retail, restaurant, and hospitality industries. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Fin8 May 2016)[FIN8](https://attack.mitre.org/groups/G0061) is a financially motivated threat group that has been active since at least January 2016, and known for targeting organizations in the hospitality, retail, entertainment, insurance, technology, chemical, and financial sectors. In June 2021, security researchers detected [FIN8](https://attack.mitre.org/groups/G0061) switching from targeting point-of-sale (POS) devices to distributing a number of ransomware variants.(Citation: FireEye Obfuscation June 2017)(Citation: FireEye Fin8 May 2016)(Citation: Bitdefender Sardonic Aug 2021)(Citation: Symantec FIN8 Jul 2023)
    external_references[3]['description']Kizhakkinan, D. et al.. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018.Kizhakkinan, D., et al. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018.
    x_mitre_version1.32.0
    iterable_item_added
    STIX FieldOld valueNew Value
    aliasesSyssphinx
    external_references{'source_name': 'Syssphinx', 'description': '(Citation: Symantec FIN8 Jul 2023)'}
    external_references{'source_name': 'Bitdefender Sardonic Aug 2021', 'description': 'Budaca, E., et al. (2021, August 25). FIN8 Threat Actor Goes Agile with New Sardonic Backdoor. Retrieved August 9, 2023.', 'url': 'https://www.bitdefender.com/files/News/CaseStudies/study/401/Bitdefender-PR-Whitepaper-FIN8-creat5619-en-EN.pdf'}
    external_references{'source_name': 'Symantec FIN8 Jul 2023', 'description': 'Symantec Threat Hunter Team. (2023, July 18). FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware. Retrieved August 9, 2023.', 'url': 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/syssphinx-fin8-backdoor'}
    x_mitre_contributorsSerhii Melnyk, Trustwave SpiderLabs

    [G0119] Indrik Spider

    Current version: 3.0

    Version changed from: 2.1 → 3.0

    + + + + + + + + + + + + + + + + + + + +

    		Old Description
    		New Description
    t1[Indrik Spider](https://attack.mitre.org/groups/G0119) is a t1[Indrik Spider](https://attack.mitre.org/groups/G0119) is a 
    >Russia-based cybercriminal group that has been active since >Russia-based cybercriminal group that has been active since 
    >at least 2014. [Indrik Spider](https://attack.mitre.org/grou>at least 2014. [Indrik Spider](https://attack.mitre.org/grou
    >ps/G0119) initially started with the [Dridex](https://attack>ps/G0119) initially started with the [Dridex](https://attack
    >.mitre.org/software/S0384) banking Trojan, and then by 2017 >.mitre.org/software/S0384) banking Trojan, and then by 2017 
    >they began running ransomware operations using [BitPaymer](h>they began running ransomware operations using [BitPaymer](h
    >ttps://attack.mitre.org/software/S0570), [WastedLocker](http>ttps://attack.mitre.org/software/S0570), [WastedLocker](http
    >s://attack.mitre.org/software/S0612), and Hades ransomware.(>s://attack.mitre.org/software/S0612), and Hades ransomware
    >Citation: Crowdstrike Indrik November 2018)(Citation: Crowds>Following U.S. sanctions and an indictment in 2019, [Indrik 
    >trike EvilCorp March 2021)(Citation: Treasury EvilCorp Dec 2>Spider](https://attack.mitre.org/groups/G0119) changed their
    >019)> tactics and diversified their toolset.(Citation: Crowdstrik
     >e Indrik November 2018)(Citation: Crowdstrike EvilCorp March
     > 2021)(Citation: Treasury EvilCorp Dec 2019)
    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_contributors['Jennifer Kim Roman, CrowdStrike']
    values_changed
    STIX FieldOld valueNew Value
    modified2022-09-15 19:49:18.799000+00:002023-08-03 21:39:36.666000+00:00
    description[Indrik Spider](https://attack.mitre.org/groups/G0119) is a Russia-based cybercriminal group that has been active since at least 2014. [Indrik Spider](https://attack.mitre.org/groups/G0119) initially started with the [Dridex](https://attack.mitre.org/software/S0384) banking Trojan, and then by 2017 they began running ransomware operations using [BitPaymer](https://attack.mitre.org/software/S0570), [WastedLocker](https://attack.mitre.org/software/S0612), and Hades ransomware.(Citation: Crowdstrike Indrik November 2018)(Citation: Crowdstrike EvilCorp March 2021)(Citation: Treasury EvilCorp Dec 2019)[Indrik Spider](https://attack.mitre.org/groups/G0119) is a Russia-based cybercriminal group that has been active since at least 2014. [Indrik Spider](https://attack.mitre.org/groups/G0119) initially started with the [Dridex](https://attack.mitre.org/software/S0384) banking Trojan, and then by 2017 they began running ransomware operations using [BitPaymer](https://attack.mitre.org/software/S0570), [WastedLocker](https://attack.mitre.org/software/S0612), and Hades ransomware. Following U.S. sanctions and an indictment in 2019, [Indrik Spider](https://attack.mitre.org/groups/G0119) changed their tactics and diversified their toolset.(Citation: Crowdstrike Indrik November 2018)(Citation: Crowdstrike EvilCorp March 2021)(Citation: Treasury EvilCorp Dec 2019)
    x_mitre_attack_spec_version2.1.03.1.0
    x_mitre_version2.13.0

    [G0010] Turla

    Current version: 4.0

    Version changed from: 3.1 → 4.0

    + + + + + + + + + + + + + + + + + + + +

    		Old Description
    		New Description
    t1[Turla](https://attack.mitre.org/groups/G0010) is a Russian-t1[Turla](https://attack.mitre.org/groups/G0010) is a cyber es
    >based threat group that has infected victims in over 45 coun>pionage threat group that has been attributed to Russia's Fe
    >tries, spanning a range of industries including government, >deral Security Service (FSB).  They have compromised victims
    >embassies, military, education, research and pharmaceutical > in over 50 countries since at least 2004, spanning a range 
    >companies since 2004. Heightened activity was seen in mid-20>of industries including government, embassies, military, edu
    >15. [Turla](https://attack.mitre.org/groups/G0010) is known >cation, research and pharmaceutical companies. [Turla](https
    >for conducting watering hole and spearphishing campaigns and>://attack.mitre.org/groups/G0010) is known for conducting wa
    > leveraging in-house tools and malware. [Turla](https://atta>tering hole and spearphishing campaigns, and leveraging in-h
    >ck.mitre.org/groups/G0010)’s espionage platform is mainly us>ouse tools and malware, such as [Uroburos](https://attack.mi
    >ed against Windows machines, but has also been seen used aga>tre.org/software/S0022).(Citation: Kaspersky Turla)(Citation
    >inst macOS and Linux machines.(Citation: Kaspersky Turla)(Ci>: ESET Gazer Aug 2017)(Citation: CrowdStrike VENOMOUS BEAR)(
    >tation: ESET Gazer Aug 2017)(Citation: CrowdStrike VENOMOUS >Citation: ESET Turla Mosquito Jan 2018)(Citation: Joint Cybe
    >BEAR)(Citation: ESET Turla Mosquito Jan 2018)>rsecurity Advisory AA23-129A Snake Malware May 2023)
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-22 05:41:28.428000+00:002023-08-02 19:48:08.774000+00:00
    description[Turla](https://attack.mitre.org/groups/G0010) is a Russian-based threat group that has infected victims in over 45 countries, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies since 2004. Heightened activity was seen in mid-2015. [Turla](https://attack.mitre.org/groups/G0010) is known for conducting watering hole and spearphishing campaigns and leveraging in-house tools and malware. [Turla](https://attack.mitre.org/groups/G0010)’s espionage platform is mainly used against Windows machines, but has also been seen used against macOS and Linux machines.(Citation: Kaspersky Turla)(Citation: ESET Gazer Aug 2017)(Citation: CrowdStrike VENOMOUS BEAR)(Citation: ESET Turla Mosquito Jan 2018)[Turla](https://attack.mitre.org/groups/G0010) is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least 2004, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. [Turla](https://attack.mitre.org/groups/G0010) is known for conducting watering hole and spearphishing campaigns, and leveraging in-house tools and malware, such as [Uroburos](https://attack.mitre.org/software/S0022).(Citation: Kaspersky Turla)(Citation: ESET Gazer Aug 2017)(Citation: CrowdStrike VENOMOUS BEAR)(Citation: ESET Turla Mosquito Jan 2018)(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)
    x_mitre_version3.14.0
    iterable_item_added
    STIX FieldOld valueNew Value
    external_references{'source_name': 'Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023', 'description': 'FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023.', 'url': 'https://www.cisa.gov/sites/default/files/2023-05/aa23-129a_snake_malware_2.pdf'}

    [G0102] Wizard Spider

    Current version: 3.0

    Version changed from: 2.1 → 3.0

    + + + + + + + + + + + + + + + + + +

    		Old Description
    		New Description
    t1[Wizard Spider](https://attack.mitre.org/groups/G0102) is a t1[Wizard Spider](https://attack.mitre.org/groups/G0102) is a 
    >Russia-based financially motivated threat group originally k>Russia-based financially motivated threat group originally k
    >nown for the creation and deployment of [TrickBot](https://a>nown for the creation and deployment of [TrickBot](https://a
    >ttack.mitre.org/software/S0266) since at least 2016. [Wizard>ttack.mitre.org/software/S0266) since at least 2016. [Wizard
    > Spider](https://attack.mitre.org/groups/G0102) possesses a > Spider](https://attack.mitre.org/groups/G0102) possesses a 
    >diverse arsenal of tools and has conducted ransomware campai>diverse aresenal of tools and has conducted ransomware campa
    >gns against a variety of organizations, ranging from major c>igns against a variety of organizations, ranging from major 
    >orporations to hospitals.(Citation: CrowdStrike Ryuk January>corporations to hospitals.(Citation: CrowdStrike Ryuk Januar
    > 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare Oc>y 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare O
    >tober 2020)(Citation: CrowdStrike Wizard Spider October 2020>ctober 2020)(Citation: CrowdStrike Wizard Spider October 202
    >)>0)
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-22 05:44:27.289000+00:002023-09-12 14:35:52.920000+00:00
    description[Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: CrowdStrike Wizard Spider October 2020)[Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse aresenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: CrowdStrike Wizard Spider October 2020)
    x_mitre_version2.13.0
    iterable_item_added
    STIX FieldOld valueNew Value
    aliasesFIN12
    aliasesGOLD BLACKBURN
    aliasesITG23
    aliasesPeriwinkle Tempest
    external_references{'source_name': 'ITG23', 'description': '(Citation: IBM X-Force ITG23 Oct 2021)'}
    external_references{'source_name': 'FIN12', 'description': '(Citation: Mandiant FIN12 Oct 2021)'}
    external_references{'source_name': 'GOLD BLACKBURN', 'description': '(Citation: Secureworks Gold Blackburn Mar 2022)'}
    external_references{'source_name': 'Periwinkle Tempest', 'description': '(Citation: Secureworks Gold Blackburn Mar 2022)'}
    external_references{'source_name': 'Secureworks Gold Blackburn Mar 2022', 'description': 'Secureworks Counter Threat Unit. (2022, March 1). Gold Blackburn Threat Profile. Retrieved June 15, 2023.', 'url': 'https://www.secureworks.com/research/threat-profiles/gold-blackburn'}
    external_references{'source_name': 'Mandiant FIN12 Oct 2021', 'description': 'Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.', 'url': 'https://www.mandiant.com/sites/default/files/2021-10/fin12-group-profile.pdf'}
    external_references{'source_name': 'IBM X-Force ITG23 Oct 2021', 'description': 'Villadsen, O., et al. (2021, October 13). Trickbot Rising - Gang Doubles Down on Infection Efforts to Amass Network Footholds. Retrieved June 15, 2023.', 'url': 'https://securityintelligence.com/posts/trickbot-gang-doubles-down-enterprise-infection/'}
    Minor Version Changes

    [G0050] APT32

    Current version: 2.7

    Version changed from: 2.6 → 2.7

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-21 21:04:18.158000+00:002023-10-12 21:15:24.393000+00:00
    x_mitre_attack_spec_version3.1.03.2.0
    x_mitre_version2.62.7

    [G0142] Confucius

    Current version: 1.1

    Version changed from: 1.0 → 1.1

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2022-06-30 20:15:32.697000+00:002023-09-22 20:43:16.504000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    x_mitre_version1.01.1
    iterable_item_added
    STIX FieldOld valueNew Value
    x_mitre_domainsmobile-attack

    [G0035] Dragonfly

    Current version: 3.2

    Version changed from: 3.1 → 3.2

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-08 22:03:28.170000+00:002023-10-01 02:45:48.973000+00:00
    x_mitre_attack_spec_version3.1.03.2.0
    x_mitre_version3.13.2

    [G1004] LAPSUS$

    Current version: 1.2

    Version changed from: 1.1 → 1.2

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-04-11 00:01:29.232000+00:002023-10-20 17:06:10.335000+00:00
    x_mitre_attack_spec_version3.1.03.2.0
    x_mitre_version1.11.2
    iterable_item_added
    STIX FieldOld valueNew Value
    x_mitre_contributorsCaio Silva

    [G0059] Magic Hound

    Current version: 5.2

    Version changed from: 5.1 → 5.2

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-01-13 21:18:18.077000+00:002023-09-11 20:43:14.739000+00:00
    x_mitre_version5.15.2

    [G0034] Sandworm Team

    Current version: 3.1

    Version changed from: 3.0 → 3.1

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-08 22:12:31.238000+00:002023-10-06 14:13:06.011000+00:00
    x_mitre_attack_spec_version3.1.03.2.0
    x_mitre_version3.03.1

    [G0083] SilverTerrier

    Current version: 1.2

    Version changed from: 1.1 → 1.2

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_attack_spec_version3.2.0
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2020-05-19 23:26:11.780000+00:002023-09-27 20:22:05.127000+00:00
    x_mitre_version1.11.2
    Patches

    [G0067] APT37

    Current version: 2.0

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_attack_spec_version3.1.0
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2021-10-15 16:54:01.193000+00:002023-06-26 18:59:30.461000+00:00
    external_references[2]['source_name']Richochet ChollimaRicochet Chollima
    external_references[11]['description']CrowdStrike. (2021, September 30). Adversary Profile - Richochet Chollima. Retrieved September 30, 2021.CrowdStrike. (2021, September 30). Adversary Profile - Ricochet Chollima. Retrieved September 30, 2021.
    external_references[11]['url']https://adversary.crowdstrike.com/en-US/adversary/ricochet-chollima/https://www.crowdstrike.com/adversaries/ricochet-chollima/
    iterable_item_added
    STIX FieldOld valueNew Value
    aliasesRicochet Chollima
    iterable_item_removed
    STIX FieldOld valueNew Value
    aliasesRichochet Chollima

    [G0130] Ajax Security Team

    Current version: 1.0

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_attack_spec_version3.2.0
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2021-12-17 19:27:27.246000+00:002023-10-09 16:46:55.719000+00:00
    external_references[6]['url']https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-operation-saffron-rose.pdfhttps://www.mandiant.com/sites/default/files/2021-09/rpt-operation-saffron-rose.pdf

    [G0012] Darkhotel

    Current version: 2.1

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2022-10-19 22:07:30.243000+00:002023-10-17 20:21:44.687000+00:00
    x_mitre_attack_spec_version2.1.03.2.0
    x_mitre_contributors[0]Harry, CODEMIZEHarry Kim, CODEMIZE

    [G0094] Kimsuky

    Current version: 3.1

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2022-11-30 22:53:00.875000+00:002023-09-27 20:08:25.814000+00:00
    x_mitre_attack_spec_version3.1.03.2.0

    mobile-attack

    New Groups

    [G0142] Confucius

    Current version: 1.1

    Description: [Confucius](https://attack.mitre.org/groups/G0142) is a cyber espionage group that has primarily targeted military personnel, high-profile personalities, business persons, and government organizations in South Asia since at least 2013. Security researchers have noted similarities between [Confucius](https://attack.mitre.org/groups/G0142) and [Patchwork](https://attack.mitre.org/groups/G0040), particularly in their respective custom malware code and targets.(Citation: TrendMicro Confucius APT Feb 2018)(Citation: TrendMicro Confucius APT Aug 2021)(Citation: Uptycs Confucius APT Jan 2021)

    [G1019] MoustachedBouncer

    Current version: 1.0

    Description: [MoustachedBouncer](https://attack.mitre.org/groups/G1019) is a cyberespionage group that has been active since at least 2014 targeting foreign embassies in Belarus.(Citation: MoustachedBouncer ESET August 2023)

    Minor Version Changes

    [G0034] Sandworm Team

    Current version: 3.1

    Version changed from: 3.0 → 3.1

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-08 22:12:31.238000+00:002023-10-06 14:13:06.011000+00:00
    x_mitre_attack_spec_version3.1.03.2.0
    x_mitre_version3.03.1

    ics-attack

    Major Version Changes

    [G0046] FIN7

    Current version: 3.0

    Version changed from: 2.2 → 3.0

    + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    		Old Description
    		New Description
    t1[FIN7](https://attack.mitre.org/groups/G0046) is a financialt1[FIN7](https://attack.mitre.org/groups/G0046) is a financial
    >ly-motivated threat group that has been active since 2013 pr>ly-motivated threat group that has been active since 2013. [
    >imarily targeting the U.S. retail, restaurant, and hospitali>FIN7](https://attack.mitre.org/groups/G0046) has primarily t
    >ty sectors, often using point-of-sale malware. A portion of >argeted the retail, restaurant, hospitality, software, consu
    >[FIN7](https://attack.mitre.org/groups/G0046) was run out of>lting, financial services, medical equipment, cloud services
    > a front company called Combi Security. Since 2020 [FIN7](ht>, media, food and beverage, transportation, and utilities in
    >tps://attack.mitre.org/groups/G0046) shifted operations to a>dustries in the U.S. A portion of [FIN7](https://attack.mitr
    > big game hunting (BGH) approach including use of [REvil](ht>e.org/groups/G0046) was run out of a front company called Co
    >tps://attack.mitre.org/software/S0496) ransomware and their >mbi Security and often used point-of-sale malware for target
    >own Ransomware as a Service (RaaS), Darkside. [FIN7](https:/>ing efforts. Since 2020, [FIN7](https://attack.mitre.org/gro
    >/attack.mitre.org/groups/G0046) may be linked to the [Carban>ups/G0046) shifted operations to a big game hunting (BGH) ap
    >ak](https://attack.mitre.org/groups/G0008) Group, but there >proach including use of [REvil](https://attack.mitre.org/sof
    >appears to be several groups using [Carbanak](https://attack>tware/S0496) ransomware and their own Ransomware as a Servic
    >.mitre.org/software/S0030) malware and are therefore tracked>e (RaaS), Darkside. FIN7 may be linked to the [Carbanak](htt
    > separately.(Citation: FireEye FIN7 March 2017)(Citation: Fi>ps://attack.mitre.org/groups/G0008) Group, but there appears
    >reEye FIN7 April 2017)(Citation: FireEye CARBANAK June 2017)> to be several groups using [Carbanak](https://attack.mitre.
    >(Citation: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carb>org/software/S0030) malware and are therefore tracked separa
    >on Spider August 2021)>tely.(Citation: FireEye FIN7 March 2017)(Citation: FireEye F
     >IN7 April 2017)(Citation: FireEye CARBANAK June 2017)(Citati
     >on: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carbon Spid
     >er August 2021)(Citation: Mandiant FIN7 Apr 2022)
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-22 03:51:04.185000+00:002023-10-04 18:10:49.054000+00:00
    description[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013 primarily targeting the U.S. retail, restaurant, and hospitality sectors, often using point-of-sale malware. A portion of [FIN7](https://attack.mitre.org/groups/G0046) was run out of a front company called Combi Security. Since 2020 [FIN7](https://attack.mitre.org/groups/G0046) shifted operations to a big game hunting (BGH) approach including use of [REvil](https://attack.mitre.org/software/S0496) ransomware and their own Ransomware as a Service (RaaS), Darkside. [FIN7](https://attack.mitre.org/groups/G0046) may be linked to the [Carbanak](https://attack.mitre.org/groups/G0008) Group, but there appears to be several groups using [Carbanak](https://attack.mitre.org/software/S0030) malware and are therefore tracked separately.(Citation: FireEye FIN7 March 2017)(Citation: FireEye FIN7 April 2017)(Citation: FireEye CARBANAK June 2017)(Citation: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carbon Spider August 2021)[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013. [FIN7](https://attack.mitre.org/groups/G0046) has primarily targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, and utilities industries in the U.S. A portion of [FIN7](https://attack.mitre.org/groups/G0046) was run out of a front company called Combi Security and often used point-of-sale malware for targeting efforts. Since 2020, [FIN7](https://attack.mitre.org/groups/G0046) shifted operations to a big game hunting (BGH) approach including use of [REvil](https://attack.mitre.org/software/S0496) ransomware and their own Ransomware as a Service (RaaS), Darkside. FIN7 may be linked to the [Carbanak](https://attack.mitre.org/groups/G0008) Group, but there appears to be several groups using [Carbanak](https://attack.mitre.org/software/S0030) malware and are therefore tracked separately.(Citation: FireEye FIN7 March 2017)(Citation: FireEye FIN7 April 2017)(Citation: FireEye CARBANAK June 2017)(Citation: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carbon Spider August 2021)(Citation: Mandiant FIN7 Apr 2022)
    x_mitre_attack_spec_version3.1.03.2.0
    x_mitre_version2.23.0
    iterable_item_added
    STIX FieldOld valueNew Value
    external_references{'source_name': 'Mandiant FIN7 Apr 2022', 'description': 'Abdo, B., et al. (2022, April 4). FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7. Retrieved April 5, 2022.', 'url': 'https://www.mandiant.com/resources/evolution-of-fin7'}

    [G0102] Wizard Spider

    Current version: 3.0

    Version changed from: 2.1 → 3.0

    + + + + + + + + + + + + + + + + + +

    		Old Description
    		New Description
    t1[Wizard Spider](https://attack.mitre.org/groups/G0102) is a t1[Wizard Spider](https://attack.mitre.org/groups/G0102) is a 
    >Russia-based financially motivated threat group originally k>Russia-based financially motivated threat group originally k
    >nown for the creation and deployment of [TrickBot](https://a>nown for the creation and deployment of [TrickBot](https://a
    >ttack.mitre.org/software/S0266) since at least 2016. [Wizard>ttack.mitre.org/software/S0266) since at least 2016. [Wizard
    > Spider](https://attack.mitre.org/groups/G0102) possesses a > Spider](https://attack.mitre.org/groups/G0102) possesses a 
    >diverse arsenal of tools and has conducted ransomware campai>diverse aresenal of tools and has conducted ransomware campa
    >gns against a variety of organizations, ranging from major c>igns against a variety of organizations, ranging from major 
    >orporations to hospitals.(Citation: CrowdStrike Ryuk January>corporations to hospitals.(Citation: CrowdStrike Ryuk Januar
    > 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare Oc>y 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare O
    >tober 2020)(Citation: CrowdStrike Wizard Spider October 2020>ctober 2020)(Citation: CrowdStrike Wizard Spider October 202
    >)>0)
    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-22 05:44:27.289000+00:002023-09-12 14:35:52.920000+00:00
    description[Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: CrowdStrike Wizard Spider October 2020)[Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse aresenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: CrowdStrike Wizard Spider October 2020)
    x_mitre_version2.13.0
    iterable_item_added
    STIX FieldOld valueNew Value
    aliasesFIN12
    aliasesGOLD BLACKBURN
    aliasesITG23
    aliasesPeriwinkle Tempest
    external_references{'source_name': 'ITG23', 'description': '(Citation: IBM X-Force ITG23 Oct 2021)'}
    external_references{'source_name': 'FIN12', 'description': '(Citation: Mandiant FIN12 Oct 2021)'}
    external_references{'source_name': 'GOLD BLACKBURN', 'description': '(Citation: Secureworks Gold Blackburn Mar 2022)'}
    external_references{'source_name': 'Periwinkle Tempest', 'description': '(Citation: Secureworks Gold Blackburn Mar 2022)'}
    external_references{'source_name': 'Secureworks Gold Blackburn Mar 2022', 'description': 'Secureworks Counter Threat Unit. (2022, March 1). Gold Blackburn Threat Profile. Retrieved June 15, 2023.', 'url': 'https://www.secureworks.com/research/threat-profiles/gold-blackburn'}
    external_references{'source_name': 'Mandiant FIN12 Oct 2021', 'description': 'Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.', 'url': 'https://www.mandiant.com/sites/default/files/2021-10/fin12-group-profile.pdf'}
    external_references{'source_name': 'IBM X-Force ITG23 Oct 2021', 'description': 'Villadsen, O., et al. (2021, October 13). Trickbot Rising - Gang Doubles Down on Infection Efforts to Amass Network Footholds. Retrieved June 15, 2023.', 'url': 'https://securityintelligence.com/posts/trickbot-gang-doubles-down-enterprise-infection/'}
    Minor Version Changes

    [G0035] Dragonfly

    Current version: 3.2

    Version changed from: 3.1 → 3.2

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-08 22:03:28.170000+00:002023-10-01 02:45:48.973000+00:00
    x_mitre_attack_spec_version3.1.03.2.0
    x_mitre_version3.13.2

    [G0034] Sandworm Team

    Current version: 3.1

    Version changed from: 3.0 → 3.1

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-08 22:12:31.238000+00:002023-10-06 14:13:06.011000+00:00
    x_mitre_attack_spec_version3.1.03.2.0
    x_mitre_version3.03.1

    Campaigns

    enterprise-attack

    New Campaigns

    [C0028] 2015 Ukraine Electric Power Attack

    Current version: 1.0

    Description: [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028) was a [Sandworm Team](https://attack.mitre.org/groups/G0034) campaign during which they used [BlackEnergy](https://attack.mitre.org/software/S0089) (specifically BlackEnergy3) and [KillDisk](https://attack.mitre.org/software/S0607) to target and disrupt transmission and distribution substations within the Ukrainian power grid. This campaign was the first major public attack conducted against the Ukrainian power grid by Sandworm Team.

    [C0026] C0026

    Current version: 1.0

    Description: [C0026](https://attack.mitre.org/campaigns/C0026) was a campaign identified in September 2022 that included the selective distribution of [KOPILUWAK](https://attack.mitre.org/software/S1075) and [QUIETCANARY](https://attack.mitre.org/software/S1076) malware to previous [ANDROMEDA](https://attack.mitre.org/software/S1074) malware victims in Ukraine through re-registered [ANDROMEDA](https://attack.mitre.org/software/S1074) C2 domains. Several tools and tactics used during [C0026](https://attack.mitre.org/campaigns/C0026) were consistent with historic [Turla](https://attack.mitre.org/groups/G0010) operations.(Citation: Mandiant Suspected Turla Campaign February 2023)

    [C0027] C0027

    Current version: 1.0

    Description: [C0027](https://attack.mitre.org/campaigns/C0027) was a financially-motivated campaign linked to [Scattered Spider](https://attack.mitre.org/groups/G1015) that targeted telecommunications and business process outsourcing (BPO) companies from at least June through December of 2022. During [C0027](https://attack.mitre.org/campaigns/C0027) [Scattered Spider](https://attack.mitre.org/groups/G1015) used various forms of social engineering, performed SIM swapping, and attempted to leverage access from victim environments to mobile carrier networks.(Citation: Crowdstrike TELCO BPO Campaign December 2022) +

    Minor Version Changes

    [C0022] Operation Dream Job

    Current version: 1.1

    Version changed from: 1.0 → 1.1

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-04-10 19:18:19.033000+00:002023-09-27 20:12:54.984000+00:00
    x_mitre_attack_spec_version3.1.03.2.0
    x_mitre_version1.01.1

    ics-attack

    New Campaigns

    [C0028] 2015 Ukraine Electric Power Attack

    Current version: 1.0

    Description: [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028) was a [Sandworm Team](https://attack.mitre.org/groups/G0034) campaign during which they used [BlackEnergy](https://attack.mitre.org/software/S0089) (specifically BlackEnergy3) and [KillDisk](https://attack.mitre.org/software/S0607) to target and disrupt transmission and distribution substations within the Ukrainian power grid. This campaign was the first major public attack conducted against the Ukrainian power grid by Sandworm Team.

    Assets

    ics-attack

    New Assets

    [A0008] Application Server

    Current version: 1.0

    Description: Application servers are used across many different sectors to host various diverse software applications necessary to supporting the ICS. Example functions can include data analytics and reporting, alarm management, and the management/coordination of different control servers. The application server typically runs on a modern server operating system (e.g., MS Windows Server).

    [A0007] Control Server

    Current version: 1.0

    Description: Control servers are typically a software platform that runs on a modern server operating system (e.g., MS Windows Server). The server typically uses one or more automation protocols (e.g., Modbus, DNP3) to communicate with the various low-level control devices such as Remote Terminal Units (RTUs) and Programmable Logic Controllers (PLCs). The control server also usually provides an interface/network service to connect with an HMI.

    [A0009] Data Gateway

    Current version: 1.0

    Description: Data Gateway is a device that supports the communication and exchange of data between different systems, networks, or protocols within the ICS. Different types of data gateways are used to perform various functions, including: + + * Protocol Translation: Enable communication to devices that support different or incompatible protocols by translating information from one protocol to another. + * Media Converter: Convert data across different Layer 1 and 2 network protocols / mediums, for example, converting from Serial to Ethernet. + * Data Aggregation: Collect and combine data from different devices into one consistent format and protocol interface. + +Data gateways are often critical to the forwarding/transmission of critical control or monitoring data within the ICS. Further, these devices often have remote various network services that are used to communicate across different zones or networks. + +These assets may focus on a single function listed below or combinations of these functions to best fit the industry use-case. +

    [A0006] Data Historian

    Current version: 1.0

    Description: Data historians, or historian, are systems used to collect and store data, including telemetry, events, alerts, and alarms about the operational process and supporting devices. The historian typically utilizes a database to store this data, and commonly provide tools and interfaces to support the analysis of the data. Data historians are often used to support various engineering or business analysis functions and therefore commonly needs access from the corporate network. Data historians often work in a hierarchical paradigm where lower/site level historians collect and store data which is then aggregated into a site/plant level historian. Therefore, data historians often have remote services that can be accessed externally from the ICS network.

    [A0013] Field I/O

    Current version: 1.0

    Description: Field I/O are devices that communicate with a controller or data aggregator to either send input data or receive output data. Input data may include readings about a given environment/device state from sensors, while output data may include data sent back to actuators for them to either undertake actions or change parameter values.(Citation: Guidance - NIST SP800-82) These devices are frequently embedded devices running on lightweight embedded operating systems or RTOSes.

    [A0002] Human-Machine Interface (HMI)

    Current version: 1.0

    Description: Human-Machine Interfaces (HMIs) are systems used by an operator to monitor the real-time status of an operational process and to perform necessary control functions, including the adjustment of device parameters. An HMI can take various forms, including a dedicated screen or control panel integrated with a specific device/controller, or a customizable software GUI application running on a standard operating system (e.g., MS Windows) that interfaces with a control/SCADA server. The HMI is critical to ensuring operators have sufficient visibility and control over the operational process.

    [A0005] Intelligent Electronic Device (IED)

    Current version: 1.0

    Description: An Intelligent Electronic Device (IED) is a type of specialized field device that is designed to perform specific operational functions, frequently for protection, monitoring, or control within the electric sector. IEDs are typically used to both acquire telemetry and execute tailored control algorithms/actions based on customizable parameters/settings. An IED is usually implemented as a dedicated embedded device and supports various network automation protocols to communicate with RTUs and Control Servers.

    [A0012] Jump Host

    Current version: 1.0

    Description: Jump hosts are devices used to support remote management sessions into ICS networks or devices. The system is used to access the ICS environment securely from external networks, such as the corporate network. The user must first remote into the jump host before they can access ICS devices. The jump host may be a customized Windows server using common remote access protocols (e.g., RDP) or a dedicated access management device. The jump host typically performs various security functions to ensure the authenticity of remote sessions, including authentication, enforcing access controls/permissions, and auditing all access attempts.

    [A0003] Programmable Logic Controller (PLC)

    Current version: 1.0

    Description: A Programmable Logic Controller (PLC) is an embedded programmable control device. PLCs typically utilize a modular architecture with separate modules used to support its processing capabilities, communication mediums, and I/O interfaces. PLCs allow for the deployment of customized programs/logic to control or monitor an operational process. This logic is defined using industry specific programming languages, such as IEC 61131 (Citation: IEC February 2013), which define the set of tasks and program organizational units (POUs) included in the device’s programs. PLCs also typically have distinct operating modes (e.g., Remote, Run, Program, Stop) which are used to determine when the device can be programmed or whether it should execute the custom logic.

    [A0004] Remote Terminal Unit (RTU)

    Current version: 1.0

    Description: A Remote Terminal Unit (RTU) is a device that typically resides between field devices (e.g., PLCs, IEDs) and control/SCADA servers and supports various communication interfacing and data aggregation functions. RTUs are typically responsible for forwarding commands from the control server and the collection of telemetry, events, and alerts from the field devices. An RTU can be implemented as a dedicated embedded device, as software platform that runs on a hardened/ruggedized computer, or using a custom application program on a PLC.

    [A0014] Routers

    Current version: 1.0

    Description: A computer that is a gateway between two networks at OSI layer 3 and that relays and directs data packets through that inter-network. The most common form of router operates on IP packets.(Citation: IETF RFC4949 2007)

    [A0010] Safety Controller

    Current version: 1.0

    Description: Safety controllers are typically a type of field device used to perform the safety critical function. Safety controllers often support the deployment of custom programs/logic, similar to a PLC, but can also be tailored for sector specific functions/applications. The safety controllers typically utilize redundant hardware and processors to ensure they operate reliably if a component fails.

    [A0011] Virtual Private Network (VPN) Server

    Current version: 1.0

    Description: A VPN server is a device that is used to establish a secure network tunnel between itself and other remote VPN devices, including field VPNs. VPN servers can be used to establish a secure connection with a single remote device, or to securely bridge all traffic between two separate networks together by encapsulating all data between those networks. VPN servers typically support remote network services that are used by field VPNs to initiate the establishment of the secure VPN tunnel between the field device and server.

    [A0001] Workstation

    Current version: 1.0

    Description: Workstations are devices used by human operators or engineers to perform various configuration, programming, maintenance, diagnostic, or operational tasks. Workstations typically utilize standard desktop or laptop hardware and operating systems (e.g., MS Windows), but run dedicated control system applications or diagnostic/management software to support interfacing with the control servers or field devices. Some workstations have a fixed location within the network architecture, while others are transient devices that are directly connected to various field devices to support local management activities.

    Mitigations

    enterprise-attack

    Minor Version Changes

    [M1013] Application Developer Guidance

    Current version: 1.1

    Version changed from: 1.0 → 1.1

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_attack_spec_version3.2.0
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2018-10-17 00:14:20.652000+00:002023-09-27 20:18:19.004000+00:00
    x_mitre_version1.01.1

    mobile-attack

    New Mitigations

    [M1058] Antivirus/Antimalware

    Current version: 1.0

    Description: Mobile security products, such as Mobile Threat Defense (MTD), offer various device-based mitigations against certain behaviors.

    Minor Version Changes

    [M1013] Application Developer Guidance

    Current version: 1.1

    Version changed from: 1.0 → 1.1

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_attack_spec_version3.2.0
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2018-10-17 00:14:20.652000+00:002023-09-27 20:18:19.004000+00:00
    x_mitre_version1.01.1
    Patches

    [M1014] Interconnection Filtering

    Current version: 1.0

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_attack_spec_version3.1.0
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2018-10-17 00:14:20.652000+00:002023-08-15 15:06:03.428000+00:00
    external_references[1]['url']https://www.fcc.gov/files/csric5-wg10-finalreport031517pdfhttps://web.archive.org/web/20200330012714/https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf

    ics-attack

    Minor Version Changes

    [M0800] Authorization Enforcement

    Current version: 1.1

    Version changed from: 1.0 → 1.1

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 20:55:13.851000+00:002023-10-20 17:01:38.562000+00:00
    x_mitre_attack_spec_version2.1.03.2.0
    x_mitre_version1.01.1
    labels[2]NIST SP 800-53 Rev. 4 - AC-3NIST SP 800-53 Rev. 5 - AC-3

    [M0804] Human User Authentication

    Current version: 1.1

    Version changed from: 1.0 → 1.1

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 20:55:14.615000+00:002023-10-20 17:02:00.299000+00:00
    x_mitre_attack_spec_version3.1.03.2.0
    x_mitre_version1.01.1
    labels[2]NIST SP 800-53 Rev. 4 - IA-2NIST SP 800-53 Rev. 5 - IA-2
    Patches

    [M0801] Access Management

    Current version: 1.0

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 20:55:14.081000+00:002023-09-19 21:30:56.250000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    labels[2]NIST SP 800-53 Rev. 4 - AC-3NIST SP 800-53 Rev. 5 - AC-3

    [M0936] Account Use Policies

    Current version: 1.0

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 20:55:19.383000+00:002023-09-19 21:31:48.809000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    labels[2]NIST SP 800-53 Rev. 4 - IA-5NIST SP 800-53 Rev. 5 - IA-5

    [M0949] Antivirus/Antimalware

    Current version: 1.0

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 20:55:21.180000+00:002023-09-19 21:32:18.375000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    iterable_item_added
    STIX FieldOld valueNew Value
    labelsNIST SP 800-53 Rev. 5 - SI-3

    [M0913] Application Developer Guidance

    Current version: 1.0

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 20:55:16.730000+00:002023-09-19 21:32:48.390000+00:00
    x_mitre_attack_spec_version2.1.03.1.0

    [M0948] Application Isolation and Sandboxing

    Current version: 1.0

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 20:55:21.006000+00:002023-09-19 21:33:26.200000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    labels[2]NIST SP 800-53 Rev. 4 - SI-3NIST SP 800-53 Rev. 5 - SI-3

    [M0947] Audit

    Current version: 1.0

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 20:55:20.836000+00:002023-09-19 21:34:08.571000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    iterable_item_added
    STIX FieldOld valueNew Value
    labelsNIST SP 800-53 Rev. 5 - SI-7

    [M0946] Boot Integrity

    Current version: 1.0

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 20:55:20.632000+00:002023-09-19 21:38:22.681000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    labels[1]NIST SP 800-53 Rev. 4 - SI-7NIST SP 800-53 Rev. 5 - SI-7

    [M0945] Code Signing

    Current version: 1.0

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 20:55:20.464000+00:002023-09-19 21:39:41.056000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    labels[2]NIST SP 800-53 Rev. 4 - SI-7NIST SP 800-53 Rev. 5 - SI-7

    [M0802] Communication Authenticity

    Current version: 1.0

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 20:55:14.263000+00:002023-09-19 21:40:49.135000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    labels[2]NIST SP 800-53 Rev. 4 - SC-8; SC-23NIST SP 800-53 Rev. 5 - SC-8; SC-23

    [M0953] Data Backup

    Current version: 1.0

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 20:55:21.679000+00:002023-09-19 21:41:39.667000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    labels[2]NIST SP 800-53 Rev. 4 - CP-9NIST SP 800-53 Rev. 5 - CP-9

    [M0942] Disable or Remove Feature or Program

    Current version: 1.0

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 20:55:20.110000+00:002023-09-19 21:42:11.231000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    labels[2]NIST SP 800-53 Rev. 4 - CM-7NIST SP 800-53 Rev. 5 - CM-7

    [M0808] Encrypt Network Traffic

    Current version: 1.0

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 20:55:15.230000+00:002023-09-19 21:42:52.198000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    labels[2]NIST SP 800-53 Rev. 4 - SC-8NIST SP 800-53 Rev. 5 - SC-8

    [M0941] Encrypt Sensitive Information

    Current version: 1.0

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 20:55:19.946000+00:002023-09-19 21:43:17.085000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    labels[2]NIST SP 800-53 Rev. 4 - SC-28NIST SP 800-53 Rev. 5 - SC-28

    [M0938] Execution Prevention

    Current version: 1.0

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 20:55:19.774000+00:002023-09-19 21:43:44.551000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    labels[2]NIST SP 800-53 Rev. 4 - SI-3NIST SP 800-53 Rev. 5 - SI-3

    [M0950] Exploit Protection

    Current version: 1.0

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 20:55:21.352000+00:002023-09-19 21:44:04.416000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    labels[2]NIST SP 800-53 Rev. 4 - SI-16NIST SP 800-53 Rev. 5 - SI-16

    [M0937] Filter Network Traffic

    Current version: 1.0

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 20:55:19.604000+00:002023-09-19 21:44:59.425000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    labels[2]NIST SP 800-53 Rev. 4 - AC-3; SC-7NIST SP 800-53 Rev. 5 - AC-3; SC-7

    [M0935] Limit Access to Resource Over Network

    Current version: 1.0

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 20:55:19.179000+00:002023-09-19 21:48:00.950000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    labels[2]NIST SP 800-53 Rev. 4 - AC-3; SC-7NIST SP 800-53 Rev. 5 - AC-3; SC-7

    [M0934] Limit Hardware Installation

    Current version: 1.0

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 20:55:19.007000+00:002023-09-19 21:48:22.980000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    labels[2]NIST SP 800-53 Rev. 4 - MP-7NIST SP 800-53 Rev. 5 - MP-7

    [M0806] Minimize Wireless Signal Propagation

    Current version: 1.0

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 20:55:14.800000+00:002023-09-19 21:48:44.925000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    labels[2]NIST SP 800-53 Rev. 4 - SC-40NIST SP 800-53 Rev. 5 - SC-40

    [M0932] Multi-factor Authentication

    Current version: 1.0

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 20:55:18.842000+00:002023-09-19 21:49:12.466000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    labels[2]NIST SP 800-53 Rev. 4 - IA-2NIST SP 800-53 Rev. 5 - IA-2

    [M0807] Network Allowlists

    Current version: 1.0

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 20:55:14.969000+00:002023-09-19 21:49:34.958000+00:00
    labels[0]NIST SP 800-53 Rev. 4 - AC-3NIST SP 800-53 Rev. 5 - AC-3

    [M0931] Network Intrusion Prevention

    Current version: 1.0

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 20:55:18.665000+00:002023-09-19 21:49:53.366000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    labels[2]NIST SP 800-53 Rev. 4 - SI-4NIST SP 800-53 Rev. 5 - SI-4

    [M0930] Network Segmentation

    Current version: 1.0

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 20:55:18.480000+00:002023-09-19 21:50:12.354000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    labels[2]NIST SP 800-53 Rev. 4 - AC-3NIST SP 800-53 Rev. 5 - AC-3

    [M0928] Operating System Configuration

    Current version: 1.0

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 20:55:18.276000+00:002023-09-19 21:50:30.709000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    labels[2]NIST SP 800-53 Rev. 4 - CM-7NIST SP 800-53 Rev. 5 - CM-7

    [M0810] Out-of-Band Communications Channel

    Current version: 1.0

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 20:55:15.598000+00:002023-09-19 21:50:55.129000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    labels[0]NIST SP 800-53 Rev. 4 - SC-37NIST SP 800-53 Rev. 5 - SC-37

    [M0927] Password Policies

    Current version: 1.0

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 20:55:18.097000+00:002023-09-19 21:51:14.526000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    labels[2]NIST SP 800-53 Rev. 4 - IA-5NIST SP 800-53 Rev. 5 - IA-5

    [M0926] Privileged Account Management

    Current version: 1.0

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 20:55:17.929000+00:002023-09-19 21:51:40.366000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    labels[2]NIST SP 800-53 Rev. 4 - AC-2NIST SP 800-53 Rev. 5 - AC-2

    [M0811] Redundancy of Service

    Current version: 1.0

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 20:55:15.773000+00:002023-09-19 21:52:11.728000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    labels[0]NIST SP 800-53 Rev. 4 - CP-9NIST SP 800-53 Rev. 5 - CP-9

    [M0922] Restrict File and Directory Permissions

    Current version: 1.0

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 20:55:17.592000+00:002023-09-20 13:10:12.604000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    labels[2]NIST SP 800-53 Rev. 4 - AC-6NIST SP 800-53 Rev. 5 - AC-6

    [M0944] Restrict Library Loading

    Current version: 1.0

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-04-11 20:51:32.610000+00:002023-09-20 13:10:52.949000+00:00
    labels[2]NIST SP 800-53 Rev. 4 - CM-7NIST SP 800-53 Rev. 5 - CM-7

    [M0924] Restrict Registry Permissions

    Current version: 1.0

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 20:55:17.759000+00:002023-09-20 13:11:12.773000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    labels[2]NIST SP 800-53 Rev. 4 - AC-6NIST SP 800-53 Rev. 5 - AC-6

    [M0921] Restrict Web-Based Content

    Current version: 1.0

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 20:55:17.426000+00:002023-09-20 13:11:35.668000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    labels[2]NIST SP 800-53 Rev. 4 - SC-18NIST SP 800-53 Rev. 5 - SC-18

    [M0954] Software Configuration

    Current version: 1.0

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 20:55:21.915000+00:002023-09-20 13:12:04.727000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    labels[2]NIST SP 800-53 Rev. 4 - CM-7NIST SP 800-53 Rev. 5 - CM-7

    [M0813] Software Process and Device Authentication

    Current version: 1.0

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 20:55:15.949000+00:002023-09-20 13:12:24.527000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    labels[2]NIST SP 800-53 Rev. 4 - IA-9NIST SP 800-53 Rev. 5 - IA-9

    [M0814] Static Network Configuration

    Current version: 1.1

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-04-05 14:21:27.977000+00:002023-09-20 13:12:51.139000+00:00
    labels[2]NIST SP 800-53 Rev. 4 - CM-7NIST SP 800-53 Rev. 5 - CM-7

    [M0817] Supply Chain Management

    Current version: 1.0

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 20:55:16.556000+00:002023-09-20 13:13:12.169000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    iterable_item_added
    STIX FieldOld valueNew Value
    labelsNIST SP 800-53 Rev. 5 - SR-1

    [M0951] Update Software

    Current version: 1.0

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 20:55:21.512000+00:002023-09-20 13:13:41.305000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    labels[1]NIST SP 800-53 Rev. 4 - SI-2NIST SP 800-53 Rev. 5 - SI-2

    [M0918] User Account Management

    Current version: 1.0

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 20:55:17.252000+00:002023-09-20 13:14:10.061000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    labels[2]NIST SP 800-53 Rev. 4 - AC-2NIST SP 800-53 Rev. 5 - AC-2

    [M0917] User Training

    Current version: 1.0

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 20:55:17.076000+00:002023-09-20 13:14:30.311000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    labels[0]NIST SP 800-53 Rev. 4 - AT-2NIST SP 800-53 Rev. 5 - AT-2

    [M0818] Validate Program Inputs

    Current version: 1.0

    Details
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-31 19:16:54.636000+00:002023-09-20 13:14:57.819000+00:00
    iterable_item_added
    STIX FieldOld valueNew Value
    labelsNIST SP 800-53 Rev. 5 - SI-10
    iterable_item_removed
    STIX FieldOld valueNew Value
    labelsNIST SP 800-53 Rev. 4 - SI-10

    [M0916] Vulnerability Scanning

    Current version: 1.0

    Details
    dictionary_item_added
    STIX FieldOld valueNew Value
    x_mitre_deprecatedFalse
    values_changed
    STIX FieldOld valueNew Value
    modified2023-03-30 20:55:16.897000+00:002023-09-20 13:15:23.350000+00:00
    x_mitre_attack_spec_version2.1.03.1.0
    labels[0]NIST SP 800-53 Rev. 4 - RA-5NIST SP 800-53 Rev. 5 - RA-5
    + + + \ No newline at end of file diff --git a/modules/resources/docs/changelogs/v13.1-v14.0/changelog.json b/modules/resources/docs/changelogs/v13.1-v14.0/changelog.json new file mode 100644 index 00000000000..1205897a377 --- /dev/null +++ b/modules/resources/docs/changelogs/v13.1-v14.0/changelog.json @@ -0,0 +1,31982 @@ +{ + "enterprise-attack": { + "techniques": { + "additions": [ + { + "type": "attack-pattern", + "id": "attack-pattern--6fa224c7-5091-4595-bf15-3fc9fe2f2c7c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-07-10 16:37:15.672000+00:00", + "modified": "2023-10-03 17:38:56.602000+00:00", + "name": "Temporary Elevated Cloud Access", + "description": "Adversaries may abuse permission configurations that allow them to gain temporarily elevated access to cloud resources. Many cloud environments allow administrators to grant user or service accounts permission to request just-in-time access to roles, impersonate other accounts, pass roles onto resources and services, or otherwise gain short-term access to a set of privileges that may be distinct from their own. \n\nJust-in-time access is a mechanism for granting additional roles to cloud accounts in a granular, temporary manner. This allows accounts to operate with only the permissions they need on a daily basis, and to request additional permissions as necessary. Sometimes just-in-time access requests are configured to require manual approval, while other times the desired permissions are automatically granted.(Citation: Google Cloud Just in Time Access 2023)(Citation: Azure Just in Time Access 2023)\n\nAccount impersonation allows user or service accounts to temporarily act with the permissions of another account. For example, in GCP users with the `iam.serviceAccountTokenCreator` role can create temporary access tokens or sign arbitrary payloads with the permissions of a service account.(Citation: Google Cloud Service Account Authentication Roles) In Exchange Online, the `ApplicationImpersonation` role allows a service account to use the permissions associated with specified user accounts.(Citation: Microsoft Impersonation and EWS in Exchange) \n\nMany cloud environments also include mechanisms for users to pass roles to resources that allow them to perform tasks and authenticate to other services. While the user that creates the resource does not directly assume the role they pass to it, they may still be able to take advantage of the role's access -- for example, by configuring the resource to perform certain actions with the permissions it has been granted. In AWS, users with the `PassRole` permission can allow a service they create to assume a given role, while in GCP, users with the `iam.serviceAccountUser` role can attach a service account to a resource.(Citation: AWS PassRole)(Citation: Google Cloud Service Account Authentication Roles)\n\nWhile users require specific role assignments in order to use any of these features, cloud administrators may misconfigure permissions. This could result in escalation paths that allow adversaries to gain access to resources beyond what was originally intended.(Citation: Rhino Google Cloud Privilege Escalation)(Citation: Rhino Security Labs AWS Privilege Escalation)\n\n**Note:** this technique is distinct from [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003), which involves assigning permanent roles to accounts rather than abusing existing permissions structures to gain temporarily elevated access to resources. However, adversaries that compromise a sufficiently privileged account may grant another account they control [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003) that would allow them to also abuse these features. This may also allow for greater stealth than would be had by directly using the highly privileged account, especially when logs do not clarify when role impersonation is taking place.(Citation: CrowdStrike StellarParticle January 2022)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1548/005", + "external_id": "T1548.005" + }, + { + "source_name": "AWS PassRole", + "description": "AWS. (n.d.). Granting a user permissions to pass a role to an AWS service. Retrieved July 10, 2023.", + "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html" + }, + { + "source_name": "CrowdStrike StellarParticle January 2022", + "description": "CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.", + "url": "https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" + }, + { + "source_name": "Google Cloud Just in Time Access 2023", + "description": "Google Cloud. (n.d.). Manage just-in-time privileged access to projects. Retrieved September 21, 2023.", + "url": "https://cloud.google.com/architecture/manage-just-in-time-privileged-access-to-project" + }, + { + "source_name": "Google Cloud Service Account Authentication Roles", + "description": "Google Cloud. (n.d.). Roles for service account authentication. Retrieved July 10, 2023.", + "url": "https://cloud.google.com/iam/docs/service-account-permissions" + }, + { + "source_name": "Microsoft Impersonation and EWS in Exchange", + "description": "Microsoft. (2022, September 13). Impersonation and EWS in Exchange. Retrieved July 10, 2023.", + "url": "https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/impersonation-and-ews-in-exchange" + }, + { + "source_name": "Azure Just in Time Access 2023", + "description": "Microsoft. (2023, August 29). Configure and approve just-in-time access for Azure Managed Applications. Retrieved September 21, 2023.", + "url": "https://learn.microsoft.com/en-us/azure/azure-resource-manager/managed-applications/approve-just-in-time-access" + }, + { + "source_name": "Rhino Security Labs AWS Privilege Escalation", + "description": "Spencer Gietzen. (n.d.). AWS IAM Privilege Escalation \u2013 Methods and Mitigation. Retrieved May 27, 2022.", + "url": "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/" + }, + { + "source_name": "Rhino Google Cloud Privilege Escalation", + "description": "Spencer Gietzen. (n.d.). Privilege Escalation in Google Cloud Platform \u2013 Part 1 (IAM). Retrieved September 21, 2023.", + "url": "https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Arad Inbar, Fidelis Security" + ], + "x_mitre_data_sources": [ + "User Account: User Account Modification" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "IaaS", + "Azure AD", + "Office 365" + ], + "x_mitre_version": "1.0" + }, + { + "type": "attack-pattern", + "id": "attack-pattern--35d30338-5bfa-41b0-a170-ec06dfd75f64", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-07-14 14:01:50.806000+00:00", + "modified": "2023-10-16 17:51:35.865000+00:00", + "name": "Additional Container Cluster Roles", + "description": "An adversary may add additional roles or permissions to an adversary-controlled user or service account to maintain persistent access to a container orchestration system. For example, an adversary with sufficient permissions may create a RoleBinding or a ClusterRoleBinding to bind a Role or ClusterRole to a Kubernetes account.(Citation: Kubernetes RBAC)(Citation: Aquasec Kubernetes Attack 2023) Where attribute-based access control (ABAC) is in use, an adversary with sufficient permissions may modify a Kubernetes ABAC policy to give the target account additional permissions.(Citation: Kuberentes ABAC)\n \nThis account modification may immediately follow [Create Account](https://attack.mitre.org/techniques/T1136) or other malicious account activity. Adversaries may also modify existing [Valid Accounts](https://attack.mitre.org/techniques/T1078) that they have compromised. \n\nNote that where container orchestration systems are deployed in cloud environments, as with Google Kubernetes Engine, Amazon Elastic Kubernetes Service, and Azure Kubernetes Service, cloud-based role-based access control (RBAC) assignments or ABAC policies can often be used in place of or in addition to local permission assignments.(Citation: Google Cloud Kubernetes IAM)(Citation: AWS EKS IAM Roles for Service Accounts)(Citation: Microsoft Azure Kubernetes Service Service Accounts) In these cases, this technique may be used in conjunction with [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1098/006", + "external_id": "T1098.006" + }, + { + "source_name": "AWS EKS IAM Roles for Service Accounts", + "description": "Amazon Web Services. (n.d.). IAM roles for service accounts. Retrieved July 14, 2023.", + "url": "https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html" + }, + { + "source_name": "Google Cloud Kubernetes IAM", + "description": "Google Cloud. (n.d.). Create IAM policies. Retrieved July 14, 2023.", + "url": "https://cloud.google.com/kubernetes-engine/docs/how-to/iam" + }, + { + "source_name": "Kuberentes ABAC", + "description": "Kuberenets. (n.d.). Using ABAC Authorization. Retrieved July 14, 2023.", + "url": "https://kubernetes.io/docs/reference/access-authn-authz/abac/" + }, + { + "source_name": "Kubernetes RBAC", + "description": "Kubernetes. (n.d.). Role Based Access Control Good Practices. Retrieved March 8, 2023.", + "url": "https://kubernetes.io/docs/concepts/security/rbac-good-practices/" + }, + { + "source_name": "Aquasec Kubernetes Attack 2023", + "description": "Michael Katchinskiy, Assaf Morag. (2023, April 21). First-Ever Attack Leveraging Kubernetes RBAC to Backdoor Clusters. Retrieved July 14, 2023.", + "url": "https://blog.aquasec.com/leveraging-kubernetes-rbac-to-backdoor-clusters" + }, + { + "source_name": "Microsoft Azure Kubernetes Service Service Accounts", + "description": "Microsoft Azure. (2023, April 28). Access and identity options for Azure Kubernetes Service (AKS). Retrieved July 14, 2023.", + "url": "https://learn.microsoft.com/en-us/azure/aks/concepts-identity" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_data_sources": [ + "User Account: User Account Modification" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Containers" + ], + "x_mitre_version": "1.0" + }, + { + "type": "attack-pattern", + "id": "attack-pattern--43c9bc06-715b-42db-972f-52d25c09a20c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-09-01 21:03:13.406000+00:00", + "modified": "2023-10-01 02:28:45.147000+00:00", + "name": "Content Injection", + "description": "Adversaries may gain access and continuously communicate with victims by injecting malicious content into systems through online network traffic. Rather than luring victims to malicious payloads hosted on a compromised website (i.e., [Drive-by Target](https://attack.mitre.org/techniques/T1608/004) followed by [Drive-by Compromise](https://attack.mitre.org/techniques/T1189)), adversaries may initially access victims through compromised data-transfer channels where they can manipulate traffic and/or inject their own content. These compromised online network channels may also be used to deliver additional payloads (i.e., [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) and other data to already compromised systems.(Citation: ESET MoustachedBouncer)\n\nAdversaries may inject content to victim systems in various ways, including:\n\n* From the middle, where the adversary is in-between legitimate online client-server communications (**Note:** this is similar but distinct from [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557), which describes AiTM activity solely within an enterprise environment) (Citation: Kaspersky Encyclopedia MiTM)\n* From the side, where malicious content is injected and races to the client as a fake response to requests of a legitimate online server (Citation: Kaspersky ManOnTheSide)\n\nContent injection is often the result of compromised upstream communication channels, for example at the level of an internet service provider (ISP) as is the case with \"lawful interception.\"(Citation: Kaspersky ManOnTheSide)(Citation: ESET MoustachedBouncer)(Citation: EFF China GitHub Attack)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "initial-access" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "command-and-control" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1659", + "external_id": "T1659" + }, + { + "source_name": "EFF China GitHub Attack", + "description": "Budington, B. (2015, April 2). China Uses Unencrypted Websites to Hijack Browsers in GitHub Attack. Retrieved September 1, 2023.", + "url": "https://www.eff.org/deeplinks/2015/04/china-uses-unencrypted-websites-to-hijack-browsers-in-github-attack" + }, + { + "source_name": "ESET MoustachedBouncer", + "description": "Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 1, 2023.", + "url": "https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/" + }, + { + "source_name": "Kaspersky Encyclopedia MiTM", + "description": "Kaspersky IT Encyclopedia. (n.d.). Man-in-the-middle attack. Retrieved September 1, 2023.", + "url": "https://encyclopedia.kaspersky.com/glossary/man-in-the-middle-attack/" + }, + { + "source_name": "Kaspersky ManOnTheSide", + "description": "Starikova, A. (2023, February 14). Man-on-the-side \u2013 peculiar attack. Retrieved September 1, 2023.", + "url": "https://usa.kaspersky.com/blog/man-on-the-side/27854/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Content", + "Process: Process Creation", + "File: File Creation" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "x_mitre_version": "1.0" + }, + { + "type": "attack-pattern", + "id": "attack-pattern--cfb525cc-5494-401d-a82b-2539ca46a561", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-09-25 12:41:26.501000+00:00", + "modified": "2023-09-30 20:24:19.357000+00:00", + "name": "Cloud Secrets Management Stores", + "description": "Adversaries may acquire credentials from cloud-native secret management solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, and Terraform Vault. \n\nSecrets managers support the secure centralized management of passwords, API keys, and other credential material. Where secrets managers are in use, cloud services can dynamically acquire credentials via API requests rather than accessing secrets insecurely stored in plain text files or environment variables. \n\nIf an adversary is able to gain sufficient privileges in a cloud environment \u2013 for example, by obtaining the credentials of high-privileged [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004) or compromising a service that has permission to retrieve secrets \u2013 they may be able to request secrets from the secrets manager. This can be accomplished via commands such as `get-secret-value` in AWS, `gcloud secrets describe` in GCP, and `az key vault secret show` in Azure.(Citation: Permiso Scattered Spider 2023)(Citation: Sysdig ScarletEel 2.0 2023)(Citation: AWS Secrets Manager)(Citation: Google Cloud Secrets)(Citation: Microsoft Azure Key Vault)\n\n**Note:** this technique is distinct from [Cloud Instance Metadata API](https://attack.mitre.org/techniques/T1552/005) in that the credentials are being directly requested from the cloud secrets manager, rather than through the medium of the instance metadata API.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "credential-access" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1555/006", + "external_id": "T1555.006" + }, + { + "source_name": "Sysdig ScarletEel 2.0 2023", + "description": "Alessandro Brucato. (2023, July 11). SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto. Retrieved September 25, 2023.", + "url": "https://sysdig.com/blog/scarleteel-2-0/" + }, + { + "source_name": "AWS Secrets Manager", + "description": "AWS. (n.d.). Retrieve secrets from AWS Secrets Manager. Retrieved September 25, 2023.", + "url": "https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets.html" + }, + { + "source_name": "Google Cloud Secrets", + "description": "Google Cloud. (n.d.). List secrets and view secret details. Retrieved September 25, 2023.", + "url": "https://cloud.google.com/secret-manager/docs/view-secret-details" + }, + { + "source_name": "Permiso Scattered Spider 2023", + "description": "Ian Ahl. (2023, September 20). LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD. Retrieved September 25, 2023.", + "url": "https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud" + }, + { + "source_name": "Microsoft Azure Key Vault", + "description": "Microsoft. (2023, January 13). Quickstart: Set and retrieve a secret from Azure Key Vault using Azure CLI. Retrieved September 25, 2023.", + "url": "https://learn.microsoft.com/en-us/azure/key-vault/secrets/quick-create-cli" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Martin McCloskey, Datadog" + ], + "x_mitre_data_sources": [ + "Cloud Service: Cloud Service Enumeration" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "IaaS" + ], + "x_mitre_version": "1.0" + }, + { + "type": "attack-pattern", + "id": "attack-pattern--43f2776f-b4bd-4118-94b8-fee47e69676d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-07-20 15:30:55.763000+00:00", + "modified": "2023-10-12 05:22:59.079000+00:00", + "name": "Exfiltration Over Webhook", + "description": "Adversaries may exfiltrate data to a webhook endpoint rather than over their primary command and control channel. Webhooks are simple mechanisms for allowing a server to push data over HTTP/S to a client without the need for the client to continuously poll the server.(Citation: RedHat Webhooks) Many public and commercial services, such as Discord, Slack, and `webhook.site`, support the creation of webhook endpoints that can be used by other services, such as Github, Jira, or Trello.(Citation: Discord Intro to Webhooks) When changes happen in the linked services (such as pushing a repository update or modifying a ticket), these services will automatically post the data to the webhook endpoint for use by the consuming application. \n\nAdversaries may link an adversary-owned environment to a victim-owned SaaS service to achieve repeated [Automated Exfiltration](https://attack.mitre.org/techniques/T1020) of emails, chat messages, and other data.(Citation: Push Security SaaS Attacks Repository Webhooks) Alternatively, instead of linking the webhook endpoint to a service, an adversary can manually post staged data directly to the URL in order to exfiltrate it.(Citation: Microsoft SQL Server)\n\nAccess to webhook endpoints is often over HTTPS, which gives the adversary an additional level of protection. Exfiltration leveraging webhooks can also blend in with normal network traffic if the webhook endpoint points to a commonly used SaaS application or collaboration service.(Citation: CyberArk Labs Discord)(Citation: Talos Discord Webhook Abuse)(Citation: Checkmarx Webhooks)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "exfiltration" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1567/004", + "external_id": "T1567.004" + }, + { + "source_name": "Checkmarx Webhooks", + "description": " Jossef Harush Kadouri. (2022, March 7). Webhook Party \u2014 Malicious packages caught exfiltrating data via legit webhook services. Retrieved July 20, 2023.", + "url": "https://medium.com/checkmarx-security/webhook-party-malicious-packages-caught-exfiltrating-data-via-legit-webhook-services-6e046b07d191" + }, + { + "source_name": "CyberArk Labs Discord", + "description": "CyberArk Labs. (2023, April 13). The (Not so) Secret War on Discord. Retrieved July 20, 2023.", + "url": "https://www.cyberark.com/resources/threat-research-blog/the-not-so-secret-war-on-discord" + }, + { + "source_name": "Discord Intro to Webhooks", + "description": "D. (n.d.). Intro to Webhooks. Retrieved July 20, 2023.", + "url": "https://support.discord.com/hc/en-us/articles/228383668-Intro-to-Webhooks" + }, + { + "source_name": "Microsoft SQL Server", + "description": "Microsoft Threat Intelligence. (2023, October 3). Defending new vectors: Threat actors attempt SQL Server to cloud lateral movement. Retrieved October 3, 2023.", + "url": "https://www.microsoft.com/security/blog/2023/10/03/defending-new-vectors-threat-actors-attempt-sql-server-to-cloud-lateral-movement/" + }, + { + "source_name": "Talos Discord Webhook Abuse", + "description": "Nick Biasini, Edmund Brumaghin, Chris Neal, and Paul Eubanks. (2021, April 7). https://blog.talosintelligence.com/collab-app-abuse/. Retrieved July 20, 2023.", + "url": "https://blog.talosintelligence.com/collab-app-abuse/" + }, + { + "source_name": "Push Security SaaS Attacks Repository Webhooks", + "description": "Push Security. (2023, July 31). Webhooks. Retrieved August 4, 2023.", + "url": "https://github.com/pushsecurity/saas-attacks/blob/main/techniques/webhooks/description.md" + }, + { + "source_name": "RedHat Webhooks", + "description": "RedHat. (2022, June 1). What is a webhook?. Retrieved July 20, 2023.", + "url": "https://www.redhat.com/en/topics/automation/what-is-a-webhook" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Yossi Weizman, Microsoft Threat Intelligence", + "Sunders Bruskin, Microsoft Threat Intelligence" + ], + "x_mitre_data_sources": [ + "Application Log: Application Log Content", + "Command: Command Execution", + "Network Traffic: Network Traffic Flow", + "Network Traffic: Network Traffic Content", + "File: File Access" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "macOS", + "Linux", + "SaaS", + "Office 365", + "Google Workspace" + ], + "x_mitre_version": "1.0" + }, + { + "type": "attack-pattern", + "id": "attack-pattern--851e071f-208d-4c79-adc6-5974c85c78f3", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-08-18 20:50:04.222000+00:00", + "modified": "2023-09-30 19:54:11.916000+00:00", + "name": "Financial Theft", + "description": "Adversaries may steal monetary resources from targets through extortion, social engineering, technical theft, or other methods aimed at their own financial gain at the expense of the availability of these resources for victims. Financial theft is the ultimate objective of several popular campaign types including extortion by ransomware,(Citation: FBI-ransomware) business email compromise (BEC) and fraud,(Citation: FBI-BEC) \"pig butchering,\"(Citation: wired-pig butchering) bank hacking,(Citation: DOJ-DPRK Heist) and exploiting cryptocurrency networks.(Citation: BBC-Ronin) \n\nAdversaries may [Compromise Accounts](https://attack.mitre.org/techniques/T1586) to conduct unauthorized transfers of funds.(Citation: Internet crime report 2022) In the case of business email compromise or email fraud, an adversary may utilize [Impersonation](https://attack.mitre.org/techniques/T1656) of a trusted entity. Once the social engineering is successful, victims can be deceived into sending money to financial accounts controlled by an adversary.(Citation: FBI-BEC) This creates the potential for multiple victims (i.e., compromised accounts as well as the ultimate monetary loss) in incidents involving financial theft.(Citation: VEC)\n\nExtortion by ransomware may occur, for example, when an adversary demands payment from a victim after [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) (Citation: NYT-Colonial) and [Exfiltration](https://attack.mitre.org/tactics/TA0010) of data, followed by threatening public exposure unless payment is made to the adversary.(Citation: Mandiant-leaks)\n\nDue to the potentially immense business impact of financial theft, an adversary may abuse the possibility of financial theft and seeking monetary gain to divert attention from their true goals such as [Data Destruction](https://attack.mitre.org/techniques/T1485) and business disruption.(Citation: AP-NotPetya)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "impact" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1657", + "external_id": "T1657" + }, + { + "source_name": "VEC", + "description": "CloudFlare. (n.d.). What is vendor email compromise (VEC)?. Retrieved September 12, 2023.", + "url": "https://www.cloudflare.com/learning/email-security/what-is-vendor-email-compromise/#:~:text=Vendor%20email%20compromise%2C%20also%20referred,steal%20from%20that%20vendor%27s%20customers." + }, + { + "source_name": "Mandiant-leaks", + "description": "DANIEL KAPELLMANN ZAFRA, COREY HIDELBRANDT, NATHAN BRUBAKER, KEITH LUNDEN. (2022, January 31). 1 in 7 OT Ransomware Extortion Attacks Leak Critical Operational Technology Information. Retrieved August 18, 2023.", + "url": "https://www.mandiant.com/resources/blog/ransomware-extortion-ot-docs" + }, + { + "source_name": "DOJ-DPRK Heist", + "description": "Department of Justice. (2021). 3 North Korean Military Hackers Indicted in Wide-Ranging Scheme to Commit Cyber-attacks and Financial Crimes Across the Globe. Retrieved August 18, 2023.", + "url": "https://www.justice.gov/usao-cdca/pr/3-north-korean-military-hackers-indicted-wide-ranging-scheme-commit-cyber-attacks-and" + }, + { + "source_name": "FBI-BEC", + "description": "FBI. (2022). FBI 2022 Congressional Report on BEC and Real Estate Wire Fraud. Retrieved August 18, 2023.", + "url": "https://www.fbi.gov/file-repository/fy-2022-fbi-congressional-report-business-email-compromise-and-real-estate-wire-fraud-111422.pdf/view" + }, + { + "source_name": "FBI-ransomware", + "description": "FBI. (n.d.). Ransomware. Retrieved August 18, 2023.", + "url": "https://www.cisa.gov/sites/default/files/Ransomware_Trifold_e-version.pdf" + }, + { + "source_name": "AP-NotPetya", + "description": "FRANK BAJAK AND RAPHAEL SATTER. (2017, June 30). Companies still hobbled from fearsome cyberattack. Retrieved August 18, 2023.", + "url": "https://apnews.com/article/russia-ukraine-technology-business-europe-hacking-ce7a8aca506742ab8e8873e7f9f229c2" + }, + { + "source_name": "Internet crime report 2022", + "description": "IC3. (2022). 2022 Internet Crime Report. Retrieved August 18, 2023.", + "url": "https://www.ic3.gov/Media/PDF/AnnualReport/2022_IC3Report.pdf" + }, + { + "source_name": "BBC-Ronin", + "description": "Joe Tidy. (2022, March 30). Ronin Network: What a $600m hack says about the state of crypto. Retrieved August 18, 2023.", + "url": "https://www.bbc.com/news/technology-60933174" + }, + { + "source_name": "wired-pig butchering", + "description": "Lily Hay Newman. (n.d.). \u2018Pig Butchering\u2019 Scams Are Now a $3 Billion Threat. Retrieved August 18, 2023.", + "url": "https://www.wired.com/story/pig-butchering-fbi-ic3-2022-report/" + }, + { + "source_name": "NYT-Colonial", + "description": "Nicole Perlroth. (2021, May 13). Colonial Pipeline paid 75 Bitcoin, or roughly $5 million, to hackers.. Retrieved August 18, 2023.", + "url": "https://www.nytimes.com/2021/05/13/technology/colonial-pipeline-ransom.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Blake Strom, Microsoft Threat Intelligence", + "Pawel Partyka, Microsoft Threat Intelligence" + ], + "x_mitre_data_sources": [ + "Application Log: Application Log Content" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_impact_type": [ + "Availability" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows", + "Office 365", + "SaaS", + "Google Workspace" + ], + "x_mitre_version": "1.0" + }, + { + "type": "attack-pattern", + "id": "attack-pattern--4a2975db-414e-4c0c-bd92-775987514b4b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-08-24 17:23:34.470000+00:00", + "modified": "2023-09-06 20:17:26.167000+00:00", + "name": "Ignore Process Interrupts", + "description": "Adversaries may evade defensive mechanisms by executing commands that hide from process interrupt signals. Many operating systems use signals to deliver messages to control process behavior. Command interpreters often include specific commands/flags that ignore errors and other hangups, such as when the user of the active session logs off.(Citation: Linux Signal Man) These interrupt signals may also be used by defensive tools and/or analysts to pause or terminate specified running processes. \n\nAdversaries may invoke processes using `nohup`, [PowerShell](https://attack.mitre.org/techniques/T1059/001) `-ErrorAction SilentlyContinue`, or similar commands that may be immune to hangups.(Citation: nohup Linux Man)(Citation: Microsoft PowerShell SilentlyContinue) This may enable malicious commands and malware to continue execution through system events that would otherwise terminate its execution, such as users logging off or the termination of its C2 network connection.\n\nHiding from process interrupt signals may allow malware to continue execution, but unlike [Trap](https://attack.mitre.org/techniques/T1546/005) this does not establish [Persistence](https://attack.mitre.org/tactics/TA0003) since the process will not be re-invoked once actually terminated.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1564/011", + "external_id": "T1564.011" + }, + { + "source_name": "Linux Signal Man", + "description": "Linux man-pages. (2023, April 3). signal(7). Retrieved August 30, 2023.", + "url": "https://man7.org/linux/man-pages/man7/signal.7.html" + }, + { + "source_name": "nohup Linux Man", + "description": "Meyering, J. (n.d.). nohup(1). Retrieved August 30, 2023.", + "url": "https://linux.die.net/man/1/nohup" + }, + { + "source_name": "Microsoft PowerShell SilentlyContinue", + "description": "Microsoft. (2023, March 2). $DebugPreference. Retrieved August 30, 2023.", + "url": "https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_preference_variables?view=powershell-7.3#debugpreference" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_data_sources": [ + "Process: Process Creation", + "Command: Command Execution" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "x_mitre_version": "1.0" + }, + { + "type": "attack-pattern", + "id": "attack-pattern--562e9b64-7239-493d-80f4-2bff900d9054", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-05-24 19:03:03.855000+00:00", + "modified": "2023-10-03 03:44:46.935000+00:00", + "name": "Disable or Modify Linux Audit System", + "description": "Adversaries may disable or modify the Linux audit system to hide malicious activity and avoid detection. Linux admins use the Linux Audit system to track security-relevant information on a system. The Linux Audit system operates at the kernel-level and maintains event logs on application and system activity such as process, network, file, and login events based on pre-configured rules.\n\nOften referred to as `auditd`, this is the name of the daemon used to write events to disk and is governed by the parameters set in the `audit.conf` configuration file. Two primary ways to configure the log generation rules are through the command line `auditctl` utility and the file `/etc/audit/audit.rules`, containing a sequence of `auditctl` commands loaded at boot time.(Citation: Red Hat System Auditing)(Citation: IzyKnows auditd threat detection 2022)\n\nWith root privileges, adversaries may be able to ensure their activity is not logged through disabling the Audit system service, editing the configuration/rule files, or by hooking the Audit system library functions. Using the command line, adversaries can disable the Audit system service through killing processes associated with `auditd` daemon or use `systemctl` to stop the Audit service. Adversaries can also hook Audit system functions to disable logging or modify the rules contained in the `/etc/audit/audit.rules` or `audit.conf` files to ignore malicious activity.(Citation: Trustwave Honeypot SkidMap 2023)(Citation: ESET Ebury Feb 2014)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1562/012", + "external_id": "T1562.012" + }, + { + "source_name": "IzyKnows auditd threat detection 2022", + "description": "IzySec. (2022, January 26). Linux auditd for Threat Detection. Retrieved September 29, 2023.", + "url": "https://izyknows.medium.com/linux-auditd-for-threat-detection-d06c8b941505" + }, + { + "source_name": "Red Hat System Auditing", + "description": "Jahoda, M. et al.. (2017, March 14). Red Hat Security Guide - Chapter 7 - System Auditing. Retrieved December 20, 2017.", + "url": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing" + }, + { + "source_name": "ESET Ebury Feb 2014", + "description": "M.L\u00e9veill\u00e9, M.. (2014, February 21). An In-depth Analysis of Linux/Ebury. Retrieved April 19, 2019.", + "url": "https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/" + }, + { + "source_name": "Trustwave Honeypot SkidMap 2023", + "description": "Radoslaw Zdonczyk. (2023, July 30). Honeypot Recon: New Variant of SkidMap Targeting Redis. Retrieved September 29, 2023.", + "url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-new-variant-of-skidmap-targeting-redis/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Tim (Wadhwa-)Brown" + ], + "x_mitre_data_sources": [ + "Process: OS API Execution", + "File: File Modification", + "Command: Command Execution", + "File: File Deletion", + "Process: Process Modification" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux" + ], + "x_mitre_version": "1.0" + }, + { + "type": "attack-pattern", + "id": "attack-pattern--c9e0c59e-162e-40a4-b8b1-78fab4329ada", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-08-08 15:42:18.906000+00:00", + "modified": "2023-09-30 19:45:05.886000+00:00", + "name": "Impersonation", + "description": "Adversaries may impersonate a trusted person or organization in order to persuade and trick a target into performing some action on their behalf. For example, adversaries may communicate with victims (via [Phishing for Information](https://attack.mitre.org/techniques/T1598), [Phishing](https://attack.mitre.org/techniques/T1566), or [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)) while impersonating a known sender such as an executive, colleague, or third-party vendor. Established trust can then be leveraged to accomplish an adversary\u2019s ultimate goals, possibly against multiple victims. \n \nIn many cases of business email compromise or email fraud campaigns, adversaries use impersonation to defraud victims -- deceiving them into sending money or divulging information that ultimately enables [Financial Theft](https://attack.mitre.org/techniques/T1657).\n\nAdversaries will often also use social engineering techniques such as manipulative and persuasive language in email subject lines and body text such as `payment`, `request`, or `urgent` to push the victim to act quickly before malicious activity is detected. These campaigns are often specifically targeted against people who, due to job roles and/or accesses, can carry out the adversary\u2019s goal.\u202f\u202f \n \nImpersonation is typically preceded by reconnaissance techniques such as [Gather Victim Identity Information](https://attack.mitre.org/techniques/T1589) and [Gather Victim Org Information](https://attack.mitre.org/techniques/T1591) as well as acquiring infrastructure such as email domains (i.e. [Domains](https://attack.mitre.org/techniques/T1583/001)) to substantiate their false identity.(Citation: CrowdStrike-BEC)\n \nThere is the potential for multiple victims in campaigns involving impersonation. For example, an adversary may [Compromise Accounts](https://attack.mitre.org/techniques/T1586) targeting one organization which can then be used to support impersonation against other entities.(Citation: VEC)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1656", + "external_id": "T1656" + }, + { + "source_name": "CrowdStrike-BEC", + "description": "Bart Lenaerts-Bergmans. (2023, March 10). What is Business Email Compromise?. Retrieved August 8, 2023.", + "url": "https://www.crowdstrike.com/cybersecurity-101/business-email-compromise-bec/" + }, + { + "source_name": "VEC", + "description": "CloudFlare. (n.d.). What is vendor email compromise (VEC)?. Retrieved September 12, 2023.", + "url": "https://www.cloudflare.com/learning/email-security/what-is-vendor-email-compromise/#:~:text=Vendor%20email%20compromise%2C%20also%20referred,steal%20from%20that%20vendor%27s%20customers." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Pawel Partyka, Microsoft Threat Intelligence", + "Blake Strom, Microsoft Threat Intelligence" + ], + "x_mitre_data_sources": [ + "Application Log: Application Log Content" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows", + "Office 365", + "SaaS", + "Google Workspace" + ], + "x_mitre_version": "1.0" + }, + { + "type": "attack-pattern", + "id": "attack-pattern--866d0d6d-02c6-42bd-aa2f-02907fdc0969", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-07-10 16:50:57.587000+00:00", + "modified": "2023-09-30 22:18:46.711000+00:00", + "name": "Log Enumeration", + "description": "Adversaries may enumerate system and service logs to find useful data. These logs may highlight various types of valuable insights for an adversary, such as user authentication records ([Account Discovery](https://attack.mitre.org/techniques/T1087)), security or vulnerable software ([Software Discovery](https://attack.mitre.org/techniques/T1518)), or hosts within a compromised network ([Remote System Discovery](https://attack.mitre.org/techniques/T1018)).\n\nHost binaries may be leveraged to collect system logs. Examples include using `wevtutil.exe` or [PowerShell](https://attack.mitre.org/techniques/T1059/001) on Windows to access and/or export security event information.(Citation: WithSecure Lazarus-NoPineapple Threat Intel Report 2023)(Citation: Cadet Blizzard emerges as novel threat actor) In cloud environments, adversaries may leverage utilities such as the Azure VM Agent\u2019s `CollectGuestLogs.exe` to collect security logs from cloud hosted infrastructure.(Citation: SIM Swapping and Abuse of the Microsoft Azure Serial Console)\n\nAdversaries may also target centralized logging infrastructure such as SIEMs. Logs may also be bulk exported and sent to adversary-controlled infrastructure for offline analysis.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "discovery" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1654", + "external_id": "T1654" + }, + { + "source_name": "SIM Swapping and Abuse of the Microsoft Azure Serial Console", + "description": "Mandiant Intelligence. (2023, May 16). SIM Swapping and Abuse of the Microsoft Azure Serial Console: Serial Is Part of a Well Balanced Attack. Retrieved June 2, 2023.", + "url": "https://www.mandiant.com/resources/blog/sim-swapping-abuse-azure-serial" + }, + { + "source_name": "Cadet Blizzard emerges as novel threat actor", + "description": "Microsoft Threat Intelligence. (2023, June 14). Cadet Blizzard emerges as a novel and distinct Russian threat actor. Retrieved July 10, 2023.", + "url": "https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/" + }, + { + "source_name": "WithSecure Lazarus-NoPineapple Threat Intel Report 2023", + "description": "Ruohonen, S. & Robinson, S. (2023, February 2). No Pineapple! -DPRK Targeting of Medical Research and Technology Sector. Retrieved July 10, 2023.", + "url": "https://labs.withsecure.com/content/dam/labs/docs/WithSecure-Lazarus-No-Pineapple-Threat-Intelligence-Report-2023.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Bilal Bahad\u0131r Yenici" + ], + "x_mitre_data_sources": [ + "File: File Access", + "Command: Command Execution", + "Process: Process Creation" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows", + "IaaS" + ], + "x_mitre_version": "1.0" + }, + { + "type": "attack-pattern", + "id": "attack-pattern--34a80bc4-80f2-46e6-94ff-f3265a4b657c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-09-27 19:49:40.815000+00:00", + "modified": "2023-10-03 04:06:42.256000+00:00", + "name": "Break Process Trees", + "description": "An adversary may attempt to evade process tree-based analysis by modifying executed malware's parent process ID (PPID). If endpoint protection software leverages the \u201cparent-child\" relationship for detection, breaking this relationship could result in the adversary\u2019s behavior not being associated with previous process tree activity. On Unix-based systems breaking this process tree is common practice for administrators to execute software using scripts and programs.(Citation: 3OHA double-fork 2022) \n\nOn Linux systems, adversaries may execute a series of [Native API](https://attack.mitre.org/techniques/T1106) calls to alter malware's process tree. For example, adversaries can execute their payload without any arguments, call the `fork()` API call twice, then have the parent process exit. This creates a grandchild process with no parent process that is immediately adopted by the `init` system process (PID 1), which successfully disconnects the execution of the adversary's payload from its previous process tree.\n\nAnother example is using the \u201cdaemon\u201d syscall to detach from the current parent process and run in the background.(Citation: Sandfly BPFDoor 2022)(Citation: Microsoft XorDdos Linux Stealth 2022) ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1036/009", + "external_id": "T1036.009" + }, + { + "source_name": "3OHA double-fork 2022", + "description": "Juan Tapiador. (2022, April 11). UNIX daemonization and the double fork. Retrieved September 29, 2023.", + "url": "https://0xjet.github.io/3OHA/2022/04/11/post.html" + }, + { + "source_name": "Microsoft XorDdos Linux Stealth 2022", + "description": "Microsoft Threat Intelligence. (2022, May 19). Rise in XorDdos: A deeper look at the stealthy DDoS malware targeting Linux devices. Retrieved September 27, 2023.", + "url": "https://www.microsoft.com/en-us/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/" + }, + { + "source_name": "Sandfly BPFDoor 2022", + "description": "The Sandfly Security Team. (2022, May 11). BPFDoor - An Evasive Linux Backdoor Technical Analysis. Retrieved September 29, 2023.", + "url": "https://sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Tim (Wadhwa-)Brown" + ], + "x_mitre_data_sources": [ + "Process: OS API Execution", + "Process: Process Creation" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "macOS" + ], + "x_mitre_version": "1.0" + }, + { + "type": "attack-pattern", + "id": "attack-pattern--ca00366b-83a1-4c7b-a0ce-8ff950a7c87f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-09-05 14:19:17.486000+00:00", + "modified": "2023-10-02 22:17:54.968000+00:00", + "name": "Modify Cloud Compute Configurations", + "description": "Adversaries may modify settings that directly affect the size, locations, and resources available to cloud compute infrastructure in order to evade defenses. These settings may include service quotas, subscription associations, tenant-wide policies, or other configurations that impact available compute. Such modifications may allow adversaries to abuse the victim\u2019s compute resources to achieve their goals, potentially without affecting the execution of running instances and/or revealing their activities to the victim.\n\nFor example, cloud providers often limit customer usage of compute resources via quotas. Customers may request adjustments to these quotas to support increased computing needs, though these adjustments may require approval from the cloud provider. Adversaries who compromise a cloud environment may similarly request quota adjustments in order to support their activities, such as enabling additional [Resource Hijacking](https://attack.mitre.org/techniques/T1496) without raising suspicion by using up a victim\u2019s entire quota.(Citation: Microsoft Cryptojacking 2023) Adversaries may also increase allowed resource usage by modifying any tenant-wide policies that limit the sizes of deployed virtual machines.(Citation: Microsoft Azure Policy)\n\nAdversaries may also modify settings that affect where cloud resources can be deployed, such as enabling [Unused/Unsupported Cloud Regions](https://attack.mitre.org/techniques/T1535). In Azure environments, an adversary who has gained access to a Global Administrator account may create new subscriptions in which to deploy resources, or engage in subscription hijacking by transferring an existing pay-as-you-go subscription from a victim tenant to an adversary-controlled tenant.(Citation: Microsoft Peach Sandstorm 2023) This will allow the adversary to use the victim\u2019s compute resources without generating logs on the victim tenant.(Citation: Microsoft Azure Policy) (Citation: Microsoft Subscription Hijacking 2022)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1578/005", + "external_id": "T1578.005" + }, + { + "source_name": "Microsoft Subscription Hijacking 2022", + "description": "Dor Edry. (2022, August 24). Hunt for compromised Azure subscriptions using Microsoft Defender for Cloud Apps. Retrieved September 5, 2023.", + "url": "https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/hunt-for-compromised-azure-subscriptions-using-microsoft/ba-p/3607121" + }, + { + "source_name": "Microsoft Cryptojacking 2023", + "description": "Microsoft Threat Intelligence. (2023, July 25). Cryptojacking: Understanding and defending against cloud compute resource abuse. Retrieved September 5, 2023.", + "url": "https://www.microsoft.com/en-us/security/blog/2023/07/25/cryptojacking-understanding-and-defending-against-cloud-compute-resource-abuse/" + }, + { + "source_name": "Microsoft Peach Sandstorm 2023", + "description": "Microsoft Threat Intelligence. (2023, September 14). Peach Sandstorm password spray campaigns enable intelligence collection at high-value targets. Retrieved September 18, 2023.", + "url": "https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/" + }, + { + "source_name": "Microsoft Azure Policy", + "description": "Microsoft. (2023, August 30). Azure Policy built-in policy definitions. Retrieved September 5, 2023.", + "url": "https://learn.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#compute" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Blake Strom, Microsoft Threat Intelligence", + "Amir Gharib, Microsoft Threat Intelligence" + ], + "x_mitre_data_sources": [ + "Cloud Service: Cloud Service Modification" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "IaaS" + ], + "x_mitre_version": "1.0" + }, + { + "type": "attack-pattern", + "id": "attack-pattern--887274fc-2d63-4bdc-82f3-fae56d1d5fdc", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-09-29 15:28:42.409000+00:00", + "modified": "2023-10-17 02:12:05.242000+00:00", + "name": "LNK Icon Smuggling", + "description": "Adversaries may smuggle commands to download malicious payloads past content filters by hiding them within otherwise seemingly benign windows shortcut files. Windows shortcut files (.LNK) include many metadata fields, including an icon location field (also known as the `IconEnvironmentDataBlock`) designed to specify the path to an icon file that is to be displayed for the LNK file within a host directory. \n\nAdversaries may abuse this LNK metadata to download malicious payloads. For example, adversaries have been observed using LNK files as phishing payloads to deliver malware. Once invoked (e.g., [Malicious File](https://attack.mitre.org/techniques/T1204/002)), payloads referenced via external URLs within the LNK icon location field may be downloaded. These files may also then be invoked by [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)/[System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218) arguments within the target path field of the LNK.(Citation: Unprotect Shortcut)(Citation: Booby Trap Shortcut 2017)\n\nLNK Icon Smuggling may also be utilized post compromise, such as malicious scripts executing an LNK on an infected host to download additional malicious payloads. \n", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1027/012", + "external_id": "T1027.012" + }, + { + "source_name": "Unprotect Shortcut", + "description": "Unprotect Project. (2019, March 18). Shortcut Hiding. Retrieved October 3, 2023.", + "url": "https://unprotect.it/technique/shortcut-hiding/" + }, + { + "source_name": "Booby Trap Shortcut 2017", + "description": "Weyne, F. (2017, April). Booby trap a shortcut with a backdoor. Retrieved October 3, 2023.", + "url": "https://www.uperesia.com/booby-trapped-shortcut" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Michael Raggi @aRtAGGI", + "Andrew Northern, @ex_raritas", + "Gregory Lesnewich, @greglesnewich" + ], + "x_mitre_data_sources": [ + "File: File Metadata", + "File: File Creation" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "\n", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0" + }, + { + "type": "attack-pattern", + "id": "attack-pattern--bb5e59c4-abe7-40c7-8196-e373cb1e5974", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-09-07 21:50:08.827000+00:00", + "modified": "2023-10-15 11:49:40.990000+00:00", + "name": "Spearphishing Voice", + "description": "Adversaries may use voice communications to ultimately gain access to victim systems. Spearphishing voice is a specific variant of spearphishing. It is different from other forms of spearphishing in that is employs the use of manipulating a user into providing access to systems through a phone call or other forms of voice communications. Spearphishing frequently involves social engineering techniques, such as posing as a trusted source (ex: [Impersonation](https://attack.mitre.org/techniques/T1656)) and/or creating a sense of urgency or alarm for the recipient.\n\nAll forms of phishing are electronically delivered social engineering. In this scenario, adversaries are not directly sending malware to a victim vice relying on [User Execution](https://attack.mitre.org/techniques/T1204) for delivery and execution. For example, victims may receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware,(Citation: sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software) or install adversary-accessible remote management tools ([Remote Access Software](https://attack.mitre.org/techniques/T1219)) onto their computer.(Citation: Unit42 Luna Moth)\n\nAdversaries may also combine voice phishing with [Multi-Factor Authentication Request Generation](https://attack.mitre.org/techniques/T1621) in order to trick users into divulging MFA credentials or accepting authentication prompts.(Citation: Proofpoint Vishing)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "initial-access" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1566/004", + "external_id": "T1566.004" + }, + { + "source_name": "CISA Remote Monitoring and Management Software", + "description": "CISA. (n.d.). Protecting Against Malicious Use of Remote Monitoring and Management Software. Retrieved February 2, 2023.", + "url": "https://www.cisa.gov/uscert/ncas/alerts/aa23-025a" + }, + { + "source_name": "Unit42 Luna Moth", + "description": "Kristopher Russo. (n.d.). Luna Moth Callback Phishing Campaign. Retrieved February 2, 2023.", + "url": "https://unit42.paloaltonetworks.com/luna-moth-callback-phishing/" + }, + { + "source_name": "sygnia Luna Month", + "description": "Oren Biderman, Tomer Lahiyani, Noam Lifshitz, Ori Porag. (n.d.). LUNA MOTH: THE THREAT ACTORS BEHIND RECENT FALSE SUBSCRIPTION SCAMS. Retrieved February 2, 2023.", + "url": "https://blog.sygnia.co/luna-moth-false-subscription-scams" + }, + { + "source_name": "Proofpoint Vishing", + "description": "Proofpoint. (n.d.). What Is Vishing?. Retrieved September 8, 2023.", + "url": "https://www.proofpoint.com/us/threat-reference/vishing" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_data_sources": [ + "Application Log: Application Log Content" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows", + "Office 365", + "SaaS", + "Google Workspace" + ], + "x_mitre_version": "1.0" + }, + { + "type": "attack-pattern", + "id": "attack-pattern--6a5d222a-a7e0-4656-b110-782c33098289", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-09-07 21:48:39.516000+00:00", + "modified": "2023-09-08 21:03:35.477000+00:00", + "name": "Spearphishing Voice", + "description": "Adversaries may use voice communications to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Impersonation](https://attack.mitre.org/techniques/T1656)) and/or creating a sense of urgency or alarm for the recipient.\n\nAll forms of phishing are electronically delivered social engineering. In this scenario, adversaries use phone calls to elicit sensitive information from victims. Known as voice phishing (or \"vishing\"), these communications can be manually executed by adversaries, hired call centers, or even automated via robocalls. Voice phishers may spoof their phone number while also posing as a trusted entity, such as a business partner or technical support staff.(Citation: BOA Telephone Scams)\n\nVictims may also receive phishing messages that direct them to call a phone number (\"callback phishing\") where the adversary attempts to collect confidential information.(Citation: Avertium callback phishing)\n\nAdversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to tailor pretexts to be even more persuasive and believable for the victim.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1598/004", + "external_id": "T1598.004" + }, + { + "source_name": "Avertium callback phishing", + "description": "Avertium. (n.d.). EVERYTHING YOU NEED TO KNOW ABOUT CALLBACK PHISHING. Retrieved February 2, 2023.", + "url": "https://www.avertium.com/resources/threat-reports/everything-you-need-to-know-about-callback-phishing" + }, + { + "source_name": "BOA Telephone Scams", + "description": "Bank of America. (n.d.). How to avoid telephone scams. Retrieved September 8, 2023.", + "url": "https://business.bofa.com/en-us/content/what-is-vishing.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_data_sources": [ + "Application Log: Application Log Content" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "PRE" + ], + "x_mitre_version": "1.0" + }, + { + "type": "attack-pattern", + "id": "attack-pattern--ea071aa0-8f17-416f-ab0d-2bab7e79003d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-06-05 15:52:52.467000+00:00", + "modified": "2023-09-30 21:28:45.038000+00:00", + "name": "Power Settings", + "description": "Adversaries may impair a system's ability to hibernate, reboot, or shut down in order to extend access to infected machines. When a computer enters a dormant state, some or all software and hardware may cease to operate which can disrupt malicious activity.(Citation: Sleep, shut down, hibernate)\n\nAdversaries may abuse system utilities and configuration settings to maintain access by preventing machines from entering a state, such as standby, that can terminate malicious activity.(Citation: Microsoft: Powercfg command-line options)(Citation: systemdsleep Linux)\n\nFor example, `powercfg` controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.(Citation: Two New Monero Malware Attacks Target Windows and Android Users) Adversaries may also extend system lock screen timeout settings.(Citation: BATLOADER: The Evasive Downloader Malware) Other relevant settings, such as disk and hibernate timeout, can be similarly abused to keep the infected machine running even if no user is active.(Citation: CoinLoader: A Sophisticated Malware Loader Campaign)\n\nAware that some malware cannot survive system reboots, adversaries may entirely delete files used to invoke system shut down or reboot.(Citation: Condi-Botnet-binaries)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1653", + "external_id": "T1653" + }, + { + "source_name": "Sleep, shut down, hibernate", + "description": "AVG. (n.d.). Should You Shut Down, Sleep or Hibernate Your PC or Mac Laptop?. Retrieved June 8, 2023.", + "url": "https://www.avg.com/en/signal/should-you-shut-down-sleep-or-hibernate-your-pc-or-mac-laptop" + }, + { + "source_name": "CoinLoader: A Sophisticated Malware Loader Campaign", + "description": "Avira. (2019, November 28). CoinLoader: A Sophisticated Malware Loader Campaign. Retrieved June 5, 2023.", + "url": "https://www.avira.com/en/blog/coinloader-a-sophisticated-malware-loader-campaign" + }, + { + "source_name": "BATLOADER: The Evasive Downloader Malware", + "description": "Bethany Hardin, Lavine Oluoch, Tatiana Vollbrecht. (2022, November 14). BATLOADER: The Evasive Downloader Malware. Retrieved June 5, 2023.", + "url": "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html" + }, + { + "source_name": "Two New Monero Malware Attacks Target Windows and Android Users", + "description": "Douglas Bonderud. (2018, September 17). Two New Monero Malware Attacks Target Windows and Android Users. Retrieved June 5, 2023.", + "url": "https://securityintelligence.com/news/two-new-monero-malware-attacks-target-windows-and-android-users/" + }, + { + "source_name": "Condi-Botnet-binaries", + "description": "Joie Salvio and Roy Tay. (2023, June 20). Condi DDoS Botnet Spreads via TP-Link's CVE-2023-1389. Retrieved September 5, 2023.", + "url": "https://www.fortinet.com/blog/threat-research/condi-ddos-botnet-spreads-via-tp-links-cve-2023-1389" + }, + { + "source_name": "systemdsleep Linux", + "description": "Man7. (n.d.). systemd-sleep.conf(5) \u2014 Linux manual page. Retrieved June 7, 2023.", + "url": "https://man7.org/linux/man-pages/man5/systemd-sleep.conf.5.html" + }, + { + "source_name": "Microsoft: Powercfg command-line options", + "description": "Microsoft. (2021, December 15). Powercfg command-line options. Retrieved June 5, 2023.", + "url": "https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options?adlt=strict" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Goldstein Menachem", + "Juan Tapiador" + ], + "x_mitre_data_sources": [ + "File: File Modification", + "Command: Command Execution" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Command-line invocation of tools capable of modifying services may be unusual and can be monitored for and alerted on, depending on how systems are typically used in a particular environment. \n", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "x_mitre_version": "1.0" + }, + { + "type": "attack-pattern", + "id": "attack-pattern--45241b9e-9bbc-4826-a2cc-78855e51ca09", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-06-02 15:27:55.412000+00:00", + "modified": "2023-10-27 18:32:11.219000+00:00", + "name": "Direct Cloud VM Connections", + "description": "Adversaries may leverage [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log directly into accessible cloud hosted compute infrastructure through cloud native methods. Many cloud providers offer interactive connections to virtual infrastructure that can be accessed through the [Cloud API](https://attack.mitre.org/techniques/T1059/009), such as Azure Serial Console(Citation: Azure Serial Console), AWS EC2 Instance Connect(Citation: EC2 Instance Connect)(Citation: lucr-3: Getting SaaS-y in the cloud), and AWS System Manager.(Citation: AWS System Manager).\n\nMethods of authentication for these connections can include passwords, application access tokens, or SSH keys. These cloud native methods may, by default, allow for privileged access on the host with SYSTEM or root level access. \n\nAdversaries may utilize these cloud native methods to directly access virtual infrastructure and pivot through an environment.(Citation: SIM Swapping and Abuse of the Microsoft Azure Serial Console) These connections typically provide direct console access to the VM rather than the execution of scripts (i.e., [Cloud Administration Command](https://attack.mitre.org/techniques/T1651)).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "lateral-movement" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1021/008", + "external_id": "T1021.008" + }, + { + "source_name": "EC2 Instance Connect", + "description": "AWS. (2023, June 2). Connect using EC2 Instance Connect. Retrieved June 2, 2023.", + "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-connect-methods.html" + }, + { + "source_name": "AWS System Manager", + "description": "AWS. (2023, June 2). What is AWS System Manager?. Retrieved June 2, 2023.", + "url": "https://docs.aws.amazon.com/systems-manager/latest/userguide/what-is-systems-manager.html" + }, + { + "source_name": "lucr-3: Getting SaaS-y in the cloud", + "description": "Ian Ahl. (2023, September 20). LUCR-3: Scattered Spider Getting SaaS-y In The Cloud. Retrieved September 20, 2023.", + "url": "https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud" + }, + { + "source_name": "SIM Swapping and Abuse of the Microsoft Azure Serial Console", + "description": "Mandiant Intelligence. (2023, May 16). SIM Swapping and Abuse of the Microsoft Azure Serial Console: Serial Is Part of a Well Balanced Attack. Retrieved June 2, 2023.", + "url": "https://www.mandiant.com/resources/blog/sim-swapping-abuse-azure-serial" + }, + { + "source_name": "Azure Serial Console", + "description": "Microsoft. (2022, October 17). Azure Serial Console. Retrieved June 2, 2023.", + "url": "https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-overview" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Thanabodi Phrakhun, @naikordian" + ], + "x_mitre_data_sources": [ + "Logon Session: Logon Session Creation" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "IaaS" + ], + "x_mitre_version": "1.0" + }, + { + "type": "attack-pattern", + "id": "attack-pattern--494ab9f0-36e0-4b06-b10d-57285b040a06", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-09-08 15:39:50.269000+00:00", + "modified": "2023-10-05 11:35:30.887000+00:00", + "name": "Wi-Fi Discovery", + "description": "Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems. Adversaries may use Wi-Fi information as part of [Account Discovery](https://attack.mitre.org/techniques/T1087), [Remote System Discovery](https://attack.mitre.org/techniques/T1018), and other discovery or [Credential Access](https://attack.mitre.org/tactics/TA0006) activity to support both ongoing and future campaigns.\n\nAdversaries may collect various types of information about Wi-Fi networks from hosts. For example, on Windows names and passwords of all Wi-Fi networks a device has previously connected to may be available through `netsh wlan show profiles` to enumerate Wi-Fi names and then `netsh wlan show profile \u201cWi-Fi name\u201d key=clear` to show a Wi-Fi network\u2019s corresponding password.(Citation: BleepingComputer Agent Tesla steal wifi passwords)(Citation: Malware Bytes New AgentTesla variant steals WiFi credentials)(Citation: Check Point APT35 CharmPower January 2022) Additionally, names and other details of locally reachable Wi-Fi networks can be discovered using calls to `wlanAPI.dll` [Native API](https://attack.mitre.org/techniques/T1106) functions.(Citation: Binary Defense Emotes Wi-Fi Spreader)\n\nOn Linux, names and passwords of all Wi-Fi-networks a device has previously connected to may be available in files under ` /etc/NetworkManager/system-connections/`.(Citation: Wi-Fi Password of All Connected Networks in Windows/Linux) On macOS, the password of a known Wi-Fi may be identified with ` security find-generic-password -wa wifiname` (requires admin username/password).(Citation: Find Wi-Fi Password on Mac)\n", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "discovery" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1016/002", + "external_id": "T1016.002" + }, + { + "source_name": "Binary Defense Emotes Wi-Fi Spreader", + "description": "Binary Defense. (n.d.). Emotet Evolves With new Wi-Fi Spreader. Retrieved September 8, 2023.", + "url": "https://www.binarydefense.com/resources/blog/emotet-evolves-with-new-wi-fi-spreader/" + }, + { + "source_name": "Check Point APT35 CharmPower January 2022", + "description": "Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022.", + "url": "https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/" + }, + { + "source_name": "Wi-Fi Password of All Connected Networks in Windows/Linux", + "description": "Geeks for Geeks. (n.d.). Wi-Fi Password of All Connected Networks in Windows/Linux. Retrieved September 8, 2023.", + "url": "https://www.geeksforgeeks.org/wi-fi-password-connected-networks-windowslinux/" + }, + { + "source_name": "Malware Bytes New AgentTesla variant steals WiFi credentials", + "description": "Hossein Jazi. (2020, April 16). New AgentTesla variant steals WiFi credentials. Retrieved September 8, 2023.", + "url": "https://www.malwarebytes.com/blog/news/2020/04/new-agenttesla-variant-steals-wifi-credentials" + }, + { + "source_name": "Find Wi-Fi Password on Mac", + "description": "Ruslana Lishchuk. (2021, March 26). How to Find a Saved Wi-Fi Password on a Mac. Retrieved September 8, 2023.", + "url": "https://mackeeper.com/blog/find-wi-fi-password-on-mac/" + }, + { + "source_name": "BleepingComputer Agent Tesla steal wifi passwords", + "description": "Sergiu Gatlan. (2020, April 16). Hackers steal WiFi passwords using upgraded Agent Tesla malware. Retrieved September 8, 2023.", + "url": "https://www.bleepingcomputer.com/news/security/hackers-steal-wifi-passwords-using-upgraded-agent-tesla-malware/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Christopher Peacock", + "Uriel Kosayev", + "Liran Ravich, CardinalOps", + "Alex Spivakovsky, Pentera" + ], + "x_mitre_data_sources": [ + "Process: OS API Execution", + "Command: Command Execution" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "x_mitre_version": "1.0" + } + ], + "major_version_changes": [ + { + "type": "attack-pattern", + "id": "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-01-23 22:02:48.566000+00:00", + "modified": "2023-10-16 09:08:22.319000+00:00", + "name": "Registry Run Keys / Startup Folder", + "description": "Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the \"run keys\" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.\n\nThe following run keys are created by default on Windows systems:\n\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\n\nRun keys may exist under multiple hives.(Citation: Microsoft Wow6432Node 2018)(Citation: Malwarebytes Wow6432Node 2016) The HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency.(Citation: Microsoft Run Key) For example, it is possible to load a DLL at logon using a \"Depend\" key with RunOnceEx: reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /d \"C:\\temp\\evil[.]dll\" (Citation: Oddvar Moe RunOnceEx Mar 2018)\n\nPlacing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is C:\\Users\\\\[Username]\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup. The startup folder path for all users is C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp.\n\nThe following Registry keys can be used to set startup folder items for persistence:\n\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\n* HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\n* HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\n\nThe following Registry keys can control automatic startup of services during boot:\n\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\n\nUsing policy settings to specify startup programs creates corresponding values in either of two Registry keys:\n\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\n\nPrograms listed in the load value of the registry key HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows run automatically for the currently logged-on user.\n\nBy default, the multistring BootExecute value of the registry key HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager is set to autocheck autochk *. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.\n\nAdversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1547/001", + "external_id": "T1547.001" + }, + { + "source_name": "Malwarebytes Wow6432Node 2016", + "description": "Arntz, P. (2016, March 30). Hiding in Plain Sight. Retrieved August 3, 2020.", + "url": "https://blog.malwarebytes.com/cybercrime/2013/10/hiding-in-plain-sight/" + }, + { + "source_name": "Microsoft Wow6432Node 2018", + "description": "Microsoft. (2018, May 31). 32-bit and 64-bit Application Data in the Registry. Retrieved August 3, 2020.", + "url": "https://docs.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry" + }, + { + "source_name": "Microsoft Run Key", + "description": "Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November 12, 2014.", + "url": "http://msdn.microsoft.com/en-us/library/aa376977" + }, + { + "source_name": "Oddvar Moe RunOnceEx Mar 2018", + "description": "Moe, O. (2018, March 21). Persistence using RunOnceEx - Hidden from Autoruns.exe. Retrieved June 29, 2018.", + "url": "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/" + }, + { + "source_name": "TechNet Autoruns", + "description": "Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.", + "url": "https://technet.microsoft.com/en-us/sysinternals/bb963902" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Oddvar Moe, @oddvarmoe", + "Dray Agha, @Purp1eW0lf, Huntress Labs", + "Harun K\u00fc\u00dfner" + ], + "x_mitre_data_sources": [ + "Command: Command Execution", + "File: File Modification", + "Process: Process Creation", + "Windows Registry: Windows Registry Key Creation", + "Windows Registry: Windows Registry Key Modification" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor Registry for changes to run keys that do not correlate with known software, patch cycles, etc. Monitor the start folder for additions or changes. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the run keys' Registry locations and startup folders. (Citation: TechNet Autoruns) Suspicious program execution as startup programs may show up as outlier processes that have not been seen before when compared against historical data.\n\nChanges to these locations typically happen under normal conditions when legitimate software is installed. To increase confidence of malicious activity, data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_permissions_required": [ + "Administrator", + "User" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "2.0", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-16 09:08:22.319000+00:00\", \"old_value\": \"2023-03-30 21:01:52.183000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the \\\"run keys\\\" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.\\n\\nThe following run keys are created by default on Windows systems:\\n\\n* HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\n* HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\n* HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\n* HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\n\\nRun keys may exist under multiple hives.(Citation: Microsoft Wow6432Node 2018)(Citation: Malwarebytes Wow6432Node 2016) The HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency.(Citation: Microsoft Run Key) For example, it is possible to load a DLL at logon using a \\\"Depend\\\" key with RunOnceEx: reg add HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\0001\\\\Depend /v 1 /d \\\"C:\\\\temp\\\\evil[.]dll\\\" (Citation: Oddvar Moe RunOnceEx Mar 2018)\\n\\nPlacing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is C:\\\\Users\\\\\\\\[Username]\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup. The startup folder path for all users is C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp.\\n\\nThe following Registry keys can be used to set startup folder items for persistence:\\n\\n* HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\n* HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\n* HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\n* HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\n\\nThe following Registry keys can control automatic startup of services during boot:\\n\\n* HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServicesOnce\\n* HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServicesOnce\\n* HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServices\\n* HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServices\\n\\nUsing policy settings to specify startup programs creates corresponding values in either of two Registry keys:\\n\\n* HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\n* HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\n\\nPrograms listed in the load value of the registry key HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows run automatically for the currently logged-on user.\\n\\nBy default, the multistring BootExecute value of the registry key HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Session Manager is set to autocheck autochk *. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.\\n\\nAdversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs.\", \"old_value\": \"Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the \\\"run keys\\\" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.\\n\\nPlacing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is C:\\\\Users\\\\\\\\[Username]\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup. The startup folder path for all users is C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp.\\n\\nThe following run keys are created by default on Windows systems:\\n\\n* HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\n* HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\n* HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\n* HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\n\\nRun keys may exist under multiple hives.(Citation: Microsoft Wow6432Node 2018)(Citation: Malwarebytes Wow6432Node 2016) The HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency.(Citation: Microsoft Run Key) For example, it is possible to load a DLL at logon using a \\\"Depend\\\" key with RunOnceEx: reg add HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\0001\\\\Depend /v 1 /d \\\"C:\\\\temp\\\\evil[.]dll\\\" (Citation: Oddvar Moe RunOnceEx Mar 2018)\\n\\nThe following Registry keys can be used to set startup folder items for persistence:\\n\\n* HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\n* HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\n* HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\n* HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\n\\nThe following Registry keys can control automatic startup of services during boot:\\n\\n* HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServicesOnce\\n* HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServicesOnce\\n* HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServices\\n* HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServices\\n\\nUsing policy settings to specify startup programs creates corresponding values in either of two Registry keys:\\n\\n* HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\n* HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\n\\nThe Winlogon key controls actions that occur when a user logs on to a computer running Windows 7. Most of these actions are under the control of the operating system, but you can also add custom actions here. The HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit and HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell subkeys can automatically launch programs.\\n\\nPrograms listed in the load value of the registry key HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows run when any user logs on.\\n\\nBy default, the multistring BootExecute value of the registry key HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Session Manager is set to autocheck autochk *. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.\\n\\nAdversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs.\", \"diff\": \"--- \\n+++ \\n@@ -1,6 +1,4 @@\\n Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the \\\"run keys\\\" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.\\n-\\n-Placing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is C:\\\\Users\\\\\\\\[Username]\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup. The startup folder path for all users is C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp.\\n \\n The following run keys are created by default on Windows systems:\\n \\n@@ -10,6 +8,8 @@\\n * HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\n \\n Run keys may exist under multiple hives.(Citation: Microsoft Wow6432Node 2018)(Citation: Malwarebytes Wow6432Node 2016) The HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency.(Citation: Microsoft Run Key) For example, it is possible to load a DLL at logon using a \\\"Depend\\\" key with RunOnceEx: reg add HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\0001\\\\Depend /v 1 /d \\\"C:\\\\temp\\\\evil[.]dll\\\" (Citation: Oddvar Moe RunOnceEx Mar 2018)\\n+\\n+Placing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is C:\\\\Users\\\\\\\\[Username]\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup. The startup folder path for all users is C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp.\\n \\n The following Registry keys can be used to set startup folder items for persistence:\\n \\n@@ -30,9 +30,7 @@\\n * HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\n * HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\n \\n-The Winlogon key controls actions that occur when a user logs on to a computer running Windows 7. Most of these actions are under the control of the operating system, but you can also add custom actions here. The HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit and HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell subkeys can automatically launch programs.\\n-\\n-Programs listed in the load value of the registry key HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows run when any user logs on.\\n+Programs listed in the load value of the registry key HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows run automatically for the currently logged-on user.\\n \\n By default, the multistring BootExecute value of the registry key HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Session Manager is set to autocheck autochk *. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.\\n \"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.2\"}}, \"iterable_item_added\": {\"root['x_mitre_contributors'][2]\": \"Harun K\\u00fc\\u00dfner\"}}", + "previous_version": "1.2", + "version_change": "1.2 \u2192 2.0", + "description_change_table": "\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n

    		Old Description
    		New Description
    t1Adversaries may achieve persistence by adding a program to at1Adversaries may achieve persistence by adding a program to a
    > startup folder or referencing it with a Registry run key. A> startup folder or referencing it with a Registry run key. A
    >dding an entry to the \"run keys\" in the Registry or startup >dding an entry to the \"run keys\" in the Registry or startup 
    >folder will cause the program referenced to be executed when>folder will cause the program referenced to be executed when
    > a user logs in.(Citation: Microsoft Run Key) These programs> a user logs in.(Citation: Microsoft Run Key) These programs
    > will be executed under the context of the user and will hav> will be executed under the context of the user and will hav
    >e the account's associated permissions level.  Placing a pro>e the account's associated permissions level.  The following
    >gram within a startup folder will also cause that program to> run keys are created by default on Windows systems:  * <cod
    > execute when a user logs in. There is a startup folder loca>e>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersio
    >tion for individual user accounts as well as a system-wide s>n\\Run</code> * <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Wi
    >tartup folder that will be checked regardless of which user >ndows\\CurrentVersion\\RunOnce</code> * <code>HKEY_LOCAL_MACHI
    >account logs in. The startup folder path for the current use>NE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run</code> * <c
    >r is <code>C:\\Users\\\\[Username]\\AppData\\Roaming\\Microsoft\\Wi>ode>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVer
    >ndows\\Start Menu\\Programs\\Startup</code>. The startup folder>sion\\RunOnce</code>  Run keys may exist under multiple hives
    > path for all users is <code>C:\\ProgramData\\Microsoft\\Window>.(Citation: Microsoft Wow6432Node 2018)(Citation: Malwarebyt
    >s\\Start Menu\\Programs\\StartUp</code>.  The following run key>es Wow6432Node 2016) The <code>HKEY_LOCAL_MACHINE\\Software\\M
    >s are created by default on Windows systems:  * <code>HKEY_C>icrosoft\\Windows\\CurrentVersion\\RunOnceEx</code> is also ava
    >URRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run</c>ilable but is not created by default on Windows Vista and ne
    >ode> * <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Cu>wer. Registry run key entries can reference programs directl
    >rrentVersion\\RunOnce</code> * <code>HKEY_LOCAL_MACHINE\\Softw>y or list them as a dependency.(Citation: Microsoft Run Key)
    >are\\Microsoft\\Windows\\CurrentVersion\\Run</code> * <code>HKEY> For example, it is possible to load a DLL at logon using a 
    >_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run>\"Depend\" key with RunOnceEx: <code>reg add HKLM\\SOFTWARE\\Mic
    >Once</code>  Run keys may exist under multiple hives.(Citati>rosoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /d 
    >on: Microsoft Wow6432Node 2018)(Citation: Malwarebytes Wow64>\"C:\\temp\\evil[.]dll\"</code> (Citation: Oddvar Moe RunOnceEx 
    >32Node 2016) The <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft>Mar 2018)  Placing a program within a startup folder will al
    >\\Windows\\CurrentVersion\\RunOnceEx</code> is also available b>so cause that program to execute when a user logs in. There 
    >ut is not created by default on Windows Vista and newer. Reg>is a startup folder location for individual user accounts as
    >istry run key entries can reference programs directly or lis> well as a system-wide startup folder that will be checked r
    >t them as a dependency.(Citation: Microsoft Run Key) For exa>egardless of which user account logs in. The startup folder 
    >mple, it is possible to load a DLL at logon using a \"Depend\">path for the current user is <code>C:\\Users\\\\[Username]\\AppD
    > key with RunOnceEx: <code>reg add HKLM\\SOFTWARE\\Microsoft\\W>ata\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup</c
    >indows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /d \"C:\\temp>ode>. The startup folder path for all users is <code>C:\\Prog
    >\\evil[.]dll\"</code> (Citation: Oddvar Moe RunOnceEx Mar 2018>ramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp</code>
    >)  The following Registry keys can be used to set startup fo>.  The following Registry keys can be used to set startup fo
    >lder items for persistence:  * <code>HKEY_CURRENT_USER\\Softw>lder items for persistence:  * <code>HKEY_CURRENT_USER\\Softw
    >are\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Fol>are\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Fol
    >ders</code> * <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Win>ders</code> * <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Win
    >dows\\CurrentVersion\\Explorer\\Shell Folders</code> * <code>HK>dows\\CurrentVersion\\Explorer\\Shell Folders</code> * <code>HK
    >EY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\E>EY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\E
    >xplorer\\Shell Folders</code> * <code>HKEY_LOCAL_MACHINE\\SOFT>xplorer\\Shell Folders</code> * <code>HKEY_LOCAL_MACHINE\\SOFT
    >WARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Fo>WARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Fo
    >lders</code>  The following Registry keys can control automa>lders</code>  The following Registry keys can control automa
    >tic startup of services during boot:  * <code>HKEY_LOCAL_MAC>tic startup of services during boot:  * <code>HKEY_LOCAL_MAC
    >HINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOn>HINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOn
    >ce</code> * <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windo>ce</code> * <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windo
    >ws\\CurrentVersion\\RunServicesOnce</code> * <code>HKEY_LOCAL_>ws\\CurrentVersion\\RunServicesOnce</code> * <code>HKEY_LOCAL_
    >MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunService>MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunService
    >s</code> * <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Window>s</code> * <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Window
    >s\\CurrentVersion\\RunServices</code>  Using policy settings t>s\\CurrentVersion\\RunServices</code>  Using policy settings t
    >o specify startup programs creates corresponding values in e>o specify startup programs creates corresponding values in e
    >ither of two Registry keys:  * <code>HKEY_LOCAL_MACHINE\\Soft>ither of two Registry keys:  * <code>HKEY_LOCAL_MACHINE\\Soft
    >ware\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run<>ware\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run<
    >/code> * <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\>/code> * <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\
    >CurrentVersion\\Policies\\Explorer\\Run</code>  The Winlogon ke>CurrentVersion\\Policies\\Explorer\\Run</code>  Programs listed
    >y controls actions that occur when a user logs on to a compu> in the load value of the registry key <code>HKEY_CURRENT_US
    >ter running Windows 7. Most of these actions are under the c>ER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows</cod
    >ontrol of the operating system, but you can also add custom >e> run automatically for the currently logged-on user.  By d
    >actions here. The <code>HKEY_LOCAL_MACHINE\\Software\\Microsof>efault, the multistring <code>BootExecute</code> value of th
    >t\\Windows NT\\CurrentVersion\\Winlogon\\Userinit</code> and <co>e registry key <code>HKEY_LOCAL_MACHINE\\System\\CurrentContro
    >de>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentV>lSet\\Control\\Session Manager</code> is set to <code>autochec
    >ersion\\Winlogon\\Shell</code> subkeys can automatically launc>k autochk *</code>. This value causes Windows, at startup, t
    >h programs.  Programs listed in the load value of the regist>o check the file-system integrity of the hard disks if the s
    >ry key <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT>ystem has been shut down abnormally. Adversaries can add oth
    >\\CurrentVersion\\Windows</code> run when any user logs on.  B>er programs or processes to this registry value which will a
    >y default, the multistring <code>BootExecute</code> value of>utomatically launch at boot.  Adversaries can use these conf
    > the registry key <code>HKEY_LOCAL_MACHINE\\System\\CurrentCon>iguration locations to execute malware, such as remote acces
    >trolSet\\Control\\Session Manager</code> is set to <code>autoc>s tools, to maintain persistence through system reboots. Adv
    >heck autochk *</code>. This value causes Windows, at startup>ersaries may also use [Masquerading](https://attack.mitre.or
    >, to check the file-system integrity of the hard disks if th>g/techniques/T1036) to make the Registry entries look as if 
    >e system has been shut down abnormally. Adversaries can add >they are associated with legitimate programs.
    >other programs or processes to this registry value which wil 
    >l automatically launch at boot.  Adversaries can use these c 
    >onfiguration locations to execute malware, such as remote ac 
    >cess tools, to maintain persistence through system reboots.  
    >Adversaries may also use [Masquerading](https://attack.mitre 
    >.org/techniques/T1036) to make the Registry entries look as  
    >if they are associated with legitimate programs. 
    ", + "changelog_mitigations": { + "shared": [], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0017: Command (Command Execution)", + "DS0022: File (File Modification)", + "DS0024: Windows Registry (Windows Registry Key Creation)", + "DS0024: Windows Registry (Windows Registry Key Modification)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--cacc40da-4c9e-462c-80d5-fd70a178b12d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-10-12 13:52:32.846000+00:00", + "modified": "2023-10-15 10:47:17.305000+00:00", + "name": "Disable or Modify Cloud Logs", + "description": "An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable or modify logging to avoid detection of their activities.\n\nFor example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.(Citation: Following the CloudTrail: Generating strong AWS security signals with Sumo Logic) They may alternatively tamper with logging functionality \u2013 for example, by removing any associated SNS topics, disabling multi-region logging, or disabling settings that validate and/or encrypt log files.(Citation: AWS Update Trail)(Citation: Pacu Detection Disruption Module) In Office 365, an adversary may disable logging on mail collection activities for specific users by using the `Set-MailboxAuditBypassAssociation` cmdlet, by disabling M365 Advanced Auditing for the user, or by downgrading the user\u2019s license from an Enterprise E5 to an Enterprise E3 license.(Citation: Dark Reading Microsoft 365 Attacks 2021)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1562/008", + "external_id": "T1562.008" + }, + { + "source_name": "Stopping CloudTrail from Sending Events to CloudWatch Logs", + "description": "Amazon Web Services. (n.d.). Stopping CloudTrail from Sending Events to CloudWatch Logs. Retrieved October 16, 2020.", + "url": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/stop-cloudtrail-from-sending-events-to-cloudwatch-logs.html" + }, + { + "source_name": "AWS Update Trail", + "description": "AWS. (n.d.). update-trail. Retrieved August 4, 2023.", + "url": "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/update-trail.html" + }, + { + "source_name": "Following the CloudTrail: Generating strong AWS security signals with Sumo Logic", + "description": "Dan Whalen. (2019, September 10). Following the CloudTrail: Generating strong AWS security signals with Sumo Logic. Retrieved October 16, 2020.", + "url": "https://expel.io/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/" + }, + { + "source_name": "Configuring Data Access audit logs", + "description": "Google. (n.d.). Configuring Data Access audit logs. Retrieved October 16, 2020.", + "url": "https://cloud.google.com/logging/docs/audit/configure-data-access" + }, + { + "source_name": "Dark Reading Microsoft 365 Attacks 2021", + "description": "Kelly Sheridan. (2021, August 5). Incident Responders Explore Microsoft 365 Attacks in the Wild. Retrieved March 17, 2023.", + "url": "https://www.darkreading.com/threat-intelligence/incident-responders-explore-microsoft-365-attacks-in-the-wild/d/d-id/1341591" + }, + { + "source_name": "az monitor diagnostic-settings", + "description": "Microsoft. (n.d.). az monitor diagnostic-settings. Retrieved October 16, 2020.", + "url": "https://docs.microsoft.com/en-us/cli/azure/monitor/diagnostic-settings?view=azure-cli-latest#az_monitor_diagnostic_settings_delete" + }, + { + "source_name": "Pacu Detection Disruption Module", + "description": "Rhino Security Labs. (2021, April 29). Pacu Detection Disruption Module. Retrieved August 4, 2023.", + "url": "https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/detection__disruption/main.py" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Syed Ummar Farooqh, McAfee", + "Prasad Somasamudram, McAfee", + "Sekhar Sarukkai, McAfee", + "Ibrahim Ali Khan", + "Alex Soler, AttackIQ", + "Janantha Marasinghe", + "Matt Snyder, VMware", + "Joe Gumke, U.S. Bank" + ], + "x_mitre_data_sources": [ + "Cloud Service: Cloud Service Modification", + "User Account: User Account Modification", + "Cloud Service: Cloud Service Disable" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor logs for API calls to disable logging. In AWS, monitor for: StopLogging and DeleteTrail.(Citation: Stopping CloudTrail from Sending Events to CloudWatch Logs) In GCP, monitor for: google.logging.v2.ConfigServiceV2.UpdateSink.(Citation: Configuring Data Access audit logs) In Azure, monitor for az monitor diagnostic-settings delete.(Citation: az monitor diagnostic-settings) Additionally, a sudden loss of a log source may indicate that it has been disabled. ", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "IaaS", + "SaaS", + "Google Workspace", + "Azure AD", + "Office 365" + ], + "x_mitre_version": "2.0", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-15 10:47:17.305000+00:00\", \"old_value\": \"2023-04-20 18:13:50.277000+00:00\"}, \"root['name']\": {\"new_value\": \"Disable or Modify Cloud Logs\", \"old_value\": \"Disable Cloud Logs\"}, \"root['description']\": {\"new_value\": \"An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable or modify logging to avoid detection of their activities.\\n\\nFor example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.(Citation: Following the CloudTrail: Generating strong AWS security signals with Sumo Logic) They may alternatively tamper with logging functionality \\u2013 for example, by removing any associated SNS topics, disabling multi-region logging, or disabling settings that validate and/or encrypt log files.(Citation: AWS Update Trail)(Citation: Pacu Detection Disruption Module) In Office 365, an adversary may disable logging on mail collection activities for specific users by using the `Set-MailboxAuditBypassAssociation` cmdlet, by disabling M365 Advanced Auditing for the user, or by downgrading the user\\u2019s license from an Enterprise E5 to an Enterprise E3 license.(Citation: Dark Reading Microsoft 365 Attacks 2021)\", \"old_value\": \"An adversary may disable cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable logging to avoid detection of their activities.\\n\\nFor example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.(Citation: Following the CloudTrail: Generating strong AWS security signals with Sumo Logic) In Office 365, an adversary may disable logging on mail collection activities for specific users by using the `Set-MailboxAuditBypassAssociation` cmdlet, by disabling M365 Advanced Auditing for the user, or by downgrading the user\\u2019s license from an Enterprise E5 to an Enterprise E3 license.(Citation: Dark Reading Microsoft 365 Attacks 2021)\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,3 @@\\n-An adversary may disable cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable logging to avoid detection of their activities.\\n+An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable or modify logging to avoid detection of their activities.\\n \\n-For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.(Citation: Following the CloudTrail: Generating strong AWS security signals with Sumo Logic) In Office 365, an adversary may disable logging on mail collection activities for specific users by using the `Set-MailboxAuditBypassAssociation` cmdlet, by disabling M365 Advanced Auditing for the user, or by downgrading the user\\u2019s license from an Enterprise E5 to an Enterprise E3 license.(Citation: Dark Reading Microsoft 365 Attacks 2021)\\n+For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.(Citation: Following the CloudTrail: Generating strong AWS security signals with Sumo Logic) They may alternatively tamper with logging functionality \\u2013 for example, by removing any associated SNS topics, disabling multi-region logging, or disabling settings that validate and/or encrypt log files.(Citation: AWS Update Trail)(Citation: Pacu Detection Disruption Module) In Office 365, an adversary may disable logging on mail collection activities for specific users by using the `Set-MailboxAuditBypassAssociation` cmdlet, by disabling M365 Advanced Auditing for the user, or by downgrading the user\\u2019s license from an Enterprise E5 to an Enterprise E3 license.(Citation: Dark Reading Microsoft 365 Attacks 2021)\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.3\"}}, \"iterable_item_added\": {\"root['external_references'][2]\": {\"source_name\": \"AWS Update Trail\", \"description\": \"AWS. (n.d.). update-trail. Retrieved August 4, 2023.\", \"url\": \"https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/update-trail.html\"}, \"root['external_references'][7]\": {\"source_name\": \"Pacu Detection Disruption Module\", \"description\": \"Rhino Security Labs. (2021, April 29). Pacu Detection Disruption Module. Retrieved August 4, 2023.\", \"url\": \"https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/detection__disruption/main.py\"}}}", + "previous_version": "1.3", + "version_change": "1.3 \u2192 2.0", + "description_change_table": "\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n

    		Old Description
    		New Description
    t1An adversary may disable cloud logging capabilities and intet1An adversary may disable or modify cloud logging capabilitie
    >grations to limit what data is collected on their activities>s and integrations to limit what data is collected on their 
    > and avoid detection. Cloud environments allow for collectio>activities and avoid detection. Cloud environments allow for
    >n and analysis of audit and application logs that provide in> collection and analysis of audit and application logs that 
    >sight into what activities a user does within the environmen>provide insight into what activities a user does within the 
    >t. If an adversary has sufficient permissions, they can disa>environment. If an adversary has sufficient permissions, the
    >ble logging to avoid detection of their activities.  For exa>y can disable or modify logging to avoid detection of their 
    >mple, in AWS an adversary may disable CloudWatch/CloudTrail >activities.  For example, in AWS an adversary may disable Cl
    >integrations prior to conducting further malicious activity.>oudWatch/CloudTrail integrations prior to conducting further
    >(Citation: Following the CloudTrail: Generating strong AWS s> malicious activity.(Citation: Following the CloudTrail: Gen
    >ecurity signals with Sumo Logic) In Office 365, an adversary>erating strong AWS security signals with Sumo Logic) They ma
    > may disable logging on mail collection activities for speci>y alternatively tamper with logging functionality \u2013 for exam
    >fic users by using the `Set-MailboxAuditBypassAssociation` c>ple, by removing any associated SNS topics, disabling multi-
    >mdlet, by disabling M365 Advanced Auditing for the user, or >region logging, or disabling settings that validate and/or e
    >by downgrading the user\u2019s license from an Enterprise E5 to a>ncrypt log files.(Citation: AWS Update Trail)(Citation: Pacu
    >n Enterprise E3 license.(Citation: Dark Reading Microsoft 36> Detection Disruption Module) In Office 365, an adversary ma
    >5 Attacks 2021)>y disable logging on mail collection activities for specific
     > users by using the `Set-MailboxAuditBypassAssociation` cmdl
     >et, by disabling M365 Advanced Auditing for the user, or by 
     >downgrading the user\u2019s license from an Enterprise E5 to an E
     >nterprise E3 license.(Citation: Dark Reading Microsoft 365 A
     >ttacks 2021)
    ", + "changelog_mitigations": { + "shared": [ + "M1018: User Account Management" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0002: User Account (User Account Modification)", + "DS0025: Cloud Service (Cloud Service Disable)", + "DS0025: Cloud Service (Cloud Service Modification)" + ], + "new": [], + "dropped": [] + } + } + ], + "minor_version_changes": [ + { + "type": "attack-pattern", + "id": "attack-pattern--67720091-eee3-4d2d-ae16-8264567f6f5b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-01-30 13:58:14.373000+00:00", + "modified": "2023-10-02 00:47:11.369000+00:00", + "name": "Abuse Elevation Control Mechanism", + "description": "Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1548", + "external_id": "T1548" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_data_sources": [ + "Process: Process Creation", + "User Account: User Account Modification", + "Command: Command Execution", + "Process: OS API Execution", + "File: File Modification", + "Process: Process Metadata", + "File: File Metadata", + "Windows Registry: Windows Registry Key Modification" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor the file system for files that have the setuid or setgid bits set. Also look for any process API calls for behavior that may be indicative of [Process Injection](https://attack.mitre.org/techniques/T1055) and unusual loaded DLLs through [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), which indicate attempts to gain access to higher privileged processes. On Linux, auditd can alert every time a user's actual ID and effective ID are different (this is what happens when you sudo).\n\nConsider monitoring for /usr/libexec/security_authtrampoline executions which may indicate that AuthorizationExecuteWithPrivileges is being executed. MacOS system logs may also indicate when AuthorizationExecuteWithPrivileges is being called. Monitoring OS API callbacks for the execution can also be a way to detect this behavior but requires specialized security tooling.\n\nOn Linux, auditd can alert every time a user's actual ID and effective ID are different (this is what happens when you sudo). This technique is abusing normal functionality in macOS and Linux systems, but sudo has the ability to log all input and output based on the LOG_INPUT and LOG_OUTPUT directives in the /etc/sudoers file.\n\nThere are many ways to perform UAC bypasses when a user is in the local administrator group on a system, so it may be difficult to target detection on all variations. Efforts should likely be placed on mitigation and collecting enough information on process launches and actions that could be performed before and after a UAC bypass is performed. Some UAC bypass methods rely on modifying specific, user-accessible Registry settings. Analysts should monitor Registry settings for unauthorized changes.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_permissions_required": [ + "Administrator", + "User" + ], + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows", + "Office 365", + "IaaS", + "Google Workspace", + "Azure AD" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-02 00:47:11.369000+00:00\", \"old_value\": \"2023-04-21 12:35:07.744000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}, \"iterable_item_added\": {\"root['x_mitre_data_sources'][1]\": \"User Account: User Account Modification\", \"root['x_mitre_platforms'][3]\": \"Office 365\", \"root['x_mitre_platforms'][4]\": \"IaaS\", \"root['x_mitre_platforms'][5]\": \"Google Workspace\", \"root['x_mitre_platforms'][6]\": \"Azure AD\"}}", + "previous_version": "1.1", + "version_change": "1.1 \u2192 1.2", + "changelog_mitigations": { + "shared": [ + "M1022: Restrict File and Directory Permissions", + "M1026: Privileged Account Management", + "M1028: Operating System Configuration", + "M1038: Execution Prevention", + "M1047: Audit", + "M1052: User Account Control" + ], + "new": [ + "M1018: User Account Management" + ], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (OS API Execution)", + "DS0009: Process (Process Creation)", + "DS0009: Process (Process Metadata)", + "DS0017: Command (Command Execution)", + "DS0022: File (File Metadata)", + "DS0022: File (File Modification)", + "DS0024: Windows Registry (Windows Registry Key Modification)" + ], + "new": [ + "DS0002: User Account (User Account Modification)" + ], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--86850eff-2729-40c3-b85e-c4af26da4a2d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-02-18 16:39:06.289000+00:00", + "modified": "2023-09-29 21:08:45.174000+00:00", + "name": "Token Impersonation/Theft", + "description": "Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access controls. For example, an adversary can duplicate an existing token using `DuplicateToken` or `DuplicateTokenEx`. The token can then be used with `ImpersonateLoggedOnUser` to allow the calling thread to impersonate a logged on user's security context, or with `SetThreadToken` to assign the impersonated token to a thread.\n\nAn adversary may perform [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) when they have a specific, existing process they want to assign the duplicated token to. For example, this may be useful for when the target user has a non-network logon session on the system.\n\nWhen an adversary would instead use a duplicated token to create a new process rather than attaching to an existing process, they can additionally [Create Process with Token](https://attack.mitre.org/techniques/T1134/002) using `CreateProcessWithTokenW` or `CreateProcessAsUserW`. [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) is also distinct from [Make and Impersonate Token](https://attack.mitre.org/techniques/T1134/003) in that it refers to duplicating an existing token, rather than creating a new one.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1134/001", + "external_id": "T1134.001" + }, + { + "source_name": "Microsoft Command-line Logging", + "description": "Mathers, B. (2017, March 7). Command line process auditing. Retrieved April 21, 2017.", + "url": "https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Jonny Johnson" + ], + "x_mitre_data_sources": [ + "Command: Command Execution", + "Process: OS API Execution" + ], + "x_mitre_defense_bypassed": [ + "Windows User Account Control", + "System access controls", + "File system access controls" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "If an adversary is using a standard command-line shell, analysts can detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command. Detailed command-line logging is not enabled by default in Windows.(Citation: Microsoft Command-line Logging)\n\nAnalysts can also monitor for use of Windows APIs such as DuplicateToken(Ex), ImpersonateLoggedOnUser , and SetThreadToken and correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-29 21:08:45.174000+00:00\", \"old_value\": \"2023-04-11 21:19:05.544000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}}", + "previous_version": "1.1", + "version_change": "1.1 \u2192 1.2", + "changelog_mitigations": { + "shared": [ + "M1018: User Account Management", + "M1026: Privileged Account Management" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (OS API Execution)", + "DS0017: Command (Command Execution)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--a10641f4-87b4-45a3-a906-92a149cb2c27", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:31:12.196000+00:00", + "modified": "2023-10-16 17:45:54.884000+00:00", + "name": "Account Manipulation", + "description": "Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. \n\nIn order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged [Valid Accounts](https://attack.mitre.org/techniques/T1078).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1098", + "external_id": "T1098" + }, + { + "source_name": "Microsoft Security Event 4670", + "description": "Franklin Smith, R. (n.d.). Windows Security Log Event ID 4670. Retrieved November 4, 2019.", + "url": "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4670" + }, + { + "source_name": "Microsoft User Modified Event", + "description": "Lich, B., Miroshnikov, A. (2017, April 5). 4738(S): A user account was changed. Retrieved June 30, 2017.", + "url": "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738" + }, + { + "source_name": "InsiderThreat ChangeNTLM July 2017", + "description": "Warren, J. (2017, July 11). Manipulating User Passwords with Mimikatz. Retrieved December 4, 2017.", + "url": "https://blog.stealthbits.com/manipulating-user-passwords-with-mimikatz-SetNTLM-ChangeNTLM" + }, + { + "source_name": "GitHub Mimikatz Issue 92 June 2017", + "description": "Warren, J. (2017, June 22). lsadump::changentlm and lsadump::setntlm work, but generate Windows events #92. Retrieved December 4, 2017.", + "url": "https://github.com/gentilkiwi/mimikatz/issues/92" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Jannie Li, Microsoft Threat Intelligence\u202fCenter\u202f(MSTIC)", + "Praetorian", + "Tim MalcomVetter", + "Wojciech Lesicki", + "Arad Inbar, Fidelis Security" + ], + "x_mitre_data_sources": [ + "Command: Command Execution", + "Process: Process Creation", + "Active Directory: Active Directory Object Modification", + "File: File Modification", + "Group: Group Modification", + "User Account: User Account Modification" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Collect events that correlate with changes to account objects and/or permissions on systems and the domain, such as event IDs 4738, 4728 and 4670.(Citation: Microsoft User Modified Event)(Citation: Microsoft Security Event 4670)(Citation: Microsoft Security Event 4670) Monitor for modification of accounts in correlation with other suspicious activity. Changes may occur at unusual times or from unusual systems. Especially flag events where the subject and target accounts differ(Citation: InsiderThreat ChangeNTLM July 2017) or that include additional flags such as changing a password without knowledge of the old password.(Citation: GitHub Mimikatz Issue 92 June 2017)\n\nMonitor for use of credentials at unusual times or to unusual systems or services. This may also correlate with other suspicious activity.\n\nMonitor for unusual permissions changes that may indicate excessively broad permissions being granted to compromised accounts. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged [Valid Accounts](https://attack.mitre.org/techniques/T1078)", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "Azure AD", + "Office 365", + "IaaS", + "Linux", + "macOS", + "Google Workspace", + "SaaS", + "Network", + "Containers" + ], + "x_mitre_version": "2.6", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-16 17:45:54.884000+00:00\", \"old_value\": \"2023-04-12 23:29:30.966000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. \\n\\nIn order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged [Valid Accounts](https://attack.mitre.org/techniques/T1078).\", \"old_value\": \"Adversaries may manipulate accounts to maintain access to victim systems. Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. \\n\\nIn order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged [Valid Accounts](https://attack.mitre.org/techniques/T1078).\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,3 @@\\n-Adversaries may manipulate accounts to maintain access to victim systems. Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. \\n+Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. \\n \\n In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged [Valid Accounts](https://attack.mitre.org/techniques/T1078).\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.6\", \"old_value\": \"2.5\"}}, \"iterable_item_added\": {\"root['kill_chain_phases'][1]\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"privilege-escalation\"}, \"root['x_mitre_contributors'][4]\": \"Arad Inbar, Fidelis Security\", \"root['x_mitre_platforms'][9]\": \"Containers\"}}", + "previous_version": "2.5", + "version_change": "2.5 \u2192 2.6", + "description_change_table": "\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n

    		Old Description
    		New Description
    t1Adversaries may manipulate accounts to maintain access to vit1Adversaries may manipulate accounts to maintain and/or eleva
    >ctim systems. Account manipulation may consist of any action>te access to victim systems. Account manipulation may consis
    > that preserves adversary access to a compromised account, s>t of any action that preserves or modifies adversary access 
    >uch as modifying credentials or permission groups. These act>to a compromised account, such as modifying credentials or p
    >ions could also include account activity designed to subvert>ermission groups. These actions could also include account a
    > security policies, such as performing iterative password up>ctivity designed to subvert security policies, such as perfo
    >dates to bypass password duration policies and preserve the >rming iterative password updates to bypass password duration
    >life of compromised credentials.   In order to create or man> policies and preserve the life of compromised credentials. 
    >ipulate accounts, the adversary must already have sufficient>  In order to create or manipulate accounts, the adversary m
    > permissions on systems or the domain. However, account mani>ust already have sufficient permissions on systems or the do
    >pulation may also lead to privilege escalation where modific>main. However, account manipulation may also lead to privile
    >ations grant access to additional roles, permissions, or hig>ge escalation where modifications grant access to additional
    >her-privileged [Valid Accounts](https://attack.mitre.org/tec> roles, permissions, or higher-privileged [Valid Accounts](h
    >hniques/T1078).>ttps://attack.mitre.org/techniques/T1078).
    ", + "changelog_mitigations": { + "shared": [ + "M1018: User Account Management", + "M1026: Privileged Account Management", + "M1028: Operating System Configuration", + "M1030: Network Segmentation", + "M1032: Multi-factor Authentication" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0002: User Account (User Account Modification)", + "DS0009: Process (Process Creation)", + "DS0017: Command (Command Execution)", + "DS0022: File (File Modification)", + "DS0026: Active Directory (Active Directory Object Modification)", + "DS0036: Group (Group Modification)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--8a2f40cf-8325-47f9-96e4-b1ca4c7389bd", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-01-19 16:10:15.008000+00:00", + "modified": "2023-10-03 17:37:24.011000+00:00", + "name": "Additional Cloud Credentials", + "description": "Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.\n\nFor example, adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\n\nIn infrastructure-as-a-service (IaaS) environments, after gaining access through [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries may generate or import their own SSH keys using either the CreateKeyPair or ImportKeyPair API in AWS or the gcloud compute os-login ssh-keys add command in GCP.(Citation: GCP SSH Key Add) This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind the Scenes)\n\nAdversaries may also use the CreateAccessKey API in AWS or the gcloud iam service-accounts keys create command in GCP to add access keys to an account. If the target account has different permissions from the requesting account, the adversary may also be able to escalate their privileges in the environment (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation: Rhino Security Labs AWS Privilege Escalation)(Citation: Sysdig ScarletEel 2.0) For example, in Azure AD environments, an adversary with the Application Administrator role can add a new set of credentials to their application's service principal. In doing so the adversary would be able to access the service principal\u2019s roles and permissions, which may be different from those of the Application Administrator.(Citation: SpecterOps Azure Privilege Escalation) \n\nIn AWS environments, adversaries with the appropriate permissions may also use the `sts:GetFederationToken` API call to create a temporary set of credentials tied to the permissions of the original user account. These credentials may remain valid for the duration of their lifetime even if the original account\u2019s API credentials are deactivated.\n(Citation: Crowdstrike AWS User Federation Persistence)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1098/001", + "external_id": "T1098.001" + }, + { + "source_name": "Crowdstrike AWS User Federation Persistence", + "description": " Vaishnav Murthy and Joel Eng. (2023, January 30). How Adversaries Can Persist with AWS User Federation. Retrieved March 10, 2023.", + "url": "https://www.crowdstrike.com/blog/how-adversaries-persist-with-aws-user-federation/" + }, + { + "source_name": "Expel IO Evil in AWS", + "description": "A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding Evil in AWS. Retrieved June 25, 2020.", + "url": "https://expel.io/blog/finding-evil-in-aws/" + }, + { + "source_name": "SpecterOps Azure Privilege Escalation", + "description": "Andy Robbins. (2021, October 12). Azure Privilege Escalation via Service Principal Abuse. Retrieved April 1, 2022.", + "url": "https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5" + }, + { + "source_name": "Demystifying Azure AD Service Principals", + "description": "Bellavance, Ned. (2019, July 16). Demystifying Azure AD Service Principals. Retrieved January 19, 2020.", + "url": "https://nedinthecloud.com/2019/07/16/demystifying-azure-ad-service-principals/" + }, + { + "source_name": "GCP SSH Key Add", + "description": "Google. (n.d.). gcloud compute os-login ssh-keys add. Retrieved October 1, 2020.", + "url": "https://cloud.google.com/sdk/gcloud/reference/compute/os-login/ssh-keys/add" + }, + { + "source_name": "Blue Cloud of Death Video", + "description": "Kunz, Bruce. (2018, October 14). Blue Cloud of Death: Red Teaming Azure. Retrieved November 21, 2019.", + "url": "https://www.youtube.com/watch?v=wQ1CuAPnrLM&feature=youtu.be&t=2815" + }, + { + "source_name": "Blue Cloud of Death", + "description": "Kunz, Bryce. (2018, May 11). Blue Cloud of Death: Red Teaming Azure. Retrieved October 23, 2019.", + "url": "https://speakerdeck.com/tweekfawkes/blue-cloud-of-death-red-teaming-azure-1" + }, + { + "source_name": "Microsoft SolarWinds Customer Guidance", + "description": "MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 17, 2020.", + "url": "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/" + }, + { + "source_name": "Expel Behind the Scenes", + "description": "S. Lipton, L. Easterly, A. Randazzo and J. Hencinski. (2020, July 28). Behind the scenes in the Expel SOC: Alert-to-fix in AWS. Retrieved October 1, 2020.", + "url": "https://expel.io/blog/behind-the-scenes-expel-soc-alert-aws/" + }, + { + "source_name": "Sysdig ScarletEel 2.0", + "description": "SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto. (2023, July 11). SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto. Retrieved July 12, 2023.", + "url": "https://sysdig.com/blog/scarleteel-2-0/" + }, + { + "source_name": "Rhino Security Labs AWS Privilege Escalation", + "description": "Spencer Gietzen. (n.d.). AWS IAM Privilege Escalation \u2013 Methods and Mitigation. Retrieved May 27, 2022.", + "url": "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Expel", + "Oleg Kolesnikov, Securonix", + "Jannie Li, Microsoft Threat Intelligence\u202fCenter\u202f(MSTIC)", + "Zur Ulianitzky, XM Cyber", + "Alex Soler, AttackIQ", + "Dylan Silva, AWS Security", + "Arad Inbar, Fidelis Security" + ], + "x_mitre_data_sources": [ + "User Account: User Account Modification" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor Azure Activity Logs for Service Principal and Application modifications. Monitor for the usage of APIs that create or import SSH keys, particularly by unexpected users or accounts such as the root account.\n\nMonitor for use of credentials at unusual times or to unusual systems or services. This may also correlate with other suspicious activity.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "IaaS", + "Azure AD", + "SaaS" + ], + "x_mitre_version": "2.6", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-03 17:37:24.011000+00:00\", \"old_value\": \"2023-05-04 18:03:36.622000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.\\n\\nFor example, adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\\n\\nIn infrastructure-as-a-service (IaaS) environments, after gaining access through [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries may generate or import their own SSH keys using either the CreateKeyPair or ImportKeyPair API in AWS or the gcloud compute os-login ssh-keys add command in GCP.(Citation: GCP SSH Key Add) This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind the Scenes)\\n\\nAdversaries may also use the CreateAccessKey API in AWS or the gcloud iam service-accounts keys create command in GCP to add access keys to an account. If the target account has different permissions from the requesting account, the adversary may also be able to escalate their privileges in the environment (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation: Rhino Security Labs AWS Privilege Escalation)(Citation: Sysdig ScarletEel 2.0) For example, in Azure AD environments, an adversary with the Application Administrator role can add a new set of credentials to their application's service principal. In doing so the adversary would be able to access the service principal\\u2019s roles and permissions, which may be different from those of the Application Administrator.(Citation: SpecterOps Azure Privilege Escalation) \\n\\nIn AWS environments, adversaries with the appropriate permissions may also use the `sts:GetFederationToken` API call to create a temporary set of credentials tied to the permissions of the original user account. These credentials may remain valid for the duration of their lifetime even if the original account\\u2019s API credentials are deactivated.\\n(Citation: Crowdstrike AWS User Federation Persistence)\", \"old_value\": \"Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.\\n\\nFor example, adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\\n\\nIn infrastructure-as-a-service (IaaS) environments, after gaining access through [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries may generate or import their own SSH keys using either the CreateKeyPair or ImportKeyPair API in AWS or the gcloud compute os-login ssh-keys add command in GCP.(Citation: GCP SSH Key Add) This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind the Scenes)\\n\\nAdversaries may also use the CreateAccessKey API in AWS or the gcloud iam service-accounts keys create command in GCP to add access keys to an account. If the target account has different permissions from the requesting account, the adversary may also be able to escalate their privileges in the environment (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation: Rhino Security Labs AWS Privilege Escalation)\\n\\nIn AWS environments, adversaries with the appropriate permissions may also use the `sts:GetFederationToken` API call to create a temporary set of credentials tied to the permissions of the original user account. These credentials may remain valid for the duration of their lifetime even if the original account\\u2019s API credentials are deactivated.\\n(Citation: Crowdstrike AWS User Federation Persistence)\", \"diff\": \"--- \\n+++ \\n@@ -4,7 +4,7 @@\\n \\n In infrastructure-as-a-service (IaaS) environments, after gaining access through [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries may generate or import their own SSH keys using either the CreateKeyPair or ImportKeyPair API in AWS or the gcloud compute os-login ssh-keys add command in GCP.(Citation: GCP SSH Key Add) This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind the Scenes)\\n \\n-Adversaries may also use the CreateAccessKey API in AWS or the gcloud iam service-accounts keys create command in GCP to add access keys to an account. If the target account has different permissions from the requesting account, the adversary may also be able to escalate their privileges in the environment (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation: Rhino Security Labs AWS Privilege Escalation)\\n+Adversaries may also use the CreateAccessKey API in AWS or the gcloud iam service-accounts keys create command in GCP to add access keys to an account. If the target account has different permissions from the requesting account, the adversary may also be able to escalate their privileges in the environment (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation: Rhino Security Labs AWS Privilege Escalation)(Citation: Sysdig ScarletEel 2.0) For example, in Azure AD environments, an adversary with the Application Administrator role can add a new set of credentials to their application's service principal. In doing so the adversary would be able to access the service principal\\u2019s roles and permissions, which may be different from those of the Application Administrator.(Citation: SpecterOps Azure Privilege Escalation) \\n \\n In AWS environments, adversaries with the appropriate permissions may also use the `sts:GetFederationToken` API call to create a temporary set of credentials tied to the permissions of the original user account. These credentials may remain valid for the duration of their lifetime even if the original account\\u2019s API credentials are deactivated.\\n (Citation: Crowdstrike AWS User Federation Persistence)\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.6\", \"old_value\": \"2.5\"}}, \"iterable_item_added\": {\"root['kill_chain_phases'][1]\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"privilege-escalation\"}, \"root['external_references'][3]\": {\"source_name\": \"SpecterOps Azure Privilege Escalation\", \"description\": \"Andy Robbins. (2021, October 12). Azure Privilege Escalation via Service Principal Abuse. Retrieved April 1, 2022.\", \"url\": \"https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5\"}, \"root['external_references'][10]\": {\"source_name\": \"Sysdig ScarletEel 2.0\", \"description\": \"SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto. (2023, July 11). SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto. Retrieved July 12, 2023.\", \"url\": \"https://sysdig.com/blog/scarleteel-2-0/\"}, \"root['x_mitre_contributors'][6]\": \"Arad Inbar, Fidelis Security\"}}", + "previous_version": "2.5", + "version_change": "2.5 \u2192 2.6", + "description_change_table": "\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n

    		Old Description
    		New Description
    t1Adversaries may add adversary-controlled credentials to a clt1Adversaries may add adversary-controlled credentials to a cl
    >oud account to maintain persistent access to victim accounts>oud account to maintain persistent access to victim accounts
    > and instances within the environment.  For example, adversa> and instances within the environment.  For example, adversa
    >ries may add credentials for Service Principals and Applicat>ries may add credentials for Service Principals and Applicat
    >ions in addition to existing legitimate credentials in Azure>ions in addition to existing legitimate credentials in Azure
    > AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citat> AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citat
    >ion: Blue Cloud of Death)(Citation: Blue Cloud of Death Vide>ion: Blue Cloud of Death)(Citation: Blue Cloud of Death Vide
    >o) These credentials include both x509 keys and passwords.(C>o) These credentials include both x509 keys and passwords.(C
    >itation: Microsoft SolarWinds Customer Guidance) With suffic>itation: Microsoft SolarWinds Customer Guidance) With suffic
    >ient permissions, there are a variety of ways to add credent>ient permissions, there are a variety of ways to add credent
    >ials including the Azure Portal, Azure command line interfac>ials including the Azure Portal, Azure command line interfac
    >e, and Azure or Az PowerShell modules.(Citation: Demystifyin>e, and Azure or Az PowerShell modules.(Citation: Demystifyin
    >g Azure AD Service Principals)  In infrastructure-as-a-servi>g Azure AD Service Principals)  In infrastructure-as-a-servi
    >ce (IaaS) environments, after gaining access through [Cloud >ce (IaaS) environments, after gaining access through [Cloud 
    >Accounts](https://attack.mitre.org/techniques/T1078/004), ad>Accounts](https://attack.mitre.org/techniques/T1078/004), ad
    >versaries may generate or import their own SSH keys using ei>versaries may generate or import their own SSH keys using ei
    >ther the <code>CreateKeyPair</code> or <code>ImportKeyPair</>ther the <code>CreateKeyPair</code> or <code>ImportKeyPair</
    >code> API in AWS or the <code>gcloud compute os-login ssh-ke>code> API in AWS or the <code>gcloud compute os-login ssh-ke
    >ys add</code> command in GCP.(Citation: GCP SSH Key Add) Thi>ys add</code> command in GCP.(Citation: GCP SSH Key Add) Thi
    >s allows persistent access to instances within the cloud env>s allows persistent access to instances within the cloud env
    >ironment without further usage of the compromised cloud acco>ironment without further usage of the compromised cloud acco
    >unts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind>unts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind
    > the Scenes)  Adversaries may also use the <code>CreateAcces> the Scenes)  Adversaries may also use the <code>CreateAcces
    >sKey</code> API in AWS or the <code>gcloud iam service-accou>sKey</code> API in AWS or the <code>gcloud iam service-accou
    >nts keys create</code> command in GCP to add access keys to >nts keys create</code> command in GCP to add access keys to 
    >an account. If the target account has different permissions >an account. If the target account has different permissions 
    >from the requesting account, the adversary may also be able >from the requesting account, the adversary may also be able 
    >to escalate their privileges in the environment (i.e. [Cloud>to escalate their privileges in the environment (i.e. [Cloud
    > Accounts](https://attack.mitre.org/techniques/T1078/004)).(> Accounts](https://attack.mitre.org/techniques/T1078/004)).(
    >Citation: Rhino Security Labs AWS Privilege Escalation)  In >Citation: Rhino Security Labs AWS Privilege Escalation)(Cita
    >AWS environments, adversaries with the appropriate permissio>tion: Sysdig ScarletEel 2.0) For example, in Azure AD enviro
    >ns may also use the `sts:GetFederationToken` API call to cre>nments, an adversary with the Application Administrator role
    >ate a temporary set of credentials tied to the permissions o> can add a new set of credentials to their application's ser
    >f the original user account. These credentials may remain va>vice principal. In doing so the adversary would be able to a
    >lid for the duration of their lifetime even if the original >ccess the service principal\u2019s roles and permissions, which m
    >account\u2019s API credentials are deactivated. (Citation: Crowds>ay be different from those of the Application Administrator.
    >trike AWS User Federation Persistence)>(Citation: SpecterOps Azure Privilege Escalation)   In AWS e
     >nvironments, adversaries with the appropriate permissions ma
     >y also use the `sts:GetFederationToken` API call to create a
     > temporary set of credentials tied to the permissions of the
     > original user account. These credentials may remain valid f
     >or the duration of their lifetime even if the original accou
     >nt\u2019s API credentials are deactivated. (Citation: Crowdstrike
     > AWS User Federation Persistence)
    ", + "changelog_mitigations": { + "shared": [ + "M1018: User Account Management", + "M1026: Privileged Account Management", + "M1030: Network Segmentation", + "M1032: Multi-factor Authentication" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0002: User Account (User Account Modification)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-01-19 16:59:45.362000+00:00", + "modified": "2023-10-03 17:37:41.250000+00:00", + "name": "Additional Cloud Roles", + "description": "An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments.(Citation: AWS IAM Policies and Permissions)(Citation: Google Cloud IAM Policies)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: Microsoft O365 Admin Roles) With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins).(Citation: Expel AWS Attacker)\n(Citation: Microsoft O365 Admin Roles) \n\nThis account modification may immediately follow [Create Account](https://attack.mitre.org/techniques/T1136) or other malicious account activity. Adversaries may also modify existing [Valid Accounts](https://attack.mitre.org/techniques/T1078) that they have compromised. This could lead to privilege escalation, particularly if the roles added allow for lateral movement to additional accounts.\n\nFor example, in AWS environments, an adversary with appropriate permissions may be able to use the CreatePolicyVersion API to define a new version of an IAM policy or the AttachUserPolicy API to attach an IAM policy with additional or distinct permissions to a compromised user account.(Citation: Rhino Security Labs AWS Privilege Escalation)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1098/003", + "external_id": "T1098.003" + }, + { + "source_name": "Expel AWS Attacker", + "description": " Brian Bahtiarian, David Blanton, Britton Manahan and Kyle Pellett. (2022, April 5). Incident report: From CLI to console, chasing an attacker in AWS. Retrieved April 7, 2022.", + "url": "https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/" + }, + { + "source_name": "Microsoft O365 Admin Roles", + "description": "Ako-Adjei, K., Dickhaus, M., Baumgartner, P., Faigel, D., et. al.. (2019, October 8). About admin roles. Retrieved October 18, 2019.", + "url": "https://docs.microsoft.com/en-us/office365/admin/add-users/about-admin-roles?view=o365-worldwide" + }, + { + "source_name": "AWS IAM Policies and Permissions", + "description": "AWS. (n.d.). Policies and permissions in IAM. Retrieved April 1, 2022.", + "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html" + }, + { + "source_name": "Google Cloud IAM Policies", + "description": "Google Cloud. (2022, March 31). Understanding policies. Retrieved April 1, 2022.", + "url": "https://cloud.google.com/iam/docs/policies" + }, + { + "source_name": "Microsoft Support O365 Add Another Admin, October 2019", + "description": "Microsoft. (n.d.). Add Another Admin. Retrieved October 18, 2019.", + "url": "https://support.office.com/en-us/article/add-another-admin-f693489f-9f55-4bd0-a637-a81ce93de22d" + }, + { + "source_name": "Rhino Security Labs AWS Privilege Escalation", + "description": "Spencer Gietzen. (n.d.). AWS IAM Privilege Escalation \u2013 Methods and Mitigation. Retrieved May 27, 2022.", + "url": "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Microsoft Threat Intelligence Center (MSTIC)", + "Alex Parsons, Crowdstrike", + "Chris Romano, Crowdstrike", + "Wojciech Lesicki", + "Pi\u00e0 Consigny, Tenable", + "Cl\u00e9ment Notin, Tenable", + "Praetorian", + "Alex Soler, AttackIQ", + "Arad Inbar, Fidelis Security" + ], + "x_mitre_data_sources": [ + "User Account: User Account Modification" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Collect activity logs from IAM services and cloud administrator accounts to identify unusual activity in the assignment of roles to those accounts. Monitor for accounts assigned to admin roles that go over a certain threshold of known admins. ", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Office 365", + "IaaS", + "SaaS", + "Google Workspace", + "Azure AD" + ], + "x_mitre_version": "2.3", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-03 17:37:41.250000+00:00\", \"old_value\": \"2023-04-14 22:48:50.142000+00:00\"}, \"root['description']\": {\"new_value\": \"An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments.(Citation: AWS IAM Policies and Permissions)(Citation: Google Cloud IAM Policies)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: Microsoft O365 Admin Roles) With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins).(Citation: Expel AWS Attacker)\\n(Citation: Microsoft O365 Admin Roles) \\n\\nThis account modification may immediately follow [Create Account](https://attack.mitre.org/techniques/T1136) or other malicious account activity. Adversaries may also modify existing [Valid Accounts](https://attack.mitre.org/techniques/T1078) that they have compromised. This could lead to privilege escalation, particularly if the roles added allow for lateral movement to additional accounts.\\n\\nFor example, in AWS environments, an adversary with appropriate permissions may be able to use the CreatePolicyVersion API to define a new version of an IAM policy or the AttachUserPolicy API to attach an IAM policy with additional or distinct permissions to a compromised user account.(Citation: Rhino Security Labs AWS Privilege Escalation)\", \"old_value\": \"An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments.(Citation: AWS IAM Policies and Permissions)(Citation: Google Cloud IAM Policies)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: Microsoft O365 Admin Roles) With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins).(Citation: Expel AWS Attacker)\\n(Citation: Microsoft O365 Admin Roles) \\n\\nThis account modification may immediately follow [Create Account](https://attack.mitre.org/techniques/T1136) or other malicious account activity. Adversaries may also modify existing [Valid Accounts](https://attack.mitre.org/techniques/T1078) that they have compromised. This could lead to privilege escalation, particularly if the roles added allow for lateral movement to additional accounts.\\n\\nFor example, in Azure AD environments, an adversary with the Application Administrator role can add [Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) to their application's service principal. In doing so the adversary would be able to gain the service principal\\u2019s roles and permissions, which may be different from those of the Application Administrator.(Citation: SpecterOps Azure Privilege Escalation) Similarly, in AWS environments, an adversary with appropriate permissions may be able to use the CreatePolicyVersion API to define a new version of an IAM policy or the AttachUserPolicy API to attach an IAM policy with additional or distinct permissions to a compromised user account.(Citation: Rhino Security Labs AWS Privilege Escalation)\\n\\nSimilarly, an adversary with the Azure AD Global Administrator role can toggle the \\u201cAccess management for Azure resources\\u201d option to gain the ability to assign privileged access to Azure subscriptions and virtual machines to Azure AD users, including themselves.(Citation: Azure AD to AD) \", \"diff\": \"--- \\n+++ \\n@@ -3,6 +3,4 @@\\n \\n This account modification may immediately follow [Create Account](https://attack.mitre.org/techniques/T1136) or other malicious account activity. Adversaries may also modify existing [Valid Accounts](https://attack.mitre.org/techniques/T1078) that they have compromised. This could lead to privilege escalation, particularly if the roles added allow for lateral movement to additional accounts.\\n \\n-For example, in Azure AD environments, an adversary with the Application Administrator role can add [Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) to their application's service principal. In doing so the adversary would be able to gain the service principal\\u2019s roles and permissions, which may be different from those of the Application Administrator.(Citation: SpecterOps Azure Privilege Escalation) Similarly, in AWS environments, an adversary with appropriate permissions may be able to use the CreatePolicyVersion API to define a new version of an IAM policy or the AttachUserPolicy API to attach an IAM policy with additional or distinct permissions to a compromised user account.(Citation: Rhino Security Labs AWS Privilege Escalation)\\n-\\n-Similarly, an adversary with the Azure AD Global Administrator role can toggle the \\u201cAccess management for Azure resources\\u201d option to gain the ability to assign privileged access to Azure subscriptions and virtual machines to Azure AD users, including themselves.(Citation: Azure AD to AD) \\n+For example, in AWS environments, an adversary with appropriate permissions may be able to use the CreatePolicyVersion API to define a new version of an IAM policy or the AttachUserPolicy API to attach an IAM policy with additional or distinct permissions to a compromised user account.(Citation: Rhino Security Labs AWS Privilege Escalation)\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.3\", \"old_value\": \"2.2\"}}, \"iterable_item_added\": {\"root['kill_chain_phases'][1]\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"privilege-escalation\"}, \"root['x_mitre_contributors'][8]\": \"Arad Inbar, Fidelis Security\"}, \"iterable_item_removed\": {\"root['external_references'][3]\": {\"source_name\": \"SpecterOps Azure Privilege Escalation\", \"description\": \"Andy Robbins. (2021, October 12). Azure Privilege Escalation via Service Principal Abuse. Retrieved April 1, 2022.\", \"url\": \"https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5\"}, \"root['external_references'][7]\": {\"source_name\": \"Azure AD to AD\", \"description\": \"Sean Metcalf. (2020, May 27). From Azure AD to Active Directory (via Azure) \\u2013 An Unanticipated Attack Path. Retrieved September 28, 2022.\", \"url\": \"https://adsecurity.org/?p=4277\"}}}", + "previous_version": "2.2", + "version_change": "2.2 \u2192 2.3", + "description_change_table": "\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n

    		Old Description
    		New Description
    t1An adversary may add additional roles or permissions to an at1An adversary may add additional roles or permissions to an a
    >dversary-controlled cloud account to maintain persistent acc>dversary-controlled cloud account to maintain persistent acc
    >ess to a tenant. For example, adversaries may update IAM pol>ess to a tenant. For example, adversaries may update IAM pol
    >icies in cloud-based environments or add a new global admini>icies in cloud-based environments or add a new global admini
    >strator in Office 365 environments.(Citation: AWS IAM Polici>strator in Office 365 environments.(Citation: AWS IAM Polici
    >es and Permissions)(Citation: Google Cloud IAM Policies)(Cit>es and Permissions)(Citation: Google Cloud IAM Policies)(Cit
    >ation: Microsoft Support O365 Add Another Admin, October 201>ation: Microsoft Support O365 Add Another Admin, October 201
    >9)(Citation: Microsoft O365 Admin Roles) With sufficient per>9)(Citation: Microsoft O365 Admin Roles) With sufficient per
    >missions, a compromised account can gain almost unlimited ac>missions, a compromised account can gain almost unlimited ac
    >cess to data and settings (including the ability to reset th>cess to data and settings (including the ability to reset th
    >e passwords of other admins).(Citation: Expel AWS Attacker) >e passwords of other admins).(Citation: Expel AWS Attacker) 
    >(Citation: Microsoft O365 Admin Roles)   This account modifi>(Citation: Microsoft O365 Admin Roles)   This account modifi
    >cation may immediately follow [Create Account](https://attac>cation may immediately follow [Create Account](https://attac
    >k.mitre.org/techniques/T1136) or other malicious account act>k.mitre.org/techniques/T1136) or other malicious account act
    >ivity. Adversaries may also modify existing [Valid Accounts]>ivity. Adversaries may also modify existing [Valid Accounts]
    >(https://attack.mitre.org/techniques/T1078) that they have c>(https://attack.mitre.org/techniques/T1078) that they have c
    >ompromised. This could lead to privilege escalation, particu>ompromised. This could lead to privilege escalation, particu
    >larly if the roles added allow for lateral movement to addit>larly if the roles added allow for lateral movement to addit
    >ional accounts.  For example, in Azure AD environments, an a>ional accounts.  For example, in AWS environments, an advers
    >dversary with the Application Administrator role can add [Ad>ary with appropriate permissions may be able to use the <cod
    >ditional Cloud Credentials](https://attack.mitre.org/techniq>e>CreatePolicyVersion</code> API to define a new version of 
    >ues/T1098/001) to their application's service principal. In >an IAM policy or the <code>AttachUserPolicy</code> API to at
    >doing so the adversary would be able to gain the service pri>tach an IAM policy with additional or distinct permissions t
    >ncipal\u2019s roles and permissions, which may be different from >o a compromised user account.(Citation: Rhino Security Labs 
    >those of the Application Administrator.(Citation: SpecterOps>AWS Privilege Escalation)
    > Azure Privilege Escalation) Similarly, in AWS environments, 
    > an adversary with appropriate permissions may be able to us 
    >e the <code>CreatePolicyVersion</code> API to define a new v 
    >ersion of an IAM policy or the <code>AttachUserPolicy</code> 
    > API to attach an IAM policy with additional or distinct per 
    >missions to a compromised user account.(Citation: Rhino Secu 
    >rity Labs AWS Privilege Escalation)  Similarly, an adversary 
    > with the Azure AD Global Administrator role can toggle the  
    >\u201cAccess management for Azure resources\u201d option to gain the a 
    >bility to assign privileged access to Azure subscriptions an 
    >d virtual machines to Azure AD users, including themselves.( 
    >Citation: Azure AD to AD)  
    ", + "changelog_mitigations": { + "shared": [ + "M1018: User Account Management", + "M1026: Privileged Account Management", + "M1032: Multi-factor Authentication" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0002: User Account (User Account Modification)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--e74de37c-a829-446c-937d-56a44f0e9306", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-01-19 16:54:28.516000+00:00", + "modified": "2023-10-03 17:38:00.554000+00:00", + "name": "Additional Email Delegate Permissions", + "description": "Adversaries may grant additional permission levels to maintain persistent access to an adversary-controlled email account. \n\nFor example, the Add-MailboxPermission [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlet, available in on-premises Exchange and in the cloud-based service Office 365, adds permissions to a mailbox.(Citation: Microsoft - Add-MailboxPermission)(Citation: FireEye APT35 2018)(Citation: Crowdstrike Hiding in Plain Sight 2018) In Google Workspace, delegation can be enabled via the Google Admin console and users can delegate accounts via their Gmail settings.(Citation: Gmail Delegation)(Citation: Google Ensuring Your Information is Safe) \n\nAdversaries may also assign mailbox folder permissions through individual folder permissions or roles. In Office 365 environments, adversaries may assign the Default or Anonymous user permissions or roles to the Top of Information Store (root), Inbox, or other mailbox folders. By assigning one or both user permissions to a folder, the adversary can utilize any other account in the tenant to maintain persistence to the target user\u2019s mail folders.(Citation: Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452)\n\nThis may be used in persistent threat incidents as well as BEC (Business Email Compromise) incidents where an adversary can add [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003) to the accounts they wish to compromise. This may further enable use of additional techniques for gaining access to systems. For example, compromised business accounts are often used to send messages to other accounts in the network of the target business while creating inbox rules (ex: [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)), so the messages evade spam/phishing detection mechanisms.(Citation: Bienstock, D. - Defending O365 - 2019)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1098/002", + "external_id": "T1098.002" + }, + { + "source_name": "Bienstock, D. - Defending O365 - 2019", + "description": "Bienstock, D.. (2019). BECS and Beyond: Investigating and Defending O365. Retrieved September 13, 2019.", + "url": "https://www.slideshare.net/DouglasBienstock/shmoocon-2019-becs-and-beyond-investigating-and-defending-office-365" + }, + { + "source_name": "Crowdstrike Hiding in Plain Sight 2018", + "description": "Crowdstrike. (2018, July 18). Hiding in Plain Sight: Using the Office 365 Activities API to Investigate Business Email Compromises. Retrieved January 19, 2020.", + "url": "https://www.crowdstrike.com/blog/hiding-in-plain-sight-using-the-office-365-activities-api-to-investigate-business-email-compromises/" + }, + { + "source_name": "Google Ensuring Your Information is Safe", + "description": "Google. (2011, June 1). Ensuring your information is safe online. Retrieved April 1, 2022.", + "url": "https://googleblog.blogspot.com/2011/06/ensuring-your-information-is-safe.html" + }, + { + "source_name": "Gmail Delegation", + "description": "Google. (n.d.). Turn Gmail delegation on or off. Retrieved April 1, 2022.", + "url": "https://support.google.com/a/answer/7223765?hl=en" + }, + { + "source_name": "FireEye APT35 2018", + "description": "Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018.", + "url": "https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf" + }, + { + "source_name": "Microsoft - Add-MailboxPermission", + "description": "Microsoft. (n.d.). Add-Mailbox Permission. Retrieved September 13, 2019.", + "url": "https://docs.microsoft.com/en-us/powershell/module/exchange/mailboxes/add-mailboxpermission?view=exchange-ps" + }, + { + "source_name": "Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452", + "description": "Mike Burns, Matthew McWhirt, Douglas Bienstock, Nick Bennett. (2021, January 19). Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452. Retrieved September 25, 2021.", + "url": "https://www.fireeye.com/blog/threat-research/2021/01/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Microsoft Detection and Response Team (DART)", + "Mike Burns, Mandiant", + "Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)", + "Jannie Li, Microsoft Threat Intelligence\u202fCenter\u202f(MSTIC)", + "Arad Inbar, Fidelis Security" + ], + "x_mitre_data_sources": [ + "Group: Group Modification", + "Application Log: Application Log Content", + "User Account: User Account Modification" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor for unusual Exchange and Office 365 email account permissions changes that may indicate excessively broad permissions being granted to compromised accounts.\n\nEnable the UpdateFolderPermissions action for all logon types. The mailbox audit log will forward folder permission modification events to the Unified Audit Log. Create rules to alert on ModifyFolderPermissions operations where the Anonymous or Default user is assigned permissions other than None. \n\nA larger than normal volume of emails sent from an account and similar phishing emails sent from \u202freal accounts within a network may be a sign that an account was compromised and attempts to leverage access with modified email permissions is occurring.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "Office 365", + "Google Workspace" + ], + "x_mitre_version": "2.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-03 17:38:00.554000+00:00\", \"old_value\": \"2022-04-19 14:55:26.110000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.1\", \"old_value\": \"2.0\"}}, \"iterable_item_added\": {\"root['kill_chain_phases'][1]\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"privilege-escalation\"}, \"root['x_mitre_contributors'][4]\": \"Arad Inbar, Fidelis Security\"}}", + "previous_version": "2.0", + "version_change": "2.0 \u2192 2.1", + "changelog_mitigations": { + "shared": [ + "M1026: Privileged Account Management", + "M1032: Multi-factor Authentication", + "M1042: Disable or Remove Feature or Program" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0002: User Account (User Account Modification)", + "DS0015: Application Log (Application Log Content)", + "DS0036: Group (Group Modification)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--7decb26c-715c-40cf-b7e0-026f7d7cc215", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2022-03-04 18:30:38.989000+00:00", + "modified": "2023-10-03 17:38:39.065000+00:00", + "name": "Device Registration", + "description": "Adversaries may register a device to an adversary-controlled account. Devices may be registered in a multifactor authentication (MFA) system, which handles authentication to the network, or in a device management system, which handles device access and compliance.\n\nMFA systems, such as Duo or Okta, allow users to associate devices with their accounts in order to complete MFA requirements. An adversary that compromises a user\u2019s credentials may enroll a new device in order to bypass initial MFA requirements and gain persistent access to a network.(Citation: CISA MFA PrintNightmare)(Citation: DarkReading FireEye SolarWinds) In some cases, the MFA self-enrollment process may require only a username and password to enroll the account's first device or to enroll a device to an inactive account. (Citation: Mandiant APT29 Microsoft 365 2022)\n\nSimilarly, an adversary with existing access to a network may register a device to Azure AD and/or its device management system, Microsoft Intune, in order to access sensitive data or resources while bypassing conditional access policies.(Citation: AADInternals - Device Registration)(Citation: AADInternals - Conditional Access Bypass)(Citation: Microsoft DEV-0537) \n\nDevices registered in Azure AD may be able to conduct [Internal Spearphishing](https://attack.mitre.org/techniques/T1534) campaigns via intra-organizational emails, which are less likely to be treated as suspicious by the email client.(Citation: Microsoft - Device Registration) Additionally, an adversary may be able to perform a [Service Exhaustion Flood](https://attack.mitre.org/techniques/T1499/002) on an Azure AD tenant by registering a large number of devices.(Citation: AADInternals - BPRT)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1098/005", + "external_id": "T1098.005" + }, + { + "source_name": "CISA MFA PrintNightmare", + "description": "Cybersecurity and Infrastructure Security Agency. (2022, March 15). Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and \u201cPrintNightmare\u201d Vulnerability. Retrieved March 16, 2022.", + "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-074a" + }, + { + "source_name": "Mandiant APT29 Microsoft 365 2022", + "description": "Douglas Bienstock. (2022, August 18). You Can\u2019t Audit Me: APT29 Continues Targeting Microsoft 365. Retrieved February 23, 2023.", + "url": "https://www.mandiant.com/resources/blog/apt29-continues-targeting-microsoft" + }, + { + "source_name": "AADInternals - Conditional Access Bypass", + "description": "Dr. Nestori Syynimaa. (2020, September 6). Bypassing conditional access by faking device compliance. Retrieved March 4, 2022.", + "url": "https://o365blog.com/post/mdm" + }, + { + "source_name": "AADInternals - BPRT", + "description": "Dr. Nestori Syynimaa. (2021, January 31). BPRT unleashed: Joining multiple devices to Azure AD and Intune. Retrieved March 4, 2022.", + "url": "https://o365blog.com/post/bprt/" + }, + { + "source_name": "AADInternals - Device Registration", + "description": "Dr. Nestori Syynimaa. (2021, March 3). Deep-dive to Azure AD device join. Retrieved March 9, 2022.", + "url": "https://o365blog.com/post/devices/" + }, + { + "source_name": "DarkReading FireEye SolarWinds", + "description": "Kelly Jackson Higgins. (2021, January 7). FireEye's Mandia: 'Severity-Zero Alert' Led to Discovery of SolarWinds Attack. Retrieved April 18, 2022.", + "url": "https://www.darkreading.com/threat-intelligence/fireeye-s-mandia-severity-zero-alert-led-to-discovery-of-solarwinds-attack" + }, + { + "source_name": "Microsoft - Device Registration", + "description": "Microsoft 365 Defender Threat Intelligence Team. (2022, January 26). Evolved phishing: Device registration trick adds to phishers\u2019 toolbox for victims without MFA. Retrieved March 4, 2022.", + "url": "https://www.microsoft.com/security/blog/2022/01/26/evolved-phishing-device-registration-trick-adds-to-phishers-toolbox-for-victims-without-mfa" + }, + { + "source_name": "Microsoft DEV-0537", + "description": "Microsoft. (2022, March 22). DEV-0537 criminal actor targeting organizations for data exfiltration and destruction. Retrieved March 23, 2022.", + "url": "https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Pawel Partyka, Microsoft 365 Defender", + "Mike Moran", + "Joe Gumke, U.S. Bank", + "Arad Inbar, Fidelis Security" + ], + "x_mitre_data_sources": [ + "Application Log: Application Log Content", + "Active Directory: Active Directory Object Creation", + "User Account: User Account Modification" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Azure AD", + "Windows", + "SaaS" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-03 17:38:39.065000+00:00\", \"old_value\": \"2023-04-20 18:14:17.197000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}, \"iterable_item_added\": {\"root['kill_chain_phases'][1]\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"privilege-escalation\"}, \"root['x_mitre_contributors'][3]\": \"Arad Inbar, Fidelis Security\"}}", + "previous_version": "1.1", + "version_change": "1.1 \u2192 1.2", + "changelog_mitigations": { + "shared": [ + "M1032: Multi-factor Authentication" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0002: User Account (User Account Modification)", + "DS0015: Application Log (Application Log Content)", + "DS0026: Active Directory (Active Directory Object Creation)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--6b57dc31-b814-4a03-8706-28bc20d739c4", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-06-24 12:42:35.144000+00:00", + "modified": "2023-10-03 17:38:21.121000+00:00", + "name": "SSH Authorized Keys", + "description": "Adversaries may modify the SSH authorized_keys file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The authorized_keys file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under <user-home>/.ssh/authorized_keys.(Citation: SSH Authorized Keys) Users may edit the system\u2019s SSH config file to modify the directives PubkeyAuthentication and RSAAuthentication to the value \u201cyes\u201d to ensure public key and RSA authentication are enabled. The SSH config file is usually located under /etc/ssh/sshd_config.\n\nAdversaries may modify SSH authorized_keys files directly with scripts or shell commands to add their own adversary-supplied public keys. In cloud environments, adversaries may be able to modify the SSH authorized_keys file of a particular virtual machine via the command line interface or rest API. For example, by using the Google Cloud CLI\u2019s \u201cadd-metadata\u201d command an adversary may add SSH keys to a user account.(Citation: Google Cloud Add Metadata)(Citation: Google Cloud Privilege Escalation) Similarly, in Azure, an adversary may update the authorized_keys file of a virtual machine via a PATCH request to the API.(Citation: Azure Update Virtual Machines) This ensures that an adversary possessing the corresponding private key may log in as an existing user via SSH.(Citation: Venafi SSH Key Abuse)(Citation: Cybereason Linux Exim Worm) It may also lead to privilege escalation where the virtual machine or instance has distinct permissions from the requesting user.\n\nWhere authorized_keys files are modified via cloud APIs or command line interfaces, an adversary may achieve privilege escalation on the target virtual machine if they add a key to a higher-privileged user. \n\nSSH keys can also be added to accounts on network devices, such as with the `ip ssh pubkey-chain` [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) command.(Citation: cisco_ip_ssh_pubkey_ch_cmd)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1098/004", + "external_id": "T1098.004" + }, + { + "source_name": "Venafi SSH Key Abuse", + "description": "Blachman, Y. (2020, April 22). Growing Abuse of SSH Keys: Commodity Malware Campaigns Now Equipped with SSH Capabilities. Retrieved June 24, 2020.", + "url": "https://www.venafi.com/blog/growing-abuse-ssh-keys-commodity-malware-campaigns-now-equipped-ssh-capabilities" + }, + { + "source_name": "Google Cloud Privilege Escalation", + "description": "Chris Moberly. (2020, February 12). Tutorial on privilege escalation and post exploitation tactics in Google Cloud Platform environments. Retrieved April 1, 2022.", + "url": "https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/" + }, + { + "source_name": "cisco_ip_ssh_pubkey_ch_cmd", + "description": "Cisco. (2021, August 23). ip ssh pubkey-chain. Retrieved July 13, 2022.", + "url": "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html#wp1254331478" + }, + { + "source_name": "Cybereason Linux Exim Worm", + "description": "Cybereason Nocturnus. (2019, June 13). New Pervasive Worm Exploiting Linux Exim Server Vulnerability. Retrieved June 24, 2020.", + "url": "https://www.cybereason.com/blog/new-pervasive-worm-exploiting-linux-exim-server-vulnerability" + }, + { + "source_name": "Google Cloud Add Metadata", + "description": "Google Cloud. (2022, March 31). gcloud compute instances add-metadata. Retrieved April 1, 2022.", + "url": "https://cloud.google.com/sdk/gcloud/reference/compute/instances/add-metadata" + }, + { + "source_name": "Azure Update Virtual Machines", + "description": "Microsoft. (n.d.). Virtual Machines - Update. Retrieved April 1, 2022.", + "url": "https://docs.microsoft.com/en-us/rest/api/compute/virtual-machines/update" + }, + { + "source_name": "SSH Authorized Keys", + "description": "ssh.com. (n.d.). Authorized_keys File in SSH. Retrieved June 24, 2020.", + "url": "https://www.ssh.com/ssh/authorized_keys/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Tony Lambert, Red Canary", + "Dror Alon, Palo Alto Networks", + "Or Kliger, Palo Alto Networks", + "Austin Clark, @c2defense", + "Arad Inbar, Fidelis Security" + ], + "x_mitre_data_sources": [ + "Command: Command Execution", + "Process: Process Creation", + "File: File Modification" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Use file integrity monitoring to detect changes made to the authorized_keys file for each user on a system. Monitor for suspicious processes modifying the authorized_keys file. In cloud environments, monitor instances for modification of metadata and configurations.\n\nMonitor for changes to and suspicious processes modifiying /etc/ssh/sshd_config.\n\nFor network infrastructure devices, collect AAA logging to monitor for rogue SSH keys being added to accounts.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "macOS", + "IaaS", + "Network" + ], + "x_mitre_version": "1.3", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-03 17:38:21.121000+00:00\", \"old_value\": \"2023-04-12 23:28:34.599000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may modify the SSH authorized_keys file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The authorized_keys file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under <user-home>/.ssh/authorized_keys.(Citation: SSH Authorized Keys) Users may edit the system\\u2019s SSH config file to modify the directives PubkeyAuthentication and RSAAuthentication to the value \\u201cyes\\u201d to ensure public key and RSA authentication are enabled. The SSH config file is usually located under /etc/ssh/sshd_config.\\n\\nAdversaries may modify SSH authorized_keys files directly with scripts or shell commands to add their own adversary-supplied public keys. In cloud environments, adversaries may be able to modify the SSH authorized_keys file of a particular virtual machine via the command line interface or rest API. For example, by using the Google Cloud CLI\\u2019s \\u201cadd-metadata\\u201d command an adversary may add SSH keys to a user account.(Citation: Google Cloud Add Metadata)(Citation: Google Cloud Privilege Escalation) Similarly, in Azure, an adversary may update the authorized_keys file of a virtual machine via a PATCH request to the API.(Citation: Azure Update Virtual Machines) This ensures that an adversary possessing the corresponding private key may log in as an existing user via SSH.(Citation: Venafi SSH Key Abuse)(Citation: Cybereason Linux Exim Worm) It may also lead to privilege escalation where the virtual machine or instance has distinct permissions from the requesting user.\\n\\nWhere authorized_keys files are modified via cloud APIs or command line interfaces, an adversary may achieve privilege escalation on the target virtual machine if they add a key to a higher-privileged user. \\n\\nSSH keys can also be added to accounts on network devices, such as with the `ip ssh pubkey-chain` [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) command.(Citation: cisco_ip_ssh_pubkey_ch_cmd)\", \"old_value\": \"Adversaries may modify the SSH authorized_keys file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The authorized_keys file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under <user-home>/.ssh/authorized_keys.(Citation: SSH Authorized Keys) Users may edit the system\\u2019s SSH config file to modify the directives PubkeyAuthentication and RSAAuthentication to the value \\u201cyes\\u201d to ensure public key and RSA authentication are enabled. The SSH config file is usually located under /etc/ssh/sshd_config.\\n\\nAdversaries may modify SSH authorized_keys files directly with scripts or shell commands to add their own adversary-supplied public keys. In cloud environments, adversaries may be able to modify the SSH authorized_keys file of a particular virtual machine via the command line interface or rest API. For example, by using the Google Cloud CLI\\u2019s \\u201cadd-metadata\\u201d command an adversary may add SSH keys to a user account.(Citation: Google Cloud Add Metadata)(Citation: Google Cloud Privilege Escalation) Similarly, in Azure, an adversary may update the authorized_keys file of a virtual machine via a PATCH request to the API.(Citation: Azure Update Virtual Machines) This ensures that an adversary possessing the corresponding private key may log in as an existing user via SSH.(Citation: Venafi SSH Key Abuse)(Citation: Cybereason Linux Exim Worm) \\n\\nWhere authorized_keys files are modified via cloud APIs or command line interfaces, an adversary may achieve privilege escalation on the target virtual machine if they add a key to a higher-privileged user. \\n\\nSSH keys can also be added to accounts on network devices, such as with the `ip ssh pubkey-chain` [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) command.(Citation: cisco_ip_ssh_pubkey_ch_cmd)\", \"diff\": \"--- \\n+++ \\n@@ -1,6 +1,6 @@\\n Adversaries may modify the SSH authorized_keys file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The authorized_keys file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under <user-home>/.ssh/authorized_keys.(Citation: SSH Authorized Keys) Users may edit the system\\u2019s SSH config file to modify the directives PubkeyAuthentication and RSAAuthentication to the value \\u201cyes\\u201d to ensure public key and RSA authentication are enabled. The SSH config file is usually located under /etc/ssh/sshd_config.\\n \\n-Adversaries may modify SSH authorized_keys files directly with scripts or shell commands to add their own adversary-supplied public keys. In cloud environments, adversaries may be able to modify the SSH authorized_keys file of a particular virtual machine via the command line interface or rest API. For example, by using the Google Cloud CLI\\u2019s \\u201cadd-metadata\\u201d command an adversary may add SSH keys to a user account.(Citation: Google Cloud Add Metadata)(Citation: Google Cloud Privilege Escalation) Similarly, in Azure, an adversary may update the authorized_keys file of a virtual machine via a PATCH request to the API.(Citation: Azure Update Virtual Machines) This ensures that an adversary possessing the corresponding private key may log in as an existing user via SSH.(Citation: Venafi SSH Key Abuse)(Citation: Cybereason Linux Exim Worm) \\n+Adversaries may modify SSH authorized_keys files directly with scripts or shell commands to add their own adversary-supplied public keys. In cloud environments, adversaries may be able to modify the SSH authorized_keys file of a particular virtual machine via the command line interface or rest API. For example, by using the Google Cloud CLI\\u2019s \\u201cadd-metadata\\u201d command an adversary may add SSH keys to a user account.(Citation: Google Cloud Add Metadata)(Citation: Google Cloud Privilege Escalation) Similarly, in Azure, an adversary may update the authorized_keys file of a virtual machine via a PATCH request to the API.(Citation: Azure Update Virtual Machines) This ensures that an adversary possessing the corresponding private key may log in as an existing user via SSH.(Citation: Venafi SSH Key Abuse)(Citation: Cybereason Linux Exim Worm) It may also lead to privilege escalation where the virtual machine or instance has distinct permissions from the requesting user.\\n \\n Where authorized_keys files are modified via cloud APIs or command line interfaces, an adversary may achieve privilege escalation on the target virtual machine if they add a key to a higher-privileged user. \\n \"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.3\", \"old_value\": \"1.2\"}}, \"iterable_item_added\": {\"root['kill_chain_phases'][1]\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"privilege-escalation\"}, \"root['x_mitre_contributors'][4]\": \"Arad Inbar, Fidelis Security\"}}", + "previous_version": "1.2", + "version_change": "1.2 \u2192 1.3", + "description_change_table": "\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n

    		Old Description
    		New Description
    t1Adversaries may modify the SSH <code>authorized_keys</code> t1Adversaries may modify the SSH <code>authorized_keys</code> 
    >file to maintain persistence on a victim host. Linux distrib>file to maintain persistence on a victim host. Linux distrib
    >utions and macOS commonly use key-based authentication to se>utions and macOS commonly use key-based authentication to se
    >cure the authentication process of SSH sessions for remote m>cure the authentication process of SSH sessions for remote m
    >anagement. The <code>authorized_keys</code> file in SSH spec>anagement. The <code>authorized_keys</code> file in SSH spec
    >ifies the SSH keys that can be used for logging into the use>ifies the SSH keys that can be used for logging into the use
    >r account for which the file is configured. This file is usu>r account for which the file is configured. This file is usu
    >ally found in the user's home directory under <code>&lt;user>ally found in the user's home directory under <code>&lt;user
    >-home&gt;/.ssh/authorized_keys</code>.(Citation: SSH Authori>-home&gt;/.ssh/authorized_keys</code>.(Citation: SSH Authori
    >zed Keys) Users may edit the system\u2019s SSH config file to mod>zed Keys) Users may edit the system\u2019s SSH config file to mod
    >ify the directives PubkeyAuthentication and RSAAuthenticatio>ify the directives PubkeyAuthentication and RSAAuthenticatio
    >n to the value \u201cyes\u201d to ensure public key and RSA authentica>n to the value \u201cyes\u201d to ensure public key and RSA authentica
    >tion are enabled. The SSH config file is usually located und>tion are enabled. The SSH config file is usually located und
    >er <code>/etc/ssh/sshd_config</code>.  Adversaries may modif>er <code>/etc/ssh/sshd_config</code>.  Adversaries may modif
    >y SSH <code>authorized_keys</code> files directly with scrip>y SSH <code>authorized_keys</code> files directly with scrip
    >ts or shell commands to add their own adversary-supplied pub>ts or shell commands to add their own adversary-supplied pub
    >lic keys. In cloud environments, adversaries may be able to >lic keys. In cloud environments, adversaries may be able to 
    >modify the SSH authorized_keys file of a particular virtual >modify the SSH authorized_keys file of a particular virtual 
    >machine via the command line interface or rest API. For exam>machine via the command line interface or rest API. For exam
    >ple, by using the Google Cloud CLI\u2019s \u201cadd-metadata\u201d command >ple, by using the Google Cloud CLI\u2019s \u201cadd-metadata\u201d command 
    >an adversary may add SSH keys to a user account.(Citation: G>an adversary may add SSH keys to a user account.(Citation: G
    >oogle Cloud Add Metadata)(Citation: Google Cloud Privilege E>oogle Cloud Add Metadata)(Citation: Google Cloud Privilege E
    >scalation) Similarly, in Azure, an adversary may update the >scalation) Similarly, in Azure, an adversary may update the 
    >authorized_keys file of a virtual machine via a PATCH reques>authorized_keys file of a virtual machine via a PATCH reques
    >t to the API.(Citation: Azure Update Virtual Machines) This >t to the API.(Citation: Azure Update Virtual Machines) This 
    >ensures that an adversary possessing the corresponding priva>ensures that an adversary possessing the corresponding priva
    >te key may log in as an existing user via SSH.(Citation: Ven>te key may log in as an existing user via SSH.(Citation: Ven
    >afi SSH Key Abuse)(Citation: Cybereason Linux Exim Worm)   W>afi SSH Key Abuse)(Citation: Cybereason Linux Exim Worm) It 
    >here authorized_keys files are modified via cloud APIs or co>may also lead to privilege escalation where the virtual mach
    >mmand line interfaces, an adversary may achieve privilege es>ine or instance has distinct permissions from the requesting
    >calation on the target virtual machine if they add a key to > user.  Where authorized_keys files are modified via cloud A
    >a higher-privileged user.   SSH keys can also be added to ac>PIs or command line interfaces, an adversary may achieve pri
    >counts on network devices, such as with the `ip ssh pubkey-c>vilege escalation on the target virtual machine if they add 
    >hain` [Network Device CLI](https://attack.mitre.org/techniqu>a key to a higher-privileged user.   SSH keys can also be ad
    >es/T1059/008) command.(Citation: cisco_ip_ssh_pubkey_ch_cmd)>ded to accounts on network devices, such as with the `ip ssh
     > pubkey-chain` [Network Device CLI](https://attack.mitre.org
     >/techniques/T1059/008) command.(Citation: cisco_ip_ssh_pubke
     >y_ch_cmd)
    ", + "changelog_mitigations": { + "shared": [ + "M1018: User Account Management", + "M1022: Restrict File and Directory Permissions", + "M1042: Disable or Remove Feature or Program" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0017: Command (Command Execution)", + "DS0022: File (File Modification)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--0458aab9-ad42-4eac-9e22-706a95bafee2", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-30 16:37:40.271000+00:00", + "modified": "2023-10-02 01:10:09.833000+00:00", + "name": "Acquire Infrastructure", + "description": "Adversaries may buy, lease, or rent infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Additionally, botnets are available for rent or purchase.\n\nUse of these infrastructure solutions allows adversaries to stage, launch, and execute operations. Solutions may help adversary operations blend in with traffic that is seen as normal, such as contacting third-party web services or acquiring infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090), including from residential proxy services.(Citation: amnesty_nso_pegasus)(Citation: FBI Proxies Credential Stuffing)(Citation: Mandiant APT29 Microsoft 365 2022) Depending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "resource-development" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1583", + "external_id": "T1583" + }, + { + "source_name": "amnesty_nso_pegasus", + "description": "Amnesty International Security Lab. (2021, July 18). Forensic Methodology Report: How to catch NSO Group\u2019s Pegasus. Retrieved February 22, 2022.", + "url": "https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/" + }, + { + "source_name": "Mandiant APT29 Microsoft 365 2022", + "description": "Douglas Bienstock. (2022, August 18). You Can\u2019t Audit Me: APT29 Continues Targeting Microsoft 365. Retrieved February 23, 2023.", + "url": "https://www.mandiant.com/resources/blog/apt29-continues-targeting-microsoft" + }, + { + "source_name": "FBI Proxies Credential Stuffing", + "description": "FBI. (2022, August 18). Proxies and Configurations Used for Credential Stuffing Attacks on Online Customer Accounts . Retrieved July 6, 2023.", + "url": "https://www.ic3.gov/Media/News/2022/220818.pdf" + }, + { + "source_name": "Koczwara Beacon Hunting Sep 2021", + "description": "Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with Shodan. Retrieved October 12, 2021.", + "url": "https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2" + }, + { + "source_name": "TrendmicroHideoutsLease", + "description": "Max Goncharov. (2015, July 15). Criminal Hideouts for Lease: Bulletproof Hosting Services. Retrieved March 6, 2017.", + "url": "https://documents.trendmicro.com/assets/wp/wp-criminal-hideouts-for-lease.pdf" + }, + { + "source_name": "Mandiant SCANdalous Jul 2020", + "description": "Stephens, A. (2020, July 13). SCANdalous! (External Detection Using Network Scan Data and Automation). Retrieved October 12, 2021.", + "url": "https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation" + }, + { + "source_name": "ThreatConnect Infrastructure Dec 2020", + "description": "ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.", + "url": "https://threatconnect.com/blog/infrastructure-research-hunting/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Shailesh Tiwary (Indian Army)", + "Goldstein Menachem" + ], + "x_mitre_data_sources": [ + "Internet Scan: Response Metadata", + "Internet Scan: Response Content", + "Domain Name: Active DNS", + "Domain Name: Passive DNS", + "Domain Name: Domain Registration" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Consider use of services that may aid in tracking of newly acquired infrastructure, such as WHOIS databases for domain registration information. \n\nOnce adversaries have provisioned infrastructure (ex: a server for use in command and control), internet scans may help proactively discover adversary acquired infrastructure. Consider looking for identifiable patterns such as services listening, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: Mandiant SCANdalous Jul 2020)(Citation: Koczwara Beacon Hunting Sep 2021)\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "PRE" + ], + "x_mitre_version": "1.3", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-02 01:10:09.833000+00:00\", \"old_value\": \"2023-03-02 21:34:46.139000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may buy, lease, or rent infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Additionally, botnets are available for rent or purchase.\\n\\nUse of these infrastructure solutions allows adversaries to stage, launch, and execute operations. Solutions may help adversary operations blend in with traffic that is seen as normal, such as contacting third-party web services or acquiring infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090), including from residential proxy services.(Citation: amnesty_nso_pegasus)(Citation: FBI Proxies Credential Stuffing)(Citation: Mandiant APT29 Microsoft 365 2022) Depending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down.\", \"old_value\": \"Adversaries may buy, lease, or rent infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Additionally, botnets are available for rent or purchase.\\n\\nUse of these infrastructure solutions allows adversaries to stage, launch, and execute operations. Solutions may help adversary operations blend in with traffic that is seen as normal, such as contacting third-party web services or acquiring infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090).(Citation: amnesty_nso_pegasus) Depending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down.\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,3 @@\\n Adversaries may buy, lease, or rent infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Additionally, botnets are available for rent or purchase.\\n \\n-Use of these infrastructure solutions allows adversaries to stage, launch, and execute operations. Solutions may help adversary operations blend in with traffic that is seen as normal, such as contacting third-party web services or acquiring infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090).(Citation: amnesty_nso_pegasus) Depending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down.\\n+Use of these infrastructure solutions allows adversaries to stage, launch, and execute operations. Solutions may help adversary operations blend in with traffic that is seen as normal, such as contacting third-party web services or acquiring infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090), including from residential proxy services.(Citation: amnesty_nso_pegasus)(Citation: FBI Proxies Credential Stuffing)(Citation: Mandiant APT29 Microsoft 365 2022) Depending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down.\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.3\", \"old_value\": \"1.2\"}}, \"iterable_item_added\": {\"root['external_references'][2]\": {\"source_name\": \"Mandiant APT29 Microsoft 365 2022\", \"description\": \"Douglas Bienstock. (2022, August 18). You Can\\u2019t Audit Me: APT29 Continues Targeting Microsoft 365. Retrieved February 23, 2023.\", \"url\": \"https://www.mandiant.com/resources/blog/apt29-continues-targeting-microsoft\"}, \"root['external_references'][3]\": {\"source_name\": \"FBI Proxies Credential Stuffing\", \"description\": \"FBI. (2022, August 18). Proxies and Configurations Used for Credential Stuffing Attacks on Online Customer Accounts . Retrieved July 6, 2023.\", \"url\": \"https://www.ic3.gov/Media/News/2022/220818.pdf\"}, \"root['x_mitre_contributors'][1]\": \"Goldstein Menachem\"}}", + "previous_version": "1.2", + "version_change": "1.2 \u2192 1.3", + "description_change_table": "\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n

    		Old Description
    		New Description
    t1Adversaries may buy, lease, or rent infrastructure that can t1Adversaries may buy, lease, or rent infrastructure that can 
    >be used during targeting. A wide variety of infrastructure e>be used during targeting. A wide variety of infrastructure e
    >xists for hosting and orchestrating adversary operations. In>xists for hosting and orchestrating adversary operations. In
    >frastructure solutions include physical or cloud servers, do>frastructure solutions include physical or cloud servers, do
    >mains, and third-party web services.(Citation: TrendmicroHid>mains, and third-party web services.(Citation: TrendmicroHid
    >eoutsLease) Additionally, botnets are available for rent or >eoutsLease) Additionally, botnets are available for rent or 
    >purchase.  Use of these infrastructure solutions allows adve>purchase.  Use of these infrastructure solutions allows adve
    >rsaries to stage, launch, and execute operations. Solutions >rsaries to stage, launch, and execute operations. Solutions 
    >may help adversary operations blend in with traffic that is >may help adversary operations blend in with traffic that is 
    >seen as normal, such as contacting third-party web services >seen as normal, such as contacting third-party web services 
    >or acquiring infrastructure to support [Proxy](https://attac>or acquiring infrastructure to support [Proxy](https://attac
    >k.mitre.org/techniques/T1090).(Citation: amnesty_nso_pegasus>k.mitre.org/techniques/T1090), including from residential pr
    >) Depending on the implementation, adversaries may use infra>oxy services.(Citation: amnesty_nso_pegasus)(Citation: FBI P
    >structure that makes it difficult to physically tie back to >roxies Credential Stuffing)(Citation: Mandiant APT29 Microso
    >them as well as utilize infrastructure that can be rapidly p>ft 365 2022) Depending on the implementation, adversaries ma
    >rovisioned, modified, and shut down.>y use infrastructure that makes it difficult to physically t
     >ie back to them as well as utilize infrastructure that can b
     >e rapidly provisioned, modified, and shut down.
    ", + "changelog_mitigations": { + "shared": [ + "M1056: Pre-compromise" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0035: Internet Scan (Response Content)", + "DS0035: Internet Scan (Response Metadata)", + "DS0038: Domain Name (Active DNS)", + "DS0038: Domain Name (Domain Registration)", + "DS0038: Domain Name (Passive DNS)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--035bb001-ab69-4a0b-9f6c-2de8b09e1b9d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-02-11 19:07:12.114000+00:00", + "modified": "2023-09-27 20:27:50.792000+00:00", + "name": "Adversary-in-the-Middle", + "description": "Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040), [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002), or replay attacks ([Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212)). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.(Citation: Rapid7 MiTM Basics)\n\nFor example, adversaries may manipulate victim DNS settings to enable other malicious activities such as preventing/redirecting users from accessing legitimate sites and/or pushing additional malware.(Citation: ttint_rat)(Citation: dns_changer_trojans)(Citation: ad_blocker_with_miner) Adversaries may also manipulate DNS and leverage their position in order to intercept user credentials and session cookies.(Citation: volexity_0day_sophos_FW) [Downgrade Attack](https://attack.mitre.org/techniques/T1562/010)s can also be used to establish an AiTM position, such as by negotiating a less secure, deprecated, or weaker version of communication protocol (SSL/TLS) or encryption algorithm.(Citation: mitm_tls_downgrade_att)(Citation: taxonomy_downgrade_att_tls)(Citation: tlseminar_downgrade_att)\n\nAdversaries may also leverage the AiTM position to attempt to monitor and/or modify traffic, such as in [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). Adversaries can setup a position similar to AiTM to prevent traffic from flowing to the appropriate destination, potentially to [Impair Defenses](https://attack.mitre.org/techniques/T1562) and/or in support of a [Network Denial of Service](https://attack.mitre.org/techniques/T1498).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "credential-access" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "collection" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1557", + "external_id": "T1557" + }, + { + "source_name": "dns_changer_trojans", + "description": "Abendan, O. (2012, June 14). How DNS Changer Trojans Direct Users to Threats. Retrieved October 28, 2021.", + "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/125/how-dns-changer-trojans-direct-users-to-threats" + }, + { + "source_name": "volexity_0day_sophos_FW", + "description": "Adair, S., Lancaster, T., Volexity Threat Research. (2022, June 15). DriftingCloud: Zero-Day Sophos Firewall Exploitation and an Insidious Breach. Retrieved July 1, 2022.", + "url": "https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/" + }, + { + "source_name": "taxonomy_downgrade_att_tls", + "description": "Alashwali, E. S., Rasmussen, K. (2019, January 26). What's in a Downgrade? A Taxonomy of Downgrade Attacks in the TLS Protocol and Application Protocols Using TLS. Retrieved December 7, 2021.", + "url": "https://arxiv.org/abs/1809.05681" + }, + { + "source_name": "ad_blocker_with_miner", + "description": "Kuzmenko, A.. (2021, March 10). Ad blocker with miner included. Retrieved October 28, 2021.", + "url": "https://securelist.com/ad-blocker-with-miner-included/101105/" + }, + { + "source_name": "mitm_tls_downgrade_att", + "description": "praetorian Editorial Team. (2014, August 19). Man-in-the-Middle TLS Protocol Downgrade Attack. Retrieved December 8, 2021.", + "url": "https://www.praetorian.com/blog/man-in-the-middle-tls-ssl-protocol-downgrade-attack/" + }, + { + "source_name": "Rapid7 MiTM Basics", + "description": "Rapid7. (n.d.). Man-in-the-Middle (MITM) Attacks. Retrieved March 2, 2020.", + "url": "https://www.rapid7.com/fundamentals/man-in-the-middle-attacks/" + }, + { + "source_name": "tlseminar_downgrade_att", + "description": "Team Cinnamon. (2017, February 3). Downgrade Attacks. Retrieved December 9, 2021.", + "url": "https://tlseminar.github.io/downgrade-attacks/" + }, + { + "source_name": "ttint_rat", + "description": "Tu, L. Ma, Y. Ye, G. (2020, October 1). Ttint: An IoT Remote Access Trojan spread through 2 0-day vulnerabilities. Retrieved October 28, 2021.", + "url": "https://blog.netlab.360.com/ttint-an-iot-remote-control-trojan-spread-through-2-0-day-vulnerabilities/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Mayuresh Dani, Qualys", + "Daniil Yugoslavskiy, @yugoslavskiy, Atomic Threat Coverage project", + "NEC" + ], + "x_mitre_data_sources": [ + "Application Log: Application Log Content", + "Network Traffic: Network Traffic Content", + "Windows Registry: Windows Registry Key Modification", + "Network Traffic: Network Traffic Flow", + "Service: Service Creation" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor network traffic for anomalies associated with known AiTM behavior. Consider monitoring for modifications to system configuration files involved in shaping network traffic flow.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "macOS", + "Linux", + "Network" + ], + "x_mitre_version": "2.3", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-27 20:27:50.792000+00:00\", \"old_value\": \"2023-03-30 21:01:37.568000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040), [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002), or replay attacks ([Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212)). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.(Citation: Rapid7 MiTM Basics)\\n\\nFor example, adversaries may manipulate victim DNS settings to enable other malicious activities such as preventing/redirecting users from accessing legitimate sites and/or pushing additional malware.(Citation: ttint_rat)(Citation: dns_changer_trojans)(Citation: ad_blocker_with_miner) Adversaries may also manipulate DNS and leverage their position in order to intercept user credentials and session cookies.(Citation: volexity_0day_sophos_FW) [Downgrade Attack](https://attack.mitre.org/techniques/T1562/010)s can also be used to establish an AiTM position, such as by negotiating a less secure, deprecated, or weaker version of communication protocol (SSL/TLS) or encryption algorithm.(Citation: mitm_tls_downgrade_att)(Citation: taxonomy_downgrade_att_tls)(Citation: tlseminar_downgrade_att)\\n\\nAdversaries may also leverage the AiTM position to attempt to monitor and/or modify traffic, such as in [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). Adversaries can setup a position similar to AiTM to prevent traffic from flowing to the appropriate destination, potentially to [Impair Defenses](https://attack.mitre.org/techniques/T1562) and/or in support of a [Network Denial of Service](https://attack.mitre.org/techniques/T1498).\", \"old_value\": \"Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040) or [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.(Citation: Rapid7 MiTM Basics)\\n\\nFor example, adversaries may manipulate victim DNS settings to enable other malicious activities such as preventing/redirecting users from accessing legitimate sites and/or pushing additional malware.(Citation: ttint_rat)(Citation: dns_changer_trojans)(Citation: ad_blocker_with_miner) Adversaries may also manipulate DNS and leverage their position in order to intercept user credentials and session cookies.(Citation: volexity_0day_sophos_FW) [Downgrade Attack](https://attack.mitre.org/techniques/T1562/010)s can also be used to establish an AiTM position, such as by negotiating a less secure, deprecated, or weaker version of communication protocol (SSL/TLS) or encryption algorithm.(Citation: mitm_tls_downgrade_att)(Citation: taxonomy_downgrade_att_tls)(Citation: tlseminar_downgrade_att)\\n\\nAdversaries may also leverage the AiTM position to attempt to monitor and/or modify traffic, such as in [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). Adversaries can setup a position similar to AiTM to prevent traffic from flowing to the appropriate destination, potentially to [Impair Defenses](https://attack.mitre.org/techniques/T1562) and/or in support of a [Network Denial of Service](https://attack.mitre.org/techniques/T1498).\", \"diff\": \"--- \\n+++ \\n@@ -1,4 +1,4 @@\\n-Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040) or [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.(Citation: Rapid7 MiTM Basics)\\n+Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040), [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002), or replay attacks ([Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212)). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.(Citation: Rapid7 MiTM Basics)\\n \\n For example, adversaries may manipulate victim DNS settings to enable other malicious activities such as preventing/redirecting users from accessing legitimate sites and/or pushing additional malware.(Citation: ttint_rat)(Citation: dns_changer_trojans)(Citation: ad_blocker_with_miner) Adversaries may also manipulate DNS and leverage their position in order to intercept user credentials and session cookies.(Citation: volexity_0day_sophos_FW) [Downgrade Attack](https://attack.mitre.org/techniques/T1562/010)s can also be used to establish an AiTM position, such as by negotiating a less secure, deprecated, or weaker version of communication protocol (SSL/TLS) or encryption algorithm.(Citation: mitm_tls_downgrade_att)(Citation: taxonomy_downgrade_att_tls)(Citation: tlseminar_downgrade_att)\\n \"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.3\", \"old_value\": \"2.2\"}}}", + "previous_version": "2.2", + "version_change": "2.2 \u2192 2.3", + "description_change_table": "\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n

    		Old Description
    		New Description
    t1Adversaries may attempt to position themselves between two ot1Adversaries may attempt to position themselves between two o
    >r more networked devices using an adversary-in-the-middle (A>r more networked devices using an adversary-in-the-middle (A
    >iTM) technique to support follow-on behaviors such as [Netwo>iTM) technique to support follow-on behaviors such as [Netwo
    >rk Sniffing](https://attack.mitre.org/techniques/T1040) or [>rk Sniffing](https://attack.mitre.org/techniques/T1040), [Tr
    >Transmitted Data Manipulation](https://attack.mitre.org/tech>ansmitted Data Manipulation](https://attack.mitre.org/techni
    >niques/T1565/002). By abusing features of common networking >ques/T1565/002), or replay attacks ([Exploitation for Creden
    >protocols that can determine the flow of network traffic (e.>tial Access](https://attack.mitre.org/techniques/T1212)). By
    >g. ARP, DNS, LLMNR, etc.), adversaries may force a device to> abusing features of common networking protocols that can de
    > communicate through an adversary controlled system so they >termine the flow of network traffic (e.g. ARP, DNS, LLMNR, e
    >can collect information or perform additional actions.(Citat>tc.), adversaries may force a device to communicate through 
    >ion: Rapid7 MiTM Basics)  For example, adversaries may manip>an adversary controlled system so they can collect informati
    >ulate victim DNS settings to enable other malicious activiti>on or perform additional actions.(Citation: Rapid7 MiTM Basi
    >es such as preventing/redirecting users from accessing legit>cs)  For example, adversaries may manipulate victim DNS sett
    >imate sites and/or pushing additional malware.(Citation: tti>ings to enable other malicious activities such as preventing
    >nt_rat)(Citation: dns_changer_trojans)(Citation: ad_blocker_>/redirecting users from accessing legitimate sites and/or pu
    >with_miner) Adversaries may also manipulate DNS and leverage>shing additional malware.(Citation: ttint_rat)(Citation: dns
    > their position in order to intercept user credentials and s>_changer_trojans)(Citation: ad_blocker_with_miner) Adversari
    >ession cookies.(Citation: volexity_0day_sophos_FW) [Downgrad>es may also manipulate DNS and leverage their position in or
    >e Attack](https://attack.mitre.org/techniques/T1562/010)s ca>der to intercept user credentials and session cookies.(Citat
    >n also be used to establish an AiTM position, such as by neg>ion: volexity_0day_sophos_FW) [Downgrade Attack](https://att
    >otiating a less secure, deprecated, or weaker version of com>ack.mitre.org/techniques/T1562/010)s can also be used to est
    >munication protocol (SSL/TLS) or encryption algorithm.(Citat>ablish an AiTM position, such as by negotiating a less secur
    >ion: mitm_tls_downgrade_att)(Citation: taxonomy_downgrade_at>e, deprecated, or weaker version of communication protocol (
    >t_tls)(Citation: tlseminar_downgrade_att)  Adversaries may a>SSL/TLS) or encryption algorithm.(Citation: mitm_tls_downgra
    >lso leverage the AiTM position to attempt to monitor and/or >de_att)(Citation: taxonomy_downgrade_att_tls)(Citation: tlse
    >modify traffic, such as in [Transmitted Data Manipulation](h>minar_downgrade_att)  Adversaries may also leverage the AiTM
    >ttps://attack.mitre.org/techniques/T1565/002). Adversaries c> position to attempt to monitor and/or modify traffic, such 
    >an setup a position similar to AiTM to prevent traffic from >as in [Transmitted Data Manipulation](https://attack.mitre.o
    >flowing to the appropriate destination, potentially to [Impa>rg/techniques/T1565/002). Adversaries can setup a position s
    >ir Defenses](https://attack.mitre.org/techniques/T1562) and/>imilar to AiTM to prevent traffic from flowing to the approp
    >or in support of a [Network Denial of Service](https://attac>riate destination, potentially to [Impair Defenses](https://
    >k.mitre.org/techniques/T1498).>attack.mitre.org/techniques/T1562) and/or in support of a [N
     >etwork Denial of Service](https://attack.mitre.org/technique
     >s/T1498).
    ", + "changelog_mitigations": { + "shared": [ + "M1017: User Training", + "M1030: Network Segmentation", + "M1031: Network Intrusion Prevention", + "M1035: Limit Access to Resource Over Network", + "M1037: Filter Network Traffic", + "M1041: Encrypt Sensitive Information", + "M1042: Disable or Remove Feature or Program" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0015: Application Log (Application Log Content)", + "DS0019: Service (Service Creation)", + "DS0024: Windows Registry (Windows Registry Key Modification)", + "DS0029: Network Traffic (Network Traffic Content)", + "DS0029: Network Traffic (Network Traffic Flow)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--9a60a291-8960-4387-8a4a-2ab5c18bb50b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-03-15 16:16:25.763000+00:00", + "modified": "2023-10-01 02:42:15.473000+00:00", + "name": "File Transfer Protocols", + "description": "Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nProtocols such as SMB, FTP, FTPS, and TFTP that transfer files may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the transferred files. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "command-and-control" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1071/002", + "external_id": "T1071.002" + }, + { + "source_name": "University of Birmingham C2", + "description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.", + "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Traffic Flow" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol for the port that is being used.(Citation: University of Birmingham C2)", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_attack_spec_version']\": \"3.2.0\", \"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-01 02:42:15.473000+00:00\", \"old_value\": \"2020-08-21 14:41:22.911000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \\n\\nProtocols such as SMB, FTP, FTPS, and TFTP that transfer files may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the transferred files. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. \", \"old_value\": \"Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \\n\\nProtocols such as FTP, FTPS, and TFTP that transfer files may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the transferred files. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. \", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,3 @@\\n Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \\n \\n-Protocols such as FTP, FTPS, and TFTP that transfer files may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the transferred files. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. \\n+Protocols such as SMB, FTP, FTPS, and TFTP that transfer files may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the transferred files. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. \"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}}", + "previous_version": "1.0", + "version_change": "1.0 \u2192 1.1", + "description_change_table": "\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n

    		Old Description
    		New Description
    t1Adversaries may communicate using application layer protocolt1Adversaries may communicate using application layer protocol
    >s associated with transferring files to avoid detection/netw>s associated with transferring files to avoid detection/netw
    >ork filtering by blending in with existing traffic. Commands>ork filtering by blending in with existing traffic. Commands
    > to the remote system, and often the results of those comman> to the remote system, and often the results of those comman
    >ds, will be embedded within the protocol traffic between the>ds, will be embedded within the protocol traffic between the
    > client and server.   Protocols such as FTP, FTPS, and TFTP > client and server.   Protocols such as SMB, FTP, FTPS, and 
    >that transfer files may be very common in environments.  Pac>TFTP that transfer files may be very common in environments.
    >kets produced from these protocols may have many fields and >  Packets produced from these protocols may have many fields
    >headers in which data can be concealed. Data could also be c> and headers in which data can be concealed. Data could also
    >oncealed within the transferred files. An adversary may abus> be concealed within the transferred files. An adversary may
    >e these protocols to communicate with systems under their co> abuse these protocols to communicate with systems under the
    >ntrol within a victim network while also mimicking normal, e>ir control within a victim network while also mimicking norm
    >xpected traffic. >al, expected traffic. 
    ", + "changelog_mitigations": { + "shared": [ + "M1031: Network Intrusion Prevention" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0029: Network Traffic (Network Traffic Content)", + "DS0029: Network Traffic (Network Traffic Flow)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-03-15 16:13:46.151000+00:00", + "modified": "2023-09-29 20:22:37.414000+00:00", + "name": "Web Protocols", + "description": "Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nProtocols such as HTTP/S(Citation: CrowdStrike Putter Panda) and WebSocket(Citation: Brazking-Websockets) that carry web traffic may be very common in environments. HTTP/S packets have many fields and headers in which data can be concealed. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "command-and-control" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1071/001", + "external_id": "T1071.001" + }, + { + "source_name": "CrowdStrike Putter Panda", + "description": "Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.", + "url": "http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf" + }, + { + "source_name": "University of Birmingham C2", + "description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.", + "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" + }, + { + "source_name": "Brazking-Websockets", + "description": "Shahar Tavor. (n.d.). BrazKing Android Malware Upgraded and Targeting Brazilian Banks. Retrieved March 24, 2023.", + "url": "https://securityintelligence.com/posts/brazking-android-malware-upgraded-targeting-brazilian-banks/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "TruKno" + ], + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Traffic Flow" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards regarding syntax, structure, or any other variable adversaries could leverage to conceal data.(Citation: University of Birmingham C2)\n\nMonitor for web traffic to/from known-bad or suspicious domains. ", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-29 20:22:37.414000+00:00\", \"old_value\": \"2023-04-11 15:21:27.965000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}}", + "previous_version": "1.1", + "version_change": "1.1 \u2192 1.2", + "changelog_mitigations": { + "shared": [ + "M1031: Network Intrusion Prevention" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0029: Network Traffic (Network Traffic Content)", + "DS0029: Network Traffic (Network Traffic Flow)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--00f90846-cbd1-4fc5-9233-df5c2bf2a662", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-02-20 21:01:25.428000+00:00", + "modified": "2023-09-15 19:02:53.995000+00:00", + "name": "Archive via Utility", + "description": "Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport.\n\nAdversaries may abuse various utilities to compress or encrypt data before exfiltration. Some third party utilities may be preinstalled, such as tar on Linux and macOS or zip on Windows systems. \n\nOn Windows, diantz or makecab may be used to package collected files into a cabinet (.cab) file. diantz may also be used to download and compress files from remote locations (i.e. [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002)).(Citation: diantz.exe_lolbas) xcopy on Windows can copy files and directories with a variety of options. Additionally, adversaries may use [certutil](https://attack.mitre.org/software/S0160) to Base64 encode collected data before exfiltration. \n\nAdversaries may use also third party utilities, such as 7-Zip, WinRAR, and WinZip, to perform similar activities.(Citation: 7zip Homepage)(Citation: WinRAR Homepage)(Citation: WinZip Homepage)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "collection" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1560/001", + "external_id": "T1560.001" + }, + { + "source_name": "WinRAR Homepage", + "description": "A. Roshal. (2020). RARLAB. Retrieved February 20, 2020.", + "url": "https://www.rarlab.com/" + }, + { + "source_name": "WinZip Homepage", + "description": "Corel Corporation. (2020). WinZip. Retrieved February 20, 2020.", + "url": "https://www.winzip.com/win/en/" + }, + { + "source_name": "7zip Homepage", + "description": "I. Pavlov. (2019). 7-Zip. Retrieved February 20, 2020.", + "url": "https://www.7-zip.org/" + }, + { + "source_name": "diantz.exe_lolbas", + "description": "Living Off The Land Binaries, Scripts and Libraries (LOLBAS). (n.d.). Diantz.exe. Retrieved October 25, 2021.", + "url": "https://lolbas-project.github.io/lolbas/Binaries/Diantz/" + }, + { + "source_name": "Wikipedia File Header Signatures", + "description": "Wikipedia. (2016, March 31). List of file signatures. Retrieved April 22, 2016.", + "url": "https://en.wikipedia.org/wiki/List_of_file_signatures" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Mayan Arora aka Mayan Mohan", + "Mark Wee" + ], + "x_mitre_data_sources": [ + "Process: Process Creation", + "Command: Command Execution", + "File: File Creation" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known archival utilities. This may yield a significant number of benign events, depending on how systems in the environment are typically used.\n\nConsider detecting writing of files with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.(Citation: Wikipedia File Header Signatures)", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "x_mitre_version": "1.3", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-15 19:02:53.995000+00:00\", \"old_value\": \"2023-04-14 19:28:21.394000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.3\", \"old_value\": \"1.2\"}}}", + "previous_version": "1.2", + "version_change": "1.2 \u2192 1.3", + "changelog_mitigations": { + "shared": [ + "M1047: Audit" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0017: Command (Command Execution)", + "DS0022: File (File Creation)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--2de47683-f398-448f-b947-9abcc3e32fad", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-10-05 13:24:49.780000+00:00", + "modified": "2023-10-04 14:16:17.655000+00:00", + "name": "Print Processors", + "description": "Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, `spoolsv.exe`, during boot.(Citation: Microsoft Intro Print Processors)\n\nAdversaries may abuse the print spooler service by adding print processors that load malicious DLLs at startup. A print processor can be installed through the AddPrintProcessor API call with an account that has SeLoadDriverPrivilege enabled. Alternatively, a print processor can be registered to the print spooler service by adding the HKLM\\SYSTEM\\\\[CurrentControlSet or ControlSet001]\\Control\\Print\\Environments\\\\[Windows architecture: e.g., Windows x64]\\Print Processors\\\\[user defined]\\Driver Registry key that points to the DLL.\n\nFor the malicious print processor to be correctly installed, the payload must be located in the dedicated system print-processor directory, that can be found with the GetPrintProcessorDirectory API call, or referenced via a relative path from this directory.(Citation: Microsoft AddPrintProcessor May 2018) After the print processors are installed, the print spooler service, which starts during boot, must be restarted in order for them to run.(Citation: ESET PipeMon May 2020)\n\nThe print spooler service runs under SYSTEM level permissions, therefore print processors installed by an adversary may run under elevated privileges.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1547/012", + "external_id": "T1547.012" + }, + { + "source_name": "Microsoft AddPrintProcessor May 2018", + "description": "Microsoft. (2018, May 31). AddPrintProcessor function. Retrieved October 5, 2020.", + "url": "https://docs.microsoft.com/en-us/windows/win32/printdocs/addprintprocessor" + }, + { + "source_name": "Microsoft Intro Print Processors", + "description": "Microsoft. (2023, June 26). Introduction to print processors. Retrieved September 27, 2023.", + "url": "https://learn.microsoft.com/windows-hardware/drivers/print/introduction-to-print-processors" + }, + { + "source_name": "ESET PipeMon May 2020", + "description": "Tartare, M. et al. (2020, May 21). No \u201cGame over\u201d for the Winnti Group. Retrieved August 24, 2020.", + "url": "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Mathieu Tartare, ESET", + "Tahseen Bin Taj" + ], + "x_mitre_data_sources": [ + "Windows Registry: Windows Registry Key Modification", + "File: File Creation", + "Driver: Driver Load", + "Module: Module Load", + "Process: OS API Execution" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor process API calls to AddPrintProcessor and GetPrintProcessorDirectory. New print processor DLLs are written to the print processor directory. Also monitor Registry writes to HKLM\\SYSTEM\\ControlSet001\\Control\\Print\\Environments\\\\[Windows architecture]\\Print Processors\\\\[user defined]\\\\Driver or HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Environments\\\\[Windows architecture]\\Print Processors\\\\[user defined]\\Driver as they pertain to print processor installations.\n\nMonitor for abnormal DLLs that are loaded by spoolsv.exe. Print processors that do not correlate with known good software or patching may be suspicious.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_permissions_required": [ + "Administrator", + "SYSTEM" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_attack_spec_version']\": \"3.2.0\", \"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-04 14:16:17.655000+00:00\", \"old_value\": \"2020-10-09 16:05:36.344000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, `spoolsv.exe`, during boot.(Citation: Microsoft Intro Print Processors)\\n\\nAdversaries may abuse the print spooler service by adding print processors that load malicious DLLs at startup. A print processor can be installed through the AddPrintProcessor API call with an account that has SeLoadDriverPrivilege enabled. Alternatively, a print processor can be registered to the print spooler service by adding the HKLM\\\\SYSTEM\\\\\\\\[CurrentControlSet or ControlSet001]\\\\Control\\\\Print\\\\Environments\\\\\\\\[Windows architecture: e.g., Windows x64]\\\\Print Processors\\\\\\\\[user defined]\\\\Driver Registry key that points to the DLL.\\n\\nFor the malicious print processor to be correctly installed, the payload must be located in the dedicated system print-processor directory, that can be found with the GetPrintProcessorDirectory API call, or referenced via a relative path from this directory.(Citation: Microsoft AddPrintProcessor May 2018) After the print processors are installed, the print spooler service, which starts during boot, must be restarted in order for them to run.(Citation: ESET PipeMon May 2020)\\n\\nThe print spooler service runs under SYSTEM level permissions, therefore print processors installed by an adversary may run under elevated privileges.\", \"old_value\": \"Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, spoolsv.exe, during boot. \\n\\nAdversaries may abuse the print spooler service by adding print processors that load malicious DLLs at startup. A print processor can be installed through the AddPrintProcessor API call with an account that has SeLoadDriverPrivilege enabled. Alternatively, a print processor can be registered to the print spooler service by adding the HKLM\\\\SYSTEM\\\\\\\\[CurrentControlSet or ControlSet001]\\\\Control\\\\Print\\\\Environments\\\\\\\\[Windows architecture: e.g., Windows x64]\\\\Print Processors\\\\\\\\[user defined]\\\\Driver Registry key that points to the DLL. For the print processor to be correctly installed, it must be located in the system print-processor directory that can be found with the GetPrintProcessorDirectory API call.(Citation: Microsoft AddPrintProcessor May 2018) After the print processors are installed, the print spooler service, which starts during boot, must be restarted in order for them to run.(Citation: ESET PipeMon May 2020) The print spooler service runs under SYSTEM level permissions, therefore print processors installed by an adversary may run under elevated privileges.\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,7 @@\\n-Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, spoolsv.exe, during boot. \\n+Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, `spoolsv.exe`, during boot.(Citation: Microsoft Intro Print Processors)\\n \\n-Adversaries may abuse the print spooler service by adding print processors that load malicious DLLs at startup. A print processor can be installed through the AddPrintProcessor API call with an account that has SeLoadDriverPrivilege enabled. Alternatively, a print processor can be registered to the print spooler service by adding the HKLM\\\\SYSTEM\\\\\\\\[CurrentControlSet or ControlSet001]\\\\Control\\\\Print\\\\Environments\\\\\\\\[Windows architecture: e.g., Windows x64]\\\\Print Processors\\\\\\\\[user defined]\\\\Driver Registry key that points to the DLL. For the print processor to be correctly installed, it must be located in the system print-processor directory that can be found with the GetPrintProcessorDirectory API call.(Citation: Microsoft AddPrintProcessor May 2018) After the print processors are installed, the print spooler service, which starts during boot, must be restarted in order for them to run.(Citation: ESET PipeMon May 2020) The print spooler service runs under SYSTEM level permissions, therefore print processors installed by an adversary may run under elevated privileges.\\n+Adversaries may abuse the print spooler service by adding print processors that load malicious DLLs at startup. A print processor can be installed through the AddPrintProcessor API call with an account that has SeLoadDriverPrivilege enabled. Alternatively, a print processor can be registered to the print spooler service by adding the HKLM\\\\SYSTEM\\\\\\\\[CurrentControlSet or ControlSet001]\\\\Control\\\\Print\\\\Environments\\\\\\\\[Windows architecture: e.g., Windows x64]\\\\Print Processors\\\\\\\\[user defined]\\\\Driver Registry key that points to the DLL.\\n+\\n+For the malicious print processor to be correctly installed, the payload must be located in the dedicated system print-processor directory, that can be found with the GetPrintProcessorDirectory API call, or referenced via a relative path from this directory.(Citation: Microsoft AddPrintProcessor May 2018) After the print processors are installed, the print spooler service, which starts during boot, must be restarted in order for them to run.(Citation: ESET PipeMon May 2020)\\n+\\n+The print spooler service runs under SYSTEM level permissions, therefore print processors installed by an adversary may run under elevated privileges.\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][2]\": {\"source_name\": \"Microsoft Intro Print Processors\", \"description\": \"Microsoft. (2023, June 26). Introduction to print processors. Retrieved September 27, 2023.\", \"url\": \"https://learn.microsoft.com/windows-hardware/drivers/print/introduction-to-print-processors\"}, \"root['x_mitre_contributors'][1]\": \"Tahseen Bin Taj\"}}", + "previous_version": "1.0", + "version_change": "1.0 \u2192 1.1", + "description_change_table": "\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n

    		Old Description
    		New Description
    t1Adversaries may abuse print processors to run malicious DLLst1Adversaries may abuse print processors to run malicious DLLs
    > during system boot for persistence and/or privilege escalat> during system boot for persistence and/or privilege escalat
    >ion. Print processors are DLLs that are loaded by the print >ion. Print processors are DLLs that are loaded by the print 
    >spooler service, spoolsv.exe, during boot.   Adversaries may>spooler service, `spoolsv.exe`, during boot.(Citation: Micro
    > abuse the print spooler service by adding print processors >soft Intro Print Processors)  Adversaries may abuse the prin
    >that load malicious DLLs at startup. A print processor can b>t spooler service by adding print processors that load malic
    >e installed through the <code>AddPrintProcessor</code> API c>ious DLLs at startup. A print processor can be installed thr
    >all with an account that has <code>SeLoadDriverPrivilege</co>ough the <code>AddPrintProcessor</code> API call with an acc
    >de> enabled. Alternatively, a print processor can be registe>ount that has <code>SeLoadDriverPrivilege</code> enabled. Al
    >red to the print spooler service by adding the <code>HKLM\\SY>ternatively, a print processor can be registered to the prin
    >STEM\\\\[CurrentControlSet or ControlSet001]\\Control\\Print\\Env>t spooler service by adding the <code>HKLM\\SYSTEM\\\\[CurrentC
    >ironments\\\\[Windows architecture: e.g., Windows x64]\\Print P>ontrolSet or ControlSet001]\\Control\\Print\\Environments\\\\[Win
    >rocessors\\\\[user defined]\\Driver</code> Registry key that po>dows architecture: e.g., Windows x64]\\Print Processors\\\\[use
    >ints to the DLL. For the print processor to be correctly ins>r defined]\\Driver</code> Registry key that points to the DLL
    >talled, it must be located in the system print-processor dir> For the malicious print processor to be correctly install
    >ectory that can be found with the <code>GetPrintProcessorDir>ed, the payload must be located in the dedicated system prin
    >ectory</code> API call.(Citation: Microsoft AddPrintProcesso>t-processor directory, that can be found with the <code>GetP
    >r May 2018) After the print processors are installed, the pr>rintProcessorDirectory</code> API call, or referenced via a 
    >int spooler service, which starts during boot, must be resta>relative path from this directory.(Citation: Microsoft AddPr
    >rted in order for them to run.(Citation: ESET PipeMon May 20>intProcessor May 2018) After the print processors are instal
    >20) The print spooler service runs under SYSTEM level permis>led, the print spooler service, which starts during boot, mu
    >sions, therefore print processors installed by an adversary >st be restarted in order for them to run.(Citation: ESET Pip
    >may run under elevated privileges.>eMon May 2020)  The print spooler service runs under SYSTEM 
     >level permissions, therefore print processors installed by a
     >n adversary may run under elevated privileges.
    ", + "changelog_mitigations": { + "shared": [ + "M1018: User Account Management" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (OS API Execution)", + "DS0011: Module (Module Load)", + "DS0022: File (File Creation)", + "DS0024: Windows Registry (Windows Registry Key Modification)", + "DS0027: Driver (Driver Load)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--6836813e-8ec8-4375-b459-abb388cb1a35", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-01-24 16:59:59.688000+00:00", + "modified": "2023-08-14 15:11:30.220000+00:00", + "name": "Winlogon Helper DLL", + "description": "Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\\Software[\\\\Wow6432Node\\\\]\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ and HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ are used to manage additional helper programs and functionalities that support Winlogon.(Citation: Cylance Reg Persistence Sept 2013) \n\nMalicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. Specifically, the following subkeys have been known to be possibly vulnerable to abuse: (Citation: Cylance Reg Persistence Sept 2013)\n\n* Winlogon\\Notify - points to notification package DLLs that handle Winlogon events\n* Winlogon\\Userinit - points to userinit.exe, the user initialization program executed when a user logs on\n* Winlogon\\Shell - points to explorer.exe, the system shell executed when a user logs on\n\nAdversaries may take advantage of these features to repeatedly execute malicious code and establish persistence.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1547/004", + "external_id": "T1547.004" + }, + { + "source_name": "Cylance Reg Persistence Sept 2013", + "description": "Langendorf, S. (2013, September 24). Windows Registry Persistence, Part 2: The Run Keys and Search-Order. Retrieved April 11, 2018.", + "url": "https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order" + }, + { + "source_name": "TechNet Autoruns", + "description": "Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.", + "url": "https://technet.microsoft.com/en-us/sysinternals/bb963902" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Praetorian" + ], + "x_mitre_data_sources": [ + "Command: Command Execution", + "Module: Module Load", + "Windows Registry: Windows Registry Key Modification" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor for changes to Registry entries associated with Winlogon that do not correlate with known software, patch cycles, etc. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current Winlogon helper values. (Citation: TechNet Autoruns) New DLLs written to System32 that do not correlate with known good software or patching may also be suspicious.\n\nLook for abnormal process behavior that may be due to a process loading a malicious DLL. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_permissions_required": [ + "SYSTEM", + "Administrator" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-14 15:11:30.220000+00:00\", \"old_value\": \"2023-03-30 21:01:47.069000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}}", + "previous_version": "1.0", + "version_change": "1.0 \u2192 1.1", + "changelog_mitigations": { + "shared": [ + "M1018: User Account Management", + "M1038: Execution Prevention" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0011: Module (Module Load)", + "DS0017: Command (Command Execution)", + "DS0024: Windows Registry (Windows Registry Key Modification)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--e0232cb0-ded5-4c2e-9dc7-2893142a5c11", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-09-10 18:13:12.195000+00:00", + "modified": "2023-10-16 16:35:12.501000+00:00", + "name": "XDG Autostart Entries", + "description": "Adversaries may add or modify XDG Autostart Entries to execute malicious programs or commands when a user\u2019s desktop environment is loaded at login. XDG Autostart entries are available for any XDG-compliant Linux system. XDG Autostart entries use Desktop Entry files (`.desktop`) to configure the user\u2019s desktop environment upon user login. These configuration files determine what applications launch upon user login, define associated applications to open specific file types, and define applications used to open removable media.(Citation: Free Desktop Application Autostart Feb 2006)(Citation: Free Desktop Entry Keys)\n\nAdversaries may abuse this feature to establish persistence by adding a path to a malicious binary or command to the `Exec` directive in the `.desktop` configuration file. When the user\u2019s desktop environment is loaded at user login, the `.desktop` files located in the XDG Autostart directories are automatically executed. System-wide Autostart entries are located in the `/etc/xdg/autostart` directory while the user entries are located in the `~/.config/autostart` directory.\n\nAdversaries may combine this technique with [Masquerading](https://attack.mitre.org/techniques/T1036) to blend malicious Autostart entries with legitimate programs.(Citation: Red Canary Netwire Linux 2022)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1547/013", + "external_id": "T1547.013" + }, + { + "source_name": "Free Desktop Application Autostart Feb 2006", + "description": "Free Desktop. (2006, February 13). Desktop Application Autostart Specification. Retrieved September 12, 2019.", + "url": "https://specifications.freedesktop.org/autostart-spec/autostart-spec-latest.html" + }, + { + "source_name": "Free Desktop Entry Keys", + "description": "Free Desktop. (2017, December 24). Recognized Desktop Entry Keys. Retrieved September 12, 2019.", + "url": "https://specifications.freedesktop.org/desktop-entry-spec/1.2/ar01s06.html" + }, + { + "source_name": "Red Canary Netwire Linux 2022", + "description": "TONY LAMBERT. (2022, June 7). Trapping the Netwire RAT on Linux. Retrieved September 28, 2023.", + "url": "https://redcanary.com/blog/netwire-remote-access-trojan-on-linux/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Tony Lambert, Red Canary" + ], + "x_mitre_data_sources": [ + "File: File Creation", + "Command: Command Execution", + "Process: Process Creation", + "File: File Modification" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Malicious XDG autostart entries may be detected by auditing file creation and modification events within the /etc/xdg/autostart and ~/.config/autostart directories. Depending on individual configurations, defenders may need to query the environment variables $XDG_CONFIG_HOME or $XDG_CONFIG_DIRS to determine the paths of Autostart entries. Autostart entry files not associated with legitimate packages may be considered suspicious. Suspicious entries can also be identified by comparing entries to a trusted system baseline.\n \nSuspicious processes or scripts spawned in this manner will have a parent process of the desktop component implementing the XDG specification and will execute as the logged on user.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_permissions_required": [ + "User", + "root" + ], + "x_mitre_platforms": [ + "Linux" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_attack_spec_version']\": \"3.2.0\", \"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-16 16:35:12.501000+00:00\", \"old_value\": \"2020-11-10 15:55:10.103000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may add or modify XDG Autostart Entries to execute malicious programs or commands when a user\\u2019s desktop environment is loaded at login. XDG Autostart entries are available for any XDG-compliant Linux system. XDG Autostart entries use Desktop Entry files (`.desktop`) to configure the user\\u2019s desktop environment upon user login. These configuration files determine what applications launch upon user login, define associated applications to open specific file types, and define applications used to open removable media.(Citation: Free Desktop Application Autostart Feb 2006)(Citation: Free Desktop Entry Keys)\\n\\nAdversaries may abuse this feature to establish persistence by adding a path to a malicious binary or command to the `Exec` directive in the `.desktop` configuration file. When the user\\u2019s desktop environment is loaded at user login, the `.desktop` files located in the XDG Autostart directories are automatically executed. System-wide Autostart entries are located in the `/etc/xdg/autostart` directory while the user entries are located in the `~/.config/autostart` directory.\\n\\nAdversaries may combine this technique with [Masquerading](https://attack.mitre.org/techniques/T1036) to blend malicious Autostart entries with legitimate programs.(Citation: Red Canary Netwire Linux 2022)\", \"old_value\": \"Adversaries may modify XDG autostart entries to execute programs or commands during system boot. Linux desktop environments that are XDG compliant implement functionality for XDG autostart entries. These entries will allow an application to automatically start during the startup of a desktop environment after user logon. By default, XDG autostart entries are stored within the /etc/xdg/autostart or ~/.config/autostart directories and have a .desktop file extension.(Citation: Free Desktop Application Autostart Feb 2006)\\n\\nWithin an XDG autostart entry file, the Type key specifies if the entry is an application (type 1), link (type 2) or directory (type 3). The Name key indicates an arbitrary name assigned by the creator and the Exec key indicates the application and command line arguments to execute.(Citation: Free Desktop Entry Keys)\\n\\nAdversaries may use XDG autostart entries to maintain persistence by executing malicious commands and payloads, such as remote access tools, during the startup of a desktop environment. Commands included in XDG autostart entries with execute after user logon in the context of the currently logged on user. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make XDG autostart entries look as if they are associated with legitimate programs.\", \"diff\": \"--- \\n+++ \\n@@ -1,5 +1,5 @@\\n-Adversaries may modify XDG autostart entries to execute programs or commands during system boot. Linux desktop environments that are XDG compliant implement functionality for XDG autostart entries. These entries will allow an application to automatically start during the startup of a desktop environment after user logon. By default, XDG autostart entries are stored within the /etc/xdg/autostart or ~/.config/autostart directories and have a .desktop file extension.(Citation: Free Desktop Application Autostart Feb 2006)\\n+Adversaries may add or modify XDG Autostart Entries to execute malicious programs or commands when a user\\u2019s desktop environment is loaded at login. XDG Autostart entries are available for any XDG-compliant Linux system. XDG Autostart entries use Desktop Entry files (`.desktop`) to configure the user\\u2019s desktop environment upon user login. These configuration files determine what applications launch upon user login, define associated applications to open specific file types, and define applications used to open removable media.(Citation: Free Desktop Application Autostart Feb 2006)(Citation: Free Desktop Entry Keys)\\n \\n-Within an XDG autostart entry file, the Type key specifies if the entry is an application (type 1), link (type 2) or directory (type 3). The Name key indicates an arbitrary name assigned by the creator and the Exec key indicates the application and command line arguments to execute.(Citation: Free Desktop Entry Keys)\\n+Adversaries may abuse this feature to establish persistence by adding a path to a malicious binary or command to the `Exec` directive in the `.desktop` configuration file. When the user\\u2019s desktop environment is loaded at user login, the `.desktop` files located in the XDG Autostart directories are automatically executed. System-wide Autostart entries are located in the `/etc/xdg/autostart` directory while the user entries are located in the `~/.config/autostart` directory.\\n \\n-Adversaries may use XDG autostart entries to maintain persistence by executing malicious commands and payloads, such as remote access tools, during the startup of a desktop environment. Commands included in XDG autostart entries with execute after user logon in the context of the currently logged on user. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make XDG autostart entries look as if they are associated with legitimate programs.\\n+Adversaries may combine this technique with [Masquerading](https://attack.mitre.org/techniques/T1036) to blend malicious Autostart entries with legitimate programs.(Citation: Red Canary Netwire Linux 2022)\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][3]\": {\"source_name\": \"Red Canary Netwire Linux 2022\", \"description\": \"TONY LAMBERT. (2022, June 7). Trapping the Netwire RAT on Linux. Retrieved September 28, 2023.\", \"url\": \"https://redcanary.com/blog/netwire-remote-access-trojan-on-linux/\"}}}", + "previous_version": "1.0", + "version_change": "1.0 \u2192 1.1", + "description_change_table": "\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n

    		Old Description
    		New Description
    t1Adversaries may modify XDG autostart entries to execute progt1Adversaries may add or modify XDG Autostart Entries to execu
    >rams or commands during system boot. Linux desktop environme>te malicious programs or commands when a user\u2019s desktop envi
    >nts that are XDG compliant implement functionality for XDG a>ronment is loaded at login. XDG Autostart entries are availa
    >utostart entries. These entries will allow an application to>ble for any XDG-compliant Linux system. XDG Autostart entrie
    > automatically start during the startup of a desktop environ>s use Desktop Entry files (`.desktop`) to configure the user
    >ment after user logon. By default, XDG autostart entries are>\u2019s desktop environment upon user login. These configuration 
    > stored within the <code>/etc/xdg/autostart</code> or <code>>files determine what applications launch upon user login, de
    >~/.config/autostart</code> directories and have a .desktop f>fine associated applications to open specific file types, an
    >ile extension.(Citation: Free Desktop Application Autostart >d define applications used to open removable media.(Citation
    >Feb 2006)  Within an XDG autostart entry file, the <code>Typ>: Free Desktop Application Autostart Feb 2006)(Citation: Fre
    >e</code> key specifies if the entry is an application (type >e Desktop Entry Keys)  Adversaries may abuse this feature to
    >1), link (type 2) or directory (type 3). The <code>Name</cod> establish persistence by adding a path to a malicious binar
    >e> key indicates an arbitrary name assigned by the creator a>y or command to the `Exec` directive in the `.desktop` confi
    >nd the <code>Exec</code> key indicates the application and c>guration file. When the user\u2019s desktop environment is loaded
    >ommand line arguments to execute.(Citation: Free Desktop Ent> at user login, the `.desktop` files located in the XDG Auto
    >ry Keys)  Adversaries may use XDG autostart entries to maint>start directories are automatically executed. System-wide Au
    >ain persistence by executing malicious commands and payloads>tostart entries are located in the `/etc/xdg/autostart` dire
    >, such as remote access tools, during the startup of a deskt>ctory while the user entries are located in the `~/.config/a
    >op environment. Commands included in XDG autostart entries w>utostart` directory.  Adversaries may combine this technique
    >ith execute after user logon in the context of the currently> with [Masquerading](https://attack.mitre.org/techniques/T10
    > logged on user. Adversaries may also use [Masquerading](htt>36) to blend malicious Autostart entries with legitimate pro
    >ps://attack.mitre.org/techniques/T1036) to make XDG autostar>grams.(Citation: Red Canary Netwire Linux 2022)
    >t entries look as if they are associated with legitimate pro 
    >grams. 
    ", + "changelog_mitigations": { + "shared": [ + "M1018: User Account Management", + "M1022: Restrict File and Directory Permissions", + "M1033: Limit Software Installation" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0017: Command (Command Execution)", + "DS0022: File (File Creation)", + "DS0022: File (File Modification)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--03259939-0b57-482f-8eb5-87c0e0d54334", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:30:38.910000+00:00", + "modified": "2023-08-11 20:54:55.991000+00:00", + "name": "Boot or Logon Initialization Scripts", + "description": "Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. Initialization scripts can be used to perform administrative functions, which may often execute other programs or send information to an internal logging server. These scripts can vary based on operating system and whether applied locally or remotely. \n\nAdversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary. \n\nAn adversary may also be able to escalate their privileges since some boot or logon initialization scripts run with higher privileges.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1037", + "external_id": "T1037" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_data_sources": [ + "File: File Modification", + "Windows Registry: Windows Registry Key Creation", + "Command: Command Execution", + "File: File Creation", + "Process: Process Creation", + "Active Directory: Active Directory Object Modification" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor logon scripts for unusual access by abnormal users or at abnormal times. Look for files added or modified by unusual accounts outside of normal administration duties. Monitor running process for actions that could be indicative of abnormal programs or executables running upon logon.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "macOS", + "Windows", + "Linux" + ], + "x_mitre_version": "2.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-11 20:54:55.991000+00:00\", \"old_value\": \"2023-03-30 21:01:38.295000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.2\", \"old_value\": \"2.1\"}}}", + "previous_version": "2.1", + "version_change": "2.1 \u2192 2.2", + "changelog_mitigations": { + "shared": [ + "M1022: Restrict File and Directory Permissions", + "M1024: Restrict Registry Permissions" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0017: Command (Command Execution)", + "DS0022: File (File Creation)", + "DS0022: File (File Modification)", + "DS0024: Windows Registry (Windows Registry Key Creation)", + "DS0026: Active Directory (Active Directory Object Modification)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--b2d03cea-aec1-45ca-9744-9ee583c1e1cc", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-02-11 18:39:59.959000+00:00", + "modified": "2023-10-16 16:53:12.789000+00:00", + "name": "Credential Stuffing", + "description": "Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap. Occasionally, large numbers of username and password pairs are dumped online when a website or service is compromised and the user account credentials accessed. The information may be useful to an adversary attempting to compromise accounts by taking advantage of the tendency for users to use the same passwords across personal and business accounts.\n\nCredential stuffing is a risky option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies.\n\nTypically, management services over commonly used ports are used when stuffing credentials. Commonly targeted services include the following:\n\n* SSH (22/TCP)\n* Telnet (23/TCP)\n* FTP (21/TCP)\n* NetBIOS / SMB / Samba (139/TCP & 445/TCP)\n* LDAP (389/TCP)\n* Kerberos (88/TCP)\n* RDP / Terminal Services (3389/TCP)\n* HTTP/HTTP Management Services (80/TCP & 443/TCP)\n* MSSQL (1433/TCP)\n* Oracle (1521/TCP)\n* MySQL (3306/TCP)\n* VNC (5900/TCP)\n\nIn addition to management services, adversaries may \"target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols,\" as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "credential-access" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1110/004", + "external_id": "T1110.004" + }, + { + "source_name": "US-CERT TA18-068A 2018", + "description": "US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted by Cyber Actors. Retrieved October 2, 2019.", + "url": "https://www.us-cert.gov/ncas/alerts/TA18-086A" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Diogo Fernandes", + "Anastasios Pingios" + ], + "x_mitre_data_sources": [ + "Application Log: Application Log Content", + "User Account: User Account Authentication" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor authentication logs for system and application login failures of [Valid Accounts](https://attack.mitre.org/techniques/T1078). If authentication failures are high, then there may be a brute force attempt to gain access to a system using legitimate credentials.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "Azure AD", + "Office 365", + "SaaS", + "IaaS", + "Linux", + "macOS", + "Google Workspace", + "Containers" + ], + "x_mitre_version": "1.4", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-16 16:53:12.789000+00:00\", \"old_value\": \"2023-04-14 23:05:16.857000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.4\", \"old_value\": \"1.3\"}}}", + "previous_version": "1.3", + "version_change": "1.3 \u2192 1.4", + "changelog_mitigations": { + "shared": [ + "M1018: User Account Management", + "M1027: Password Policies", + "M1032: Multi-factor Authentication", + "M1036: Account Use Policies" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0002: User Account (User Account Authentication)", + "DS0015: Application Log (Application Log Content)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-02-11 18:38:22.617000+00:00", + "modified": "2023-10-16 16:57:41.743000+00:00", + "name": "Password Guessing", + "description": "Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism. An adversary may guess login credentials without prior knowledge of system or environment passwords during an operation by using a list of common passwords. Password guessing may or may not take into account the target's policies on password complexity or use policies that may lock accounts out after a number of failed attempts.\n\nGuessing passwords can be a risky option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies. (Citation: Cylance Cleaver)\n\nTypically, management services over commonly used ports are used when guessing passwords. Commonly targeted services include the following:\n\n* SSH (22/TCP)\n* Telnet (23/TCP)\n* FTP (21/TCP)\n* NetBIOS / SMB / Samba (139/TCP & 445/TCP)\n* LDAP (389/TCP)\n* Kerberos (88/TCP)\n* RDP / Terminal Services (3389/TCP)\n* HTTP/HTTP Management Services (80/TCP & 443/TCP)\n* MSSQL (1433/TCP)\n* Oracle (1521/TCP)\n* MySQL (3306/TCP)\n* VNC (5900/TCP)\n* SNMP (161/UDP and 162/TCP/UDP)\n\nIn addition to management services, adversaries may \"target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols,\" as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018). Further, adversaries may abuse network device interfaces (such as `wlanAPI`) to brute force accessible wifi-router(s) via wireless authentication protocols.(Citation: Trend Micro Emotet 2020)\n\nIn default environments, LDAP and Kerberos connection attempts are less likely to trigger events over SMB, which creates Windows \"logon failure\" event ID 4625.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "credential-access" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1110/001", + "external_id": "T1110.001" + }, + { + "source_name": "Trend Micro Emotet 2020", + "description": "Cybercrime & Digital Threat Team. (2020, February 13). Emotet Now Spreads via Wi-Fi. Retrieved February 16, 2022.", + "url": "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/emotet-now-spreads-via-wi-fi" + }, + { + "source_name": "Cylance Cleaver", + "description": "Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.", + "url": "https://web.archive.org/web/20200302085133/https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" + }, + { + "source_name": "US-CERT TA18-068A 2018", + "description": "US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted by Cyber Actors. Retrieved October 2, 2019.", + "url": "https://www.us-cert.gov/ncas/alerts/TA18-086A" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Microsoft Threat Intelligence Center (MSTIC)", + "Mohamed Kmal" + ], + "x_mitre_data_sources": [ + "User Account: User Account Authentication", + "Application Log: Application Log Content" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor authentication logs for system and application login failures of [Valid Accounts](https://attack.mitre.org/techniques/T1078). If authentication failures are high, then there may be a brute force attempt to gain access to a system using legitimate credentials.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "Azure AD", + "Office 365", + "SaaS", + "IaaS", + "Linux", + "macOS", + "Google Workspace", + "Containers", + "Network" + ], + "x_mitre_version": "1.5", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-16 16:57:41.743000+00:00\", \"old_value\": \"2023-04-14 23:04:08.394000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.5\", \"old_value\": \"1.4\"}}}", + "previous_version": "1.4", + "version_change": "1.4 \u2192 1.5", + "changelog_mitigations": { + "shared": [ + "M1027: Password Policies", + "M1032: Multi-factor Authentication", + "M1036: Account Use Policies", + "M1051: Update Software" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0002: User Account (User Account Authentication)", + "DS0015: Application Log (Application Log Content)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--692074ae-bb62-4a5e-a735-02cb6bde458c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-02-11 18:39:25.122000+00:00", + "modified": "2023-10-16 16:55:18.014000+00:00", + "name": "Password Spraying", + "description": "Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. 'Password01'), or a small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. (Citation: BlackHillsInfosec Password Spraying)\n\nTypically, management services over commonly used ports are used when password spraying. Commonly targeted services include the following:\n\n* SSH (22/TCP)\n* Telnet (23/TCP)\n* FTP (21/TCP)\n* NetBIOS / SMB / Samba (139/TCP & 445/TCP)\n* LDAP (389/TCP)\n* Kerberos (88/TCP)\n* RDP / Terminal Services (3389/TCP)\n* HTTP/HTTP Management Services (80/TCP & 443/TCP)\n* MSSQL (1433/TCP)\n* Oracle (1521/TCP)\n* MySQL (3306/TCP)\n* VNC (5900/TCP)\n\nIn addition to management services, adversaries may \"target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols,\" as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018)\n\nIn default environments, LDAP and Kerberos connection attempts are less likely to trigger events over SMB, which creates Windows \"logon failure\" event ID 4625.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "credential-access" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1110/003", + "external_id": "T1110.003" + }, + { + "source_name": "Trimarc Detecting Password Spraying", + "description": "Metcalf, S. (2018, May 6). Trimarc Research: Detecting Password Spraying with Security Event Auditing. Retrieved January 16, 2019.", + "url": "https://www.trimarcsecurity.com/single-post/2018/05/06/Trimarc-Research-Detecting-Password-Spraying-with-Security-Event-Auditing" + }, + { + "source_name": "BlackHillsInfosec Password Spraying", + "description": "Thyer, J. (2015, October 30). Password Spraying & Other Fun with RPCCLIENT. Retrieved April 25, 2017.", + "url": "http://www.blackhillsinfosec.com/?p=4645" + }, + { + "source_name": "US-CERT TA18-068A 2018", + "description": "US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted by Cyber Actors. Retrieved October 2, 2019.", + "url": "https://www.us-cert.gov/ncas/alerts/TA18-086A" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Microsoft Threat Intelligence Center (MSTIC)", + "John Strand" + ], + "x_mitre_data_sources": [ + "User Account: User Account Authentication", + "Application Log: Application Log Content" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor authentication logs for system and application login failures of [Valid Accounts](https://attack.mitre.org/techniques/T1078). Specifically, monitor for many failed authentication attempts across various accounts that may result from password spraying attempts.\n\nConsider the following event IDs:(Citation: Trimarc Detecting Password Spraying)\n\n* Domain Controllers: \"Audit Logon\" (Success & Failure) for event ID 4625.\n* Domain Controllers: \"Audit Kerberos Authentication Service\" (Success & Failure) for event ID 4771.\n* All systems: \"Audit Logon\" (Success & Failure) for event ID 4648.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "Azure AD", + "Office 365", + "SaaS", + "IaaS", + "Linux", + "macOS", + "Google Workspace", + "Containers" + ], + "x_mitre_version": "1.4", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-16 16:55:18.014000+00:00\", \"old_value\": \"2023-04-14 23:04:38.816000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.4\", \"old_value\": \"1.3\"}}}", + "previous_version": "1.3", + "version_change": "1.3 \u2192 1.4", + "changelog_mitigations": { + "shared": [ + "M1027: Password Policies", + "M1032: Multi-factor Authentication", + "M1036: Account Use Policies" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0002: User Account (User Account Authentication)", + "DS0015: Application Log (Application Log Content)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--e49920b0-6c54-40c1-9571-73723653205f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-08-30 18:11:24.582000+00:00", + "modified": "2023-10-16 16:51:02.852000+00:00", + "name": "Cloud Service Dashboard", + "description": "An adversary may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment, such as specific services, resources, and features. For example, the GCP Command Center can be used to view all assets, findings of potential security risks, and to run additional queries, such as finding public IP addresses and open ports.(Citation: Google Command Center Dashboard)\n\nDepending on the configuration of the environment, an adversary may be able to enumerate more information via the graphical dashboard than an API. This allows the adversary to gain information without making any API requests.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "discovery" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1538", + "external_id": "T1538" + }, + { + "source_name": "AWS Console Sign-in Events", + "description": "Amazon. (n.d.). AWS Console Sign-in Events. Retrieved October 23, 2019.", + "url": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-aws-console-sign-in-events.html" + }, + { + "source_name": "Google Command Center Dashboard", + "description": "Google. (2019, October 3). Quickstart: Using the dashboard. Retrieved October 8, 2019.", + "url": "https://cloud.google.com/security-command-center/docs/quickstart-scc-dashboard" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Praetorian" + ], + "x_mitre_data_sources": [ + "Logon Session: Logon Session Creation", + "User Account: User Account Authentication" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor account activity logs to see actions performed and activity associated with the cloud service management console. Some cloud providers, such as AWS, provide distinct log events for login attempts to the management console.(Citation: AWS Console Sign-in Events)", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Azure AD", + "Office 365", + "IaaS", + "Google Workspace" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_attack_spec_version']\": \"3.2.0\", \"root['x_mitre_deprecated']\": false}, \"dictionary_item_removed\": {\"root['x_mitre_permissions_required']\": [\"User\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-16 16:51:02.852000+00:00\", \"old_value\": \"2021-03-16 12:56:36.098000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}}", + "previous_version": "1.1", + "version_change": "1.1 \u2192 1.2", + "changelog_mitigations": { + "shared": [ + "M1018: User Account Management" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0002: User Account (User Account Authentication)", + "DS0028: Logon Session (Logon Session Creation)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-03-09 14:12:31.196000+00:00", + "modified": "2023-07-28 17:50:21.947000+00:00", + "name": "Windows Command Shell", + "description": "Adversaries may abuse the Windows command shell for execution. The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via [Remote Services](https://attack.mitre.org/techniques/T1021) such as [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: SSH in Windows)\n\nBatch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple systems.\n\nAdversaries may leverage [cmd](https://attack.mitre.org/software/S0106) to execute various commands and payloads. Common uses include [cmd](https://attack.mitre.org/software/S0106) to execute a single command, or abusing [cmd](https://attack.mitre.org/software/S0106) interactively with input and output forwarded over a command and control channel.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "execution" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1059/003", + "external_id": "T1059.003" + }, + { + "source_name": "SSH in Windows", + "description": "Microsoft. (2020, May 19). Tutorial: SSH in Windows Terminal. Retrieved July 26, 2021.", + "url": "https://docs.microsoft.com/en-us/windows/terminal/tutorials/ssh" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_data_sources": [ + "Command: Command Execution", + "Process: Process Creation" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Usage of the Windows command shell may be common on administrator, developer, or power user systems depending on job function. If scripting is restricted for normal users, then any attempt to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.\n\nScripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_remote_support": true, + "x_mitre_version": "1.3", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_attack_spec_version']\": \"3.1.0\", \"root['x_mitre_deprecated']\": false}, \"dictionary_item_removed\": {\"root['x_mitre_permissions_required']\": [\"User\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-07-28 17:50:21.947000+00:00\", \"old_value\": \"2021-07-26 17:13:07.345000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.3\", \"old_value\": \"1.2\"}}}", + "previous_version": "1.2", + "version_change": "1.2 \u2192 1.3", + "changelog_mitigations": { + "shared": [ + "M1038: Execution Prevention" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0017: Command (Command Execution)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--960c3c86-1480-4d72-b4e0-8c242e84a5c5", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-02-11 18:18:34.279000+00:00", + "modified": "2023-10-03 04:18:40.956000+00:00", + "name": "Compromise Client Software Binary", + "description": "Adversaries may modify client software binaries to establish persistent access to systems. Client software enables users to access services provided by a server. Common client software types are SSH clients, FTP clients, email clients, and web browsers.\n\nAdversaries may make modifications to client software binaries to carry out malicious tasks when those applications are in use. For example, an adversary may copy source code for the client software, add a backdoor, compile for the target, and replace the legitimate application binary (or support files) with the backdoored one. An adversary may also modify an existing binary by patching in malicious functionality (e.g., IAT Hooking/Entry point patching)(Citation: Unit42 Banking Trojans Hooking 2022) prior to the binary\u2019s legitimate execution. For example, an adversary may modify the entry point of a binary to point to malicious code patched in by the adversary before resuming normal execution flow.(Citation: ESET FontOnLake Analysis 2021)\n\nSince these applications may be routinely executed by the user, the adversary can leverage this for persistent access to the host.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1554", + "external_id": "T1554" + }, + { + "source_name": "Unit42 Banking Trojans Hooking 2022", + "description": "Or Chechik. (2022, October 31). Banking Trojan Techniques: How Financially Motivated Malware Became Infrastructure. Retrieved September 27, 2023.", + "url": "https://unit42.paloaltonetworks.com/banking-trojan-techniques/#post-125550-_rm3d6xxbk52n" + }, + { + "source_name": "ESET FontOnLake Analysis 2021", + "description": "Vladislav Hr\u010dka. (2021, January 1). FontOnLake. Retrieved September 27, 2023.", + "url": "https://web-assets.esetstatic.com/wls/2021/10/eset_fontonlake.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "CrowdStrike Falcon OverWatch" + ], + "x_mitre_data_sources": [ + "File: File Deletion", + "File: File Modification", + "File: File Metadata", + "File: File Creation" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Collect and analyze signing certificate metadata and check signature validity on software that executes within the environment. Look for changes to client software that do not correlate with known software or patch cycles. \n\nConsider monitoring for anomalous behavior from client applications, such as atypical module loads, file reads/writes, or network connections.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_attack_spec_version']\": \"3.2.0\", \"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-03 04:18:40.956000+00:00\", \"old_value\": \"2021-10-19 03:18:43.648000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may modify client software binaries to establish persistent access to systems. Client software enables users to access services provided by a server. Common client software types are SSH clients, FTP clients, email clients, and web browsers.\\n\\nAdversaries may make modifications to client software binaries to carry out malicious tasks when those applications are in use. For example, an adversary may copy source code for the client software, add a backdoor, compile for the target, and replace the legitimate application binary (or support files) with the backdoored one. An adversary may also modify an existing binary by patching in malicious functionality (e.g., IAT Hooking/Entry point patching)(Citation: Unit42 Banking Trojans Hooking 2022) prior to the binary\\u2019s legitimate execution. For example, an adversary may modify the entry point of a binary to point to malicious code patched in by the adversary before resuming normal execution flow.(Citation: ESET FontOnLake Analysis 2021)\\n\\nSince these applications may be routinely executed by the user, the adversary can leverage this for persistent access to the host.\", \"old_value\": \"Adversaries may modify client software binaries to establish persistent access to systems. Client software enables users to access services provided by a server. Common client software types are SSH clients, FTP clients, email clients, and web browsers.\\n\\nAdversaries may make modifications to client software binaries to carry out malicious tasks when those applications are in use. For example, an adversary may copy source code for the client software, add a backdoor, compile for the target, and replace the legitimate application binary (or support files) with the backdoored one. Since these applications may be routinely executed by the user, the adversary can leverage this for persistent access to the host.\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,5 @@\\n Adversaries may modify client software binaries to establish persistent access to systems. Client software enables users to access services provided by a server. Common client software types are SSH clients, FTP clients, email clients, and web browsers.\\n \\n-Adversaries may make modifications to client software binaries to carry out malicious tasks when those applications are in use. For example, an adversary may copy source code for the client software, add a backdoor, compile for the target, and replace the legitimate application binary (or support files) with the backdoored one. Since these applications may be routinely executed by the user, the adversary can leverage this for persistent access to the host.\\n+Adversaries may make modifications to client software binaries to carry out malicious tasks when those applications are in use. For example, an adversary may copy source code for the client software, add a backdoor, compile for the target, and replace the legitimate application binary (or support files) with the backdoored one. An adversary may also modify an existing binary by patching in malicious functionality (e.g., IAT Hooking/Entry point patching)(Citation: Unit42 Banking Trojans Hooking 2022) prior to the binary\\u2019s legitimate execution. For example, an adversary may modify the entry point of a binary to point to malicious code patched in by the adversary before resuming normal execution flow.(Citation: ESET FontOnLake Analysis 2021)\\n+\\n+Since these applications may be routinely executed by the user, the adversary can leverage this for persistent access to the host.\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][1]\": {\"source_name\": \"Unit42 Banking Trojans Hooking 2022\", \"description\": \"Or Chechik. (2022, October 31). Banking Trojan Techniques: How Financially Motivated Malware Became Infrastructure. Retrieved September 27, 2023.\", \"url\": \"https://unit42.paloaltonetworks.com/banking-trojan-techniques/#post-125550-_rm3d6xxbk52n\"}, \"root['external_references'][2]\": {\"source_name\": \"ESET FontOnLake Analysis 2021\", \"description\": \"Vladislav Hr\\u010dka. (2021, January 1). FontOnLake. Retrieved September 27, 2023.\", \"url\": \"https://web-assets.esetstatic.com/wls/2021/10/eset_fontonlake.pdf\"}}}", + "previous_version": "1.0", + "version_change": "1.0 \u2192 1.1", + "description_change_table": "\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n

    		Old Description
    		New Description
    t1Adversaries may modify client software binaries to establisht1Adversaries may modify client software binaries to establish
    > persistent access to systems. Client software enables users> persistent access to systems. Client software enables users
    > to access services provided by a server. Common client soft> to access services provided by a server. Common client soft
    >ware types are SSH clients, FTP clients, email clients, and >ware types are SSH clients, FTP clients, email clients, and 
    >web browsers.  Adversaries may make modifications to client >web browsers.  Adversaries may make modifications to client 
    >software binaries to carry out malicious tasks when those ap>software binaries to carry out malicious tasks when those ap
    >plications are in use. For example, an adversary may copy so>plications are in use. For example, an adversary may copy so
    >urce code for the client software, add a backdoor, compile f>urce code for the client software, add a backdoor, compile f
    >or the target, and replace the legitimate application binary>or the target, and replace the legitimate application binary
    > (or support files) with the backdoored one. Since these app> (or support files) with the backdoored one. An adversary ma
    >lications may be routinely executed by the user, the adversa>y also modify an existing binary by patching in malicious fu
    >ry can leverage this for persistent access to the host.>nctionality (e.g., IAT Hooking/Entry point patching)(Citatio
     >n: Unit42 Banking Trojans Hooking 2022) prior to the binary\u2019
     >s legitimate execution. For example, an adversary may modify
     > the entry point of a binary to point to malicious code patc
     >hed in by the adversary before resuming normal execution flo
     >w.(Citation: ESET FontOnLake Analysis 2021)  Since these app
     >lications may be routinely executed by the user, the adversa
     >ry can leverage this for persistent access to the host.
    ", + "changelog_mitigations": { + "shared": [ + "M1045: Code Signing" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0022: File (File Creation)", + "DS0022: File (File Deletion)", + "DS0022: File (File Metadata)", + "DS0022: File (File Modification)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--7e3beebd-8bfe-4e7b-a892-e44ab06a75f9", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-10-01 00:36:30.759000+00:00", + "modified": "2023-10-02 01:10:49.053000+00:00", + "name": "Compromise Infrastructure", + "description": "Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage.\n\nUse of compromised infrastructure allows adversaries to stage, launch, and execute operations. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. For example, adversaries may leverage compromised infrastructure (potentially also in conjunction with [Digital Certificates](https://attack.mitre.org/techniques/T1588/004)) to further blend in and support staged information gathering and/or [Phishing](https://attack.mitre.org/techniques/T1566) campaigns.(Citation: FireEye DNS Hijack 2019) Additionally, adversaries may also compromise infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090) and/or proxyware services.(Citation: amnesty_nso_pegasus)(Citation: Sysdig Proxyjacking)\n\nBy using compromised infrastructure, adversaries may make it difficult to tie their actions back to them. Prior to targeting, adversaries may compromise the infrastructure of other adversaries.(Citation: NSA NCSC Turla OilRig)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "resource-development" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1584", + "external_id": "T1584" + }, + { + "source_name": "amnesty_nso_pegasus", + "description": "Amnesty International Security Lab. (2021, July 18). Forensic Methodology Report: How to catch NSO Group\u2019s Pegasus. Retrieved February 22, 2022.", + "url": "https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/" + }, + { + "source_name": "Sysdig Proxyjacking", + "description": "Crystal Morin. (2023, April 4). Proxyjacking has Entered the Chat. Retrieved July 6, 2023.", + "url": "https://sysdig.com/blog/proxyjacking-attackers-log4j-exploited/" + }, + { + "source_name": "FireEye DNS Hijack 2019", + "description": "Hirani, M., Jones, S., Read, B. (2019, January 10). Global DNS Hijacking Campaign: DNS Record Manipulation at Scale. Retrieved October 9, 2020.", + "url": "https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html" + }, + { + "source_name": "ICANNDomainNameHijacking", + "description": "ICANN Security and Stability Advisory Committee. (2005, July 12). Domain Name Hijacking: Incidents, Threats, Risks and Remediation. Retrieved March 6, 2017.", + "url": "https://www.icann.org/groups/ssac/documents/sac-007-en" + }, + { + "source_name": "Koczwara Beacon Hunting Sep 2021", + "description": "Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with Shodan. Retrieved October 12, 2021.", + "url": "https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2" + }, + { + "source_name": "Mandiant APT1", + "description": "Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. Retrieved July 18, 2016.", + "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" + }, + { + "source_name": "Talos DNSpionage Nov 2018", + "description": "Mercer, W., Rascagneres, P. (2018, November 27). DNSpionage Campaign Targets Middle East. Retrieved October 9, 2020.", + "url": "https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html" + }, + { + "source_name": "NSA NCSC Turla OilRig", + "description": "NSA/NCSC. (2019, October 21). Cybersecurity Advisory: Turla Group Exploits Iranian APT To Expand Coverage Of Victims. Retrieved October 16, 2020.", + "url": "https://media.defense.gov/2019/Oct/18/2002197242/-1/-1/0/NSA_CSA_Turla_20191021%20ver%204%20-%20nsa.gov.pdf" + }, + { + "source_name": "Mandiant SCANdalous Jul 2020", + "description": "Stephens, A. (2020, July 13). SCANdalous! (External Detection Using Network Scan Data and Automation). Retrieved October 12, 2021.", + "url": "https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation" + }, + { + "source_name": "ThreatConnect Infrastructure Dec 2020", + "description": "ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.", + "url": "https://threatconnect.com/blog/infrastructure-research-hunting/" + }, + { + "source_name": "FireEye EPS Awakens Part 2", + "description": "Winters, R. (2015, December 20). The EPS Awakens - Part 2. Retrieved January 22, 2016.", + "url": "https://web.archive.org/web/20151226205946/https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Jeremy Galloway", + "Shailesh Tiwary (Indian Army)", + "Goldstein Menachem" + ], + "x_mitre_data_sources": [ + "Internet Scan: Response Content", + "Domain Name: Domain Registration", + "Domain Name: Active DNS", + "Domain Name: Passive DNS", + "Internet Scan: Response Metadata" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Consider monitoring for anomalous changes to domain registrant information and/or domain resolution information that may indicate the compromise of a domain. Efforts may need to be tailored to specific domains of interest as benign registration and resolution changes are a common occurrence on the internet. \n\nOnce adversaries have provisioned compromised infrastructure (ex: a server for use in command and control), internet scans may help proactively discover compromised infrastructure. Consider looking for identifiable patterns such as services listening, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: Mandiant SCANdalous Jul 2020)(Citation: Koczwara Beacon Hunting Sep 2021)\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "PRE" + ], + "x_mitre_version": "1.4", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-02 01:10:49.053000+00:00\", \"old_value\": \"2023-04-12 13:32:15.704000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage.\\n\\nUse of compromised infrastructure allows adversaries to stage, launch, and execute operations. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. For example, adversaries may leverage compromised infrastructure (potentially also in conjunction with [Digital Certificates](https://attack.mitre.org/techniques/T1588/004)) to further blend in and support staged information gathering and/or [Phishing](https://attack.mitre.org/techniques/T1566) campaigns.(Citation: FireEye DNS Hijack 2019) Additionally, adversaries may also compromise infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090) and/or proxyware services.(Citation: amnesty_nso_pegasus)(Citation: Sysdig Proxyjacking)\\n\\nBy using compromised infrastructure, adversaries may make it difficult to tie their actions back to them. Prior to targeting, adversaries may compromise the infrastructure of other adversaries.(Citation: NSA NCSC Turla OilRig)\", \"old_value\": \"Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage.\\n\\nUse of compromised infrastructure allows adversaries to stage, launch, and execute operations. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. For example, adversaries may leverage compromised infrastructure (potentially also in conjunction with [Digital Certificates](https://attack.mitre.org/techniques/T1588/004)) to further blend in and support staged information gathering and/or [Phishing](https://attack.mitre.org/techniques/T1566) campaigns.(Citation: FireEye DNS Hijack 2019) Additionally, adversaries may also compromise infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090).(Citation: amnesty_nso_pegasus)\\n\\nBy using compromised infrastructure, adversaries may make it difficult to tie their actions back to them. Prior to targeting, adversaries may compromise the infrastructure of other adversaries.(Citation: NSA NCSC Turla OilRig)\", \"diff\": \"--- \\n+++ \\n@@ -1,5 +1,5 @@\\n Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage.\\n \\n-Use of compromised infrastructure allows adversaries to stage, launch, and execute operations. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. For example, adversaries may leverage compromised infrastructure (potentially also in conjunction with [Digital Certificates](https://attack.mitre.org/techniques/T1588/004)) to further blend in and support staged information gathering and/or [Phishing](https://attack.mitre.org/techniques/T1566) campaigns.(Citation: FireEye DNS Hijack 2019) Additionally, adversaries may also compromise infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090).(Citation: amnesty_nso_pegasus)\\n+Use of compromised infrastructure allows adversaries to stage, launch, and execute operations. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. For example, adversaries may leverage compromised infrastructure (potentially also in conjunction with [Digital Certificates](https://attack.mitre.org/techniques/T1588/004)) to further blend in and support staged information gathering and/or [Phishing](https://attack.mitre.org/techniques/T1566) campaigns.(Citation: FireEye DNS Hijack 2019) Additionally, adversaries may also compromise infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090) and/or proxyware services.(Citation: amnesty_nso_pegasus)(Citation: Sysdig Proxyjacking)\\n \\n By using compromised infrastructure, adversaries may make it difficult to tie their actions back to them. Prior to targeting, adversaries may compromise the infrastructure of other adversaries.(Citation: NSA NCSC Turla OilRig)\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.4\", \"old_value\": \"1.3\"}}, \"iterable_item_added\": {\"root['external_references'][2]\": {\"source_name\": \"Sysdig Proxyjacking\", \"description\": \"Crystal Morin. (2023, April 4). Proxyjacking has Entered the Chat. Retrieved July 6, 2023.\", \"url\": \"https://sysdig.com/blog/proxyjacking-attackers-log4j-exploited/\"}, \"root['x_mitre_contributors'][2]\": \"Goldstein Menachem\"}}", + "previous_version": "1.3", + "version_change": "1.3 \u2192 1.4", + "description_change_table": "\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n

    		Old Description
    		New Description
    t1Adversaries may compromise third-party infrastructure that ct1Adversaries may compromise third-party infrastructure that c
    >an be used during targeting. Infrastructure solutions includ>an be used during targeting. Infrastructure solutions includ
    >e physical or cloud servers, domains, and third-party web an>e physical or cloud servers, domains, and third-party web an
    >d DNS services. Instead of buying, leasing, or renting infra>d DNS services. Instead of buying, leasing, or renting infra
    >structure an adversary may compromise infrastructure and use>structure an adversary may compromise infrastructure and use
    > it during other phases of the adversary lifecycle.(Citation> it during other phases of the adversary lifecycle.(Citation
    >: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citatio>: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citatio
    >n: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens >n: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens 
    >Part 2) Additionally, adversaries may compromise numerous ma>Part 2) Additionally, adversaries may compromise numerous ma
    >chines to form a botnet they can leverage.  Use of compromis>chines to form a botnet they can leverage.  Use of compromis
    >ed infrastructure allows adversaries to stage, launch, and e>ed infrastructure allows adversaries to stage, launch, and e
    >xecute operations. Compromised infrastructure can help adver>xecute operations. Compromised infrastructure can help adver
    >sary operations blend in with traffic that is seen as normal>sary operations blend in with traffic that is seen as normal
    >, such as contact with high reputation or trusted sites. For>, such as contact with high reputation or trusted sites. For
    > example, adversaries may leverage compromised infrastructur> example, adversaries may leverage compromised infrastructur
    >e (potentially also in conjunction with [Digital Certificate>e (potentially also in conjunction with [Digital Certificate
    >s](https://attack.mitre.org/techniques/T1588/004)) to furthe>s](https://attack.mitre.org/techniques/T1588/004)) to furthe
    >r blend in and support staged information gathering and/or [>r blend in and support staged information gathering and/or [
    >Phishing](https://attack.mitre.org/techniques/T1566) campaig>Phishing](https://attack.mitre.org/techniques/T1566) campaig
    >ns.(Citation: FireEye DNS Hijack 2019) Additionally, adversa>ns.(Citation: FireEye DNS Hijack 2019) Additionally, adversa
    >ries may also compromise infrastructure to support [Proxy](h>ries may also compromise infrastructure to support [Proxy](h
    >ttps://attack.mitre.org/techniques/T1090).(Citation: amnesty>ttps://attack.mitre.org/techniques/T1090) and/or proxyware s
    >_nso_pegasus)  By using compromised infrastructure, adversar>ervices.(Citation: amnesty_nso_pegasus)(Citation: Sysdig Pro
    >ies may make it difficult to tie their actions back to them.>xyjacking)  By using compromised infrastructure, adversaries
    > Prior to targeting, adversaries may compromise the infrastr> may make it difficult to tie their actions back to them. Pr
    >ucture of other adversaries.(Citation: NSA NCSC Turla OilRig>ior to targeting, adversaries may compromise the infrastruct
    >)>ure of other adversaries.(Citation: NSA NCSC Turla OilRig)
    ", + "changelog_mitigations": { + "shared": [ + "M1056: Pre-compromise" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0035: Internet Scan (Response Content)", + "DS0035: Internet Scan (Response Metadata)", + "DS0038: Domain Name (Active DNS)", + "DS0038: Domain Name (Domain Registration)", + "DS0038: Domain Name (Passive DNS)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--e01be9c5-e763-4caf-aeb7-000b416aef67", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-12-14 16:46:06.044000+00:00", + "modified": "2023-10-16 17:42:28.207000+00:00", + "name": "Create Account", + "description": "Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.\n\nAccounts may be created on the local system or within a domain or cloud tenant. In cloud environments, adversaries may create accounts that only have access to specific services, which can reduce the chance of detection.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1136", + "external_id": "T1136" + }, + { + "source_name": "Microsoft User Creation Event", + "description": "Lich, B., Miroshnikov, A. (2017, April 5). 4720(S): A user account was created. Retrieved June 30, 2017.", + "url": "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Microsoft Threat Intelligence Center (MSTIC)", + "Praetorian", + "Austin Clark, @c2defense" + ], + "x_mitre_data_sources": [ + "Process: Process Creation", + "Command: Command Execution", + "User Account: User Account Creation" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor for processes and command-line parameters associated with account creation, such as net user or useradd. Collect data on account creation within a network. Event ID 4720 is generated when a user account is created on a Windows system and domain controller. (Citation: Microsoft User Creation Event) Perform regular audits of domain and local system accounts to detect suspicious accounts that may have been created by an adversary.\n\nCollect usage logs from cloud administrator accounts to identify unusual activity in the creation of new accounts and assignment of roles to those accounts. Monitor for accounts assigned to admin roles that go over a certain threshold of known admins.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "Azure AD", + "Office 365", + "IaaS", + "Linux", + "macOS", + "Google Workspace", + "Network", + "Containers", + "SaaS" + ], + "x_mitre_version": "2.4", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-16 17:42:28.207000+00:00\", \"old_value\": \"2023-04-12 23:24:48.840000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.4\", \"old_value\": \"2.3\"}}, \"iterable_item_added\": {\"root['x_mitre_platforms'][8]\": \"Containers\", \"root['x_mitre_platforms'][9]\": \"SaaS\"}}", + "previous_version": "2.3", + "version_change": "2.3 \u2192 2.4", + "changelog_mitigations": { + "shared": [ + "M1026: Privileged Account Management", + "M1028: Operating System Configuration", + "M1030: Network Segmentation", + "M1032: Multi-factor Authentication" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0002: User Account (User Account Creation)", + "DS0009: Process (Process Creation)", + "DS0017: Command (Command Execution)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--a009cb25-4801-4116-9105-80a91cf15c1b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-01-29 17:32:30.711000+00:00", + "modified": "2023-10-16 17:34:42.544000+00:00", + "name": "Cloud Account", + "description": "Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.(Citation: Microsoft O365 Admin Roles)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: AWS Create IAM User)(Citation: GCP Create Cloud Identity Users)(Citation: Microsoft Azure AD Users)\n\nAdversaries may create accounts that only have access to specific cloud services, which can reduce the chance of detection.\n\nOnce an adversary has created a cloud account, they can then manipulate that account to ensure persistence and allow access to additional resources - for example, by adding [Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) or assigning [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1136/003", + "external_id": "T1136.003" + }, + { + "source_name": "Microsoft O365 Admin Roles", + "description": "Ako-Adjei, K., Dickhaus, M., Baumgartner, P., Faigel, D., et. al.. (2019, October 8). About admin roles. Retrieved October 18, 2019.", + "url": "https://docs.microsoft.com/en-us/office365/admin/add-users/about-admin-roles?view=o365-worldwide" + }, + { + "source_name": "AWS Create IAM User", + "description": "AWS. (n.d.). Creating an IAM User in Your AWS Account. Retrieved January 29, 2020.", + "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html" + }, + { + "source_name": "GCP Create Cloud Identity Users", + "description": "Google. (n.d.). Create Cloud Identity user accounts. Retrieved January 29, 2020.", + "url": "https://support.google.com/cloudidentity/answer/7332836?hl=en&ref_topic=7558554" + }, + { + "source_name": "Microsoft Azure AD Users", + "description": "Microsoft. (2019, November 11). Add or delete users using Azure Active Directory. Retrieved January 30, 2020.", + "url": "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-users-azure-active-directory" + }, + { + "source_name": "Microsoft Support O365 Add Another Admin, October 2019", + "description": "Microsoft. (n.d.). Add Another Admin. Retrieved October 18, 2019.", + "url": "https://support.office.com/en-us/article/add-another-admin-f693489f-9f55-4bd0-a637-a81ce93de22d" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Praetorian", + "Microsoft Threat Intelligence Center (MSTIC)" + ], + "x_mitre_data_sources": [ + "User Account: User Account Creation" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Collect usage logs from cloud user and administrator accounts to identify unusual activity in the creation of new accounts and assignment of roles to those accounts. Monitor for accounts assigned to admin roles that go over a certain threshold of known admins.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Azure AD", + "Office 365", + "IaaS", + "Google Workspace", + "SaaS" + ], + "x_mitre_version": "1.4", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-16 17:34:42.544000+00:00\", \"old_value\": \"2023-03-06 21:24:56.669000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.4\", \"old_value\": \"1.3\"}}}", + "previous_version": "1.3", + "version_change": "1.3 \u2192 1.4", + "changelog_mitigations": { + "shared": [ + "M1026: Privileged Account Management", + "M1030: Network Segmentation", + "M1032: Multi-factor Authentication" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0002: User Account (User Account Creation)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--7610cada-1499-41a4-b3dd-46467b68d177", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-01-28 14:05:17.825000+00:00", + "modified": "2023-10-16 17:36:37.600000+00:00", + "name": "Domain Account", + "description": "Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the net user /add /domain command can be used to create a domain account.\n\nSuch accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1136/002", + "external_id": "T1136.002" + }, + { + "source_name": "Microsoft User Creation Event", + "description": "Lich, B., Miroshnikov, A. (2017, April 5). 4720(S): A user account was created. Retrieved June 30, 2017.", + "url": "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_data_sources": [ + "Process: Process Creation", + "Command: Command Execution", + "User Account: User Account Creation" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor for processes and command-line parameters associated with domain account creation, such as net user /add /domain. Collect data on account creation within a network. Event ID 4720 is generated when a user account is created on a Windows domain controller. (Citation: Microsoft User Creation Event) Perform regular audits of domain accounts to detect suspicious accounts that may have been created by an adversary.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "macOS", + "Linux" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_attack_spec_version']\": \"3.2.0\", \"root['x_mitre_deprecated']\": false}, \"dictionary_item_removed\": {\"root['x_mitre_permissions_required']\": [\"Administrator\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-16 17:36:37.600000+00:00\", \"old_value\": \"2020-03-23 18:12:36.696000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}}", + "previous_version": "1.0", + "version_change": "1.0 \u2192 1.1", + "changelog_mitigations": { + "shared": [ + "M1026: Privileged Account Management", + "M1028: Operating System Configuration", + "M1030: Network Segmentation", + "M1032: Multi-factor Authentication" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0002: User Account (User Account Creation)", + "DS0009: Process (Process Creation)", + "DS0017: Command (Command Execution)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--635cbe30-392d-4e27-978e-66774357c762", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-01-28 13:50:22.506000+00:00", + "modified": "2023-10-16 17:40:37.995000+00:00", + "name": "Local Account", + "description": "Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. \n\nFor example, with a sufficient level of access, the Windows net user /add command can be used to create a local account. On macOS systems the dscl -create command can be used to create a local account. Local accounts may also be added to network devices, often via common [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as username, or to Kubernetes clusters using the `kubectl` utility.(Citation: cisco_username_cmd)(Citation: Kubernetes Service Accounts Security)\n\nSuch accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1136/001", + "external_id": "T1136.001" + }, + { + "source_name": "cisco_username_cmd", + "description": "Cisco. (2023, March 6). username - Cisco IOS Security Command Reference: Commands S to Z. Retrieved July 13, 2022.", + "url": "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-t2.html#wp1047035630" + }, + { + "source_name": "Kubernetes Service Accounts Security", + "description": "Kubernetes. (n.d.). Service Accounts. Retrieved July 14, 2023.", + "url": "https://kubernetes.io/docs/concepts/security/service-accounts/" + }, + { + "source_name": "Microsoft User Creation Event", + "description": "Lich, B., Miroshnikov, A. (2017, April 5). 4720(S): A user account was created. Retrieved June 30, 2017.", + "url": "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Austin Clark, @c2defense" + ], + "x_mitre_data_sources": [ + "User Account: User Account Creation", + "Process: Process Creation", + "Command: Command Execution" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor for processes and command-line parameters associated with local account creation, such as net user /add , useradd , and dscl -create . Collect data on account creation within a network. Event ID 4720 is generated when a user account is created on a Windows system. (Citation: Microsoft User Creation Event) Perform regular audits of local system accounts to detect suspicious accounts that may have been created by an adversary. For network infrastructure devices, collect AAA logging to monitor for account creations.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows", + "Network", + "Containers" + ], + "x_mitre_version": "1.3", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-16 17:40:37.995000+00:00\", \"old_value\": \"2023-04-12 23:23:35.209000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. \\n\\nFor example, with a sufficient level of access, the Windows net user /add command can be used to create a local account. On macOS systems the dscl -create command can be used to create a local account. Local accounts may also be added to network devices, often via common [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as username, or to Kubernetes clusters using the `kubectl` utility.(Citation: cisco_username_cmd)(Citation: Kubernetes Service Accounts Security)\\n\\nSuch accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.\", \"old_value\": \"Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. With a sufficient level of access, the net user /add command can be used to create a local account. On macOS systems the dscl -create command can be used to create a local account. Local accounts may also be added to network devices, often via common [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as username.(Citation: cisco_username_cmd)\\n\\nSuch accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,5 @@\\n-Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. With a sufficient level of access, the net user /add command can be used to create a local account. On macOS systems the dscl -create command can be used to create a local account. Local accounts may also be added to network devices, often via common [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as username.(Citation: cisco_username_cmd)\\n+Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. \\n+\\n+For example, with a sufficient level of access, the Windows net user /add command can be used to create a local account. On macOS systems the dscl -create command can be used to create a local account. Local accounts may also be added to network devices, often via common [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as username, or to Kubernetes clusters using the `kubectl` utility.(Citation: cisco_username_cmd)(Citation: Kubernetes Service Accounts Security)\\n \\n Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.3\", \"old_value\": \"1.2\"}}, \"iterable_item_added\": {\"root['external_references'][2]\": {\"source_name\": \"Kubernetes Service Accounts Security\", \"description\": \"Kubernetes. (n.d.). Service Accounts. Retrieved July 14, 2023.\", \"url\": \"https://kubernetes.io/docs/concepts/security/service-accounts/\"}, \"root['x_mitre_platforms'][4]\": \"Containers\"}}", + "previous_version": "1.2", + "version_change": "1.2 \u2192 1.3", + "description_change_table": "\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n

    		Old Description
    		New Description
    t1Adversaries may create a local account to maintain access tot1Adversaries may create a local account to maintain access to
    > victim systems. Local accounts are those configured by an o> victim systems. Local accounts are those configured by an o
    >rganization for use by users, remote support, services, or f>rganization for use by users, remote support, services, or f
    >or administration on a single system or service. With a suff>or administration on a single system or service.   For examp
    >icient level of access, the <code>net user /add</code> comma>le, with a sufficient level of access, the Windows <code>net
    >nd can be used to create a local account. On macOS systems t> user /add</code> command can be used to create a local acco
    >he <code>dscl -create</code> command can be used to create a>unt. On macOS systems the <code>dscl -create</code> command 
    > local account. Local accounts may also be added to network >can be used to create a local account. Local accounts may al
    >devices, often via common [Network Device CLI](https://attac>so be added to network devices, often via common [Network De
    >k.mitre.org/techniques/T1059/008) commands such as <code>use>vice CLI](https://attack.mitre.org/techniques/T1059/008) com
    >rname</code>.(Citation: cisco_username_cmd)  Such accounts m>mands such as <code>username</code>, or to Kubernetes cluste
    >ay be used to establish secondary credentialed access that d>rs using the `kubectl` utility.(Citation: cisco_username_cmd
    >o not require persistent remote access tools to be deployed >)(Citation: Kubernetes Service Accounts Security)  Such acco
    >on the system.>unts may be used to establish secondary credentialed access 
     >that do not require persistent remote access tools to be dep
     >loyed on the system.
    ", + "changelog_mitigations": { + "shared": [ + "M1026: Privileged Account Management", + "M1032: Multi-factor Authentication" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0002: User Account (User Account Creation)", + "DS0009: Process (Process Creation)", + "DS0017: Command (Command Execution)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--dfefe2ed-4389-4318-8762-f0272b350a1b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-01-17 16:15:19.870000+00:00", + "modified": "2023-10-09 16:19:01.408000+00:00", + "name": "Systemd Service", + "description": "Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014) Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible. \n\nSystemd utilizes unit configuration files with the `.service` file extension to encode information about a service's process. By default, system level unit files are stored in the `/systemd/system` directory of the root owned directories (`/`). User level unit files are stored in the `/systemd/user` directories of the user owned directories (`$HOME`).(Citation: lambert systemd 2022) \n\nInside the `.service` unit files, the following directives are used to execute commands:(Citation: freedesktop systemd.service) \n\n* `ExecStart`, `ExecStartPre`, and `ExecStartPost` directives execute when a service is started manually by `systemctl` or on system start if the service is set to automatically start.\n* `ExecReload` directive executes when a service restarts. \n* `ExecStop`, `ExecStopPre`, and `ExecStopPost` directives execute when a service is stopped. \n\nAdversaries have created new service files, altered the commands a `.service` file\u2019s directive executes, and modified the user directive a `.service` file executes as, which could result in privilege escalation. Adversaries may also place symbolic links in these directories, enabling systemd to find these payloads regardless of where they reside on the filesystem.(Citation: Anomali Rocke March 2019)(Citation: airwalk backdoor unix systems)(Citation: Rapid7 Service Persistence 22JUNE2016) ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1543/002", + "external_id": "T1543.002" + }, + { + "source_name": "airwalk backdoor unix systems", + "description": "airwalk. (2023, January 1). A guide to backdooring Unix systems. Retrieved May 31, 2023.", + "url": "http://www.ouah.org/backdoors.html" + }, + { + "source_name": "Anomali Rocke March 2019", + "description": "Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019.", + "url": "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang" + }, + { + "source_name": "freedesktop systemd.service", + "description": "Free Desktop. (n.d.). systemd.service \u2014 Service unit configuration. Retrieved March 20, 2023.", + "url": "https://www.freedesktop.org/software/systemd/man/systemd.service.html" + }, + { + "source_name": "Linux man-pages: systemd January 2014", + "description": "Linux man-pages. (2014, January). systemd(1) - Linux manual page. Retrieved April 23, 2019.", + "url": "http://man7.org/linux/man-pages/man1/systemd.1.html" + }, + { + "source_name": "Berba hunting linux systemd", + "description": "Pepe Berba. (2022, January 30). Hunting for Persistence in Linux (Part 3): Systemd, Timers, and Cron. Retrieved March 20, 2023.", + "url": "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/" + }, + { + "source_name": "Rapid7 Service Persistence 22JUNE2016", + "description": "Rapid7. (2016, June 22). Service Persistence. Retrieved April 23, 2019.", + "url": "https://www.rapid7.com/db/modules/exploit/linux/local/service_persistence" + }, + { + "source_name": "lambert systemd 2022", + "description": "Tony Lambert. (2022, November 13). ATT&CK T1501: Understanding systemd service persistence. Retrieved March 20, 2023.", + "url": "https://redcanary.com/blog/attck-t1501-understanding-systemd-service-persistence/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Tony Lambert, Red Canary", + "Emad Al-Mousa, Saudi Aramco", + "Tim (Wadhwa-)Brown" + ], + "x_mitre_data_sources": [ + "Command: Command Execution", + "File: File Modification", + "Service: Service Creation", + "Service: Service Modification", + "Process: Process Creation", + "File: File Creation" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor file creation and modification events of Systemd service unit configuration files in the default directory locations for `root` & `user` level permissions. Suspicious processes or scripts spawned in this manner will have a parent process of \u2018systemd\u2019, a parent process ID of 1, and will usually execute as the `root` user.(Citation: lambert systemd 2022) \n\nSuspicious systemd services can also be identified by comparing results against a trusted system baseline. Malicious systemd services may be detected by using the systemctl utility to examine system wide services: `systemctl list-units -\u2013type=service \u2013all`. Analyze the contents of `.service` files present on the file system and ensure that they refer to legitimate, expected executables, and symbolic links.(Citation: Berba hunting linux systemd)\n\nAuditing the execution and command-line arguments of the `systemctl` utility, as well related utilities such as `/usr/sbin/service` may reveal malicious systemd service execution.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_permissions_required": [ + "User", + "root" + ], + "x_mitre_platforms": [ + "Linux" + ], + "x_mitre_version": "1.4", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-09 16:19:01.408000+00:00\", \"old_value\": \"2023-04-12 20:13:07.604000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014) Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible. \\n\\nSystemd utilizes unit configuration files with the `.service` file extension to encode information about a service's process. By default, system level unit files are stored in the `/systemd/system` directory of the root owned directories (`/`). User level unit files are stored in the `/systemd/user` directories of the user owned directories (`$HOME`).(Citation: lambert systemd 2022) \\n\\nInside the `.service` unit files, the following directives are used to execute commands:(Citation: freedesktop systemd.service) \\n\\n* `ExecStart`, `ExecStartPre`, and `ExecStartPost` directives execute when a service is started manually by `systemctl` or on system start if the service is set to automatically start.\\n* `ExecReload` directive executes when a service restarts. \\n* `ExecStop`, `ExecStopPre`, and `ExecStopPost` directives execute when a service is stopped. \\n\\nAdversaries have created new service files, altered the commands a `.service` file\\u2019s directive executes, and modified the user directive a `.service` file executes as, which could result in privilege escalation. Adversaries may also place symbolic links in these directories, enabling systemd to find these payloads regardless of where they reside on the filesystem.(Citation: Anomali Rocke March 2019)(Citation: airwalk backdoor unix systems)(Citation: Rapid7 Service Persistence 22JUNE2016) \", \"old_value\": \"Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014) Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible. \\n\\nSystemd utilizes unit configuration files with the `.service` file extension to encode information about a service's process. By default, system level unit files are stored in the `/systemd/system` directory of the root owned directories (`/`). User level unit files are stored in the `/systemd/user` directories of the user owned directories (`$HOME`). (Citation: lambert systemd 2022) \\n\\nService unit files use the following directives to execute system commands:(Citation: freedesktop systemd.service) \\n\\n* `ExecStart`, `ExecStartPre`, and `ExecStartPost` directives cover execution of commands when a service is started manually by `systemctl`, or on system start if the service is set to automatically start.\\n* `ExecReload` directive covers when a service restarts. \\n* `ExecStop`, `ExecStopPre`, and `ExecStopPost` directives cover when a service is stopped. \\n\\nAdversaries may abuse systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files systemd uses upon reboot or starting a service.(Citation: Anomali Rocke March 2019) Adversaries may also place symbolic links in these directories, enabling systemd to find these payloads regardless of where they reside on the filesystem.\\n\\nThe `.service` file\\u2019s `User` directive can be used to run service as a specific user, which could result in privilege escalation based on specific user/group permissions.(Citation: Rapid7 Service Persistence 22JUNE2016) \", \"diff\": \"--- \\n+++ \\n@@ -1,13 +1,11 @@\\n Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014) Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible. \\n \\n-Systemd utilizes unit configuration files with the `.service` file extension to encode information about a service's process. By default, system level unit files are stored in the `/systemd/system` directory of the root owned directories (`/`). User level unit files are stored in the `/systemd/user` directories of the user owned directories (`$HOME`). (Citation: lambert systemd 2022) \\n+Systemd utilizes unit configuration files with the `.service` file extension to encode information about a service's process. By default, system level unit files are stored in the `/systemd/system` directory of the root owned directories (`/`). User level unit files are stored in the `/systemd/user` directories of the user owned directories (`$HOME`).(Citation: lambert systemd 2022) \\n \\n-Service unit files use the following directives to execute system commands:(Citation: freedesktop systemd.service) \\n+Inside the `.service` unit files, the following directives are used to execute commands:(Citation: freedesktop systemd.service) \\n \\n-* `ExecStart`, `ExecStartPre`, and `ExecStartPost` directives cover execution of commands when a service is started manually by `systemctl`, or on system start if the service is set to automatically start.\\n-* `ExecReload` directive covers when a service restarts. \\n-* `ExecStop`, `ExecStopPre`, and `ExecStopPost` directives cover when a service is stopped. \\n+* `ExecStart`, `ExecStartPre`, and `ExecStartPost` directives execute when a service is started manually by `systemctl` or on system start if the service is set to automatically start.\\n+* `ExecReload` directive executes when a service restarts. \\n+* `ExecStop`, `ExecStopPre`, and `ExecStopPost` directives execute when a service is stopped. \\n \\n-Adversaries may abuse systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files systemd uses upon reboot or starting a service.(Citation: Anomali Rocke March 2019) Adversaries may also place symbolic links in these directories, enabling systemd to find these payloads regardless of where they reside on the filesystem.\\n-\\n-The `.service` file\\u2019s `User` directive can be used to run service as a specific user, which could result in privilege escalation based on specific user/group permissions.(Citation: Rapid7 Service Persistence 22JUNE2016) \\n+Adversaries have created new service files, altered the commands a `.service` file\\u2019s directive executes, and modified the user directive a `.service` file executes as, which could result in privilege escalation. Adversaries may also place symbolic links in these directories, enabling systemd to find these payloads regardless of where they reside on the filesystem.(Citation: Anomali Rocke March 2019)(Citation: airwalk backdoor unix systems)(Citation: Rapid7 Service Persistence 22JUNE2016) \"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.4\", \"old_value\": \"1.3\"}}, \"iterable_item_added\": {\"root['external_references'][1]\": {\"source_name\": \"airwalk backdoor unix systems\", \"description\": \"airwalk. (2023, January 1). A guide to backdooring Unix systems. Retrieved May 31, 2023.\", \"url\": \"http://www.ouah.org/backdoors.html\"}, \"root['x_mitre_contributors'][2]\": \"Tim (Wadhwa-)Brown\"}}", + "previous_version": "1.3", + "version_change": "1.3 \u2192 1.4", + "description_change_table": "\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n

    		Old Description
    		New Description
    t1Adversaries may create or modify systemd services to repeatet1Adversaries may create or modify systemd services to repeate
    >dly execute malicious payloads as part of persistence. Syste>dly execute malicious payloads as part of persistence. Syste
    >md is a system and service manager commonly used for managin>md is a system and service manager commonly used for managin
    >g background daemon processes (also known as services) and o>g background daemon processes (also known as services) and o
    >ther system resources.(Citation: Linux man-pages: systemd Ja>ther system resources.(Citation: Linux man-pages: systemd Ja
    >nuary 2014) Systemd is the default initialization (init) sys>nuary 2014) Systemd is the default initialization (init) sys
    >tem on many Linux distributions replacing legacy init system>tem on many Linux distributions replacing legacy init system
    >s, including SysVinit and Upstart, while remaining backwards>s, including SysVinit and Upstart, while remaining backwards
    > compatible.    Systemd utilizes unit configuration files wi> compatible.    Systemd utilizes unit configuration files wi
    >th the `.service` file extension to encode information about>th the `.service` file extension to encode information about
    > a service's process. By default, system level unit files ar> a service's process. By default, system level unit files ar
    >e stored in the `/systemd/system` directory of the root owne>e stored in the `/systemd/system` directory of the root owne
    >d directories (`/`). User level unit files are stored in the>d directories (`/`). User level unit files are stored in the
    > `/systemd/user` directories of the user owned directories (> `/systemd/user` directories of the user owned directories (
    >`$HOME`). (Citation: lambert systemd 2022)   Service unit fi>`$HOME`).(Citation: lambert systemd 2022)   Inside the `.ser
    >les use the following directives to execute system commands:>vice` unit files, the following directives are used to execu
    >(Citation: freedesktop systemd.service)    * `ExecStart`, `E>te commands:(Citation: freedesktop systemd.service)    * `Ex
    >xecStartPre`, and `ExecStartPost` directives cover execution>ecStart`, `ExecStartPre`, and `ExecStartPost` directives exe
    > of commands when a service is started manually by `systemct>cute when a service is started manually by `systemctl` or on
    >l`, or on system start if the service is set to automaticall> system start if the service is set to automatically start. 
    >y start. * `ExecReload` directive covers when a service rest>* `ExecReload` directive executes when a service restarts.  
    >arts.  * `ExecStop`, `ExecStopPre`, and `ExecStopPost` direc>* `ExecStop`, `ExecStopPre`, and `ExecStopPost` directives e
    >tives cover when a service is stopped.    Adversaries may ab>xecute when a service is stopped.    Adversaries have create
    >use systemd functionality to establish persistent access to >d new service files, altered the commands a `.service` file\u2019
    >victim systems by creating and/or modifying service unit fil>s directive executes, and modified the user directive a `.se
    >es systemd uses upon reboot or starting a service.(Citation:>rvice` file executes as, which could result in privilege esc
    > Anomali Rocke March 2019) Adversaries may also place symbol>alation. Adversaries may also place symbolic links in these 
    >ic links in these directories, enabling systemd to find thes>directories, enabling systemd to find these payloads regardl
    >e payloads regardless of where they reside on the filesystem>ess of where they reside on the filesystem.(Citation: Anomal
    >.  The `.service` file\u2019s `User` directive can be used to run>i Rocke March 2019)(Citation: airwalk backdoor unix systems)
    > service as a specific user, which could result in privilege>(Citation: Rapid7 Service Persistence 22JUNE2016) 
    > escalation based on specific user/group permissions.(Citati 
    >on: Rapid7 Service Persistence 22JUNE2016)  
    ", + "changelog_mitigations": { + "shared": [ + "M1018: User Account Management", + "M1022: Restrict File and Directory Permissions", + "M1026: Privileged Account Management", + "M1033: Limit Software Installation" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0017: Command (Command Execution)", + "DS0019: Service (Service Creation)", + "DS0019: Service (Service Modification)", + "DS0022: File (File Creation)", + "DS0022: File (File Modification)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-01-17 19:13:50.402000+00:00", + "modified": "2023-09-15 16:42:25.014000+00:00", + "name": "Windows Service", + "description": "Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.(Citation: TechNet Services) Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.\n\nAdversaries may install a new service or modify an existing service to execute at startup in order to persist on a system. Service configurations can be set or modified using system utilities (such as sc.exe), by directly modifying the Registry, or by interacting directly with the Windows API. \n\nAdversaries may also use services to install and execute malicious drivers. For example, after dropping a driver file (ex: `.sys`) to disk, the payload can be loaded and registered via [Native API](https://attack.mitre.org/techniques/T1106) functions such as `CreateServiceW()` (or manually via functions such as `ZwLoadDriver()` and `ZwSetValueKey()`), by creating the required service Registry values (i.e. [Modify Registry](https://attack.mitre.org/techniques/T1112)), or by using command-line utilities such as `PnPUtil.exe`.(Citation: Symantec W.32 Stuxnet Dossier)(Citation: Crowdstrike DriveSlayer February 2022)(Citation: Unit42 AcidBox June 2020) Adversaries may leverage these drivers as [Rootkit](https://attack.mitre.org/techniques/T1014)s to hide the presence of malicious activity on a system. Adversaries may also load a signed yet vulnerable driver onto a compromised machine (known as \"Bring Your Own Vulnerable Driver\" (BYOVD)) as part of [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).(Citation: ESET InvisiMole June 2020)(Citation: Unit42 AcidBox June 2020)\n\nServices may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges. Adversaries may also directly start services through [Service Execution](https://attack.mitre.org/techniques/T1569/002). To make detection analysis more challenging, malicious services may also incorporate [Masquerade Task or Service](https://attack.mitre.org/techniques/T1036/004) (ex: using a service and/or payload name related to a legitimate OS or benign software component).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1543/003", + "external_id": "T1543.003" + }, + { + "source_name": "Microsoft Windows Event Forwarding FEB 2018", + "description": "Hardy, T. & Hall, J. (2018, February 15). Use Windows Event Forwarding to help with intrusion detection. Retrieved August 7, 2018.", + "url": "https://docs.microsoft.com/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection" + }, + { + "source_name": "ESET InvisiMole June 2020", + "description": "Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.", + "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf" + }, + { + "source_name": "TechNet Services", + "description": "Microsoft. (n.d.). Services. Retrieved June 7, 2016.", + "url": "https://technet.microsoft.com/en-us/library/cc772408.aspx" + }, + { + "source_name": "Microsoft 4697 APR 2017", + "description": "Miroshnikov, A. & Hall, J. (2017, April 18). 4697(S): A service was installed in the system. Retrieved August 7, 2018.", + "url": "https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4697" + }, + { + "source_name": "Symantec W.32 Stuxnet Dossier", + "description": "Nicolas Falliere, Liam O. Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier. Retrieved December 7, 2020.", + "url": "https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf" + }, + { + "source_name": "Unit42 AcidBox June 2020", + "description": "Reichel, D. and Idrizovic, E. (2020, June 17). AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations. Retrieved March 16, 2021.", + "url": "https://unit42.paloaltonetworks.com/acidbox-rare-malware/" + }, + { + "source_name": "TechNet Autoruns", + "description": "Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.", + "url": "https://technet.microsoft.com/en-us/sysinternals/bb963902" + }, + { + "source_name": "Crowdstrike DriveSlayer February 2022", + "description": "Thomas, W. et al. (2022, February 25). CrowdStrike Falcon Protects from New Wiper Malware Used in Ukraine Cyberattacks. Retrieved March 25, 2022.", + "url": "https://www.crowdstrike.com/blog/how-crowdstrike-falcon-protects-against-wiper-malware-used-in-ukraine-attacks/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Matthew Demaske, Adaptforward", + "Pedro Harrison", + "Mayuresh Dani, Qualys", + "Wietze Beukema, @wietze", + "Akshat Pradhan, Qualys" + ], + "x_mitre_data_sources": [ + "Windows Registry: Windows Registry Key Modification", + "Process: Process Creation", + "Network Traffic: Network Traffic Flow", + "Service: Service Creation", + "Command: Command Execution", + "File: File Metadata", + "Windows Registry: Windows Registry Key Creation", + "Driver: Driver Load", + "Service: Service Modification", + "Process: OS API Execution" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor processes and command-line arguments for actions that could create or modify services. Command-line invocation of tools capable of adding or modifying services may be unusual, depending on how systems are typically used in a particular environment. Services may also be modified through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), so additional logging may need to be configured to gather the appropriate data. Remote access tools with built-in features may also interact directly with the Windows API to perform these functions outside of typical system utilities. Collect service utility execution and service binary path arguments used for analysis. Service binary paths may even be changed to execute commands or scripts. \n\nLook for changes to service Registry entries that do not correlate with known software, patch cycles, etc. Service information is stored in the Registry at HKLM\\SYSTEM\\CurrentControlSet\\Services. Changes to the binary path and the service startup type changed from manual or disabled to automatic, if it does not typically do so, may be suspicious. Tools such as Sysinternals Autoruns may also be used to detect system service changes that could be attempts at persistence.(Citation: TechNet Autoruns) \n\nCreation of new services may generate an alterable event (ex: Event ID 4697 and/or 7045 (Citation: Microsoft 4697 APR 2017)(Citation: Microsoft Windows Event Forwarding FEB 2018)). New, benign services may be created during installation of new software.\n\nSuspicious program execution through services may show up as outlier processes that have not been seen before when compared against historical data. Look for abnormal process call trees from known services and for execution of other commands that could relate to Discovery or other adversary techniques. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_effective_permissions": [ + "Administrator", + "SYSTEM" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.4", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-15 16:42:25.014000+00:00\", \"old_value\": \"2023-04-21 12:30:35.872000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.4\", \"old_value\": \"1.3\"}}, \"iterable_item_added\": {\"root['x_mitre_data_sources'][2]\": \"Network Traffic: Network Traffic Flow\", \"root['x_mitre_data_sources'][5]\": \"File: File Metadata\"}}", + "previous_version": "1.3", + "version_change": "1.3 \u2192 1.4", + "changelog_mitigations": { + "shared": [ + "M1018: User Account Management", + "M1028: Operating System Configuration", + "M1040: Behavior Prevention on Endpoint", + "M1045: Code Signing", + "M1047: Audit" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (OS API Execution)", + "DS0009: Process (Process Creation)", + "DS0017: Command (Command Execution)", + "DS0019: Service (Service Creation)", + "DS0019: Service (Service Modification)", + "DS0024: Windows Registry (Windows Registry Key Creation)", + "DS0024: Windows Registry (Windows Registry Key Modification)", + "DS0027: Driver (Driver Load)" + ], + "new": [ + "DS0022: File (File Metadata)", + "DS0029: Network Traffic (Network Traffic Flow)" + ], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--3fc9b85a-2862-4363-a64d-d692e3ffbee0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-02-11 18:48:28.456000+00:00", + "modified": "2023-09-30 20:16:41.759000+00:00", + "name": "Credentials from Password Stores", + "description": "Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "credential-access" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1555", + "external_id": "T1555" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_data_sources": [ + "File: File Access", + "Command: Command Execution", + "Process: Process Access", + "Cloud Service: Cloud Service Enumeration", + "Process: Process Creation", + "Process: OS API Execution" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor system calls, file read events, and processes for suspicious activity that could indicate searching for a password or other activity related to performing keyword searches (e.g. password, pwd, login, store, secure, credentials, etc.) in process memory for credentials. File read events should be monitored surrounding known password storage applications.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows", + "IaaS" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_attack_spec_version']\": \"3.2.0\", \"root['x_mitre_deprecated']\": false}, \"dictionary_item_removed\": {\"root['x_mitre_permissions_required']\": [\"Administrator\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-30 20:16:41.759000+00:00\", \"old_value\": \"2022-04-01 18:25:13.952000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.\", \"old_value\": \"Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications that store passwords to make it easier for users manage and maintain. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['x_mitre_data_sources'][3]\": \"Cloud Service: Cloud Service Enumeration\", \"root['x_mitre_platforms'][3]\": \"IaaS\"}}", + "previous_version": "1.0", + "version_change": "1.0 \u2192 1.1", + "description_change_table": "\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n

    		Old Description
    		New Description
    t1Adversaries may search for common password storage locationst1Adversaries may search for common password storage locations
    > to obtain user credentials. Passwords are stored in several> to obtain user credentials. Passwords are stored in several
    > places on a system, depending on the operating system or ap> places on a system, depending on the operating system or ap
    >plication holding the credentials. There are also specific a>plication holding the credentials. There are also specific a
    >pplications that store passwords to make it easier for users>pplications and services that store passwords to make them e
    > manage and maintain. Once credentials are obtained, they ca>asier for users to manage and maintain, such as password man
    >n be used to perform lateral movement and access restricted >agers and cloud secrets vaults. Once credentials are obtaine
    >information.>d, they can be used to perform lateral movement and access r
     >estricted information.
    ", + "changelog_mitigations": { + "shared": [ + "M1027: Password Policies" + ], + "new": [ + "M1026: Privileged Account Management" + ], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (OS API Execution)", + "DS0009: Process (Process Access)", + "DS0009: Process (Process Creation)", + "DS0017: Command (Command Execution)", + "DS0022: File (File Access)" + ], + "new": [ + "DS0025: Cloud Service (Cloud Service Enumeration)" + ], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-03-14 18:47:17.701000+00:00", + "modified": "2023-10-03 17:30:32.192000+00:00", + "name": "Data Destruction", + "description": "Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018)(Citation: Talos Olympic Destroyer 2018) Common operating system file deletion commands such as del and rm often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from [Disk Content Wipe](https://attack.mitre.org/techniques/T1561/001) and [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) because individual files are destroyed rather than sections of a storage disk or the disk's logical structure.\n\nAdversaries may attempt to overwrite files and directories with randomly generated data to make it irrecoverable.(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018) In some cases politically oriented image files have been used to overwrite data.(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)\n\nTo maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware designed for destroying data may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Talos Olympic Destroyer 2018).\n\nIn cloud environments, adversaries may leverage access to delete cloud storage, cloud storage accounts, machine images, and other infrastructure crucial to operations to damage an organization or their customers.(Citation: Data Destruction - Threat Post)(Citation: DOJ - Cisco Insider)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "impact" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1485", + "external_id": "T1485" + }, + { + "source_name": "DOJ - Cisco Insider", + "description": "DOJ. (2020, August 26). San Jose Man Pleads Guilty To Damaging Cisco\u2019s Network. Retrieved December 15, 2020.", + "url": "https://www.justice.gov/usao-ndca/pr/san-jose-man-pleads-guilty-damaging-cisco-s-network" + }, + { + "source_name": "Unit 42 Shamoon3 2018", + "description": "Falcone, R. (2018, December 13). Shamoon 3 Targets Oil and Gas Organization. Retrieved March 14, 2019.", + "url": "https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/" + }, + { + "source_name": "Palo Alto Shamoon Nov 2016", + "description": "Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.", + "url": "http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/" + }, + { + "source_name": "FireEye Shamoon Nov 2016", + "description": "FireEye. (2016, November 30). FireEye Responds to Wave of Destructive Cyber Attacks in Gulf Region. Retrieved January 11, 2017.", + "url": "https://www.fireeye.com/blog/threat-research/2016/11/fireeye_respondsto.html" + }, + { + "source_name": "Kaspersky StoneDrill 2017", + "description": "Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019.", + "url": "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180722/Report_Shamoon_StoneDrill_final.pdf" + }, + { + "source_name": "Talos Olympic Destroyer 2018", + "description": "Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019.", + "url": "https://blog.talosintelligence.com/2018/02/olympic-destroyer.html" + }, + { + "source_name": "Data Destruction - Threat Post", + "description": "Mimoso, M.. (2014, June 18). Hacker Puts Hosting Service Code Spaces Out of Business. Retrieved December 15, 2020.", + "url": "https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/" + }, + { + "source_name": "Symantec Shamoon 2012", + "description": "Symantec. (2012, August 16). The Shamoon Attacks. Retrieved March 14, 2019.", + "url": "https://www.symantec.com/connect/blogs/shamoon-attacks" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Brent Murphy, Elastic", + "David French, Elastic", + "Syed Ummar Farooqh, McAfee", + "Prasad Somasamudram, McAfee", + "Sekhar Sarukkai, McAfee", + "Varonis Threat Labs", + "Joey Lei" + ], + "x_mitre_data_sources": [ + "Snapshot: Snapshot Deletion", + "Process: Process Creation", + "File: File Deletion", + "Image: Image Deletion", + "Instance: Instance Deletion", + "File: File Modification", + "Volume: Volume Deletion", + "Cloud Storage: Cloud Storage Deletion", + "Command: Command Execution" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Use process monitoring to monitor the execution and command-line parameters of binaries that could be involved in data destruction activity, such as [SDelete](https://attack.mitre.org/software/S0195). Monitor for the creation of suspicious files as well as high unusual file modification activity. In particular, look for large quantities of file modifications in user directories and under C:\\Windows\\System32\\.\n\nIn cloud environments, the occurrence of anomalous high-volume deletion events, such as the DeleteDBCluster and DeleteGlobalCluster events in AWS, or a high quantity of data deletion events, such as DeleteBucket, within a short period of time may indicate suspicious activity.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_impact_type": [ + "Availability" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "IaaS", + "Linux", + "macOS", + "Containers" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_attack_spec_version']\": \"3.2.0\", \"root['x_mitre_deprecated']\": false}, \"dictionary_item_removed\": {\"root['x_mitre_permissions_required']\": [\"User\", \"Administrator\", \"root\", \"SYSTEM\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-03 17:30:32.192000+00:00\", \"old_value\": \"2021-03-25 14:47:48.728000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}, \"iterable_item_added\": {\"root['x_mitre_contributors'][6]\": \"Joey Lei\", \"root['x_mitre_platforms'][4]\": \"Containers\"}}", + "previous_version": "1.1", + "version_change": "1.1 \u2192 1.2", + "changelog_mitigations": { + "shared": [ + "M1053: Data Backup" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0007: Image (Image Deletion)", + "DS0009: Process (Process Creation)", + "DS0010: Cloud Storage (Cloud Storage Deletion)", + "DS0017: Command (Command Execution)", + "DS0020: Snapshot (Snapshot Deletion)", + "DS0022: File (File Deletion)", + "DS0022: File (File Modification)", + "DS0030: Instance (Instance Deletion)", + "DS0034: Volume (Volume Deletion)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--3298ce88-1628-43b1-87d9-0b5336b193d7", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-08-30 18:07:27.741000+00:00", + "modified": "2023-09-29 16:11:43.530000+00:00", + "name": "Data from Cloud Storage", + "description": "Adversaries may access data from cloud storage.\n\nMany IaaS providers offer solutions for online data object storage such as Amazon S3, Azure Storage, and Google Cloud Storage. Similarly, SaaS enterprise platforms such as Office 365 and Google Workspace provide cloud-based document storage to users through services such as OneDrive and Google Drive, while SaaS application providers such as Slack, Confluence, Salesforce, and Dropbox may provide cloud storage solutions as a peripheral or primary use case of their platform. \n\nIn some cases, as with IaaS-based cloud storage, there exists no overarching application (such as SQL or Elasticsearch) with which to interact with the stored objects: instead, data from these solutions is retrieved directly though the [Cloud API](https://attack.mitre.org/techniques/T1059/009). In SaaS applications, adversaries may be able to collect this data directly from APIs or backend cloud storage objects, rather than through their front-end application or interface (i.e., [Data from Information Repositories](https://attack.mitre.org/techniques/T1213)). \n\nAdversaries may collect sensitive data from these cloud storage solutions. Providers typically offer security guides to help end users configure systems, though misconfigurations are a common problem.(Citation: Amazon S3 Security, 2019)(Citation: Microsoft Azure Storage Security, 2019)(Citation: Google Cloud Storage Best Practices, 2019) There have been numerous incidents where cloud storage has been improperly secured, typically by unintentionally allowing public access to unauthenticated users, overly-broad access by all users, or even access for any anonymous person outside the control of the Identity Access Management system without even needing basic user permissions.\n\nThis open access may expose various types of sensitive data, such as credit cards, personally identifiable information, or medical records.(Citation: Trend Micro S3 Exposed PII, 2017)(Citation: Wired Magecart S3 Buckets, 2019)(Citation: HIPAA Journal S3 Breach, 2017)(Citation: Rclone-mega-extortion_05_2021)\n\nAdversaries may also obtain then abuse leaked credentials from source repositories, logs, or other means as a way to gain access to cloud storage objects.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "collection" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1530", + "external_id": "T1530" + }, + { + "source_name": "Amazon S3 Security, 2019", + "description": "Amazon. (2019, May 17). How can I secure the files in my Amazon S3 bucket?. Retrieved October 4, 2019.", + "url": "https://aws.amazon.com/premiumsupport/knowledge-center/secure-s3-resources/" + }, + { + "source_name": "Microsoft Azure Storage Security, 2019", + "description": "Amlekar, M., Brooks, C., Claman, L., et. al.. (2019, March 20). Azure Storage security guide. Retrieved October 4, 2019.", + "url": "https://docs.microsoft.com/en-us/azure/storage/common/storage-security-guide" + }, + { + "source_name": "Wired Magecart S3 Buckets, 2019", + "description": "Barrett, B.. (2019, July 11). Hack Brief: A Card-Skimming Hacker Group Hit 17K Domains\u2014and Counting. Retrieved October 4, 2019.", + "url": "https://www.wired.com/story/magecart-amazon-cloud-hacks/" + }, + { + "source_name": "Google Cloud Storage Best Practices, 2019", + "description": "Google. (2019, September 16). Best practices for Cloud Storage. Retrieved October 4, 2019.", + "url": "https://cloud.google.com/storage/docs/best-practices" + }, + { + "source_name": "HIPAA Journal S3 Breach, 2017", + "description": "HIPAA Journal. (2017, October 11). 47GB of Medical Records and Test Results Found in Unsecured Amazon S3 Bucket. Retrieved October 4, 2019.", + "url": "https://www.hipaajournal.com/47gb-medical-records-unsecured-amazon-s3-bucket/" + }, + { + "source_name": "Rclone-mega-extortion_05_2021", + "description": "Justin Schoenfeld, Aaron Didier. (2021, May 4). Transferring leverage in a ransomware attack. Retrieved July 14, 2022.", + "url": "https://redcanary.com/blog/rclone-mega-extortion/" + }, + { + "source_name": "Trend Micro S3 Exposed PII, 2017", + "description": "Trend Micro. (2017, November 6). A Misconfigured Amazon S3 Exposed Almost 50 Thousand PII in Australia. Retrieved October 4, 2019.", + "url": "https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/a-misconfigured-amazon-s3-exposed-almost-50-thousand-pii-in-australia" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Netskope", + "Praetorian", + "AppOmni" + ], + "x_mitre_data_sources": [ + "Cloud Storage: Cloud Storage Access" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor for unusual queries to the cloud provider's storage service. Activity originating from unexpected sources may indicate improper permissions are set that is allowing access to data. Additionally, detecting failed attempts by a user for a certain object, followed by escalation of privileges by the same user, and access to the same object may be an indication of suspicious activity.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "IaaS", + "SaaS", + "Google Workspace", + "Office 365" + ], + "x_mitre_version": "2.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-29 16:11:43.530000+00:00\", \"old_value\": \"2022-10-18 19:10:42.621000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may access data from cloud storage.\\n\\nMany IaaS providers offer solutions for online data object storage such as Amazon S3, Azure Storage, and Google Cloud Storage. Similarly, SaaS enterprise platforms such as Office 365 and Google Workspace provide cloud-based document storage to users through services such as OneDrive and Google Drive, while SaaS application providers such as Slack, Confluence, Salesforce, and Dropbox may provide cloud storage solutions as a peripheral or primary use case of their platform. \\n\\nIn some cases, as with IaaS-based cloud storage, there exists no overarching application (such as SQL or Elasticsearch) with which to interact with the stored objects: instead, data from these solutions is retrieved directly though the [Cloud API](https://attack.mitre.org/techniques/T1059/009). In SaaS applications, adversaries may be able to collect this data directly from APIs or backend cloud storage objects, rather than through their front-end application or interface (i.e., [Data from Information Repositories](https://attack.mitre.org/techniques/T1213)). \\n\\nAdversaries may collect sensitive data from these cloud storage solutions. Providers typically offer security guides to help end users configure systems, though misconfigurations are a common problem.(Citation: Amazon S3 Security, 2019)(Citation: Microsoft Azure Storage Security, 2019)(Citation: Google Cloud Storage Best Practices, 2019) There have been numerous incidents where cloud storage has been improperly secured, typically by unintentionally allowing public access to unauthenticated users, overly-broad access by all users, or even access for any anonymous person outside the control of the Identity Access Management system without even needing basic user permissions.\\n\\nThis open access may expose various types of sensitive data, such as credit cards, personally identifiable information, or medical records.(Citation: Trend Micro S3 Exposed PII, 2017)(Citation: Wired Magecart S3 Buckets, 2019)(Citation: HIPAA Journal S3 Breach, 2017)(Citation: Rclone-mega-extortion_05_2021)\\n\\nAdversaries may also obtain then abuse leaked credentials from source repositories, logs, or other means as a way to gain access to cloud storage objects.\", \"old_value\": \"Adversaries may access data from improperly secured cloud storage.\\n\\nMany cloud service providers offer solutions for online data object storage such as Amazon S3, Azure Storage, and Google Cloud Storage. These solutions differ from other storage solutions (such as SQL or Elasticsearch) in that there is no overarching application. Data from these solutions can be retrieved directly using the cloud provider's APIs. \\n\\nIn other cases, SaaS application providers such as Slack, Confluence, and Salesforce also provide cloud storage solutions as a peripheral use case of their platform. These cloud objects can be extracted directly from their associated application.(Citation: EA Hacked via Slack - June 2021)(Citation: SecureWorld - How Secure Is Your Slack Channel - Dec 2021)(Citation: HackerNews - 3 SaaS App Cyber Attacks - April 2022)(Citation: Dark Clouds_Usenix_Mulazzani_08_2011)\\n\\nAdversaries may collect sensitive data from these cloud storage solutions. Providers typically offer security guides to help end users configure systems, though misconfigurations are a common problem.(Citation: Amazon S3 Security, 2019)(Citation: Microsoft Azure Storage Security, 2019)(Citation: Google Cloud Storage Best Practices, 2019) There have been numerous incidents where cloud storage has been improperly secured, typically by unintentionally allowing public access to unauthenticated users, overly-broad access by all users, or even access for any anonymous person outside the control of the Identity Access Management system without even needing basic user permissions.\\n\\nThis open access may expose various types of sensitive data, such as credit cards, personally identifiable information, or medical records.(Citation: Trend Micro S3 Exposed PII, 2017)(Citation: Wired Magecart S3 Buckets, 2019)(Citation: HIPAA Journal S3 Breach, 2017)(Citation: Rclone-mega-extortion_05_2021)\\n\\nAdversaries may also obtain then abuse leaked credentials from source repositories, logs, or other means as a way to gain access to cloud storage objects.\", \"diff\": \"--- \\n+++ \\n@@ -1,8 +1,8 @@\\n-Adversaries may access data from improperly secured cloud storage.\\n+Adversaries may access data from cloud storage.\\n \\n-Many cloud service providers offer solutions for online data object storage such as Amazon S3, Azure Storage, and Google Cloud Storage. These solutions differ from other storage solutions (such as SQL or Elasticsearch) in that there is no overarching application. Data from these solutions can be retrieved directly using the cloud provider's APIs. \\n+Many IaaS providers offer solutions for online data object storage such as Amazon S3, Azure Storage, and Google Cloud Storage. Similarly, SaaS enterprise platforms such as Office 365 and Google Workspace provide cloud-based document storage to users through services such as OneDrive and Google Drive, while SaaS application providers such as Slack, Confluence, Salesforce, and Dropbox may provide cloud storage solutions as a peripheral or primary use case of their platform. \\n \\n-In other cases, SaaS application providers such as Slack, Confluence, and Salesforce also provide cloud storage solutions as a peripheral use case of their platform. These cloud objects can be extracted directly from their associated application.(Citation: EA Hacked via Slack - June 2021)(Citation: SecureWorld - How Secure Is Your Slack Channel - Dec 2021)(Citation: HackerNews - 3 SaaS App Cyber Attacks - April 2022)(Citation: Dark Clouds_Usenix_Mulazzani_08_2011)\\n+In some cases, as with IaaS-based cloud storage, there exists no overarching application (such as SQL or Elasticsearch) with which to interact with the stored objects: instead, data from these solutions is retrieved directly though the [Cloud API](https://attack.mitre.org/techniques/T1059/009). In SaaS applications, adversaries may be able to collect this data directly from APIs or backend cloud storage objects, rather than through their front-end application or interface (i.e., [Data from Information Repositories](https://attack.mitre.org/techniques/T1213)). \\n \\n Adversaries may collect sensitive data from these cloud storage solutions. Providers typically offer security guides to help end users configure systems, though misconfigurations are a common problem.(Citation: Amazon S3 Security, 2019)(Citation: Microsoft Azure Storage Security, 2019)(Citation: Google Cloud Storage Best Practices, 2019) There have been numerous incidents where cloud storage has been improperly secured, typically by unintentionally allowing public access to unauthenticated users, overly-broad access by all users, or even access for any anonymous person outside the control of the Identity Access Management system without even needing basic user permissions.\\n \"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.1\", \"old_value\": \"2.0\"}}, \"iterable_item_added\": {\"root['x_mitre_platforms'][2]\": \"Google Workspace\", \"root['x_mitre_platforms'][3]\": \"Office 365\"}, \"iterable_item_removed\": {\"root['external_references'][1]\": {\"source_name\": \"SecureWorld - How Secure Is Your Slack Channel - Dec 2021\", \"description\": \" Drew Todd. (2021, December 28). How Secure Is Your Slack Channel?. Retrieved May 31, 2022.\", \"url\": \"https://www.secureworld.io/industry-news/how-secure-is-your-slack-channel#:~:text=Electronic%20Arts%20hacked%20through%20Slack%20channel&text=In%20total%2C%20the%20hackers%20claim,credentials%20over%20a%20Slack%20channel.\"}, \"root['external_references'][4]\": {\"source_name\": \"EA Hacked via Slack - June 2021\", \"description\": \"Anthony Spadafora. (2021, June 11). EA hack reportedly used stolen cookies and Slack to target gaming giant. Retrieved May 31, 2022.\", \"url\": \"https://www.techradar.com/news/ea-hack-reportedly-used-stolen-cookies-and-slack-to-hack-gaming-giant\"}, \"root['external_references'][7]\": {\"source_name\": \"HackerNews - 3 SaaS App Cyber Attacks - April 2022\", \"description\": \"Hananel Livneh. (2022, April 7). Into the Breach: Breaking Down 3 SaaS App Cyber Attacks in 2022. Retrieved May 31, 2022.\", \"url\": \"https://thehackernews.com/2022/04/into-breach-breaking-down-3-saas-app.html\"}, \"root['external_references'][10]\": {\"source_name\": \"Dark Clouds_Usenix_Mulazzani_08_2011\", \"description\": \"Martin Mulazzani, Sebastian Schrittwieser, Manuel Leithner, Markus Huber, and Edgar Weippl. (2011, August). Dark Clouds on the Horizon: Using Cloud Storage as Attack Vector and Online Slack Space. Retrieved July 14, 2022.\", \"url\": \"https://www.usenix.org/conference/usenix-security-11/dark-clouds-horizon-using-cloud-storage-attack-vector-and-online-slack\"}}}", + "previous_version": "2.0", + "version_change": "2.0 \u2192 2.1", + "description_change_table": "\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n

    		Old Description
    		New Description
    t1Adversaries may access data from improperly secured cloud stt1Adversaries may access data from cloud storage.  Many IaaS p
    >orage.  Many cloud service providers offer solutions for onl>roviders offer solutions for online data object storage such
    >ine data object storage such as Amazon S3, Azure Storage, an> as Amazon S3, Azure Storage, and Google Cloud Storage. Simi
    >d Google Cloud Storage. These solutions differ from other st>larly, SaaS enterprise platforms such as Office 365 and Goog
    >orage solutions (such as SQL or Elasticsearch) in that there>le Workspace provide cloud-based document storage to users t
    > is no overarching application. Data from these solutions ca>hrough services such as OneDrive and Google Drive, while Saa
    >n be retrieved directly using the cloud provider's APIs.   I>S application providers such as Slack, Confluence, Salesforc
    >n other cases, SaaS application providers such as Slack, Con>e, and Dropbox may provide cloud storage solutions as a peri
    >fluence, and Salesforce also provide cloud storage solutions>pheral or primary use case of their platform.   In some case
    > as a peripheral use case of their platform. These cloud obj>s, as with IaaS-based cloud storage, there exists no overarc
    >ects can be extracted directly from their associated applica>hing application (such as SQL or Elasticsearch) with which t
    >tion.(Citation: EA Hacked via Slack - June 2021)(Citation: S>o interact with the stored objects: instead, data from these
    >ecureWorld - How Secure Is Your Slack Channel - Dec 2021)(Ci> solutions is retrieved directly though the [Cloud API](http
    >tation: HackerNews - 3 SaaS App Cyber Attacks - April 2022)(>s://attack.mitre.org/techniques/T1059/009). In SaaS applicat
    >Citation: Dark Clouds_Usenix_Mulazzani_08_2011)  Adversaries>ions, adversaries may be able to collect this data directly 
    > may collect sensitive data from these cloud storage solutio>from APIs or backend cloud storage objects, rather than thro
    >ns. Providers typically offer security guides to help end us>ugh their front-end application or interface (i.e., [Data fr
    >ers configure systems, though misconfigurations are a common>om Information Repositories](https://attack.mitre.org/techni
    > problem.(Citation: Amazon S3 Security, 2019)(Citation: Micr>ques/T1213)).   Adversaries may collect sensitive data from 
    >osoft Azure Storage Security, 2019)(Citation: Google Cloud S>these cloud storage solutions. Providers typically offer sec
    >torage Best Practices, 2019) There have been numerous incide>urity guides to help end users configure systems, though mis
    >nts where cloud storage has been improperly secured, typical>configurations are a common problem.(Citation: Amazon S3 Sec
    >ly by unintentionally allowing public access to unauthentica>urity, 2019)(Citation: Microsoft Azure Storage Security, 201
    >ted users, overly-broad access by all users, or even access >9)(Citation: Google Cloud Storage Best Practices, 2019) Ther
    >for any anonymous person outside the control of the Identity>e have been numerous incidents where cloud storage has been 
    > Access Management system without even needing basic user pe>improperly secured, typically by unintentionally allowing pu
    >rmissions.  This open access may expose various types of sen>blic access to unauthenticated users, overly-broad access by
    >sitive data, such as credit cards, personally identifiable i> all users, or even access for any anonymous person outside 
    >nformation, or medical records.(Citation: Trend Micro S3 Exp>the control of the Identity Access Management system without
    >osed PII, 2017)(Citation: Wired Magecart S3 Buckets, 2019)(C> even needing basic user permissions.  This open access may 
    >itation: HIPAA Journal S3 Breach, 2017)(Citation: Rclone-meg>expose various types of sensitive data, such as credit cards
    >a-extortion_05_2021)  Adversaries may also obtain then abuse>, personally identifiable information, or medical records.(C
    > leaked credentials from source repositories, logs, or other>itation: Trend Micro S3 Exposed PII, 2017)(Citation: Wired M
    > means as a way to gain access to cloud storage objects.>agecart S3 Buckets, 2019)(Citation: HIPAA Journal S3 Breach,
     > 2017)(Citation: Rclone-mega-extortion_05_2021)  Adversaries
     > may also obtain then abuse leaked credentials from source r
     >epositories, logs, or other means as a way to gain access to
     > cloud storage objects.
    ", + "changelog_mitigations": { + "shared": [ + "M1018: User Account Management", + "M1022: Restrict File and Directory Permissions", + "M1032: Multi-factor Authentication", + "M1037: Filter Network Traffic", + "M1041: Encrypt Sensitive Information", + "M1047: Audit" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0010: Cloud Storage (Cloud Storage Access)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--ae676644-d2d2-41b7-af7e-9bed1b55898c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:30:41.022000+00:00", + "modified": "2023-08-11 21:06:07.690000+00:00", + "name": "Data from Network Shared Drive", + "description": "Adversaries may search network shares on computers they have compromised to find files of interest. Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to Exfiltration. Interactive command shells may be in use, and common functionality within [cmd](https://attack.mitre.org/software/S0106) may be used to gather information.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "collection" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1039", + "external_id": "T1039" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "David Tayouri" + ], + "x_mitre_data_sources": [ + "Network Share: Network Share Access", + "Command: Command Execution", + "Network Traffic: Network Connection Creation", + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Traffic Flow", + "File: File Access" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor processes and command-line arguments for actions that could be taken to collect files from a network share. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "x_mitre_system_requirements": [ + "Privileges to access network shared drive" + ], + "x_mitre_version": "1.4", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-11 21:06:07.690000+00:00\", \"old_value\": \"2023-03-30 21:01:35.611000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.4\", \"old_value\": \"1.3\"}}, \"iterable_item_added\": {\"root['x_mitre_data_sources'][4]\": \"Network Traffic: Network Traffic Flow\"}}", + "previous_version": "1.3", + "version_change": "1.3 \u2192 1.4", + "changelog_mitigations": { + "shared": [], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0017: Command (Command Execution)", + "DS0022: File (File Access)", + "DS0029: Network Traffic (Network Connection Creation)", + "DS0029: Network Traffic (Network Traffic Content)", + "DS0033: Network Share (Network Share Access)" + ], + "new": [ + "DS0029: Network Traffic (Network Traffic Flow)" + ], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-12-14 16:46:06.044000+00:00", + "modified": "2023-08-14 19:28:18.334000+00:00", + "name": "Deobfuscate/Decode Files or Information", + "description": "Adversaries may use [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.\n\nOne such example is the use of [certutil](https://attack.mitre.org/software/S0160) to decode a remote access tool portable executable file that has been hidden inside a certificate file.(Citation: Malwarebytes Targeted Attack against Saudi Arabia) Another example is using the Windows copy /b command to reassemble binary fragments into a malicious payload.(Citation: Carbon Black Obfuscation Sept 2016)\n\nSometimes a user's action may be required to open it for deobfuscation or decryption as part of [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1140", + "external_id": "T1140" + }, + { + "source_name": "Volexity PowerDuke November 2016", + "description": "Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.", + "url": "https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/" + }, + { + "source_name": "Malwarebytes Targeted Attack against Saudi Arabia", + "description": "Malwarebytes Labs. (2017, March 27). New targeted attack against Saudi Arabia Government. Retrieved July 3, 2017.", + "url": "https://blog.malwarebytes.com/cybercrime/social-engineering-cybercrime/2017/03/new-targeted-attack-saudi-arabia-government/" + }, + { + "source_name": "Carbon Black Obfuscation Sept 2016", + "description": "Tedesco, B. (2016, September 23). Security Alert Summary. Retrieved February 12, 2018.", + "url": "https://www.carbonblack.com/2016/09/23/security-advisory-variants-well-known-adware-families-discovered-include-sophisticated-obfuscation-techniques-previously-associated-nation-state-attacks/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Matthew Demaske, Adaptforward", + "Red Canary" + ], + "x_mitre_data_sources": [ + "Process: Process Creation", + "Script: Script Execution", + "File: File Modification" + ], + "x_mitre_defense_bypassed": [ + "Anti-virus", + "Host Intrusion Prevention Systems", + "Signature-based Detection", + "Network Intrusion Detection System" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Detecting the action of deobfuscating or decoding files or information may be difficult depending on the implementation. If the functionality is contained within malware and uses the Windows API, then attempting to detect malicious behavior before or after the action may yield better results than attempting to perform analysis on loaded libraries or API calls. If scripts are used, then collecting the scripts for analysis may be necessary. Perform process and command-line monitoring to detect potentially malicious behavior related to scripts and system utilities such as [certutil](https://attack.mitre.org/software/S0160).\n\nMonitor the execution file paths and command-line arguments for common archive file applications and extensions, such as those for Zip and RAR archive tools, and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "Linux", + "macOS" + ], + "x_mitre_version": "1.3", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-14 19:28:18.334000+00:00\", \"old_value\": \"2023-04-21 12:21:06.026000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.3\", \"old_value\": \"1.2\"}}}", + "previous_version": "1.2", + "version_change": "1.2 \u2192 1.3", + "changelog_mitigations": { + "shared": [], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0012: Script (Script Execution)", + "DS0022: File (File Modification)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--0c8ab3eb-df48-4b9c-ace7-beacaac81cc5", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:30:20.934000+00:00", + "modified": "2023-10-01 14:19:18.804000+00:00", + "name": "Direct Volume Access", + "description": "Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools. (Citation: Hakobyan 2009)\n\nUtilities, such as `NinjaCopy`, exist to perform these actions in PowerShell.(Citation: Github PowerSploit Ninjacopy) Adversaries may also use built-in or third-party utilities (such as `vssadmin`, `wbadmin`, and [esentutl](https://attack.mitre.org/software/S0404)) to create shadow copies or backups of data from system volumes.(Citation: LOLBAS Esentutl)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1006", + "external_id": "T1006" + }, + { + "source_name": "Github PowerSploit Ninjacopy", + "description": "Bialek, J. (2015, December 16). Invoke-NinjaCopy.ps1. Retrieved June 2, 2016.", + "url": "https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-NinjaCopy.ps1" + }, + { + "source_name": "Hakobyan 2009", + "description": "Hakobyan, A. (2009, January 8). FDump - Dumping File Sectors Directly from Disk using Logical Offsets. Retrieved November 12, 2014.", + "url": "http://www.codeproject.com/Articles/32169/FDump-Dumping-File-Sectors-Directly-from-Disk-usin" + }, + { + "source_name": "LOLBAS Esentutl", + "description": "LOLBAS. (n.d.). Esentutl.exe. Retrieved September 3, 2019.", + "url": "https://lolbas-project.github.io/lolbas/Binaries/Esentutl/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Tom Simpson, CrowdStrike Falcon OverWatch" + ], + "x_mitre_data_sources": [ + "File: File Creation", + "Drive: Drive Access", + "Command: Command Execution" + ], + "x_mitre_defense_bypassed": [ + "File monitoring", + "File system access controls" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor handle opens on drive volumes that are made by processes to determine when they may directly access logical drives. (Citation: Github PowerSploit Ninjacopy)\n\nMonitor processes and command-line arguments for actions that could be taken to copy files from the logical drive and evade common file system protections. Since this technique may also be used through [PowerShell](https://attack.mitre.org/techniques/T1059/001), additional logging of PowerShell scripts is recommended.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "2.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_attack_spec_version']\": \"3.2.0\", \"root['x_mitre_contributors']\": [\"Tom Simpson, CrowdStrike Falcon OverWatch\"], \"root['x_mitre_deprecated']\": false}, \"dictionary_item_removed\": {\"root['x_mitre_permissions_required']\": [\"Administrator\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-01 14:19:18.804000+00:00\", \"old_value\": \"2021-02-09 14:09:00.753000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools. (Citation: Hakobyan 2009)\\n\\nUtilities, such as `NinjaCopy`, exist to perform these actions in PowerShell.(Citation: Github PowerSploit Ninjacopy) Adversaries may also use built-in or third-party utilities (such as `vssadmin`, `wbadmin`, and [esentutl](https://attack.mitre.org/software/S0404)) to create shadow copies or backups of data from system volumes.(Citation: LOLBAS Esentutl)\", \"old_value\": \"Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique bypasses Windows file access controls as well as file system monitoring tools. (Citation: Hakobyan 2009)\\n\\nUtilities, such as NinjaCopy, exist to perform these actions in PowerShell. (Citation: Github PowerSploit Ninjacopy)\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,3 @@\\n-Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique bypasses Windows file access controls as well as file system monitoring tools. (Citation: Hakobyan 2009)\\n+Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools. (Citation: Hakobyan 2009)\\n \\n-Utilities, such as NinjaCopy, exist to perform these actions in PowerShell. (Citation: Github PowerSploit Ninjacopy)\\n+Utilities, such as `NinjaCopy`, exist to perform these actions in PowerShell.(Citation: Github PowerSploit Ninjacopy) Adversaries may also use built-in or third-party utilities (such as `vssadmin`, `wbadmin`, and [esentutl](https://attack.mitre.org/software/S0404)) to create shadow copies or backups of data from system volumes.(Citation: LOLBAS Esentutl)\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.1\", \"old_value\": \"2.0\"}}, \"iterable_item_added\": {\"root['external_references'][3]\": {\"source_name\": \"LOLBAS Esentutl\", \"description\": \"LOLBAS. (n.d.). Esentutl.exe. Retrieved September 3, 2019.\", \"url\": \"https://lolbas-project.github.io/lolbas/Binaries/Esentutl/\"}, \"root['x_mitre_data_sources'][0]\": \"File: File Creation\"}}", + "previous_version": "2.0", + "version_change": "2.0 \u2192 2.1", + "description_change_table": "\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n

    		Old Description
    		New Description
    t1Adversaries may directly access a volume to bypass file accet1Adversaries may directly access a volume to bypass file acce
    >ss controls and file system monitoring. Windows allows progr>ss controls and file system monitoring. Windows allows progr
    >ams to have direct access to logical volumes. Programs with >ams to have direct access to logical volumes. Programs with 
    >direct access may read and write files directly from the dri>direct access may read and write files directly from the dri
    >ve by analyzing file system data structures. This technique >ve by analyzing file system data structures. This technique 
    >bypasses Windows file access controls as well as file system>may bypass Windows file access controls as well as file syst
    > monitoring tools. (Citation: Hakobyan 2009)  Utilities, suc>em monitoring tools. (Citation: Hakobyan 2009)  Utilities, s
    >h as NinjaCopy, exist to perform these actions in PowerShell>uch as `NinjaCopy`, exist to perform these actions in PowerS
    >. (Citation: Github PowerSploit Ninjacopy)>hell.(Citation: Github PowerSploit Ninjacopy) Adversaries ma
     >y also use built-in or third-party utilities (such as `vssad
     >min`, `wbadmin`, and [esentutl](https://attack.mitre.org/sof
     >tware/S0404)) to create shadow copies or backups of data fro
     >m system volumes.(Citation: LOLBAS Esentutl)
    ", + "changelog_mitigations": { + "shared": [], + "new": [ + "M1018: User Account Management", + "M1040: Behavior Prevention on Endpoint" + ], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0016: Drive (Drive Access)", + "DS0017: Command (Command Execution)" + ], + "new": [ + "DS0022: File (File Creation)" + ], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--1608f3e1-598a-42f4-a01a-2e252e81728f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:31:25.454000+00:00", + "modified": "2023-09-29 21:06:03.098000+00:00", + "name": "Email Collection", + "description": "Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "collection" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1114", + "external_id": "T1114" + }, + { + "source_name": "Microsoft Tim McMichael Exchange Mail Forwarding 2", + "description": "McMichael, T.. (2015, June 8). Exchange and Office 365 Mail Forwarding. Retrieved October 8, 2019.", + "url": "https://blogs.technet.microsoft.com/timmcmic/2015/06/08/exchange-and-office-365-mail-forwarding-2/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Swetha Prabakaran, Microsoft Threat Intelligence Center (MSTIC)" + ], + "x_mitre_data_sources": [ + "Logon Session: Logon Session Creation", + "Application Log: Application Log Content", + "Network Traffic: Network Connection Creation", + "File: File Access", + "Command: Command Execution" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "There are likely a variety of ways an adversary could collect email from a target, each with a different mechanism for detection.\n\nFile access of local system email files for Exfiltration, unusual processes connecting to an email server within a network, or unusual access patterns or authentication attempts on a public-facing webmail server may all be indicators of malicious activity.\n\nMonitor processes and command-line arguments for actions that could be taken to gather local email files. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\n\nDetection is challenging because all messages forwarded because of an auto-forwarding rule have the same presentation as a manually forwarded message. It is also possible for the user to not be aware of the addition of such an auto-forwarding rule and not suspect that their account has been compromised; email-forwarding rules alone will not affect the normal usage patterns or operations of the email account.\n\nAuto-forwarded messages generally contain specific detectable artifacts that may be present in the header; such artifacts would be platform-specific. Examples include X-MS-Exchange-Organization-AutoForwarded set to true, X-MailFwdBy and X-Forwarded-To. The forwardingSMTPAddress parameter used in a forwarding process that is managed by administrators and not by user actions. All messages for the mailbox are forwarded to the specified SMTP address. However, unlike typical client-side rules, the message does not appear as forwarded in the mailbox; it appears as if it were sent directly to the specified destination mailbox.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2) High volumes of emails that bear the X-MS-Exchange-Organization-AutoForwarded header (indicating auto-forwarding) without a corresponding number of emails that match the appearance of a forwarded message may indicate that further investigation is needed at the administrator level rather than user-level.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "Office 365", + "Google Workspace", + "macOS", + "Linux" + ], + "x_mitre_version": "2.5", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-29 21:06:03.098000+00:00\", \"old_value\": \"2023-04-12 20:46:04.871000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.5\", \"old_value\": \"2.4\"}}}", + "previous_version": "2.4", + "version_change": "2.4 \u2192 2.5", + "changelog_mitigations": { + "shared": [ + "M1032: Multi-factor Authentication", + "M1041: Encrypt Sensitive Information", + "M1047: Audit" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0015: Application Log (Application Log Content)", + "DS0017: Command (Command Execution)", + "DS0022: File (File Access)", + "DS0028: Logon Session (Logon Session Creation)", + "DS0029: Network Traffic (Network Connection Creation)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--b4694861-542c-48ea-9eb1-10d356e7140a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-02-19 18:52:24.547000+00:00", + "modified": "2023-05-31 12:34:03.420000+00:00", + "name": "Remote Email Collection", + "description": "Adversaries may target an Exchange server, Office 365, or Google Workspace to collect sensitive information. Adversaries may leverage a user's credentials and interact directly with the Exchange server to acquire information from within a network. Adversaries may also access externally facing Exchange services, Office 365, or Google Workspace to access email using credentials or access tokens. Tools such as [MailSniper](https://attack.mitre.org/software/S0413) can be used to automate searches for specific keywords.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "collection" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1114/002", + "external_id": "T1114.002" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_data_sources": [ + "Application Log: Application Log Content", + "Logon Session: Logon Session Creation", + "Command: Command Execution", + "Network Traffic: Network Connection Creation" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor for unusual login activity from unknown or abnormal locations, especially for privileged accounts (ex: Exchange administrator account).", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Office 365", + "Windows", + "Google Workspace" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_attack_spec_version']\": \"3.1.0\", \"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-05-31 12:34:03.420000+00:00\", \"old_value\": \"2021-03-25 13:12:56.909000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}, \"iterable_item_added\": {\"root['x_mitre_data_sources'][0]\": \"Application Log: Application Log Content\"}}", + "previous_version": "1.1", + "version_change": "1.1 \u2192 1.2", + "changelog_mitigations": { + "shared": [ + "M1032: Multi-factor Authentication", + "M1041: Encrypt Sensitive Information" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0017: Command (Command Execution)", + "DS0028: Logon Session (Logon Session Creation)", + "DS0029: Network Traffic (Network Connection Creation)" + ], + "new": [ + "DS0015: Application Log (Application Log Content)" + ], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--ce4b7013-640e-48a9-b501-d0025a95f4bf", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-01-24 13:51:01.210000+00:00", + "modified": "2023-07-28 18:17:34.185000+00:00", + "name": "Screensaver", + "description": "Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.(Citation: Wikipedia Screensaver) The Windows screensaver application scrnsave.scr is located in C:\\Windows\\System32\\, and C:\\Windows\\sysWOW64\\ on 64-bit Windows systems, along with screensavers included with base Windows installations.\n\nThe following screensaver settings are stored in the Registry (HKCU\\Control Panel\\Desktop\\) and could be manipulated to achieve persistence:\n\n* SCRNSAVE.exe - set to malicious PE path\n* ScreenSaveActive - set to '1' to enable the screensaver\n* ScreenSaverIsSecure - set to '0' to not require a password to unlock\n* ScreenSaveTimeout - sets user inactivity timeout before screensaver is executed\n\nAdversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity.(Citation: ESET Gazer Aug 2017)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1546/002", + "external_id": "T1546.002" + }, + { + "source_name": "ESET Gazer Aug 2017", + "description": "ESET. (2017, August). Gazing at Gazer: Turla\u2019s new second stage backdoor. Retrieved September 14, 2017.", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf" + }, + { + "source_name": "Wikipedia Screensaver", + "description": "Wikipedia. (2017, November 22). Screensaver. Retrieved December 5, 2017.", + "url": "https://en.wikipedia.org/wiki/Screensaver" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Bartosz Jerzman" + ], + "x_mitre_data_sources": [ + "File: File Modification", + "File: File Creation", + "Command: Command Execution", + "Process: Process Creation", + "Windows Registry: Windows Registry Key Modification" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor process execution and command-line parameters of .scr files. Monitor changes to screensaver configuration changes in the Registry that may not correlate with typical user behavior.\n\nTools such as Sysinternals Autoruns can be used to detect changes to the screensaver binary path in the Registry. Suspicious paths and PE files may indicate outliers among legitimate screensavers in a network and should be investigated.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_permissions_required": [ + "User" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-07-28 18:17:34.185000+00:00\", \"old_value\": \"2023-04-21 12:31:54.177000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}}", + "previous_version": "1.1", + "version_change": "1.1 \u2192 1.2", + "changelog_mitigations": { + "shared": [ + "M1038: Execution Prevention", + "M1042: Disable or Remove Feature or Program" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0017: Command (Command Execution)", + "DS0022: File (File Creation)", + "DS0022: File (File Modification)", + "DS0024: Windows Registry (Windows Registry Key Modification)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--51ea26b1-ff1e-4faa-b1a0-1114cd298c87", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:30:25.159000+00:00", + "modified": "2023-09-11 16:06:10.376000+00:00", + "name": "Exfiltration Over Other Network Medium", + "description": "Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. If the command and control network is a wired Internet connection, the exfiltration may occur, for example, over a WiFi connection, modem, cellular data connection, Bluetooth, or another radio frequency (RF) channel.\n\nAdversaries may choose to do this if they have sufficient access or proximity, and the connection might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "exfiltration" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1011", + "external_id": "T1011" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Itzik Kotler, SafeBreach" + ], + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Flow", + "Network Traffic: Network Connection Creation", + "Network Traffic: Network Traffic Content", + "File: File Access", + "Command: Command Execution" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor for processes utilizing the network that do not normally have network communication or have never been seen before. Processes that normally require user-driven events to access the network (for example, a web browser opening with a mouse click or key press) but access the network without such may be malicious.\n\nMonitor for and investigate changes to host adapter settings, such as addition and/or replication of communication interfaces.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_attack_spec_version']\": \"3.1.0\", \"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-11 16:06:10.376000+00:00\", \"old_value\": \"2022-03-08 21:02:16.115000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}}", + "previous_version": "1.1", + "version_change": "1.1 \u2192 1.2", + "changelog_mitigations": { + "shared": [ + "M1028: Operating System Configuration" + ], + "new": [ + "M1042: Disable or Remove Feature or Program" + ], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0017: Command (Command Execution)", + "DS0022: File (File Access)", + "DS0029: Network Traffic (Network Connection Creation)", + "DS0029: Network Traffic (Network Traffic Content)", + "DS0029: Network Traffic (Network Traffic Flow)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--40597f16-0963-4249-bf4c-ac93b7fb9807", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-03-09 12:51:45.570000+00:00", + "modified": "2023-09-05 15:00:36.471000+00:00", + "name": "Exfiltration Over Web Service", + "description": "Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.\n\nWeb service providers also commonly use SSL/TLS encryption, giving adversaries an added level of protection.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "exfiltration" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1567", + "external_id": "T1567" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "William Cain" + ], + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Connection Creation", + "Command: Command Execution", + "Network Traffic: Network Traffic Flow", + "File: File Access", + "Application Log: Application Log Content" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. User behavior monitoring may help to detect abnormal patterns of activity.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows", + "Office 365", + "SaaS", + "Google Workspace" + ], + "x_mitre_version": "1.3", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-05 15:00:36.471000+00:00\", \"old_value\": \"2022-10-19 21:28:34.699000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.3\", \"old_value\": \"1.2\"}}, \"iterable_item_added\": {\"root['x_mitre_data_sources'][5]\": \"Application Log: Application Log Content\", \"root['x_mitre_platforms'][3]\": \"Office 365\", \"root['x_mitre_platforms'][4]\": \"SaaS\", \"root['x_mitre_platforms'][5]\": \"Google Workspace\"}}", + "previous_version": "1.2", + "version_change": "1.2 \u2192 1.3", + "changelog_mitigations": { + "shared": [ + "M1021: Restrict Web-Based Content", + "M1057: Data Loss Prevention" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0017: Command (Command Execution)", + "DS0022: File (File Access)", + "DS0029: Network Traffic (Network Connection Creation)", + "DS0029: Network Traffic (Network Traffic Content)", + "DS0029: Network Traffic (Network Traffic Flow)" + ], + "new": [ + "DS0015: Application Log (Application Log Content)" + ], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--bf1b6176-597c-4600-bfcd-ac989670f96b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-03-09 15:04:32.767000+00:00", + "modified": "2023-09-15 19:11:47.547000+00:00", + "name": "Exfiltration to Cloud Storage", + "description": "Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services allow for the storage, edit, and retrieval of data from a remote cloud storage server over the Internet.\n\nExamples of cloud storage services include Dropbox and Google Docs. Exfiltration to these cloud storage services can provide a significant amount of cover to the adversary if hosts within the network are already communicating with the service. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "exfiltration" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1567/002", + "external_id": "T1567.002" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Connection Creation", + "Network Traffic: Network Traffic Flow", + "File: File Access", + "Command: Command Execution" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server) to known cloud storage services. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. User behavior monitoring may help to detect abnormal patterns of activity.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-15 19:11:47.547000+00:00\", \"old_value\": \"2022-08-30 12:49:02.969000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}}", + "previous_version": "1.1", + "version_change": "1.1 \u2192 1.2", + "changelog_mitigations": { + "shared": [ + "M1021: Restrict Web-Based Content" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0017: Command (Command Execution)", + "DS0022: File (File Access)", + "DS0029: Network Traffic (Network Connection Creation)", + "DS0029: Network Traffic (Network Traffic Content)", + "DS0029: Network Traffic (Network Traffic Flow)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--86a96bf6-cf8b-411c-aaeb-8959944d64f7", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-03-09 14:51:11.772000+00:00", + "modified": "2023-09-15 19:08:16.882000+00:00", + "name": "Exfiltration to Code Repository", + "description": "Adversaries may exfiltrate data to a code repository rather than over their primary command and control channel. Code repositories are often accessible via an API (ex: https://api.github.com). Access to these APIs are often over HTTPS, which gives the adversary an additional level of protection.\n\nExfiltration to a code repository can also provide a significant amount of cover to the adversary if it is a popular service already used by hosts within the network. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "exfiltration" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1567/001", + "external_id": "T1567.001" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_data_sources": [ + "Command: Command Execution", + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Traffic Flow", + "File: File Access" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server) to code repositories. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. User behavior monitoring may help to detect abnormal patterns of activity.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_attack_spec_version']\": \"3.1.0\", \"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-15 19:08:16.882000+00:00\", \"old_value\": \"2020-03-28 00:58:55.433000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}}", + "previous_version": "1.0", + "version_change": "1.0 \u2192 1.1", + "changelog_mitigations": { + "shared": [ + "M1021: Restrict Web-Based Content" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0017: Command (Command Execution)", + "DS0022: File (File Access)", + "DS0029: Network Traffic (Network Traffic Content)", + "DS0029: Network Traffic (Network Traffic Flow)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-04-18 17:59:24.739000+00:00", + "modified": "2023-10-15 11:45:21.555000+00:00", + "name": "Exploitation for Credential Access", + "description": "Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code.\u00a0\n\nCredentialing and authentication mechanisms may be targeted for exploitation by adversaries as a means to gain access to useful credentials or circumvent the process to gain authenticated access to systems. One example of this is `MS14-068`, which targets Kerberos and can be used to forge Kerberos tickets using domain user permissions.(Citation: Technet MS14-068)(Citation: ADSecurity Detecting Forged Tickets) Another example of this is replay attacks, in which the adversary intercepts data packets sent between parties and then later replays these packets. If services don't properly validate authentication requests, these replayed packets may allow an adversary to impersonate one of the parties and gain unauthorized access or privileges.(Citation: Bugcrowd Replay Attack)(Citation: Comparitech Replay Attack)(Citation: Microsoft Midnight Blizzard Replay Attack)\n\nSuch exploitation has been demonstrated in cloud environments as well. For example, adversaries have exploited vulnerabilities in public cloud infrastructure that allowed for unintended authentication token creation and renewal.(Citation: Storm-0558 techniques for unauthorized email access)\n\nExploitation for credential access may also result in Privilege Escalation depending on the process targeted or credentials obtained.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "credential-access" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1212", + "external_id": "T1212" + }, + { + "source_name": "Bugcrowd Replay Attack", + "description": "Bugcrowd. (n.d.). Replay Attack. Retrieved September 27, 2023.", + "url": "https://www.bugcrowd.com/glossary/replay-attack/" + }, + { + "source_name": "Comparitech Replay Attack", + "description": "Justin Schamotta. (2022, October 28). What is a replay attack?. Retrieved September 27, 2023.", + "url": "https://www.comparitech.com/blog/information-security/what-is-a-replay-attack/" + }, + { + "source_name": "ADSecurity Detecting Forged Tickets", + "description": "Metcalf, S. (2015, May 03). Detecting Forged Kerberos Ticket (Golden Ticket & Silver Ticket) Use in Active Directory. Retrieved December 23, 2015.", + "url": "https://adsecurity.org/?p=1515" + }, + { + "source_name": "Storm-0558 techniques for unauthorized email access", + "description": "Microsoft Threat Intelligence. (2023, July 14). Analysis of Storm-0558 techniques for unauthorized email access. Retrieved September 18, 2023.", + "url": "https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/" + }, + { + "source_name": "Microsoft Midnight Blizzard Replay Attack", + "description": "Microsoft Threat Intelligence. (2023, June 21). Credential Attacks. Retrieved September 27, 2023.", + "url": "https://twitter.com/MsftSecIntel/status/1671579359994343425" + }, + { + "source_name": "Technet MS14-068", + "description": "Microsoft. (2014, November 18). Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780). Retrieved December 23, 2015.", + "url": "https://technet.microsoft.com/en-us/library/security/ms14-068.aspx" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "John Lambert, Microsoft Threat Intelligence Center", + "Mohit Rathore" + ], + "x_mitre_data_sources": [ + "User Account: User Account Authentication", + "Process: Process Creation", + "Application Log: Application Log Content" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Also look for behavior on the system that might indicate successful compromise, such as abnormal behavior of processes. Credential resources obtained through exploitation may be detectable in use if they are not normally used or seen.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "Windows", + "macOS", + "Azure AD" + ], + "x_mitre_version": "1.5", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-15 11:45:21.555000+00:00\", \"old_value\": \"2022-04-28 16:06:49.447000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code.\\u00a0\\n\\nCredentialing and authentication mechanisms may be targeted for exploitation by adversaries as a means to gain access to useful credentials or circumvent the process to gain authenticated access to systems. One example of this is `MS14-068`, which targets Kerberos and can be used to forge Kerberos tickets using domain user permissions.(Citation: Technet MS14-068)(Citation: ADSecurity Detecting Forged Tickets) Another example of this is replay attacks, in which the adversary intercepts data packets sent between parties and then later replays these packets. If services don't properly validate authentication requests, these replayed packets may allow an adversary to impersonate one of the parties and gain unauthorized access or privileges.(Citation: Bugcrowd Replay Attack)(Citation: Comparitech Replay Attack)(Citation: Microsoft Midnight Blizzard Replay Attack)\\n\\nSuch exploitation has been demonstrated in cloud environments as well. For example, adversaries have exploited vulnerabilities in public cloud infrastructure that allowed for unintended authentication token creation and renewal.(Citation: Storm-0558 techniques for unauthorized email access)\\n\\nExploitation for credential access may also result in Privilege Escalation depending on the process targeted or credentials obtained.\", \"old_value\": \"Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code.\\u00a0Credentialing and authentication mechanisms may be targeted for exploitation by adversaries as a means to gain access to useful credentials or circumvent the process to gain access to systems. One example of this is MS14-068, which targets Kerberos and can be used to forge Kerberos tickets using domain user permissions.(Citation: Technet MS14-068)(Citation: ADSecurity Detecting Forged Tickets) Exploitation for credential access may also result in Privilege Escalation depending on the process targeted or credentials obtained.\", \"diff\": \"--- \\n+++ \\n@@ -1 +1,7 @@\\n-Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code.\\u00a0Credentialing and authentication mechanisms may be targeted for exploitation by adversaries as a means to gain access to useful credentials or circumvent the process to gain access to systems. One example of this is MS14-068, which targets Kerberos and can be used to forge Kerberos tickets using domain user permissions.(Citation: Technet MS14-068)(Citation: ADSecurity Detecting Forged Tickets) Exploitation for credential access may also result in Privilege Escalation depending on the process targeted or credentials obtained.\\n+Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code.\\u00a0\\n+\\n+Credentialing and authentication mechanisms may be targeted for exploitation by adversaries as a means to gain access to useful credentials or circumvent the process to gain authenticated access to systems. One example of this is `MS14-068`, which targets Kerberos and can be used to forge Kerberos tickets using domain user permissions.(Citation: Technet MS14-068)(Citation: ADSecurity Detecting Forged Tickets) Another example of this is replay attacks, in which the adversary intercepts data packets sent between parties and then later replays these packets. If services don't properly validate authentication requests, these replayed packets may allow an adversary to impersonate one of the parties and gain unauthorized access or privileges.(Citation: Bugcrowd Replay Attack)(Citation: Comparitech Replay Attack)(Citation: Microsoft Midnight Blizzard Replay Attack)\\n+\\n+Such exploitation has been demonstrated in cloud environments as well. For example, adversaries have exploited vulnerabilities in public cloud infrastructure that allowed for unintended authentication token creation and renewal.(Citation: Storm-0558 techniques for unauthorized email access)\\n+\\n+Exploitation for credential access may also result in Privilege Escalation depending on the process targeted or credentials obtained.\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.5\", \"old_value\": \"1.4\"}}, \"iterable_item_added\": {\"root['external_references'][1]\": {\"source_name\": \"Bugcrowd Replay Attack\", \"description\": \"Bugcrowd. (n.d.). Replay Attack. Retrieved September 27, 2023.\", \"url\": \"https://www.bugcrowd.com/glossary/replay-attack/\"}, \"root['external_references'][2]\": {\"source_name\": \"Comparitech Replay Attack\", \"description\": \"Justin Schamotta. (2022, October 28). What is a replay attack?. Retrieved September 27, 2023.\", \"url\": \"https://www.comparitech.com/blog/information-security/what-is-a-replay-attack/\"}, \"root['external_references'][4]\": {\"source_name\": \"Storm-0558 techniques for unauthorized email access\", \"description\": \"Microsoft Threat Intelligence. (2023, July 14). Analysis of Storm-0558 techniques for unauthorized email access. Retrieved September 18, 2023.\", \"url\": \"https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/\"}, \"root['external_references'][5]\": {\"source_name\": \"Microsoft Midnight Blizzard Replay Attack\", \"description\": \"Microsoft Threat Intelligence. (2023, June 21). Credential Attacks. Retrieved September 27, 2023.\", \"url\": \"https://twitter.com/MsftSecIntel/status/1671579359994343425\"}, \"root['x_mitre_contributors'][1]\": \"Mohit Rathore\", \"root['x_mitre_platforms'][3]\": \"Azure AD\"}}", + "previous_version": "1.4", + "version_change": "1.4 \u2192 1.5", + "description_change_table": "\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n

    		Old Description
    		New Description
    t1Adversaries may exploit software vulnerabilities in an attemt1Adversaries may exploit software vulnerabilities in an attem
    >pt to collect credentials. Exploitation of a software vulner>pt to collect credentials. Exploitation of a software vulner
    >ability occurs when an adversary takes advantage of a progra>ability occurs when an adversary takes advantage of a progra
    >mming error in a program, service, or within the operating s>mming error in a program, service, or within the operating s
    >ystem software or kernel itself to execute adversary-control>ystem software or kernel itself to execute adversary-control
    >led code.\u00a0Credentialing and authentication mechanisms may be>led code.\u00a0  Credentialing and authentication mechanisms may 
    > targeted for exploitation by adversaries as a means to gain>be targeted for exploitation by adversaries as a means to ga
    > access to useful credentials or circumvent the process to g>in access to useful credentials or circumvent the process to
    >ain access to systems. One example of this is MS14-068, whic> gain authenticated access to systems. One example of this i
    >h targets Kerberos and can be used to forge Kerberos tickets>s `MS14-068`, which targets Kerberos and can be used to forg
    > using domain user permissions.(Citation: Technet MS14-068)(>e Kerberos tickets using domain user permissions.(Citation: 
    >Citation: ADSecurity Detecting Forged Tickets) Exploitation >Technet MS14-068)(Citation: ADSecurity Detecting Forged Tick
    >for credential access may also result in Privilege Escalatio>ets) Another example of this is replay attacks, in which the
    >n depending on the process targeted or credentials obtained.> adversary intercepts data packets sent between parties and 
     >then later replays these packets. If services don't properly
     > validate authentication requests, these replayed packets ma
     >y allow an adversary to impersonate one of the parties and g
     >ain unauthorized access or privileges.(Citation: Bugcrowd Re
     >play Attack)(Citation: Comparitech Replay Attack)(Citation: 
     >Microsoft Midnight Blizzard Replay Attack)  Such exploitatio
     >n has been demonstrated in cloud environments as well. For e
     >xample, adversaries have exploited vulnerabilities in public
     > cloud infrastructure that allowed for unintended authentica
     >tion token creation and renewal.(Citation: Storm-0558 techni
     >ques for unauthorized email access)  Exploitation for creden
     >tial access may also result in Privilege Escalation dependin
     >g on the process targeted or credentials obtained.
    ", + "changelog_mitigations": { + "shared": [ + "M1019: Threat Intelligence Program", + "M1048: Application Isolation and Sandboxing", + "M1050: Exploit Protection", + "M1051: Update Software" + ], + "new": [ + "M1013: Application Developer Guidance" + ], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0002: User Account (User Account Authentication)", + "DS0009: Process (Process Creation)", + "DS0015: Application Log (Application Log Content)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--fe926152-f431-4baf-956c-4ad3cb0bf23b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-04-18 17:59:24.739000+00:00", + "modified": "2023-10-15 11:41:47.274000+00:00", + "name": "Exploitation for Defense Evasion", + "description": "Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code.\u00a0Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them.\n\nAdversaries may have prior knowledge through reconnaissance that security software exists within an environment or they may perform checks during or shortly after the system is compromised for [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001). The security software will likely be targeted directly for exploitation. There are examples of antivirus software being targeted by persistent threat groups to avoid detection.\n\nThere have also been examples of vulnerabilities in public cloud infrastructure of SaaS applications that may bypass defense boundaries (Citation: Salesforce zero-day in facebook phishing attack), evade security logs (Citation: Bypassing CloudTrail in AWS Service Catalog), or deploy hidden infrastructure.(Citation: GhostToken GCP flaw)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1211", + "external_id": "T1211" + }, + { + "source_name": "Salesforce zero-day in facebook phishing attack", + "description": "Bill Toulas. (2023, August 2). Hackers exploited Salesforce zero-day in Facebook phishing attack. Retrieved September 18, 2023.", + "url": "https://www.bleepingcomputer.com/news/security/hackers-exploited-salesforce-zero-day-in-facebook-phishing-attack/" + }, + { + "source_name": "Bypassing CloudTrail in AWS Service Catalog", + "description": "Nick Frichette. (2023, March 20). Bypassing CloudTrail in AWS Service Catalog, and Other Logging Research. Retrieved September 18, 2023.", + "url": "https://securitylabs.datadoghq.com/articles/bypass-cloudtrail-aws-service-catalog-and-other/" + }, + { + "source_name": "GhostToken GCP flaw", + "description": "Sergiu Gatlan. (2023, April 21). GhostToken GCP flaw let attackers backdoor Google accounts. Retrieved September 18, 2023.", + "url": "https://www.bleepingcomputer.com/news/security/ghosttoken-gcp-flaw-let-attackers-backdoor-google-accounts/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "John Lambert, Microsoft Threat Intelligence Center" + ], + "x_mitre_data_sources": [ + "Application Log: Application Log Content", + "Process: Process Creation" + ], + "x_mitre_defense_bypassed": [ + "Anti-virus", + "System access controls" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Exploitation for defense evasion may happen shortly after the system has been compromised to prevent detection during later actions for for additional tools that may be brought in and used. Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Also look for behavior on the system that might indicate successful compromise, such as abnormal behavior of processes. This could include suspicious files written to disk, evidence of [Process Injection](https://attack.mitre.org/techniques/T1055) for attempts to hide execution or evidence of Discovery.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "Windows", + "macOS", + "SaaS", + "IaaS" + ], + "x_mitre_version": "1.4", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-15 11:41:47.274000+00:00\", \"old_value\": \"2022-04-28 16:10:16.632000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code.\\u00a0Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them.\\n\\nAdversaries may have prior knowledge through reconnaissance that security software exists within an environment or they may perform checks during or shortly after the system is compromised for [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001). The security software will likely be targeted directly for exploitation. There are examples of antivirus software being targeted by persistent threat groups to avoid detection.\\n\\nThere have also been examples of vulnerabilities in public cloud infrastructure of SaaS applications that may bypass defense boundaries (Citation: Salesforce zero-day in facebook phishing attack), evade security logs (Citation: Bypassing CloudTrail in AWS Service Catalog), or deploy hidden infrastructure.(Citation: GhostToken GCP flaw)\", \"old_value\": \"Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code.\\u00a0Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them.\\n\\nAdversaries may have prior knowledge through reconnaissance that security software exists within an environment or they may perform checks during or shortly after the system is compromised for [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001). The security software will likely be targeted directly for exploitation. There are examples of antivirus software being targeted by persistent threat groups to avoid detection.\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,5 @@\\n-Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code.\\u00a0Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them.\\n+Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code.\\u00a0Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them.\\n \\n Adversaries may have prior knowledge through reconnaissance that security software exists within an environment or they may perform checks during or shortly after the system is compromised for [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001). The security software will likely be targeted directly for exploitation. There are examples of antivirus software being targeted by persistent threat groups to avoid detection.\\n+\\n+There have also been examples of vulnerabilities in public cloud infrastructure of SaaS applications that may bypass defense boundaries (Citation: Salesforce zero-day in facebook phishing attack), evade security logs (Citation: Bypassing CloudTrail in AWS Service Catalog), or deploy hidden infrastructure.(Citation: GhostToken GCP flaw)\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.4\", \"old_value\": \"1.3\"}}, \"iterable_item_added\": {\"root['external_references'][1]\": {\"source_name\": \"Salesforce zero-day in facebook phishing attack\", \"description\": \"Bill Toulas. (2023, August 2). Hackers exploited Salesforce zero-day in Facebook phishing attack. Retrieved September 18, 2023.\", \"url\": \"https://www.bleepingcomputer.com/news/security/hackers-exploited-salesforce-zero-day-in-facebook-phishing-attack/\"}, \"root['external_references'][2]\": {\"source_name\": \"Bypassing CloudTrail in AWS Service Catalog\", \"description\": \"Nick Frichette. (2023, March 20). Bypassing CloudTrail in AWS Service Catalog, and Other Logging Research. Retrieved September 18, 2023.\", \"url\": \"https://securitylabs.datadoghq.com/articles/bypass-cloudtrail-aws-service-catalog-and-other/\"}, \"root['external_references'][3]\": {\"source_name\": \"GhostToken GCP flaw\", \"description\": \"Sergiu Gatlan. (2023, April 21). GhostToken GCP flaw let attackers backdoor Google accounts. Retrieved September 18, 2023.\", \"url\": \"https://www.bleepingcomputer.com/news/security/ghosttoken-gcp-flaw-let-attackers-backdoor-google-accounts/\"}, \"root['x_mitre_platforms'][3]\": \"SaaS\", \"root['x_mitre_platforms'][4]\": \"IaaS\"}}", + "previous_version": "1.3", + "version_change": "1.3 \u2192 1.4", + "description_change_table": "\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n

    		Old Description
    		New Description
    t1Adversaries may exploit a system or application vulnerabilitt1Adversaries may exploit a system or application vulnerabilit
    >y to bypass security features. Exploitation of a software vu>y to bypass security features. Exploitation of a vulnerabili
    >lnerability occurs when an adversary takes advantage of a pr>ty occurs when an adversary takes advantage of a programming
    >ogramming error in a program, service, or within the operati> error in a program, service, or within the operating system
    >ng system software or kernel itself to execute adversary-con> software or kernel itself to execute adversary-controlled c
    >trolled code.\u00a0Vulnerabilities may exist in defensive securit>ode.\u00a0Vulnerabilities may exist in defensive security softwar
    >y software that can be used to disable or circumvent them.  >e that can be used to disable or circumvent them.  Adversari
    >Adversaries may have prior knowledge through reconnaissance >es may have prior knowledge through reconnaissance that secu
    >that security software exists within an environment or they >rity software exists within an environment or they may perfo
    >may perform checks during or shortly after the system is com>rm checks during or shortly after the system is compromised 
    >promised for [Security Software Discovery](https://attack.mi>for [Security Software Discovery](https://attack.mitre.org/t
    >tre.org/techniques/T1518/001). The security software will li>echniques/T1518/001). The security software will likely be t
    >kely be targeted directly for exploitation. There are exampl>argeted directly for exploitation. There are examples of ant
    >es of antivirus software being targeted by persistent threat>ivirus software being targeted by persistent threat groups t
    > groups to avoid detection.>o avoid detection.  There have also been examples of vulnera
     >bilities in public cloud infrastructure of SaaS applications
     > that may bypass defense boundaries (Citation: Salesforce ze
     >ro-day in facebook phishing attack), evade security logs (Ci
     >tation: Bypassing CloudTrail in AWS Service Catalog), or dep
     >loy hidden infrastructure.(Citation: GhostToken GCP flaw)
    ", + "changelog_mitigations": { + "shared": [ + "M1019: Threat Intelligence Program", + "M1048: Application Isolation and Sandboxing", + "M1050: Exploit Protection", + "M1051: Update Software" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0015: Application Log (Application Log Content)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--09b130a2-a77e-4af0-a361-f46f9aad1345", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-02-04 19:24:27.774000+00:00", + "modified": "2023-08-14 17:54:22.970000+00:00", + "name": "Linux and Mac File and Directory Permissions Modification", + "description": "Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).\n\nMost Linux and Linux-based platforms provide a standard set of permission groups (user, group, and other) and a standard set of permissions (read, write, and execute) that are applied to each group. While nuances of each platform\u2019s permissions implementation may vary, most of the platforms provide two primary commands used to manipulate file and directory ACLs: chown (short for change owner), and chmod (short for change mode).\n\nAdversarial may use these commands to make themselves the owner of files and directories or change the mode if current permissions allow it. They could subsequently lock others out of the file. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Unix Shell Configuration Modification](https://attack.mitre.org/techniques/T1546/004) or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574).(Citation: 20 macOS Common Tools and Techniques) ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1222/002", + "external_id": "T1222.002" + }, + { + "source_name": "Hybrid Analysis Icacls1 June 2018", + "description": "Hybrid Analysis. (2018, June 12). c9b65b764985dfd7a11d3faf599c56b8.exe. Retrieved August 19, 2018.", + "url": "https://www.hybrid-analysis.com/sample/ef0d2628823e8e0a0de3b08b8eacaf41cf284c086a948bdfd67f4e4373c14e4d?environmentId=100" + }, + { + "source_name": "Hybrid Analysis Icacls2 May 2018", + "description": "Hybrid Analysis. (2018, May 30). 2a8efbfadd798f6111340f7c1c956bee.dll. Retrieved August 19, 2018.", + "url": "https://www.hybrid-analysis.com/sample/22dab012c3e20e3d9291bce14a2bfc448036d3b966c6e78167f4626f5f9e38d6?environmentId=110" + }, + { + "source_name": "20 macOS Common Tools and Techniques", + "description": "Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.", + "url": "https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_data_sources": [ + "Process: Process Creation", + "File: File Metadata", + "Command: Command Execution" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor and investigate attempts to modify ACLs and file/directory ownership. Many of the commands used to modify ACLs and file/directory ownership are built-in system utilities and may generate a high false positive alert rate, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible. Commonly abused command arguments include chmod +x, chmod -R 755, and chmod 777.(Citation: 20 macOS Common Tools and Techniques) \n\nConsider enabling file/directory permission change auditing on folders containing key binary/configuration files.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "macOS", + "Linux" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_attack_spec_version']\": \"3.1.0\", \"root['x_mitre_deprecated']\": false}, \"dictionary_item_removed\": {\"root['x_mitre_permissions_required']\": [\"User\", \"root\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-14 17:54:22.970000+00:00\", \"old_value\": \"2021-09-13 21:08:09.985000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}}", + "previous_version": "1.1", + "version_change": "1.1 \u2192 1.2", + "changelog_mitigations": { + "shared": [ + "M1022: Restrict File and Directory Permissions", + "M1026: Privileged Account Management" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0017: Command (Command Execution)", + "DS0022: File (File Metadata)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--b77cf5f3-6060-475d-bd60-40ccbf28fdc2", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-01-16 16:13:52.465000+00:00", + "modified": "2023-08-14 19:30:45.123000+00:00", + "name": "Forced Authentication", + "description": "Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.\n\nThe Server Message Block (SMB) protocol is commonly used in Windows networks for authentication and communication between systems for access to resources and file sharing. When a Windows system attempts to connect to an SMB resource it will automatically attempt to authenticate and send credential information for the current user to the remote system. (Citation: Wikipedia Server Message Block) This behavior is typical in enterprise environments so that users do not need to enter credentials to access network resources.\n\nWeb Distributed Authoring and Versioning (WebDAV) is also typically used by Windows systems as a backup protocol when SMB is blocked or fails. WebDAV is an extension of HTTP and will typically operate over TCP ports 80 and 443. (Citation: Didier Stevens WebDAV Traffic) (Citation: Microsoft Managing WebDAV Security)\n\nAdversaries may take advantage of this behavior to gain access to user account hashes through forced SMB/WebDAV authentication. An adversary can send an attachment to a user through spearphishing that contains a resource link to an external server controlled by the adversary (i.e. [Template Injection](https://attack.mitre.org/techniques/T1221)), or place a specially crafted file on navigation path for privileged accounts (e.g. .SCF file placed on desktop) or on a publicly accessible share to be accessed by victim(s). When the user's system accesses the untrusted resource it will attempt authentication and send information, including the user's hashed credentials, over SMB to the adversary controlled server. (Citation: GitHub Hashjacking) With access to the credential hash, an adversary can perform off-line [Brute Force](https://attack.mitre.org/techniques/T1110) cracking to gain access to plaintext credentials. (Citation: Cylance Redirect to SMB)\n\nThere are several different ways this can occur. (Citation: Osanda Stealing NetNTLM Hashes) Some specifics from in-the-wild use include:\n\n* A spearphishing attachment containing a document with a resource that is automatically loaded when the document is opened (i.e. [Template Injection](https://attack.mitre.org/techniques/T1221)). The document can include, for example, a request similar to file[:]//[remote address]/Normal.dotm to trigger the SMB request. (Citation: US-CERT APT Energy Oct 2017)\n* A modified .LNK or .SCF file with the icon filename pointing to an external reference such as \\\\[remote address]\\pic.png that will force the system to load the resource when the icon is rendered to repeatedly gather credentials. (Citation: US-CERT APT Energy Oct 2017)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "credential-access" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1187", + "external_id": "T1187" + }, + { + "source_name": "Cylance Redirect to SMB", + "description": "Cylance. (2015, April 13). Redirect to SMB. Retrieved December 21, 2017.", + "url": "https://www.cylance.com/content/dam/cylance/pdfs/white_papers/RedirectToSMB.pdf" + }, + { + "source_name": "GitHub Hashjacking", + "description": "Dunning, J. (2016, August 1). Hashjacking. Retrieved December 21, 2017.", + "url": "https://github.com/hob0/hashjacking" + }, + { + "source_name": "Microsoft Managing WebDAV Security", + "description": "Microsoft. (n.d.). Managing WebDAV Security (IIS 6.0). Retrieved December 21, 2017.", + "url": "https://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/4beddb35-0cba-424c-8b9b-a5832ad8e208.mspx" + }, + { + "source_name": "Osanda Stealing NetNTLM Hashes", + "description": "Osanda Malith Jayathissa. (2017, March 24). Places of Interest in Stealing NetNTLM Hashes. Retrieved January 26, 2018.", + "url": "https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/" + }, + { + "source_name": "Didier Stevens WebDAV Traffic", + "description": "Stevens, D. (2017, November 13). WebDAV Traffic To Malicious Sites. Retrieved December 21, 2017.", + "url": "https://blog.didierstevens.com/2017/11/13/webdav-traffic-to-malicious-sites/" + }, + { + "source_name": "US-CERT APT Energy Oct 2017", + "description": "US-CERT. (2017, October 20). Alert (TA17-293A): Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved November 2, 2017.", + "url": "https://www.us-cert.gov/ncas/alerts/TA17-293A" + }, + { + "source_name": "Wikipedia Server Message Block", + "description": "Wikipedia. (2017, December 16). Server Message Block. Retrieved December 21, 2017.", + "url": "https://en.wikipedia.org/wiki/Server_Message_Block" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Teodor Cimpoesu", + "Sudhanshu Chauhan, @Sudhanshu_C" + ], + "x_mitre_data_sources": [ + "File: File Access", + "Network Traffic: Network Traffic Flow", + "File: File Modification", + "File: File Creation", + "Network Traffic: Network Traffic Content" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor for SMB traffic on TCP ports 139, 445 and UDP port 137 and WebDAV traffic attempting to exit the network to unknown external systems. If attempts are detected, then investigate endpoint data sources to find the root cause. For internal traffic, monitor the workstation-to-workstation unusual (vs. baseline) SMB traffic. For many networks there should not be any, but it depends on how systems on the network are configured and where resources are located.\n\nMonitor creation and modification of .LNK, .SCF, or any other files on systems and within virtual environments that contain resources that point to external network resources as these could be used to gather credentials when the files are rendered. (Citation: US-CERT APT Energy Oct 2017)", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.3", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_attack_spec_version']\": \"3.1.0\", \"root['x_mitre_deprecated']\": false}, \"dictionary_item_removed\": {\"root['x_mitre_permissions_required']\": [\"User\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-14 19:30:45.123000+00:00\", \"old_value\": \"2020-06-19 17:16:41.470000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.3\", \"old_value\": \"1.2\"}}}", + "previous_version": "1.2", + "version_change": "1.2 \u2192 1.3", + "changelog_mitigations": { + "shared": [ + "M1027: Password Policies", + "M1037: Filter Network Traffic" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0022: File (File Access)", + "DS0022: File (File Creation)", + "DS0022: File (File Modification)", + "DS0029: Network Traffic (Network Traffic Content)", + "DS0029: Network Traffic (Network Traffic Flow)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--94cb00a4-b295-4d06-aa2b-5653b9c1be9c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-12-17 02:13:46.247000+00:00", + "modified": "2023-10-15 11:10:03.428000+00:00", + "name": "Forge Web Credentials", + "description": "Adversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies, tokens, or other materials to authenticate and authorize user access.\n\nAdversaries may generate these credential materials in order to gain access to web resources. This differs from [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539), [Steal Application Access Token](https://attack.mitre.org/techniques/T1528), and other similar behaviors in that the credentials are new and forged by the adversary, rather than stolen or intercepted from legitimate users.\n\nThe generation of web credentials often requires secret values, such as passwords, [Private Keys](https://attack.mitre.org/techniques/T1552/004), or other cryptographic seed values.(Citation: GitHub AWS-ADFS-Credential-Generator) Adversaries may also forge tokens by taking advantage of features such as the `AssumeRole` and `GetFederationToken` APIs in AWS, which allow users to request temporary security credentials (i.e., [Temporary Elevated Cloud Access](https://attack.mitre.org/techniques/T1548/005)), or the `zmprov gdpak` command in Zimbra, which generates a pre-authentication key that can be used to generate tokens for any user in the domain.(Citation: AWS Temporary Security Credentials)(Citation: Zimbra Preauth)\n\nOnce forged, adversaries may use these web credentials to access resources (ex: [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550)), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Pass The Cookie)(Citation: Unit 42 Mac Crypto Cookies January 2019)(Citation: Microsoft SolarWinds Customer Guidance) ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "credential-access" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1606", + "external_id": "T1606" + }, + { + "source_name": "AWS Temporary Security Credentials", + "description": "AWS. (n.d.). Requesting temporary security credentials. Retrieved April 1, 2022.", + "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html" + }, + { + "source_name": "Unit 42 Mac Crypto Cookies January 2019", + "description": "Chen, Y., Hu, W., Xu, Z., et. al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges\u2019 Cookies. Retrieved October 14, 2019.", + "url": "https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/" + }, + { + "source_name": "GitHub AWS-ADFS-Credential-Generator", + "description": "Damian Hickey. (2017, January 28). AWS-ADFS-Credential-Generator. Retrieved December 16, 2020.", + "url": "https://github.com/damianh/aws-adfs-credential-generator" + }, + { + "source_name": "Microsoft SolarWinds Customer Guidance", + "description": "MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 17, 2020.", + "url": "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/" + }, + { + "source_name": "Pass The Cookie", + "description": "Rehberger, J. (2018, December). Pivot to the Cloud using Pass the Cookie. Retrieved April 5, 2019.", + "url": "https://wunderwuzzi23.github.io/blog/passthecookie.html" + }, + { + "source_name": "Zimbra Preauth", + "description": "Zimbra. (2023, March 16). Preauth. Retrieved May 31, 2023.", + "url": "https://wiki.zimbra.com/wiki/Preauth" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Dylan Silva, AWS Security" + ], + "x_mitre_data_sources": [ + "Web Credential: Web Credential Usage", + "Web Credential: Web Credential Creation", + "Logon Session: Logon Session Creation" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor for anomalous authentication activity, such as logons or other user session activity associated with unknown accounts. Monitor for unexpected and abnormal access to resources, including access of websites and cloud-based applications by the same user in different locations or by different systems that do not match expected configurations.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "SaaS", + "Windows", + "macOS", + "Linux", + "Azure AD", + "Office 365", + "Google Workspace", + "IaaS" + ], + "x_mitre_version": "1.4", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-15 11:10:03.428000+00:00\", \"old_value\": \"2023-05-04 18:05:16.877000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies, tokens, or other materials to authenticate and authorize user access.\\n\\nAdversaries may generate these credential materials in order to gain access to web resources. This differs from [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539), [Steal Application Access Token](https://attack.mitre.org/techniques/T1528), and other similar behaviors in that the credentials are new and forged by the adversary, rather than stolen or intercepted from legitimate users.\\n\\nThe generation of web credentials often requires secret values, such as passwords, [Private Keys](https://attack.mitre.org/techniques/T1552/004), or other cryptographic seed values.(Citation: GitHub AWS-ADFS-Credential-Generator) Adversaries may also forge tokens by taking advantage of features such as the `AssumeRole` and `GetFederationToken` APIs in AWS, which allow users to request temporary security credentials (i.e., [Temporary Elevated Cloud Access](https://attack.mitre.org/techniques/T1548/005)), or the `zmprov gdpak` command in Zimbra, which generates a pre-authentication key that can be used to generate tokens for any user in the domain.(Citation: AWS Temporary Security Credentials)(Citation: Zimbra Preauth)\\n\\nOnce forged, adversaries may use these web credentials to access resources (ex: [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550)), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Pass The Cookie)(Citation: Unit 42 Mac Crypto Cookies January 2019)(Citation: Microsoft SolarWinds Customer Guidance) \", \"old_value\": \"Adversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies, tokens, or other materials to authenticate and authorize user access.\\n\\nAdversaries may generate these credential materials in order to gain access to web resources. This differs from [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539), [Steal Application Access Token](https://attack.mitre.org/techniques/T1528), and other similar behaviors in that the credentials are new and forged by the adversary, rather than stolen or intercepted from legitimate users. The generation of web credentials often requires secret values, such as passwords, [Private Keys](https://attack.mitre.org/techniques/T1552/004), or other cryptographic seed values.(Citation: GitHub AWS-ADFS-Credential-Generator) Adversaries may also forge tokens by taking advantage of features such as the `AssumeRole` and `GetFederationToken` APIs in AWS, which allow users to request temporary security credentials.(Citation: AWS Temporary Security Credentials)\\n\\nOnce forged, adversaries may use these web credentials to access resources (ex: [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550)), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Pass The Cookie)(Citation: Unit 42 Mac Crypto Cookies January 2019)(Citation: Microsoft SolarWinds Customer Guidance) \", \"diff\": \"--- \\n+++ \\n@@ -1,5 +1,7 @@\\n Adversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies, tokens, or other materials to authenticate and authorize user access.\\n \\n-Adversaries may generate these credential materials in order to gain access to web resources. This differs from [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539), [Steal Application Access Token](https://attack.mitre.org/techniques/T1528), and other similar behaviors in that the credentials are new and forged by the adversary, rather than stolen or intercepted from legitimate users. The generation of web credentials often requires secret values, such as passwords, [Private Keys](https://attack.mitre.org/techniques/T1552/004), or other cryptographic seed values.(Citation: GitHub AWS-ADFS-Credential-Generator) Adversaries may also forge tokens by taking advantage of features such as the `AssumeRole` and `GetFederationToken` APIs in AWS, which allow users to request temporary security credentials.(Citation: AWS Temporary Security Credentials)\\n+Adversaries may generate these credential materials in order to gain access to web resources. This differs from [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539), [Steal Application Access Token](https://attack.mitre.org/techniques/T1528), and other similar behaviors in that the credentials are new and forged by the adversary, rather than stolen or intercepted from legitimate users.\\n+\\n+The generation of web credentials often requires secret values, such as passwords, [Private Keys](https://attack.mitre.org/techniques/T1552/004), or other cryptographic seed values.(Citation: GitHub AWS-ADFS-Credential-Generator) Adversaries may also forge tokens by taking advantage of features such as the `AssumeRole` and `GetFederationToken` APIs in AWS, which allow users to request temporary security credentials (i.e., [Temporary Elevated Cloud Access](https://attack.mitre.org/techniques/T1548/005)), or the `zmprov gdpak` command in Zimbra, which generates a pre-authentication key that can be used to generate tokens for any user in the domain.(Citation: AWS Temporary Security Credentials)(Citation: Zimbra Preauth)\\n \\n Once forged, adversaries may use these web credentials to access resources (ex: [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550)), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Pass The Cookie)(Citation: Unit 42 Mac Crypto Cookies January 2019)(Citation: Microsoft SolarWinds Customer Guidance) \"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.4\", \"old_value\": \"1.3\"}}, \"iterable_item_added\": {\"root['external_references'][6]\": {\"source_name\": \"Zimbra Preauth\", \"description\": \"Zimbra. (2023, March 16). Preauth. Retrieved May 31, 2023.\", \"url\": \"https://wiki.zimbra.com/wiki/Preauth\"}}}", + "previous_version": "1.3", + "version_change": "1.3 \u2192 1.4", + "description_change_table": "\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n

    		Old Description
    		New Description
    t1Adversaries may forge credential materials that can be used t1Adversaries may forge credential materials that can be used 
    >to gain access to web applications or Internet services. Web>to gain access to web applications or Internet services. Web
    > applications and services (hosted in cloud SaaS environment> applications and services (hosted in cloud SaaS environment
    >s or on-premise servers) often use session cookies, tokens, >s or on-premise servers) often use session cookies, tokens, 
    >or other materials to authenticate and authorize user access>or other materials to authenticate and authorize user access
    >.  Adversaries may generate these credential materials in or>.  Adversaries may generate these credential materials in or
    >der to gain access to web resources. This differs from [Stea>der to gain access to web resources. This differs from [Stea
    >l Web Session Cookie](https://attack.mitre.org/techniques/T1>l Web Session Cookie](https://attack.mitre.org/techniques/T1
    >539), [Steal Application Access Token](https://attack.mitre.>539), [Steal Application Access Token](https://attack.mitre.
    >org/techniques/T1528), and other similar behaviors in that t>org/techniques/T1528), and other similar behaviors in that t
    >he credentials are new and forged by the adversary, rather t>he credentials are new and forged by the adversary, rather t
    >han stolen or intercepted from legitimate users. The generat>han stolen or intercepted from legitimate users.  The genera
    >ion of web credentials often requires secret values, such as>tion of web credentials often requires secret values, such a
    > passwords, [Private Keys](https://attack.mitre.org/techniqu>s passwords, [Private Keys](https://attack.mitre.org/techniq
    >es/T1552/004), or other cryptographic seed values.(Citation:>ues/T1552/004), or other cryptographic seed values.(Citation
    > GitHub AWS-ADFS-Credential-Generator) Adversaries may also >: GitHub AWS-ADFS-Credential-Generator) Adversaries may also
    >forge tokens by taking advantage of features such as the `As> forge tokens by taking advantage of features such as the `A
    >sumeRole` and `GetFederationToken` APIs in AWS, which allow >ssumeRole` and `GetFederationToken` APIs in AWS, which allow
    >users to request temporary security credentials.(Citation: A> users to request temporary security credentials (i.e., [Tem
    >WS Temporary Security Credentials)  Once forged, adversaries>porary Elevated Cloud Access](https://attack.mitre.org/techn
    > may use these web credentials to access resources (ex: [Use>iques/T1548/005)), or the `zmprov gdpak` command in Zimbra, 
    > Alternate Authentication Material](https://attack.mitre.org>which generates a pre-authentication key that can be used to
    >/techniques/T1550)), which may bypass multi-factor and other> generate tokens for any user in the domain.(Citation: AWS T
    > authentication protection mechanisms.(Citation: Pass The Co>emporary Security Credentials)(Citation: Zimbra Preauth)  On
    >okie)(Citation: Unit 42 Mac Crypto Cookies January 2019)(Cit>ce forged, adversaries may use these web credentials to acce
    >ation: Microsoft SolarWinds Customer Guidance)  >ss resources (ex: [Use Alternate Authentication Material](ht
     >tps://attack.mitre.org/techniques/T1550)), which may bypass 
     >multi-factor and other authentication protection mechanisms.
     >(Citation: Pass The Cookie)(Citation: Unit 42 Mac Crypto Coo
     >kies January 2019)(Citation: Microsoft SolarWinds Customer G
     >uidance)  
    ", + "changelog_mitigations": { + "shared": [ + "M1018: User Account Management", + "M1026: Privileged Account Management", + "M1047: Audit", + "M1054: Software Configuration" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0006: Web Credential (Web Credential Creation)", + "DS0006: Web Credential (Web Credential Usage)", + "DS0028: Logon Session (Logon Session Creation)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--0cf55441-b176-4332-89e7-2c4c7799d0ff", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-06-07 13:20:23.767000+00:00", + "modified": "2023-10-16 16:41:53.957000+00:00", + "name": "Email Hiding Rules", + "description": "Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the New-InboxRule or Set-InboxRule [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets on Windows systems.(Citation: Microsoft Inbox Rules)(Citation: MacOS Email Rules)(Citation: Microsoft New-InboxRule)(Citation: Microsoft Set-InboxRule)\n\nAdversaries may utilize email rules within a compromised user's mailbox to delete and/or move emails to less noticeable folders. Adversaries may do this to hide security alerts, C2 communication, or responses to [Internal Spearphishing](https://attack.mitre.org/techniques/T1534) emails sent from the compromised account.\n\nAny user or administrator within the organization (or adversary with valid credentials) may be able to create rules to automatically move or delete emails. These rules can be abused to impair/delay detection had the email content been immediately seen by a user or defender. Malicious rules commonly filter out emails based on key words (such as malware, suspicious, phish, and hack) found in message bodies and subject lines. (Citation: Microsoft Cloud App Security)\n\nIn some environments, administrators may be able to enable email rules that operate organization-wide rather than on individual inboxes. For example, Microsoft Exchange supports transport rules that evaluate all mail an organization receives against user-specified conditions, then performs a user-specified action on mail that adheres to those conditions.(Citation: Microsoft Mail Flow Rules 2023) Adversaries that abuse such features may be able to automatically modify or delete all emails related to specific topics (such as internal security incident notifications).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1564/008", + "external_id": "T1564.008" + }, + { + "source_name": "MacOS Email Rules", + "description": "Apple. (n.d.). Use rules to manage emails you receive in Mail on Mac. Retrieved June 14, 2021.", + "url": "https://support.apple.com/guide/mail/use-rules-to-manage-emails-you-receive-mlhlp1017/mac" + }, + { + "source_name": "Microsoft BEC Campaign", + "description": "Carr, N., Sellmer, S. (2021, June 14). Behind the scenes of business email compromise: Using cross-domain threat data to disrupt a large BEC campaign. Retrieved June 15, 2021.", + "url": "https://www.microsoft.com/security/blog/2021/06/14/behind-the-scenes-of-business-email-compromise-using-cross-domain-threat-data-to-disrupt-a-large-bec-infrastructure/" + }, + { + "source_name": "Microsoft Mail Flow Rules 2023", + "description": "Microsoft. (2023, February 22). Mail flow rules (transport rules) in Exchange Online. Retrieved March 13, 2023.", + "url": "https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules" + }, + { + "source_name": "Microsoft Inbox Rules", + "description": "Microsoft. (n.d.). Manage email messages by using rules. Retrieved June 11, 2021.", + "url": "https://support.microsoft.com/en-us/office/manage-email-messages-by-using-rules-c24f5dea-9465-4df4-ad17-a50704d66c59" + }, + { + "source_name": "Microsoft New-InboxRule", + "description": "Microsoft. (n.d.). New-InboxRule. Retrieved June 7, 2021.", + "url": "https://docs.microsoft.com/en-us/powershell/module/exchange/new-inboxrule?view=exchange-ps" + }, + { + "source_name": "Microsoft Set-InboxRule", + "description": "Microsoft. (n.d.). Set-InboxRule. Retrieved June 7, 2021.", + "url": "https://docs.microsoft.com/en-us/powershell/module/exchange/set-inboxrule?view=exchange-ps" + }, + { + "source_name": "Microsoft Cloud App Security", + "description": "Niv Goldenberg. (2018, December 12). Rule your inbox with Microsoft Cloud App Security. Retrieved June 7, 2021.", + "url": "https://techcommunity.microsoft.com/t5/security-compliance-and-identity/rule-your-inbox-with-microsoft-cloud-app-security/ba-p/299154" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Dor Edry, Microsoft", + "Liran Ravich, CardinalOps" + ], + "x_mitre_data_sources": [ + "Command: Command Execution", + "Application Log: Application Log Content", + "File: File Modification" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor email clients and applications for suspicious activity, such as missing messages or abnormal configuration and/or log entries.\n\nOn Windows systems, monitor for creation of suspicious inbox rules through the use of the New-InboxRule and Set-InboxRule PowerShell cmdlets.(Citation: Microsoft BEC Campaign) On MacOS systems, monitor for modifications to the RulesActiveState.plist, SyncedRules.plist, UnsyncedRules.plist, and MessageRules.plist files.(Citation: MacOS Email Rules)", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "Office 365", + "Linux", + "macOS", + "Google Workspace" + ], + "x_mitre_version": "1.3", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-16 16:41:53.957000+00:00\", \"old_value\": \"2023-04-12 20:42:20.079000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.3\", \"old_value\": \"1.2\"}}}", + "previous_version": "1.2", + "version_change": "1.2 \u2192 1.3", + "changelog_mitigations": { + "shared": [ + "M1047: Audit" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0015: Application Log (Application Log Content)", + "DS0017: Command (Command Execution)", + "DS0022: File (File Modification)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--0c2d00da-7742-49e7-9928-4514e5075d32", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-03-13 14:10:43.424000+00:00", + "modified": "2023-10-03 03:29:57.078000+00:00", + "name": "Path Interception by PATH Environment Variable", + "description": "Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. The PATH environment variable contains a list of directories (User and System) that the OS searches sequentially through in search of the binary that was called from a script or the command line. \n\nAdversaries can place a malicious program in an earlier entry in the list of directories stored in the PATH environment variable, resulting in the operating system executing the malicious binary rather than the legitimate binary when it searches sequentially through that PATH listing.\n\nFor example, on Windows if an adversary places a malicious program named \"net.exe\" in `C:\\example path`, which by default precedes `C:\\Windows\\system32\\net.exe` in the PATH environment variable, when \"net\" is executed from the command-line the `C:\\example path` will be called instead of the system's legitimate executable at `C:\\Windows\\system32\\net.exe`. Some methods of executing a program rely on the PATH environment variable to determine the locations that are searched when the path for the program is not given, such as executing programs from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059).(Citation: ExpressVPN PATH env Windows 2021)\n\nAdversaries may also directly modify the $PATH variable specifying the directories to be searched. An adversary can modify the `$PATH` variable to point to a directory they have write access. When a program using the $PATH variable is called, the OS searches the specified directory and executes the malicious binary. On macOS, this can also be performed through modifying the $HOME variable. These variables can be modified using the command-line, launchctl, [Unix Shell Configuration Modification](https://attack.mitre.org/techniques/T1546/004), or modifying the `/etc/paths.d` folder contents.(Citation: uptycs Fake POC linux malware 2023)(Citation: nixCraft macOS PATH variables)(Citation: Elastic Rules macOS launchctl 2022)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1574/007", + "external_id": "T1574.007" + }, + { + "source_name": "Elastic Rules macOS launchctl 2022", + "description": "Elastic Security 7.17. (2022, February 1). Modification of Environment Variable via Launchctl. Retrieved September 28, 2023.", + "url": "https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-4-modification-of-environment-variable-via-launchctl.html" + }, + { + "source_name": "ExpressVPN PATH env Windows 2021", + "description": "ExpressVPN Security Team. (2021, November 16). Cybersecurity lessons: A PATH vulnerability in Windows. Retrieved September 28, 2023.", + "url": "https://www.expressvpn.com/blog/cybersecurity-lessons-a-path-vulnerability-in-windows/" + }, + { + "source_name": "uptycs Fake POC linux malware 2023", + "description": "Nischay Hegde and Siddartha Malladi. (2023, July 12). PoC Exploit: Fake Proof of Concept with Backdoor Malware. Retrieved September 28, 2023.", + "url": "https://www.uptycs.com/blog/new-poc-exploit-backdoor-malware" + }, + { + "source_name": "nixCraft macOS PATH variables", + "description": "Vivek Gite. (2023, August 22). MacOS \u2013 Set / Change $PATH Variable Command. Retrieved September 28, 2023.", + "url": "https://www.cyberciti.biz/faq/appleosx-bash-unix-change-set-path-environment-variable/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Stefan Kanthak" + ], + "x_mitre_data_sources": [ + "File: File Creation", + "Windows Registry: Windows Registry Key Modification", + "Process: Process Creation" + ], + "x_mitre_defense_bypassed": [ + "Application Control" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as \"findstr,\" \"net,\" and \"python\"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.\n\nData and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "macOS", + "Linux" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-03 03:29:57.078000+00:00\", \"old_value\": \"2023-03-30 21:01:39.426000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. The PATH environment variable contains a list of directories (User and System) that the OS searches sequentially through in search of the binary that was called from a script or the command line. \\n\\nAdversaries can place a malicious program in an earlier entry in the list of directories stored in the PATH environment variable, resulting in the operating system executing the malicious binary rather than the legitimate binary when it searches sequentially through that PATH listing.\\n\\nFor example, on Windows if an adversary places a malicious program named \\\"net.exe\\\" in `C:\\\\example path`, which by default precedes `C:\\\\Windows\\\\system32\\\\net.exe` in the PATH environment variable, when \\\"net\\\" is executed from the command-line the `C:\\\\example path` will be called instead of the system's legitimate executable at `C:\\\\Windows\\\\system32\\\\net.exe`. Some methods of executing a program rely on the PATH environment variable to determine the locations that are searched when the path for the program is not given, such as executing programs from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059).(Citation: ExpressVPN PATH env Windows 2021)\\n\\nAdversaries may also directly modify the $PATH variable specifying the directories to be searched. An adversary can modify the `$PATH` variable to point to a directory they have write access. When a program using the $PATH variable is called, the OS searches the specified directory and executes the malicious binary. On macOS, this can also be performed through modifying the $HOME variable. These variables can be modified using the command-line, launchctl, [Unix Shell Configuration Modification](https://attack.mitre.org/techniques/T1546/004), or modifying the `/etc/paths.d` folder contents.(Citation: uptycs Fake POC linux malware 2023)(Citation: nixCraft macOS PATH variables)(Citation: Elastic Rules macOS launchctl 2022)\", \"old_value\": \"Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. Adversaries may place a program in an earlier entry in the list of directories stored in the PATH environment variable, which Windows will then execute when it searches sequentially through that PATH listing in search of the binary that was called from a script or the command line.\\n\\nThe PATH environment variable contains a list of directories. Certain methods of executing a program (namely using cmd.exe or the command-line) rely solely on the PATH environment variable to determine the locations that are searched for a program when the path for the program is not given. If any directories are listed in the PATH environment variable before the Windows directory, %SystemRoot%\\\\system32 (e.g., C:\\\\Windows\\\\system32), a program may be placed in the preceding directory that is named the same as a Windows program (such as cmd, PowerShell, or Python), which will be executed when that command is executed from a script or command-line.\\n\\nFor example, if C:\\\\example path precedes C:\\\\Windows\\\\system32 is in the PATH environment variable, a program that is named net.exe and placed in C:\\\\example path will be called instead of the Windows system \\\"net\\\" when \\\"net\\\" is executed from the command-line.\", \"diff\": \"--- \\n+++ \\n@@ -1,5 +1,7 @@\\n-Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. Adversaries may place a program in an earlier entry in the list of directories stored in the PATH environment variable, which Windows will then execute when it searches sequentially through that PATH listing in search of the binary that was called from a script or the command line.\\n+Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. The PATH environment variable contains a list of directories (User and System) that the OS searches sequentially through in search of the binary that was called from a script or the command line. \\n \\n-The PATH environment variable contains a list of directories. Certain methods of executing a program (namely using cmd.exe or the command-line) rely solely on the PATH environment variable to determine the locations that are searched for a program when the path for the program is not given. If any directories are listed in the PATH environment variable before the Windows directory, %SystemRoot%\\\\system32 (e.g., C:\\\\Windows\\\\system32), a program may be placed in the preceding directory that is named the same as a Windows program (such as cmd, PowerShell, or Python), which will be executed when that command is executed from a script or command-line.\\n+Adversaries can place a malicious program in an earlier entry in the list of directories stored in the PATH environment variable, resulting in the operating system executing the malicious binary rather than the legitimate binary when it searches sequentially through that PATH listing.\\n \\n-For example, if C:\\\\example path precedes C:\\\\Windows\\\\system32 is in the PATH environment variable, a program that is named net.exe and placed in C:\\\\example path will be called instead of the Windows system \\\"net\\\" when \\\"net\\\" is executed from the command-line.\\n+For example, on Windows if an adversary places a malicious program named \\\"net.exe\\\" in `C:\\\\example path`, which by default precedes `C:\\\\Windows\\\\system32\\\\net.exe` in the PATH environment variable, when \\\"net\\\" is executed from the command-line the `C:\\\\example path` will be called instead of the system's legitimate executable at `C:\\\\Windows\\\\system32\\\\net.exe`. Some methods of executing a program rely on the PATH environment variable to determine the locations that are searched when the path for the program is not given, such as executing programs from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059).(Citation: ExpressVPN PATH env Windows 2021)\\n+\\n+Adversaries may also directly modify the $PATH variable specifying the directories to be searched. An adversary can modify the `$PATH` variable to point to a directory they have write access. When a program using the $PATH variable is called, the OS searches the specified directory and executes the malicious binary. On macOS, this can also be performed through modifying the $HOME variable. These variables can be modified using the command-line, launchctl, [Unix Shell Configuration Modification](https://attack.mitre.org/techniques/T1546/004), or modifying the `/etc/paths.d` folder contents.(Citation: uptycs Fake POC linux malware 2023)(Citation: nixCraft macOS PATH variables)(Citation: Elastic Rules macOS launchctl 2022)\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][1]\": {\"source_name\": \"Elastic Rules macOS launchctl 2022\", \"description\": \"Elastic Security 7.17. (2022, February 1). Modification of Environment Variable via Launchctl. Retrieved September 28, 2023.\", \"url\": \"https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-4-modification-of-environment-variable-via-launchctl.html\"}, \"root['external_references'][2]\": {\"source_name\": \"ExpressVPN PATH env Windows 2021\", \"description\": \"ExpressVPN Security Team. (2021, November 16). Cybersecurity lessons: A PATH vulnerability in Windows. Retrieved September 28, 2023.\", \"url\": \"https://www.expressvpn.com/blog/cybersecurity-lessons-a-path-vulnerability-in-windows/\"}, \"root['external_references'][3]\": {\"source_name\": \"uptycs Fake POC linux malware 2023\", \"description\": \"Nischay Hegde and Siddartha Malladi. (2023, July 12). PoC Exploit: Fake Proof of Concept with Backdoor Malware. Retrieved September 28, 2023.\", \"url\": \"https://www.uptycs.com/blog/new-poc-exploit-backdoor-malware\"}, \"root['external_references'][4]\": {\"source_name\": \"nixCraft macOS PATH variables\", \"description\": \"Vivek Gite. (2023, August 22). MacOS \\u2013 Set / Change $PATH Variable Command. Retrieved September 28, 2023.\", \"url\": \"https://www.cyberciti.biz/faq/appleosx-bash-unix-change-set-path-environment-variable/\"}, \"root['x_mitre_platforms'][1]\": \"macOS\", \"root['x_mitre_platforms'][2]\": \"Linux\"}}", + "previous_version": "1.0", + "version_change": "1.0 \u2192 1.1", + "description_change_table": "\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n

    		Old Description
    		New Description
    t1Adversaries may execute their own malicious payloads by hijat1Adversaries may execute their own malicious payloads by hija
    >cking environment variables used to load libraries. Adversar>cking environment variables used to load libraries. The PATH
    >ies may place a program in an earlier entry in the list of d> environment variable contains a list of directories (User a
    >irectories stored in the PATH environment variable, which Wi>nd System) that the OS searches sequentially through in sear
    >ndows will then execute when it searches sequentially throug>ch of the binary that was called from a script or the comman
    >h that PATH listing in search of the binary that was called >d line.   Adversaries can place a malicious program in an ea
    >from a script or the command line.  The PATH environment var>rlier entry in the list of directories stored in the PATH en
    >iable contains a list of directories. Certain methods of exe>vironment variable, resulting in the operating system execut
    >cuting a program (namely using cmd.exe or the command-line) >ing the malicious binary rather than the legitimate binary w
    >rely solely on the PATH environment variable to determine th>hen it searches sequentially through that PATH listing.  For
    >e locations that are searched for a program when the path fo> example, on Windows if an adversary places a malicious prog
    >r the program is not given. If any directories are listed in>ram named \"net.exe\" in `C:\\example path`, which by default p
    > the PATH environment variable before the Windows directory,>recedes `C:\\Windows\\system32\\net.exe` in the PATH environmen
    > <code>%SystemRoot%\\system32</code> (e.g., <code>C:\\Windows\\>t variable, when \"net\" is executed from the command-line the
    >system32</code>), a program may be placed in the preceding d> `C:\\example path` will be called instead of the system's le
    >irectory that is named the same as a Windows program (such a>gitimate executable at `C:\\Windows\\system32\\net.exe`. Some m
    >s cmd, PowerShell, or Python), which will be executed when t>ethods of executing a program rely on the PATH environment v
    >hat command is executed from a script or command-line.  For >ariable to determine the locations that are searched when th
    >example, if <code>C:\\example path</code> precedes </code>C:\\>e path for the program is not given, such as executing progr
    >Windows\\system32</code> is in the PATH environment variable,>ams from a [Command and Scripting Interpreter](https://attac
    > a program that is named net.exe and placed in <code>C:\\exam>k.mitre.org/techniques/T1059).(Citation: ExpressVPN PATH env
    >ple path</code> will be called instead of the Windows system> Windows 2021)  Adversaries may also directly modify the $PA
    > \"net\" when \"net\" is executed from the command-line.>TH variable specifying the directories to be searched.  An a
     >dversary can modify the `$PATH` variable to point to a direc
     >tory they have write access. When a program using the $PATH 
     >variable is called, the OS searches the specified directory 
     >and executes the malicious binary. On macOS, this can also b
     >e performed through modifying the $HOME variable. These vari
     >ables can be modified using the command-line, launchctl, [Un
     >ix Shell Configuration Modification](https://attack.mitre.or
     >g/techniques/T1546/004), or modifying the `/etc/paths.d` fol
     >der contents.(Citation: uptycs Fake POC linux malware 2023)(
     >Citation: nixCraft macOS PATH variables)(Citation: Elastic R
     >ules macOS launchctl 2022)
    ", + "changelog_mitigations": { + "shared": [ + "M1022: Restrict File and Directory Permissions", + "M1038: Execution Prevention", + "M1047: Audit" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0022: File (File Creation)", + "DS0024: Windows Registry (Windows Registry Key Modification)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--3d333250-30e4-4a82-9edc-756c68afc529", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-02-21 20:22:13.470000+00:00", + "modified": "2023-10-20 16:43:53.391000+00:00", + "name": "Impair Defenses", + "description": "Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.\n\nAdversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out of a computer or stopping it from being shut down. These restrictions can further enable malicious operations as well as the continued propagation of incidents.(Citation: Emotet shutdown)\n\nAdversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1562", + "external_id": "T1562" + }, + { + "source_name": "Emotet shutdown", + "description": "The DFIR Report. (2022, November 8). Emotet Strikes Again \u2013 LNK File Leads to Domain Wide Ransomware. Retrieved March 6, 2023.", + "url": "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_data_sources": [ + "File: File Modification", + "Cloud Service: Cloud Service Disable", + "Firewall: Firewall Rule Modification", + "Command: Command Execution", + "Script: Script Execution", + "Process: Process Modification", + "Windows Registry: Windows Registry Key Deletion", + "Process: Process Termination", + "Service: Service Metadata", + "Cloud Service: Cloud Service Modification", + "User Account: User Account Modification", + "File: File Deletion", + "Sensor Health: Host Status", + "Process: OS API Execution", + "Process: Process Creation", + "Windows Registry: Windows Registry Key Modification", + "Driver: Driver Load", + "Firewall: Firewall Disable" + ], + "x_mitre_defense_bypassed": [ + "Anti-virus", + "Signature-based detection", + "Host intrusion prevention systems", + "File monitoring", + "Digital Certificate Validation", + "Host forensic analysis", + "Log analysis", + "Firewall" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor processes and command-line arguments to see if security tools or logging services are killed or stop running. Monitor Registry edits for modifications to services and startup programs that correspond to security tools. Lack of log events may be suspicious.\n\nMonitor environment variables and APIs that can be leveraged to disable security measures.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "Office 365", + "IaaS", + "Linux", + "macOS", + "Containers", + "Network" + ], + "x_mitre_version": "1.5", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-20 16:43:53.391000+00:00\", \"old_value\": \"2023-04-15 00:48:46.626000+00:00\"}, \"root['external_references'][1]['url']\": {\"new_value\": \"https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/\", \"old_value\": \"https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/#:~:text=Don\\u2019t%20Sleep%20has%20the%20capability%20to%20keep%20the%20computer%20from%20being%20shutdown%20and%20the%20user%20from%20being%20signed%20off.%20This%20was%20likely%20done%20to%20ensure%20nothing%20will%20interfere%20with%20the%20propagation%20of%20the%20ransomware%20payload\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.5\", \"old_value\": \"1.4\"}}, \"iterable_item_added\": {\"root['x_mitre_data_sources'][0]\": \"File: File Modification\", \"root['x_mitre_data_sources'][5]\": \"Process: Process Modification\", \"root['x_mitre_data_sources'][11]\": \"File: File Deletion\", \"root['x_mitre_data_sources'][13]\": \"Process: OS API Execution\"}}", + "previous_version": "1.4", + "version_change": "1.4 \u2192 1.5", + "changelog_mitigations": { + "shared": [ + "M1018: User Account Management", + "M1022: Restrict File and Directory Permissions", + "M1024: Restrict Registry Permissions", + "M1038: Execution Prevention", + "M1047: Audit" + ], + "new": [ + "M1054: Software Configuration" + ], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0002: User Account (User Account Modification)", + "DS0009: Process (Process Creation)", + "DS0009: Process (Process Termination)", + "DS0012: Script (Script Execution)", + "DS0013: Sensor Health (Host Status)", + "DS0017: Command (Command Execution)", + "DS0018: Firewall (Firewall Disable)", + "DS0018: Firewall (Firewall Rule Modification)", + "DS0019: Service (Service Metadata)", + "DS0024: Windows Registry (Windows Registry Key Deletion)", + "DS0024: Windows Registry (Windows Registry Key Modification)", + "DS0025: Cloud Service (Cloud Service Disable)", + "DS0025: Cloud Service (Cloud Service Modification)", + "DS0027: Driver (Driver Load)" + ], + "new": [ + "DS0009: Process (OS API Execution)", + "DS0009: Process (Process Modification)", + "DS0022: File (File Deletion)", + "DS0022: File (File Modification)" + ], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--4eb28bed-d11a-4641-9863-c2ac017d910a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-02-21 20:46:36.688000+00:00", + "modified": "2023-09-18 22:33:57.556000+00:00", + "name": "Disable Windows Event Logging", + "description": "Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. Windows event logs record user and system activity such as login attempts, process creation, and much more.(Citation: Windows Log Events) This data is used by security tools and analysts to generate detections.\n\nThe EventLog service maintains event logs from various system components and applications.(Citation: EventLog_Core_Technologies) By default, the service automatically starts when a system powers on. An audit policy, maintained by the Local Security Policy (secpol.msc), defines which system events the EventLog service logs. Security audit policy settings can be changed by running secpol.msc, then navigating to Security Settings\\Local Policies\\Audit Policy for basic audit policy settings or Security Settings\\Advanced Audit Policy Configuration for advanced audit policy settings.(Citation: Audit_Policy_Microsoft)(Citation: Advanced_sec_audit_policy_settings) auditpol.exe may also be used to set audit policies.(Citation: auditpol)\n\nAdversaries may target system-wide logging or just that of a particular application. For example, the Windows EventLog service may be disabled using the Set-Service -Name EventLog -Status Stopped or sc config eventlog start=disabled commands (followed by manually stopping the service using Stop-Service -Name EventLog).(Citation: Disable_Win_Event_Logging)(Citation: disable_win_evt_logging) Additionally, the service may be disabled by modifying the \u201cStart\u201d value in HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\EventLog then restarting the system for the change to take effect.(Citation: disable_win_evt_logging)\n\nThere are several ways to disable the EventLog service via registry key modification. First, without Administrator privileges, adversaries may modify the \"Start\" value in the key HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\EventLog-Security, then reboot the system to disable the Security EventLog.(Citation: winser19_file_overwrite_bug_twitter) Second, with Administrator privilege, adversaries may modify the same values in HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\EventLog-System and HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\EventLog-Application to disable the entire EventLog.(Citation: disable_win_evt_logging)\n\nAdditionally, adversaries may use auditpol and its sub-commands in a command prompt to disable auditing or clear the audit policy. To enable or disable a specified setting or audit category, adversaries may use the /success or /failure parameters. For example, auditpol /set /category:\u201dAccount Logon\u201d /success:disable /failure:disable turns off auditing for the Account Logon category.(Citation: auditpol.exe_STRONTIC)(Citation: T1562.002_redcanaryco) To clear the audit policy, adversaries may run the following lines: auditpol /clear /y or auditpol /remove /allusers.(Citation: T1562.002_redcanaryco)\n\nBy disabling Windows event logging, adversaries can operate while leaving less evidence of a compromise behind.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1562/002", + "external_id": "T1562.002" + }, + { + "source_name": "Disable_Win_Event_Logging", + "description": " dmcxblue. (n.d.). Disable Windows Event Logging. Retrieved September 10, 2021.", + "url": "https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/defense-evasion/t1562-impair-defenses/disable-windows-event-logging" + }, + { + "source_name": "def_ev_win_event_logging", + "description": "Chandel, R. (2021, April 22). Defense Evasion: Windows Event Logging (T1562.002). Retrieved September 14, 2021.", + "url": "https://www.hackingarticles.in/defense-evasion-windows-event-logging-t1562-002/" + }, + { + "source_name": "EventLog_Core_Technologies", + "description": "Core Technologies. (2021, May 24). Essential Windows Services: EventLog / Windows Event Log. Retrieved September 14, 2021.", + "url": "https://www.coretechnologies.com/blog/windows-services/eventlog/" + }, + { + "source_name": "Audit_Policy_Microsoft", + "description": "Daniel Simpson. (2017, April 19). Audit Policy. Retrieved September 13, 2021.", + "url": "https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/audit-policy" + }, + { + "source_name": "Windows Log Events", + "description": "Franklin Smith. (n.d.). Windows Security Log Events. Retrieved February 21, 2020.", + "url": "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/" + }, + { + "source_name": "disable_win_evt_logging", + "description": "Heiligenstein, L. (n.d.). REP-25: Disable Windows Event Logging. Retrieved April 7, 2022.", + "url": "https://ptylu.github.io/content/report/report.html?report=25" + }, + { + "source_name": "auditpol", + "description": "Jason Gerend, et al. (2017, October 16). auditpol. Retrieved September 1, 2021.", + "url": "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/auditpol" + }, + { + "source_name": "winser19_file_overwrite_bug_twitter", + "description": "Naceri, A. (2021, November 7). Windows Server 2019 file overwrite bug. Retrieved April 7, 2022.", + "url": "https://web.archive.org/web/20211107115646/https://twitter.com/klinix5/status/1457316029114327040" + }, + { + "source_name": "T1562.002_redcanaryco", + "description": "redcanaryco. (2021, September 3). T1562.002 - Disable Windows Event Logging. Retrieved September 13, 2021.", + "url": "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md" + }, + { + "source_name": "Advanced_sec_audit_policy_settings", + "description": "Simpson, D. et al. (2017, April 19). Advanced security audit policy settings. Retrieved September 14, 2021.", + "url": "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings" + }, + { + "source_name": "auditpol.exe_STRONTIC", + "description": "STRONTIC. (n.d.). auditpol.exe. Retrieved September 9, 2021.", + "url": "https://strontic.github.io/xcyclopedia/library/auditpol.exe-214E0EA1F7F7C27C82D23F183F9D23F1.html" + }, + { + "source_name": "evt_log_tampering", + "description": "svch0st. (2020, September 30). Event Log Tampering Part 1: Disrupting the EventLog Service. Retrieved September 14, 2021.", + "url": "https://svch0st.medium.com/event-log-tampering-part-1-disrupting-the-eventlog-service-8d4b7d67335c" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Prasanth Sadanala, Cigna Information Protection (CIP) - Threat Response Engineering Team", + "Lucas Heiligenstein" + ], + "x_mitre_data_sources": [ + "Sensor Health: Host Status", + "Command: Command Execution", + "Windows Registry: Windows Registry Key Modification", + "Script: Script Execution", + "Process: Process Creation", + "Windows Registry: Windows Registry Key Creation", + "Application Log: Application Log Content" + ], + "x_mitre_defense_bypassed": [ + "Log analysis" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor processes and command-line arguments for commands that can be used to disable logging. For example, [Wevtutil](https://attack.mitre.org/software/S0645), `auditpol`, `sc stop EventLog`, and offensive tooling (such as [Mimikatz](https://attack.mitre.org/software/S0002) and `Invoke-Phant0m`) may be used to clear logs.(Citation: def_ev_win_event_logging)(Citation: evt_log_tampering) \n\nIn Event Viewer, Event ID 1102 under the \u201cSecurity\u201d Windows Log and Event ID 104 under the \u201cSystem\u201d Windows Log both indicate logs have been cleared.(Citation: def_ev_win_event_logging) `Service Control Manager Event ID 7035` in Event Viewer may indicate the termination of the EventLog service.(Citation: evt_log_tampering) Additionally, gaps in the logs, e.g. non-sequential Event Record IDs, may indicate that the logs may have been tampered.\n\nMonitor the addition of the MiniNT registry key in `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control`, which may disable Event Viewer.(Citation: def_ev_win_event_logging)", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.3", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-18 22:33:57.556000+00:00\", \"old_value\": \"2023-03-17 23:24:19.730000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.3\", \"old_value\": \"1.2\"}}, \"iterable_item_added\": {\"root['x_mitre_data_sources'][2]\": \"Windows Registry: Windows Registry Key Modification\"}}", + "previous_version": "1.2", + "version_change": "1.2 \u2192 1.3", + "changelog_mitigations": { + "shared": [ + "M1018: User Account Management", + "M1022: Restrict File and Directory Permissions", + "M1024: Restrict Registry Permissions", + "M1047: Audit" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0012: Script (Script Execution)", + "DS0013: Sensor Health (Host Status)", + "DS0015: Application Log (Application Log Content)", + "DS0017: Command (Command Execution)", + "DS0024: Windows Registry (Windows Registry Key Creation)" + ], + "new": [ + "DS0024: Windows Registry (Windows Registry Key Modification)" + ], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-02-21 20:32:20.810000+00:00", + "modified": "2023-05-28 16:57:27.185000+00:00", + "name": "Disable or Modify Tools", + "description": "Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.(Citation: SCADAfence_ransomware)\n\nAdversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to [Indicator Blocking](https://attack.mitre.org/techniques/T1562/006), adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls) \n\nAdversaries may also focus on specific applications such as Sysmon. For example, the \u201cStart\u201d and \u201cEnable\u201d values in HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\EventLog-Microsoft-Windows-Sysmon-Operational may be modified to tamper with and potentially disable Sysmon logging.(Citation: disable_win_evt_logging) \n\nOn network devices, adversaries may attempt to skip digital signature verification checks by altering startup configuration files and effectively disabling firmware verification that typically occurs at boot.(Citation: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation)(Citation: Analysis of FG-IR-22-369)\n\nIn cloud environments, tools disabled by adversaries may include cloud monitoring agents that report back to services such as AWS CloudWatch or Google Cloud Monitor.\n\nFurthermore, although defensive tools may have anti-tampering mechanisms, adversaries may abuse tools such as legitimate rootkit removal kits to impair and/or disable these tools.(Citation: chasing_avaddon_ransomware)(Citation: dharma_ransomware)(Citation: demystifying_ryuk)(Citation: doppelpaymer_crowdstrike) For example, adversaries have used tools such as GMER to find and shut down hidden processes and antivirus software on infected systems.(Citation: demystifying_ryuk)\n\nAdditionally, adversaries may exploit legitimate drivers from anti-virus software to gain access to kernel space (i.e. [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)), which may lead to bypassing anti-tampering features.(Citation: avoslocker_ransomware)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1562/001", + "external_id": "T1562.001" + }, + { + "source_name": "Analysis of FG-IR-22-369", + "description": " Guillaume Lovet and Alex Kong. (2023, March 9). Analysis of FG-IR-22-369. Retrieved May 15, 2023.", + "url": "https://www.fortinet.com/blog/psirt-blogs/fg-ir-22-369-psirt-analysis" + }, + { + "source_name": "Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation", + "description": "ALEXANDER MARVI, BRAD SLAYBAUGH, DAN EBREO, TUFAIL AHMED, MUHAMMAD UMAIR, TINA JOHNSON. (2023, March 16). Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation. Retrieved May 15, 2023.", + "url": "https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem" + }, + { + "source_name": "OutFlank System Calls", + "description": "de Plaa, C. (2019, June 19). Red Team Tactics: Combining Direct System Calls and sRDI to bypass AV/EDR. Retrieved September 29, 2021.", + "url": "https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/" + }, + { + "source_name": "disable_win_evt_logging", + "description": "Heiligenstein, L. (n.d.). REP-25: Disable Windows Event Logging. Retrieved April 7, 2022.", + "url": "https://ptylu.github.io/content/report/report.html?report=25" + }, + { + "source_name": "chasing_avaddon_ransomware", + "description": "Hernandez, A. S. Tarter, P. Ocamp, E. J. (2022, January 19). One Source to Rule Them All: Chasing AVADDON Ransomware. Retrieved January 26, 2022.", + "url": "https://www.mandiant.com/resources/chasing-avaddon-ransomware" + }, + { + "source_name": "doppelpaymer_crowdstrike", + "description": "Hurley, S. (2021, December 7). Critical Hit: How DoppelPaymer Hunts and Kills Windows Processes. Retrieved January 26, 2022.", + "url": "https://www.crowdstrike.com/blog/how-doppelpaymer-hunts-and-kills-windows-processes/" + }, + { + "source_name": "avoslocker_ransomware", + "description": "Lakshmanan, R. (2022, May 2). AvosLocker Ransomware Variant Using New Trick to Disable Antivirus Protection. Retrieved May 17, 2022.", + "url": "https://thehackernews.com/2022/05/avoslocker-ransomware-variant-using-new.html" + }, + { + "source_name": "dharma_ransomware", + "description": "Loui, E. Scheuerman, K. et al. (2020, April 16). Targeted Dharma Ransomware Intrusions Exhibit Consistent Techniques. Retrieved January 26, 2022.", + "url": "https://www.crowdstrike.com/blog/targeted-dharma-ransomware-intrusions-exhibit-consistent-techniques/" + }, + { + "source_name": "MDSec System Calls", + "description": "MDSec Research. (2020, December). Bypassing User-Mode Hooks and Direct Invocation of System Calls for Red Teams. Retrieved September 29, 2021.", + "url": "https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/" + }, + { + "source_name": "SCADAfence_ransomware", + "description": "Shaked, O. (2020, January 20). Anatomy of a Targeted Ransomware Attack. Retrieved June 18, 2022.", + "url": "https://cdn.logic-control.com/docs/scadafence/Anatomy-Of-A-Targeted-Ransomware-Attack-WP.pdf" + }, + { + "source_name": "demystifying_ryuk", + "description": "Tran, T. (2020, November 24). Demystifying Ransomware Attacks Against Microsoft Defender Solution. Retrieved January 26, 2022.", + "url": "https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/demystifying-ransomware-attacks-against-microsoft-defender/ba-p/1928947" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Gordon Long, Box, Inc., @ethicalhax", + "Ziv Karliner, @ziv_kr, Team Nautilus Aqua Security", + "Nathaniel Quist, Palo Alto Networks", + "Gal Singer, @galsinger29, Team Nautilus Aqua Security", + "Daniel Feichter, @VirtualAllocEx, Infosec Tirol", + "Cian Heasley", + "Alex Soler, AttackIQ", + "Sarathkumar Rajendran, Microsoft Defender365", + "Lucas Heiligenstein" + ], + "x_mitre_data_sources": [ + "Sensor Health: Host Status", + "Process: Process Termination", + "Process: Process Creation", + "Service: Service Metadata", + "Windows Registry: Windows Registry Key Modification", + "Command: Command Execution", + "Windows Registry: Windows Registry Key Deletion", + "Driver: Driver Load" + ], + "x_mitre_defense_bypassed": [ + "Anti-virus", + "Log analysis", + "Signature-based detection", + "Host intrusion prevention systems", + "File monitoring" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor processes and command-line arguments to see if security tools/services are killed or stop running. Monitor Registry edits for modifications to services and startup programs that correspond to security tools. Monitoring for changes to other known features used by deployed security tools may also expose malicious activity.\n\nLack of expected log events may be suspicious.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "macOS", + "Linux", + "Containers", + "IaaS", + "Network" + ], + "x_mitre_version": "1.5", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-05-28 16:57:27.185000+00:00\", \"old_value\": \"2023-04-12 13:43:42.986000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.(Citation: SCADAfence_ransomware)\\n\\nAdversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to [Indicator Blocking](https://attack.mitre.org/techniques/T1562/006), adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls) \\n\\nAdversaries may also focus on specific applications such as Sysmon. For example, the \\u201cStart\\u201d and \\u201cEnable\\u201d values in HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\WMI\\\\Autologger\\\\EventLog-Microsoft-Windows-Sysmon-Operational may be modified to tamper with and potentially disable Sysmon logging.(Citation: disable_win_evt_logging) \\n\\nOn network devices, adversaries may attempt to skip digital signature verification checks by altering startup configuration files and effectively disabling firmware verification that typically occurs at boot.(Citation: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation)(Citation: Analysis of FG-IR-22-369)\\n\\nIn cloud environments, tools disabled by adversaries may include cloud monitoring agents that report back to services such as AWS CloudWatch or Google Cloud Monitor.\\n\\nFurthermore, although defensive tools may have anti-tampering mechanisms, adversaries may abuse tools such as legitimate rootkit removal kits to impair and/or disable these tools.(Citation: chasing_avaddon_ransomware)(Citation: dharma_ransomware)(Citation: demystifying_ryuk)(Citation: doppelpaymer_crowdstrike) For example, adversaries have used tools such as GMER to find and shut down hidden processes and antivirus software on infected systems.(Citation: demystifying_ryuk)\\n\\nAdditionally, adversaries may exploit legitimate drivers from anti-virus software to gain access to kernel space (i.e. [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)), which may lead to bypassing anti-tampering features.(Citation: avoslocker_ransomware)\", \"old_value\": \"Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.(Citation: SCADAfence_ransomware)\\n\\nAdversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to [Indicator Blocking](https://attack.mitre.org/techniques/T1562/006), adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls) \\n\\nAdversaries may also focus on specific applications such as Sysmon. For example, the \\u201cStart\\u201d and \\u201cEnable\\u201d values in HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\WMI\\\\Autologger\\\\EventLog-Microsoft-Windows-Sysmon-Operational may be modified to tamper with and potentially disable Sysmon logging.(Citation: disable_win_evt_logging) \\n\\nIn cloud environments, tools disabled by adversaries may include cloud monitoring agents that report back to services such as AWS CloudWatch or Google Cloud Monitor.\\n\\nFurthermore, although defensive tools may have anti-tampering mechanisms, adversaries may abuse tools such as legitimate rootkit removal kits to impair and/or disable these tools.(Citation: chasing_avaddon_ransomware)(Citation: dharma_ransomware)(Citation: demystifying_ryuk)(Citation: doppelpaymer_crowdstrike) For example, adversaries have used tools such as GMER to find and shut down hidden processes and antivirus software on infected systems.(Citation: demystifying_ryuk)\\n\\nAdditionally, adversaries may exploit legitimate drivers from anti-virus software to gain access to kernel space (i.e. [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)), which may lead to bypassing anti-tampering features.(Citation: avoslocker_ransomware)\", \"diff\": \"--- \\n+++ \\n@@ -4,6 +4,8 @@\\n \\n Adversaries may also focus on specific applications such as Sysmon. For example, the \\u201cStart\\u201d and \\u201cEnable\\u201d values in HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\WMI\\\\Autologger\\\\EventLog-Microsoft-Windows-Sysmon-Operational may be modified to tamper with and potentially disable Sysmon logging.(Citation: disable_win_evt_logging) \\n \\n+On network devices, adversaries may attempt to skip digital signature verification checks by altering startup configuration files and effectively disabling firmware verification that typically occurs at boot.(Citation: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation)(Citation: Analysis of FG-IR-22-369)\\n+\\n In cloud environments, tools disabled by adversaries may include cloud monitoring agents that report back to services such as AWS CloudWatch or Google Cloud Monitor.\\n \\n Furthermore, although defensive tools may have anti-tampering mechanisms, adversaries may abuse tools such as legitimate rootkit removal kits to impair and/or disable these tools.(Citation: chasing_avaddon_ransomware)(Citation: dharma_ransomware)(Citation: demystifying_ryuk)(Citation: doppelpaymer_crowdstrike) For example, adversaries have used tools such as GMER to find and shut down hidden processes and antivirus software on infected systems.(Citation: demystifying_ryuk)\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.5\", \"old_value\": \"1.4\"}}, \"iterable_item_added\": {\"root['external_references'][1]\": {\"source_name\": \"Analysis of FG-IR-22-369\", \"description\": \" Guillaume Lovet and Alex Kong. (2023, March 9). Analysis of FG-IR-22-369. Retrieved May 15, 2023.\", \"url\": \"https://www.fortinet.com/blog/psirt-blogs/fg-ir-22-369-psirt-analysis\"}, \"root['external_references'][2]\": {\"source_name\": \"Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation\", \"description\": \"ALEXANDER MARVI, BRAD SLAYBAUGH, DAN EBREO, TUFAIL AHMED, MUHAMMAD UMAIR, TINA JOHNSON. (2023, March 16). Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation. Retrieved May 15, 2023.\", \"url\": \"https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem\"}, \"root['x_mitre_data_sources'][2]\": \"Process: Process Creation\", \"root['x_mitre_platforms'][5]\": \"Network\"}}", + "previous_version": "1.4", + "version_change": "1.4 \u2192 1.5", + "description_change_table": "\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n

    		Old Description
    		New Description
    t1Adversaries may modify and/or disable security tools to avoit1Adversaries may modify and/or disable security tools to avoi
    >d possible detection of their malware/tools and activities. >d possible detection of their malware/tools and activities. 
    >This may take many forms, such as killing security software >This may take many forms, such as killing security software 
    >processes or services, modifying / deleting Registry keys or>processes or services, modifying / deleting Registry keys or
    > configuration files so that tools do not operate properly, > configuration files so that tools do not operate properly, 
    >or other methods to interfere with security tools scanning o>or other methods to interfere with security tools scanning o
    >r reporting information. Adversaries may also disable update>r reporting information. Adversaries may also disable update
    >s to prevent the latest security patches from reaching tools>s to prevent the latest security patches from reaching tools
    > on victim systems.(Citation: SCADAfence_ransomware)  Advers> on victim systems.(Citation: SCADAfence_ransomware)  Advers
    >aries may also tamper with artifacts deployed and utilized b>aries may also tamper with artifacts deployed and utilized b
    >y security tools. Security tools may make dynamic changes to>y security tools. Security tools may make dynamic changes to
    > system components in order to maintain visibility into spec> system components in order to maintain visibility into spec
    >ific events. For example, security products may load their o>ific events. For example, security products may load their o
    >wn modules and/or modify those loaded by processes to facili>wn modules and/or modify those loaded by processes to facili
    >tate data collection. Similar to [Indicator Blocking](https:>tate data collection. Similar to [Indicator Blocking](https:
    >//attack.mitre.org/techniques/T1562/006), adversaries may un>//attack.mitre.org/techniques/T1562/006), adversaries may un
    >hook or otherwise modify these features added by tools (espe>hook or otherwise modify these features added by tools (espe
    >cially those that exist in userland or are otherwise potenti>cially those that exist in userland or are otherwise potenti
    >ally accessible to adversaries) to avoid detection.(Citation>ally accessible to adversaries) to avoid detection.(Citation
    >: OutFlank System Calls)(Citation: MDSec System Calls)   Adv>: OutFlank System Calls)(Citation: MDSec System Calls)   Adv
    >ersaries may also focus on specific applications such as Sys>ersaries may also focus on specific applications such as Sys
    >mon. For example, the \u201cStart\u201d and \u201cEnable\u201d values in <code>H>mon. For example, the \u201cStart\u201d and \u201cEnable\u201d values in <code>H
    >KEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autol>KEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autol
    >ogger\\EventLog-Microsoft-Windows-Sysmon-Operational</code> m>ogger\\EventLog-Microsoft-Windows-Sysmon-Operational</code> m
    >ay be modified to tamper with and potentially disable Sysmon>ay be modified to tamper with and potentially disable Sysmon
    > logging.(Citation: disable_win_evt_logging)   In cloud envi> logging.(Citation: disable_win_evt_logging)   On network de
    >ronments, tools disabled by adversaries may include cloud mo>vices, adversaries may attempt to skip digital signature ver
    >nitoring agents that report back to services such as AWS Clo>ification checks by altering startup configuration files and
    >udWatch or Google Cloud Monitor.  Furthermore, although defe> effectively disabling firmware verification that typically 
    >nsive tools may have anti-tampering mechanisms, adversaries >occurs at boot.(Citation: Fortinet Zero-Day and Custom Malwa
    >may abuse tools such as legitimate rootkit removal kits to i>re Used by Suspected Chinese Actor in Espionage Operation)(C
    >mpair and/or disable these tools.(Citation: chasing_avaddon_>itation: Analysis of FG-IR-22-369)  In cloud environments, t
    >ransomware)(Citation: dharma_ransomware)(Citation: demystify>ools disabled by adversaries may include cloud monitoring ag
    >ing_ryuk)(Citation: doppelpaymer_crowdstrike) For example, a>ents that report back to services such as AWS CloudWatch or 
    >dversaries have used tools such as GMER to find and shut dow>Google Cloud Monitor.  Furthermore, although defensive tools
    >n hidden processes and antivirus software on infected system> may have anti-tampering mechanisms, adversaries may abuse t
    >s.(Citation: demystifying_ryuk)  Additionally, adversaries m>ools such as legitimate rootkit removal kits to impair and/o
    >ay exploit legitimate drivers from anti-virus software to ga>r disable these tools.(Citation: chasing_avaddon_ransomware)
    >in access to kernel space (i.e. [Exploitation for Privilege >(Citation: dharma_ransomware)(Citation: demystifying_ryuk)(C
    >Escalation](https://attack.mitre.org/techniques/T1068)), whi>itation: doppelpaymer_crowdstrike) For example, adversaries 
    >ch may lead to bypassing anti-tampering features.(Citation: >have used tools such as GMER to find and shut down hidden pr
    >avoslocker_ransomware)>ocesses and antivirus software on infected systems.(Citation
     >: demystifying_ryuk)  Additionally, adversaries may exploit 
     >legitimate drivers from anti-virus software to gain access t
     >o kernel space (i.e. [Exploitation for Privilege Escalation]
     >(https://attack.mitre.org/techniques/T1068)), which may lead
     > to bypassing anti-tampering features.(Citation: avoslocker_
     >ransomware)
    ", + "changelog_mitigations": { + "shared": [ + "M1018: User Account Management", + "M1022: Restrict File and Directory Permissions", + "M1024: Restrict Registry Permissions", + "M1038: Execution Prevention" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Termination)", + "DS0013: Sensor Health (Host Status)", + "DS0017: Command (Command Execution)", + "DS0019: Service (Service Metadata)", + "DS0024: Windows Registry (Windows Registry Key Deletion)", + "DS0024: Windows Registry (Windows Registry Key Modification)", + "DS0027: Driver (Driver Load)" + ], + "new": [ + "DS0009: Process (Process Creation)" + ], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--824add00-99a1-4b15-9a2d-6c5683b7b497", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-10-08 14:06:28.212000+00:00", + "modified": "2023-10-03 16:40:15.445000+00:00", + "name": "Downgrade Attack", + "description": "Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls. Downgrade attacks typically take advantage of a system\u2019s backward compatibility to force it into less secure modes of operation. \n\nAdversaries may downgrade and use various less-secure versions of features of a system, such as [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s or even network protocols that can be abused to enable [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) or [Network Sniffing](https://attack.mitre.org/techniques/T1040).(Citation: Praetorian TLS Downgrade Attack 2014) For example, [PowerShell](https://attack.mitre.org/techniques/T1059/001) versions 5+ includes Script Block Logging (SBL) which can record executed script content. However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL with the intent to [Impair Defenses](https://attack.mitre.org/techniques/T1562) while running malicious scripts that may have otherwise been detected.(Citation: CrowdStrike BGH Ransomware 2021)(Citation: Mandiant BYOL 2018)(Citation: att_def_ps_logging)\n\nAdversaries may similarly target network traffic to downgrade from an encrypted HTTPS connection to an unsecured HTTP connection that exposes network data in clear text.(Citation: Targeted SSL Stripping Attacks Are Real)(Citation: Crowdstrike Downgrade)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1562/010", + "external_id": "T1562.010" + }, + { + "source_name": "Crowdstrike Downgrade", + "description": "Bart Lenaerts-Bergman. (2023, March 14). WHAT ARE DOWNGRADE ATTACKS?. Retrieved May 24, 2023.", + "url": "https://www.crowdstrike.com/cybersecurity-101/attack-types/downgrade-attacks/" + }, + { + "source_name": "Targeted SSL Stripping Attacks Are Real", + "description": "Check Point. (n.d.). Targeted SSL Stripping Attacks Are Real. Retrieved May 24, 2023.", + "url": "https://blog.checkpoint.com/research/targeted-ssl-stripping-attacks-are-real/amp/" + }, + { + "source_name": "CrowdStrike BGH Ransomware 2021", + "description": "Falcon Complete Team. (2021, May 11). Response When Minutes Matter: Rising Up Against Ransomware. Retrieved October 8, 2021.", + "url": "https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-big-game-hunting-ransomware-attack/" + }, + { + "source_name": "att_def_ps_logging", + "description": "Hao, M. (2019, February 27). Attack and Defense Around PowerShell Event Logging. Retrieved November 24, 2021.", + "url": "https://nsfocusglobal.com/attack-and-defense-around-powershell-event-logging/" + }, + { + "source_name": "inv_ps_attacks", + "description": "Hastings, M. (2014, July 16). Investigating PowerShell Attacks. Retrieved December 1, 2021.", + "url": "https://powershellmagazine.com/2014/07/16/investigating-powershell-attacks/" + }, + { + "source_name": "Mandiant BYOL 2018", + "description": "Kirk, N. (2018, June 18). Bring Your Own Land (BYOL) \u2013 A Novel Red Teaming Technique. Retrieved October 8, 2021.", + "url": "https://www.mandiant.com/resources/bring-your-own-land-novel-red-teaming-technique" + }, + { + "source_name": "Praetorian TLS Downgrade Attack 2014", + "description": "Praetorian. (2014, August 19). Man-in-the-Middle TLS Protocol Downgrade Attack. Retrieved October 8, 2021.", + "url": "https://www.praetorian.com/blog/man-in-the-middle-tls-ssl-protocol-downgrade-attack/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Mayuresh Dani, Qualys", + "Daniel Feichter, @VirtualAllocEx, Infosec Tirol", + "Arad Inbar, Fidelis Security" + ], + "x_mitre_data_sources": [ + "Command: Command Execution", + "Process: Process Creation", + "Process: Process Metadata" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor for commands or other activity that may be indicative of attempts to abuse older or deprecated technologies (ex: powershell \u2013v 2). Also monitor for other abnormal events, such as execution of and/or processes spawning from a version of a tool that is not expected in the environment.\n\nMonitor for Windows event ID (EID) 400, specifically the EngineVersion field which shows the version of PowerShell running and may highlight a malicious downgrade attack.(Citation: inv_ps_attacks)\n\nMonitor network data to detect cases where HTTP is used instead of HTTPS.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "Linux", + "macOS" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-03 16:40:15.445000+00:00\", \"old_value\": \"2022-05-19 16:28:31.041000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls. Downgrade attacks typically take advantage of a system\\u2019s backward compatibility to force it into less secure modes of operation. \\n\\nAdversaries may downgrade and use various less-secure versions of features of a system, such as [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s or even network protocols that can be abused to enable [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) or [Network Sniffing](https://attack.mitre.org/techniques/T1040).(Citation: Praetorian TLS Downgrade Attack 2014) For example, [PowerShell](https://attack.mitre.org/techniques/T1059/001) versions 5+ includes Script Block Logging (SBL) which can record executed script content. However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL with the intent to [Impair Defenses](https://attack.mitre.org/techniques/T1562) while running malicious scripts that may have otherwise been detected.(Citation: CrowdStrike BGH Ransomware 2021)(Citation: Mandiant BYOL 2018)(Citation: att_def_ps_logging)\\n\\nAdversaries may similarly target network traffic to downgrade from an encrypted HTTPS connection to an unsecured HTTP connection that exposes network data in clear text.(Citation: Targeted SSL Stripping Attacks Are Real)(Citation: Crowdstrike Downgrade)\", \"old_value\": \"Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls such as logging. For example, [PowerShell](https://attack.mitre.org/techniques/T1059/001) versions 5+ includes Script Block Logging (SBL) which can record executed script content. However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL with the intent to [Impair Defenses](https://attack.mitre.org/techniques/T1562) while running malicious scripts that may have otherwise been detected.(Citation: CrowdStrike BGH Ransomware 2021)(Citation: Mandiant BYOL 2018)(Citation: att_def_ps_logging)\\n\\nAdversaries may downgrade and use less-secure versions of various features of a system, such as [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s or even network protocols that can be abused to enable [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557).(Citation: Praetorian TLS Downgrade Attack 2014)\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,5 @@\\n-Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls such as logging. For example, [PowerShell](https://attack.mitre.org/techniques/T1059/001) versions 5+ includes Script Block Logging (SBL) which can record executed script content. However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL with the intent to [Impair Defenses](https://attack.mitre.org/techniques/T1562) while running malicious scripts that may have otherwise been detected.(Citation: CrowdStrike BGH Ransomware 2021)(Citation: Mandiant BYOL 2018)(Citation: att_def_ps_logging)\\n+Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls. Downgrade attacks typically take advantage of a system\\u2019s backward compatibility to force it into less secure modes of operation. \\n \\n-Adversaries may downgrade and use less-secure versions of various features of a system, such as [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s or even network protocols that can be abused to enable [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557).(Citation: Praetorian TLS Downgrade Attack 2014)\\n+Adversaries may downgrade and use various less-secure versions of features of a system, such as [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s or even network protocols that can be abused to enable [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) or [Network Sniffing](https://attack.mitre.org/techniques/T1040).(Citation: Praetorian TLS Downgrade Attack 2014) For example, [PowerShell](https://attack.mitre.org/techniques/T1059/001) versions 5+ includes Script Block Logging (SBL) which can record executed script content. However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL with the intent to [Impair Defenses](https://attack.mitre.org/techniques/T1562) while running malicious scripts that may have otherwise been detected.(Citation: CrowdStrike BGH Ransomware 2021)(Citation: Mandiant BYOL 2018)(Citation: att_def_ps_logging)\\n+\\n+Adversaries may similarly target network traffic to downgrade from an encrypted HTTPS connection to an unsecured HTTP connection that exposes network data in clear text.(Citation: Targeted SSL Stripping Attacks Are Real)(Citation: Crowdstrike Downgrade)\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_detection']\": {\"new_value\": \"Monitor for commands or other activity that may be indicative of attempts to abuse older or deprecated technologies (ex: powershell \\u2013v 2). Also monitor for other abnormal events, such as execution of and/or processes spawning from a version of a tool that is not expected in the environment.\\n\\nMonitor for Windows event ID (EID) 400, specifically the EngineVersion field which shows the version of PowerShell running and may highlight a malicious downgrade attack.(Citation: inv_ps_attacks)\\n\\nMonitor network data to detect cases where HTTP is used instead of HTTPS.\", \"old_value\": \"Monitor for commands or other activity that may be indicative of attempts to abuse older or deprecated technologies (ex: powershell \\u2013v 2). Also monitor for other abnormal events, such as execution of and/or processes spawning from a version of a tool that is not expected in the environment.\\n\\nMonitor for Windows event ID (EID) 400, specifically the EngineVersion field which shows the version of PowerShell running and may highlight a malicious downgrade attack.(Citation: inv_ps_attacks)\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,5 @@\\n Monitor for commands or other activity that may be indicative of attempts to abuse older or deprecated technologies (ex: powershell \\u2013v 2). Also monitor for other abnormal events, such as execution of and/or processes spawning from a version of a tool that is not expected in the environment.\\n \\n Monitor for Windows event ID (EID) 400, specifically the EngineVersion field which shows the version of PowerShell running and may highlight a malicious downgrade attack.(Citation: inv_ps_attacks)\\n+\\n+Monitor network data to detect cases where HTTP is used instead of HTTPS.\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}, \"iterable_item_added\": {\"root['external_references'][1]\": {\"source_name\": \"Crowdstrike Downgrade\", \"description\": \"Bart Lenaerts-Bergman. (2023, March 14). WHAT ARE DOWNGRADE ATTACKS?. Retrieved May 24, 2023.\", \"url\": \"https://www.crowdstrike.com/cybersecurity-101/attack-types/downgrade-attacks/\"}, \"root['external_references'][2]\": {\"source_name\": \"Targeted SSL Stripping Attacks Are Real\", \"description\": \"Check Point. (n.d.). Targeted SSL Stripping Attacks Are Real. Retrieved May 24, 2023.\", \"url\": \"https://blog.checkpoint.com/research/targeted-ssl-stripping-attacks-are-real/amp/\"}, \"root['x_mitre_contributors'][2]\": \"Arad Inbar, Fidelis Security\"}}", + "previous_version": "1.1", + "version_change": "1.1 \u2192 1.2", + "description_change_table": "\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n

    		Old Description
    		New Description
    t1Adversaries may downgrade or use a version of system featuret1Adversaries may downgrade or use a version of system feature
    >s that may be outdated, vulnerable, and/or does not support >s that may be outdated, vulnerable, and/or does not support 
    >updated security controls such as logging. For example, [Pow>updated security controls. Downgrade attacks typically take 
    >erShell](https://attack.mitre.org/techniques/T1059/001) vers>advantage of a system\u2019s backward compatibility to force it i
    >ions 5+ includes Script Block Logging (SBL) which can record>nto less secure modes of operation.   Adversaries may downgr
    > executed script content. However, adversaries may attempt t>ade and use various less-secure versions of features of a sy
    >o execute a previous version of PowerShell that does not sup>stem, such as [Command and Scripting Interpreter](https://at
    >port SBL with the intent to [Impair Defenses](https://attack>tack.mitre.org/techniques/T1059)s or even network protocols 
    >.mitre.org/techniques/T1562) while running malicious scripts>that can be abused to enable [Adversary-in-the-Middle](https
    > that may have otherwise been detected.(Citation: CrowdStrik>://attack.mitre.org/techniques/T1557) or [Network Sniffing](
    >e BGH Ransomware 2021)(Citation: Mandiant BYOL 2018)(Citatio>https://attack.mitre.org/techniques/T1040).(Citation: Praeto
    >n: att_def_ps_logging)  Adversaries may downgrade and use le>rian TLS Downgrade Attack 2014) For example, [PowerShell](ht
    >ss-secure versions of various features of a system, such as >tps://attack.mitre.org/techniques/T1059/001) versions 5+ inc
    >[Command and Scripting Interpreter](https://attack.mitre.org>ludes Script Block Logging (SBL) which can record executed s
    >/techniques/T1059)s or even network protocols that can be ab>cript content. However, adversaries may attempt to execute a
    >used to enable [Adversary-in-the-Middle](https://attack.mitr> previous version of PowerShell that does not support SBL wi
    >e.org/techniques/T1557).(Citation: Praetorian TLS Downgrade >th the intent to [Impair Defenses](https://attack.mitre.org/
    >Attack 2014)>techniques/T1562) while running malicious scripts that may h
     >ave otherwise been detected.(Citation: CrowdStrike BGH Ranso
     >mware 2021)(Citation: Mandiant BYOL 2018)(Citation: att_def_
     >ps_logging)  Adversaries may similarly target network traffi
     >c to downgrade from an encrypted HTTPS connection to an unse
     >cured HTTP connection that exposes network data in clear tex
     >t.(Citation: Targeted SSL Stripping Attacks Are Real)(Citati
     >on: Crowdstrike Downgrade)
    ", + "changelog_mitigations": { + "shared": [ + "M1042: Disable or Remove Feature or Program" + ], + "new": [ + "M1054: Software Configuration" + ], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0009: Process (Process Metadata)", + "DS0017: Command (Command Execution)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--74d2a63f-3c7b-4852-92da-02d8fbab16da", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-03-19 19:09:30.329000+00:00", + "modified": "2023-09-18 22:23:55.329000+00:00", + "name": "Indicator Blocking", + "description": "An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting(Citation: Microsoft Lamin Sept 2017) or even disabling host-based sensors, such as Event Tracing for Windows (ETW)(Citation: Microsoft About Event Tracing 2018), by tampering settings that control the collection and flow of event telemetry.(Citation: Medium Event Tracing Tampering 2018) These settings may be stored on the system in configuration files and/or in the Registry as well as being accessible via administrative utilities such as [PowerShell](https://attack.mitre.org/techniques/T1059/001) or [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047).\n\nFor example, adversaries may modify the `File` value in HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\EventLog\\Security to hide their malicious actions in a new or different .evtx log file. This action does not require a system reboot and takes effect immediately.(Citation: disable_win_evt_logging) \n\nETW interruption can be achieved multiple ways, however most directly by defining conditions using the [PowerShell](https://attack.mitre.org/techniques/T1059/001) Set-EtwTraceProvider cmdlet or by interfacing directly with the Registry to make alterations.\n\nIn the case of network-based reporting of indicators, an adversary may block traffic associated with reporting to prevent central analysis. This may be accomplished by many means, such as stopping a local process responsible for forwarding telemetry and/or creating a host-based firewall rule to block traffic to specific hosts responsible for aggregating events, such as security information and event management (SIEM) products.\n\nIn Linux environments, adversaries may disable or reconfigure log processing tools such as syslog or nxlog to inhibit detection and monitoring capabilities to facilitate follow on behaviors (Citation: LemonDuck).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1562/006", + "external_id": "T1562.006" + }, + { + "source_name": "disable_win_evt_logging", + "description": "Heiligenstein, L. (n.d.). REP-25: Disable Windows Event Logging. Retrieved April 7, 2022.", + "url": "https://ptylu.github.io/content/report/report.html?report=25" + }, + { + "source_name": "LemonDuck", + "description": "Manoj Ahuje. (2022, April 21). LemonDuck Targets Docker for Cryptomining Operations. Retrieved June 30, 2022.", + "url": "https://www.crowdstrike.com/blog/lemonduck-botnet-targets-docker-for-cryptomining-operations/" + }, + { + "source_name": "Microsoft Lamin Sept 2017", + "description": "Microsoft. (2009, May 17). Backdoor:Win32/Lamin.A. Retrieved September 6, 2018.", + "url": "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Backdoor:Win32/Lamin.A" + }, + { + "source_name": "Microsoft About Event Tracing 2018", + "description": "Microsoft. (2018, May 30). About Event Tracing. Retrieved June 7, 2019.", + "url": "https://docs.microsoft.com/en-us/windows/desktop/etw/consuming-events" + }, + { + "source_name": "Medium Event Tracing Tampering 2018", + "description": "Palantir. (2018, December 24). Tampering with Windows Event Tracing: Background, Offense, and Defense. Retrieved June 7, 2019.", + "url": "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Rob Smith", + "Lucas Heiligenstein" + ], + "x_mitre_data_sources": [ + "Command: Command Execution", + "Sensor Health: Host Status", + "Windows Registry: Windows Registry Key Modification" + ], + "x_mitre_defense_bypassed": [ + "Anti-virus", + "Host intrusion prevention systems" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Detect lack of reported activity from a host sensor. Different methods of blocking may cause different disruptions in reporting. Systems may suddenly stop reporting all data or only certain kinds of data.\n\nDepending on the types of host information collected, an analyst may be able to detect the event that triggered a process to stop or connection to be blocked. For example, Sysmon will log when its configuration state has changed (Event ID 16) and Windows Management Instrumentation (WMI) may be used to subscribe ETW providers that log any provider removal from a specific trace session. (Citation: Medium Event Tracing Tampering 2018) To detect changes in ETW you can also monitor the registry key which contains configurations for all ETW event providers: HKLM\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\AUTOLOGGER_NAME\\{PROVIDER_GUID}", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "macOS", + "Linux" + ], + "x_mitre_version": "1.3", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-18 22:23:55.329000+00:00\", \"old_value\": \"2023-04-12 15:25:10.496000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.3\", \"old_value\": \"1.2\"}}}", + "previous_version": "1.2", + "version_change": "1.2 \u2192 1.3", + "changelog_mitigations": { + "shared": [ + "M1018: User Account Management", + "M1022: Restrict File and Directory Permissions", + "M1054: Software Configuration" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0013: Sensor Health (Host Status)", + "DS0017: Command (Command Execution)", + "DS0024: Windows Registry (Windows Registry Key Modification)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--3975dbb5-0e1e-4f5b-bae1-cf2ab84b46dc", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2022-06-15 18:00:04.219000+00:00", + "modified": "2023-09-08 18:05:28.311000+00:00", + "name": "Clear Network Connection History and Configurations", + "description": "Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operations. Configuration settings as well as various artifacts that highlight connection history may be created on a system and/or in application logs from behaviors that require network connections, such as [Remote Services](https://attack.mitre.org/techniques/T1021) or [External Remote Services](https://attack.mitre.org/techniques/T1133). Defenders may use these artifacts to monitor or otherwise analyze network connections created by adversaries.\n\nNetwork connection history may be stored in various locations. For example, RDP connection history may be stored in Windows Registry values under (Citation: Microsoft RDP Removal):\n\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\n\nWindows may also store information about recent RDP connections in files such as C:\\Users\\\\%username%\\Documents\\Default.rdp and `C:\\Users\\%username%\\AppData\\Local\\Microsoft\\Terminal\nServer Client\\Cache\\`.(Citation: Moran RDPieces) Similarly, macOS and Linux hosts may store information highlighting connection history in system logs (such as those stored in `/Library/Logs` and/or `/var/log/`).(Citation: Apple Culprit Access)(Citation: FreeDesktop Journal)(Citation: Apple Unified Log Analysis Remote Login and Screen Sharing)\n\nMalicious network connections may also require changes to third-party applications or network configuration settings, such as [Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1562/004) or tampering to enable [Proxy](https://attack.mitre.org/techniques/T1090). Adversaries may delete or modify this data to conceal indicators and/or impede defensive analysis.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1070/007", + "external_id": "T1070.007" + }, + { + "source_name": "FreeDesktop Journal", + "description": "freedesktop.org. (n.d.). systemd-journald.service. Retrieved June 15, 2022.", + "url": "https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html" + }, + { + "source_name": "Microsoft RDP Removal", + "description": "Microsoft. (2021, September 24). How to remove entries from the Remote Desktop Connection Computer box. Retrieved June 15, 2022.", + "url": "https://docs.microsoft.com/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer" + }, + { + "source_name": "Moran RDPieces", + "description": "Moran, B. (2020, November 18). Putting Together the RDPieces. Retrieved October 17, 2022.", + "url": "https://www.osdfcon.org/presentations/2020/Brian-Moran_Putting-Together-the-RDPieces.pdf" + }, + { + "source_name": "Apple Culprit Access", + "description": "rjben. (2012, May 30). How do you find the culprit when unauthorized access to a computer is a problem?. Retrieved August 3, 2022.", + "url": "https://discussions.apple.com/thread/3991574" + }, + { + "source_name": "Apple Unified Log Analysis Remote Login and Screen Sharing", + "description": "Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs: Quarantine Edition [Entry 6] \u2013 Working From Home? Remote Logins. Retrieved August 19, 2021.", + "url": "https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "CrowdStrike Falcon OverWatch" + ], + "x_mitre_data_sources": [ + "Process: Process Creation", + "Windows Registry: Windows Registry Key Modification", + "Command: Command Execution", + "Firewall: Firewall Rule Modification", + "File: File Modification" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows", + "Network" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-08 18:05:28.311000+00:00\", \"old_value\": \"2022-10-21 16:24:06.968000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operations. Configuration settings as well as various artifacts that highlight connection history may be created on a system and/or in application logs from behaviors that require network connections, such as [Remote Services](https://attack.mitre.org/techniques/T1021) or [External Remote Services](https://attack.mitre.org/techniques/T1133). Defenders may use these artifacts to monitor or otherwise analyze network connections created by adversaries.\\n\\nNetwork connection history may be stored in various locations. For example, RDP connection history may be stored in Windows Registry values under (Citation: Microsoft RDP Removal):\\n\\n* HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Terminal Server Client\\\\Default\\n* HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Terminal Server Client\\\\Servers\\n\\nWindows may also store information about recent RDP connections in files such as C:\\\\Users\\\\\\\\%username%\\\\Documents\\\\Default.rdp and `C:\\\\Users\\\\%username%\\\\AppData\\\\Local\\\\Microsoft\\\\Terminal\\nServer Client\\\\Cache\\\\`.(Citation: Moran RDPieces) Similarly, macOS and Linux hosts may store information highlighting connection history in system logs (such as those stored in `/Library/Logs` and/or `/var/log/`).(Citation: Apple Culprit Access)(Citation: FreeDesktop Journal)(Citation: Apple Unified Log Analysis Remote Login and Screen Sharing)\\n\\nMalicious network connections may also require changes to third-party applications or network configuration settings, such as [Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1562/004) or tampering to enable [Proxy](https://attack.mitre.org/techniques/T1090). Adversaries may delete or modify this data to conceal indicators and/or impede defensive analysis.\", \"old_value\": \"Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operations. Configuration settings as well as various artifacts that highlight connection history may be created on a system from behaviors that require network connections, such as [Remote Services](https://attack.mitre.org/techniques/T1021) or [External Remote Services](https://attack.mitre.org/techniques/T1133). Defenders may use these artifacts to monitor or otherwise analyze network connections created by adversaries.\\n\\nNetwork connection history may be stored in various locations on a system. For example, RDP connection history may be stored in Windows Registry values under (Citation: Microsoft RDP Removal):\\n\\n* HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Terminal Server Client\\\\Default\\n* HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Terminal Server Client\\\\Servers\\n\\nWindows may also store information about recent RDP connections in files such as C:\\\\Users\\\\\\\\%username%\\\\Documents\\\\Default.rdp and `C:\\\\Users\\\\%username%\\\\AppData\\\\Local\\\\Microsoft\\\\Terminal\\nServer Client\\\\Cache\\\\`.(Citation: Moran RDPieces) Similarly, macOS and Linux hosts may store information highlighting connection history in system logs (such as those stored in `/Library/Logs` and/or `/var/log/`).(Citation: Apple Culprit Access)(Citation: FreeDesktop Journal)(Citation: Apple Unified Log Analysis Remote Login and Screen Sharing)\\n\\nMalicious network connections may also require changes to network configuration settings, such as [Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1562/004) or tampering to enable [Proxy](https://attack.mitre.org/techniques/T1090). Adversaries may delete or modify this data to conceal indicators and/or impede defensive analysis.\", \"diff\": \"--- \\n+++ \\n@@ -1,6 +1,6 @@\\n-Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operations. Configuration settings as well as various artifacts that highlight connection history may be created on a system from behaviors that require network connections, such as [Remote Services](https://attack.mitre.org/techniques/T1021) or [External Remote Services](https://attack.mitre.org/techniques/T1133). Defenders may use these artifacts to monitor or otherwise analyze network connections created by adversaries.\\n+Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operations. Configuration settings as well as various artifacts that highlight connection history may be created on a system and/or in application logs from behaviors that require network connections, such as [Remote Services](https://attack.mitre.org/techniques/T1021) or [External Remote Services](https://attack.mitre.org/techniques/T1133). Defenders may use these artifacts to monitor or otherwise analyze network connections created by adversaries.\\n \\n-Network connection history may be stored in various locations on a system. For example, RDP connection history may be stored in Windows Registry values under (Citation: Microsoft RDP Removal):\\n+Network connection history may be stored in various locations. For example, RDP connection history may be stored in Windows Registry values under (Citation: Microsoft RDP Removal):\\n \\n * HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Terminal Server Client\\\\Default\\n * HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Terminal Server Client\\\\Servers\\n@@ -8,4 +8,4 @@\\n Windows may also store information about recent RDP connections in files such as C:\\\\Users\\\\\\\\%username%\\\\Documents\\\\Default.rdp and `C:\\\\Users\\\\%username%\\\\AppData\\\\Local\\\\Microsoft\\\\Terminal\\n Server Client\\\\Cache\\\\`.(Citation: Moran RDPieces) Similarly, macOS and Linux hosts may store information highlighting connection history in system logs (such as those stored in `/Library/Logs` and/or `/var/log/`).(Citation: Apple Culprit Access)(Citation: FreeDesktop Journal)(Citation: Apple Unified Log Analysis Remote Login and Screen Sharing)\\n \\n-Malicious network connections may also require changes to network configuration settings, such as [Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1562/004) or tampering to enable [Proxy](https://attack.mitre.org/techniques/T1090). Adversaries may delete or modify this data to conceal indicators and/or impede defensive analysis.\\n+Malicious network connections may also require changes to third-party applications or network configuration settings, such as [Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1562/004) or tampering to enable [Proxy](https://attack.mitre.org/techniques/T1090). Adversaries may delete or modify this data to conceal indicators and/or impede defensive analysis.\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}}", + "previous_version": "1.0", + "version_change": "1.0 \u2192 1.1", + "description_change_table": "\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n

    		Old Description
    		New Description
    t1Adversaries may clear or remove evidence of malicious networt1Adversaries may clear or remove evidence of malicious networ
    >k connections in order to clean up traces of their operation>k connections in order to clean up traces of their operation
    >s. Configuration settings as well as various artifacts that >s. Configuration settings as well as various artifacts that 
    >highlight connection history may be created on a system from>highlight connection history may be created on a system and/
    > behaviors that require network connections, such as [Remote>or in application logs from behaviors that require network c
    > Services](https://attack.mitre.org/techniques/T1021) or [Ex>onnections, such as [Remote Services](https://attack.mitre.o
    >ternal Remote Services](https://attack.mitre.org/techniques/>rg/techniques/T1021) or [External Remote Services](https://a
    >T1133). Defenders may use these artifacts to monitor or othe>ttack.mitre.org/techniques/T1133). Defenders may use these a
    >rwise analyze network connections created by adversaries.  N>rtifacts to monitor or otherwise analyze network connections
    >etwork connection history may be stored in various locations> created by adversaries.  Network connection history may be 
    > on a system. For example, RDP connection history may be sto>stored in various locations. For example, RDP connection his
    >red in Windows Registry values under (Citation: Microsoft RD>tory may be stored in Windows Registry values under (Citatio
    >P Removal):  * <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Te>n: Microsoft RDP Removal):  * <code>HKEY_CURRENT_USER\\Softwa
    >rminal Server Client\\Default</code> * <code>HKEY_CURRENT_USE>re\\Microsoft\\Terminal Server Client\\Default</code> * <code>H
    >R\\Software\\Microsoft\\Terminal Server Client\\Servers</code>  >KEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\S
    >Windows may also store information about recent RDP connecti>ervers</code>  Windows may also store information about rece
    >ons in files such as <code>C:\\Users\\\\%username%\\Documents\\De>nt RDP connections in files such as <code>C:\\Users\\\\%usernam
    >fault.rdp</code> and `C:\\Users\\%username%\\AppData\\Local\\Micr>e%\\Documents\\Default.rdp</code> and `C:\\Users\\%username%\\App
    >osoft\\Terminal Server Client\\Cache\\`.(Citation: Moran RDPiec>Data\\Local\\Microsoft\\Terminal Server Client\\Cache\\`.(Citatio
    >es) Similarly, macOS and Linux hosts may store information h>n: Moran RDPieces) Similarly, macOS and Linux hosts may stor
    >ighlighting connection history in system logs (such as those>e information highlighting connection history in system logs
    > stored in `/Library/Logs` and/or `/var/log/`).(Citation: Ap> (such as those stored in `/Library/Logs` and/or `/var/log/`
    >ple Culprit Access)(Citation: FreeDesktop Journal)(Citation:>).(Citation: Apple Culprit Access)(Citation: FreeDesktop Jou
    > Apple Unified Log Analysis Remote Login and Screen Sharing)>rnal)(Citation: Apple Unified Log Analysis Remote Login and 
    >  Malicious network connections may also require changes to >Screen Sharing)  Malicious network connections may also requ
    >network configuration settings, such as [Disable or Modify S>ire changes to third-party applications or network configura
    >ystem Firewall](https://attack.mitre.org/techniques/T1562/00>tion settings, such as [Disable or Modify System Firewall](h
    >4) or tampering to enable [Proxy](https://attack.mitre.org/t>ttps://attack.mitre.org/techniques/T1562/004) or tampering t
    >echniques/T1090). Adversaries may delete or modify this data>o enable [Proxy](https://attack.mitre.org/techniques/T1090).
    > to conceal indicators and/or impede defensive analysis.> Adversaries may delete or modify this data to conceal indic
     >ators and/or impede defensive analysis.
    ", + "changelog_mitigations": { + "shared": [ + "M1024: Restrict Registry Permissions", + "M1029: Remote Data Storage" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0017: Command (Command Execution)", + "DS0018: Firewall (Firewall Rule Modification)", + "DS0022: File (File Modification)", + "DS0024: Windows Registry (Windows Registry Key Modification)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--6495ae23-3ab4-43c5-a94f-5638a2c31fd2", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-01-28 17:05:14.707000+00:00", + "modified": "2023-08-11 21:43:04.568000+00:00", + "name": "Clear Windows Event Logs", + "description": "Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.\n\nThe event logs can be cleared with the following utility commands:\n\n* wevtutil cl system\n* wevtutil cl application\n* wevtutil cl security\n\nThese logs may also be cleared through other mechanisms, such as the event viewer GUI or [PowerShell](https://attack.mitre.org/techniques/T1059/001). For example, adversaries may use the PowerShell command Remove-EventLog -LogName Security to delete the Security EventLog and after reboot, disable future logging. Note: events may still be generated and logged in the .evtx file between the time the command is run and the reboot.(Citation: disable_win_evt_logging)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1070/001", + "external_id": "T1070.001" + }, + { + "source_name": "disable_win_evt_logging", + "description": "Heiligenstein, L. (n.d.). REP-25: Disable Windows Event Logging. Retrieved April 7, 2022.", + "url": "https://ptylu.github.io/content/report/report.html?report=25" + }, + { + "source_name": "Microsoft Clear-EventLog", + "description": "Microsoft. (n.d.). Clear-EventLog. Retrieved July 2, 2018.", + "url": "https://docs.microsoft.com/powershell/module/microsoft.powershell.management/clear-eventlog" + }, + { + "source_name": "Microsoft EventLog.Clear", + "description": "Microsoft. (n.d.). EventLog.Clear Method (). Retrieved July 2, 2018.", + "url": "https://msdn.microsoft.com/library/system.diagnostics.eventlog.clear.aspx" + }, + { + "source_name": "Microsoft wevtutil Oct 2017", + "description": "Plett, C. et al.. (2017, October 16). wevtutil. Retrieved July 2, 2018.", + "url": "https://docs.microsoft.com/windows-server/administration/windows-commands/wevtutil" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Lucas Heiligenstein" + ], + "x_mitre_data_sources": [ + "Command: Command Execution", + "File: File Deletion", + "Process: OS API Execution", + "Process: Process Creation" + ], + "x_mitre_defense_bypassed": [ + "Anti Virus", + "Host Intrusion Prevention Systems", + "Log Analysis" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Deleting Windows event logs (via native binaries (Citation: Microsoft wevtutil Oct 2017), API functions (Citation: Microsoft EventLog.Clear), or [PowerShell](https://attack.mitre.org/techniques/T1059/001) (Citation: Microsoft Clear-EventLog)) may also generate an alterable event (Event ID 1102: \"The audit log was cleared\").", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_system_requirements": [ + "Clearing the Windows event logs requires Administrator permissions" + ], + "x_mitre_version": "1.3", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-11 21:43:04.568000+00:00\", \"old_value\": \"2023-04-12 15:32:03.205000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.3\", \"old_value\": \"1.2\"}}, \"iterable_item_added\": {\"root['x_mitre_data_sources'][3]\": \"Process: Process Creation\"}}", + "previous_version": "1.2", + "version_change": "1.2 \u2192 1.3", + "changelog_mitigations": { + "shared": [ + "M1022: Restrict File and Directory Permissions", + "M1029: Remote Data Storage", + "M1041: Encrypt Sensitive Information" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (OS API Execution)", + "DS0017: Command (Command Execution)", + "DS0022: File (File Deletion)" + ], + "new": [ + "DS0009: Process (Process Creation)" + ], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:31:16.408000+00:00", + "modified": "2023-10-03 21:27:20.702000+00:00", + "name": "Ingress Tool Transfer", + "description": "Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as [ftp](https://attack.mitre.org/software/S0095). Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)). \n\nOn Windows, adversaries may use various utilities to download tools, such as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as IEX(New-Object Net.WebClient).downloadString() and Invoke-WebRequest. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas)\n\nAdversaries may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts.\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers the file onto the victim's machine.(Citation: Dropbox Malware Sync)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "command-and-control" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1105", + "external_id": "T1105" + }, + { + "source_name": "Dropbox Malware Sync", + "description": "David Talbot. (2013, August 21). Dropbox and Similar Services Can Sync Malware. Retrieved May 31, 2023.", + "url": "https://www.technologyreview.com/2013/08/21/83143/dropbox-and-similar-services-can-sync-malware/" + }, + { + "source_name": "University of Birmingham C2", + "description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.", + "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" + }, + { + "source_name": "t1105_lolbas", + "description": "LOLBAS. (n.d.). LOLBAS Mapped to T1105. Retrieved March 11, 2022.", + "url": "https://lolbas-project.github.io/#t1105" + }, + { + "source_name": "PTSecurity Cobalt Dec 2016", + "description": "Positive Technologies. (2016, December 16). Cobalt Snatch. Retrieved October 9, 2018.", + "url": "https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-Snatch-eng.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "John Page (aka hyp3rlinx), ApparitionSec", + "Mark Wee", + "Shailesh Tiwary (Indian Army)", + "The DFIR Report", + "Alain Homewood" + ], + "x_mitre_data_sources": [ + "File: File Creation", + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Traffic Flow", + "Command: Command Execution", + "Network Traffic: Network Connection Creation" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor for file creation and files transferred into the network. Unusual processes with external network connections creating files on-system may be suspicious. Use of utilities, such as [ftp](https://attack.mitre.org/software/S0095), that does not normally occur may also be suspicious.\n\nAnalyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Specifically, for the finger utility on Windows and Linux systems, monitor command line or terminal execution for the finger command. Monitor network activity for TCP port 79, which is used by the finger utility, and Windows netsh interface portproxy modifications to well-known ports such as 80 and 443. Furthermore, monitor file system for the download/creation and execution of suspicious files, which may indicate adversary-downloaded payloads. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "x_mitre_version": "2.3", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-03 21:27:20.702000+00:00\", \"old_value\": \"2023-04-14 19:27:57.370000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as [ftp](https://attack.mitre.org/software/S0095). Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)). \\n\\nOn Windows, adversaries may use various utilities to download tools, such as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as IEX(New-Object Net.WebClient).downloadString() and Invoke-WebRequest. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas)\\n\\nAdversaries may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts.\\n\\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers the file onto the victim's machine.(Citation: Dropbox Malware Sync)\", \"old_value\": \"Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as [ftp](https://attack.mitre.org/software/S0095). Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)). \\n\\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016)\\n\\nOn Windows, adversaries may use various utilities to download tools, such as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as IEX(New-Object Net.WebClient).downloadString() and Invoke-WebRequest. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas)\", \"diff\": \"--- \\n+++ \\n@@ -1,5 +1,7 @@\\n Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as [ftp](https://attack.mitre.org/software/S0095). Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)). \\n \\n-Files can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016)\\n+On Windows, adversaries may use various utilities to download tools, such as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as IEX(New-Object Net.WebClient).downloadString() and Invoke-WebRequest. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas)\\n \\n-On Windows, adversaries may use various utilities to download tools, such as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as IEX(New-Object Net.WebClient).downloadString() and Invoke-WebRequest. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas)\\n+Adversaries may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts.\\n+\\n+Files can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers the file onto the victim's machine.(Citation: Dropbox Malware Sync)\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.3\", \"old_value\": \"2.2\"}}, \"iterable_item_added\": {\"root['external_references'][1]\": {\"source_name\": \"Dropbox Malware Sync\", \"description\": \"David Talbot. (2013, August 21). Dropbox and Similar Services Can Sync Malware. Retrieved May 31, 2023.\", \"url\": \"https://www.technologyreview.com/2013/08/21/83143/dropbox-and-similar-services-can-sync-malware/\"}, \"root['x_mitre_contributors'][2]\": \"Shailesh Tiwary (Indian Army)\", \"root['x_mitre_contributors'][3]\": \"The DFIR Report\", \"root['x_mitre_contributors'][4]\": \"Alain Homewood\", \"root['x_mitre_data_sources'][3]\": \"Command: Command Execution\"}}", + "previous_version": "2.2", + "version_change": "2.2 \u2192 2.3", + "description_change_table": "\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n

    		Old Description
    		New Description
    t1Adversaries may transfer tools or other files from an externt1Adversaries may transfer tools or other files from an extern
    >al system into a compromised environment. Tools or files may>al system into a compromised environment. Tools or files may
    > be copied from an external adversary-controlled system to t> be copied from an external adversary-controlled system to t
    >he victim network through the command and control channel or>he victim network through the command and control channel or
    > through alternate protocols such as [ftp](https://attack.mi> through alternate protocols such as [ftp](https://attack.mi
    >tre.org/software/S0095). Once present, adversaries may also >tre.org/software/S0095). Once present, adversaries may also 
    >transfer/spread tools between victim devices within a compro>transfer/spread tools between victim devices within a compro
    >mised environment (i.e. [Lateral Tool Transfer](https://atta>mised environment (i.e. [Lateral Tool Transfer](https://atta
    >ck.mitre.org/techniques/T1570)).   Files can also be transfe>ck.mitre.org/techniques/T1570)).   On Windows, adversaries m
    >rred using various [Web Service](https://attack.mitre.org/te>ay use various utilities to download tools, such as `copy`, 
    >chniques/T1102)s as well as native or otherwise present tool>`finger`, [certutil](https://attack.mitre.org/software/S0160
    >s on the victim system.(Citation: PTSecurity Cobalt Dec 2016>), and [PowerShell](https://attack.mitre.org/techniques/T105
    >)  On Windows, adversaries may use various utilities to down>9/001) commands such as <code>IEX(New-Object Net.WebClient).
    >load tools, such as `copy`, `finger`, [certutil](https://att>downloadString()</code> and <code>Invoke-WebRequest</code>. 
    >ack.mitre.org/software/S0160), and [PowerShell](https://atta>On Linux and macOS systems, a variety of utilities also exis
    >ck.mitre.org/techniques/T1059/001) commands such as <code>IE>t, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`,
    >X(New-Object Net.WebClient).downloadString()</code> and <cod> and `wget`.(Citation: t1105_lolbas)  Adversaries may also a
    >e>Invoke-WebRequest</code>. On Linux and macOS systems, a va>buse installers and package managers, such as `yum` or `wing
    >riety of utilities also exist, such as `curl`, `scp`, `sftp`>et`, to download tools to victim hosts.  Files can also be t
    >, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lol>ransferred using various [Web Service](https://attack.mitre.
    >bas)>org/techniques/T1102)s as well as native or otherwise presen
     >t tools on the victim system.(Citation: PTSecurity Cobalt De
     >c 2016) In some cases, adversaries may be able to leverage s
     >ervices that sync between a web-based and an on-premises cli
     >ent, such as Dropbox or OneDrive, to transfer files onto vic
     >tim systems. For example, by compromising a cloud account an
     >d logging into the service's web portal, an adversary may be
     > able to trigger an automatic syncing process that transfers
     > the file onto the victim's machine.(Citation: Dropbox Malwa
     >re Sync)
    ", + "changelog_mitigations": { + "shared": [ + "M1031: Network Intrusion Prevention" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0022: File (File Creation)", + "DS0029: Network Traffic (Network Connection Creation)", + "DS0029: Network Traffic (Network Traffic Content)", + "DS0029: Network Traffic (Network Traffic Flow)" + ], + "new": [ + "DS0017: Command (Command Execution)" + ], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-04-02 13:54:43.136000+00:00", + "modified": "2023-10-03 17:30:59.482000+00:00", + "name": "Inhibit System Recovery", + "description": "Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) This may deny access to available backups and recovery options.\n\nOperating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486).(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) Furthermore, adversaries may disable recovery notifications, then corrupt backups.(Citation: disable_notif_synology_ransom)\n\nA number of native Windows utilities have been used by adversaries to disable or delete system recovery features:\n\n* vssadmin.exe can be used to delete all volume shadow copies on a system - vssadmin.exe delete shadows /all /quiet\n* [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) can be used to delete volume shadow copies - wmic shadowcopy delete\n* wbadmin.exe can be used to delete the Windows Backup Catalog - wbadmin.exe delete catalog -quiet\n* bcdedit.exe can be used to disable automatic Windows recovery features by modifying boot configuration data - bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no\n* REAgentC.exe can be used to disable Windows Recovery Environment (WinRE) repair/recovery options of an infected system\n\nOn network devices, adversaries may leverage [Disk Wipe](https://attack.mitre.org/techniques/T1561) to delete backup firmware images and reformat the file system, then [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations.\n\nAdversaries may also delete \u201conline\u201d backups that are connected to their network \u2013 whether via network storage media or through folders that sync to cloud services.(Citation: ZDNet Ransomware Backups 2020) In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.(Citation: Dark Reading Code Spaces Cyber Attack)(Citation: Rhino Security Labs AWS S3 Ransomware)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "impact" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1490", + "external_id": "T1490" + }, + { + "source_name": "Dark Reading Code Spaces Cyber Attack", + "description": " Brian Prince. (2014, June 20). Code Hosting Service Shuts Down After Cyber Attack. Retrieved March 21, 2023.", + "url": "https://www.darkreading.com/attacks-breaches/code-hosting-service-shuts-down-after-cyber-attack" + }, + { + "source_name": "FireEye WannaCry 2017", + "description": "Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019.", + "url": "https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html" + }, + { + "source_name": "Talos Olympic Destroyer 2018", + "description": "Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019.", + "url": "https://blog.talosintelligence.com/2018/02/olympic-destroyer.html" + }, + { + "source_name": "Rhino Security Labs AWS S3 Ransomware", + "description": "Spencer Gietzen. (n.d.). AWS Simple Storage Service S3 Ransomware Part 2: Prevention and Defense. Retrieved March 21, 2023.", + "url": "https://rhinosecuritylabs.com/aws/s3-ransomware-part-2-prevention-and-defense/" + }, + { + "source_name": "ZDNet Ransomware Backups 2020", + "description": "Steve Ranger. (2020, February 27). Ransomware victims thought their backups were safe. They were wrong. Retrieved March 21, 2023.", + "url": "https://www.zdnet.com/article/ransomware-victims-thought-their-backups-were-safe-they-were-wrong/" + }, + { + "source_name": "disable_notif_synology_ransom", + "description": "TheDFIRReport. (2022, March 1). Disabling notifications on Synology servers before ransom. Retrieved October 19, 2022.", + "url": "https://twitter.com/TheDFIRReport/status/1498657590259109894" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Yonatan Gotlib, Deep Instinct", + "Austin Clark, @c2defense", + "Pallavi Sivakumaran, WithSecure", + "Joey Lei" + ], + "x_mitre_data_sources": [ + "Process: Process Creation", + "Windows Registry: Windows Registry Key Modification", + "Cloud Storage: Cloud Storage Deletion", + "Command: Command Execution", + "Service: Service Metadata", + "Snapshot: Snapshot Deletion", + "File: File Deletion" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Use process monitoring to monitor the execution and command line parameters of binaries involved in inhibiting system recovery, such as vssadmin, wbadmin, bcdedit and REAgentC. The Windows event logs, ex. Event ID 524 indicating a system catalog was deleted, may contain entries associated with suspicious activity.\n\nMonitor the status of services involved in system recovery. Monitor the registry for changes associated with system recovery features (ex: the creation of HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\PreviousVersions\\DisableLocalPage).\n\nFor network infrastructure devices, collect AAA logging to monitor for `erase`, `format`, and `reload` commands being run in succession.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_impact_type": [ + "Availability" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "macOS", + "Linux", + "Network", + "IaaS", + "Containers" + ], + "x_mitre_version": "1.3", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-03 17:30:59.482000+00:00\", \"old_value\": \"2023-05-04 18:05:57.725000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.3\", \"old_value\": \"1.2\"}}, \"iterable_item_added\": {\"root['x_mitre_contributors'][3]\": \"Joey Lei\", \"root['x_mitre_platforms'][5]\": \"Containers\"}}", + "previous_version": "1.2", + "version_change": "1.2 \u2192 1.3", + "changelog_mitigations": { + "shared": [ + "M1018: User Account Management", + "M1028: Operating System Configuration", + "M1053: Data Backup" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0010: Cloud Storage (Cloud Storage Deletion)", + "DS0017: Command (Command Execution)", + "DS0019: Service (Service Metadata)", + "DS0020: Snapshot (Snapshot Deletion)", + "DS0022: File (File Deletion)", + "DS0024: Windows Registry (Windows Registry Key Modification)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-02-11 18:58:11.791000+00:00", + "modified": "2023-10-01 14:01:12.167000+00:00", + "name": "Keylogging", + "description": "Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured. In order to increase the likelihood of capturing credentials quickly, an adversary may also perform actions such as clearing browser cookies to force users to reauthenticate to systems.(Citation: Talos Kimsuky Nov 2021)\n\nKeylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.(Citation: Adventures of a Keystroke) Some methods include:\n\n* Hooking API callbacks used for processing keystrokes. Unlike [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004), this focuses solely on API functions intended for processing keystroke data.\n* Reading raw keystroke data from the hardware buffer.\n* Windows Registry modifications.\n* Custom drivers.\n* [Modify System Image](https://attack.mitre.org/techniques/T1601) may provide adversaries with hooks into the operating system of network devices to read raw keystrokes for login sessions.(Citation: Cisco Blog Legacy Device Attacks) ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "collection" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "credential-access" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1056/001", + "external_id": "T1056.001" + }, + { + "source_name": "Talos Kimsuky Nov 2021", + "description": "An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.", + "url": "https://blog.talosintelligence.com/2021/11/kimsuky-abuses-blogs-delivers-malware.html" + }, + { + "source_name": "Cisco Blog Legacy Device Attacks", + "description": "Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.", + "url": "https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954" + }, + { + "source_name": "Adventures of a Keystroke", + "description": "Tinaztepe, E. (n.d.). The Adventures of a Keystroke: An in-depth look into keyloggers on Windows. Retrieved April 27, 2016.", + "url": "http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "TruKno" + ], + "x_mitre_data_sources": [ + "Driver: Driver Load", + "Process: OS API Execution", + "Windows Registry: Windows Registry Key Modification" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Keyloggers may take many forms, possibly involving modification to the Registry and installation of a driver, setting a hook, or polling to intercept keystrokes. Commonly used API calls include `SetWindowsHook`, `GetKeyState`, and `GetAsyncKeyState`.(Citation: Adventures of a Keystroke) Monitor the Registry and file system for such changes, monitor driver installs, and look for common keylogging API calls. API calls alone are not an indicator of keylogging, but may provide behavioral data that is useful when combined with other information such as new files written to disk and unusual processes.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "macOS", + "Linux", + "Network" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_contributors']\": [\"TruKno\"], \"root['x_mitre_deprecated']\": false}, \"dictionary_item_removed\": {\"root['x_mitre_permissions_required']\": [\"Administrator\", \"root\", \"SYSTEM\", \"User\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-01 14:01:12.167000+00:00\", \"old_value\": \"2023-03-30 21:01:37.930000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured. In order to increase the likelihood of capturing credentials quickly, an adversary may also perform actions such as clearing browser cookies to force users to reauthenticate to systems.(Citation: Talos Kimsuky Nov 2021)\\n\\nKeylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.(Citation: Adventures of a Keystroke) Some methods include:\\n\\n* Hooking API callbacks used for processing keystrokes. Unlike [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004), this focuses solely on API functions intended for processing keystroke data.\\n* Reading raw keystroke data from the hardware buffer.\\n* Windows Registry modifications.\\n* Custom drivers.\\n* [Modify System Image](https://attack.mitre.org/techniques/T1601) may provide adversaries with hooks into the operating system of network devices to read raw keystrokes for login sessions.(Citation: Cisco Blog Legacy Device Attacks) \", \"old_value\": \"Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured.\\n\\nKeylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.(Citation: Adventures of a Keystroke) Some methods include:\\n\\n* Hooking API callbacks used for processing keystrokes. Unlike [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004), this focuses solely on API functions intended for processing keystroke data.\\n* Reading raw keystroke data from the hardware buffer.\\n* Windows Registry modifications.\\n* Custom drivers.\\n* [Modify System Image](https://attack.mitre.org/techniques/T1601) may provide adversaries with hooks into the operating system of network devices to read raw keystrokes for login sessions.(Citation: Cisco Blog Legacy Device Attacks) \", \"diff\": \"--- \\n+++ \\n@@ -1,4 +1,4 @@\\n-Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured.\\n+Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured. In order to increase the likelihood of capturing credentials quickly, an adversary may also perform actions such as clearing browser cookies to force users to reauthenticate to systems.(Citation: Talos Kimsuky Nov 2021)\\n \\n Keylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.(Citation: Adventures of a Keystroke) Some methods include:\\n \"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}, \"iterable_item_added\": {\"root['external_references'][1]\": {\"source_name\": \"Talos Kimsuky Nov 2021\", \"description\": \"An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.\", \"url\": \"https://blog.talosintelligence.com/2021/11/kimsuky-abuses-blogs-delivers-malware.html\"}}}", + "previous_version": "1.1", + "version_change": "1.1 \u2192 1.2", + "description_change_table": "\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n

    		Old Description
    		New Description
    t1Adversaries may log user keystrokes to intercept credentialst1Adversaries may log user keystrokes to intercept credentials
    > as the user types them. Keylogging is likely to be used to > as the user types them. Keylogging is likely to be used to 
    >acquire credentials for new access opportunities when [OS Cr>acquire credentials for new access opportunities when [OS Cr
    >edential Dumping](https://attack.mitre.org/techniques/T1003)>edential Dumping](https://attack.mitre.org/techniques/T1003)
    > efforts are not effective, and may require an adversary to > efforts are not effective, and may require an adversary to 
    >intercept keystrokes on a system for a substantial period of>intercept keystrokes on a system for a substantial period of
    > time before credentials can be successfully captured.  Keyl> time before credentials can be successfully captured. In or
    >ogging is the most prevalent type of input capture, with man>der to increase the likelihood of capturing credentials quic
    >y different ways of intercepting keystrokes.(Citation: Adven>kly, an adversary may also perform actions such as clearing 
    >tures of a Keystroke) Some methods include:  * Hooking API c>browser cookies to force users to reauthenticate to systems.
    >allbacks used for processing keystrokes. Unlike [Credential >(Citation: Talos Kimsuky Nov 2021)  Keylogging is the most p
    >API Hooking](https://attack.mitre.org/techniques/T1056/004),>revalent type of input capture, with many different ways of 
    > this focuses solely on API functions intended for processin>intercepting keystrokes.(Citation: Adventures of a Keystroke
    >g keystroke data. * Reading raw keystroke data from the hard>) Some methods include:  * Hooking API callbacks used for pr
    >ware buffer. * Windows Registry modifications. * Custom driv>ocessing keystrokes. Unlike [Credential API Hooking](https:/
    >ers. * [Modify System Image](https://attack.mitre.org/techni>/attack.mitre.org/techniques/T1056/004), this focuses solely
    >ques/T1601) may provide adversaries with hooks into the oper> on API functions intended for processing keystroke data. * 
    >ating system of network devices to read raw keystrokes for l>Reading raw keystroke data from the hardware buffer. * Windo
    >ogin sessions.(Citation: Cisco Blog Legacy Device Attacks) >ws Registry modifications. * Custom drivers. * [Modify Syste
     >m Image](https://attack.mitre.org/techniques/T1601) may prov
     >ide adversaries with hooks into the operating system of netw
     >ork devices to read raw keystrokes for login sessions.(Citat
     >ion: Cisco Blog Legacy Device Attacks) 
    ", + "changelog_mitigations": { + "shared": [], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (OS API Execution)", + "DS0024: Windows Registry (Windows Registry Key Modification)", + "DS0027: Driver (Driver Load)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--232a7e42-cd6e-4902-8fe9-2960f529dd4d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-02-12 14:10:50.699000+00:00", + "modified": "2023-09-15 18:57:21.881000+00:00", + "name": "Dynamic Data Exchange", + "description": "Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution.\n\nObject Linking and Embedding (OLE), or the ability to link data between documents, was originally implemented through DDE. Despite being superseded by [Component Object Model](https://attack.mitre.org/techniques/T1559/001), DDE may be enabled in Windows 10 and most of Microsoft Office 2016 via Registry keys.(Citation: BleepingComputer DDE Disabled in Word Dec 2017)(Citation: Microsoft ADV170021 Dec 2017)(Citation: Microsoft DDE Advisory Nov 2017)\n\nMicrosoft Office documents can be poisoned with DDE commands, directly or through embedded files, and used to deliver execution via [Phishing](https://attack.mitre.org/techniques/T1566) campaigns or hosted Web content, avoiding the use of Visual Basic for Applications (VBA) macros.(Citation: SensePost PS DDE May 2016)(Citation: Kettle CSV DDE Aug 2014)(Citation: Enigma Reviving DDE Jan 2018)(Citation: SensePost MacroLess DDE Oct 2017) Similarly, adversaries may infect payloads to execute applications and/or commands on a victim device by way of embedding DDE formulas within a CSV file intended to be opened through a Windows spreadsheet program.(Citation: OWASP CSV Injection)(Citation: CSV Excel Macro Injection )\n\nDDE could also be leveraged by an adversary operating on a compromised machine who does not have direct access to a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). DDE execution can be invoked remotely via [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM).(Citation: Fireeye Hunting COM June 2019)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "execution" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1559/002", + "external_id": "T1559.002" + }, + { + "source_name": "OWASP CSV Injection", + "description": " Albinowax Timo Goosen. (n.d.). CSV Injection. Retrieved February 7, 2022.", + "url": "https://owasp.org/www-community/attacks/CSV_Injection" + }, + { + "source_name": "CSV Excel Macro Injection ", + "description": " Ishaq Mohammed . (2021, January 10). Everything about CSV Injection and CSV Excel Macro Injection. Retrieved February 7, 2022.", + "url": "https://blog.securelayer7.net/how-to-perform-csv-excel-macro-injection/" + }, + { + "source_name": "BleepingComputer DDE Disabled in Word Dec 2017", + "description": "Cimpanu, C. (2017, December 15). Microsoft Disables DDE Feature in Word to Prevent Further Malware Attacks. Retrieved December 19, 2017.", + "url": "https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-dde-feature-in-word-to-prevent-further-malware-attacks/" + }, + { + "source_name": "SensePost PS DDE May 2016", + "description": "El-Sherei, S. (2016, May 20). PowerShell, C-Sharp and DDE The Power Within. Retrieved November 22, 2017.", + "url": "https://sensepost.com/blog/2016/powershell-c-sharp-and-dde-the-power-within/" + }, + { + "source_name": "Fireeye Hunting COM June 2019", + "description": "Hamilton, C. (2019, June 4). Hunting COM Objects. Retrieved June 10, 2019.", + "url": "https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html" + }, + { + "source_name": "Kettle CSV DDE Aug 2014", + "description": "Kettle, J. (2014, August 29). Comma Separated Vulnerabilities. Retrieved November 22, 2017.", + "url": "https://www.contextis.com/blog/comma-separated-vulnerabilities" + }, + { + "source_name": "Microsoft ADV170021 Dec 2017", + "description": "Microsoft. (2017, December 12). ADV170021 - Microsoft Office Defense in Depth Update. Retrieved February 3, 2018.", + "url": "https://portal.msrc.microsoft.com/security-guidance/advisory/ADV170021" + }, + { + "source_name": "Microsoft DDE Advisory Nov 2017", + "description": "Microsoft. (2017, November 8). Microsoft Security Advisory 4053440 - Securely opening Microsoft Office documents that contain Dynamic Data Exchange (DDE) fields. Retrieved November 21, 2017.", + "url": "https://technet.microsoft.com/library/security/4053440" + }, + { + "source_name": "Enigma Reviving DDE Jan 2018", + "description": "Nelson, M. (2018, January 29). Reviving DDE: Using OneNote and Excel for Code Execution. Retrieved February 3, 2018.", + "url": "https://posts.specterops.io/reviving-dde-using-onenote-and-excel-for-code-execution-d7226864caee" + }, + { + "source_name": "NVisio Labs DDE Detection Oct 2017", + "description": "NVISO Labs. (2017, October 11). Detecting DDE in MS Office documents. Retrieved November 21, 2017.", + "url": "https://blog.nviso.be/2017/10/11/detecting-dde-in-ms-office-documents/" + }, + { + "source_name": "SensePost MacroLess DDE Oct 2017", + "description": "Stalmans, E., El-Sherei, S. (2017, October 9). Macro-less Code Exec in MSWord. Retrieved November 21, 2017.", + "url": "https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_data_sources": [ + "Process: Process Creation", + "Module: Module Load", + "Script: Script Execution" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor processes for abnormal behavior indicative of DDE abuse, such as Microsoft Office applications loading DLLs and other modules not typically associated with the application or these applications spawning unusual processes (such as cmd.exe).\n\nOLE, Office Open XML, CSV, and other files can be scanned for \u2018DDEAUTO', \u2018DDE\u2019, and other strings indicative of DDE execution.(Citation: NVisio Labs DDE Detection Oct 2017)(Citation: OWASP CSV Injection)(Citation: CSV Excel Macro Injection )", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_remote_support": true, + "x_mitre_version": "1.3", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_attack_spec_version']\": \"3.1.0\", \"root['x_mitre_deprecated']\": false}, \"dictionary_item_removed\": {\"root['x_mitre_permissions_required']\": [\"User\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-15 18:57:21.881000+00:00\", \"old_value\": \"2022-02-22 13:22:30.191000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.3\", \"old_value\": \"1.2\"}}}", + "previous_version": "1.2", + "version_change": "1.2 \u2192 1.3", + "changelog_mitigations": { + "shared": [ + "M1040: Behavior Prevention on Endpoint", + "M1042: Disable or Remove Feature or Program", + "M1048: Application Isolation and Sandboxing", + "M1054: Software Configuration" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0011: Module (Module Load)", + "DS0012: Script (Script Execution)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--bf90d72c-c00b-45e3-b3aa-68560560d4c5", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-03-11 21:01:00.959000+00:00", + "modified": "2023-10-01 13:48:28.738000+00:00", + "name": "Lateral Tool Transfer", + "description": "Adversaries may transfer tools or other files between systems in a compromised environment. Once brought into the victim environment (i.e., [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) files may then be copied from one system to another to stage adversary tools or other files over the course of an operation.\n\nAdversaries may copy files between internal victim systems to support lateral movement using inherent file sharing protocols such as file sharing over [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) to connected network shares or with authenticated connections via [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001).(Citation: Unit42 LockerGoga 2019)\n\nFiles can also be transferred using native or otherwise present tools on the victim system, such as scp, rsync, curl, sftp, and [ftp](https://attack.mitre.org/software/S0095). In some cases, adversaries may be able to leverage [Web Service](https://attack.mitre.org/techniques/T1102)s such as Dropbox or OneDrive to copy files from one machine to another via shared, automatically synced folders.(Citation: Dropbox Malware Sync)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "lateral-movement" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1570", + "external_id": "T1570" + }, + { + "source_name": "Dropbox Malware Sync", + "description": "David Talbot. (2013, August 21). Dropbox and Similar Services Can Sync Malware. Retrieved May 31, 2023.", + "url": "https://www.technologyreview.com/2013/08/21/83143/dropbox-and-similar-services-can-sync-malware/" + }, + { + "source_name": "Unit42 LockerGoga 2019", + "description": "Harbison, M. (2019, March 26). Born This Way? Origins of LockerGoga. Retrieved April 16, 2019.", + "url": "https://unit42.paloaltonetworks.com/born-this-way-origins-of-lockergoga/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Shailesh Tiwary (Indian Army)" + ], + "x_mitre_data_sources": [ + "Named Pipe: Named Pipe Metadata", + "Network Share: Network Share Access", + "Network Traffic: Network Traffic Flow", + "Command: Command Execution", + "Process: Process Creation", + "File: File Creation", + "Network Traffic: Network Traffic Content", + "File: File Metadata" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor for file creation and files transferred within a network using protocols such as SMB or FTP. Unusual processes with internal network connections creating files on-system may be suspicious. Consider monitoring for abnormal usage of utilities and command-line arguments that may be used in support of remote transfer of files. Considering monitoring for alike file hashes or characteristics (ex: filename) that are created on multiple hosts.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "x_mitre_version": "1.3", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_contributors']\": [\"Shailesh Tiwary (Indian Army)\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-01 13:48:28.738000+00:00\", \"old_value\": \"2022-04-19 15:34:49.016000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may transfer tools or other files between systems in a compromised environment. Once brought into the victim environment (i.e., [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) files may then be copied from one system to another to stage adversary tools or other files over the course of an operation.\\n\\nAdversaries may copy files between internal victim systems to support lateral movement using inherent file sharing protocols such as file sharing over [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) to connected network shares or with authenticated connections via [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001).(Citation: Unit42 LockerGoga 2019)\\n\\nFiles can also be transferred using native or otherwise present tools on the victim system, such as scp, rsync, curl, sftp, and [ftp](https://attack.mitre.org/software/S0095). In some cases, adversaries may be able to leverage [Web Service](https://attack.mitre.org/techniques/T1102)s such as Dropbox or OneDrive to copy files from one machine to another via shared, automatically synced folders.(Citation: Dropbox Malware Sync)\", \"old_value\": \"Adversaries may transfer tools or other files between systems in a compromised environment. Once brought into the victim environment (i.e. [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) files may then be copied from one system to another to stage adversary tools or other files over the course of an operation. Adversaries may copy files between internal victim systems to support lateral movement using inherent file sharing protocols such as file sharing over [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) to connected network shares or with authenticated connections via [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001).(Citation: Unit42 LockerGoga 2019)\\n\\nFiles can also be transferred using native or otherwise present tools on the victim system, such as scp, rsync, curl, sftp, and [ftp](https://attack.mitre.org/software/S0095).\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,5 @@\\n-Adversaries may transfer tools or other files between systems in a compromised environment. Once brought into the victim environment (i.e. [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) files may then be copied from one system to another to stage adversary tools or other files over the course of an operation. Adversaries may copy files between internal victim systems to support lateral movement using inherent file sharing protocols such as file sharing over [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) to connected network shares or with authenticated connections via [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001).(Citation: Unit42 LockerGoga 2019)\\n+Adversaries may transfer tools or other files between systems in a compromised environment. Once brought into the victim environment (i.e., [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) files may then be copied from one system to another to stage adversary tools or other files over the course of an operation.\\n \\n-Files can also be transferred using native or otherwise present tools on the victim system, such as scp, rsync, curl, sftp, and [ftp](https://attack.mitre.org/software/S0095).\\n+Adversaries may copy files between internal victim systems to support lateral movement using inherent file sharing protocols such as file sharing over [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) to connected network shares or with authenticated connections via [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001).(Citation: Unit42 LockerGoga 2019)\\n+\\n+Files can also be transferred using native or otherwise present tools on the victim system, such as scp, rsync, curl, sftp, and [ftp](https://attack.mitre.org/software/S0095). In some cases, adversaries may be able to leverage [Web Service](https://attack.mitre.org/techniques/T1102)s such as Dropbox or OneDrive to copy files from one machine to another via shared, automatically synced folders.(Citation: Dropbox Malware Sync)\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.3\", \"old_value\": \"1.2\"}}, \"iterable_item_added\": {\"root['external_references'][1]\": {\"source_name\": \"Dropbox Malware Sync\", \"description\": \"David Talbot. (2013, August 21). Dropbox and Similar Services Can Sync Malware. Retrieved May 31, 2023.\", \"url\": \"https://www.technologyreview.com/2013/08/21/83143/dropbox-and-similar-services-can-sync-malware/\"}}}", + "previous_version": "1.2", + "version_change": "1.2 \u2192 1.3", + "description_change_table": "\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n

    		Old Description
    		New Description
    t1Adversaries may transfer tools or other files between systemt1Adversaries may transfer tools or other files between system
    >s in a compromised environment. Once brought into the victim>s in a compromised environment. Once brought into the victim
    > environment (i.e. [Ingress Tool Transfer](https://attack.mi> environment (i.e., [Ingress Tool Transfer](https://attack.m
    >tre.org/techniques/T1105)) files may then be copied from one>itre.org/techniques/T1105)) files may then be copied from on
    > system to another to stage adversary tools or other files o>e system to another to stage adversary tools or other files 
    >ver the course of an operation. Adversaries may copy files b>over the course of an operation.  Adversaries may copy files
    >etween internal victim systems to support lateral movement u> between internal victim systems to support lateral movement
    >sing inherent file sharing protocols such as file sharing ov> using inherent file sharing protocols such as file sharing 
    >er [SMB/Windows Admin Shares](https://attack.mitre.org/techn>over [SMB/Windows Admin Shares](https://attack.mitre.org/tec
    >iques/T1021/002) to connected network shares or with authent>hniques/T1021/002) to connected network shares or with authe
    >icated connections via [Remote Desktop Protocol](https://att>nticated connections via [Remote Desktop Protocol](https://a
    >ack.mitre.org/techniques/T1021/001).(Citation: Unit42 Locker>ttack.mitre.org/techniques/T1021/001).(Citation: Unit42 Lock
    >Goga 2019)  Files can also be transferred using native or ot>erGoga 2019)  Files can also be transferred using native or 
    >herwise present tools on the victim system, such as scp, rsy>otherwise present tools on the victim system, such as scp, r
    >nc, curl, sftp, and [ftp](https://attack.mitre.org/software/>sync, curl, sftp, and [ftp](https://attack.mitre.org/softwar
    >S0095).>e/S0095). In some cases, adversaries may be able to leverage
     > [Web Service](https://attack.mitre.org/techniques/T1102)s s
     >uch as Dropbox or OneDrive to copy files from one machine to
     > another via shared, automatically synced folders.(Citation:
     > Dropbox Malware Sync)
    ", + "changelog_mitigations": { + "shared": [ + "M1031: Network Intrusion Prevention", + "M1037: Filter Network Traffic" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0017: Command (Command Execution)", + "DS0022: File (File Creation)", + "DS0022: File (File Metadata)", + "DS0023: Named Pipe (Named Pipe Metadata)", + "DS0029: Network Traffic (Network Traffic Content)", + "DS0029: Network Traffic (Network Traffic Flow)", + "DS0033: Network Share (Network Share Access)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--42e8de7b-37b2-4258-905a-6897815e58e0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:30:38.511000+00:00", + "modified": "2023-10-15 09:52:11.875000+00:00", + "name": "Masquerading", + "description": "Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.\n\nRenaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1036).(Citation: LOLBAS Main Site) Masquerading may also include the use of [Proxy](https://attack.mitre.org/techniques/T1090) or VPNs to disguise IP addresses, which can allow adversaries to blend in with normal network traffic and bypass conditional access policies or anti-abuse protections.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1036", + "external_id": "T1036" + }, + { + "source_name": "Twitter ItsReallyNick Masquerading Update", + "description": "Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading. Retrieved April 22, 2019.", + "url": "https://twitter.com/ItsReallyNick/status/1055321652777619457" + }, + { + "source_name": "Elastic Masquerade Ball", + "description": "Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball. Retrieved October 31, 2016.", + "url": "https://www.elastic.co/blog/how-hunt-masquerade-ball" + }, + { + "source_name": "LOLBAS Main Site", + "description": "LOLBAS. (n.d.). Living Off The Land Binaries and Scripts (and also Libraries). Retrieved February 10, 2020.", + "url": "https://lolbas-project.github.io/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Oleg Kolesnikov, Securonix", + "Nick Carr, Mandiant", + "David Lu, Tripwire", + "Felipe Esp\u00f3sito, @Pr0teus", + "Elastic", + "Bartosz Jerzman", + "Goldstein Menachem" + ], + "x_mitre_data_sources": [ + "File: File Modification", + "Process: Process Metadata", + "Service: Service Creation", + "Service: Service Metadata", + "Process: Process Creation", + "Image: Image Metadata", + "Scheduled Job: Scheduled Job Metadata", + "File: File Metadata", + "Scheduled Job: Scheduled Job Modification", + "Command: Command Execution", + "Process: OS API Execution" + ], + "x_mitre_defense_bypassed": [ + "Application Control" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Likewise, files that are modified outside of an update or patch are suspect.\n\nIf file names are mismatched between the file name on disk and that of the binary's PE metadata, this is a likely indicator that a binary was renamed after it was compiled. Collecting and comparing disk and resource filenames for binaries by looking to see if the InternalName, OriginalFilename, and/or ProductName match what is expected could provide useful leads, but may not always be indicative of malicious activity. (Citation: Elastic Masquerade Ball) Do not focus on the possible names a file could have, but instead on the command-line arguments that are known to be used and are distinct because it will have a better rate of detection.(Citation: Twitter ItsReallyNick Masquerading Update)\n\nLook for indications of common characters that may indicate an attempt to trick users into misidentifying the file type, such as a space as the last character of a file name or the right-to-left override characters\"\\u202E\", \"[U+202E]\", and \"%E2%80%AE\u201d.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows", + "Containers" + ], + "x_mitre_version": "1.6", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-15 09:52:11.875000+00:00\", \"old_value\": \"2023-04-07 17:04:34.648000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.\\n\\nRenaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1036).(Citation: LOLBAS Main Site) Masquerading may also include the use of [Proxy](https://attack.mitre.org/techniques/T1090) or VPNs to disguise IP addresses, which can allow adversaries to blend in with normal network traffic and bypass conditional access policies or anti-abuse protections.\", \"old_value\": \"Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.\\n\\nRenaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1036).(Citation: LOLBAS Main Site)\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,3 @@\\n Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.\\n \\n-Renaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1036).(Citation: LOLBAS Main Site)\\n+Renaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1036).(Citation: LOLBAS Main Site) Masquerading may also include the use of [Proxy](https://attack.mitre.org/techniques/T1090) or VPNs to disguise IP addresses, which can allow adversaries to blend in with normal network traffic and bypass conditional access policies or anti-abuse protections.\"}, \"root['external_references'][2]['url']\": {\"new_value\": \"https://www.elastic.co/blog/how-hunt-masquerade-ball\", \"old_value\": \"http://pages.endgame.com/rs/627-YBU-612/images/EndgameJournal_The%20Masquerade%20Ball_Pages_R2.pdf\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.6\", \"old_value\": \"1.5\"}}, \"iterable_item_added\": {\"root['x_mitre_contributors'][6]\": \"Goldstein Menachem\", \"root['x_mitre_data_sources'][4]\": \"Process: Process Creation\", \"root['x_mitre_data_sources'][10]\": \"Process: OS API Execution\"}}", + "previous_version": "1.5", + "version_change": "1.5 \u2192 1.6", + "description_change_table": "\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n

    		Old Description
    		New Description
    t1Adversaries may attempt to manipulate features of their artit1Adversaries may attempt to manipulate features of their arti
    >facts to make them appear legitimate or benign to users and/>facts to make them appear legitimate or benign to users and/
    >or security tools. Masquerading occurs when the name or loca>or security tools. Masquerading occurs when the name or loca
    >tion of an object, legitimate or malicious, is manipulated o>tion of an object, legitimate or malicious, is manipulated o
    >r abused for the sake of evading defenses and observation. T>r abused for the sake of evading defenses and observation. T
    >his may include manipulating file metadata, tricking users i>his may include manipulating file metadata, tricking users i
    >nto misidentifying the file type, and giving legitimate task>nto misidentifying the file type, and giving legitimate task
    > or service names.  Renaming abusable system utilities to ev> or service names.  Renaming abusable system utilities to ev
    >ade security monitoring is also a form of [Masquerading](htt>ade security monitoring is also a form of [Masquerading](htt
    >ps://attack.mitre.org/techniques/T1036).(Citation: LOLBAS Ma>ps://attack.mitre.org/techniques/T1036).(Citation: LOLBAS Ma
    >in Site)>in Site) Masquerading may also include the use of [Proxy](ht
     >tps://attack.mitre.org/techniques/T1090) or VPNs to disguise
     > IP addresses, which can allow adversaries to blend in with 
     >normal network traffic and bypass conditional access policie
     >s or anti-abuse protections.
    ", + "changelog_mitigations": { + "shared": [ + "M1022: Restrict File and Directory Permissions", + "M1038: Execution Prevention", + "M1040: Behavior Prevention on Endpoint", + "M1045: Code Signing", + "M1049: Antivirus/Antimalware" + ], + "new": [ + "M1017: User Training" + ], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0003: Scheduled Job (Scheduled Job Metadata)", + "DS0003: Scheduled Job (Scheduled Job Modification)", + "DS0007: Image (Image Metadata)", + "DS0009: Process (Process Metadata)", + "DS0017: Command (Command Execution)", + "DS0019: Service (Service Creation)", + "DS0019: Service (Service Metadata)", + "DS0022: File (File Metadata)", + "DS0022: File (File Modification)" + ], + "new": [ + "DS0009: Process (OS API Execution)", + "DS0009: Process (Process Creation)" + ], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-02-10 20:30:07.426000+00:00", + "modified": "2023-09-29 20:30:58.300000+00:00", + "name": "Masquerade Task or Service", + "description": "Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Tasks/services executed by the Task Scheduler or systemd will typically be given a name and/or description.(Citation: TechNet Schtasks)(Citation: Systemd Service Units) Windows services will have a service name as well as a display name. Many benign tasks and services exist that have commonly associated names. Adversaries may give tasks or services names that are similar or identical to those of legitimate ones.\n\nTasks or services contain other fields, such as a description, that adversaries may attempt to make appear legitimate.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Fysbis Dr Web Analysis)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1036/004", + "external_id": "T1036.004" + }, + { + "source_name": "Fysbis Dr Web Analysis", + "description": "Doctor Web. (2014, November 21). Linux.BackDoor.Fysbis.1. Retrieved December 7, 2017.", + "url": "https://vms.drweb.com/virus/?i=4276269" + }, + { + "source_name": "Palo Alto Shamoon Nov 2016", + "description": "Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.", + "url": "http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/" + }, + { + "source_name": "Systemd Service Units", + "description": "Freedesktop.org. (n.d.). systemd.service \u2014 Service unit configuration. Retrieved March 16, 2020.", + "url": "https://www.freedesktop.org/software/systemd/man/systemd.service.html" + }, + { + "source_name": "TechNet Schtasks", + "description": "Microsoft. (n.d.). Schtasks. Retrieved April 28, 2016.", + "url": "https://technet.microsoft.com/en-us/library/bb490996.aspx" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_data_sources": [ + "Scheduled Job: Scheduled Job Modification", + "Service: Service Creation", + "Command: Command Execution", + "Service: Service Metadata", + "Scheduled Job: Scheduled Job Metadata" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Look for changes to tasks and services that do not correlate with known software, patch cycles, etc. Suspicious program execution through scheduled tasks or services may show up as outlier processes that have not been seen before when compared against historical data. Monitor processes and command-line arguments for actions that could be taken to create tasks or services. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "Linux", + "macOS" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_attack_spec_version']\": \"3.2.0\", \"root['x_mitre_deprecated']\": false}, \"dictionary_item_removed\": {\"root['x_mitre_permissions_required']\": [\"User\", \"Administrator\", \"SYSTEM\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-29 20:30:58.300000+00:00\", \"old_value\": \"2021-10-18 13:24:52.618000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}}", + "previous_version": "1.1", + "version_change": "1.1 \u2192 1.2", + "changelog_mitigations": { + "shared": [], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0003: Scheduled Job (Scheduled Job Metadata)", + "DS0003: Scheduled Job (Scheduled Job Modification)", + "DS0017: Command (Command Execution)", + "DS0019: Service (Service Creation)", + "DS0019: Service (Service Metadata)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-02-10 20:43:10.239000+00:00", + "modified": "2023-09-14 21:12:48.409000+00:00", + "name": "Match Legitimate Name or Location", + "description": "Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous.\n\nAdversaries may also use the same icon of the file they are trying to mimic.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1036/005", + "external_id": "T1036.005" + }, + { + "source_name": "Twitter ItsReallyNick Masquerading Update", + "description": "Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading. Retrieved April 22, 2019.", + "url": "https://twitter.com/ItsReallyNick/status/1055321652777619457" + }, + { + "source_name": "Docker Images", + "description": "Docker. (n.d.). Docker Images. Retrieved April 6, 2021.", + "url": "https://docs.docker.com/engine/reference/commandline/images/" + }, + { + "source_name": "Elastic Masquerade Ball", + "description": "Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball. Retrieved October 31, 2016.", + "url": "https://www.elastic.co/blog/how-hunt-masquerade-ball" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Yossi Weizman, Azure Defender Research Team", + "Vishwas Manral, McAfee" + ], + "x_mitre_data_sources": [ + "File: File Metadata", + "Image: Image Metadata", + "Process: Process Metadata", + "Process: Process Creation" + ], + "x_mitre_defense_bypassed": [ + "Application Control" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Likewise, files that are modified outside of an update or patch are suspect.\n\nIf file names are mismatched between the file name on disk and that of the binary's PE metadata, this is a likely indicator that a binary was renamed after it was compiled. Collecting and comparing disk and resource filenames for binaries by looking to see if the InternalName, OriginalFilename, and/or ProductName match what is expected could provide useful leads, but may not always be indicative of malicious activity. (Citation: Elastic Masquerade Ball) Do not focus on the possible names a file could have, but instead on the command-line arguments that are known to be used and are distinct because it will have a better rate of detection.(Citation: Twitter ItsReallyNick Masquerading Update)\n\nIn containerized environments, use image IDs and layer hashes to compare images instead of relying only on their names.(Citation: Docker Images) Monitor for the unexpected creation of new resources within your cluster in Kubernetes, especially those created by atypical users.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows", + "Containers" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-14 21:12:48.409000+00:00\", \"old_value\": \"2023-03-30 21:01:42.277000+00:00\"}, \"root['external_references'][3]['url']\": {\"new_value\": \"https://www.elastic.co/blog/how-hunt-masquerade-ball\", \"old_value\": \"http://pages.endgame.com/rs/627-YBU-612/images/EndgameJournal_The%20Masquerade%20Ball_Pages_R2.pdf\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}, \"iterable_item_added\": {\"root['x_mitre_data_sources'][3]\": \"Process: Process Creation\"}}", + "previous_version": "1.1", + "version_change": "1.1 \u2192 1.2", + "changelog_mitigations": { + "shared": [ + "M1022: Restrict File and Directory Permissions", + "M1038: Execution Prevention", + "M1045: Code Signing" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0007: Image (Image Metadata)", + "DS0009: Process (Process Metadata)", + "DS0022: File (File Metadata)" + ], + "new": [ + "DS0009: Process (Process Creation)" + ], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--b4409cd8-0da9-46e1-a401-a241afd4d1cc", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2022-05-31 19:31:38.431000+00:00", + "modified": "2023-10-16 16:47:26.119000+00:00", + "name": "Multi-Factor Authentication", + "description": "Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromised accounts.\n\nOnce adversaries have gained access to a network by either compromising an account lacking MFA or by employing an MFA bypass method such as [Multi-Factor Authentication Request Generation](https://attack.mitre.org/techniques/T1621), adversaries may leverage their access to modify or completely disable MFA defenses. This can be accomplished by abusing legitimate features, such as excluding users from Azure AD Conditional Access Policies, registering a new yet vulnerable/adversary-controlled MFA method, or by manually patching MFA programs and configuration files to bypass expected functionality.(Citation: Mandiant APT42)(Citation: Azure AD Conditional Access Exclusions)\n\nFor example, modifying the Windows hosts file (`C:\\windows\\system32\\drivers\\etc\\hosts`) to redirect MFA calls to localhost instead of an MFA server may cause the MFA process to fail. If a \"fail open\" policy is in place, any otherwise successful authentication attempt may be granted access without enforcing MFA. (Citation: Russians Exploit Default MFA Protocol - CISA March 2022) \n\nDepending on the scope, goals, and privileges of the adversary, MFA defenses may be disabled for individual accounts or for all accounts tied to a larger group, such as all domain accounts in a victim's network environment.(Citation: Russians Exploit Default MFA Protocol - CISA March 2022) ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "credential-access" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1556/006", + "external_id": "T1556.006" + }, + { + "source_name": "Russians Exploit Default MFA Protocol - CISA March 2022", + "description": "Cyber Security Infrastructure Agency. (2022, March 15). Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and \u201cPrintNightmare\u201d Vulnerability. Retrieved May 31, 2022.", + "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-074a" + }, + { + "source_name": "Mandiant APT42", + "description": "Mandiant. (n.d.). APT42: Crooked Charms, Cons and Compromise. Retrieved September 16, 2022.", + "url": "https://www.mandiant.com/media/17826" + }, + { + "source_name": "Azure AD Conditional Access Exclusions", + "description": "Microsoft. (2022, August 26). Use Azure AD access reviews to manage users excluded from Conditional Access policies. Retrieved August 30, 2022.", + "url": "https://docs.microsoft.com/en-us/azure/active-directory/governance/conditional-access-exclusion" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Liran Ravich, CardinalOps", + "Muhammad Moiz Arshad, @5T34L7H" + ], + "x_mitre_data_sources": [ + "Logon Session: Logon Session Creation", + "Active Directory: Active Directory Object Modification", + "User Account: User Account Authentication", + "User Account: User Account Modification" + ], + "x_mitre_defense_bypassed": [ + "Multi-Factor Authentication" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "Azure AD", + "Office 365", + "SaaS", + "IaaS", + "Google Workspace", + "Linux", + "macOS" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-16 16:47:26.119000+00:00\", \"old_value\": \"2023-02-09 14:18:59.080000+00:00\"}, \"root['external_references'][2]['description']\": {\"new_value\": \"Mandiant. (n.d.). APT42: Crooked Charms, Cons and Compromise. Retrieved September 16, 2022.\", \"old_value\": \"Manidant. (n.d.). APT42: Crooked Charms, Cons and Compromise. Retrieved September 16, 2022.\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}}", + "previous_version": "1.0", + "version_change": "1.0 \u2192 1.1", + "changelog_mitigations": { + "shared": [ + "M1018: User Account Management", + "M1032: Multi-factor Authentication", + "M1047: Audit" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0002: User Account (User Account Authentication)", + "DS0002: User Account (User Account Modification)", + "DS0026: Active Directory (Active Directory Object Modification)", + "DS0028: Logon Session (Logon Session Creation)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--144e007b-e638-431d-a894-45d90c54ab90", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-08-30 18:03:05.864000+00:00", + "modified": "2023-09-05 20:45:22.041000+00:00", + "name": "Modify Cloud Compute Infrastructure", + "description": "An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots.\n\nPermissions gained from the modification of infrastructure components may bypass restrictions that prevent access to existing infrastructure. Modifying infrastructure components may also allow an adversary to evade detection and remove evidence of their presence.(Citation: Mandiant M-Trends 2020)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1578", + "external_id": "T1578" + }, + { + "source_name": "Mandiant M-Trends 2020", + "description": "Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020.", + "url": "https://content.fireeye.com/m-trends/rpt-m-trends-2020" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_data_sources": [ + "Instance: Instance Metadata", + "Instance: Instance Stop", + "Snapshot: Snapshot Creation", + "Volume: Volume Modification", + "Instance: Instance Modification", + "Instance: Instance Creation", + "Volume: Volume Metadata", + "Instance: Instance Start", + "Cloud Service: Cloud Service Metadata", + "Volume: Volume Creation", + "Snapshot: Snapshot Modification", + "Snapshot: Snapshot Metadata", + "Volume: Volume Deletion", + "Snapshot: Snapshot Deletion", + "Instance: Instance Deletion" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Establish centralized logging for the activity of cloud compute infrastructure components. Monitor for suspicious sequences of events, such as the creation of multiple snapshots within a short period of time or the mount of a snapshot to a new instance by a new or unexpected user. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "IaaS" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_attack_spec_version']\": \"3.1.0\", \"root['x_mitre_deprecated']\": false}, \"dictionary_item_removed\": {\"root['x_mitre_permissions_required']\": [\"User\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-05 20:45:22.041000+00:00\", \"old_value\": \"2021-04-20 14:51:01.759000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}, \"iterable_item_added\": {\"root['x_mitre_data_sources'][8]\": \"Cloud Service: Cloud Service Metadata\"}}", + "previous_version": "1.1", + "version_change": "1.1 \u2192 1.2", + "changelog_mitigations": { + "shared": [ + "M1018: User Account Management", + "M1047: Audit" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0020: Snapshot (Snapshot Creation)", + "DS0020: Snapshot (Snapshot Deletion)", + "DS0020: Snapshot (Snapshot Metadata)", + "DS0020: Snapshot (Snapshot Modification)", + "DS0030: Instance (Instance Creation)", + "DS0030: Instance (Instance Deletion)", + "DS0030: Instance (Instance Metadata)", + "DS0030: Instance (Instance Modification)", + "DS0030: Instance (Instance Start)", + "DS0030: Instance (Instance Stop)", + "DS0034: Volume (Volume Creation)", + "DS0034: Volume (Volume Deletion)", + "DS0034: Volume (Volume Metadata)", + "DS0034: Volume (Volume Modification)" + ], + "new": [ + "DS0025: Cloud Service (Cloud Service Metadata)" + ], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:31:23.587000+00:00", + "modified": "2023-08-14 19:19:54.148000+00:00", + "name": "Modify Registry", + "description": "Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.\n\nAccess to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility [Reg](https://attack.mitre.org/software/S0075) may be used for local or remote Registry modification. (Citation: Microsoft Reg) Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API.\n\nRegistry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via [Reg](https://attack.mitre.org/software/S0075) or other utilities using the Win32 API. (Citation: Microsoft Reghide NOV 2006) Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence. (Citation: TrendMicro POWELIKS AUG 2014) (Citation: SpectorOps Hiding Reg Jul 2017)\n\nThe Registry of a remote system may be modified to aid in execution of files as part of lateral movement. It requires the remote Registry service to be running on the target system. (Citation: Microsoft Remote) Often [Valid Accounts](https://attack.mitre.org/techniques/T1078) are required, along with access to the remote system's [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) for RPC communication.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1112", + "external_id": "T1112" + }, + { + "source_name": "Microsoft Reg", + "description": "Microsoft. (2012, April 17). Reg. Retrieved May 1, 2015.", + "url": "https://technet.microsoft.com/en-us/library/cc732643.aspx" + }, + { + "source_name": "Microsoft Remote", + "description": "Microsoft. (n.d.). Enable the Remote Registry Service. Retrieved May 1, 2015.", + "url": "https://technet.microsoft.com/en-us/library/cc754820.aspx" + }, + { + "source_name": "Microsoft 4657 APR 2017", + "description": "Miroshnikov, A. & Hall, J. (2017, April 18). 4657(S): A registry value was modified. Retrieved August 9, 2018.", + "url": "https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4657" + }, + { + "source_name": "SpectorOps Hiding Reg Jul 2017", + "description": "Reitz, B. (2017, July 14). Hiding Registry keys with PSReflect. Retrieved August 9, 2018.", + "url": "https://posts.specterops.io/hiding-registry-keys-with-psreflect-b18ec5ac8353" + }, + { + "source_name": "Microsoft Reghide NOV 2006", + "description": "Russinovich, M. & Sharkey, K. (2006, January 10). Reghide. Retrieved August 9, 2018.", + "url": "https://docs.microsoft.com/sysinternals/downloads/reghide" + }, + { + "source_name": "Microsoft RegDelNull July 2016", + "description": "Russinovich, M. & Sharkey, K. (2016, July 4). RegDelNull v1.11. Retrieved August 10, 2018.", + "url": "https://docs.microsoft.com/en-us/sysinternals/downloads/regdelnull" + }, + { + "source_name": "TrendMicro POWELIKS AUG 2014", + "description": "Santos, R. (2014, August 1). POWELIKS: Malware Hides In Windows Registry. Retrieved August 9, 2018.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-malware-hides-in-windows-registry/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Bartosz Jerzman", + "Travis Smith, Tripwire", + "David Lu, Tripwire" + ], + "x_mitre_data_sources": [ + "Windows Registry: Windows Registry Key Modification", + "Process: OS API Execution", + "Network Traffic: Network Traffic Flow", + "Command: Command Execution", + "Windows Registry: Windows Registry Key Deletion", + "Windows Registry: Windows Registry Key Creation", + "Process: Process Creation" + ], + "x_mitre_defense_bypassed": [ + "Host forensic analysis" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Modifications to the Registry are normal and occur throughout typical use of the Windows operating system. Consider enabling Registry Auditing on specific keys to produce an alertable event (Event ID 4657) whenever a value is changed (though this may not trigger when values are created with Reghide or other evasive methods). (Citation: Microsoft 4657 APR 2017) Changes to Registry entries that load software on Windows startup that do not correlate with known software, patch cycles, etc., are suspicious, as are additions or changes to files within the startup folder. Changes could also include new services and modification of existing binary paths to point to malicious files. If a change to a service-related entry occurs, then it will likely be followed by a local or remote service start or restart to execute the file.\n\nMonitor processes and command-line arguments for actions that could be taken to change or delete information in the Registry. Remote access tools with built-in features may interact directly with the Windows API to gather information. The Registry may also be modified through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), which may require additional logging features to be configured in the operating system to collect necessary information for analysis.\n\nMonitor for processes, command-line arguments, and API calls associated with concealing Registry keys, such as Reghide. (Citation: Microsoft Reghide NOV 2006) Inspect and cleanup malicious hidden Registry entries using Native Windows API calls and/or tools such as Autoruns (Citation: SpectorOps Hiding Reg Jul 2017) and RegDelNull (Citation: Microsoft RegDelNull July 2016).", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.4", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-14 19:19:54.148000+00:00\", \"old_value\": \"2023-04-21 12:19:38.962000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.4\", \"old_value\": \"1.3\"}}, \"iterable_item_added\": {\"root['x_mitre_data_sources'][2]\": \"Network Traffic: Network Traffic Flow\"}}", + "previous_version": "1.3", + "version_change": "1.3 \u2192 1.4", + "changelog_mitigations": { + "shared": [ + "M1024: Restrict Registry Permissions" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (OS API Execution)", + "DS0009: Process (Process Creation)", + "DS0017: Command (Command Execution)", + "DS0024: Windows Registry (Windows Registry Key Creation)", + "DS0024: Windows Registry (Windows Registry Key Deletion)", + "DS0024: Windows Registry (Windows Registry Key Modification)" + ], + "new": [ + "DS0029: Network Traffic (Network Traffic Flow)" + ], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:31:17.472000+00:00", + "modified": "2023-10-13 16:01:07.538000+00:00", + "name": "Native API", + "description": "Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.\n\nAdversaries may abuse these OS API functions as a means of executing behaviors. Similar to [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), the native API and its hierarchy of interfaces provide mechanisms to interact with and utilize various components of a victimized system.\n\nNative API functions (such as NtCreateProcess) may be directed invoked via system calls / syscalls, but these features are also often exposed to user-mode applications via interfaces and libraries.(Citation: OutFlank System Calls)(Citation: CyberBit System Calls)(Citation: MDSec System Calls) For example, functions such as the Windows API CreateProcess() or GNU fork() will allow programs and scripts to start other processes.(Citation: Microsoft CreateProcess)(Citation: GNU Fork) This may allow API callers to execute a binary, run a CLI command, load modules, etc. as thousands of similar API functions exist for various system operations.(Citation: Microsoft Win32)(Citation: LIBC)(Citation: GLIBC)\n\nHigher level software frameworks, such as Microsoft .NET and macOS Cocoa, are also available to interact with native APIs. These frameworks typically provide language wrappers/abstractions to API functionalities and are designed for ease-of-use/portability of code.(Citation: Microsoft NET)(Citation: Apple Core Services)(Citation: MACOS Cocoa)(Citation: macOS Foundation)\n\nAdversaries may use assembly to directly or in-directly invoke syscalls in an attempt to subvert defensive sensors and detection signatures such as user mode API-hooks.(Citation: Redops Syscalls) Adversaries may also attempt to tamper with sensors and defensive tools associated with API monitoring, such as unhooking monitored functions via [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "execution" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1106", + "external_id": "T1106" + }, + { + "source_name": "MACOS Cocoa", + "description": "Apple. (2015, September 16). Cocoa Application Layer. Retrieved June 25, 2020.", + "url": "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/OSX_Technology_Overview/CocoaApplicationLayer/CocoaApplicationLayer.html#//apple_ref/doc/uid/TP40001067-CH274-SW1" + }, + { + "source_name": "Apple Core Services", + "description": "Apple. (n.d.). Core Services. Retrieved June 25, 2020.", + "url": "https://developer.apple.com/documentation/coreservices" + }, + { + "source_name": "macOS Foundation", + "description": "Apple. (n.d.). Foundation. Retrieved July 1, 2020.", + "url": "https://developer.apple.com/documentation/foundation" + }, + { + "source_name": "OutFlank System Calls", + "description": "de Plaa, C. (2019, June 19). Red Team Tactics: Combining Direct System Calls and sRDI to bypass AV/EDR. Retrieved September 29, 2021.", + "url": "https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/" + }, + { + "source_name": "Redops Syscalls", + "description": "Feichter, D. (2023, June 30). Direct Syscalls vs Indirect Syscalls. Retrieved September 27, 2023.", + "url": "https://redops.at/en/blog/direct-syscalls-vs-indirect-syscalls" + }, + { + "source_name": "GNU Fork", + "description": "Free Software Foundation, Inc.. (2020, June 18). Creating a Process. Retrieved June 25, 2020.", + "url": "https://www.gnu.org/software/libc/manual/html_node/Creating-a-Process.html" + }, + { + "source_name": "CyberBit System Calls", + "description": "Gavriel, H. (2018, November 27). Malware Mitigation when Direct System Calls are Used. Retrieved September 29, 2021.", + "url": "https://www.cyberbit.com/blog/endpoint-security/malware-mitigation-when-direct-system-calls-are-used/" + }, + { + "source_name": "GLIBC", + "description": "glibc developer community. (2020, February 1). The GNU C Library (glibc). Retrieved June 25, 2020.", + "url": "https://www.gnu.org/software/libc/" + }, + { + "source_name": "LIBC", + "description": "Kerrisk, M. (2016, December 12). libc(7) \u2014 Linux manual page. Retrieved June 25, 2020.", + "url": "https://man7.org/linux/man-pages//man7/libc.7.html" + }, + { + "source_name": "Linux Kernel API", + "description": "Linux Kernel Organization, Inc. (n.d.). The Linux Kernel API. Retrieved June 25, 2020.", + "url": "https://www.kernel.org/doc/html/v4.12/core-api/kernel-api.html" + }, + { + "source_name": "MDSec System Calls", + "description": "MDSec Research. (2020, December). Bypassing User-Mode Hooks and Direct Invocation of System Calls for Red Teams. Retrieved September 29, 2021.", + "url": "https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/" + }, + { + "source_name": "Microsoft CreateProcess", + "description": "Microsoft. (n.d.). CreateProcess function. Retrieved December 5, 2014.", + "url": "http://msdn.microsoft.com/en-us/library/ms682425" + }, + { + "source_name": "Microsoft Win32", + "description": "Microsoft. (n.d.). Programming reference for the Win32 API. Retrieved March 15, 2020.", + "url": "https://docs.microsoft.com/en-us/windows/win32/api/" + }, + { + "source_name": "Microsoft NET", + "description": "Microsoft. (n.d.). What is .NET Framework?. Retrieved March 15, 2020.", + "url": "https://dotnet.microsoft.com/learn/dotnet/what-is-dotnet-framework" + }, + { + "source_name": "NT API Windows", + "description": "The NTinterlnals.net team. (n.d.). Nowak, T. Retrieved June 25, 2020.", + "url": "https://undocumented.ntinternals.net/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Gordon Long, Box, Inc., @ethicalhax", + "Stefan Kanthak", + "Tristan Madani (Cybereason)" + ], + "x_mitre_data_sources": [ + "Process: OS API Execution", + "Module: Module Load" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitoring API calls may generate a significant amount of data and may not be useful for defense unless collected under specific circumstances, since benign use of API functions are common and may be difficult to distinguish from malicious behavior. Correlation of other events with behavior surrounding API function calls using API monitoring will provide additional context to an event that may assist in determining if it is due to malicious behavior. Correlation of activity by process lineage by process ID may be sufficient. \n\nUtilization of the Windows APIs may involve processes loading/accessing system DLLs associated with providing called functions (ex: ntdll.dll, kernel32.dll, advapi32.dll, user32.dll, and gdi32.dll). Monitoring for DLL loads, especially to abnormal/unusual or potentially malicious processes, may indicate abuse of the Windows API. Though noisy, this data can be combined with other indicators to identify adversary activity. ", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "macOS", + "Linux" + ], + "x_mitre_remote_support": false, + "x_mitre_version": "2.2", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 16:01:07.538000+00:00\", \"old_value\": \"2022-04-19 20:30:00.118000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.\\n\\nAdversaries may abuse these OS API functions as a means of executing behaviors. Similar to [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), the native API and its hierarchy of interfaces provide mechanisms to interact with and utilize various components of a victimized system.\\n\\nNative API functions (such as NtCreateProcess) may be directed invoked via system calls / syscalls, but these features are also often exposed to user-mode applications via interfaces and libraries.(Citation: OutFlank System Calls)(Citation: CyberBit System Calls)(Citation: MDSec System Calls) For example, functions such as the Windows API CreateProcess() or GNU fork() will allow programs and scripts to start other processes.(Citation: Microsoft CreateProcess)(Citation: GNU Fork) This may allow API callers to execute a binary, run a CLI command, load modules, etc. as thousands of similar API functions exist for various system operations.(Citation: Microsoft Win32)(Citation: LIBC)(Citation: GLIBC)\\n\\nHigher level software frameworks, such as Microsoft .NET and macOS Cocoa, are also available to interact with native APIs. These frameworks typically provide language wrappers/abstractions to API functionalities and are designed for ease-of-use/portability of code.(Citation: Microsoft NET)(Citation: Apple Core Services)(Citation: MACOS Cocoa)(Citation: macOS Foundation)\\n\\nAdversaries may use assembly to directly or in-directly invoke syscalls in an attempt to subvert defensive sensors and detection signatures such as user mode API-hooks.(Citation: Redops Syscalls) Adversaries may also attempt to tamper with sensors and defensive tools associated with API monitoring, such as unhooking monitored functions via [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001).\", \"old_value\": \"Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.\\n\\nNative API functions (such as NtCreateProcess) may be directed invoked via system calls / syscalls, but these features are also often exposed to user-mode applications via interfaces and libraries.(Citation: OutFlank System Calls)(Citation: CyberBit System Calls)(Citation: MDSec System Calls) For example, functions such as the Windows API CreateProcess() or GNU fork() will allow programs and scripts to start other processes.(Citation: Microsoft CreateProcess)(Citation: GNU Fork) This may allow API callers to execute a binary, run a CLI command, load modules, etc. as thousands of similar API functions exist for various system operations.(Citation: Microsoft Win32)(Citation: LIBC)(Citation: GLIBC)\\n\\nHigher level software frameworks, such as Microsoft .NET and macOS Cocoa, are also available to interact with native APIs. These frameworks typically provide language wrappers/abstractions to API functionalities and are designed for ease-of-use/portability of code.(Citation: Microsoft NET)(Citation: Apple Core Services)(Citation: MACOS Cocoa)(Citation: macOS Foundation)\\n\\nAdversaries may abuse these OS API functions as a means of executing behaviors. Similar to [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), the native API and its hierarchy of interfaces provide mechanisms to interact with and utilize various components of a victimized system. While invoking API functions, adversaries may also attempt to bypass defensive tools (ex: unhooking monitored functions via [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001)).\", \"diff\": \"--- \\n+++ \\n@@ -1,7 +1,9 @@\\n Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.\\n+\\n+Adversaries may abuse these OS API functions as a means of executing behaviors. Similar to [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), the native API and its hierarchy of interfaces provide mechanisms to interact with and utilize various components of a victimized system.\\n \\n Native API functions (such as NtCreateProcess) may be directed invoked via system calls / syscalls, but these features are also often exposed to user-mode applications via interfaces and libraries.(Citation: OutFlank System Calls)(Citation: CyberBit System Calls)(Citation: MDSec System Calls) For example, functions such as the Windows API CreateProcess() or GNU fork() will allow programs and scripts to start other processes.(Citation: Microsoft CreateProcess)(Citation: GNU Fork) This may allow API callers to execute a binary, run a CLI command, load modules, etc. as thousands of similar API functions exist for various system operations.(Citation: Microsoft Win32)(Citation: LIBC)(Citation: GLIBC)\\n \\n Higher level software frameworks, such as Microsoft .NET and macOS Cocoa, are also available to interact with native APIs. These frameworks typically provide language wrappers/abstractions to API functionalities and are designed for ease-of-use/portability of code.(Citation: Microsoft NET)(Citation: Apple Core Services)(Citation: MACOS Cocoa)(Citation: macOS Foundation)\\n \\n-Adversaries may abuse these OS API functions as a means of executing behaviors. Similar to [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), the native API and its hierarchy of interfaces provide mechanisms to interact with and utilize various components of a victimized system. While invoking API functions, adversaries may also attempt to bypass defensive tools (ex: unhooking monitored functions via [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001)).\\n+Adversaries may use assembly to directly or in-directly invoke syscalls in an attempt to subvert defensive sensors and detection signatures such as user mode API-hooks.(Citation: Redops Syscalls) Adversaries may also attempt to tamper with sensors and defensive tools associated with API monitoring, such as unhooking monitored functions via [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001).\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.2\", \"old_value\": \"2.1\"}}, \"iterable_item_added\": {\"root['external_references'][5]\": {\"source_name\": \"Redops Syscalls\", \"description\": \"Feichter, D. (2023, June 30). Direct Syscalls vs Indirect Syscalls. Retrieved September 27, 2023.\", \"url\": \"https://redops.at/en/blog/direct-syscalls-vs-indirect-syscalls\"}, \"root['x_mitre_contributors'][2]\": \"Tristan Madani (Cybereason)\"}}", + "previous_version": "2.1", + "version_change": "2.1 \u2192 2.2", + "description_change_table": "\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n

    		Old Description
    		New Description
    t1Adversaries may interact with the native OS application progt1Adversaries may interact with the native OS application prog
    >ramming interface (API) to execute behaviors. Native APIs pr>ramming interface (API) to execute behaviors. Native APIs pr
    >ovide a controlled means of calling low-level OS services wi>ovide a controlled means of calling low-level OS services wi
    >thin the kernel, such as those involving hardware/devices, m>thin the kernel, such as those involving hardware/devices, m
    >emory, and processes.(Citation: NT API Windows)(Citation: Li>emory, and processes.(Citation: NT API Windows)(Citation: Li
    >nux Kernel API) These native APIs are leveraged by the OS du>nux Kernel API) These native APIs are leveraged by the OS du
    >ring system boot (when other system components are not yet i>ring system boot (when other system components are not yet i
    >nitialized) as well as carrying out tasks and requests durin>nitialized) as well as carrying out tasks and requests durin
    >g routine operations.  Native API functions (such as <code>N>g routine operations.  Adversaries may abuse these OS API fu
    >tCreateProcess</code>) may be directed invoked via system ca>nctions as a means of executing behaviors. Similar to [Comma
    >lls / syscalls, but these features are also often exposed to>nd and Scripting Interpreter](https://attack.mitre.org/techn
    > user-mode applications via interfaces and libraries.(Citati>iques/T1059), the native API and its hierarchy of interfaces
    >on: OutFlank System Calls)(Citation: CyberBit System Calls)(> provide mechanisms to interact with and utilize various com
    >Citation: MDSec System Calls) For example, functions such as>ponents of a victimized system.  Native API functions (such 
    > the Windows API <code>CreateProcess()</code> or GNU <code>f>as <code>NtCreateProcess</code>) may be directed invoked via
    >ork()</code> will allow programs and scripts to start other > system calls / syscalls, but these features are also often 
    >processes.(Citation: Microsoft CreateProcess)(Citation: GNU >exposed to user-mode applications via interfaces and librari
    >Fork) This may allow API callers to execute a binary, run a >es.(Citation: OutFlank System Calls)(Citation: CyberBit Syst
    >CLI command, load modules, etc. as thousands of similar API >em Calls)(Citation: MDSec System Calls) For example, functio
    >functions exist for various system operations.(Citation: Mic>ns such as the Windows API <code>CreateProcess()</code> or G
    >rosoft Win32)(Citation: LIBC)(Citation: GLIBC)  Higher level>NU <code>fork()</code> will allow programs and scripts to st
    > software frameworks, such as Microsoft .NET and macOS Cocoa>art other processes.(Citation: Microsoft CreateProcess)(Cita
    >, are also available to interact with native APIs. These fra>tion: GNU Fork) This may allow API callers to execute a bina
    >meworks typically provide language wrappers/abstractions to >ry, run a CLI command, load modules, etc. as thousands of si
    >API functionalities and are designed for ease-of-use/portabi>milar API functions exist for various system operations.(Cit
    >lity of code.(Citation: Microsoft NET)(Citation: Apple Core >ation: Microsoft Win32)(Citation: LIBC)(Citation: GLIBC)  Hi
    >Services)(Citation: MACOS Cocoa)(Citation: macOS Foundation)>gher level software frameworks, such as Microsoft .NET and m
    >  Adversaries may abuse these OS API functions as a means of>acOS Cocoa, are also available to interact with native APIs.
    > executing behaviors. Similar to [Command and Scripting Inte> These frameworks typically provide language wrappers/abstra
    >rpreter](https://attack.mitre.org/techniques/T1059), the nat>ctions to API functionalities and are designed for ease-of-u
    >ive API and its hierarchy of interfaces provide mechanisms t>se/portability of code.(Citation: Microsoft NET)(Citation: A
    >o interact with and utilize various components of a victimiz>pple Core Services)(Citation: MACOS Cocoa)(Citation: macOS F
    >ed system. While invoking API functions, adversaries may als>oundation)  Adversaries may use assembly to directly or in-d
    >o attempt to bypass defensive tools (ex: unhooking monitored>irectly invoke syscalls in an attempt to subvert defensive s
    > functions via [Disable or Modify Tools](https://attack.mitr>ensors and detection signatures such as user mode API-hooks.
    >e.org/techniques/T1562/001)).>(Citation: Redops Syscalls) Adversaries may also attempt to 
     >tamper with sensors and defensive tools associated with API 
     >monitoring, such as unhooking monitored functions via [Disab
     >le or Modify Tools](https://attack.mitre.org/techniques/T156
     >2/001).
    ", + "changelog_mitigations": { + "shared": [ + "M1038: Execution Prevention", + "M1040: Behavior Prevention on Endpoint" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (OS API Execution)", + "DS0011: Module (Module Load)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--e3a12395-188d-4051-9a16-ea8e14d07b88", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:30:43.915000+00:00", + "modified": "2023-08-11 21:10:09.547000+00:00", + "name": "Network Service Discovery", + "description": "Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port and/or vulnerability scans using tools that are brought onto a system.(Citation: CISA AR21-126A FIVEHANDS May 2021) \n\nWithin cloud environments, adversaries may attempt to discover services running on other cloud hosts. Additionally, if the cloud environment is connected to a on-premises environment, adversaries may be able to identify services running on non-cloud systems as well.\n\nWithin macOS environments, adversaries may use the native Bonjour application to discover services running on other macOS hosts within a network. The Bonjour mDNSResponder daemon automatically registers and advertises a host\u2019s registered services on the network. For example, adversaries can use a mDNS query (such as dns-sd -B _ssh._tcp .) to find other systems broadcasting the ssh service.(Citation: apple doco bonjour description)(Citation: macOS APT Activity Bradley)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "discovery" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1046", + "external_id": "T1046" + }, + { + "source_name": "apple doco bonjour description", + "description": "Apple Inc. (2013, April 23). Bonjour Overview. Retrieved October 11, 2021.", + "url": "https://developer.apple.com/library/archive/documentation/Cocoa/Conceptual/NetServices/Introduction.html" + }, + { + "source_name": "CISA AR21-126A FIVEHANDS May 2021", + "description": "CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021.", + "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a" + }, + { + "source_name": "macOS APT Activity Bradley", + "description": "Jaron Bradley. (2021, November 14). What does APT Activity Look Like on macOS?. Retrieved January 19, 2022.", + "url": "https://themittenmac.com/what-does-apt-activity-look-like-on-macos/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Praetorian" + ], + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Flow", + "Command: Command Execution", + "Cloud Service: Cloud Service Enumeration" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nNormal, benign system and network events from legitimate remote service scanning may be uncommon, depending on the environment and how they are used. Legitimate open port and vulnerability scanning may be conducted within the environment and will need to be deconflicted with any detection capabilities developed. Network intrusion detection systems can also be used to identify scanning activity. Monitor for process use of the networks and inspect intra-network flows to detect port scans.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "IaaS", + "Linux", + "macOS", + "Containers", + "Network" + ], + "x_mitre_version": "3.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-11 21:10:09.547000+00:00\", \"old_value\": \"2023-03-30 21:01:43.682000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"3.1\", \"old_value\": \"3.0\"}}}", + "previous_version": "3.0", + "version_change": "3.0 \u2192 3.1", + "changelog_mitigations": { + "shared": [ + "M1030: Network Segmentation", + "M1031: Network Intrusion Prevention", + "M1042: Disable or Remove Feature or Program" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0017: Command (Command Execution)", + "DS0025: Cloud Service (Cloud Service Enumeration)", + "DS0029: Network Traffic (Network Traffic Flow)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--3489cfc5-640f-4bb3-a103-9137b97de79f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-12-14 16:46:06.044000+00:00", + "modified": "2023-09-29 19:44:43.870000+00:00", + "name": "Network Share Discovery", + "description": "Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. \n\nFile sharing over a Windows network occurs over the SMB protocol. (Citation: Wikipedia Shared Resource) (Citation: TechNet Shared Folder) [Net](https://attack.mitre.org/software/S0039) can be used to query a remote system for available shared drives using the net view \\\\\\\\remotesystem command. It can also be used to query shared drives on the local system using net share. For macOS, the sharing -l command lists all shared points used for smb services.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "discovery" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1135", + "external_id": "T1135" + }, + { + "source_name": "TechNet Shared Folder", + "description": "Microsoft. (n.d.). Share a Folder or Drive. Retrieved June 30, 2017.", + "url": "https://technet.microsoft.com/library/cc770880.aspx" + }, + { + "source_name": "Wikipedia Shared Resource", + "description": "Wikipedia. (2017, April 15). Shared resource. Retrieved June 30, 2017.", + "url": "https://en.wikipedia.org/wiki/Shared_resource" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Praetorian" + ], + "x_mitre_data_sources": [ + "Process: OS API Execution", + "Command: Command Execution", + "Process: Process Creation" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nNormal, benign system and network events related to legitimate remote system discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "macOS", + "Windows", + "Linux" + ], + "x_mitre_version": "3.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"dictionary_item_removed\": {\"root['x_mitre_permissions_required']\": [\"User\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-29 19:44:43.870000+00:00\", \"old_value\": \"2023-03-30 21:01:46.370000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"3.2\", \"old_value\": \"3.1\"}}}", + "previous_version": "3.1", + "version_change": "3.1 \u2192 3.2", + "changelog_mitigations": { + "shared": [ + "M1028: Operating System Configuration" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (OS API Execution)", + "DS0009: Process (Process Creation)", + "DS0017: Command (Command Execution)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--3257eb21-f9a7-4430-8de1-d8b6e288f529", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:30:41.399000+00:00", + "modified": "2023-07-10 15:48:01.560000+00:00", + "name": "Network Sniffing", + "description": "Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.\n\nData captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.\n\nNetwork sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities.\n\nIn cloud-based environments, adversaries may still be able to use traffic mirroring services to sniff network traffic from virtual machines. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.(Citation: AWS Traffic Mirroring)(Citation: GCP Packet Mirroring)(Citation: Azure Virtual Network TAP) Often, much of this traffic will be in cleartext due to the use of TLS termination at the load balancer level to reduce the strain of encrypting and decrypting traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)(Citation: SpecterOps AWS Traffic Mirroring) The adversary can then use exfiltration techniques such as Transfer Data to Cloud Account in order to access the sniffed traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)\n\nOn network devices, adversaries may perform network captures using [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `monitor capture`.(Citation: US-CERT-TA18-106A)(Citation: capture_embedded_packet_on_software)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "credential-access" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "discovery" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1040", + "external_id": "T1040" + }, + { + "source_name": "AWS Traffic Mirroring", + "description": "Amazon Web Services. (n.d.). How Traffic Mirroring works. Retrieved March 17, 2022.", + "url": "https://docs.aws.amazon.com/vpc/latest/mirroring/traffic-mirroring-how-it-works.html" + }, + { + "source_name": "capture_embedded_packet_on_software", + "description": "Cisco. (2022, August 17). Configure and Capture Embedded Packet on Software. Retrieved July 13, 2022.", + "url": "https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-embedded-packet-capture/116045-productconfig-epc-00.html" + }, + { + "source_name": "GCP Packet Mirroring", + "description": "Google Cloud. (n.d.). Packet Mirroring overview. Retrieved March 17, 2022.", + "url": "https://cloud.google.com/vpc/docs/packet-mirroring" + }, + { + "source_name": "SpecterOps AWS Traffic Mirroring", + "description": "Luke Paine. (2020, March 11). Through the Looking Glass \u2014 Part 1. Retrieved March 17, 2022.", + "url": "https://posts.specterops.io/through-the-looking-glass-part-1-f539ae308512" + }, + { + "source_name": "Azure Virtual Network TAP", + "description": "Microsoft. (2022, February 9). Virtual network TAP. Retrieved March 17, 2022.", + "url": "https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-tap-overview" + }, + { + "source_name": "Rhino Security Labs AWS VPC Traffic Mirroring", + "description": "Spencer Gietzen. (2019, September 17). Abusing VPC Traffic Mirroring in AWS. Retrieved March 17, 2022.", + "url": "https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/" + }, + { + "source_name": "US-CERT-TA18-106A", + "description": "US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.", + "url": "https://www.us-cert.gov/ncas/alerts/TA18-106A" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Oleg Kolesnikov, Securonix", + "Tiago Faria, 3CORESec", + "Austin Clark, @c2defense", + "Itamar Mizrahi, Cymptom" + ], + "x_mitre_data_sources": [ + "Command: Command Execution", + "Process: Process Creation" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Detecting the events leading up to sniffing network traffic may be the best method of detection. From the host level, an adversary would likely need to perform a [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) attack against other devices on a wired network in order to capture traffic that was not to or from the current compromised system. This change in the flow of information is detectable at the enclave network level. Monitor for ARP spoofing and gratuitous ARP broadcasts. Detecting compromised network devices is a bit more challenging. Auditing administrator logins, configuration changes, and device images is required to detect malicious changes.\n\nIn cloud-based environments, monitor for the creation of new traffic mirrors or modification of existing traffic mirrors. For network infrastructure devices, collect AAA logging to monitor for the capture of network traffic.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows", + "Network", + "IaaS" + ], + "x_mitre_system_requirements": [ + "Network interface access and packet capture driver" + ], + "x_mitre_version": "1.5", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-07-10 15:48:01.560000+00:00\", \"old_value\": \"2023-04-12 23:31:49.085000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.5\", \"old_value\": \"1.4\"}}, \"iterable_item_added\": {\"root['x_mitre_contributors'][3]\": \"Itamar Mizrahi, Cymptom\"}}", + "previous_version": "1.4", + "version_change": "1.4 \u2192 1.5", + "changelog_mitigations": { + "shared": [ + "M1018: User Account Management", + "M1032: Multi-factor Authentication", + "M1041: Encrypt Sensitive Information" + ], + "new": [ + "M1030: Network Segmentation" + ], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0017: Command (Command Execution)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:31:10.728000+00:00", + "modified": "2023-09-29 21:07:31.570000+00:00", + "name": "Non-Application Layer Protocol", + "description": "Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).\n\nICMP communication between hosts is one example.(Citation: Cisco Synful Knock Evolution) Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts.(Citation: Microsoft ICMP) However, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "command-and-control" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1095", + "external_id": "T1095" + }, + { + "source_name": "University of Birmingham C2", + "description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.", + "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" + }, + { + "source_name": "Cisco Synful Knock Evolution", + "description": "Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020.", + "url": "https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices" + }, + { + "source_name": "Microsoft ICMP", + "description": "Microsoft. (n.d.). Internet Control Message Protocol (ICMP) Basics. Retrieved December 1, 2014.", + "url": "http://support.microsoft.com/KB/170292" + }, + { + "source_name": "Cisco Blog Legacy Device Attacks", + "description": "Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.", + "url": "https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954" + }, + { + "source_name": "Wikipedia OSI", + "description": "Wikipedia. (n.d.). List of network protocols (OSI model). Retrieved December 4, 2014.", + "url": "http://en.wikipedia.org/wiki/List_of_network_protocols_%28OSI_model%29" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Ryan Becwar", + "Duane Michael" + ], + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Traffic Flow" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Analyze network traffic for ICMP messages or other protocols that contain abnormal data or are not normally seen within or exiting the network.(Citation: Cisco Blog Legacy Device Attacks)\n\nAnalyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2) \n\nMonitor and investigate API calls to functions associated with enabling and/or utilizing alternative communication channels.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "x_mitre_version": "2.3", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-29 21:07:31.570000+00:00\", \"old_value\": \"2023-04-20 19:11:53.499000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.3\", \"old_value\": \"2.2\"}}}", + "previous_version": "2.2", + "version_change": "2.2 \u2192 2.3", + "changelog_mitigations": { + "shared": [ + "M1030: Network Segmentation", + "M1031: Network Intrusion Prevention", + "M1037: Filter Network Traffic" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0029: Network Traffic (Network Traffic Content)", + "DS0029: Network Traffic (Network Traffic Flow)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--65f2d882-3f41-4d48-8a06-29af77ec9f90", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-02-11 18:41:44.783000+00:00", + "modified": "2023-07-24 18:52:29.338000+00:00", + "name": "LSASS Memory", + "description": "Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct [Lateral Movement](https://attack.mitre.org/tactics/TA0008) using [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550).\n\nAs well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.\n\nFor example, on the target host use procdump:\n\n* procdump -ma lsass.exe lsass_dump\n\nLocally, mimikatz can be run using:\n\n* sekurlsa::Minidump lsassdump.dmp\n* sekurlsa::logonPasswords\n\nBuilt-in Windows tools such as comsvcs.dll can also be used:\n\n* rundll32.exe C:\\Windows\\System32\\comsvcs.dll MiniDump PID lsass.dmp full(Citation: Volexity Exchange Marauder March 2021)(Citation: Symantec Attacks Against Government Sector)\n\n\nWindows Security Support Provider (SSP) DLLs are loaded into LSASS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Security Packages and HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig\\Security Packages. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)\n\nThe following SSPs can be used to access credentials:\n\n* Msv: Interactive logons, batch logons, and service logons are done through the MSV authentication package.\n* Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges.(Citation: TechNet Blogs Credential Protection)\n* Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later.\n* CredSSP: Provides SSO and Network Level Authentication for Remote Desktop Services.(Citation: TechNet Blogs Credential Protection)\n", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "credential-access" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1003/001", + "external_id": "T1003.001" + }, + { + "source_name": "Medium Detecting Attempts to Steal Passwords from Memory", + "description": "French, D. (2018, October 2). Detecting Attempts to Steal Passwords from Memory. Retrieved October 11, 2019.", + "url": "https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea" + }, + { + "source_name": "Graeber 2014", + "description": "Graeber, M. (2014, October). Analysis of Malicious Security Support Provider DLLs. Retrieved March 1, 2017.", + "url": "http://docplayer.net/20839173-Analysis-of-malicious-security-support-provider-dlls.html" + }, + { + "source_name": "Volexity Exchange Marauder March 2021", + "description": "Gruzweig, J. et al. (2021, March 2). Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities. Retrieved March 3, 2021.", + "url": "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/" + }, + { + "source_name": "Powersploit", + "description": "PowerSploit. (n.d.). Retrieved December 4, 2014.", + "url": "https://github.com/mattifestation/PowerSploit" + }, + { + "source_name": "Symantec Attacks Against Government Sector", + "description": "Symantec. (2021, June 10). Attacks Against the Government Sector. Retrieved September 28, 2021.", + "url": "https://symantec.broadcom.com/hubfs/Attacks-Against-Government-Sector.pdf" + }, + { + "source_name": "TechNet Blogs Credential Protection", + "description": "Wilson, B. (2016, April 18). The Importance of KB2871997 and KB2928120 for Credential Protection. Retrieved April 11, 2018.", + "url": "https://blogs.technet.microsoft.com/askpfeplat/2016/04/18/the-importance-of-kb2871997-and-kb2928120-for-credential-protection/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Edward Millington", + "Ed Williams, Trustwave, SpiderLabs", + "Olaf Hartong, Falcon Force" + ], + "x_mitre_data_sources": [ + "Process: Process Access", + "Windows Registry: Windows Registry Key Modification", + "Process: Process Creation", + "Process: OS API Execution", + "Logon Session: Logon Session Creation", + "Command: Command Execution" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor for unexpected processes interacting with LSASS.exe.(Citation: Medium Detecting Attempts to Steal Passwords from Memory) Common credential dumpers such as Mimikatz access LSASS.exe by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective [Process Injection](https://attack.mitre.org/techniques/T1055) to reduce potential indicators of malicious activity.\n\nOn Windows 8.1 and Windows Server 2012 R2, monitor Windows Logs for LSASS.exe creation to verify that LSASS started as a protected process.\n\nMonitor processes and command-line arguments for program execution that may be indicative of credential dumping. Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module,(Citation: Powersploit) which may require additional logging features to be configured in the operating system to collect necessary information for analysis.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.3", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-07-24 18:52:29.338000+00:00\", \"old_value\": \"2023-04-03 18:54:21.492000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.3\", \"old_value\": \"1.2\"}}, \"iterable_item_added\": {\"root['x_mitre_contributors'][2]\": \"Olaf Hartong, Falcon Force\", \"root['x_mitre_data_sources'][1]\": \"Windows Registry: Windows Registry Key Modification\", \"root['x_mitre_data_sources'][4]\": \"Logon Session: Logon Session Creation\"}}", + "previous_version": "1.2", + "version_change": "1.2 \u2192 1.3", + "changelog_mitigations": { + "shared": [ + "M1017: User Training", + "M1025: Privileged Process Integrity", + "M1026: Privileged Account Management", + "M1027: Password Policies", + "M1028: Operating System Configuration", + "M1040: Behavior Prevention on Endpoint", + "M1043: Credential Access Protection" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (OS API Execution)", + "DS0009: Process (Process Access)", + "DS0009: Process (Process Creation)", + "DS0017: Command (Command Execution)" + ], + "new": [ + "DS0024: Windows Registry (Windows Registry Key Modification)", + "DS0028: Logon Session (Logon Session Creation)" + ], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--edf91964-b26e-4b4a-9600-ccacd7d7df24", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-02-11 18:42:35.572000+00:00", + "modified": "2023-07-28 14:41:38.908000+00:00", + "name": "NTDS", + "description": "Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in %SystemRoot%\\NTDS\\Ntds.dit of a domain controller.(Citation: Wikipedia Active Directory)\n\nIn addition to looking for NTDS files on active Domain Controllers, adversaries may search for backups that contain the same or similar information.(Citation: Metcalf 2015)\n\nThe following tools and techniques can be used to enumerate the NTDS file and the contents of the entire Active Directory hashes.\n\n* Volume Shadow Copy\n* secretsdump.py\n* Using the in-built Windows tool, ntdsutil.exe\n* Invoke-NinjaCopy\n", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "credential-access" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1003/003", + "external_id": "T1003.003" + }, + { + "source_name": "Metcalf 2015", + "description": "Metcalf, S. (2015, January 19). Attackers Can Now Use Mimikatz to Implant Skeleton Key on Domain Controllers & BackDoor Your Active Directory Forest. Retrieved February 3, 2015.", + "url": "http://adsecurity.org/?p=1275" + }, + { + "source_name": "Wikipedia Active Directory", + "description": "Wikipedia. (2018, March 10). Active Directory. Retrieved April 11, 2018.", + "url": "https://en.wikipedia.org/wiki/Active_Directory" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Ed Williams, Trustwave, SpiderLabs" + ], + "x_mitre_data_sources": [ + "Command: Command Execution", + "File: File Access" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor processes and command-line arguments for program execution that may be indicative of credential dumping, especially attempts to access or copy the NTDS.dit.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_system_requirements": [ + "Access to Domain Controller or backup" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_attack_spec_version']\": \"3.1.0\", \"root['x_mitre_deprecated']\": false}, \"dictionary_item_removed\": {\"root['x_mitre_permissions_required']\": [\"Administrator\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-07-28 14:41:38.908000+00:00\", \"old_value\": \"2022-03-08 21:00:52.774000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}}", + "previous_version": "1.1", + "version_change": "1.1 \u2192 1.2", + "changelog_mitigations": { + "shared": [ + "M1017: User Training", + "M1026: Privileged Account Management", + "M1027: Password Policies", + "M1041: Encrypt Sensitive Information" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0017: Command (Command Execution)", + "DS0022: File (File Access)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--1644e709-12d2-41e5-a60f-3470991f5011", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-02-11 18:42:07.281000+00:00", + "modified": "2023-07-24 18:53:10.860000+00:00", + "name": "Security Account Manager", + "description": "Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the net user command. Enumerating the SAM database requires SYSTEM level access.\n\nA number of tools can be used to retrieve the SAM file through in-memory techniques:\n\n* pwdumpx.exe\n* [gsecdump](https://attack.mitre.org/software/S0008)\n* [Mimikatz](https://attack.mitre.org/software/S0002)\n* secretsdump.py\n\nAlternatively, the SAM can be extracted from the Registry with Reg:\n\n* reg save HKLM\\sam sam\n* reg save HKLM\\system system\n\nCreddump7 can then be used to process the SAM database locally to retrieve hashes.(Citation: GitHub Creddump7)\n\nNotes: \n\n* RID 500 account is the local, built-in administrator.\n* RID 501 is the guest account.\n* User accounts start with a RID of 1,000+.\n", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "credential-access" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1003/002", + "external_id": "T1003.002" + }, + { + "source_name": "GitHub Creddump7", + "description": "Flathers, R. (2018, February 19). creddump7. Retrieved April 11, 2018.", + "url": "https://github.com/Neohapsis/creddump7" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Ed Williams, Trustwave, SpiderLabs", + "Olaf Hartong, Falcon Force" + ], + "x_mitre_data_sources": [ + "Command: Command Execution", + "File: File Access", + "Windows Registry: Windows Registry Key Access", + "File: File Creation" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Hash dumpers open the Security Accounts Manager (SAM) on the local file system (%SystemRoot%/system32/config/SAM) or create a dump of the Registry SAM key to access stored account password hashes. Some hash dumpers will open the local file system as a device and parse to the SAM table to avoid file access defenses. Others will make an in-memory copy of the SAM table before reading hashes. Detection of compromised [Valid Accounts](https://attack.mitre.org/techniques/T1078) in-use by adversaries may help as well.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-07-24 18:53:10.860000+00:00\", \"old_value\": \"2022-06-15 16:17:19.049000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['x_mitre_contributors'][1]\": \"Olaf Hartong, Falcon Force\", \"root['x_mitre_data_sources'][3]\": \"File: File Creation\"}}", + "previous_version": "1.0", + "version_change": "1.0 \u2192 1.1", + "changelog_mitigations": { + "shared": [ + "M1017: User Training", + "M1026: Privileged Account Management", + "M1027: Password Policies", + "M1028: Operating System Configuration" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0017: Command (Command Execution)", + "DS0022: File (File Access)", + "DS0024: Windows Registry (Windows Registry Key Access)" + ], + "new": [ + "DS0022: File (File Creation)" + ], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:30:32.662000+00:00", + "modified": "2023-08-28 19:17:53.015000+00:00", + "name": "Obfuscated Files or Information", + "description": "Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. \n\nPayloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) for [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also use compressed or archived scripts, such as JavaScript. \n\nPortions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. (Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016)\n\nAdversaries may also abuse [Command Obfuscation](https://attack.mitre.org/techniques/T1027/010) to obscure commands executed from payloads or directly via [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017)(Citation: PaloAlto EncodedCommand March 2017) ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1027", + "external_id": "T1027" + }, + { + "source_name": "Volexity PowerDuke November 2016", + "description": "Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.", + "url": "https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/" + }, + { + "source_name": "GitHub Revoke-Obfuscation", + "description": "Bohannon, D. (2017, July 27). Revoke-Obfuscation. Retrieved February 12, 2018.", + "url": "https://github.com/danielbohannon/Revoke-Obfuscation" + }, + { + "source_name": "FireEye Obfuscation June 2017", + "description": "Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018.", + "url": "https://web.archive.org/web/20170923102302/https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html" + }, + { + "source_name": "FireEye Revoke-Obfuscation July 2017", + "description": "Bohannon, D. & Holmes, L. (2017, July 27). Revoke-Obfuscation: PowerShell Obfuscation Detection Using Science. Retrieved February 12, 2018.", + "url": "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/revoke-obfuscation-report.pdf" + }, + { + "source_name": "GitHub Office-Crackros Aug 2016", + "description": "Carr, N. (2016, August 14). OfficeCrackros. Retrieved February 12, 2018.", + "url": "https://github.com/itsreallynick/office-crackros" + }, + { + "source_name": "Linux/Cdorked.A We Live Security Analysis", + "description": "Pierre-Marc Bureau. (2013, April 26). Linux/Cdorked.A: New Apache backdoor being used in the wild to serve Blackhole. Retrieved September 10, 2017.", + "url": "https://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/" + }, + { + "source_name": "Carbon Black Obfuscation Sept 2016", + "description": "Tedesco, B. (2016, September 23). Security Alert Summary. Retrieved February 12, 2018.", + "url": "https://www.carbonblack.com/2016/09/23/security-advisory-variants-well-known-adware-families-discovered-include-sophisticated-obfuscation-techniques-previously-associated-nation-state-attacks/" + }, + { + "source_name": "PaloAlto EncodedCommand March 2017", + "description": "White, J. (2017, March 10). Pulling Back the Curtains on EncodedCommand PowerShell Attacks. Retrieved February 12, 2018.", + "url": "https://researchcenter.paloaltonetworks.com/2017/03/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Red Canary", + "Christiaan Beek, @ChristiaanBeek" + ], + "x_mitre_data_sources": [ + "WMI: WMI Creation", + "Script: Script Execution", + "File: File Creation", + "Module: Module Load", + "Command: Command Execution", + "File: File Metadata", + "Process: OS API Execution", + "Windows Registry: Windows Registry Key Creation", + "Process: Process Creation" + ], + "x_mitre_defense_bypassed": [ + "Host Forensic Analysis", + "Signature-based Detection", + "Host Intrusion Prevention Systems", + "Application Control", + "Log Analysis" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Detection of file obfuscation is difficult unless artifacts are left behind by the obfuscation process that are uniquely detectable with a signature. If detection of the obfuscation itself is not possible, it may be possible to detect the malicious activity that caused the obfuscated file (for example, the method that was used to write, read, or modify the file on the file system). \n\nFlag and analyze commands containing indicators of obfuscation and known suspicious syntax such as uninterpreted escape characters like '''^''' and '''\"'''. Windows' Sysmon and Event ID 4688 displays command-line arguments for processes. Deobfuscation tools can be used to detect these indicators in files/payloads. (Citation: GitHub Revoke-Obfuscation) (Citation: FireEye Revoke-Obfuscation July 2017) (Citation: GitHub Office-Crackros Aug 2016) \n\nObfuscation used in payloads for Initial Access can be detected at the network. Use network intrusion detection systems and email gateway filtering to identify compressed and encrypted attachments and scripts. Some email attachment detonation systems can open compressed and encrypted attachments. Payloads delivered over an encrypted connection from a website require encrypted network traffic inspection. \n\nThe first detection of a malicious tool may trigger an anti-virus or other security tool alert. Similar events may also occur at the boundary through network IDS, email scanning appliance, etc. The initial detection should be treated as an indication of a potentially more invasive intrusion. The alerting system should be thoroughly investigated beyond that initial alert for activity that was not detected. Adversaries may continue with an operation, assuming that individual events like an anti-virus detect will not be investigated or that an analyst will not be able to conclusively link that event to other activity occurring on the network. ", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "x_mitre_version": "1.5", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-28 19:17:53.015000+00:00\", \"old_value\": \"2023-03-30 21:01:43.857000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.5\", \"old_value\": \"1.4\"}}}", + "previous_version": "1.4", + "version_change": "1.4 \u2192 1.5", + "changelog_mitigations": { + "shared": [ + "M1040: Behavior Prevention on Endpoint", + "M1047: Audit", + "M1049: Antivirus/Antimalware" + ], + "new": [ + "M1017: User Training" + ], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0005: WMI (WMI Creation)", + "DS0009: Process (OS API Execution)", + "DS0009: Process (Process Creation)", + "DS0011: Module (Module Load)", + "DS0012: Script (Script Execution)", + "DS0017: Command (Command Execution)", + "DS0022: File (File Creation)", + "DS0022: File (File Metadata)", + "DS0024: Windows Registry (Windows Registry Key Creation)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--0533ab23-3f7d-463f-9bd8-634d27e4dee1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2022-09-30 18:50:14.351000+00:00", + "modified": "2023-09-29 21:14:57.263000+00:00", + "name": "Embedded Payloads", + "description": "Adversaries may embed payloads within other files to conceal malicious content from defenses. Otherwise seemingly benign files (such as scripts and executables) may be abused to carry and obfuscate malicious payloads and content. In some cases, embedded payloads may also enable adversaries to [Subvert Trust Controls](https://attack.mitre.org/techniques/T1553) by not impacting execution controls such as digital signatures and notarization tickets.(Citation: Sentinel Labs) \n\nAdversaries may embed payloads in various file formats to hide payloads.(Citation: Microsoft Learn) This is similar to [Steganography](https://attack.mitre.org/techniques/T1027/003), though does not involve weaving malicious content into specific bytes and patterns related to legitimate digital media formats.(Citation: GitHub PSImage) \n\nFor example, adversaries have been observed embedding payloads within or as an overlay of an otherwise benign binary.(Citation: Securelist Dtrack2) Adversaries have also been observed nesting payloads (such as executables and run-only scripts) inside a file of the same format.(Citation: SentinelLabs reversing run-only applescripts 2021) \n\nEmbedded content may also be used as [Process Injection](https://attack.mitre.org/techniques/T1055) payloads used to infect benign system processes.(Citation: Trend Micro) These embedded then injected payloads may be used as part of the modules of malware designed to provide specific features such as encrypting C2 communications in support of an orchestrator module. For example, an embedded module may be injected into default browsers, allowing adversaries to then communicate via the network.(Citation: Malware Analysis Report ComRAT)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1027/009", + "external_id": "T1027.009" + }, + { + "source_name": "GitHub PSImage", + "description": "Barrett Adams . (n.d.). Invoke-PSImage . Retrieved September 30, 2022.", + "url": "https://github.com/peewpw/Invoke-PSImage" + }, + { + "source_name": "Malware Analysis Report ComRAT", + "description": "CISA. (2020, October 29). Malware Analysis Report (AR20-303A) MAR-10310246-2.v1 \u2013 PowerShell Script: ComRAT. Retrieved September 30, 2022.", + "url": "https://www.cisa.gov/uscert/ncas/analysis-reports/ar20-303a" + }, + { + "source_name": "Trend Micro", + "description": "Karen Victor. (2020, May 18). Reflective Loading Runs Netwalker Fileless Ransomware. Retrieved September 30, 2022.", + "url": "https://www.trendmicro.com/en_us/research/20/e/netwalker-fileless-ransomware-injected-via-reflective-loading.html" + }, + { + "source_name": "Securelist Dtrack2", + "description": "KONSTANTIN ZYKOV. (2019, September 23). Hello! My name is Dtrack. Retrieved September 30, 2022.", + "url": "https://securelist.com/my-name-is-dtrack/93338/" + }, + { + "source_name": "Microsoft Learn", + "description": "Microsoft. (2021, April 6). 2.5 ExtraData. Retrieved September 30, 2022.", + "url": "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-shllink/c41e062d-f764-4f13-bd4f-ea812ab9a4d1" + }, + { + "source_name": "SentinelLabs reversing run-only applescripts 2021", + "description": "Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. Retrieved September 29, 2022.", + "url": "https://www.sentinelone.com/labs/fade-dead-adventures-in-reversing-malicious-run-only-applescripts/" + }, + { + "source_name": "Sentinel Labs", + "description": "Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. Retrieved September 30, 2022.", + "url": "https://www.sentinelone.com/labs/fade-dead-adventures-in-reversing-malicious-run-only-applescripts/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Nick Cairns, @grotezinfosec" + ], + "x_mitre_data_sources": [ + "File: File Creation", + "File: File Metadata" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "macOS", + "Windows", + "Linux" + ], + "x_mitre_system_requirements": [ + "User" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-29 21:14:57.263000+00:00\", \"old_value\": \"2022-10-21 14:40:48.074000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}}", + "previous_version": "1.0", + "version_change": "1.0 \u2192 1.1", + "changelog_mitigations": { + "shared": [ + "M1040: Behavior Prevention on Endpoint", + "M1049: Antivirus/Antimalware" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0022: File (File Creation)", + "DS0022: File (File Metadata)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--d4dc46e3-5ba5-45b9-8204-010867cacfcb", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-05-20 12:20:42.219000+00:00", + "modified": "2023-07-14 14:01:41.475000+00:00", + "name": "HTML Smuggling", + "description": "Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files. HTML documents can store large binary objects known as JavaScript Blobs (immutable data that represents raw bytes) that can later be constructed into file-like objects. Data may also be stored in Data URLs, which enable embedding media type or MIME files inline of HTML documents. HTML5 also introduced a download attribute that may be used to initiate file downloads.(Citation: HTML Smuggling Menlo Security 2020)(Citation: Outlflank HTML Smuggling 2018)\n\nAdversaries may deliver payloads to victims that bypass security controls through HTML Smuggling by abusing JavaScript Blobs and/or HTML5 download attributes. Security controls such as web content filters may not identify smuggled malicious files inside of HTML/JS files, as the content may be based on typically benign MIME types such as text/plain and/or text/html. Malicious files or data can be obfuscated and hidden inside of HTML files through Data URLs and/or JavaScript Blobs and can be deobfuscated when they reach the victim (i.e. [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140)), potentially bypassing content filters.\n\nFor example, JavaScript Blobs can be abused to dynamically generate malicious files in the victim machine and may be dropped to disk by abusing JavaScript functions such as msSaveBlob.(Citation: HTML Smuggling Menlo Security 2020)(Citation: MSTIC NOBELIUM May 2021)(Citation: Outlflank HTML Smuggling 2018)(Citation: nccgroup Smuggling HTA 2017)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1027/006", + "external_id": "T1027.006" + }, + { + "source_name": "Outlflank HTML Smuggling 2018", + "description": "Hegt, S. (2018, August 14). HTML smuggling explained. Retrieved May 20, 2021.", + "url": "https://outflank.nl/blog/2018/08/14/html-smuggling-explained/" + }, + { + "source_name": "MSTIC NOBELIUM May 2021", + "description": "Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021.", + "url": "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/" + }, + { + "source_name": "HTML Smuggling Menlo Security 2020", + "description": "Subramanian, K. (2020, August 18). New HTML Smuggling Attack Alert: Duri. Retrieved May 20, 2021.", + "url": "https://www.menlosecurity.com/blog/new-attack-alert-duri" + }, + { + "source_name": "nccgroup Smuggling HTA 2017", + "description": "Warren, R. (2017, August 8). Smuggling HTA files in Internet Explorer/Edge. Retrieved May 20, 2021.", + "url": "https://research.nccgroup.com/2017/08/08/smuggling-hta-files-in-internet-explorer-edge/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Stan Hegt, Outflank", + "Jonathan Boucher, @crash_wave, Bank of Canada", + "Krishnan Subramanian, @krish203", + "Vinay Pidathala" + ], + "x_mitre_data_sources": [ + "File: File Creation" + ], + "x_mitre_defense_bypassed": [ + "Anti-virus", + "Web Content Filters", + "Static File Analysis" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Detection of HTML Smuggling is difficult as HTML5 and JavaScript attributes are used by legitimate services and applications. HTML Smuggling can be performed in many ways via JavaScript, developing rules for the different variants, with a combination of different encoding and/or encryption schemes, may be very challenging.(Citation: Outlflank HTML Smuggling 2018) Detecting specific JavaScript and/or HTML5 attribute strings such as Blob, msSaveOrOpenBlob, and/or download may be a good indicator of HTML Smuggling. These strings may also be used by legitimate services therefore it is possible to raise false positives.\n\nConsider monitoring files downloaded from the Internet, possibly by HTML Smuggling, for suspicious activities. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "Linux", + "macOS" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-07-14 14:01:41.475000+00:00\", \"old_value\": \"2022-05-19 16:29:47.637000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}}", + "previous_version": "1.0", + "version_change": "1.0 \u2192 1.1", + "changelog_mitigations": { + "shared": [], + "new": [ + "M1048: Application Isolation and Sandboxing" + ], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0022: File (File Creation)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--a62a8db3-f23a-4d8f-afd6-9dbc77e7813b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-03-02 18:45:07.892000+00:00", + "modified": "2023-09-08 20:27:52.947000+00:00", + "name": "Phishing", + "description": "Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.\n\nAdversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source, as well as evasive techniques such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation: Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014) Another way to accomplish this is by forging or spoofing(Citation: Proofpoint-spoof) the identity of the sender which can be used to fool both the human recipient as well as automated security tools.(Citation: cyberproof-double-bounce) \n\nVictims may also receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware,(Citation: sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software) or install adversary-accessible remote management tools onto their computer (i.e., [User Execution](https://attack.mitre.org/techniques/T1204)).(Citation: Unit42 Luna Moth)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "initial-access" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1566", + "external_id": "T1566" + }, + { + "source_name": "ACSC Email Spoofing", + "description": "Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.", + "url": "https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf" + }, + { + "source_name": "CISA Remote Monitoring and Management Software", + "description": "CISA. (n.d.). Protecting Against Malicious Use of Remote Monitoring and Management Software. Retrieved February 2, 2023.", + "url": "https://www.cisa.gov/uscert/ncas/alerts/aa23-025a" + }, + { + "source_name": "cyberproof-double-bounce", + "description": "Itkin, Liora. (2022, September 1). Double-bounced attacks with email spoofing . Retrieved February 24, 2023.", + "url": "https://blog.cyberproof.com/blog/double-bounced-attacks-with-email-spoofing-2022-trends" + }, + { + "source_name": "Unit42 Luna Moth", + "description": "Kristopher Russo. (n.d.). Luna Moth Callback Phishing Campaign. Retrieved February 2, 2023.", + "url": "https://unit42.paloaltonetworks.com/luna-moth-callback-phishing/" + }, + { + "source_name": "Microsoft Anti Spoofing", + "description": "Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020.", + "url": "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide" + }, + { + "source_name": "Microsoft OAuth Spam 2022", + "description": "Microsoft. (2023, September 22). Malicious OAuth applications abuse cloud email services to spread spam. Retrieved March 13, 2023.", + "url": "https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/" + }, + { + "source_name": "sygnia Luna Month", + "description": "Oren Biderman, Tomer Lahiyani, Noam Lifshitz, Ori Porag. (n.d.). LUNA MOTH: THE THREAT ACTORS BEHIND RECENT FALSE SUBSCRIPTION SCAMS. Retrieved February 2, 2023.", + "url": "https://blog.sygnia.co/luna-moth-false-subscription-scams" + }, + { + "source_name": "Proofpoint-spoof", + "description": "Proofpoint. (n.d.). What Is Email Spoofing?. Retrieved February 24, 2023.", + "url": "https://www.proofpoint.com/us/threat-reference/email-spoofing" + }, + { + "source_name": "Palo Alto Unit 42 VBA Infostealer 2014", + "description": "Vicky Ray and Rob Downs. (2014, October 29). Examining a VBA-Initiated Infostealer Campaign. Retrieved March 13, 2023.", + "url": "https://unit42.paloaltonetworks.com/examining-vba-initiated-infostealer-campaign/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Philip Winther", + "Ohad Zaidenberg, @ohad_mz", + "Liora Itkin", + "Liran Ravich, CardinalOps", + "Scott Cook, Capital One" + ], + "x_mitre_data_sources": [ + "File: File Creation", + "Network Traffic: Network Traffic Flow", + "Application Log: Application Log Content", + "Network Traffic: Network Traffic Content" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Network intrusion detection systems and email gateways can be used to detect phishing with malicious attachments in transit. Detonation chambers may also be used to identify malicious attachments. Solutions can be signature and behavior based, but adversaries may construct attachments in a way to avoid these systems.\n\nFiltering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)\n\nURL inspection within email (including expanding shortened links) can help detect links leading to known malicious sites. Detonation chambers can be used to detect these links and either automatically go to these sites to determine if they're potentially malicious, or wait and capture the content if a user visits the link.\n\nBecause most common third-party services used for phishing via service leverage TLS encryption, SSL/TLS inspection is generally required to detect the initial communication/delivery. With SSL/TLS inspection intrusion detection signatures or other security gateway appliances may be able to detect malware.\n\nAnti-virus can potentially detect malicious documents and files that are downloaded on the user's computer. Many possible detections of follow-on behavior may take place once [User Execution](https://attack.mitre.org/techniques/T1204) occurs.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows", + "SaaS", + "Office 365", + "Google Workspace" + ], + "x_mitre_version": "2.4", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-08 20:27:52.947000+00:00\", \"old_value\": \"2023-04-14 17:42:15.871000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.4\", \"old_value\": \"2.3\"}}}", + "previous_version": "2.3", + "version_change": "2.3 \u2192 2.4", + "changelog_mitigations": { + "shared": [ + "M1017: User Training", + "M1021: Restrict Web-Based Content", + "M1031: Network Intrusion Prevention", + "M1049: Antivirus/Antimalware", + "M1054: Software Configuration" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0015: Application Log (Application Log Content)", + "DS0022: File (File Creation)", + "DS0029: Network Traffic (Network Traffic Content)", + "DS0029: Network Traffic (Network Traffic Flow)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-03-02 19:15:44.182000+00:00", + "modified": "2023-09-06 14:08:51.616000+00:00", + "name": "Spearphishing Link", + "description": "Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.\n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place.\n\nAdversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly. Additionally, adversaries may use seemingly benign links that abuse special characters to mimic legitimate websites (known as an \"IDN homograph attack\").(Citation: CISA IDN ST05-016) URLs may also be obfuscated by taking advantage of quirks in the URL schema, such as the acceptance of integer- or hexadecimal-based hostname formats and the automatic discarding of text before an \u201c@\u201d symbol: for example, `hxxp://google.com@1157586937`.(Citation: Mandiant URL Obfuscation 2023)\n\nAdversaries may also utilize links to perform consent phishing, typically with OAuth 2.0 request URLs that when accepted by the user provide permissions/access for malicious applications, allowing adversaries to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s.(Citation: Trend Micro Pawn Storm OAuth 2017) These stolen access tokens allow the adversary to perform various actions on behalf of the user via API calls. (Citation: Microsoft OAuth 2.0 Consent Phishing 2021)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "initial-access" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1566/002", + "external_id": "T1566.002" + }, + { + "source_name": "ACSC Email Spoofing", + "description": "Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.", + "url": "https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf" + }, + { + "source_name": "CISA IDN ST05-016", + "description": "CISA. (2019, September 27). Security Tip (ST05-016): Understanding Internationalized Domain Names. Retrieved October 20, 2020.", + "url": "https://us-cert.cisa.gov/ncas/tips/ST05-016" + }, + { + "source_name": "Trend Micro Pawn Storm OAuth 2017", + "description": "Hacquebord, F.. (2017, April 25). Pawn Storm Abuses Open Authentication in Advanced Social Engineering Attacks. Retrieved October 4, 2019.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-abuses-open-authentication-advanced-social-engineering-attacks" + }, + { + "source_name": "Microsoft OAuth 2.0 Consent Phishing 2021", + "description": "Microsoft 365 Defender Threat Intelligence Team. (2021, June 14). Microsoft delivers comprehensive solution to battle rise in consent phishing emails. Retrieved December 13, 2021.", + "url": "https://www.microsoft.com/security/blog/2021/07/14/microsoft-delivers-comprehensive-solution-to-battle-rise-in-consent-phishing-emails/" + }, + { + "source_name": "Microsoft Anti Spoofing", + "description": "Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020.", + "url": "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide" + }, + { + "source_name": "Mandiant URL Obfuscation 2023", + "description": "Nick Simonian. (2023, May 22). Don't @ Me: URL Obfuscation Through Schema Abuse. Retrieved August 4, 2023.", + "url": "https://www.mandiant.com/resources/blog/url-obfuscation-schema-abuse" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Philip Winther", + "Shailesh Tiwary (Indian Army)", + "Mark Wee", + "Jeff Sakowicz, Microsoft Identity Developer Platform Services (IDPM Services)", + "Saisha Agrawal, Microsoft Threat Intelligent Center (MSTIC)", + "Kobi Haimovich, CardinalOps", + "Menachem Goldstein" + ], + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Flow", + "Application Log: Application Log Content", + "Network Traffic: Network Traffic Content" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "URL inspection within email (including expanding shortened links) can help detect links leading to known malicious sites as well as links redirecting to adversary infrastructure based by upon suspicious OAuth patterns with unusual TLDs.(Citation: Microsoft OAuth 2.0 Consent Phishing 2021). Detonation chambers can be used to detect these links and either automatically go to these sites to determine if they're potentially malicious, or wait and capture the content if a user visits the link.\n\nFiltering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)\n\nBecause this technique usually involves user interaction on the endpoint, many of the possible detections take place once [User Execution](https://attack.mitre.org/techniques/T1204) occurs.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows", + "Office 365", + "SaaS", + "Google Workspace" + ], + "x_mitre_version": "2.5", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-06 14:08:51.616000+00:00\", \"old_value\": \"2023-04-11 00:44:21.193000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.\\n\\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place.\\n\\nAdversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly. Additionally, adversaries may use seemingly benign links that abuse special characters to mimic legitimate websites (known as an \\\"IDN homograph attack\\\").(Citation: CISA IDN ST05-016) URLs may also be obfuscated by taking advantage of quirks in the URL schema, such as the acceptance of integer- or hexadecimal-based hostname formats and the automatic discarding of text before an \\u201c@\\u201d symbol: for example, `hxxp://google.com@1157586937`.(Citation: Mandiant URL Obfuscation 2023)\\n\\nAdversaries may also utilize links to perform consent phishing, typically with OAuth 2.0 request URLs that when accepted by the user provide permissions/access for malicious applications, allowing adversaries to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s.(Citation: Trend Micro Pawn Storm OAuth 2017) These stolen access tokens allow the adversary to perform various actions on behalf of the user via API calls. (Citation: Microsoft OAuth 2.0 Consent Phishing 2021)\", \"old_value\": \"Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.\\n\\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place. Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly. Additionally, adversaries may use seemingly benign links that abuse special characters to mimic legitimate websites (known as an \\\"IDN homograph attack\\\").(Citation: CISA IDN ST05-016)\\n\\nAdversaries may also utilize links to perform consent phishing, typically with OAuth 2.0 request URLs that when accepted by the user provide permissions/access for malicious applications, allowing adversaries to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s.(Citation: Trend Micro Pawn Storm OAuth 2017) These stolen access tokens allow the adversary to perform various actions on behalf of the user via API calls. (Citation: Microsoft OAuth 2.0 Consent Phishing 2021)\", \"diff\": \"--- \\n+++ \\n@@ -1,5 +1,7 @@\\n Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.\\n \\n-All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place. Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly. Additionally, adversaries may use seemingly benign links that abuse special characters to mimic legitimate websites (known as an \\\"IDN homograph attack\\\").(Citation: CISA IDN ST05-016)\\n+All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place.\\n+\\n+Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly. Additionally, adversaries may use seemingly benign links that abuse special characters to mimic legitimate websites (known as an \\\"IDN homograph attack\\\").(Citation: CISA IDN ST05-016) URLs may also be obfuscated by taking advantage of quirks in the URL schema, such as the acceptance of integer- or hexadecimal-based hostname formats and the automatic discarding of text before an \\u201c@\\u201d symbol: for example, `hxxp://google.com@1157586937`.(Citation: Mandiant URL Obfuscation 2023)\\n \\n Adversaries may also utilize links to perform consent phishing, typically with OAuth 2.0 request URLs that when accepted by the user provide permissions/access for malicious applications, allowing adversaries to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s.(Citation: Trend Micro Pawn Storm OAuth 2017) These stolen access tokens allow the adversary to perform various actions on behalf of the user via API calls. (Citation: Microsoft OAuth 2.0 Consent Phishing 2021)\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.5\", \"old_value\": \"2.4\"}}, \"iterable_item_added\": {\"root['external_references'][6]\": {\"source_name\": \"Mandiant URL Obfuscation 2023\", \"description\": \"Nick Simonian. (2023, May 22). Don't @ Me: URL Obfuscation Through Schema Abuse. Retrieved August 4, 2023.\", \"url\": \"https://www.mandiant.com/resources/blog/url-obfuscation-schema-abuse\"}}}", + "previous_version": "2.4", + "version_change": "2.4 \u2192 2.5", + "description_change_table": "\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n

    		Old Description
    		New Description
    t1Adversaries may send spearphishing emails with a malicious lt1Adversaries may send spearphishing emails with a malicious l
    >ink in an attempt to gain access to victim systems. Spearphi>ink in an attempt to gain access to victim systems. Spearphi
    >shing with a link is a specific variant of spearphishing. It>shing with a link is a specific variant of spearphishing. It
    > is different from other forms of spearphishing in that it e> is different from other forms of spearphishing in that it e
    >mploys the use of links to download malware contained in ema>mploys the use of links to download malware contained in ema
    >il, instead of attaching malicious files to the email itself>il, instead of attaching malicious files to the email itself
    >, to avoid defenses that may inspect email attachments. Spea>, to avoid defenses that may inspect email attachments. Spea
    >rphishing may also involve social engineering techniques, su>rphishing may also involve social engineering techniques, su
    >ch as posing as a trusted source.  All forms of spearphishin>ch as posing as a trusted source.  All forms of spearphishin
    >g are electronically delivered social engineering targeted a>g are electronically delivered social engineering targeted a
    >t a specific individual, company, or industry. In this case,>t a specific individual, company, or industry. In this case,
    > the malicious emails contain links. Generally, the links wi> the malicious emails contain links. Generally, the links wi
    >ll be accompanied by social engineering text and require the>ll be accompanied by social engineering text and require the
    > user to actively click or copy and paste a URL into a brows> user to actively click or copy and paste a URL into a brows
    >er, leveraging [User Execution](https://attack.mitre.org/tec>er, leveraging [User Execution](https://attack.mitre.org/tec
    >hniques/T1204). The visited website may compromise the web b>hniques/T1204). The visited website may compromise the web b
    >rowser using an exploit, or the user will be prompted to dow>rowser using an exploit, or the user will be prompted to dow
    >nload applications, documents, zip files, or even executable>nload applications, documents, zip files, or even executable
    >s depending on the pretext for the email in the first place.>s depending on the pretext for the email in the first place.
    > Adversaries may also include links that are intended to int>  Adversaries may also include links that are intended to in
    >eract directly with an email reader, including embedded imag>teract directly with an email reader, including embedded ima
    >es intended to exploit the end system directly. Additionally>ges intended to exploit the end system directly. Additionall
    >, adversaries may use seemingly benign links that abuse spec>y, adversaries may use seemingly benign links that abuse spe
    >ial characters to mimic legitimate websites (known as an \"ID>cial characters to mimic legitimate websites (known as an \"I
    >N homograph attack\").(Citation: CISA IDN ST05-016)  Adversar>DN homograph attack\").(Citation: CISA IDN ST05-016) URLs may
    >ies may also utilize links to perform consent phishing, typi> also be obfuscated by taking advantage of quirks in the URL
    >cally with OAuth 2.0 request URLs that when accepted by the > schema, such as the acceptance of integer- or hexadecimal-b
    >user provide permissions/access for malicious applications, >ased hostname formats and the automatic discarding of text b
    >allowing adversaries to  [Steal Application Access Token](ht>efore an \u201c@\u201d symbol: for example, `hxxp://google.com@1157586
    >tps://attack.mitre.org/techniques/T1528)s.(Citation: Trend M>937`.(Citation: Mandiant URL Obfuscation 2023)  Adversaries 
    >icro Pawn Storm OAuth 2017) These stolen access tokens allow>may also utilize links to perform consent phishing, typicall
    > the adversary to perform various actions on behalf of the u>y with OAuth 2.0 request URLs that when accepted by the user
    >ser via API calls. (Citation: Microsoft OAuth 2.0 Consent Ph> provide permissions/access for malicious applications, allo
    >ishing 2021)>wing adversaries to  [Steal Application Access Token](https:
     >//attack.mitre.org/techniques/T1528)s.(Citation: Trend Micro
     > Pawn Storm OAuth 2017) These stolen access tokens allow the
     > adversary to perform various actions on behalf of the user 
     >via API calls. (Citation: Microsoft OAuth 2.0 Consent Phishi
     >ng 2021)
    ", + "changelog_mitigations": { + "shared": [ + "M1017: User Training", + "M1018: User Account Management", + "M1021: Restrict Web-Based Content", + "M1047: Audit", + "M1054: Software Configuration" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0015: Application Log (Application Log Content)", + "DS0029: Network Traffic (Network Traffic Content)", + "DS0029: Network Traffic (Network Traffic Flow)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--cca0ccb6-a068-4574-a722-b1556f86833a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-10-02 17:07:01.502000+00:00", + "modified": "2023-09-08 20:28:49.600000+00:00", + "name": "Phishing for Information", + "description": "Adversaries may send phishing messages to elicit sensitive information that can be used during targeting. Phishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Phishing for information is different from [Phishing](https://attack.mitre.org/techniques/T1566) in that the objective is gathering data from the victim rather than executing malicious code.\n\nAll forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass credential harvesting campaigns.\n\nAdversaries may also try to obtain information directly through the exchange of emails, instant messages, or other electronic conversation means.(Citation: ThreatPost Social Media Phishing)(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin)(Citation: Sophos Attachment)(Citation: GitHub Phishery) Victims may also receive phishing messages that direct them to call a phone number where the adversary attempts to collect confidential information.(Citation: Avertium callback phishing)\n\nPhishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages. Another way to accomplish this is by forging or spoofing(Citation: Proofpoint-spoof) the identity of the sender which can be used to fool both the human recipient as well as automated security tools.(Citation: cyberproof-double-bounce) \n\nPhishing for information may also involve evasive techniques, such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation: Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1598", + "external_id": "T1598" + }, + { + "source_name": "ACSC Email Spoofing", + "description": "Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.", + "url": "https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf" + }, + { + "source_name": "Avertium callback phishing", + "description": "Avertium. (n.d.). EVERYTHING YOU NEED TO KNOW ABOUT CALLBACK PHISHING. Retrieved February 2, 2023.", + "url": "https://www.avertium.com/resources/threat-reports/everything-you-need-to-know-about-callback-phishing" + }, + { + "source_name": "TrendMictro Phishing", + "description": "Babon, P. (2020, September 3). Tricky 'Forms' of Phishing. Retrieved October 20, 2020.", + "url": "https://www.trendmicro.com/en_us/research/20/i/tricky-forms-of-phishing.html" + }, + { + "source_name": "Sophos Attachment", + "description": "Ducklin, P. (2020, October 2). Serious Security: Phishing without links \u2013 when phishers bring along their own web pages. Retrieved October 20, 2020.", + "url": "https://nakedsecurity.sophos.com/2020/10/02/serious-security-phishing-without-links-when-phishers-bring-along-their-own-web-pages/" + }, + { + "source_name": "cyberproof-double-bounce", + "description": "Itkin, Liora. (2022, September 1). Double-bounced attacks with email spoofing . Retrieved February 24, 2023.", + "url": "https://blog.cyberproof.com/blog/double-bounced-attacks-with-email-spoofing-2022-trends" + }, + { + "source_name": "PCMag FakeLogin", + "description": "Kan, M. (2019, October 24). Hackers Try to Phish United Nations Staffers With Fake Login Pages. Retrieved October 20, 2020.", + "url": "https://www.pcmag.com/news/hackers-try-to-phish-united-nations-staffers-with-fake-login-pages" + }, + { + "source_name": "Microsoft Anti Spoofing", + "description": "Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020.", + "url": "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide" + }, + { + "source_name": "Microsoft OAuth Spam 2022", + "description": "Microsoft. (2023, September 22). Malicious OAuth applications abuse cloud email services to spread spam. Retrieved March 13, 2023.", + "url": "https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/" + }, + { + "source_name": "ThreatPost Social Media Phishing", + "description": "O'Donnell, L. (2020, October 20). Facebook: A Top Launching Pad For Phishing Attacks. Retrieved October 20, 2020.", + "url": "https://threatpost.com/facebook-launching-pad-phishing-attacks/160351/" + }, + { + "source_name": "Proofpoint-spoof", + "description": "Proofpoint. (n.d.). What Is Email Spoofing?. Retrieved February 24, 2023.", + "url": "https://www.proofpoint.com/us/threat-reference/email-spoofing" + }, + { + "source_name": "GitHub Phishery", + "description": "Ryan Hanson. (2016, September 24). phishery. Retrieved October 23, 2020.", + "url": "https://github.com/ryhanson/phishery" + }, + { + "source_name": "Palo Alto Unit 42 VBA Infostealer 2014", + "description": "Vicky Ray and Rob Downs. (2014, October 29). Examining a VBA-Initiated Infostealer Campaign. Retrieved March 13, 2023.", + "url": "https://unit42.paloaltonetworks.com/examining-vba-initiated-infostealer-campaign/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Philip Winther", + "Sebastian Salla, McAfee", + "Robert Simmons, @MalwareUtkonos", + "Ohad Zaidenberg, @ohad_mz", + "Liora Itkin", + "Liran Ravich, CardinalOps", + "Scott Cook, Capital One" + ], + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Content", + "Application Log: Application Log Content", + "Network Traffic: Network Traffic Flow" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Depending on the specific method of phishing, the detections can vary. Monitor for suspicious email activity, such as numerous accounts receiving messages from a single unusual/unknown sender. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)\n\nWhen it comes to following links, monitor for references to uncategorized or known-bad sites. URL inspection within email (including expanding shortened links) can also help detect links leading to known malicious sites.\n\nMonitor social media traffic for suspicious activity, including messages requesting information as well as abnormal file or data transfers (especially those involving unknown, or otherwise suspicious accounts).", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "PRE" + ], + "x_mitre_version": "1.3", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-08 20:28:49.600000+00:00\", \"old_value\": \"2023-04-14 17:42:38.063000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.3\", \"old_value\": \"1.2\"}}}", + "previous_version": "1.2", + "version_change": "1.2 \u2192 1.3", + "changelog_mitigations": { + "shared": [ + "M1017: User Training", + "M1054: Software Configuration" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0015: Application Log (Application Log Content)", + "DS0029: Network Traffic (Network Traffic Content)", + "DS0029: Network Traffic (Network Traffic Flow)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--2d3f5b3c-54ca-4f4d-bb1f-849346d31230", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-10-02 17:09:50.723000+00:00", + "modified": "2023-10-02 01:44:28.081000+00:00", + "name": "Spearphishing Link", + "description": "Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.\n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, the malicious emails contain links generally accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser.(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin) The given website may be a clone of a legitimate site (such as an online or corporate login portal) or may closely resemble a legitimate site in appearance and have a URL containing elements from the real site. URLs may also be obfuscated by taking advantage of quirks in the URL schema, such as the acceptance of integer- or hexadecimal-based hostname formats and the automatic discarding of text before an \u201c@\u201d symbol: for example, `hxxp://google.com@1157586937`.(Citation: Mandiant URL Obfuscation 2023)\n\nAdversaries may also link to \"web bugs\" or \"web beacons\" within phishing messages to verify the receipt of an email, while also potentially profiling and tracking victim information such as IP address.(Citation: NIST Web Bug)\n\nAdversaries may also be able to spoof a complete website using what is known as a \"browser-in-the-browser\" (BitB) attack. By generating a fake browser popup window with an HTML-based address bar that appears to contain a legitimate URL (such as an authentication portal), they may be able to prompt users to enter their credentials while bypassing typical URL verification methods.(Citation: ZScaler BitB 2020)(Citation: Mr. D0x BitB 2022)\n\nAdversaries can use phishing kits such as `EvilProxy` and `Evilginx2` to proxy the connection between the victim and the legitimate website. On a successful login, the victim is redirected to the legitimate website, while the adversary captures their session cookie (i.e., [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539)) in addition to their username and password. This may enable the adversary to then bypass MFA via [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004).(Citation: Proofpoint Human Factor)\n\nFrom the fake website, information is gathered in web forms and sent to the adversary. Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1598/003", + "external_id": "T1598.003" + }, + { + "source_name": "ACSC Email Spoofing", + "description": "Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.", + "url": "https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf" + }, + { + "source_name": "TrendMictro Phishing", + "description": "Babon, P. (2020, September 3). Tricky 'Forms' of Phishing. Retrieved October 20, 2020.", + "url": "https://www.trendmicro.com/en_us/research/20/i/tricky-forms-of-phishing.html" + }, + { + "source_name": "PCMag FakeLogin", + "description": "Kan, M. (2019, October 24). Hackers Try to Phish United Nations Staffers With Fake Login Pages. Retrieved October 20, 2020.", + "url": "https://www.pcmag.com/news/hackers-try-to-phish-united-nations-staffers-with-fake-login-pages" + }, + { + "source_name": "Microsoft Anti Spoofing", + "description": "Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020.", + "url": "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide" + }, + { + "source_name": "Mr. D0x BitB 2022", + "description": "mr.d0x. (2022, March 15). Browser In The Browser (BITB) Attack. Retrieved March 8, 2023.", + "url": "https://mrd0x.com/browser-in-the-browser-phishing-attack/" + }, + { + "source_name": "Mandiant URL Obfuscation 2023", + "description": "Nick Simonian. (2023, May 22). Don't @ Me: URL Obfuscation Through Schema Abuse. Retrieved August 4, 2023.", + "url": "https://www.mandiant.com/resources/blog/url-obfuscation-schema-abuse" + }, + { + "source_name": "NIST Web Bug", + "description": "NIST Information Technology Laboratory. (n.d.). web bug. Retrieved March 22, 2023.", + "url": "https://csrc.nist.gov/glossary/term/web_bug" + }, + { + "source_name": "Proofpoint Human Factor", + "description": "Proofpoint. (n.d.). The Human Factor 2023: Analyzing the cyber attack chain. Retrieved July 20, 2023.", + "url": "https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-human-factor-report.pdf" + }, + { + "source_name": "ZScaler BitB 2020", + "description": "ZScaler. (2020, February 11). Fake Sites Stealing Steam Credentials. Retrieved March 8, 2023.", + "url": "https://www.zscaler.com/blogs/security-research/fake-sites-stealing-steam-credentials" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Philip Winther", + "Sebastian Salla, McAfee", + "Menachem Goldstein", + "Robert Simmons, @MalwareUtkonos", + "Elpidoforos Maragkos, @emaragkos", + "Joas Antonio dos Santos, @C0d3Cr4zy", + "Austin Herrin" + ], + "x_mitre_data_sources": [ + "Application Log: Application Log Content", + "Network Traffic: Network Traffic Flow", + "Network Traffic: Network Traffic Content" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor for suspicious email activity, such as numerous accounts receiving messages from a single unusual/unknown sender. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)\n\nMonitor for references to uncategorized or known-bad sites. URL inspection within email (including expanding shortened links) can also help detect links leading to known malicious sites.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "PRE" + ], + "x_mitre_version": "1.5", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-02 01:44:28.081000+00:00\", \"old_value\": \"2023-04-15 17:38:48.406000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.\\n\\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, the malicious emails contain links generally accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser.(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin) The given website may be a clone of a legitimate site (such as an online or corporate login portal) or may closely resemble a legitimate site in appearance and have a URL containing elements from the real site. URLs may also be obfuscated by taking advantage of quirks in the URL schema, such as the acceptance of integer- or hexadecimal-based hostname formats and the automatic discarding of text before an \\u201c@\\u201d symbol: for example, `hxxp://google.com@1157586937`.(Citation: Mandiant URL Obfuscation 2023)\\n\\nAdversaries may also link to \\\"web bugs\\\" or \\\"web beacons\\\" within phishing messages to verify the receipt of an email, while also potentially profiling and tracking victim information such as IP address.(Citation: NIST Web Bug)\\n\\nAdversaries may also be able to spoof a complete website using what is known as a \\\"browser-in-the-browser\\\" (BitB) attack. By generating a fake browser popup window with an HTML-based address bar that appears to contain a legitimate URL (such as an authentication portal), they may be able to prompt users to enter their credentials while bypassing typical URL verification methods.(Citation: ZScaler BitB 2020)(Citation: Mr. D0x BitB 2022)\\n\\nAdversaries can use phishing kits such as `EvilProxy` and `Evilginx2` to proxy the connection between the victim and the legitimate website. On a successful login, the victim is redirected to the legitimate website, while the adversary captures their session cookie (i.e., [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539)) in addition to their username and password. This may enable the adversary to then bypass MFA via [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004).(Citation: Proofpoint Human Factor)\\n\\nFrom the fake website, information is gathered in web forms and sent to the adversary. Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures.\", \"old_value\": \"Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.\\n\\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, the malicious emails contain links generally accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser.(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin) The given website may be a clone of a legitimate site (such as an online or corporate login portal) or may closely resemble a legitimate site in appearance and have a URL containing elements from the real site.\\n\\nAdversaries may also link to \\\"web bugs\\\" or \\\"web beacons\\\" within phishing messages to verify the receipt of an email, while also potentially profiling and tracking victim information such as IP address.(Citation: NIST Web Bug)\\n\\nAdversaries may also be able to spoof a complete website using what is known as a \\\"browser-in-the-browser\\\" (BitB) attack. By generating a fake browser popup window with an HTML-based address bar that appears to contain a legitimate URL (such as an authentication portal), they may be able to prompt users to enter their credentials while bypassing typical URL verification methods.(Citation: ZScaler BitB 2020)(Citation: Mr. D0x BitB 2022)\\n\\nFrom the fake website, information is gathered in web forms and sent to the adversary. Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures.\", \"diff\": \"--- \\n+++ \\n@@ -1,9 +1,11 @@\\n Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.\\n \\n-All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, the malicious emails contain links generally accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser.(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin) The given website may be a clone of a legitimate site (such as an online or corporate login portal) or may closely resemble a legitimate site in appearance and have a URL containing elements from the real site.\\n+All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, the malicious emails contain links generally accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser.(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin) The given website may be a clone of a legitimate site (such as an online or corporate login portal) or may closely resemble a legitimate site in appearance and have a URL containing elements from the real site. URLs may also be obfuscated by taking advantage of quirks in the URL schema, such as the acceptance of integer- or hexadecimal-based hostname formats and the automatic discarding of text before an \\u201c@\\u201d symbol: for example, `hxxp://google.com@1157586937`.(Citation: Mandiant URL Obfuscation 2023)\\n \\n Adversaries may also link to \\\"web bugs\\\" or \\\"web beacons\\\" within phishing messages to verify the receipt of an email, while also potentially profiling and tracking victim information such as IP address.(Citation: NIST Web Bug)\\n \\n Adversaries may also be able to spoof a complete website using what is known as a \\\"browser-in-the-browser\\\" (BitB) attack. By generating a fake browser popup window with an HTML-based address bar that appears to contain a legitimate URL (such as an authentication portal), they may be able to prompt users to enter their credentials while bypassing typical URL verification methods.(Citation: ZScaler BitB 2020)(Citation: Mr. D0x BitB 2022)\\n \\n+Adversaries can use phishing kits such as `EvilProxy` and `Evilginx2` to proxy the connection between the victim and the legitimate website. On a successful login, the victim is redirected to the legitimate website, while the adversary captures their session cookie (i.e., [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539)) in addition to their username and password. This may enable the adversary to then bypass MFA via [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004).(Citation: Proofpoint Human Factor)\\n+\\n From the fake website, information is gathered in web forms and sent to the adversary. Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures.\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.5\", \"old_value\": \"1.4\"}}, \"iterable_item_added\": {\"root['external_references'][6]\": {\"source_name\": \"Mandiant URL Obfuscation 2023\", \"description\": \"Nick Simonian. (2023, May 22). Don't @ Me: URL Obfuscation Through Schema Abuse. Retrieved August 4, 2023.\", \"url\": \"https://www.mandiant.com/resources/blog/url-obfuscation-schema-abuse\"}, \"root['external_references'][8]\": {\"source_name\": \"Proofpoint Human Factor\", \"description\": \"Proofpoint. (n.d.). The Human Factor 2023: Analyzing the cyber attack chain. Retrieved July 20, 2023.\", \"url\": \"https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-human-factor-report.pdf\"}, \"root['x_mitre_contributors'][6]\": \"Austin Herrin\"}}", + "previous_version": "1.4", + "version_change": "1.4 \u2192 1.5", + "description_change_table": "\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n

    		Old Description
    		New Description
    t1Adversaries may send spearphishing messages with a malicioust1Adversaries may send spearphishing messages with a malicious
    > link to elicit sensitive information that can be used durin> link to elicit sensitive information that can be used durin
    >g targeting. Spearphishing for information is an attempt to >g targeting. Spearphishing for information is an attempt to 
    >trick targets into divulging information, frequently credent>trick targets into divulging information, frequently credent
    >ials or other actionable information. Spearphishing for info>ials or other actionable information. Spearphishing for info
    >rmation frequently involves social engineering techniques, s>rmation frequently involves social engineering techniques, s
    >uch as posing as a source with a reason to collect informati>uch as posing as a source with a reason to collect informati
    >on (ex: [Establish Accounts](https://attack.mitre.org/techni>on (ex: [Establish Accounts](https://attack.mitre.org/techni
    >ques/T1585) or [Compromise Accounts](https://attack.mitre.or>ques/T1585) or [Compromise Accounts](https://attack.mitre.or
    >g/techniques/T1586)) and/or sending multiple, seemingly urge>g/techniques/T1586)) and/or sending multiple, seemingly urge
    >nt messages.  All forms of spearphishing are electronically >nt messages.  All forms of spearphishing are electronically 
    >delivered social engineering targeted at a specific individu>delivered social engineering targeted at a specific individu
    >al, company, or industry. In this scenario, the malicious em>al, company, or industry. In this scenario, the malicious em
    >ails contain links generally accompanied by social engineeri>ails contain links generally accompanied by social engineeri
    >ng text to coax the user to actively click or copy and paste>ng text to coax the user to actively click or copy and paste
    > a URL into a browser.(Citation: TrendMictro Phishing)(Citat> a URL into a browser.(Citation: TrendMictro Phishing)(Citat
    >ion: PCMag FakeLogin) The given website may be a clone of a >ion: PCMag FakeLogin) The given website may be a clone of a 
    >legitimate site (such as an online or corporate login portal>legitimate site (such as an online or corporate login portal
    >) or may closely resemble a legitimate site in appearance an>) or may closely resemble a legitimate site in appearance an
    >d have a URL containing elements from the real site.  Advers>d have a URL containing elements from the real site. URLs ma
    >aries may also link to \"web bugs\" or \"web beacons\" within ph>y also be obfuscated by taking advantage of quirks in the UR
    >ishing messages to verify the receipt of an emailwhile als>L schemasuch as the acceptance of integer- or hexadecimal-
    >o potentially profiling and tracking victim information such>based hostname formats and the automatic discarding of text 
    > as IP address.(Citation: NIST Web Bug)  Adversaries may als>before an \u201c@\u201d symbol: for example, `hxxp://google.com@115758
    >o be able to spoof a complete website using what is known as>6937`.(Citation: Mandiant URL Obfuscation 2023)  Adversaries
    > a \"browser-in-the-browser\" (BitB) attack. By generating a f> may also link to \"web bugs\" or \"web beacons\" within phishin
    >ake browser popup window with an HTML-based address bar that>g messages to verify the receipt of an email, while also pot
    > appears to contain a legitimate URL (such as an authenticat>entially profiling and tracking victim information such as I
    >ion portal), they may be able to prompt users to enter their>P address.(Citation: NIST Web Bug)  Adversaries may also be 
    > credentials while bypassing typical URL verification method>able to spoof a complete website using what is known as a \"b
    >s.(Citation: ZScaler BitB 2020)(Citation: Mr. D0x BitB 2022)>rowser-in-the-browser\" (BitB) attack. By generating a fake b
    >  From the fake website, information is gathered in web form>rowser popup window with an HTML-based address bar that appe
    >s and sent to the adversary. Adversaries may also use inform>ars to contain a legitimate URL (such as an authentication p
    >ation from previous reconnaissance efforts (ex: [Search Open>ortal), they may be able to prompt users to enter their cred
    > Websites/Domains](https://attack.mitre.org/techniques/T1593>entials while bypassing typical URL verification methods.(Ci
    >) or [Search Victim-Owned Websites](https://attack.mitre.org>tation: ZScaler BitB 2020)(Citation: Mr. D0x BitB 2022)  Adv
    >/techniques/T1594)) to craft persuasive and believable lures>ersaries can use phishing kits such as `EvilProxy` and `Evil
    >.>ginx2` to proxy the connection between the victim and the le
     >gitimate website. On a successful login, the victim is redir
     >ected to the legitimate website, while the adversary capture
     >s their session cookie (i.e., [Steal Web Session Cookie](htt
     >ps://attack.mitre.org/techniques/T1539)) in addition to thei
     >r username and password. This may enable the adversary to th
     >en bypass MFA via [Web Session Cookie](https://attack.mitre.
     >org/techniques/T1550/004).(Citation: Proofpoint Human Factor
     >)  From the fake website, information is gathered in web for
     >ms and sent to the adversary. Adversaries may also use infor
     >mation from previous reconnaissance efforts (ex: [Search Ope
     >n Websites/Domains](https://attack.mitre.org/techniques/T159
     >3) or [Search Victim-Owned Websites](https://attack.mitre.or
     >g/techniques/T1594)) to craft persuasive and believable lure
     >s.
    ", + "changelog_mitigations": { + "shared": [ + "M1017: User Training", + "M1054: Software Configuration" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0015: Application Log (Application Log Content)", + "DS0029: Network Traffic (Network Traffic Content)", + "DS0029: Network Traffic (Network Traffic Flow)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:30:48.728000+00:00", + "modified": "2023-08-11 21:40:56.448000+00:00", + "name": "Process Discovery", + "description": "Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nIn Windows environments, adversaries could obtain details on running processes using the [Tasklist](https://attack.mitre.org/software/S0057) utility via [cmd](https://attack.mitre.org/software/S0106) or Get-Process via [PowerShell](https://attack.mitre.org/techniques/T1059/001). Information about processes can also be extracted from the output of [Native API](https://attack.mitre.org/techniques/T1106) calls such as CreateToolhelp32Snapshot. In Mac and Linux, this is accomplished with the ps command. Adversaries may also opt to enumerate processes via /proc.\n\nOn network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show processes` can be used to display current running processes.(Citation: US-CERT-TA18-106A)(Citation: show_processes_cisco_cmd)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "discovery" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1057", + "external_id": "T1057" + }, + { + "source_name": "show_processes_cisco_cmd", + "description": "Cisco. (2022, August 16). show processes - . Retrieved July 13, 2022.", + "url": "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fundamentals/command/cf_command_ref/show_monitor_permit_list_through_show_process_memory.html#wp3599497760" + }, + { + "source_name": "US-CERT-TA18-106A", + "description": "US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.", + "url": "https://www.us-cert.gov/ncas/alerts/TA18-106A" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Austin Clark, @c2defense" + ], + "x_mitre_data_sources": [ + "Process: Process Creation", + "Process: OS API Execution", + "Command: Command Execution" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nNormal, benign system and network events that look like process discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\n\nFor network infrastructure devices, collect AAA logging to monitor for `show` commands being run by non-standard users from non-standard locations.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows", + "Network" + ], + "x_mitre_system_requirements": [ + "Administrator, SYSTEM may provide better process ownership details" + ], + "x_mitre_version": "1.4", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-11 21:40:56.448000+00:00\", \"old_value\": \"2023-04-12 23:34:02.125000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.4\", \"old_value\": \"1.3\"}}}", + "previous_version": "1.3", + "version_change": "1.3 \u2192 1.4", + "changelog_mitigations": { + "shared": [], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (OS API Execution)", + "DS0009: Process (Process Creation)", + "DS0017: Command (Command Execution)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--f4599aa0-4f85-4a32-80ea-fc39dc965945", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-01-14 01:26:08.145000+00:00", + "modified": "2023-08-11 21:34:38.558000+00:00", + "name": "Dynamic-link Library Injection", + "description": "Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is a method of executing arbitrary code in the address space of a separate live process. \n\nDLL injection is commonly performed by writing the path to a DLL in the virtual address space of the target process before loading the DLL by invoking a new thread. The write can be performed with native Windows API calls such as VirtualAllocEx and WriteProcessMemory, then invoked with CreateRemoteThread (which calls the LoadLibrary API responsible for loading the DLL). (Citation: Elastic Process Injection July 2017) \n\nVariations of this method such as reflective DLL injection (writing a self-mapping DLL into a process) and memory module (map DLL when writing into process) overcome the address relocation issue as well as the additional APIs to invoke execution (since these methods load and execute the files in memory by manually preforming the function of LoadLibrary).(Citation: Elastic HuntingNMemory June 2017)(Citation: Elastic Process Injection July 2017) \n\nAnother variation of this method, often referred to as Module Stomping/Overloading or DLL Hollowing, may be leveraged to conceal injected code within a process. This method involves loading a legitimate DLL into a remote process then manually overwriting the module's AddressOfEntryPoint before starting a new thread in the target process.(Citation: Module Stomping for Shellcode Injection) This variation allows attackers to hide malicious injected code by potentially backing its execution with a legitimate DLL file on disk.(Citation: Hiding Malicious Code with Module Stomping) \n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via DLL injection may also evade detection from security products since the execution is masked under a legitimate process. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1055/001", + "external_id": "T1055.001" + }, + { + "source_name": "Hiding Malicious Code with Module Stomping", + "description": "Aliz Hammond. (2019, August 15). Hiding Malicious Code with \"Module Stomping\": Part 1. Retrieved July 14, 2022.", + "url": "https://blog.f-secure.com/hiding-malicious-code-with-module-stomping/" + }, + { + "source_name": "Elastic HuntingNMemory June 2017", + "description": "Desimone, J. (2017, June 13). Hunting in Memory. Retrieved December 7, 2017.", + "url": "https://www.endgame.com/blog/technical-blog/hunting-memory" + }, + { + "source_name": "Elastic Process Injection July 2017", + "description": "Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017.", + "url": "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" + }, + { + "source_name": "Module Stomping for Shellcode Injection", + "description": "Red Teaming Experiments. (n.d.). Module Stomping for Shellcode Injection. Retrieved July 14, 2022.", + "url": "https://www.ired.team/offensive-security/code-injection-process-injection/modulestomping-dll-hollowing-shellcode-injection" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Boominathan Sundaram" + ], + "x_mitre_data_sources": [ + "Process: Process Metadata", + "Process: Process Access", + "Process: Process Modification", + "Module: Module Load", + "Process: OS API Execution" + ], + "x_mitre_defense_bypassed": [ + "Application control", + "Anti-virus" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.(Citation: Elastic Process Injection July 2017)\n\nMonitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process. \n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_permissions_required": [ + "User" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.3", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-11 21:34:38.558000+00:00\", \"old_value\": \"2022-10-18 21:07:23.748000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.3\", \"old_value\": \"1.2\"}}}", + "previous_version": "1.2", + "version_change": "1.2 \u2192 1.3", + "changelog_mitigations": { + "shared": [ + "M1040: Behavior Prevention on Endpoint" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (OS API Execution)", + "DS0009: Process (Process Access)", + "DS0009: Process (Process Metadata)", + "DS0009: Process (Process Modification)", + "DS0011: Module (Module Load)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--b200542e-e877-4395-875b-cf1a44537ca4", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-01-14 17:21:54.470000+00:00", + "modified": "2023-08-11 21:37:00.009000+00:00", + "name": "Process Hollowing", + "description": "Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is a method of executing arbitrary code in the address space of a separate live process. \n\nProcess hollowing is commonly performed by creating a process in a suspended state then unmapping/hollowing its memory, which can then be replaced with malicious code. A victim process can be created with native Windows API calls such as CreateProcess, which includes a flag to suspend the processes primary thread. At this point the process can be unmapped using APIs calls such as ZwUnmapViewOfSection or NtUnmapViewOfSection before being written to, realigned to the injected code, and resumed via VirtualAllocEx, WriteProcessMemory, SetThreadContext, then ResumeThread respectively.(Citation: Leitch Hollowing)(Citation: Elastic Process Injection July 2017)\n\nThis is very similar to [Thread Local Storage](https://attack.mitre.org/techniques/T1055/005) but creates a new process rather than targeting an existing process. This behavior will likely not result in elevated privileges since the injected process was spawned from (and thus inherits the security context) of the injecting process. However, execution via process hollowing may also evade detection from security products since the execution is masked under a legitimate process. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1055/012", + "external_id": "T1055.012" + }, + { + "source_name": "Nviso Spoof Command Line 2020", + "description": "Daman, R. (2020, February 4). The return of the spoof part 2: Command line spoofing. Retrieved November 19, 2021.", + "url": "https://blog.nviso.eu/2020/02/04/the-return-of-the-spoof-part-2-command-line-spoofing/" + }, + { + "source_name": "Elastic Process Injection July 2017", + "description": "Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017.", + "url": "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" + }, + { + "source_name": "Leitch Hollowing", + "description": "Leitch, J. (n.d.). Process Hollowing. Retrieved November 12, 2014.", + "url": "http://www.autosectools.com/process-hollowing.pdf" + }, + { + "source_name": "Mandiant Endpoint Evading 2019", + "description": "Pena, E., Erikson, C. (2019, October 10). Staying Hidden on the Endpoint: Evading Detection with Shellcode. Retrieved November 29, 2021.", + "url": "https://www.mandiant.com/resources/staying-hidden-on-the-endpoint-evading-detection-with-shellcode" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_data_sources": [ + "Process: Process Creation", + "Process: Process Modification", + "Process: OS API Execution", + "Process: Process Access" + ], + "x_mitre_defense_bypassed": [ + "Application control", + "Anti-virus" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.(Citation: Elastic Process Injection July 2017)\n\nProcessing hollowing commonly involves spawning an otherwise benign victim process. Consider correlating detections of processes created in a suspended state (ex: through API flags or process\u2019 thread metadata) with other malicious activity such as attempts to modify a process' memory, especially by its parent process, or other abnormal process behavior.(Citation: Nviso Spoof Command Line 2020)(Citation: Mandiant Endpoint Evading 2019)\n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_permissions_required": [ + "User" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.3", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_attack_spec_version']\": \"3.1.0\", \"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-11 21:37:00.009000+00:00\", \"old_value\": \"2021-11-29 17:22:32.704000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.3\", \"old_value\": \"1.2\"}}, \"iterable_item_added\": {\"root['x_mitre_data_sources'][0]\": \"Process: Process Creation\"}}", + "previous_version": "1.2", + "version_change": "1.2 \u2192 1.3", + "changelog_mitigations": { + "shared": [ + "M1040: Behavior Prevention on Endpoint" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (OS API Execution)", + "DS0009: Process (Process Access)", + "DS0009: Process (Process Modification)" + ], + "new": [ + "DS0009: Process (Process Creation)" + ], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--4933e63b-9b77-476e-ab29-761bc5b7d15a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-10-05 01:15:06.293000+00:00", + "modified": "2023-09-29 21:09:49.267000+00:00", + "name": "Reflective Code Loading", + "description": "Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflective loading involves allocating then executing payloads directly within the memory of the process, vice creating a thread or process backed by a file path on disk. Reflectively loaded payloads may be compiled binaries, anonymous files (only present in RAM), or just snubs of fileless executable code (ex: position-independent shellcode).(Citation: Introducing Donut)(Citation: S1 Custom Shellcode Tool)(Citation: Stuart ELF Memory)(Citation: 00sec Droppers)(Citation: Mandiant BYOL)\n\nReflective code injection is very similar to [Process Injection](https://attack.mitre.org/techniques/T1055) except that the \u201cinjection\u201d loads code into the processes\u2019 own memory instead of that of a separate process. Reflective loading may evade process-based detections since the execution of the arbitrary code may be masked within a legitimate or otherwise benign process. Reflectively loading payloads directly into memory may also avoid creating files or other artifacts on disk, while also enabling malware to keep these payloads encrypted (or otherwise obfuscated) until execution.(Citation: Stuart ELF Memory)(Citation: 00sec Droppers)(Citation: Intezer ACBackdoor)(Citation: S1 Old Rat New Tricks)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1620", + "external_id": "T1620" + }, + { + "source_name": "00sec Droppers", + "description": "0x00pico. (2017, September 25). Super-Stealthy Droppers. Retrieved October 4, 2021.", + "url": "https://0x00sec.org/t/super-stealthy-droppers/3715" + }, + { + "source_name": "S1 Custom Shellcode Tool", + "description": "Bunce, D. (2019, October 31). Building A Custom Tool For Shellcode Analysis. Retrieved October 4, 2021.", + "url": "https://www.sentinelone.com/blog/building-a-custom-tool-for-shellcode-analysis/" + }, + { + "source_name": "Mandiant BYOL", + "description": "Kirk, N. (2018, June 18). Bring Your Own Land (BYOL) \u2013 A Novel Red Teaming Technique. Retrieved October 4, 2021.", + "url": "https://www.mandiant.com/resources/bring-your-own-land-novel-red-teaming-technique" + }, + { + "source_name": "S1 Old Rat New Tricks", + "description": "Landry, J. (2016, April 21). Teaching an old RAT new tricks. Retrieved October 4, 2021.", + "url": "https://www.sentinelone.com/blog/teaching-an-old-rat-new-tricks/" + }, + { + "source_name": "MDSec Detecting DOTNET", + "description": "MDSec Research. (n.d.). Detecting and Advancing In-Memory .NET Tradecraft. Retrieved October 4, 2021.", + "url": "https://www.mdsec.co.uk/2020/06/detecting-and-advancing-in-memory-net-tradecraft/" + }, + { + "source_name": "Intezer ACBackdoor", + "description": "Sanmillan, I. (2019, November 18). ACBackdoor: Analysis of a New Multiplatform Backdoor. Retrieved October 4, 2021.", + "url": "https://www.intezer.com/blog/research/acbackdoor-analysis-of-a-new-multiplatform-backdoor/" + }, + { + "source_name": "Stuart ELF Memory", + "description": "Stuart. (2018, March 31). In-Memory-Only ELF Execution (Without tmpfs). Retrieved October 4, 2021.", + "url": "https://magisterquis.github.io/2018/03/31/in-memory-only-elf-execution.html" + }, + { + "source_name": "Introducing Donut", + "description": "The Wover. (2019, May 9). Donut - Injecting .NET Assemblies as Shellcode. Retrieved October 4, 2021.", + "url": "https://thewover.github.io/Introducing-Donut/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Jo\u00e3o Paulo de A. Filho, @Hug1nN__", + "Shlomi Salem, SentinelOne", + "Lior Ribak, SentinelOne", + "Rex Guo, @Xiaofei_REX, Confluera", + "Joas Antonio dos Santos, @C0d3Cr4zy, Inmetrics" + ], + "x_mitre_data_sources": [ + "Module: Module Load", + "Script: Script Execution", + "Process: OS API Execution" + ], + "x_mitre_defense_bypassed": [ + "Application control", + "Anti-virus" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor for code artifacts associated with reflectively loading code, such as the abuse of .NET functions such as Assembly.Load() and [Native API](https://attack.mitre.org/techniques/T1106) functions such as CreateThread(), memfd_create(), execve(), and/or execveat().(Citation: 00sec Droppers)(Citation: S1 Old Rat New Tricks)\n\nMonitor for artifacts of abnormal process execution. For example, a common signature related to reflective code loading on Windows is mechanisms related to the .NET Common Language Runtime (CLR) -- such as mscor.dll, mscoree.dll, and clr.dll -- loading into abnormal processes (such as notepad.exe). Similarly, AMSI / ETW traces can be used to identify signs of arbitrary code execution from within the memory of potentially compromised processes.(Citation: MDSec Detecting DOTNET)(Citation: Introducing Donut)\n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "macOS", + "Linux", + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-29 21:09:49.267000+00:00\", \"old_value\": \"2022-04-21 16:21:09.679000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}}", + "previous_version": "1.0", + "version_change": "1.0 \u2192 1.1", + "changelog_mitigations": { + "shared": [], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (OS API Execution)", + "DS0011: Module (Module Load)", + "DS0012: Script (Script Execution)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--4061e78c-1284-44b4-9116-73e4ac3912f7", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-04-18 17:59:24.739000+00:00", + "modified": "2023-09-28 16:23:51.194000+00:00", + "name": "Remote Access Software", + "description": "An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.(Citation: Symantec Living off the Land)(Citation: CrowdStrike 2015 Global Threat Report)(Citation: CrySyS Blog TeamSpy)\n\nRemote access software may be installed and used post-compromise as an alternate communications channel for redundant access or as a way to establish an interactive remote desktop session with the target system. They may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary controlled system.\n \nAdversaries may similarly abuse response features included in EDR and other defensive tools that enable remote access.\n\nInstallation of many remote access software may also include persistence (e.g., the software's installation routine creates a [Windows Service](https://attack.mitre.org/techniques/T1543/003)).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "command-and-control" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1219", + "external_id": "T1219" + }, + { + "source_name": "CrowdStrike 2015 Global Threat Report", + "description": "CrowdStrike Intelligence. (2016). 2015 Global Threat Report. Retrieved April 11, 2018.", + "url": "https://go.crowdstrike.com/rs/281-OBQ-266/images/15GlobalThreatReport.pdf" + }, + { + "source_name": "CrySyS Blog TeamSpy", + "description": "CrySyS Lab. (2013, March 20). TeamSpy \u2013 Obshie manevri. Ispolzovat\u2019 tolko s razreshenija S-a. Retrieved April 11, 2018.", + "url": "https://blog.crysys.hu/2013/03/teamspy/" + }, + { + "source_name": "Symantec Living off the Land", + "description": "Wueest, C., Anand, H. (2017, July). Living off the land and fileless attack techniques. Retrieved April 10, 2018.", + "url": "https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-living-off-the-land-and-fileless-attack-techniques-en.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Matt Kelly, @breakersall", + "Zachary Stanford, @svch0st" + ], + "x_mitre_data_sources": [ + "Process: Process Creation", + "Network Traffic: Network Traffic Flow", + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Connection Creation" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor for applications and processes related to remote admin tools. Correlate activity with other suspicious behavior that may reduce false positives if these tools are used by legitimate users and administrators.\n\nAnalyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol for the port that is being used.\n\n[Domain Fronting](https://attack.mitre.org/techniques/T1090/004) may be used in conjunction to avoid defenses. Adversaries will likely need to deploy and/or install these remote tools to compromised systems. It may be possible to detect or prevent the installation of these tools with host-based solutions.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "Windows", + "macOS" + ], + "x_mitre_version": "2.2", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-28 16:23:51.194000+00:00\", \"old_value\": \"2022-04-21 14:54:10.899000+00:00\"}, \"root['description']\": {\"new_value\": \"An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.(Citation: Symantec Living off the Land)(Citation: CrowdStrike 2015 Global Threat Report)(Citation: CrySyS Blog TeamSpy)\\n\\nRemote access software may be installed and used post-compromise as an alternate communications channel for redundant access or as a way to establish an interactive remote desktop session with the target system. They may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary controlled system.\\n \\nAdversaries may similarly abuse response features included in EDR and other defensive tools that enable remote access.\\n\\nInstallation of many remote access software may also include persistence (e.g., the software's installation routine creates a [Windows Service](https://attack.mitre.org/techniques/T1543/003)).\", \"old_value\": \"An adversary may use legitimate desktop support and remote access software, such as Team Viewer, AnyDesk, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.(Citation: Symantec Living off the Land)\\n\\nRemote access tools may be installed and used post-compromise as alternate communications channel for redundant access or as a way to establish an interactive remote desktop session with the target system. They may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary controlled system. Installation of many remote access tools may also include persistence (ex: the tool's installation routine creates a [Windows Service](https://attack.mitre.org/techniques/T1543/003)).\\n\\nAdmin tools such as TeamViewer have been used by several groups targeting institutions in countries of interest to the Russian state and criminal campaigns.(Citation: CrowdStrike 2015 Global Threat Report)(Citation: CrySyS Blog TeamSpy)\", \"diff\": \"--- \\n+++ \\n@@ -1,5 +1,7 @@\\n-An adversary may use legitimate desktop support and remote access software, such as Team Viewer, AnyDesk, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.(Citation: Symantec Living off the Land)\\n+An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.(Citation: Symantec Living off the Land)(Citation: CrowdStrike 2015 Global Threat Report)(Citation: CrySyS Blog TeamSpy)\\n \\n-Remote access tools may be installed and used post-compromise as alternate communications channel for redundant access or as a way to establish an interactive remote desktop session with the target system. They may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary controlled system. Installation of many remote access tools may also include persistence (ex: the tool's installation routine creates a [Windows Service](https://attack.mitre.org/techniques/T1543/003)).\\n+Remote access software may be installed and used post-compromise as an alternate communications channel for redundant access or as a way to establish an interactive remote desktop session with the target system. They may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary controlled system.\\n+ \\n+Adversaries may similarly abuse response features included in EDR and other defensive tools that enable remote access.\\n \\n-Admin tools such as TeamViewer have been used by several groups targeting institutions in countries of interest to the Russian state and criminal campaigns.(Citation: CrowdStrike 2015 Global Threat Report)(Citation: CrySyS Blog TeamSpy)\\n+Installation of many remote access software may also include persistence (e.g., the software's installation routine creates a [Windows Service](https://attack.mitre.org/techniques/T1543/003)).\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.2\", \"old_value\": \"2.1\"}}}", + "previous_version": "2.1", + "version_change": "2.1 \u2192 2.2", + "description_change_table": "\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n

    		Old Description
    		New Description
    t1An adversary may use legitimate desktop support and remote at1An adversary may use legitimate desktop support and remote a
    >ccess software, such as Team Viewer, AnyDesk, Go2Assist, Log>ccess software to establish an interactive command and contr
    >Mein, AmmyyAdmin, etc, to establish an interactive command a>ol channel to target systems within networks. These services
    >nd control channel to target systems within networks. These >, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, 
    >services are commonly used as legitimate technical support s>`LogMein`, `AmmyyAdmin`, and other remote monitoring and man
    >oftware, and may be allowed by application control within a >agement (RMM) tools, are commonly used as legitimate technic
    >target environment. Remote access tools like VNC, Ammyy, and>al support software and may be allowed by application contro
    > Teamviewer are used frequently when compared with other leg>l within a target environment.(Citation: Symantec Living off
    >itimate software commonly used by adversaries.(Citation: Sym> the Land)(Citation: CrowdStrike 2015 Global Threat Report)(
    >antec Living off the Land)  Remote access tools may be insta>Citation: CrySyS Blog TeamSpy)  Remote access software may b
    >lled and used post-compromise as alternate communications ch>e installed and used post-compromise as an alternate communi
    >annel for redundant access or as a way to establish an inter>cations channel for redundant access or as a way to establis
    >active remote desktop session with the target system. They m>h an interactive remote desktop session with the target syst
    >ay also be used as a component of malware to establish a rev>em. They may also be used as a component of malware to estab
    >erse connection or back-connect to a service or adversary co>lish a reverse connection or back-connect to a service or ad
    >ntrolled system. Installation of many remote access tools ma>versary controlled system.   Adversaries may similarly abuse
    >y also include persistence (ex: the tool's installation rout> response features included in EDR and other defensive tools
    >ine creates a [Windows Service](https://attack.mitre.org/tec> that enable remote access.  Installation of many remote acc
    >hniques/T1543/003)).  Admin tools such as TeamViewer have be>ess software may also include persistence (e.g., the softwar
    >en used by several groups targeting institutions in countrie>e's installation routine creates a [Windows Service](https:/
    >s of interest to the Russian state and criminal campaigns.(C>/attack.mitre.org/techniques/T1543/003)).
    >itation: CrowdStrike 2015 Global Threat Report)(Citation: Cr 
    >ySyS Blog TeamSpy) 
    ", + "changelog_mitigations": { + "shared": [ + "M1031: Network Intrusion Prevention", + "M1037: Filter Network Traffic", + "M1038: Execution Prevention" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0029: Network Traffic (Network Connection Creation)", + "DS0029: Network Traffic (Network Traffic Content)", + "DS0029: Network Traffic (Network Traffic Flow)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--e0033c16-a07e-48aa-8204-7c3ca669998c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-02-25 18:35:42.765000+00:00", + "modified": "2023-08-14 15:37:02.771000+00:00", + "name": "RDP Hijacking", + "description": "Adversaries may hijack a legitimate user\u2019s remote desktop session to move laterally within an environment. Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).(Citation: TechNet Remote Desktop Services)\n\nAdversaries may perform RDP session hijacking which involves stealing a legitimate user's remote session. Typically, a user is notified when someone else is trying to steal their session. With System permissions and using Terminal Services Console, `c:\\windows\\system32\\tscon.exe [session number to be stolen]`, an adversary can hijack a session without the need for credentials or prompts to the user.(Citation: RDP Hijacking Korznikov) This can be done remotely or locally and with active or disconnected sessions.(Citation: RDP Hijacking Medium) It can also lead to [Remote System Discovery](https://attack.mitre.org/techniques/T1018) and Privilege Escalation by stealing a Domain Admin or higher privileged account session. All of this can be done by using native Windows commands, but it has also been added as a feature in red teaming tools.(Citation: Kali Redsnarf)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "lateral-movement" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1563/002", + "external_id": "T1563.002" + }, + { + "source_name": "RDP Hijacking Medium", + "description": "Beaumont, K. (2017, March 19). RDP hijacking\u200a\u2014\u200ahow to hijack RDS and RemoteApp sessions transparently to move through an organisation. Retrieved December 11, 2017.", + "url": "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6" + }, + { + "source_name": "RDP Hijacking Korznikov", + "description": "Korznikov, A. (2017, March 17). Passwordless RDP Session Hijacking Feature All Windows versions. Retrieved December 11, 2017.", + "url": "http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html" + }, + { + "source_name": "TechNet Remote Desktop Services", + "description": "Microsoft. (n.d.). Remote Desktop Services. Retrieved June 1, 2016.", + "url": "https://technet.microsoft.com/en-us/windowsserver/ee236407.aspx" + }, + { + "source_name": "Kali Redsnarf", + "description": "NCC Group PLC. (2016, November 1). Kali Redsnarf. Retrieved December 11, 2017.", + "url": "https://github.com/nccgroup/redsnarf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_data_sources": [ + "Logon Session: Logon Session Creation", + "Process: Process Creation", + "Command: Command Execution", + "Network Traffic: Network Traffic Flow", + "Network Traffic: Network Traffic Content" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Consider monitoring processes for `tscon.exe` usage and monitor service creation that uses `cmd.exe /k` or `cmd.exe /c` in its arguments to detect RDP session hijacking.\n\nUse of RDP may be legitimate, depending on the network environment and how it is used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with RDP.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_attack_spec_version']\": \"3.1.0\", \"root['x_mitre_deprecated']\": false}, \"dictionary_item_removed\": {\"root['x_mitre_permissions_required']\": [\"SYSTEM\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-14 15:37:02.771000+00:00\", \"old_value\": \"2020-03-23 23:24:39.182000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}}", + "previous_version": "1.0", + "version_change": "1.0 \u2192 1.1", + "changelog_mitigations": { + "shared": [ + "M1018: User Account Management", + "M1026: Privileged Account Management", + "M1028: Operating System Configuration", + "M1030: Network Segmentation", + "M1035: Limit Access to Resource Over Network", + "M1042: Disable or Remove Feature or Program", + "M1047: Audit" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0017: Command (Command Execution)", + "DS0028: Logon Session (Logon Session Creation)", + "DS0029: Network Traffic (Network Traffic Content)", + "DS0029: Network Traffic (Network Traffic Flow)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--54a649ff-439a-41a4-9856-8d144a2551ba", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:30:29.858000+00:00", + "modified": "2023-06-02 15:31:40.498000+00:00", + "name": "Remote Services", + "description": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a service that accepts remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.\n\nIn an enterprise environment, servers and workstations can be organized into domains. Domains provide centralized identity management, allowing users to login using one set of credentials across the entire network. If an adversary is able to obtain a set of valid domain credentials, they could login to many different machines using remote access protocols such as secure shell (SSH) or remote desktop protocol (RDP).(Citation: SSH Secure Shell)(Citation: TechNet Remote Desktop Services) They could also login to accessible SaaS or IaaS services, such as those that federate their identities to the domain. \n\nLegitimate applications (such as [Software Deployment Tools](https://attack.mitre.org/techniques/T1072) and other administrative programs) may utilize [Remote Services](https://attack.mitre.org/techniques/T1021) to access remote hosts. For example, Apple Remote Desktop (ARD) on macOS is native software used for remote management. ARD leverages a blend of protocols, including [VNC](https://attack.mitre.org/techniques/T1021/005) to send the screen and control buffers and [SSH](https://attack.mitre.org/techniques/T1021/004) for secure file transfer.(Citation: Remote Management MDM macOS)(Citation: Kickstart Apple Remote Desktop commands)(Citation: Apple Remote Desktop Admin Guide 3.3) Adversaries can abuse applications such as ARD to gain remote code execution and perform lateral movement. In versions of macOS prior to 10.14, an adversary can escalate an SSH session to an ARD session which enables an adversary to accept TCC (Transparency, Consent, and Control) prompts without user interaction and gain access to data.(Citation: FireEye 2019 Apple Remote Desktop)(Citation: Lockboxx ARD 2019)(Citation: Kickstart Apple Remote Desktop commands)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "lateral-movement" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1021", + "external_id": "T1021" + }, + { + "source_name": "Apple Remote Desktop Admin Guide 3.3", + "description": "Apple. (n.d.). Apple Remote Desktop Administrator Guide Version 3.3. Retrieved October 5, 2021.", + "url": "https://images.apple.com/remotedesktop/pdf/ARD_Admin_Guide_v3.3.pdf" + }, + { + "source_name": "Remote Management MDM macOS", + "description": "Apple. (n.d.). Use MDM to enable Remote Management in macOS. Retrieved September 23, 2021.", + "url": "https://support.apple.com/en-us/HT209161" + }, + { + "source_name": "Kickstart Apple Remote Desktop commands", + "description": "Apple. (n.d.). Use the kickstart command-line utility in Apple Remote Desktop. Retrieved September 23, 2021.", + "url": "https://support.apple.com/en-us/HT201710" + }, + { + "source_name": "Lockboxx ARD 2019", + "description": "Dan Borges. (2019, July 21). MacOS Red Teaming 206: ARD (Apple Remote Desktop Protocol). Retrieved September 10, 2021.", + "url": "http://lockboxx.blogspot.com/2019/07/macos-red-teaming-206-ard-apple-remote.html" + }, + { + "source_name": "FireEye 2019 Apple Remote Desktop", + "description": "Jake Nicastro, Willi Ballenthin. (2019, October 9). Living off the Orchard: Leveraging Apple Remote Desktop for Good and Evil. Retrieved August 16, 2021.", + "url": "https://www.fireeye.com/blog/threat-research/2019/10/leveraging-apple-remote-desktop-for-good-and-evil.html" + }, + { + "source_name": "TechNet Remote Desktop Services", + "description": "Microsoft. (n.d.). Remote Desktop Services. Retrieved June 1, 2016.", + "url": "https://technet.microsoft.com/en-us/windowsserver/ee236407.aspx" + }, + { + "source_name": "Apple Unified Log Analysis Remote Login and Screen Sharing", + "description": "Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs: Quarantine Edition [Entry 6] \u2013 Working From Home? Remote Logins. Retrieved August 19, 2021.", + "url": "https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins" + }, + { + "source_name": "SSH Secure Shell", + "description": "SSH.COM. (n.d.). SSH (Secure Shell). Retrieved March 23, 2020.", + "url": "https://www.ssh.com/ssh" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Dan Borges, @1njection" + ], + "x_mitre_data_sources": [ + "Module: Module Load", + "Network Traffic: Network Connection Creation", + "Command: Command Execution", + "Network Share: Network Share Access", + "WMI: WMI Creation", + "Logon Session: Logon Session Creation", + "Network Traffic: Network Traffic Flow", + "Process: Process Creation" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Correlate use of login activity related to remote services with unusual behavior or other malicious or suspicious activity. Adversaries will likely need to learn about an environment and the relationships between systems through Discovery techniques prior to attempting Lateral Movement. \n\nUse of applications such as ARD may be legitimate depending on the environment and how it\u2019s used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior using these applications. Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time. \n\nIn macOS, you can review logs for \"screensharingd\" and \"Authentication\" event messages. Monitor network connections regarding remote management (ports tcp:3283 and tcp:5900) and for remote login (port tcp:22).(Citation: Lockboxx ARD 2019)(Citation: Apple Unified Log Analysis Remote Login and Screen Sharing)", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows", + "IaaS" + ], + "x_mitre_system_requirements": [ + "Active remote service accepting connections and valid credentials" + ], + "x_mitre_version": "1.4", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-06-02 15:31:40.498000+00:00\", \"old_value\": \"2023-03-30 21:01:42.821000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.4\", \"old_value\": \"1.3\"}}, \"iterable_item_added\": {\"root['x_mitre_data_sources'][4]\": \"WMI: WMI Creation\", \"root['x_mitre_platforms'][3]\": \"IaaS\"}}", + "previous_version": "1.3", + "version_change": "1.3 \u2192 1.4", + "changelog_mitigations": { + "shared": [ + "M1018: User Account Management", + "M1032: Multi-factor Authentication" + ], + "new": [ + "M1042: Disable or Remove Feature or Program" + ], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0011: Module (Module Load)", + "DS0017: Command (Command Execution)", + "DS0028: Logon Session (Logon Session Creation)", + "DS0029: Network Traffic (Network Connection Creation)", + "DS0029: Network Traffic (Network Traffic Flow)", + "DS0033: Network Share (Network Share Access)" + ], + "new": [ + "DS0005: WMI (WMI Creation)" + ], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--68a0c5ed-bee2-4513-830d-5b0d650139bd", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-02-11 18:26:36.444000+00:00", + "modified": "2023-08-11 20:21:55.610000+00:00", + "name": "Distributed Component Object Model", + "description": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote machines by taking advantage of Distributed Component Object Model (DCOM). The adversary may then perform actions as the logged-on user.\n\nThe Windows Component Object Model (COM) is a component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces. Through COM, a client object can call methods of server objects, which are typically Dynamic Link Libraries (DLL) or executables (EXE). Distributed COM (DCOM) is transparent middleware that extends the functionality of COM beyond a local computer using remote procedure call (RPC) technology.(Citation: Fireeye Hunting COM June 2019)(Citation: Microsoft COM)\n\nPermissions to interact with local and remote server COM objects are specified by access control lists (ACL) in the Registry.(Citation: Microsoft Process Wide Com Keys) By default, only Administrators may remotely activate and launch COM objects through DCOM.(Citation: Microsoft COM ACL)\n\nThrough DCOM, adversaries operating in the context of an appropriately privileged user can remotely obtain arbitrary and even direct shellcode execution through Office applications(Citation: Enigma Outlook DCOM Lateral Movement Nov 2017) as well as other Windows objects that contain insecure methods.(Citation: Enigma MMC20 COM Jan 2017)(Citation: Enigma DCOM Lateral Movement Jan 2017) DCOM can also execute macros in existing documents(Citation: Enigma Excel DCOM Sept 2017) and may also invoke [Dynamic Data Exchange](https://attack.mitre.org/techniques/T1559/002) (DDE) execution directly through a COM created instance of a Microsoft Office application(Citation: Cyberreason DCOM DDE Lateral Movement Nov 2017), bypassing the need for a malicious document. DCOM can be used as a method of remotely interacting with [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047). (Citation: MSDN WMI)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "lateral-movement" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1021/003", + "external_id": "T1021.003" + }, + { + "source_name": "Fireeye Hunting COM June 2019", + "description": "Hamilton, C. (2019, June 4). Hunting COM Objects. Retrieved June 10, 2019.", + "url": "https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html" + }, + { + "source_name": "Microsoft COM", + "description": "Microsoft. (n.d.). Component Object Model (COM). Retrieved November 22, 2017.", + "url": "https://msdn.microsoft.com/library/windows/desktop/ms680573.aspx" + }, + { + "source_name": "Microsoft COM ACL", + "description": "Microsoft. (n.d.). DCOM Security Enhancements in Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1. Retrieved November 22, 2017.", + "url": "https://docs.microsoft.com/en-us/windows/desktop/com/dcom-security-enhancements-in-windows-xp-service-pack-2-and-windows-server-2003-service-pack-1" + }, + { + "source_name": "Microsoft Process Wide Com Keys", + "description": "Microsoft. (n.d.). Setting Process-Wide Security Through the Registry. Retrieved November 21, 2017.", + "url": "https://msdn.microsoft.com/en-us/library/windows/desktop/ms687317(v=vs.85).aspx" + }, + { + "source_name": "MSDN WMI", + "description": "Microsoft. (n.d.). Windows Management Instrumentation. Retrieved April 27, 2016.", + "url": "https://msdn.microsoft.com/en-us/library/aa394582.aspx" + }, + { + "source_name": "Enigma DCOM Lateral Movement Jan 2017", + "description": "Nelson, M. (2017, January 23). Lateral Movement via DCOM: Round 2. Retrieved November 21, 2017.", + "url": "https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/" + }, + { + "source_name": "Enigma MMC20 COM Jan 2017", + "description": "Nelson, M. (2017, January 5). Lateral Movement using the MMC20 Application COM Object. Retrieved November 21, 2017.", + "url": "https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/" + }, + { + "source_name": "Enigma Outlook DCOM Lateral Movement Nov 2017", + "description": "Nelson, M. (2017, November 16). Lateral Movement using Outlook's CreateObject Method and DotNetToJScript. Retrieved November 21, 2017.", + "url": "https://enigma0x3.net/2017/11/16/lateral-movement-using-outlooks-createobject-method-and-dotnettojscript/" + }, + { + "source_name": "Enigma Excel DCOM Sept 2017", + "description": "Nelson, M. (2017, September 11). Lateral Movement using Excel.Application and DCOM. Retrieved November 21, 2017.", + "url": "https://enigma0x3.net/2017/09/11/lateral-movement-using-excel-application-and-dcom/" + }, + { + "source_name": "Cyberreason DCOM DDE Lateral Movement Nov 2017", + "description": "Tsukerman, P. (2017, November 8). Leveraging Excel DDE for lateral movement via DCOM. Retrieved November 21, 2017.", + "url": "https://www.cybereason.com/blog/leveraging-excel-dde-for-lateral-movement-via-dcom" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_data_sources": [ + "Network Traffic: Network Connection Creation", + "Module: Module Load", + "Process: Process Creation" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor for COM objects loading DLLs and other modules not typically associated with the application.(Citation: Enigma Outlook DCOM Lateral Movement Nov 2017) Enumeration of COM objects, via [Query Registry](https://attack.mitre.org/techniques/T1012) or [PowerShell](https://attack.mitre.org/techniques/T1059/001), may also proceed malicious use.(Citation: Fireeye Hunting COM June 2019)(Citation: Enigma MMC20 COM Jan 2017) Monitor for spawning of processes associated with COM objects, especially those invoked by a user different than the one currently logged on.\n\nMonitor for any influxes or abnormal increases in DCOM related Distributed Computing Environment/Remote Procedure Call (DCE/RPC) traffic (typically over port 135).", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.3", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-11 20:21:55.610000+00:00\", \"old_value\": \"2023-04-03 18:58:54.034000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.3\", \"old_value\": \"1.2\"}}}", + "previous_version": "1.2", + "version_change": "1.2 \u2192 1.3", + "changelog_mitigations": { + "shared": [ + "M1026: Privileged Account Management", + "M1030: Network Segmentation", + "M1042: Disable or Remove Feature or Program", + "M1048: Application Isolation and Sandboxing" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0011: Module (Module Load)", + "DS0029: Network Traffic (Network Connection Creation)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--eb062747-2193-45de-8fa2-e62549c37ddf", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-02-11 18:23:26.059000+00:00", + "modified": "2023-08-07 14:23:30.265000+00:00", + "name": "Remote Desktop Protocol", + "description": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.\n\nRemote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).(Citation: TechNet Remote Desktop Services) \n\nAdversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries will likely use Credential Access techniques to acquire credentials to use with RDP. Adversaries may also use RDP in conjunction with the [Accessibility Features](https://attack.mitre.org/techniques/T1546/008) or [Terminal Services DLL](https://attack.mitre.org/techniques/T1505/005) for Persistence.(Citation: Alperovitch Malware)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "lateral-movement" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1021/001", + "external_id": "T1021.001" + }, + { + "source_name": "Alperovitch Malware", + "description": "Alperovitch, D. (2014, October 31). Malware-Free Intrusions. Retrieved November 4, 2014.", + "url": "http://blog.crowdstrike.com/adversary-tricks-crowdstrike-treats/" + }, + { + "source_name": "TechNet Remote Desktop Services", + "description": "Microsoft. (n.d.). Remote Desktop Services. Retrieved June 1, 2016.", + "url": "https://technet.microsoft.com/en-us/windowsserver/ee236407.aspx" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Matthew Demaske, Adaptforward" + ], + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Flow", + "Logon Session: Logon Session Creation", + "Network Traffic: Network Connection Creation", + "Process: Process Creation", + "Logon Session: Logon Session Metadata" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Use of RDP may be legitimate, depending on the network environment and how it is used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with RDP. Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_system_requirements": [ + "RDP service enabled, account in the Remote Desktop Users group" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"dictionary_item_removed\": {\"root['x_mitre_permissions_required']\": [\"Remote Desktop Users\", \"User\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-07 14:23:30.265000+00:00\", \"old_value\": \"2023-03-30 21:01:41.927000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}, \"iterable_item_added\": {\"root['x_mitre_data_sources'][4]\": \"Logon Session: Logon Session Metadata\"}}", + "previous_version": "1.1", + "version_change": "1.1 \u2192 1.2", + "changelog_mitigations": { + "shared": [ + "M1018: User Account Management", + "M1026: Privileged Account Management", + "M1028: Operating System Configuration", + "M1030: Network Segmentation", + "M1032: Multi-factor Authentication", + "M1035: Limit Access to Resource Over Network", + "M1042: Disable or Remove Feature or Program", + "M1047: Audit" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0028: Logon Session (Logon Session Creation)", + "DS0029: Network Traffic (Network Connection Creation)", + "DS0029: Network Traffic (Network Traffic Flow)" + ], + "new": [ + "DS0028: Logon Session (Logon Session Metadata)" + ], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--4f9ca633-15c5-463c-9724-bdcd54fde541", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-02-11 18:25:28.212000+00:00", + "modified": "2023-07-28 17:34:51.250000+00:00", + "name": "SMB/Windows Admin Shares", + "description": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.\n\nSMB is a file, printer, and serial port sharing protocol for Windows machines on the same network or domain. Adversaries may use SMB to interact with file shares, allowing them to move laterally throughout a network. Linux and macOS implementations of SMB typically use Samba.\n\nWindows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include `C$`, `ADMIN$`, and `IPC$`. Adversaries may use this technique in conjunction with administrator-level [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely access a networked system over SMB,(Citation: Wikipedia Server Message Block) to interact with systems using remote procedure calls (RPCs),(Citation: TechNet RPC) transfer files, and run transferred binaries through remote Execution. Example execution techniques that rely on authenticated sessions over SMB/RPC are [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), [Service Execution](https://attack.mitre.org/techniques/T1569/002), and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047). Adversaries can also use NTLM hashes to access administrator shares on systems with [Pass the Hash](https://attack.mitre.org/techniques/T1550/002) and certain configuration and patch levels.(Citation: Microsoft Admin Shares)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "lateral-movement" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1021/002", + "external_id": "T1021.002" + }, + { + "source_name": "Medium Detecting WMI Persistence", + "description": "French, D. (2018, October 9). Detecting & Removing an Attacker\u2019s WMI Persistence. Retrieved October 11, 2019.", + "url": "https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96" + }, + { + "source_name": "TechNet RPC", + "description": "Microsoft. (2003, March 28). What Is RPC?. Retrieved June 12, 2016.", + "url": "https://technet.microsoft.com/en-us/library/cc787851.aspx" + }, + { + "source_name": "Microsoft Admin Shares", + "description": "Microsoft. (n.d.). How to create and delete hidden or administrative shares on client computers. Retrieved November 20, 2014.", + "url": "http://support.microsoft.com/kb/314984" + }, + { + "source_name": "Windows Event Forwarding Payne", + "description": "Payne, J. (2015, November 23). Monitoring what matters - Windows Event Forwarding for everyone (even if you already have a SIEM.). Retrieved February 1, 2016.", + "url": "https://docs.microsoft.com/en-us/archive/blogs/jepayne/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem" + }, + { + "source_name": "Lateral Movement Payne", + "description": "Payne, J. (2015, November 26). Tracking Lateral Movement Part One - Special Groups and Specific Service Accounts. Retrieved February 1, 2016.", + "url": "https://docs.microsoft.com/en-us/archive/blogs/jepayne/tracking-lateral-movement-part-one-special-groups-and-specific-service-accounts" + }, + { + "source_name": "Wikipedia Server Message Block", + "description": "Wikipedia. (2017, December 16). Server Message Block. Retrieved December 21, 2017.", + "url": "https://en.wikipedia.org/wiki/Server_Message_Block" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_data_sources": [ + "Network Share: Network Share Access", + "Network Traffic: Network Traffic Flow", + "Logon Session: Logon Session Creation", + "Network Traffic: Network Connection Creation", + "Process: Process Creation", + "Command: Command Execution" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Ensure that proper logging of accounts used to log into systems is turned on and centrally collected. Windows logging is able to collect success/failure for accounts that may be used to move laterally and can be collected using tools such as Windows Event Forwarding. (Citation: Lateral Movement Payne)(Citation: Windows Event Forwarding Payne) Monitor remote login events and associated SMB activity for file transfers and remote process execution. Monitor the actions of remote users who connect to administrative shares. Monitor for use of tools and commands to connect to remote shares, such as [Net](https://attack.mitre.org/software/S0039), on the command-line interface and Discovery techniques that could be used to find remotely accessible systems.(Citation: Medium Detecting WMI Persistence)", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_system_requirements": [ + "SMB enabled; Host/network firewalls not blocking SMB ports between source and destination; Use of domain account in administrator group on remote system or default system admin account." + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-07-28 17:34:51.250000+00:00\", \"old_value\": \"2023-04-03 18:57:59.554000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}, \"iterable_item_added\": {\"root['x_mitre_data_sources'][4]\": \"Process: Process Creation\"}}", + "previous_version": "1.1", + "version_change": "1.1 \u2192 1.2", + "changelog_mitigations": { + "shared": [ + "M1026: Privileged Account Management", + "M1027: Password Policies", + "M1035: Limit Access to Resource Over Network", + "M1037: Filter Network Traffic" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0017: Command (Command Execution)", + "DS0028: Logon Session (Logon Session Creation)", + "DS0029: Network Traffic (Network Connection Creation)", + "DS0029: Network Traffic (Network Traffic Flow)", + "DS0033: Network Share (Network Share Access)" + ], + "new": [ + "DS0009: Process (Process Creation)" + ], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--2db31dcd-54da-405d-acef-b9129b816ed6", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-02-11 18:27:15.774000+00:00", + "modified": "2023-08-11 20:24:03.069000+00:00", + "name": "SSH", + "description": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.\n\nSSH is a protocol that allows authorized users to open remote shells on other computers. Many Linux and macOS versions come with SSH installed by default, although typically disabled until the user enables it. The SSH server can be configured to use standard password authentication or public-private keypairs in lieu of or in addition to a password. In this authentication scenario, the user\u2019s public key must be in a special file on the computer running the server that lists which keypairs are allowed to login as that user.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "lateral-movement" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1021/004", + "external_id": "T1021.004" + }, + { + "source_name": "Apple Unified Log Analysis Remote Login and Screen Sharing", + "description": "Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs: Quarantine Edition [Entry 6] \u2013 Working From Home? Remote Logins. Retrieved August 19, 2021.", + "url": "https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_data_sources": [ + "Logon Session: Logon Session Creation", + "Process: Process Creation", + "Network Traffic: Network Connection Creation" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Use of SSH may be legitimate depending on the environment and how it\u2019s used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with SSH. Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time.\n\nOn macOS systems log show --predicate 'process = \"sshd\"' can be used to review incoming SSH connection attempts for suspicious activity. The command log show --info --predicate 'process = \"ssh\" or eventMessage contains \"ssh\"' can be used to review outgoing SSH connection activity.(Citation: Apple Unified Log Analysis Remote Login and Screen Sharing)\n\nOn Linux systems SSH activity can be found in the logs located in /var/log/auth.log or /var/log/secure depending on the distro you are using.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "macOS" + ], + "x_mitre_system_requirements": [ + "An SSH server is configured and running." + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-11 20:24:03.069000+00:00\", \"old_value\": \"2023-03-30 21:01:49.323000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}}", + "previous_version": "1.1", + "version_change": "1.1 \u2192 1.2", + "changelog_mitigations": { + "shared": [ + "M1018: User Account Management", + "M1032: Multi-factor Authentication", + "M1042: Disable or Remove Feature or Program" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0028: Logon Session (Logon Session Creation)", + "DS0029: Network Traffic (Network Connection Creation)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-02-11 18:29:47.757000+00:00", + "modified": "2023-08-11 15:26:41.941000+00:00", + "name": "Windows Remote Management", + "description": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.\n\nWinRM is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services).(Citation: Microsoft WinRM) It may be called with the `winrm` command or by any number of programs such as PowerShell.(Citation: Jacobsen 2014) WinRM can be used as a method of remotely interacting with [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047).(Citation: MSDN WMI)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "lateral-movement" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1021/006", + "external_id": "T1021.006" + }, + { + "source_name": "Medium Detecting Lateral Movement", + "description": "French, D. (2018, September 30). Detecting Lateral Movement Using Sysmon and Splunk. Retrieved October 11, 2019.", + "url": "https://medium.com/threatpunter/detecting-lateral-movement-using-sysmon-and-splunk-318d3be141bc" + }, + { + "source_name": "Jacobsen 2014", + "description": "Jacobsen, K. (2014, May 16). Lateral Movement with PowerShell[slides]. Retrieved November 12, 2014.", + "url": "https://www.slideshare.net/kieranjacobsen/lateral-movement-with-power-shell-2" + }, + { + "source_name": "MSDN WMI", + "description": "Microsoft. (n.d.). Windows Management Instrumentation. Retrieved April 27, 2016.", + "url": "https://msdn.microsoft.com/en-us/library/aa394582.aspx" + }, + { + "source_name": "Microsoft WinRM", + "description": "Microsoft. (n.d.). Windows Remote Management. Retrieved November 12, 2014.", + "url": "http://msdn.microsoft.com/en-us/library/aa384426" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_data_sources": [ + "Process: Process Creation", + "Logon Session: Logon Session Creation", + "Network Traffic: Network Connection Creation", + "Command: Command Execution", + "Network Traffic: Network Traffic Flow", + "Service: Service Metadata" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor use of WinRM within an environment by tracking service execution. If it is not normally used or is disabled, then this may be an indicator of suspicious behavior. Monitor processes created and actions taken by the WinRM process or a WinRM invoked script to correlate it with other related events.(Citation: Medium Detecting Lateral Movement) Also monitor for remote WMI connection attempts (typically over port 5985 when using HTTP and 5986 for HTTPS).", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_attack_spec_version']\": \"3.1.0\", \"root['x_mitre_deprecated']\": false}, \"dictionary_item_removed\": {\"root['x_mitre_permissions_required']\": [\"User\", \"Administrator\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-11 15:26:41.941000+00:00\", \"old_value\": \"2021-06-23 19:22:52.870000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}, \"iterable_item_added\": {\"root['x_mitre_data_sources'][4]\": \"Network Traffic: Network Traffic Flow\"}}", + "previous_version": "1.1", + "version_change": "1.1 \u2192 1.2", + "changelog_mitigations": { + "shared": [ + "M1026: Privileged Account Management", + "M1030: Network Segmentation", + "M1042: Disable or Remove Feature or Program" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0017: Command (Command Execution)", + "DS0019: Service (Service Metadata)", + "DS0028: Logon Session (Logon Session Creation)", + "DS0029: Network Traffic (Network Connection Creation)" + ], + "new": [ + "DS0029: Network Traffic (Network Traffic Flow)" + ], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:30:28.187000+00:00", + "modified": "2023-08-14 19:08:59.741000+00:00", + "name": "Remote System Discovery", + "description": "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as [Ping](https://attack.mitre.org/software/S0097) or net view using [Net](https://attack.mitre.org/software/S0039).\n\nAdversaries may also analyze data from local host files (ex: C:\\Windows\\System32\\Drivers\\etc\\hosts or /etc/hosts) or other passive means (such as local [Arp](https://attack.mitre.org/software/S0099) cache entries) in order to discover the presence of remote systems in an environment.\n\nAdversaries may also target discovery of network infrastructure as well as leverage [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands on network devices to gather detailed information about systems within a network (e.g. show cdp neighbors, show arp).(Citation: US-CERT-TA18-106A)(Citation: CISA AR21-126A FIVEHANDS May 2021) \n", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "discovery" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1018", + "external_id": "T1018" + }, + { + "source_name": "CISA AR21-126A FIVEHANDS May 2021", + "description": "CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021.", + "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a" + }, + { + "source_name": "Elastic - Koadiac Detection with EQL", + "description": "Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 30, 2020.", + "url": "https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql" + }, + { + "source_name": "US-CERT-TA18-106A", + "description": "US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.", + "url": "https://www.us-cert.gov/ncas/alerts/TA18-106A" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Daniel Stepanic, Elastic", + "RedHuntLabs, @redhuntlabs", + "Austin Clark, @c2defense" + ], + "x_mitre_data_sources": [ + "Command: Command Execution", + "File: File Access", + "Network Traffic: Network Connection Creation", + "Process: Process Creation" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nNormal, benign system and network events related to legitimate remote system discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\n\nMonitor for processes that can be used to discover remote systems, such as ping.exe and tracert.exe, especially when executed in quick succession.(Citation: Elastic - Koadiac Detection with EQL)", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows", + "Network" + ], + "x_mitre_version": "3.5", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-14 19:08:59.741000+00:00\", \"old_value\": \"2023-03-30 21:01:50.033000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"3.5\", \"old_value\": \"3.4\"}}}", + "previous_version": "3.4", + "version_change": "3.4 \u2192 3.5", + "changelog_mitigations": { + "shared": [], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0017: Command (Command Execution)", + "DS0022: File (File Access)", + "DS0029: Network Traffic (Network Connection Creation)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--cd25c1b4-935c-4f0e-ba8d-552f28bc4783", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-04-17 14:50:05.682000+00:00", + "modified": "2023-10-02 01:11:32.822000+00:00", + "name": "Resource Hijacking", + "description": "Adversaries may leverage the resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability. \n\nOne common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive.(Citation: Kaspersky Lazarus Under The Hood Blog 2017) Servers and cloud-based systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining.(Citation: CloudSploit - Unused AWS Regions) Containerized environments may also be targeted due to the ease of deployment via exposed APIs and the potential for scaling mining activities by deploying or compromising multiple containers within an environment or cluster.(Citation: Unit 42 Hildegard Malware)(Citation: Trend Micro Exposed Docker APIs)\n\nAdditionally, some cryptocurrency mining malware identify then kill off processes for competing malware to ensure it\u2019s not competing for resources.(Citation: Trend Micro War of Crypto Miners)\n\nAdversaries may also use malware that leverages a system's network bandwidth as part of a botnet in order to facilitate [Network Denial of Service](https://attack.mitre.org/techniques/T1498) campaigns and/or to seed malicious torrents.(Citation: GoBotKR) Alternatively, they may engage in proxyjacking by selling use of the victims' network bandwidth and IP address to proxyware services.(Citation: Sysdig Proxyjacking)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "impact" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1496", + "external_id": "T1496" + }, + { + "source_name": "Unit 42 Hildegard Malware", + "description": "Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.", + "url": "https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/" + }, + { + "source_name": "CloudSploit - Unused AWS Regions", + "description": "CloudSploit. (2019, June 8). The Danger of Unused AWS Regions. Retrieved October 8, 2019.", + "url": "https://blog.cloudsploit.com/the-danger-of-unused-aws-regions-af0bf1b878fc" + }, + { + "source_name": "Sysdig Proxyjacking", + "description": "Crystal Morin. (2023, April 4). Proxyjacking has Entered the Chat. Retrieved July 6, 2023.", + "url": "https://sysdig.com/blog/proxyjacking-attackers-log4j-exploited/" + }, + { + "source_name": "Kaspersky Lazarus Under The Hood Blog 2017", + "description": "GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April 17, 2019.", + "url": "https://securelist.com/lazarus-under-the-hood/77908/" + }, + { + "source_name": "Trend Micro Exposed Docker APIs", + "description": "Oliveira, A. (2019, May 30). Infected Containers Target Docker via Exposed APIs. Retrieved April 6, 2021.", + "url": "https://www.trendmicro.com/en_us/research/19/e/infected-cryptocurrency-mining-containers-target-docker-hosts-with-exposed-apis-use-shodan-to-find-additional-victims.html" + }, + { + "source_name": "Trend Micro War of Crypto Miners", + "description": "Oliveira, A., Fiser, D. (2020, September 10). War of Linux Cryptocurrency Miners: A Battle for Resources. Retrieved April 6, 2021.", + "url": "https://www.trendmicro.com/en_us/research/20/i/war-of-linux-cryptocurrency-miners-a-battle-for-resources.html" + }, + { + "source_name": "GoBotKR", + "description": "Zuzana Hromcov\u00e1. (2019, July 8). Malicious campaign targets South Korean users with backdoor\u2011laced torrents. Retrieved March 31, 2022.", + "url": "https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "David Fiser, @anu4is, Trend Micro", + "Alfredo Oliveira, Trend Micro", + "Jay Chen, Palo Alto Networks", + "Magno Logan, @magnologan, Trend Micro", + "Vishwas Manral, McAfee", + "Yossi Weizman, Azure Defender Research Team", + "Goldstein Menachem" + ], + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Flow", + "File: File Creation", + "Network Traffic: Network Connection Creation", + "Sensor Health: Host Status", + "Process: Process Creation", + "Command: Command Execution" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Consider monitoring process resource usage to determine anomalous activity associated with malicious hijacking of computer resources such as CPU, memory, and graphics processing resources. Monitor for suspicious use of network resources associated with cryptocurrency mining software. Monitor for common cryptomining software process names and files on local systems that may indicate compromise and resource usage.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_impact_type": [ + "Availability" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "IaaS", + "Linux", + "macOS", + "Containers" + ], + "x_mitre_version": "1.4", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-02 01:11:32.822000+00:00\", \"old_value\": \"2022-04-18 20:16:44.560000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may leverage the resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability. \\n\\nOne common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive.(Citation: Kaspersky Lazarus Under The Hood Blog 2017) Servers and cloud-based systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining.(Citation: CloudSploit - Unused AWS Regions) Containerized environments may also be targeted due to the ease of deployment via exposed APIs and the potential for scaling mining activities by deploying or compromising multiple containers within an environment or cluster.(Citation: Unit 42 Hildegard Malware)(Citation: Trend Micro Exposed Docker APIs)\\n\\nAdditionally, some cryptocurrency mining malware identify then kill off processes for competing malware to ensure it\\u2019s not competing for resources.(Citation: Trend Micro War of Crypto Miners)\\n\\nAdversaries may also use malware that leverages a system's network bandwidth as part of a botnet in order to facilitate [Network Denial of Service](https://attack.mitre.org/techniques/T1498) campaigns and/or to seed malicious torrents.(Citation: GoBotKR) Alternatively, they may engage in proxyjacking by selling use of the victims' network bandwidth and IP address to proxyware services.(Citation: Sysdig Proxyjacking)\", \"old_value\": \"Adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems, which may impact system and/or hosted service availability. \\n\\nOne common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive.(Citation: Kaspersky Lazarus Under The Hood Blog 2017) Servers and cloud-based systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining.(Citation: CloudSploit - Unused AWS Regions) Containerized environments may also be targeted due to the ease of deployment via exposed APIs and the potential for scaling mining activities by deploying or compromising multiple containers within an environment or cluster.(Citation: Unit 42 Hildegard Malware)(Citation: Trend Micro Exposed Docker APIs)\\n\\nAdditionally, some cryptocurrency mining malware identify then kill off processes for competing malware to ensure it\\u2019s not competing for resources.(Citation: Trend Micro War of Crypto Miners)\\n\\nAdversaries may also use malware that leverages a system's network bandwidth as part of a botnet in order to facilitate [Network Denial of Service](https://attack.mitre.org/techniques/T1498) campaigns and/or to seed malicious torrents.(Citation: GoBotKR)\", \"diff\": \"--- \\n+++ \\n@@ -1,7 +1,7 @@\\n-Adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems, which may impact system and/or hosted service availability. \\n+Adversaries may leverage the resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability. \\n \\n One common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive.(Citation: Kaspersky Lazarus Under The Hood Blog 2017) Servers and cloud-based systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining.(Citation: CloudSploit - Unused AWS Regions) Containerized environments may also be targeted due to the ease of deployment via exposed APIs and the potential for scaling mining activities by deploying or compromising multiple containers within an environment or cluster.(Citation: Unit 42 Hildegard Malware)(Citation: Trend Micro Exposed Docker APIs)\\n \\n Additionally, some cryptocurrency mining malware identify then kill off processes for competing malware to ensure it\\u2019s not competing for resources.(Citation: Trend Micro War of Crypto Miners)\\n \\n-Adversaries may also use malware that leverages a system's network bandwidth as part of a botnet in order to facilitate [Network Denial of Service](https://attack.mitre.org/techniques/T1498) campaigns and/or to seed malicious torrents.(Citation: GoBotKR)\\n+Adversaries may also use malware that leverages a system's network bandwidth as part of a botnet in order to facilitate [Network Denial of Service](https://attack.mitre.org/techniques/T1498) campaigns and/or to seed malicious torrents.(Citation: GoBotKR) Alternatively, they may engage in proxyjacking by selling use of the victims' network bandwidth and IP address to proxyware services.(Citation: Sysdig Proxyjacking)\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.4\", \"old_value\": \"1.3\"}}, \"iterable_item_added\": {\"root['external_references'][3]\": {\"source_name\": \"Sysdig Proxyjacking\", \"description\": \"Crystal Morin. (2023, April 4). Proxyjacking has Entered the Chat. Retrieved July 6, 2023.\", \"url\": \"https://sysdig.com/blog/proxyjacking-attackers-log4j-exploited/\"}, \"root['x_mitre_contributors'][6]\": \"Goldstein Menachem\"}}", + "previous_version": "1.3", + "version_change": "1.3 \u2192 1.4", + "description_change_table": "\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n

    		Old Description
    		New Description
    t1Adversaries may leverage the resources of co-opted systems it1Adversaries may leverage the resources of co-opted systems t
    >n order to solve resource intensive problems, which may impa>o complete resource-intensive tasks, which may impact system
    >ct system and/or hosted service availability.   One common p> and/or hosted service availability.   One common purpose fo
    >urpose for Resource Hijacking is to validate transactions of>r Resource Hijacking is to validate transactions of cryptocu
    > cryptocurrency networks and earn virtual currency. Adversar>rrency networks and earn virtual currency. Adversaries may c
    >ies may consume enough system resources to negatively impact>onsume enough system resources to negatively impact and/or c
    > and/or cause affected machines to become unresponsive.(Cita>ause affected machines to become unresponsive.(Citation: Kas
    >tion: Kaspersky Lazarus Under The Hood Blog 2017) Servers an>persky Lazarus Under The Hood Blog 2017) Servers and cloud-b
    >d cloud-based systems are common targets because of the high>ased systems are common targets because of the high potentia
    > potential for available resources, but user endpoint system>l for available resources, but user endpoint systems may als
    >s may also be compromised and used for Resource Hijacking an>o be compromised and used for Resource Hijacking and cryptoc
    >d cryptocurrency mining.(Citation: CloudSploit - Unused AWS >urrency mining.(Citation: CloudSploit - Unused AWS Regions) 
    >Regions) Containerized environments may also be targeted due>Containerized environments may also be targeted due to the e
    > to the ease of deployment via exposed APIs and the potentia>ase of deployment via exposed APIs and the potential for sca
    >l for scaling mining activities by deploying or compromising>ling mining activities by deploying or compromising multiple
    > multiple containers within an environment or cluster.(Citat> containers within an environment or cluster.(Citation: Unit
    >ion: Unit 42 Hildegard Malware)(Citation: Trend Micro Expose> 42 Hildegard Malware)(Citation: Trend Micro Exposed Docker 
    >d Docker APIs)  Additionally, some cryptocurrency mining mal>APIs)  Additionally, some cryptocurrency mining malware iden
    >ware identify then kill off processes for competing malware >tify then kill off processes for competing malware to ensure
    >to ensure it\u2019s not competing for resources.(Citation: Trend > it\u2019s not competing for resources.(Citation: Trend Micro War
    >Micro War of Crypto Miners)  Adversaries may also use malwar> of Crypto Miners)  Adversaries may also use malware that le
    >e that leverages a system's network bandwidth as part of a b>verages a system's network bandwidth as part of a botnet in 
    >otnet in order to facilitate [Network Denial of Service](htt>order to facilitate [Network Denial of Service](https://atta
    >ps://attack.mitre.org/techniques/T1498) campaigns and/or to >ck.mitre.org/techniques/T1498) campaigns and/or to seed mali
    >seed malicious torrents.(Citation: GoBotKR)>cious torrents.(Citation: GoBotKR) Alternatively, they may e
     >ngage in proxyjacking by selling use of the victims' network
     > bandwidth and IP address to proxyware services.(Citation: S
     >ysdig Proxyjacking)
    ", + "changelog_mitigations": { + "shared": [], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0013: Sensor Health (Host Status)", + "DS0017: Command (Command Execution)", + "DS0022: File (File Creation)", + "DS0029: Network Traffic (Network Connection Creation)", + "DS0029: Network Traffic (Network Traffic Flow)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--f3d95a1f-bba2-44ce-9af7-37866cd63fd0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-11-27 13:52:45.853000+00:00", + "modified": "2023-08-11 21:13:52.767000+00:00", + "name": "At", + "description": "Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group.\n\nOn Linux and macOS, [at](https://attack.mitre.org/software/S0110) may be invoked by the superuser as well as any users added to the at.allow file. If the at.allow file does not exist, the at.deny file is checked. Every username not listed in at.deny is allowed to invoke [at](https://attack.mitre.org/software/S0110). If the at.deny exists and is empty, global use of [at](https://attack.mitre.org/software/S0110) is permitted. If neither file exists (which is often the baseline) only the superuser is allowed to use [at](https://attack.mitre.org/software/S0110).(Citation: Linux at)\n\nAdversaries may use [at](https://attack.mitre.org/software/S0110) to execute programs at system startup or on a scheduled basis for [Persistence](https://attack.mitre.org/tactics/TA0003). [at](https://attack.mitre.org/software/S0110) can also be abused to conduct remote [Execution](https://attack.mitre.org/tactics/TA0002) as part of [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and/or to run a process under the context of a specified account (such as SYSTEM).\n\nIn Linux environments, adversaries may also abuse [at](https://attack.mitre.org/software/S0110) to break out of restricted environments by using a task to spawn an interactive system shell or to run system commands. Similarly, [at](https://attack.mitre.org/software/S0110) may also be used for [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) if the binary is allowed to run as superuser via sudo.(Citation: GTFObins at)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "execution" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1053/002", + "external_id": "T1053.002" + }, + { + "source_name": "rowland linux at 2019", + "description": "Craig Rowland. (2019, July 25). Getting an Attacker IP Address from a Malicious Linux At Job. Retrieved October 15, 2021.", + "url": "https://www.linkedin.com/pulse/getting-attacker-ip-address-from-malicious-linux-job-craig-rowland/" + }, + { + "source_name": "GTFObins at", + "description": "Emilio Pinna, Andrea Cardaci. (n.d.). gtfobins at. Retrieved September 28, 2021.", + "url": "https://gtfobins.github.io/gtfobins/at/" + }, + { + "source_name": "Linux at", + "description": "IEEE/The Open Group. (2017). at(1p) \u2014 Linux manual page. Retrieved February 25, 2022.", + "url": "https://man7.org/linux/man-pages/man1/at.1p.html" + }, + { + "source_name": "Twitter Leoloobeek Scheduled Task", + "description": "Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved December 12, 2017.", + "url": "https://twitter.com/leoloobeek/status/939248813465853953" + }, + { + "source_name": "Microsoft Scheduled Task Events Win10", + "description": "Microsoft. (2017, May 28). Audit Other Object Access Events. Retrieved June 27, 2019.", + "url": "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events" + }, + { + "source_name": "TechNet Scheduled Task Events", + "description": "Microsoft. (n.d.). General Task Registration. Retrieved December 12, 2017.", + "url": "https://technet.microsoft.com/library/dd315590.aspx" + }, + { + "source_name": "TechNet Autoruns", + "description": "Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.", + "url": "https://technet.microsoft.com/en-us/sysinternals/bb963902" + }, + { + "source_name": "TechNet Forum Scheduled Task Operational Setting", + "description": "Satyajit321. (2015, November 3). Scheduled Tasks History Retention settings. Retrieved December 12, 2017.", + "url": "https://social.technet.microsoft.com/Forums/en-US/e5bca729-52e7-4fcb-ba12-3225c564674c/scheduled-tasks-history-retention-settings?forum=winserver8gen" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_data_sources": [ + "Command: Command Execution", + "Scheduled Job: Scheduled Job Creation", + "Network Traffic: Network Traffic Flow", + "Process: Process Creation", + "File: File Modification" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor process execution from the svchost.exe in Windows 10 and the Windows Task Scheduler taskeng.exe for older versions of Windows. (Citation: Twitter Leoloobeek Scheduled Task) If scheduled tasks are not used for persistence, then the adversary is likely to remove the task when the action is complete. Monitor Windows Task Scheduler stores in %systemroot%\\System32\\Tasks for change entries related to scheduled tasks that do not correlate with known software, patch cycles, etc.\n\nConfigure event logging for scheduled task creation and changes by enabling the \"Microsoft-Windows-TaskScheduler/Operational\" setting within the event logging service. (Citation: TechNet Forum Scheduled Task Operational Setting) Several events will then be logged on scheduled task activity, including: (Citation: TechNet Scheduled Task Events)(Citation: Microsoft Scheduled Task Events Win10)\n\n* Event ID 106 on Windows 7, Server 2008 R2 - Scheduled task registered\n* Event ID 140 on Windows 7, Server 2008 R2 / 4702 on Windows 10, Server 2016 - Scheduled task updated\n* Event ID 141 on Windows 7, Server 2008 R2 / 4699 on Windows 10, Server 2016 - Scheduled task deleted\n* Event ID 4698 on Windows 10, Server 2016 - Scheduled task created\n* Event ID 4700 on Windows 10, Server 2016 - Scheduled task enabled\n* Event ID 4701 on Windows 10, Server 2016 - Scheduled task disabled\n\nTools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current scheduled tasks. (Citation: TechNet Autoruns)\n\nRemote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Tasks may also be created through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), so additional logging may need to be configured to gather the appropriate data.\n\nIn Linux and macOS environments, monitor scheduled task creation using command-line invocation. Legitimate scheduled tasks may be created during installation of new software or through system administration functions. Look for changes to tasks that do not correlate with known software, patch cycles, etc. \n\nReview all jobs using the atq command and ensure IP addresses stored in the SSH_CONNECTION and SSH_CLIENT variables, machines that created the jobs, are trusted hosts. All [at](https://attack.mitre.org/software/S0110) jobs are stored in /var/spool/cron/atjobs/.(Citation: rowland linux at 2019)\n\nSuspicious program execution through scheduled tasks may show up as outlier processes that have not been seen before when compared against historical data. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for [Command and Control](https://attack.mitre.org/tactics/TA0011), learning details about the environment through [Discovery](https://attack.mitre.org/tactics/TA0007), and [Lateral Movement](https://attack.mitre.org/tactics/TA0008).", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_permissions_required": [ + "Administrator", + "User" + ], + "x_mitre_platforms": [ + "Windows", + "Linux", + "macOS" + ], + "x_mitre_remote_support": true, + "x_mitre_version": "2.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-11 21:13:52.767000+00:00\", \"old_value\": \"2022-04-18 20:12:04.110000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.1\", \"old_value\": \"2.0\"}}, \"iterable_item_added\": {\"root['x_mitre_data_sources'][2]\": \"Network Traffic: Network Traffic Flow\"}}", + "previous_version": "2.0", + "version_change": "2.0 \u2192 2.1", + "changelog_mitigations": { + "shared": [ + "M1018: User Account Management", + "M1026: Privileged Account Management", + "M1028: Operating System Configuration", + "M1047: Audit" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0003: Scheduled Job (Scheduled Job Creation)", + "DS0009: Process (Process Creation)", + "DS0017: Command (Command Execution)", + "DS0022: File (File Modification)" + ], + "new": [ + "DS0029: Network Traffic (Network Traffic Flow)" + ], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-11-27 14:58:00.429000+00:00", + "modified": "2023-08-11 21:20:10.882000+00:00", + "name": "Scheduled Task", + "description": "Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111) utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library to create a scheduled task.\n\nThe deprecated [at](https://attack.mitre.org/software/S0110) utility could also be abused by adversaries (ex: [At](https://attack.mitre.org/techniques/T1053/002)), though at.exe can not access tasks created with schtasks or the Control Panel.\n\nAn adversary may use Windows Task Scheduler to execute programs at system startup or on a scheduled basis for persistence. The Windows Task Scheduler can also be abused to conduct remote Execution as part of Lateral Movement and/or to run a process under the context of a specified account (such as SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218), adversaries have also abused the Windows Task Scheduler to potentially mask one-time execution under signed/trusted system processes.(Citation: ProofPoint Serpent)\n\nAdversaries may also create \"hidden\" scheduled tasks (i.e. [Hide Artifacts](https://attack.mitre.org/techniques/T1564)) that may not be visible to defender tools and manual queries used to enumerate tasks. Specifically, an adversary may hide a task from `schtasks /query` and the Task Scheduler by deleting the associated Security Descriptor (SD) registry value (where deletion of this value must be completed using SYSTEM permissions).(Citation: SigmaHQ)(Citation: Tarrask scheduled task) Adversaries may also employ alternate methods to hide tasks, such as altering the metadata (e.g., `Index` value) within associated registry keys.(Citation: Defending Against Scheduled Task Attacks in Windows Environments) ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "execution" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1053/005", + "external_id": "T1053.005" + }, + { + "source_name": "ProofPoint Serpent", + "description": "Campbell, B. et al. (2022, March 21). Serpent, No Swiping! New Backdoor Targets French Entities with Unique Attack Chain. Retrieved April 11, 2022.", + "url": "https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain" + }, + { + "source_name": "Defending Against Scheduled Task Attacks in Windows Environments", + "description": "Harshal Tupsamudre. (2022, June 20). Defending Against Scheduled Tasks. Retrieved July 5, 2022.", + "url": "https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments" + }, + { + "source_name": "Twitter Leoloobeek Scheduled Task", + "description": "Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved December 12, 2017.", + "url": "https://twitter.com/leoloobeek/status/939248813465853953" + }, + { + "source_name": "Tarrask scheduled task", + "description": "Microsoft Threat Intelligence Team & Detection and Response Team . (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion. Retrieved June 1, 2022.", + "url": "https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/" + }, + { + "source_name": "Microsoft Scheduled Task Events Win10", + "description": "Microsoft. (2017, May 28). Audit Other Object Access Events. Retrieved June 27, 2019.", + "url": "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events" + }, + { + "source_name": "TechNet Scheduled Task Events", + "description": "Microsoft. (n.d.). General Task Registration. Retrieved December 12, 2017.", + "url": "https://technet.microsoft.com/library/dd315590.aspx" + }, + { + "source_name": "TechNet Autoruns", + "description": "Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.", + "url": "https://technet.microsoft.com/en-us/sysinternals/bb963902" + }, + { + "source_name": "TechNet Forum Scheduled Task Operational Setting", + "description": "Satyajit321. (2015, November 3). Scheduled Tasks History Retention settings. Retrieved December 12, 2017.", + "url": "https://social.technet.microsoft.com/Forums/en-US/e5bca729-52e7-4fcb-ba12-3225c564674c/scheduled-tasks-history-retention-settings?forum=winserver8gen" + }, + { + "source_name": "SigmaHQ", + "description": "Sittikorn S. (2022, April 15). Removal Of SD Value to Hide Schedule Task - Registry. Retrieved June 1, 2022.", + "url": "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Andrew Northern, @ex_raritas", + "Bryan Campbell, @bry_campbell", + "Zachary Abzug, @ZackDoesML", + "Selena Larson, @selenalarson", + "Sittikorn Sangrattanapitak" + ], + "x_mitre_data_sources": [ + "Windows Registry: Windows Registry Key Creation", + "File: File Modification", + "File: File Creation", + "Process: Process Creation", + "Command: Command Execution", + "Network Traffic: Network Traffic Flow", + "Scheduled Job: Scheduled Job Creation" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor process execution from the svchost.exe in Windows 10 and the Windows Task Scheduler taskeng.exe for older versions of Windows. (Citation: Twitter Leoloobeek Scheduled Task) If scheduled tasks are not used for persistence, then the adversary is likely to remove the task when the action is complete. Monitor Windows Task Scheduler stores in %systemroot%\\System32\\Tasks for change entries related to scheduled tasks that do not correlate with known software, patch cycles, etc.\n\nConfigure event logging for scheduled task creation and changes by enabling the \"Microsoft-Windows-TaskScheduler/Operational\" setting within the event logging service. (Citation: TechNet Forum Scheduled Task Operational Setting) Several events will then be logged on scheduled task activity, including: (Citation: TechNet Scheduled Task Events)(Citation: Microsoft Scheduled Task Events Win10)\n\n* Event ID 106 on Windows 7, Server 2008 R2 - Scheduled task registered\n* Event ID 140 on Windows 7, Server 2008 R2 / 4702 on Windows 10, Server 2016 - Scheduled task updated\n* Event ID 141 on Windows 7, Server 2008 R2 / 4699 on Windows 10, Server 2016 - Scheduled task deleted\n* Event ID 4698 on Windows 10, Server 2016 - Scheduled task created\n* Event ID 4700 on Windows 10, Server 2016 - Scheduled task enabled\n* Event ID 4701 on Windows 10, Server 2016 - Scheduled task disabled\n\nTools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current scheduled tasks. (Citation: TechNet Autoruns)\n\nRemote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Tasks may also be created through Windows system management tools such as Windows Management Instrumentation and PowerShell, so additional logging may need to be configured to gather the appropriate data.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_permissions_required": [ + "Administrator" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_remote_support": true, + "x_mitre_version": "1.4", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-11 21:20:10.882000+00:00\", \"old_value\": \"2023-04-07 17:11:17.807000+00:00\"}, \"root['external_references'][1]['description']\": {\"new_value\": \"Sittikorn S. (2022, April 15). Removal Of SD Value to Hide Schedule Task - Registry. Retrieved June 1, 2022.\", \"old_value\": \"BlackB0lt. (2022, April 15). https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_removal_sd_value_scheduled_task_hide.yml. Retrieved June 1, 2022.\"}, \"root['external_references'][1]['url']\": {\"new_value\": \"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml\", \"old_value\": \"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_removal_sd_value_scheduled_task_hide.yml\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.4\", \"old_value\": \"1.3\"}}, \"iterable_item_added\": {\"root['x_mitre_data_sources'][2]\": \"File: File Creation\", \"root['x_mitre_data_sources'][5]\": \"Network Traffic: Network Traffic Flow\"}}", + "previous_version": "1.3", + "version_change": "1.3 \u2192 1.4", + "changelog_mitigations": { + "shared": [ + "M1018: User Account Management", + "M1026: Privileged Account Management", + "M1028: Operating System Configuration", + "M1047: Audit" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0003: Scheduled Job (Scheduled Job Creation)", + "DS0009: Process (Process Creation)", + "DS0017: Command (Command Execution)", + "DS0022: File (File Modification)", + "DS0024: Windows Registry (Windows Registry Key Creation)" + ], + "new": [ + "DS0022: File (File Creation)", + "DS0029: Network Traffic (Network Traffic Flow)" + ], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--a542bac9-7bc1-4da7-9a09-96f69e23cc21", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-10-12 17:50:31.584000+00:00", + "modified": "2023-09-08 11:56:26.862000+00:00", + "name": "Systemd Timers", + "description": "Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the systemctl command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control)\n\nEach .timer file must have a corresponding .service file with the same name, e.g., example.timer and example.service. .service files are [Systemd Service](https://attack.mitre.org/techniques/T1543/002) unit files that are managed by the systemd system and service manager.(Citation: Linux man-pages: systemd January 2014) Privileged timers are written to /etc/systemd/system/ and /usr/lib/systemd/system while user level are written to ~/.config/systemd/user/.\n\nAn adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence.(Citation: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation: gist Arch package compromise 10JUL2018)(Citation: acroread package compromised Arch Linux Mail 8JUL2018) Timers installed using privileged paths may be used to maintain root level persistence. Adversaries may also install user level timers to achieve user level persistence.(Citation: Falcon Sandbox smp: 28553b3a9d)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "execution" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1053/006", + "external_id": "T1053.006" + }, + { + "source_name": "Systemd Remote Control", + "description": "Aaron Kili. (2018, January 16). How to Control Systemd Services on Remote Linux Server. Retrieved July 26, 2021.", + "url": "https://www.tecmint.com/control-systemd-services-on-remote-linux-server/" + }, + { + "source_name": "archlinux Systemd Timers Aug 2020", + "description": "archlinux. (2020, August 11). systemd/Timers. Retrieved October 12, 2020.", + "url": "https://wiki.archlinux.org/index.php/Systemd/Timers" + }, + { + "source_name": "gist Arch package compromise 10JUL2018", + "description": "Catalin Cimpanu. (2018, July 10). ~x file downloaded in public Arch package compromise. Retrieved April 23, 2019.", + "url": "https://gist.github.com/campuscodi/74d0d2e35d8fd9499c76333ce027345a" + }, + { + "source_name": "Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018", + "description": "Catalin Cimpanu. (2018, July 10). Malware Found in Arch Linux AUR Package Repository. Retrieved April 23, 2019.", + "url": "https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/" + }, + { + "source_name": "acroread package compromised Arch Linux Mail 8JUL2018", + "description": "Eli Schwartz. (2018, June 8). acroread package compromised. Retrieved April 23, 2019.", + "url": "https://lists.archlinux.org/pipermail/aur-general/2018-July/034153.html" + }, + { + "source_name": "Falcon Sandbox smp: 28553b3a9d", + "description": "Hybrid Analysis. (2018, July 11). HybridAnalsysis of sample 28553b3a9d2ad4361d33d29ac4bf771d008e0073cec01b5561c6348a608f8dd7. Retrieved September 8, 2023.", + "url": "https://www.hybrid-analysis.com/sample/28553b3a9d2ad4361d33d29ac4bf771d008e0073cec01b5561c6348a608f8dd7?environmentId=300" + }, + { + "source_name": "Linux man-pages: systemd January 2014", + "description": "Linux man-pages. (2014, January). systemd(1) - Linux manual page. Retrieved April 23, 2019.", + "url": "http://man7.org/linux/man-pages/man1/systemd.1.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "SarathKumar Rajendran, Trimble Inc" + ], + "x_mitre_data_sources": [ + "File: File Modification", + "Process: Process Creation", + "Command: Command Execution", + "Scheduled Job: Scheduled Job Creation" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Systemd timer unit files may be detected by auditing file creation and modification events within the /etc/systemd/system, /usr/lib/systemd/system/, and ~/.config/systemd/user/ directories, as well as associated symbolic links. Suspicious processes or scripts spawned in this manner will have a parent process of \u2018systemd\u2019, a parent process ID of 1, and will usually execute as the \u2018root\u2019 user.\n\nSuspicious systemd timers can also be identified by comparing results against a trusted system baseline. Malicious systemd timers may be detected by using the systemctl utility to examine system wide timers: systemctl list-timers \u2013all. Analyze the contents of corresponding .service files present on the file system and ensure that they refer to legitimate, expected executables.\n\nAudit the execution and command-line arguments of the 'systemd-run' utility as it may be used to create timers.(Citation: archlinux Systemd Timers Aug 2020)", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_permissions_required": [ + "User", + "root" + ], + "x_mitre_platforms": [ + "Linux" + ], + "x_mitre_remote_support": true, + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_attack_spec_version']\": \"3.1.0\", \"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-08 11:56:26.862000+00:00\", \"old_value\": \"2021-07-27 16:43:25.027000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the systemctl command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control)\\n\\nEach .timer file must have a corresponding .service file with the same name, e.g., example.timer and example.service. .service files are [Systemd Service](https://attack.mitre.org/techniques/T1543/002) unit files that are managed by the systemd system and service manager.(Citation: Linux man-pages: systemd January 2014) Privileged timers are written to /etc/systemd/system/ and /usr/lib/systemd/system while user level are written to ~/.config/systemd/user/.\\n\\nAn adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence.(Citation: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation: gist Arch package compromise 10JUL2018)(Citation: acroread package compromised Arch Linux Mail 8JUL2018) Timers installed using privileged paths may be used to maintain root level persistence. Adversaries may also install user level timers to achieve user level persistence.(Citation: Falcon Sandbox smp: 28553b3a9d)\", \"old_value\": \"Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the systemctl command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control)\\n\\nEach .timer file must have a corresponding .service file with the same name, e.g., example.timer and example.service. .service files are [Systemd Service](https://attack.mitre.org/techniques/T1543/002) unit files that are managed by the systemd system and service manager.(Citation: Linux man-pages: systemd January 2014) Privileged timers are written to /etc/systemd/system/ and /usr/lib/systemd/system while user level are written to ~/.config/systemd/user/.\\n\\nAn adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence.(Citation: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation: gist Arch package compromise 10JUL2018)(Citation: acroread package compromised Arch Linux Mail 8JUL2018) Timers installed using privileged paths may be used to maintain root level persistence. Adversaries may also install user level timers to achieve user level persistence.\", \"diff\": \"--- \\n+++ \\n@@ -2,4 +2,4 @@\\n \\n Each .timer file must have a corresponding .service file with the same name, e.g., example.timer and example.service. .service files are [Systemd Service](https://attack.mitre.org/techniques/T1543/002) unit files that are managed by the systemd system and service manager.(Citation: Linux man-pages: systemd January 2014) Privileged timers are written to /etc/systemd/system/ and /usr/lib/systemd/system while user level are written to ~/.config/systemd/user/.\\n \\n-An adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence.(Citation: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation: gist Arch package compromise 10JUL2018)(Citation: acroread package compromised Arch Linux Mail 8JUL2018) Timers installed using privileged paths may be used to maintain root level persistence. Adversaries may also install user level timers to achieve user level persistence.\\n+An adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence.(Citation: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation: gist Arch package compromise 10JUL2018)(Citation: acroread package compromised Arch Linux Mail 8JUL2018) Timers installed using privileged paths may be used to maintain root level persistence. Adversaries may also install user level timers to achieve user level persistence.(Citation: Falcon Sandbox smp: 28553b3a9d)\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}, \"iterable_item_added\": {\"root['external_references'][6]\": {\"source_name\": \"Falcon Sandbox smp: 28553b3a9d\", \"description\": \"Hybrid Analysis. (2018, July 11). HybridAnalsysis of sample 28553b3a9d2ad4361d33d29ac4bf771d008e0073cec01b5561c6348a608f8dd7. Retrieved September 8, 2023.\", \"url\": \"https://www.hybrid-analysis.com/sample/28553b3a9d2ad4361d33d29ac4bf771d008e0073cec01b5561c6348a608f8dd7?environmentId=300\"}}}", + "previous_version": "1.1", + "version_change": "1.1 \u2192 1.2", + "description_change_table": "\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n

    		Old Description
    		New Description
    t1Adversaries may abuse systemd timers to perform task schedult1Adversaries may abuse systemd timers to perform task schedul
    >ing for initial or recurring execution of malicious code. Sy>ing for initial or recurring execution of malicious code. Sy
    >stemd timers are unit files with file extension <code>.timer>stemd timers are unit files with file extension <code>.timer
    ></code> that control services. Timers can be set to run on a></code> that control services. Timers can be set to run on a
    > calendar event or after a time span relative to a starting > calendar event or after a time span relative to a starting 
    >point. They can be used as an alternative to [Cron](https://>point. They can be used as an alternative to [Cron](https://
    >attack.mitre.org/techniques/T1053/003) in Linux environments>attack.mitre.org/techniques/T1053/003) in Linux environments
    >.(Citation: archlinux Systemd Timers Aug 2020) Systemd timer>.(Citation: archlinux Systemd Timers Aug 2020) Systemd timer
    >s may be activated remotely via the <code>systemctl</code> c>s may be activated remotely via the <code>systemctl</code> c
    >ommand line utility, which operates over [SSH](https://attac>ommand line utility, which operates over [SSH](https://attac
    >k.mitre.org/techniques/T1021/004).(Citation: Systemd Remote >k.mitre.org/techniques/T1021/004).(Citation: Systemd Remote 
    >Control)  Each <code>.timer</code> file must have a correspo>Control)  Each <code>.timer</code> file must have a correspo
    >nding <code>.service</code> file with the same name, e.g., <>nding <code>.service</code> file with the same name, e.g., <
    >code>example.timer</code> and <code>example.service</code>. >code>example.timer</code> and <code>example.service</code>. 
    ><code>.service</code> files are [Systemd Service](https://at><code>.service</code> files are [Systemd Service](https://at
    >tack.mitre.org/techniques/T1543/002) unit files that are man>tack.mitre.org/techniques/T1543/002) unit files that are man
    >aged by the systemd system and service manager.(Citation: Li>aged by the systemd system and service manager.(Citation: Li
    >nux man-pages: systemd January 2014) Privileged timers are w>nux man-pages: systemd January 2014) Privileged timers are w
    >ritten to <code>/etc/systemd/system/</code> and <code>/usr/l>ritten to <code>/etc/systemd/system/</code> and <code>/usr/l
    >ib/systemd/system</code> while user level are written to <co>ib/systemd/system</code> while user level are written to <co
    >de>~/.config/systemd/user/</code>.  An adversary may use sys>de>~/.config/systemd/user/</code>.  An adversary may use sys
    >temd timers to execute malicious code at system startup or o>temd timers to execute malicious code at system startup or o
    >n a scheduled basis for persistence.(Citation: Arch Linux Pa>n a scheduled basis for persistence.(Citation: Arch Linux Pa
    >ckage Systemd Compromise BleepingComputer 10JUL2018)(Citatio>ckage Systemd Compromise BleepingComputer 10JUL2018)(Citatio
    >n: gist Arch package compromise 10JUL2018)(Citation: acrorea>n: gist Arch package compromise 10JUL2018)(Citation: acrorea
    >d package compromised Arch Linux Mail 8JUL2018) Timers insta>d package compromised Arch Linux Mail 8JUL2018) Timers insta
    >lled using privileged paths may be used to maintain root lev>lled using privileged paths may be used to maintain root lev
    >el persistence. Adversaries may also install user level time>el persistence. Adversaries may also install user level time
    >rs to achieve user level persistence.>rs to achieve user level persistence.(Citation: Falcon Sandb
     >ox smp: 28553b3a9d)
    ", + "changelog_mitigations": { + "shared": [ + "M1018: User Account Management", + "M1022: Restrict File and Directory Permissions", + "M1026: Privileged Account Management" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0003: Scheduled Job (Scheduled Job Creation)", + "DS0009: Process (Process Creation)", + "DS0017: Command (Command Execution)", + "DS0022: File (File Modification)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--0a5231ec-41af-4a35-83d0-6bdf11f28c65", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:31:40.542000+00:00", + "modified": "2023-10-12 21:17:14.868000+00:00", + "name": "Shared Modules", + "description": "Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., [Native API](https://attack.mitre.org/techniques/T1106)).\n\nAdversaries may use this functionality as a way to execute arbitrary payloads on a victim system. For example, adversaries can modularize functionality of their malware into shared objects that perform various functions such as managing C2 network communications or execution of specific actions on objective.\n\nThe Linux & macOS module loader can load and execute shared objects from arbitrary local paths. This functionality resides in `dlfcn.h` in functions such as `dlopen` and `dlsym`. Although macOS can execute `.so` files, common practice uses `.dylib` files.(Citation: Apple Dev Dynamic Libraries)(Citation: Linux Shared Libraries)(Citation: RotaJakiro 2021 netlab360 analysis)(Citation: Unit42 OceanLotus 2017)\n\nThe Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in `NTDLL.dll` and is part of the Windows [Native API](https://attack.mitre.org/techniques/T1106) which is called from functions like `LoadLibrary` at run time.(Citation: Microsoft DLL)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "execution" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1129", + "external_id": "T1129" + }, + { + "source_name": "RotaJakiro 2021 netlab360 analysis", + "description": " Alex Turing, Hui Wang. (2021, April 28). RotaJakiro: A long live secret backdoor with 0 VT detection. Retrieved June 14, 2023.", + "url": "https://blog.netlab.360.com/stealth_rotajakiro_backdoor_en/" + }, + { + "source_name": "Apple Dev Dynamic Libraries", + "description": "Apple. (2012, July 23). Overview of Dynamic Libraries. Retrieved September 7, 2023.", + "url": "https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/OverviewOfDynamicLibraries.html" + }, + { + "source_name": "Unit42 OceanLotus 2017", + "description": "Erye Hernandez and Danny Tsechansky. (2017, June 22). The New and Improved macOS Backdoor from OceanLotus. Retrieved September 8, 2023.", + "url": "https://unit42.paloaltonetworks.com/unit42-new-improved-macos-backdoor-oceanlotus/" + }, + { + "source_name": "Microsoft DLL", + "description": "Microsoft. (2023, April 28). What is a DLL. Retrieved September 7, 2023.", + "url": "https://learn.microsoft.com/troubleshoot/windows-client/deployment/dynamic-link-library" + }, + { + "source_name": "Linux Shared Libraries", + "description": "Wheeler, D. (2003, April 11). Shared Libraries. Retrieved September 7, 2023.", + "url": "https://tldp.org/HOWTO/Program-Library-HOWTO/shared-libraries.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Stefan Kanthak" + ], + "x_mitre_data_sources": [ + "Process: OS API Execution", + "Module: Module Load" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitoring DLL module loads may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances, since benign use of Windows modules load functions are common and may be difficult to distinguish from malicious behavior. Legitimate software will likely only need to load routine, bundled DLL modules or Windows system DLLs such that deviation from known module loads may be suspicious. Limiting DLL module loads to `%SystemRoot%` and `%ProgramFiles%` directories will protect against module loads from unsafe paths. \n\nCorrelation of other events with behavior surrounding module loads using API monitoring and suspicious DLLs written to disk will provide additional context to an event that may assist in determining if it is due to malicious behavior.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "macOS", + "Linux" + ], + "x_mitre_remote_support": false, + "x_mitre_version": "2.2", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-12 21:17:14.868000+00:00\", \"old_value\": \"2022-04-19 20:31:10.657000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., [Native API](https://attack.mitre.org/techniques/T1106)).\\n\\nAdversaries may use this functionality as a way to execute arbitrary payloads on a victim system. For example, adversaries can modularize functionality of their malware into shared objects that perform various functions such as managing C2 network communications or execution of specific actions on objective.\\n\\nThe Linux & macOS module loader can load and execute shared objects from arbitrary local paths. This functionality resides in `dlfcn.h` in functions such as `dlopen` and `dlsym`. Although macOS can execute `.so` files, common practice uses `.dylib` files.(Citation: Apple Dev Dynamic Libraries)(Citation: Linux Shared Libraries)(Citation: RotaJakiro 2021 netlab360 analysis)(Citation: Unit42 OceanLotus 2017)\\n\\nThe Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in `NTDLL.dll` and is part of the Windows [Native API](https://attack.mitre.org/techniques/T1106) which is called from functions like `LoadLibrary` at run time.(Citation: Microsoft DLL)\", \"old_value\": \"Adversaries may execute malicious payloads via loading shared modules. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows [Native API](https://attack.mitre.org/techniques/T1106) which is called from functions like CreateProcess, LoadLibrary, etc. of the Win32 API.(Citation: Wikipedia Windows Library Files)\\n\\nThe module loader can load DLLs:\\n\\n* via specification of the (fully-qualified or relative) DLL pathname in the IMPORT directory;\\n \\n* via EXPORT forwarded to another DLL, specified with (fully-qualified or relative) pathname (but without extension);\\n \\n* via an NTFS junction or symlink program.exe.local with the fully-qualified or relative pathname of a directory containing the DLLs specified in the IMPORT directory or forwarded EXPORTs;\\n \\n* via <file name=\\\"filename.extension\\\" loadFrom=\\\"fully-qualified or relative pathname\\\"> in an embedded or external \\\"application manifest\\\". The file name refers to an entry in the IMPORT directory or a forwarded EXPORT.\\n\\nAdversaries may use this functionality as a way to execute arbitrary payloads on a victim system. For example, malware may execute share modules to load additional components or features.\", \"diff\": \"--- \\n+++ \\n@@ -1,13 +1,7 @@\\n-Adversaries may execute malicious payloads via loading shared modules. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows [Native API](https://attack.mitre.org/techniques/T1106) which is called from functions like CreateProcess, LoadLibrary, etc. of the Win32 API.(Citation: Wikipedia Windows Library Files)\\n+Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., [Native API](https://attack.mitre.org/techniques/T1106)).\\n \\n-The module loader can load DLLs:\\n+Adversaries may use this functionality as a way to execute arbitrary payloads on a victim system. For example, adversaries can modularize functionality of their malware into shared objects that perform various functions such as managing C2 network communications or execution of specific actions on objective.\\n \\n-* via specification of the (fully-qualified or relative) DLL pathname in the IMPORT directory;\\n- \\n-* via EXPORT forwarded to another DLL, specified with (fully-qualified or relative) pathname (but without extension);\\n- \\n-* via an NTFS junction or symlink program.exe.local with the fully-qualified or relative pathname of a directory containing the DLLs specified in the IMPORT directory or forwarded EXPORTs;\\n- \\n-* via <file name=\\\"filename.extension\\\" loadFrom=\\\"fully-qualified or relative pathname\\\"> in an embedded or external \\\"application manifest\\\". The file name refers to an entry in the IMPORT directory or a forwarded EXPORT.\\n+The Linux & macOS module loader can load and execute shared objects from arbitrary local paths. This functionality resides in `dlfcn.h` in functions such as `dlopen` and `dlsym`. Although macOS can execute `.so` files, common practice uses `.dylib` files.(Citation: Apple Dev Dynamic Libraries)(Citation: Linux Shared Libraries)(Citation: RotaJakiro 2021 netlab360 analysis)(Citation: Unit42 OceanLotus 2017)\\n \\n-Adversaries may use this functionality as a way to execute arbitrary payloads on a victim system. For example, malware may execute share modules to load additional components or features.\\n+The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in `NTDLL.dll` and is part of the Windows [Native API](https://attack.mitre.org/techniques/T1106) which is called from functions like `LoadLibrary` at run time.(Citation: Microsoft DLL)\"}, \"root['external_references'][1]['source_name']\": {\"new_value\": \"RotaJakiro 2021 netlab360 analysis\", \"old_value\": \"Wikipedia Windows Library Files\"}, \"root['external_references'][1]['description']\": {\"new_value\": \" Alex Turing, Hui Wang. (2021, April 28). RotaJakiro: A long live secret backdoor with 0 VT detection. Retrieved June 14, 2023.\", \"old_value\": \"Wikipedia. (2017, January 31). Microsoft Windows library files. Retrieved February 13, 2017.\"}, \"root['external_references'][1]['url']\": {\"new_value\": \"https://blog.netlab.360.com/stealth_rotajakiro_backdoor_en/\", \"old_value\": \"https://en.wikipedia.org/wiki/Microsoft_Windows_library_files\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_detection']\": {\"new_value\": \"Monitoring DLL module loads may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances, since benign use of Windows modules load functions are common and may be difficult to distinguish from malicious behavior. Legitimate software will likely only need to load routine, bundled DLL modules or Windows system DLLs such that deviation from known module loads may be suspicious. Limiting DLL module loads to `%SystemRoot%` and `%ProgramFiles%` directories will protect against module loads from unsafe paths. \\n\\nCorrelation of other events with behavior surrounding module loads using API monitoring and suspicious DLLs written to disk will provide additional context to an event that may assist in determining if it is due to malicious behavior.\", \"old_value\": \"Monitoring DLL module loads may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances, since benign use of Windows modules load functions are common and may be difficult to distinguish from malicious behavior. Legitimate software will likely only need to load routine, bundled DLL modules or Windows system DLLs such that deviation from known module loads may be suspicious. Limiting DLL module loads to %SystemRoot% and %ProgramFiles% directories will protect against module loads from unsafe paths. \\n\\nCorrelation of other events with behavior surrounding module loads using API monitoring and suspicious DLLs written to disk will provide additional context to an event that may assist in determining if it is due to malicious behavior.\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,3 @@\\n-Monitoring DLL module loads may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances, since benign use of Windows modules load functions are common and may be difficult to distinguish from malicious behavior. Legitimate software will likely only need to load routine, bundled DLL modules or Windows system DLLs such that deviation from known module loads may be suspicious. Limiting DLL module loads to %SystemRoot% and %ProgramFiles% directories will protect against module loads from unsafe paths. \\n+Monitoring DLL module loads may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances, since benign use of Windows modules load functions are common and may be difficult to distinguish from malicious behavior. Legitimate software will likely only need to load routine, bundled DLL modules or Windows system DLLs such that deviation from known module loads may be suspicious. Limiting DLL module loads to `%SystemRoot%` and `%ProgramFiles%` directories will protect against module loads from unsafe paths. \\n \\n Correlation of other events with behavior surrounding module loads using API monitoring and suspicious DLLs written to disk will provide additional context to an event that may assist in determining if it is due to malicious behavior.\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.2\", \"old_value\": \"2.1\"}}, \"iterable_item_added\": {\"root['external_references'][2]\": {\"source_name\": \"Apple Dev Dynamic Libraries\", \"description\": \"Apple. (2012, July 23). Overview of Dynamic Libraries. Retrieved September 7, 2023.\", \"url\": \"https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/OverviewOfDynamicLibraries.html\"}, \"root['external_references'][3]\": {\"source_name\": \"Unit42 OceanLotus 2017\", \"description\": \"Erye Hernandez and Danny Tsechansky. (2017, June 22). The New and Improved macOS Backdoor from OceanLotus. Retrieved September 8, 2023.\", \"url\": \"https://unit42.paloaltonetworks.com/unit42-new-improved-macos-backdoor-oceanlotus/\"}, \"root['external_references'][4]\": {\"source_name\": \"Microsoft DLL\", \"description\": \"Microsoft. (2023, April 28). What is a DLL. Retrieved September 7, 2023.\", \"url\": \"https://learn.microsoft.com/troubleshoot/windows-client/deployment/dynamic-link-library\"}, \"root['external_references'][5]\": {\"source_name\": \"Linux Shared Libraries\", \"description\": \"Wheeler, D. (2003, April 11). Shared Libraries. Retrieved September 7, 2023.\", \"url\": \"https://tldp.org/HOWTO/Program-Library-HOWTO/shared-libraries.html\"}, \"root['x_mitre_platforms'][1]\": \"macOS\", \"root['x_mitre_platforms'][2]\": \"Linux\"}}", + "previous_version": "2.1", + "version_change": "2.1 \u2192 2.2", + "description_change_table": "\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n

    		Old Description
    		New Description
    t1Adversaries may execute malicious payloads via loading sharet1Adversaries may execute malicious payloads via loading share
    >d modules. The Windows module loader can be instructed to lo>d modules. Shared modules are executable files that are load
    >ad DLLs from arbitrary local paths and arbitrary Universal N>ed into processes to provide access to reusable code, such a
    >aming Convention (UNC) network paths. This functionality res>s specific custom functions or invoking OS API functions (i.
    >ides in NTDLL.dll and is part of the Windows [Native API](ht>e., [Native API](https://attack.mitre.org/techniques/T1106))
    >tps://attack.mitre.org/techniques/T1106) which is called fro>.  Adversaries may use this functionality as a way to execut
    >m functions like <code>CreateProcess</code>, <code>LoadLibra>e arbitrary payloads on a victim system. For example, advers
    >ry</code>, etc. of the Win32 API.(Citation: Wikipedia Window>aries can modularize functionality of their malware into sha
    >s Library Files)  The module loader can load DLLs:  * via sp>red objects that perform various functions such as managing 
    >ecification of the (fully-qualified or relative) DLL pathnam>C2 network communications or execution of specific actions o
    >e in the IMPORT directory;      * via EXPORT forwarded to an>n objective.  The Linux & macOS module loader can load and e
    >other DLL, specified with (fully-qualified or relative) path>xecute shared objects from arbitrary local paths. This funct
    >name (but without extension);      * via an NTFS junction or>ionality resides in `dlfcn.h` in functions such as `dlopen` 
    > symlink program.exe.local with the fully-qualified or relat>and `dlsym`. Although macOS can execute `.so` files, common 
    >ive pathname of a directory containing the DLLs specified in>practice uses `.dylib` files.(Citation: Apple Dev Dynamic Li
    > the IMPORT directory or forwarded EXPORTs;      * via <code>braries)(Citation: Linux Shared Libraries)(Citation: RotaJak
    >>&#x3c;file name=\"filename.extension\" loadFrom=\"fully-qualif>iro 2021 netlab360 analysis)(Citation: Unit42 OceanLotus 201
    >ied or relative pathname\"&#x3e;</code> in an embedded or ext>7)  The Windows module loader can be instructed to load DLLs
    >ernal \"application manifest\". The file name refers to an ent> from arbitrary local paths and arbitrary Universal Naming C
    >ry in the IMPORT directory or a forwarded EXPORT.  Adversari>onvention (UNC) network paths. This functionality resides in
    >es may use this functionality as a way to execute arbitrary > `NTDLL.dll` and is part of the Windows [Native API](https:/
    >payloads on a victim system. For example, malware may execut>/attack.mitre.org/techniques/T1106) which is called from fun
    >e share modules to load additional components or features.>ctions like `LoadLibrary` at run time.(Citation: Microsoft D
     >LL)
    ", + "changelog_mitigations": { + "shared": [ + "M1038: Execution Prevention" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (OS API Execution)", + "DS0011: Module (Module Load)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--92a78814-b191-47ca-909c-1ccfe3777414", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:30:57.201000+00:00", + "modified": "2023-09-27 20:31:36.724000+00:00", + "name": "Software Deployment Tools", + "description": "Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, HBSS, Altiris, etc.). \n\nAccess to a third-party network-wide or enterprise-wide software system may enable an adversary to have remote code execution on all systems that are connected to such a system. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints. Network infrastructure may also have administration tools that can be similarly abused by adversaries. (Citation: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation)\n\nThe permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform it's intended purpose.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "execution" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "lateral-movement" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1072", + "external_id": "T1072" + }, + { + "source_name": "Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation", + "description": "ALEXANDER MARVI, BRAD SLAYBAUGH, DAN EBREO, TUFAIL AHMED, MUHAMMAD UMAIR, TINA JOHNSON. (2023, March 16). Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation. Retrieved May 15, 2023.", + "url": "https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Shane Tully, @securitygypsy", + "Joe Gumke, U.S. Bank" + ], + "x_mitre_data_sources": [ + "Process: Process Creation", + "Application Log: Application Log Content" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Detection methods will vary depending on the type of third-party software or system and how it is typically used. \n\nThe same investigation process can be applied here as with other potentially malicious activities where the distribution vector is initially unknown but the resulting activity follows a discernible pattern. Analyze the process execution trees, historical activities from the third-party application (such as what types of files are usually pushed), and the resulting activities or events from the file/binary/script pushed to systems. \n\nOften these third-party applications will have logs of their own that can be collected and correlated with other data from the environment. Ensure that third-party application logs are on-boarded to the enterprise logging system and the logs are regularly reviewed. Audit software deployment logs and look for suspicious or unauthorized activity. A system not typically used to push software to clients that suddenly is used for such a task outside of a known admin function may be suspicious. Monitor account login activity on these applications to detect suspicious/abnormal usage.\n\nPerform application deployment at regular times so that irregular deployment activity stands out. Monitor process activity that does not correlate to known good software. Monitor account login activity on the deployment system.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows", + "Network" + ], + "x_mitre_remote_support": true, + "x_mitre_version": "2.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"dictionary_item_removed\": {\"root['x_mitre_permissions_required']\": [\"User\", \"Administrator\", \"SYSTEM\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-27 20:31:36.724000+00:00\", \"old_value\": \"2023-03-30 21:01:36.669000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, HBSS, Altiris, etc.). \\n\\nAccess to a third-party network-wide or enterprise-wide software system may enable an adversary to have remote code execution on all systems that are connected to such a system. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints. Network infrastructure may also have administration tools that can be similarly abused by adversaries. (Citation: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation)\\n\\nThe permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform it's intended purpose.\", \"old_value\": \"Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, HBSS, Altiris, etc.).\\n\\nAccess to a third-party network-wide or enterprise-wide software system may enable an adversary to have remote code execution on all systems that are connected to such a system. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints.\\n\\nThe permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform it's intended purpose.\", \"diff\": \"--- \\n+++ \\n@@ -1,5 +1,5 @@\\n-Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, HBSS, Altiris, etc.).\\n+Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, HBSS, Altiris, etc.). \\n \\n-Access to a third-party network-wide or enterprise-wide software system may enable an adversary to have remote code execution on all systems that are connected to such a system. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints.\\n+Access to a third-party network-wide or enterprise-wide software system may enable an adversary to have remote code execution on all systems that are connected to such a system. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints. Network infrastructure may also have administration tools that can be similarly abused by adversaries. (Citation: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation)\\n \\n The permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform it's intended purpose.\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.2\", \"old_value\": \"2.1\"}}, \"iterable_item_added\": {\"root['external_references'][1]\": {\"source_name\": \"Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation\", \"description\": \"ALEXANDER MARVI, BRAD SLAYBAUGH, DAN EBREO, TUFAIL AHMED, MUHAMMAD UMAIR, TINA JOHNSON. (2023, March 16). Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation. Retrieved May 15, 2023.\", \"url\": \"https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem\"}, \"root['x_mitre_contributors'][1]\": \"Joe Gumke, U.S. Bank\", \"root['x_mitre_platforms'][3]\": \"Network\"}}", + "previous_version": "2.1", + "version_change": "2.1 \u2192 2.2", + "description_change_table": "\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n

    		Old Description
    		New Description
    t1Adversaries may gain access to and use third-party software t1Adversaries may gain access to and use third-party software 
    >suites installed within an enterprise network, such as admin>suites installed within an enterprise network, such as admin
    >istration, monitoring, and deployment systems, to move later>istration, monitoring, and deployment systems, to move later
    >ally through the network. Third-party applications and softw>ally through the network. Third-party applications and softw
    >are deployment systems may be in use in the network environm>are deployment systems may be in use in the network environm
    >ent for administration purposes (e.g., SCCM, HBSS, Altiris, >ent for administration purposes (e.g., SCCM, HBSS, Altiris, 
    >etc.).  Access to a third-party network-wide or enterprise-w>etc.).    Access to a third-party network-wide or enterprise
    >ide software system may enable an adversary to have remote c>-wide software system may enable an adversary to have remote
    >ode execution on all systems that are connected to such a sy> code execution on all systems that are connected to such a 
    >stem. The access may be used to laterally move to other syst>system. The access may be used to laterally move to other sy
    >ems, gather information, or cause a specific effect, such as>stems, gather information, or cause a specific effect, such 
    > wiping the hard drives on all endpoints.  The permissions r>as wiping the hard drives on all endpoints. Network infrastr
    >equired for this action vary by system configuration; local >ucture may also have administration tools that can be simila
    >credentials may be sufficient with direct access to the thir>rly abused by adversaries. (Citation: Fortinet Zero-Day and 
    >d-party system, or specific domain credentials may be requir>Custom Malware Used by Suspected Chinese Actor in Espionage 
    >ed. However, the system may require an administrative accoun>Operation)  The permissions required for this action vary by
    >t to log in or to perform it's intended purpose.> system configuration; local credentials may be sufficient w
     >ith direct access to the third-party system, or specific dom
     >ain credentials may be required. However, the system may req
     >uire an administrative account to log in or to perform it's 
     >intended purpose.
    ", + "changelog_mitigations": { + "shared": [ + "M1015: Active Directory Configuration", + "M1017: User Training", + "M1018: User Account Management", + "M1026: Privileged Account Management", + "M1027: Password Policies", + "M1029: Remote Data Storage", + "M1030: Network Segmentation", + "M1032: Multi-factor Authentication", + "M1051: Update Software" + ], + "new": [ + "M1033: Limit Software Installation" + ], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0015: Application Log (Application Log Content)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--c615231b-f253-4f58-9d47-d5b4cbdb6839", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-02-21 21:05:32.844000+00:00", + "modified": "2023-09-15 17:26:02.203000+00:00", + "name": "Install Root Certificate", + "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.(Citation: Wikipedia Root Certificate) Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.\n\nInstallation of a root certificate on a compromised system would give an adversary a way to degrade the security of that system. Adversaries have used this technique to avoid security warnings prompting users when compromised systems connect over HTTPS to adversary controlled web servers that spoof legitimate websites in order to collect login credentials.(Citation: Operation Emmental)\n\nAtypical root certificates have also been pre-installed on systems by the manufacturer or in the software supply chain and were used in conjunction with malware/adware to provide [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) capability for intercepting information transmitted over secure TLS/SSL communications.(Citation: Kaspersky Superfish)\n\nRoot certificates (and their associated chains) can also be cloned and reinstalled. Cloned certificate chains will carry many of the same metadata characteristics of the source and can be used to sign malicious code that may then bypass signature validation tools (ex: Sysinternals, antivirus, etc.) used to block execution and/or uncover artifacts of Persistence.(Citation: SpectorOps Code Signing Dec 2017)\n\nIn macOS, the Ay MaMi malware uses /usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /path/to/malicious/cert to install a malicious certificate as a trusted root certificate into the system keychain.(Citation: objective-see ay mami 2018)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1553/004", + "external_id": "T1553.004" + }, + { + "source_name": "SpectorOps Code Signing Dec 2017", + "description": "Graeber, M. (2017, December 22). Code Signing Certificate Cloning Attacks and Defenses. Retrieved April 3, 2018.", + "url": "https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec" + }, + { + "source_name": "Kaspersky Superfish", + "description": "Onuma. (2015, February 24). Superfish: Adware Preinstalled on Lenovo Laptops. Retrieved February 20, 2017.", + "url": "https://www.kaspersky.com/blog/lenovo-pc-with-adware-superfish-preinstalled/7712/" + }, + { + "source_name": "objective-see ay mami 2018", + "description": "Patrick Wardle. (2018, January 11). Ay MaMi. Retrieved March 19, 2018.", + "url": "https://objective-see.com/blog/blog_0x26.html" + }, + { + "source_name": "Microsoft Sigcheck May 2017", + "description": "Russinovich, M. et al.. (2017, May 22). Sigcheck. Retrieved April 3, 2018.", + "url": "https://docs.microsoft.com/sysinternals/downloads/sigcheck" + }, + { + "source_name": "Operation Emmental", + "description": "Sancho, D., Hacquebord, F., Link, R. (2014, July 22). Finding Holes Operation Emmental. Retrieved February 9, 2016.", + "url": "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-finding-holes-operation-emmental.pdf" + }, + { + "source_name": "Tripwire AppUNBlocker", + "description": "Smith, T. (2016, October 27). AppUNBlocker: Bypassing AppLocker. Retrieved December 19, 2017.", + "url": "https://www.tripwire.com/state-of-security/off-topic/appunblocker-bypassing-applocker/" + }, + { + "source_name": "Wikipedia Root Certificate", + "description": "Wikipedia. (2016, December 6). Root certificate. Retrieved February 20, 2017.", + "url": "https://en.wikipedia.org/wiki/Root_certificate" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Matt Graeber, @mattifestation, SpecterOps", + "Red Canary", + "Travis Smith, Tripwire", + "Itzik Kotler, SafeBreach" + ], + "x_mitre_data_sources": [ + "Command: Command Execution", + "Process: Process Creation", + "Windows Registry: Windows Registry Key Modification", + "Windows Registry: Windows Registry Key Creation" + ], + "x_mitre_defense_bypassed": [ + "Digital Certificate Validation" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "A system's root certificates are unlikely to change frequently. Monitor new certificates installed on a system that could be due to malicious activity.(Citation: SpectorOps Code Signing Dec 2017) Check pre-installed certificates on new systems to ensure unnecessary or suspicious certificates are not present. Microsoft provides a list of trustworthy root certificates online and through authroot.stl.(Citation: SpectorOps Code Signing Dec 2017) The Sysinternals Sigcheck utility can also be used (sigcheck[64].exe -tuv) to dump the contents of the certificate store and list valid certificates not rooted to the Microsoft Certificate Trust List.(Citation: Microsoft Sigcheck May 2017)\n\nInstalled root certificates are located in the Registry under HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Root\\Certificates\\ and [HKLM or HKCU]\\Software[\\Policies\\]\\Microsoft\\SystemCertificates\\Root\\Certificates\\. There are a subset of root certificates that are consistent across Windows systems and can be used for comparison:(Citation: Tripwire AppUNBlocker)\n\n* 18F7C1FCC3090203FD5BAA2F861A754976C8DD25\n* 245C97DF7514E7CF2DF8BE72AE957B9E04741E85\n* 3B1EFD3A66EA28B16697394703A72CA340A05BD5\n* 7F88CD7223F3C813818C994614A89C99FA3B5247\n* 8F43288AD272F3103B6FB1428485EA3014C0BCFE\n* A43489159A520F0D93D032CCAF37E7FE20A8B419\n* BE36A4562FB2EE05DBB3D32323ADF445084ED656\n* CDD4EEAE6000AC7F40C3802C171E30148030C072", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"dictionary_item_removed\": {\"root['x_mitre_permissions_required']\": [\"Administrator\", \"User\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-15 17:26:02.203000+00:00\", \"old_value\": \"2023-03-30 21:01:45.661000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}}", + "previous_version": "1.1", + "version_change": "1.1 \u2192 1.2", + "changelog_mitigations": { + "shared": [ + "M1028: Operating System Configuration", + "M1054: Software Configuration" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0017: Command (Command Execution)", + "DS0024: Windows Registry (Windows Registry Key Creation)", + "DS0024: Windows Registry (Windows Registry Key Modification)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-01-23 18:03:46.248000+00:00", + "modified": "2023-08-14 15:35:28.965000+00:00", + "name": "Rundll32", + "description": "Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. [Shared Modules](https://attack.mitre.org/techniques/T1129)), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: rundll32.exe {DLLname, DLLfunction}).\n\nRundll32.exe can also be used to execute [Control Panel](https://attack.mitre.org/techniques/T1218/002) Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute. (Citation: Trend Micro CPL)\n\nRundll32 can also be used to execute scripts such as JavaScript. This can be done using a syntax similar to this: rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();GetObject(\"script:https[:]//www[.]example[.]com/malicious.sct\")\" This behavior has been seen used by malware such as Poweliks. (Citation: This is Security Command Line Confusion)\n\nAdversaries may also attempt to obscure malicious code from analysis by abusing the manner in which rundll32.exe loads DLL function names. As part of Windows compatibility support for various character sets, rundll32.exe will first check for wide/Unicode then ANSI character-supported functions before loading the specified function (e.g., given the command rundll32.exe ExampleDLL.dll, ExampleFunction, rundll32.exe would first attempt to execute ExampleFunctionW, or failing that ExampleFunctionA, before loading ExampleFunction). Adversaries may therefore obscure malicious code by creating multiple identical exported function names and appending W and/or A to harmless ones.(Citation: Attackify Rundll32.exe Obscurity)(Citation: Github NoRunDll) DLL functions can also be exported and executed by an ordinal number (ex: rundll32.exe file.dll,#1).\n\nAdditionally, adversaries may use [Masquerading](https://attack.mitre.org/techniques/T1036) techniques (such as changing DLL file names, file extensions, or function names) to further conceal execution of a malicious payload.(Citation: rundll32.exe defense evasion) ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1218/011", + "external_id": "T1218.011" + }, + { + "source_name": "rundll32.exe defense evasion", + "description": "Ariel silver. (2022, February 1). Defense Evasion Techniques. Retrieved April 8, 2022.", + "url": "https://www.cynet.com/attack-techniques-hands-on/defense-evasion-techniques/" + }, + { + "source_name": "Attackify Rundll32.exe Obscurity", + "description": "Attackify. (n.d.). Rundll32.exe Obscurity. Retrieved August 23, 2021.", + "url": "https://www.attackify.com/blog/rundll32_execution_order/" + }, + { + "source_name": "This is Security Command Line Confusion", + "description": "B. Ancel. (2014, August 20). Poweliks \u2013 Command Line Confusion. Retrieved March 5, 2018.", + "url": "https://thisissecurity.stormshield.com/2014/08/20/poweliks-command-line-confusion/" + }, + { + "source_name": "Github NoRunDll", + "description": "gtworek. (2019, December 17). NoRunDll. Retrieved August 23, 2021.", + "url": "https://github.com/gtworek/PSBits/tree/master/NoRunDll" + }, + { + "source_name": "Trend Micro CPL", + "description": "Merces, F. (2014). CPL Malware Malicious Control Panel Items. Retrieved November 1, 2017.", + "url": "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Gareth Phillips, Seek Ltd.", + "Casey Smith", + "Ricardo Dias", + "James_inthe_box, Me" + ], + "x_mitre_data_sources": [ + "Process: Process Creation", + "Command: Command Execution", + "File: File Metadata", + "Module: Module Load" + ], + "x_mitre_defense_bypassed": [ + "Digital Certificate Validation", + "Application control", + "Anti-virus" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Use process monitoring to monitor the execution and arguments of rundll32.exe. Compare recent invocations of rundll32.exe with prior history of known good arguments and loaded DLLs to determine anomalous and potentially adversarial activity.\n\nCommand arguments used with the rundll32.exe invocation may also be useful in determining the origin and purpose of the DLL being loaded. Analyzing DLL exports and comparing to runtime arguments may be useful in uncovering obfuscated function calls.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "2.2", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-14 15:35:28.965000+00:00\", \"old_value\": \"2023-04-21 12:25:32.096000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.2\", \"old_value\": \"2.1\"}}}", + "previous_version": "2.1", + "version_change": "2.1 \u2192 2.2", + "changelog_mitigations": { + "shared": [ + "M1050: Exploit Protection" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0011: Module (Module Load)", + "DS0017: Command (Command Execution)", + "DS0022: File (File Metadata)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:30:27.342000+00:00", + "modified": "2023-07-28 14:40:54.580000+00:00", + "name": "System Network Configuration Discovery", + "description": "Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include [Arp](https://attack.mitre.org/software/S0099), [ipconfig](https://attack.mitre.org/software/S0100)/[ifconfig](https://attack.mitre.org/software/S0101), [nbtstat](https://attack.mitre.org/software/S0102), and [route](https://attack.mitre.org/software/S0103).\n\nAdversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to gather information about configurations and settings, such as IP addresses of configured interfaces and static/dynamic routes (e.g. show ip route, show ip interface).(Citation: US-CERT-TA18-106A)(Citation: Mandiant APT41 Global Intrusion )\n\nAdversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1016) during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "discovery" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1016", + "external_id": "T1016" + }, + { + "source_name": "Mandiant APT41 Global Intrusion ", + "description": "Gyler, C.,Perez D.,Jones, S.,Miller, S.. (2021, February 25). This is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved February 17, 2022.", + "url": "https://www.mandiant.com/resources/apt41-initiates-global-intrusion-campaign-using-multiple-exploits" + }, + { + "source_name": "US-CERT-TA18-106A", + "description": "US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.", + "url": "https://www.us-cert.gov/ncas/alerts/TA18-106A" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Austin Clark, @c2defense" + ], + "x_mitre_data_sources": [ + "Command: Command Execution", + "Script: Script Execution", + "Process: Process Creation", + "Process: OS API Execution" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Further, {{LinkById|T1059.008} commands may also be used to gather system and network information with built-in features native to the network device platform. Monitor CLI activity for unexpected or unauthorized use commands being run by non-standard users from non-standard locations. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows", + "Network" + ], + "x_mitre_version": "1.6", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-07-28 14:40:54.580000+00:00\", \"old_value\": \"2023-03-30 21:01:38.842000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.6\", \"old_value\": \"1.5\"}}}", + "previous_version": "1.5", + "version_change": "1.5 \u2192 1.6", + "changelog_mitigations": { + "shared": [], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (OS API Execution)", + "DS0009: Process (Process Creation)", + "DS0012: Script (Script Execution)", + "DS0017: Command (Command Execution)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:30:35.733000+00:00", + "modified": "2023-09-29 19:50:06.736000+00:00", + "name": "System Owner/User Discovery", + "description": "Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nVarious utilities and commands may acquire this information, including whoami. In macOS and Linux, the currently logged in user can be identified with w and who. On macOS the dscl . list /Users | grep -v '_' command can also be used to enumerate user accounts. Environment variables, such as %USERNAME% and $USER, may also be used to access this information.\n\nOn network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show users` and `show ssh` can be used to display users currently logged into the device.(Citation: show_ssh_users_cmd_cisco)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "discovery" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1033", + "external_id": "T1033" + }, + { + "source_name": "show_ssh_users_cmd_cisco", + "description": "Cisco. (2023, March 7). Cisco IOS Security Command Reference: Commands S to Z . Retrieved July 13, 2022.", + "url": "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-s5.html" + }, + { + "source_name": "US-CERT TA18-106A Network Infrastructure Devices 2018", + "description": "US-CERT. (2018, April 20). Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.", + "url": "https://us-cert.cisa.gov/ncas/alerts/TA18-106A" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Austin Clark, @c2defense" + ], + "x_mitre_data_sources": [ + "Active Directory: Active Directory Object Access", + "Process: OS API Execution", + "Command: Command Execution", + "Network Traffic: Network Traffic Content", + "Process: Process Creation", + "Network Traffic: Network Traffic Flow", + "Windows Registry: Windows Registry Key Access", + "File: File Access", + "Process: Process Access" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "`System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\n\nFor network infrastructure devices, collect AAA logging to monitor `show` commands being run by non-standard users from non-standard locations.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows", + "Network" + ], + "x_mitre_version": "1.5", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-29 19:50:06.736000+00:00\", \"old_value\": \"2023-04-12 23:35:40.261000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.5\", \"old_value\": \"1.4\"}}}", + "previous_version": "1.4", + "version_change": "1.4 \u2192 1.5", + "changelog_mitigations": { + "shared": [], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (OS API Execution)", + "DS0009: Process (Process Access)", + "DS0009: Process (Process Creation)", + "DS0017: Command (Command Execution)", + "DS0022: File (File Access)", + "DS0024: Windows Registry (Windows Registry Key Access)", + "DS0026: Active Directory (Active Directory Object Access)", + "DS0029: Network Traffic (Network Traffic Content)", + "DS0029: Network Traffic (Network Traffic Flow)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--f1951e8a-500e-4a26-8803-76d95c4554b4", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-03-10 18:33:36.159000+00:00", + "modified": "2023-08-14 15:53:00.999000+00:00", + "name": "Service Execution", + "description": "Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (services.exe) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as sc.exe and [Net](https://attack.mitre.org/software/S0039).\n\n[PsExec](https://attack.mitre.org/software/S0029) can also be used to execute commands or payloads via a temporary Windows service created through the service control manager API.(Citation: Russinovich Sysinternals) Tools such as [PsExec](https://attack.mitre.org/software/S0029) and sc.exe can accept remote servers as arguments and may be used to conduct remote execution.\n\nAdversaries may leverage these mechanisms to execute malicious content. This can be done by either executing a new or modified service. This technique is the execution used in conjunction with [Windows Service](https://attack.mitre.org/techniques/T1543/003) during service persistence or privilege escalation.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "execution" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1569/002", + "external_id": "T1569.002" + }, + { + "source_name": "Microsoft Service Control Manager", + "description": "Microsoft. (2018, May 31). Service Control Manager. Retrieved March 28, 2020.", + "url": "https://docs.microsoft.com/windows/win32/services/service-control-manager" + }, + { + "source_name": "Russinovich Sysinternals", + "description": "Russinovich, M. (2014, May 2). Windows Sysinternals PsExec v2.11. Retrieved May 13, 2015.", + "url": "https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_data_sources": [ + "Windows Registry: Windows Registry Key Modification", + "Network Traffic: Network Traffic Flow", + "Service: Service Creation", + "Process: Process Creation", + "Command: Command Execution" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Changes to service Registry entries and command line invocation of tools capable of modifying services that do not correlate with known software, patch cycles, etc., may be suspicious. If a service is used only to execute a binary or script and not to persist, then it will likely be changed back to its original form shortly after the service is restarted so the service is not left broken, as is the case with the common administrator tool [PsExec](https://attack.mitre.org/software/S0029).", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_remote_support": true, + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_attack_spec_version']\": \"3.1.0\", \"root['x_mitre_deprecated']\": false}, \"dictionary_item_removed\": {\"root['x_mitre_permissions_required']\": [\"Administrator\", \"SYSTEM\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-14 15:53:00.999000+00:00\", \"old_value\": \"2021-08-30 17:42:40.945000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}, \"iterable_item_added\": {\"root['x_mitre_data_sources'][1]\": \"Network Traffic: Network Traffic Flow\"}}", + "previous_version": "1.1", + "version_change": "1.1 \u2192 1.2", + "changelog_mitigations": { + "shared": [ + "M1022: Restrict File and Directory Permissions", + "M1026: Privileged Account Management", + "M1040: Behavior Prevention on Endpoint" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0017: Command (Command Execution)", + "DS0019: Service (Service Creation)", + "DS0024: Windows Registry (Windows Registry Key Modification)" + ], + "new": [ + "DS0029: Network Traffic (Network Traffic Flow)" + ], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--246fd3c7-f5e3-466d-8787-4c13d9e3b61c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:31:01.759000+00:00", + "modified": "2023-05-31 12:33:20.915000+00:00", + "name": "Taint Shared Content", + "description": "\nAdversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.\n\nA directory share pivot is a variation on this technique that uses several other techniques to propagate malware when users access a shared network directory. It uses [Shortcut Modification](https://attack.mitre.org/techniques/T1547/009) of directory .LNK files that use [Masquerading](https://attack.mitre.org/techniques/T1036) to look like the real directories, which are hidden through [Hidden Files and Directories](https://attack.mitre.org/techniques/T1564/001). The malicious .LNK-based directories have an embedded command that executes the hidden malware file in the directory and then opens the real intended directory so that the user's expected action still occurs. When used with frequently used network directories, the technique may result in frequent reinfections and broad access to systems and potentially to new and higher privileged accounts. (Citation: Retwin Directory Share Pivot)\n\nAdversaries may also compromise shared network directories through binary infections by appending or prepending its code to the healthy binary on the shared network directory. The malware may modify the original entry point (OEP) of the healthy binary to ensure that it is executed before the legitimate code. The infection could continue to spread via the newly infected file when it is executed by a remote system. These infections may target both binary and non-binary formats that end with extensions including, but not limited to, .EXE, .DLL, .SCR, .BAT, and/or .VBS.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "lateral-movement" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1080", + "external_id": "T1080" + }, + { + "source_name": "Retwin Directory Share Pivot", + "description": "Routin, D. (2017, November 13). Abusing network shares for efficient lateral movements and privesc (DirSharePivot). Retrieved April 12, 2018.", + "url": "https://rewtin.blogspot.ch/2017/11/abusing-user-shares-for-efficient.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Michal Dida, ESET", + "David Routin" + ], + "x_mitre_data_sources": [ + "Network Share: Network Share Access", + "Process: Process Creation", + "File: File Modification", + "File: File Creation" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Processes that write or overwrite many files to a network shared directory may be suspicious. Monitor processes that are executed from removable media for malicious or abnormal activity such as network connections due to Command and Control and possible network Discovery techniques.\n\nFrequently scan shared network directories for malicious files, hidden files, .LNK files, and other file types that may not typical exist in directories used to share specific types of content.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "Office 365", + "SaaS", + "Linux", + "macOS" + ], + "x_mitre_system_requirements": [ + "Access to shared folders and content with write permissions" + ], + "x_mitre_version": "1.4", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"dictionary_item_removed\": {\"root['x_mitre_permissions_required']\": [\"User\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-05-31 12:33:20.915000+00:00\", \"old_value\": \"2023-03-30 21:01:36.145000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.4\", \"old_value\": \"1.3\"}}}", + "previous_version": "1.3", + "version_change": "1.3 \u2192 1.4", + "changelog_mitigations": { + "shared": [ + "M1022: Restrict File and Directory Permissions", + "M1038: Execution Prevention", + "M1050: Exploit Protection" + ], + "new": [ + "M1049: Antivirus/Antimalware" + ], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0022: File (File Creation)", + "DS0022: File (File Modification)", + "DS0033: Network Share (Network Share Access)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--c92e3d68-2349-49e4-a341-7edca2deff96", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-03-27 21:50:26.042000+00:00", + "modified": "2023-08-14 19:23:58.317000+00:00", + "name": "MSBuild", + "description": "Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.(Citation: MSDN MSBuild)\n\nAdversaries can abuse MSBuild to proxy execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# or Visual Basic code to be inserted into an XML project file.(Citation: MSDN MSBuild)(Citation: Microsoft MSBuild Inline Tasks 2017) MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application control defenses that are configured to allow MSBuild.exe execution.(Citation: LOLBAS Msbuild)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1127/001", + "external_id": "T1127.001" + }, + { + "source_name": "LOLBAS Msbuild", + "description": "LOLBAS. (n.d.). Msbuild.exe. Retrieved July 31, 2019.", + "url": "https://lolbas-project.github.io/lolbas/Binaries/Msbuild/" + }, + { + "source_name": "Microsoft MSBuild Inline Tasks 2017", + "description": "Microsoft. (2017, September 21). MSBuild inline tasks. Retrieved March 5, 2021.", + "url": "https://docs.microsoft.com/en-us/visualstudio/msbuild/msbuild-inline-tasks?view=vs-2019#code-element" + }, + { + "source_name": "MSDN MSBuild", + "description": "Microsoft. (n.d.). MSBuild1. Retrieved November 30, 2016.", + "url": "https://msdn.microsoft.com/library/dd393574.aspx" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "@ionstorm", + "Carrie Roberts, @OrOneEqualsOne" + ], + "x_mitre_data_sources": [ + "Command: Command Execution", + "Process: Process Creation" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Use process monitoring to monitor the execution and arguments of MSBuild.exe. Compare recent invocations of those binaries with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity. Command arguments used before and after invocation of the utilities may also be useful in determining the origin and purpose of the binary being executed.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_system_requirements": [ + ".NET Framework version 4 or higher" + ], + "x_mitre_version": "1.3", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_attack_spec_version']\": \"3.1.0\", \"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-14 19:23:58.317000+00:00\", \"old_value\": \"2021-10-15 23:57:07.973000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.3\", \"old_value\": \"1.2\"}}}", + "previous_version": "1.2", + "version_change": "1.2 \u2192 1.3", + "changelog_mitigations": { + "shared": [ + "M1038: Execution Prevention", + "M1042: Disable or Remove Feature or Program" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0017: Command (Command Execution)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--837f9164-50af-4ac0-8219-379d8a74cefc", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-02-04 12:52:13.006000+00:00", + "modified": "2023-08-23 22:24:50.812000+00:00", + "name": "Credentials In Files", + "description": "Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.\n\nIt is possible to extract passwords from backups or saved virtual machines through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). (Citation: CG 2014) Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller. (Citation: SRD GPP)\n\nIn cloud and/or containerized environments, authenticated user and service account credentials are often stored in local configuration and credential files.(Citation: Unit 42 Hildegard Malware) They may also be found as parameters to deployment commands in container logs.(Citation: Unit 42 Unsecured Docker Daemons) In some cases, these files can be copied and reused on another machine or the contents can be read and then used to authenticate without needing to copy any files.(Citation: Specter Ops - Cloud Credential Storage)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "credential-access" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1552/001", + "external_id": "T1552.001" + }, + { + "source_name": "CG 2014", + "description": "CG. (2014, May 20). Mimikatz Against Virtual Machine Memory Part 1. Retrieved November 12, 2014.", + "url": "http://carnal0wnage.attackresearch.com/2014/05/mimikatz-against-virtual-machine-memory.html" + }, + { + "source_name": "Unit 42 Hildegard Malware", + "description": "Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.", + "url": "https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/" + }, + { + "source_name": "Unit 42 Unsecured Docker Daemons", + "description": "Chen, J.. (2020, January 29). Attacker's Tactics and Techniques in Unsecured Docker Daemons Revealed. Retrieved March 31, 2021.", + "url": "https://unit42.paloaltonetworks.com/attackers-tactics-and-techniques-in-unsecured-docker-daemons-revealed/" + }, + { + "source_name": "Specter Ops - Cloud Credential Storage", + "description": "Maddalena, C.. (2018, September 12). Head in the Clouds. Retrieved October 4, 2019.", + "url": "https://posts.specterops.io/head-in-the-clouds-bd038bb69e48" + }, + { + "source_name": "SRD GPP", + "description": "Security Research and Defense. (2014, May 13). MS14-025: An Update for Group Policy Preferences. Retrieved January 28, 2015.", + "url": "http://blogs.technet.com/b/srd/archive/2014/05/13/ms14-025-an-update-for-group-policy-preferences.aspx" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Rory McCune, Aqua Security", + "Jay Chen, Palo Alto Networks", + "Yossi Weizman, Azure Defender Research Team", + "Vishwas Manral, McAfee", + "Microsoft Threat Intelligence Center (MSTIC)" + ], + "x_mitre_data_sources": [ + "Command: Command Execution", + "Process: Process Creation", + "File: File Access" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "While detecting adversaries accessing these files may be difficult without knowing they exist in the first place, it may be possible to detect adversary use of credentials they have obtained. Monitor the command-line arguments of executing processes for suspicious words or regular expressions that may indicate searching for a password (for example: password, pwd, login, secure, or credentials). See [Valid Accounts](https://attack.mitre.org/techniques/T1078) for more information.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "IaaS", + "Linux", + "macOS", + "Containers" + ], + "x_mitre_system_requirements": [ + "Access to files" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"dictionary_item_removed\": {\"root['x_mitre_permissions_required']\": [\"Administrator\", \"SYSTEM\", \"User\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-23 22:24:50.812000+00:00\", \"old_value\": \"2023-03-30 21:01:44.951000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}, \"iterable_item_added\": {\"root['x_mitre_data_sources'][1]\": \"Process: Process Creation\"}}", + "previous_version": "1.1", + "version_change": "1.1 \u2192 1.2", + "changelog_mitigations": { + "shared": [ + "M1017: User Training", + "M1022: Restrict File and Directory Permissions", + "M1027: Password Policies", + "M1047: Audit" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0017: Command (Command Execution)", + "DS0022: File (File Access)" + ], + "new": [ + "DS0009: Process (Process Creation)" + ], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--341e222a-a6e3-4f6f-b69c-831d792b1580", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-02-04 12:58:40.678000+00:00", + "modified": "2023-07-28 18:29:56.525000+00:00", + "name": "Credentials in Registry", + "description": "Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.\n\nExample commands to find Registry keys related to password information: (Citation: Pentestlab Stored Credentials)\n\n* Local Machine Hive: reg query HKLM /f password /t REG_SZ /s\n* Current User Hive: reg query HKCU /f password /t REG_SZ /s", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "credential-access" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1552/002", + "external_id": "T1552.002" + }, + { + "source_name": "Pentestlab Stored Credentials", + "description": "netbiosX. (2017, April 19). Stored Credentials. Retrieved April 6, 2018.", + "url": "https://pentestlab.blog/2017/04/19/stored-credentials/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Sudhanshu Chauhan, @Sudhanshu_C" + ], + "x_mitre_data_sources": [ + "Process: Process Creation", + "Command: Command Execution", + "Windows Registry: Windows Registry Key Access" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor processes for applications that can be used to query the Registry, such as [Reg](https://attack.mitre.org/software/S0075), and collect command parameters that may indicate credentials are being searched. Correlate activity with related suspicious behavior that may indicate an active intrusion to reduce false positives.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_system_requirements": [ + "Ability to query some Registry locations depends on the adversary's level of access. User permissions are usually limited to access of user-related Registry keys." + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_attack_spec_version']\": \"3.1.0\", \"root['x_mitre_deprecated']\": false}, \"dictionary_item_removed\": {\"root['x_mitre_permissions_required']\": [\"Administrator\", \"User\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-07-28 18:29:56.525000+00:00\", \"old_value\": \"2020-02-07 20:49:18.834000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}}", + "previous_version": "1.0", + "version_change": "1.0 \u2192 1.1", + "changelog_mitigations": { + "shared": [ + "M1026: Privileged Account Management", + "M1027: Password Policies", + "M1047: Audit" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0017: Command (Command Execution)", + "DS0024: Windows Registry (Windows Registry Key Access)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--e624264c-033a-424d-9fd7-fc9c3bbdb03e", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-01-30 16:36:51.184000+00:00", + "modified": "2023-07-28 18:24:16.246000+00:00", + "name": "Pass the Hash", + "description": "Adversaries may \u201cpass the hash\u201d using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash.\n\nWhen performing PtH, valid password hashes for the account being used are captured using a [Credential Access](https://attack.mitre.org/tactics/TA0006) technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems.\n\nAdversaries may also use stolen password hashes to \"overpass the hash.\" Similar to PtH, this involves using a password hash to authenticate as a user but also uses the password hash to create a valid Kerberos ticket. This ticket can then be used to perform [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003) attacks.(Citation: Stealthbits Overpass-the-Hash)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "lateral-movement" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1550/002", + "external_id": "T1550.002" + }, + { + "source_name": "Stealthbits Overpass-the-Hash", + "description": "Warren, J. (2019, February 26). How to Detect Overpass-the-Hash Attacks. Retrieved February 4, 2021.", + "url": "https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Blake Strom, Microsoft 365 Defender", + "Travis Smith, Tripwire" + ], + "x_mitre_data_sources": [ + "Logon Session: Logon Session Creation", + "Active Directory: Active Directory Credential Request", + "User Account: User Account Authentication" + ], + "x_mitre_defense_bypassed": [ + "System Access Controls" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Audit all logon and credential use events and review for discrepancies. Unusual remote logins that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity. NTLM LogonType 3 authentications that are not associated to a domain login and are not anonymous logins are suspicious.\n\nEvent ID 4768 and 4769 will also be generated on the Domain Controller when a user requests a new ticket granting ticket or service ticket. These events combined with the above activity may be indicative of an overpass the hash attempt.(Citation: Stealthbits Overpass-the-Hash)", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-07-28 18:24:16.246000+00:00\", \"old_value\": \"2023-03-30 21:01:45.141000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}}", + "previous_version": "1.1", + "version_change": "1.1 \u2192 1.2", + "changelog_mitigations": { + "shared": [ + "M1018: User Account Management", + "M1026: Privileged Account Management", + "M1051: Update Software", + "M1052: User Account Control" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0002: User Account (User Account Authentication)", + "DS0026: Active Directory (Active Directory Credential Request)", + "DS0028: Logon Session (Logon Session Creation)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--f232fa7a-025c-4d43-abc7-318e81a73d65", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-03-13 20:36:57.378000+00:00", + "modified": "2023-10-16 17:25:38.546000+00:00", + "name": "Cloud Accounts", + "description": "Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud or be hybrid joined between on-premises systems and the cloud through federation with other identity sources such as Windows Active Directory. (Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation)\n\nService or user accounts may be targeted by adversaries through [Brute Force](https://attack.mitre.org/techniques/T1110), [Phishing](https://attack.mitre.org/techniques/T1566), or various other means to gain access to the environment. Federated accounts may be a pathway for the adversary to affect both on-premises systems and cloud environments.\n\nAn adversary may create long lasting [Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) on a compromised cloud account to maintain persistence in the environment. Such credentials may also be used to bypass security controls such as multi-factor authentication. \n\nCloud accounts may also be able to assume [Temporary Elevated Cloud Access](https://attack.mitre.org/techniques/T1548/005) or other privileges through various means within the environment. Misconfigurations in role assignments or role assumption policies may allow an adversary to use these mechanisms to leverage permissions outside the intended scope of the account. Such over privileged accounts may be used to harvest sensitive data from online storage accounts and databases through [Cloud API](https://attack.mitre.org/techniques/T1059/009) or other methods. \n", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "initial-access" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1078/004", + "external_id": "T1078.004" + }, + { + "source_name": "AWS Identity Federation", + "description": "Amazon. (n.d.). Identity Federation in AWS. Retrieved March 13, 2020.", + "url": "https://aws.amazon.com/identity/federation/" + }, + { + "source_name": "Google Federating GC", + "description": "Google. (n.d.). Federating Google Cloud with Active Directory. Retrieved March 13, 2020.", + "url": "https://cloud.google.com/solutions/federating-gcp-with-active-directory-introduction" + }, + { + "source_name": "Microsoft Deploying AD Federation", + "description": "Microsoft. (n.d.). Deploying Active Directory Federation Services in Azure. Retrieved March 13, 2020.", + "url": "https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Jon Sternstein, Stern Security" + ], + "x_mitre_data_sources": [ + "User Account: User Account Authentication", + "Logon Session: Logon Session Metadata", + "Logon Session: Logon Session Creation" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor the activity of cloud accounts to detect abnormal or malicious behavior, such as accessing information outside of the normal function of the account or account usage at atypical hours.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_permissions_required": [ + "User", + "Administrator" + ], + "x_mitre_platforms": [ + "Azure AD", + "Office 365", + "SaaS", + "IaaS", + "Google Workspace" + ], + "x_mitre_version": "1.6", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-16 17:25:38.546000+00:00\", \"old_value\": \"2023-03-21 13:17:14.441000+00:00\"}, \"root['description']\": {\"new_value\": \"Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud or be hybrid joined between on-premises systems and the cloud through federation with other identity sources such as Windows Active Directory. (Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation)\\n\\nService or user accounts may be targeted by adversaries through [Brute Force](https://attack.mitre.org/techniques/T1110), [Phishing](https://attack.mitre.org/techniques/T1566), or various other means to gain access to the environment. Federated accounts may be a pathway for the adversary to affect both on-premises systems and cloud environments.\\n\\nAn adversary may create long lasting [Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) on a compromised cloud account to maintain persistence in the environment. Such credentials may also be used to bypass security controls such as multi-factor authentication. \\n\\nCloud accounts may also be able to assume [Temporary Elevated Cloud Access](https://attack.mitre.org/techniques/T1548/005) or other privileges through various means within the environment. Misconfigurations in role assignments or role assumption policies may allow an adversary to use these mechanisms to leverage permissions outside the intended scope of the account. Such over privileged accounts may be used to harvest sensitive data from online storage accounts and databases through [Cloud API](https://attack.mitre.org/techniques/T1059/009) or other methods. \\n\", \"old_value\": \"Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management systems, such as Windows Active Directory.(Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation)\\n\\nCompromised credentials for cloud accounts can be used to harvest sensitive data from online storage accounts and databases. Access to cloud accounts can also be abused to gain Initial Access to a network by abusing a [Trusted Relationship](https://attack.mitre.org/techniques/T1199). Similar to [Domain Accounts](https://attack.mitre.org/techniques/T1078/002), compromise of federated cloud accounts may allow adversaries to more easily move laterally within an environment.\\n\\nOnce a cloud account is compromised, an adversary may perform [Account Manipulation](https://attack.mitre.org/techniques/T1098) - for example, by adding [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003) - to maintain persistence and potentially escalate their privileges.\", \"diff\": \"--- \\n+++ \\n@@ -1,5 +1,7 @@\\n-Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management systems, such as Windows Active Directory.(Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation)\\n+Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud or be hybrid joined between on-premises systems and the cloud through federation with other identity sources such as Windows Active Directory. (Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation)\\n \\n-Compromised credentials for cloud accounts can be used to harvest sensitive data from online storage accounts and databases. Access to cloud accounts can also be abused to gain Initial Access to a network by abusing a [Trusted Relationship](https://attack.mitre.org/techniques/T1199). Similar to [Domain Accounts](https://attack.mitre.org/techniques/T1078/002), compromise of federated cloud accounts may allow adversaries to more easily move laterally within an environment.\\n+Service or user accounts may be targeted by adversaries through [Brute Force](https://attack.mitre.org/techniques/T1110), [Phishing](https://attack.mitre.org/techniques/T1566), or various other means to gain access to the environment. Federated accounts may be a pathway for the adversary to affect both on-premises systems and cloud environments.\\n \\n-Once a cloud account is compromised, an adversary may perform [Account Manipulation](https://attack.mitre.org/techniques/T1098) - for example, by adding [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003) - to maintain persistence and potentially escalate their privileges.\\n+An adversary may create long lasting [Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) on a compromised cloud account to maintain persistence in the environment. Such credentials may also be used to bypass security controls such as multi-factor authentication. \\n+\\n+Cloud accounts may also be able to assume [Temporary Elevated Cloud Access](https://attack.mitre.org/techniques/T1548/005) or other privileges through various means within the environment. Misconfigurations in role assignments or role assumption policies may allow an adversary to use these mechanisms to leverage permissions outside the intended scope of the account. Such over privileged accounts may be used to harvest sensitive data from online storage accounts and databases through [Cloud API](https://attack.mitre.org/techniques/T1059/009) or other methods. \"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.6\", \"old_value\": \"1.5\"}}}", + "previous_version": "1.5", + "version_change": "1.5 \u2192 1.6", + "description_change_table": "\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n

    		Old Description
    		New Description
    t1Adversaries may obtain and abuse credentials of a cloud accot1Valid accounts in cloud environments may allow adversaries t
    >unt as a means of gaining Initial Access, Persistence, Privi>o perform actions to achieve Initial Access, Persistence, Pr
    >lege Escalation, or Defense Evasion. Cloud accounts are thos>ivilege Escalation, or Defense Evasion. Cloud accounts are t
    >e created and configured by an organization for use by users>hose created and configured by an organization for use by us
    >, remote support, services, or for administration of resourc>ers, remote support, services, or for administration of reso
    >es within a cloud service provider or SaaS application. In s>urces within a cloud service provider or SaaS application. C
    >ome cases, cloud accounts may be federated with traditional >loud Accounts can exist solely in the cloud or be hybrid joi
    >identity management systems, such as Windows Active Director>ned between on-premises systems and the cloud through federa
    >y.(Citation: AWS Identity Federation)(Citation: Google Feder>tion with other identity sources such as Windows Active Dire
    >ating GC)(Citation: Microsoft Deploying AD Federation)  Comp>ctory. (Citation: AWS Identity Federation)(Citation: Google 
    >romised credentials for cloud accounts can be used to harves>Federating GC)(Citation: Microsoft Deploying AD Federation) 
    >t sensitive data from online storage accounts and databases.> Service or user accounts may be targeted by adversaries thr
    > Access to cloud accounts can also be abused to gain Initial>ough [Brute Force](https://attack.mitre.org/techniques/T1110
    > Access to a network by abusing a [Trusted Relationship](htt>), [Phishing](https://attack.mitre.org/techniques/T1566), or
    >ps://attack.mitre.org/techniques/T1199). Similar to [Domain > various other means to gain access to the environment. Fede
    >Accounts](https://attack.mitre.org/techniques/T1078/002), co>rated accounts may be a pathway for the adversary to affect 
    >mpromise of federated cloud accounts may allow adversaries t>both on-premises systems and cloud environments.  An adversa
    >o more easily move laterally within an environment.  Once a >ry may create long lasting [Additional Cloud Credentials](ht
    >cloud account is compromised, an adversary may perform [Acco>tps://attack.mitre.org/techniques/T1098/001) on a compromise
    >unt Manipulation](https://attack.mitre.org/techniques/T1098)>d cloud account to maintain persistence in the environment. 
    > - for example, by adding [Additional Cloud Roles](https://a>Such credentials may also be used to bypass security control
    >ttack.mitre.org/techniques/T1098/003) - to maintain persiste>s such as multi-factor authentication.   Cloud accounts may 
    >nce and potentially escalate their privileges.>also be able to assume [Temporary Elevated Cloud Access](htt
     >ps://attack.mitre.org/techniques/T1548/005) or other privile
     >ges through various means within the environment. Misconfigu
     >rations in role assignments or role assumption policies may 
     >allow an adversary to use these mechanisms to leverage permi
     >ssions outside the intended scope of the account. Such over 
     >privileged accounts may be used to harvest sensitive data fr
     >om online storage accounts and databases through [Cloud API]
     >(https://attack.mitre.org/techniques/T1059/009) or other met
     >hods.  
    ", + "changelog_mitigations": { + "shared": [ + "M1015: Active Directory Configuration", + "M1017: User Training", + "M1018: User Account Management", + "M1026: Privileged Account Management", + "M1027: Password Policies", + "M1032: Multi-factor Authentication", + "M1036: Account Use Policies" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0002: User Account (User Account Authentication)", + "DS0028: Logon Session (Logon Session Creation)", + "DS0028: Logon Session (Logon Session Metadata)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-03-13 20:21:54.758000+00:00", + "modified": "2023-08-14 14:55:07.432000+00:00", + "name": "Domain Accounts", + "description": "Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.(Citation: TechNet Credential Theft) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.(Citation: Microsoft AD Accounts)\n\nAdversaries may compromise domain accounts, some with a high level of privileges, through various means such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or password reuse, allowing access to privileged resources of the domain.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "initial-access" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1078/002", + "external_id": "T1078.002" + }, + { + "source_name": "TechNet Credential Theft", + "description": "Microsoft. (2016, April 15). Attractive Accounts for Credential Theft. Retrieved June 3, 2016.", + "url": "https://technet.microsoft.com/en-us/library/dn535501.aspx" + }, + { + "source_name": "TechNet Audit Policy", + "description": "Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved June 3, 2016.", + "url": "https://technet.microsoft.com/en-us/library/dn487457.aspx" + }, + { + "source_name": "Microsoft AD Accounts", + "description": "Microsoft. (2019, August 23). Active Directory Accounts. Retrieved March 13, 2020.", + "url": "https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-accounts" + }, + { + "source_name": "Ubuntu SSSD Docs", + "description": "Ubuntu. (n.d.). SSSD. Retrieved September 23, 2021.", + "url": "https://ubuntu.com/server/docs/service-sssd" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Jon Sternstein, Stern Security" + ], + "x_mitre_data_sources": [ + "User Account: User Account Authentication", + "Logon Session: Logon Session Creation", + "Logon Session: Logon Session Metadata" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).\n\nOn Linux, check logs and other artifacts created by use of domain authentication services, such as the System Security Services Daemon (sssd).(Citation: Ubuntu SSSD Docs) \n\nPerform regular audits of domain accounts to detect accounts that may have been created by an adversary for persistence.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_permissions_required": [ + "User", + "Administrator" + ], + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "x_mitre_version": "1.4", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-14 14:55:07.432000+00:00\", \"old_value\": \"2023-04-13 17:17:03.605000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.4\", \"old_value\": \"1.3\"}}}", + "previous_version": "1.3", + "version_change": "1.3 \u2192 1.4", + "changelog_mitigations": { + "shared": [ + "M1017: User Training", + "M1026: Privileged Account Management", + "M1032: Multi-factor Authentication" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0002: User Account (User Account Authentication)", + "DS0028: Logon Session (Logon Session Creation)", + "DS0028: Logon Session (Logon Session Metadata)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--fdc47f44-dd32-4b99-af5f-209f556f63c2", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-03-13 20:26:46.695000+00:00", + "modified": "2023-07-14 13:04:04.591000+00:00", + "name": "Local Accounts", + "description": "Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.\n\nLocal Accounts may also be abused to elevate privileges and harvest credentials through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). Password reuse may allow the abuse of local accounts across a set of machines on a network for the purposes of Privilege Escalation and Lateral Movement. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "initial-access" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1078/003", + "external_id": "T1078.003" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_data_sources": [ + "Logon Session: Logon Session Creation", + "Logon Session: Logon Session Metadata", + "User Account: User Account Authentication" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Perform regular audits of local system accounts to detect accounts that may have been created by an adversary for persistence. Look for suspicious account behavior, such as accounts logged in at odd times or outside of business hours.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_permissions_required": [ + "Administrator", + "User" + ], + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows", + "Containers", + "Network" + ], + "x_mitre_version": "1.4", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-07-14 13:04:04.591000+00:00\", \"old_value\": \"2023-04-13 17:17:49.889000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.4\", \"old_value\": \"1.3\"}}, \"iterable_item_added\": {\"root['x_mitre_platforms'][4]\": \"Network\"}}", + "previous_version": "1.3", + "version_change": "1.3 \u2192 1.4", + "changelog_mitigations": { + "shared": [ + "M1026: Privileged Account Management", + "M1027: Password Policies" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0002: User Account (User Account Authentication)", + "DS0028: Logon Session (Logon Session Creation)", + "DS0028: Logon Session (Logon Session Metadata)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:30:44.329000+00:00", + "modified": "2023-07-24 20:38:58.283000+00:00", + "name": "Windows Management Instrumentation", + "description": "Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM) and [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) (WinRM).(Citation: MSDN WMI) Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.(Citation: MSDN WMI)(Citation: FireEye WMI 2015)\n\nAn adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for Discovery as well as remote Execution of files as part of Lateral Movement. (Citation: FireEye WMI SANS 2015) (Citation: FireEye WMI 2015)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "execution" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1047", + "external_id": "T1047" + }, + { + "source_name": "FireEye WMI 2015", + "description": "Ballenthin, W., et al. (2015). Windows Management Instrumentation (WMI) Offense, Defense, and Forensics. Retrieved March 30, 2016.", + "url": "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf" + }, + { + "source_name": "FireEye WMI SANS 2015", + "description": "Devon Kerr. (2015). There's Something About WMI. Retrieved May 4, 2020.", + "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/sans-dfir-2015.pdf" + }, + { + "source_name": "MSDN WMI", + "description": "Microsoft. (n.d.). Windows Management Instrumentation. Retrieved April 27, 2016.", + "url": "https://msdn.microsoft.com/en-us/library/aa394582.aspx" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "@ionstorm", + "Olaf Hartong, Falcon Force" + ], + "x_mitre_data_sources": [ + "Network Traffic: Network Connection Creation", + "Process: Process Creation", + "WMI: WMI Creation", + "Command: Command Execution" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor network traffic for WMI connections; the use of WMI in environments that do not typically use WMI may be suspect. Perform process monitoring to capture command-line arguments of \"wmic\" and detect commands that are used to perform remote behavior. (Citation: FireEye WMI 2015)", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_remote_support": true, + "x_mitre_version": "1.4", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-07-24 20:38:58.283000+00:00\", \"old_value\": \"2023-04-07 17:10:13.696000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.4\", \"old_value\": \"1.3\"}}, \"iterable_item_added\": {\"root['x_mitre_contributors'][1]\": \"Olaf Hartong, Falcon Force\", \"root['x_mitre_data_sources'][2]\": \"WMI: WMI Creation\"}}", + "previous_version": "1.3", + "version_change": "1.3 \u2192 1.4", + "changelog_mitigations": { + "shared": [ + "M1018: User Account Management", + "M1026: Privileged Account Management", + "M1038: Execution Prevention", + "M1040: Behavior Prevention on Endpoint" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0017: Command (Command Execution)", + "DS0029: Network Traffic (Network Connection Creation)" + ], + "new": [ + "DS0005: WMI (WMI Creation)" + ], + "dropped": [] + } + } + ], + "other_version_changes": [], + "patches": [ + { + "type": "attack-pattern", + "id": "attack-pattern--e24fcba8-2557-4442-a139-1ee2f2e784db", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-08-30 13:01:10.120000+00:00", + "modified": "2023-05-04 18:01:44.086000+00:00", + "name": "Cloud Service Discovery", + "description": "An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.\n\nAdversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Azure AD Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API)\n\nFor example, Stormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.(Citation: Azure - Stormspotter)(Citation: GitHub Pacu)\n\nAdversaries may use the information gained to shape follow-on behaviors, such as targeting data or credentials from enumerated services or evading identified defenses through [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001) or [Disable or Modify Cloud Logs](https://attack.mitre.org/techniques/T1562/008).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "discovery" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1526", + "external_id": "T1526" + }, + { + "source_name": "Azure AD Graph API", + "description": "Microsoft. (2016, March 26). Operations overview | Graph API concepts. Retrieved June 18, 2020.", + "url": "https://docs.microsoft.com/en-us/previous-versions/azure/ad/graph/howto/azure-ad-graph-api-operations-overview" + }, + { + "source_name": "Azure - Resource Manager API", + "description": "Microsoft. (2019, May 20). Azure Resource Manager. Retrieved June 17, 2020.", + "url": "https://docs.microsoft.com/en-us/rest/api/resources/" + }, + { + "source_name": "Azure - Stormspotter", + "description": "Microsoft. (2020). Azure Stormspotter GitHub. Retrieved June 17, 2020.", + "url": "https://github.com/Azure/Stormspotter" + }, + { + "source_name": "GitHub Pacu", + "description": "Rhino Security Labs. (2019, August 22). Pacu. Retrieved October 17, 2019.", + "url": "https://github.com/RhinoSecurityLabs/pacu" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Suzy Schapperle - Microsoft Azure Red Team", + "Praetorian", + "Thanabodi Phrakhun, I-SECURE" + ], + "x_mitre_data_sources": [ + "Cloud Service: Cloud Service Enumeration" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Cloud service discovery techniques will likely occur throughout an operation where an adversary is targeting cloud-based systems and services. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.\n\nNormal, benign system and network events that look like cloud service discovery may be uncommon, depending on the environment and how they are used. Monitor cloud service usage for anomalous behavior that may indicate adversarial presence within the environment.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Azure AD", + "Office 365", + "SaaS", + "IaaS", + "Google Workspace" + ], + "x_mitre_version": "1.3", + "detailed_diff": "{\"values_changed\": {\"root['description']\": {\"new_value\": \"An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.\\n\\nAdversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Azure AD Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API)\\n\\nFor example, Stormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.(Citation: Azure - Stormspotter)(Citation: GitHub Pacu)\\n\\nAdversaries may use the information gained to shape follow-on behaviors, such as targeting data or credentials from enumerated services or evading identified defenses through [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001) or [Disable or Modify Cloud Logs](https://attack.mitre.org/techniques/T1562/008).\", \"old_value\": \"An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.\\n\\nAdversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Azure AD Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API)\\n\\nFor example, Stormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.(Citation: Azure - Stormspotter)(Citation: GitHub Pacu)\\n\\nAdversaries may use the information gained to shape follow-on behaviors, such as targeting data or credentials from enumerated services or evading identified defenses through [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001) or [Disable Cloud Logs](https://attack.mitre.org/techniques/T1562/008).\", \"diff\": \"--- \\n+++ \\n@@ -4,4 +4,4 @@\\n \\n For example, Stormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.(Citation: Azure - Stormspotter)(Citation: GitHub Pacu)\\n \\n-Adversaries may use the information gained to shape follow-on behaviors, such as targeting data or credentials from enumerated services or evading identified defenses through [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001) or [Disable Cloud Logs](https://attack.mitre.org/techniques/T1562/008).\\n+Adversaries may use the information gained to shape follow-on behaviors, such as targeting data or credentials from enumerated services or evading identified defenses through [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001) or [Disable or Modify Cloud Logs](https://attack.mitre.org/techniques/T1562/008).\"}}}", + "previous_version": "1.3", + "description_change_table": "\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n

    		Old Description
    		New Description
    t1An adversary may attempt to enumerate the cloud services runt1An adversary may attempt to enumerate the cloud services run
    >ning on a system after gaining access. These methods can dif>ning on a system after gaining access. These methods can dif
    >fer from platform-as-a-service (PaaS), to infrastructure-as->fer from platform-as-a-service (PaaS), to infrastructure-as-
    >a-service (IaaS), or software-as-a-service (SaaS). Many serv>a-service (IaaS), or software-as-a-service (SaaS). Many serv
    >ices exist throughout the various cloud providers and can in>ices exist throughout the various cloud providers and can in
    >clude Continuous Integration and Continuous Delivery (CI/CD)>clude Continuous Integration and Continuous Delivery (CI/CD)
    >, Lambda Functions, Azure AD, etc. They may also include sec>, Lambda Functions, Azure AD, etc. They may also include sec
    >urity services, such as AWS GuardDuty and Microsoft Defender>urity services, such as AWS GuardDuty and Microsoft Defender
    > for Cloud, and logging services, such as AWS CloudTrail and> for Cloud, and logging services, such as AWS CloudTrail and
    > Google Cloud Audit Logs.  Adversaries may attempt to discov> Google Cloud Audit Logs.  Adversaries may attempt to discov
    >er information about the services enabled throughout the env>er information about the services enabled throughout the env
    >ironment. Azure tools and APIs, such as the Azure AD Graph A>ironment. Azure tools and APIs, such as the Azure AD Graph A
    >PI and Azure Resource Manager API, can enumerate resources a>PI and Azure Resource Manager API, can enumerate resources a
    >nd services, including applications, management groups, reso>nd services, including applications, management groups, reso
    >urces and policy definitions, and their relationships that a>urces and policy definitions, and their relationships that a
    >re accessible by an identity.(Citation: Azure - Resource Man>re accessible by an identity.(Citation: Azure - Resource Man
    >ager API)(Citation: Azure AD Graph API)  For example, Storms>ager API)(Citation: Azure AD Graph API)  For example, Storms
    >potter is an open source tool for enumerating and constructi>potter is an open source tool for enumerating and constructi
    >ng a graph for Azure resources and services, and Pacu is an >ng a graph for Azure resources and services, and Pacu is an 
    >open source AWS exploitation framework that supports several>open source AWS exploitation framework that supports several
    > methods for discovering cloud services.(Citation: Azure - S> methods for discovering cloud services.(Citation: Azure - S
    >tormspotter)(Citation: GitHub Pacu)  Adversaries may use the>tormspotter)(Citation: GitHub Pacu)  Adversaries may use the
    > information gained to shape follow-on behaviors, such as ta> information gained to shape follow-on behaviors, such as ta
    >rgeting data or credentials from enumerated services or evad>rgeting data or credentials from enumerated services or evad
    >ing identified defenses through [Disable or Modify Tools](ht>ing identified defenses through [Disable or Modify Tools](ht
    >tps://attack.mitre.org/techniques/T1562/001) or [Disable Clo>tps://attack.mitre.org/techniques/T1562/001) or [Disable or 
    >ud Logs](https://attack.mitre.org/techniques/T1562/008).>Modify Cloud Logs](https://attack.mitre.org/techniques/T1562
     >/008).
    ", + "changelog_mitigations": { + "shared": [], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0025: Cloud Service (Cloud Service Enumeration)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-01-24 15:11:02.758000+00:00", + "modified": "2023-10-20 17:04:13.976000+00:00", + "name": "PowerShell Profile", + "description": "Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles. A PowerShell profile (profile.ps1) is a script that runs when [PowerShell](https://attack.mitre.org/techniques/T1059/001) starts and can be used as a logon script to customize user environments.\n\n[PowerShell](https://attack.mitre.org/techniques/T1059/001) supports several profiles depending on the user or host program. For example, there can be different profiles for [PowerShell](https://attack.mitre.org/techniques/T1059/001) host programs such as the PowerShell console, PowerShell ISE or Visual Studio Code. An administrator can also configure a profile that applies to all users and host programs on the local computer. (Citation: Microsoft About Profiles) \n\nAdversaries may modify these profiles to include arbitrary commands, functions, modules, and/or [PowerShell](https://attack.mitre.org/techniques/T1059/001) drives to gain persistence. Every time a user opens a [PowerShell](https://attack.mitre.org/techniques/T1059/001) session the modified script will be executed unless the -NoProfile flag is used when it is launched. (Citation: ESET Turla PowerShell May 2019) \n\nAn adversary may also be able to escalate privileges if a script in a PowerShell profile is loaded and executed by an account with higher privileges, such as a domain administrator. (Citation: Wits End and Shady PowerShell Profiles)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1546/013", + "external_id": "T1546.013" + }, + { + "source_name": "Wits End and Shady PowerShell Profiles", + "description": "DeRyke, A.. (2019, June 7). Lab Notes: Persistence and Privilege Elevation using the Powershell Profile. Retrieved July 8, 2019.", + "url": "https://witsendandshady.blogspot.com/2019/06/lab-notes-persistence-and-privilege.html" + }, + { + "source_name": "ESET Turla PowerShell May 2019", + "description": "Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.", + "url": "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/" + }, + { + "source_name": "Malware Archaeology PowerShell Cheat Sheet", + "description": "Malware Archaeology. (2016, June). WINDOWS POWERSHELL LOGGING CHEAT SHEET - Win 7/Win 2008 or later. Retrieved June 24, 2016.", + "url": "http://www.malwarearchaeology.com/s/Windows-PowerShell-Logging-Cheat-Sheet-ver-June-2016-v2.pdf" + }, + { + "source_name": "Microsoft About Profiles", + "description": "Microsoft. (2017, November 29). About Profiles. Retrieved June 14, 2019.", + "url": "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-6" + }, + { + "source_name": "Microsoft Profiles", + "description": "Microsoft. (2021, September 27). about_Profiles. Retrieved February 4, 2022.", + "url": "https://docs.microsoft.com/powershell/module/microsoft.powershell.core/about/about_profiles" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Allen DeRyke, ICE", + "Matt Green, @mgreen27" + ], + "x_mitre_data_sources": [ + "File: File Modification", + "Command: Command Execution", + "Process: Process Creation", + "File: File Creation" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Locations where profile.ps1 can be stored should be monitored for new profiles or modifications. (Citation: Malware Archaeology PowerShell Cheat Sheet)(Citation: Microsoft Profiles) Example profile locations (user defaults as well as program-specific) include:\n\n* $PsHome\\Profile.ps1\n* $PsHome\\Microsoft.{HostProgram}_profile.ps1\n* $Home\\\\\\[My ]Documents\\PowerShell\\Profile.ps1\n* $Home\\\\\\[My ]Documents\\PowerShell\\Microsoft.{HostProgram}_profile.ps1\n\nMonitor abnormal PowerShell commands, unusual loading of PowerShell drives or modules, and/or execution of unknown programs.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_permissions_required": [ + "User", + "Administrator" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_attack_spec_version']\": \"3.2.0\", \"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-20 17:04:13.976000+00:00\", \"old_value\": \"2022-02-08 16:39:08.851000+00:00\"}}, \"iterable_item_added\": {\"root['x_mitre_contributors'][1]\": \"Matt Green, @mgreen27\"}, \"iterable_item_removed\": {\"root['x_mitre_contributors'][0]\": \"Matthew Green\"}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [ + "M1022: Restrict File and Directory Permissions", + "M1045: Code Signing", + "M1054: Software Configuration" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0017: Command (Command Execution)", + "DS0022: File (File Creation)", + "DS0022: File (File Modification)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--1f9c2bae-b441-4f66-a8af-b65946ee72f2", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-12-17 15:24:12.240000+00:00", + "modified": "2023-09-19 21:25:46.568000+00:00", + "name": "SAML Tokens", + "description": "An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.(Citation: Microsoft SolarWinds Steps) The default lifetime of a SAML token is one hour, but the validity period can be specified in the NotOnOrAfter value of the conditions ... element in a token. This value can be changed using the AccessTokenLifetime in a LifetimeTokenPolicy.(Citation: Microsoft SAML Token Lifetimes) Forged SAML tokens enable adversaries to authenticate across services that use SAML 2.0 as an SSO (single sign-on) mechanism.(Citation: Cyberark Golden SAML)\n\nAn adversary may utilize [Private Keys](https://attack.mitre.org/techniques/T1552/004) to compromise an organization's token-signing certificate to create forged SAML tokens. If the adversary has sufficient permissions to establish a new federation trust with their own Active Directory Federation Services (AD FS) server, they may instead generate their own trusted token-signing certificate.(Citation: Microsoft SolarWinds Customer Guidance) This differs from [Steal Application Access Token](https://attack.mitre.org/techniques/T1528) and other similar behaviors in that the tokens are new and forged by the adversary, rather than stolen or intercepted from legitimate users.\n\nAn adversary may gain administrative Azure AD privileges if a SAML token is forged which claims to represent a highly privileged account. This may lead to [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Microsoft SolarWinds Customer Guidance)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "credential-access" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1606/002", + "external_id": "T1606.002" + }, + { + "source_name": "Microsoft SolarWinds Steps", + "description": "Lambert, J. (2020, December 13). Important steps for customers to protect themselves from recent nation-state cyberattacks. Retrieved December 17, 2020.", + "url": "https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/" + }, + { + "source_name": "Microsoft SAML Token Lifetimes", + "description": "Microsoft. (2020, December 14). Configurable token lifetimes in Microsoft Identity Platform. Retrieved December 22, 2020.", + "url": "https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes" + }, + { + "source_name": "Microsoft SolarWinds Customer Guidance", + "description": "MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 17, 2020.", + "url": "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/" + }, + { + "source_name": "Cyberark Golden SAML", + "description": "Reiner, S. (2017, November 21). Golden SAML: Newly Discovered Attack Technique Forges Authentication to Cloud Apps. Retrieved December 17, 2020.", + "url": "https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps" + }, + { + "source_name": "Sygnia Golden SAML", + "description": "Sygnia. (2020, December). Detection and Hunting of Golden SAML Attack. Retrieved January 6, 2021.", + "url": "https://www.sygnia.co/golden-saml-advisory" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Blake Strom, Microsoft 365 Defender", + "Oleg Kolesnikov, Securonix", + "Jack Burns, HubSpot" + ], + "x_mitre_data_sources": [ + "Web Credential: Web Credential Usage", + "Web Credential: Web Credential Creation", + "Logon Session: Logon Session Creation", + "User Account: User Account Authentication", + "Logon Session: Logon Session Metadata" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "This technique may be difficult to detect as SAML tokens are signed by a trusted certificate. The forging process may not be detectable since it is likely to happen outside of a defender's visibility, but subsequent usage of the forged token may be seen. Monitor for anomalous logins using SAML tokens created by a compromised or adversary generated token-signing certificate. These logins may occur on any on-premises resources as well as from any cloud environment that trusts the certificate.(Citation: Microsoft SolarWinds Customer Guidance) Search for logins to service providers using SAML SSO which do not have corresponding 4769, 1200, and 1202 events in the Domain.(Citation: Sygnia Golden SAML)\n\nConsider modifying SAML responses to include custom elements for each service provider. Monitor these custom elements in service provider access logs to detect any anomalous requests.(Citation: Sygnia Golden SAML)", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Azure AD", + "SaaS", + "Windows", + "Office 365", + "Google Workspace", + "IaaS" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_attack_spec_version']\": \"3.1.0\", \"root['x_mitre_deprecated']\": false}, \"dictionary_item_removed\": {\"root['x_mitre_permissions_required']\": [\"Administrator\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-19 21:25:46.568000+00:00\", \"old_value\": \"2021-09-20 16:47:19.173000+00:00\"}}, \"iterable_item_added\": {\"root['x_mitre_contributors'][2]\": \"Jack Burns, HubSpot\"}, \"iterable_item_removed\": {\"root['x_mitre_contributors'][0]\": \"Jen Burns, HubSpot\"}}", + "previous_version": "1.2", + "changelog_mitigations": { + "shared": [ + "M1015: Active Directory Configuration", + "M1018: User Account Management", + "M1026: Privileged Account Management", + "M1047: Audit" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0002: User Account (User Account Authentication)", + "DS0006: Web Credential (Web Credential Creation)", + "DS0006: Web Credential (Web Credential Usage)", + "DS0028: Logon Session (Logon Session Creation)", + "DS0028: Logon Session (Logon Session Metadata)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--861b8fd2-57f3-4ee1-ab5d-c19c3b8c7a4a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-12-17 02:14:34.178000+00:00", + "modified": "2023-09-19 21:25:10.511000+00:00", + "name": "Web Cookies", + "description": "Adversaries may forge web cookies that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies to authenticate and authorize user access.\n\nAdversaries may generate these cookies in order to gain access to web resources. This differs from [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539) and other similar behaviors in that the cookies are new and forged by the adversary, rather than stolen or intercepted from legitimate users. Most common web applications have standardized and documented cookie values that can be generated using provided tools or interfaces.(Citation: Pass The Cookie) The generation of web cookies often requires secret values, such as passwords, [Private Keys](https://attack.mitre.org/techniques/T1552/004), or other cryptographic seed values.\n\nOnce forged, adversaries may use these web cookies to access resources ([Web Session Cookie](https://attack.mitre.org/techniques/T1550/004)), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Volexity SolarWinds)(Citation: Pass The Cookie)(Citation: Unit 42 Mac Crypto Cookies January 2019)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "credential-access" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1606/001", + "external_id": "T1606.001" + }, + { + "source_name": "Volexity SolarWinds", + "description": "Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020.", + "url": "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" + }, + { + "source_name": "Unit 42 Mac Crypto Cookies January 2019", + "description": "Chen, Y., Hu, W., Xu, Z., et. al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges\u2019 Cookies. Retrieved October 14, 2019.", + "url": "https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/" + }, + { + "source_name": "Pass The Cookie", + "description": "Rehberger, J. (2018, December). Pivot to the Cloud using Pass the Cookie. Retrieved April 5, 2019.", + "url": "https://wunderwuzzi23.github.io/blog/passthecookie.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Jack Burns, HubSpot" + ], + "x_mitre_data_sources": [ + "Logon Session: Logon Session Creation", + "Web Credential: Web Credential Usage" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor for anomalous authentication activity, such as logons or other user session activity associated with unknown accounts. Monitor for unexpected and abnormal access to resources, including access of websites and cloud-based applications by the same user in different locations or by different systems that do not match expected configurations.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows", + "SaaS", + "IaaS" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_attack_spec_version']\": \"3.1.0\", \"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-19 21:25:10.511000+00:00\", \"old_value\": \"2021-09-20 16:48:28.041000+00:00\"}, \"root['x_mitre_contributors'][0]\": {\"new_value\": \"Jack Burns, HubSpot\", \"old_value\": \"Jen Burns, HubSpot\"}}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [ + "M1047: Audit", + "M1054: Software Configuration" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0006: Web Credential (Web Credential Usage)", + "DS0028: Logon Session (Logon Session Creation)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--208884f1-7b83-4473-ac22-4e1cf6c41471", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-03-08 22:40:06.918000+00:00", + "modified": "2023-06-14 23:03:51.540000+00:00", + "name": "Masquerade File Type", + "description": "Adversaries may masquerade malicious payloads as legitimate files through changes to the payload's formatting, including the file\u2019s signature, extension, and contents. Various file types have a typical standard format, including how they are encoded and organized. For example, a file\u2019s signature (also known as header or magic bytes) is the beginning bytes of a file and is often used to identify the file\u2019s type. For example, the header of a JPEG file, is 0xFF 0xD8 and the file extension is either `.JPE`, `.JPEG` or `.JPG`. \n\nAdversaries may edit the header\u2019s hex code and/or the file extension of a malicious payload in order to bypass file validation checks and/or input sanitization. This behavior is commonly used when payload files are transferred (e.g., [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) and stored (e.g., [Upload Malware](https://attack.mitre.org/techniques/T1608/001)) so that adversaries may move their malware without triggering detections. \n\nCommon non-executable file types and extensions, such as text files (`.txt`) and image files (`.jpg`, `.gif`, etc.) may be typically treated as benign. Based on this, adversaries may use a file extension to disguise malware, such as naming a PHP backdoor code with a file name of test.gif. A user may not know that a file is malicious due to the benign appearance and file extension.\n\nPolygot files, which are files that have multiple different file types and that function differently based on the application that will execute them, may also be used to disguise malicious malware and capabilities.(Citation: polygot_icedID)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1036/008", + "external_id": "T1036.008" + }, + { + "source_name": "polygot_icedID", + "description": "Lim, M. (2022, September 27). More Than Meets the Eye: Exposing a Polyglot File That Delivers IcedID. Retrieved September 29, 2022.", + "url": "https://unit42.paloaltonetworks.com/polyglot-file-icedid-payload" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "CrowdStrike Falcon OverWatch", + "Ben Smith, @ezaspy" + ], + "x_mitre_data_sources": [ + "File: File Modification", + "Command: Command Execution" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-06-14 23:03:51.540000+00:00\", \"old_value\": \"2023-04-11 22:37:42.319000+00:00\"}, \"root['x_mitre_contributors'][1]\": {\"new_value\": \"Ben Smith, @ezaspy\", \"old_value\": \"Ben Smith\"}}}", + "previous_version": "1.0", + "changelog_mitigations": { + "shared": [ + "M1038: Execution Prevention", + "M1040: Behavior Prevention on Endpoint", + "M1049: Antivirus/Antimalware" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0017: Command (Command Execution)", + "DS0022: File (File Modification)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-02-10 20:03:11.691000+00:00", + "modified": "2023-09-14 21:12:48.411000+00:00", + "name": "Rename System Utilities", + "description": "Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing. (Citation: LOLBAS Main Site) It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename rundll32.exe). (Citation: Elastic Masquerade Ball) An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on system utilities executing from non-standard paths. (Citation: F-Secure CozyDuke)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1036/003", + "external_id": "T1036.003" + }, + { + "source_name": "Twitter ItsReallyNick Masquerading Update", + "description": "Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading. Retrieved April 22, 2019.", + "url": "https://twitter.com/ItsReallyNick/status/1055321652777619457" + }, + { + "source_name": "Elastic Masquerade Ball", + "description": "Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball. Retrieved October 31, 2016.", + "url": "https://www.elastic.co/blog/how-hunt-masquerade-ball" + }, + { + "source_name": "F-Secure CozyDuke", + "description": "F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015.", + "url": "https://www.f-secure.com/documents/996508/1030745/CozyDuke" + }, + { + "source_name": "LOLBAS Main Site", + "description": "LOLBAS. (n.d.). Living Off The Land Binaries and Scripts (and also Libraries). Retrieved February 10, 2020.", + "url": "https://lolbas-project.github.io/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_data_sources": [ + "File: File Modification", + "Process: Process Metadata", + "Command: Command Execution", + "File: File Metadata" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "If file names are mismatched between the file name on disk and that of the binary's PE metadata, this is a likely indicator that a binary was renamed after it was compiled. Collecting and comparing disk and resource filenames for binaries by looking to see if the InternalName, OriginalFilename, and/or ProductName match what is expected could provide useful leads, but may not always be indicative of malicious activity. (Citation: Elastic Masquerade Ball) Do not focus on the possible names a file could have, but instead on the command-line arguments that are known to be used and are distinct because it will have a better rate of detection.(Citation: Twitter ItsReallyNick Masquerading Update)", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-14 21:12:48.411000+00:00\", \"old_value\": \"2023-04-07 17:07:20.038000+00:00\"}, \"root['external_references'][2]['url']\": {\"new_value\": \"https://www.elastic.co/blog/how-hunt-masquerade-ball\", \"old_value\": \"http://pages.endgame.com/rs/627-YBU-612/images/EndgameJournal_The%20Masquerade%20Ball_Pages_R2.pdf\"}}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [ + "M1022: Restrict File and Directory Permissions" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Metadata)", + "DS0017: Command (Command Execution)", + "DS0022: File (File Metadata)", + "DS0022: File (File Modification)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--6add2ab5-2711-4e9d-87c8-7a0be8531530", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-02-21 15:42:25.991000+00:00", + "modified": "2023-10-19 18:37:57.025000+00:00", + "name": "Cached Domain Credentials", + "description": "Adversaries may attempt to access cached domain credentials used to allow authentication to occur in the event a domain controller is unavailable.(Citation: Microsoft - Cached Creds)\n\nOn Windows Vista and newer, the hash format is DCC2 (Domain Cached Credentials version 2) hash, also known as MS-Cache v2 hash.(Citation: PassLib mscache) The number of default cached credentials varies and can be altered per system. This hash does not allow pass-the-hash style attacks, and instead requires [Password Cracking](https://attack.mitre.org/techniques/T1110/002) to recover the plaintext password.(Citation: ired mscache)\n\nWith SYSTEM access, the tools/utilities such as [Mimikatz](https://attack.mitre.org/software/S0002), [Reg](https://attack.mitre.org/software/S0075), and secretsdump.py can be used to extract the cached credentials.\n\nNote: Cached credentials for Windows Vista are derived using PBKDF2.(Citation: PassLib mscache)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "credential-access" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1003/005", + "external_id": "T1003.005" + }, + { + "source_name": "PassLib mscache", + "description": "Eli Collins. (2016, November 25). Windows' Domain Cached Credentials v2. Retrieved February 21, 2020.", + "url": "https://passlib.readthedocs.io/en/stable/lib/passlib.hash.msdcc2.html" + }, + { + "source_name": "ired mscache", + "description": "Mantvydas Baranauskas. (2019, November 16). Dumping and Cracking mscash - Cached Domain Credentials. Retrieved February 21, 2020.", + "url": "https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-and-cracking-mscash-cached-domain-credentials" + }, + { + "source_name": "Microsoft - Cached Creds", + "description": "Microsoft. (2016, August 21). Cached and Stored Credentials Technical Overview. Retrieved February 21, 2020.", + "url": "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh994565(v%3Dws.11)" + }, + { + "source_name": "Powersploit", + "description": "PowerSploit. (n.d.). Retrieved December 4, 2014.", + "url": "https://github.com/mattifestation/PowerSploit" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Ed Williams, Trustwave, SpiderLabs" + ], + "x_mitre_data_sources": [ + "Command: Command Execution" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor processes and command-line arguments for program execution that may be indicative of credential dumping. Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module,(Citation: Powersploit) which may require additional logging features to be configured in the operating system to collect necessary information for analysis.\n\nDetection of compromised [Valid Accounts](https://attack.mitre.org/techniques/T1078) in-use by adversaries may help as well.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_attack_spec_version']\": \"3.2.0\", \"root['x_mitre_deprecated']\": false}, \"dictionary_item_removed\": {\"root['x_mitre_permissions_required']\": [\"SYSTEM\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-19 18:37:57.025000+00:00\", \"old_value\": \"2020-03-24 20:41:08.996000+00:00\"}, \"root['external_references'][1]['description']\": {\"new_value\": \"Microsoft. (2016, August 21). Cached and Stored Credentials Technical Overview. Retrieved February 21, 2020.\", \"old_value\": \"Microsfot. (2016, August 21). Cached and Stored Credentials Technical Overview. Retrieved February 21, 2020.\"}}}", + "previous_version": "1.0", + "changelog_mitigations": { + "shared": [ + "M1015: Active Directory Configuration", + "M1017: User Training", + "M1026: Privileged Account Management", + "M1027: Password Policies", + "M1028: Operating System Configuration" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0017: Command (Command Execution)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--3b744087-9945-4a6f-91e8-9dbceda417a4", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:31:08.977000+00:00", + "modified": "2023-10-17 20:42:21.453000+00:00", + "name": "Replication Through Removable Media", + "description": "Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.\n\nMobile devices may also be used to infect PCs with malware if connected via USB.(Citation: Exploiting Smartphone USB ) This infection may be achieved using devices (Android, iOS, etc.) and, in some instances, USB charging cables.(Citation: Windows Malware Infecting Android)(Citation: iPhone Charging Cable Hack) For example, when a smartphone is connected to a system, it may appear to be mounted similar to a USB-connected disk drive. If malware that is compatible with the connected system is on the mobile device, the malware could infect the machine (especially if Autorun features are enabled).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "lateral-movement" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "initial-access" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1091", + "external_id": "T1091" + }, + { + "source_name": "Windows Malware Infecting Android", + "description": "Lucian Constantin. (2014, January 23). Windows malware tries to infect Android devices connected to PCs. Retrieved May 25, 2022.", + "url": "https://www.computerworld.com/article/2486903/windows-malware-tries-to-infect-android-devices-connected-to-pcs.html" + }, + { + "source_name": "iPhone Charging Cable Hack", + "description": "Zack Whittaker. (2019, August 12). This hacker\u2019s iPhone charging cable can hijack your computer. Retrieved May 25, 2022.", + "url": "https://techcrunch.com/2019/08/12/iphone-charging-cable-hack-computer-def-con/" + }, + { + "source_name": "Exploiting Smartphone USB ", + "description": "Zhaohui Wang & Angelos Stavrou. (n.d.). Exploiting Smart-Phone USB Connectivity For Fun And Profit. Retrieved May 25, 2022.", + "url": "https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.226.3427&rep=rep1&type=pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Joas Antonio dos Santos, @C0d3Cr4zy" + ], + "x_mitre_data_sources": [ + "File: File Access", + "Process: Process Creation", + "Drive: Drive Creation", + "File: File Creation" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor file access on removable media. Detect processes that execute from removable media after it is mounted or when initiated by a user. If a remote access tool is used in this manner to move laterally, then additional actions are likely to occur after execution, such as opening network connections for Command and Control and system and network information Discovery.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_system_requirements": [ + "Removable media allowed, Autorun enabled or vulnerability present that allows for code execution" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-17 20:42:21.453000+00:00\", \"old_value\": \"2022-10-21 19:14:13.179000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_contributors'][0]\": {\"new_value\": \"Joas Antonio dos Santos, @C0d3Cr4zy\", \"old_value\": \"Joas Antonio dos Santos, @Cr4zyC0d3\"}}}", + "previous_version": "1.2", + "changelog_mitigations": { + "shared": [ + "M1034: Limit Hardware Installation", + "M1040: Behavior Prevention on Endpoint", + "M1042: Disable or Remove Feature or Program" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0016: Drive (Drive Creation)", + "DS0022: File (File Access)", + "DS0022: File (File Creation)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--890c9858-598c-401d-a4d5-c67ebcdd703a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-09-04 15:54:25.684000+00:00", + "modified": "2023-09-19 21:23:50.233000+00:00", + "name": "Steal Application Access Token", + "description": "Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.\n\nApplication access tokens are used to make authorized API requests on behalf of a user or service and are commonly used as a way to access resources in cloud and container-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) OAuth is one commonly implemented framework that issues tokens to users for access to systems. Adversaries who steal account API tokens in cloud and containerized environments may be able to access data and perform actions with the permissions of these accounts, which can lead to privilege escalation and further compromise of the environment.\n\nIn Kubernetes environments, processes running inside a container communicate with the Kubernetes API server using service account tokens. If a container is compromised, an attacker may be able to steal the container\u2019s token and thereby gain access to Kubernetes API commands.(Citation: Kubernetes Service Accounts)\n\nToken theft can also occur through social engineering, in which case user action may be required to grant access. An application desiring access to cloud-based services or protected APIs can gain entry using OAuth 2.0 through a variety of authorization protocols. An example commonly-used sequence is Microsoft's Authorization Code Grant flow.(Citation: Microsoft Identity Platform Protocols May 2019)(Citation: Microsoft - OAuth Code Authorization flow - June 2019) An OAuth access token enables a third-party application to interact with resources containing user data in the ways requested by the application without obtaining user credentials. \n \nAdversaries can leverage OAuth authorization by constructing a malicious application designed to be granted access to resources with the target user's OAuth token.(Citation: Amnesty OAuth Phishing Attacks, August 2019)(Citation: Trend Micro Pawn Storm OAuth 2017) The adversary will need to complete registration of their application with the authorization server, for example Microsoft Identity Platform using Azure Portal, the Visual Studio IDE, the command-line interface, PowerShell, or REST API calls.(Citation: Microsoft - Azure AD App Registration - May 2019) Then, they can send a [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) to the target user to entice them to grant access to the application. Once the OAuth access token is granted, the application can gain potentially long-term access to features of the user account through [Application Access Token](https://attack.mitre.org/techniques/T1550/001).(Citation: Microsoft - Azure AD Identity Tokens - Aug 2019)\n\nApplication access tokens may function within a limited lifetime, limiting how long an adversary can utilize the stolen token. However, in some cases, adversaries can also steal application refresh tokens(Citation: Auth0 Understanding Refresh Tokens), allowing them to obtain new access tokens without prompting the user. \n\n", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "credential-access" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1528", + "external_id": "T1528" + }, + { + "source_name": "Amnesty OAuth Phishing Attacks, August 2019", + "description": "Amnesty International. (2019, August 16). Evolving Phishing Attacks Targeting Journalists and Human Rights Defenders from the Middle-East and North Africa. Retrieved October 8, 2019.", + "url": "https://www.amnesty.org/en/latest/research/2019/08/evolving-phishing-attacks-targeting-journalists-and-human-rights-defenders-from-the-middle-east-and-north-africa/" + }, + { + "source_name": "Auth0 Understanding Refresh Tokens", + "description": "Auth0 Inc.. (n.d.). Understanding Refresh Tokens. Retrieved December 16, 2021.", + "url": "https://auth0.com/learn/refresh-tokens/" + }, + { + "source_name": "Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019", + "description": "Auth0. (n.d.). Why You Should Always Use Access Tokens to Secure APIs. Retrieved September 12, 2019.", + "url": "https://auth0.com/blog/why-should-use-accesstokens-to-secure-an-api/" + }, + { + "source_name": "Trend Micro Pawn Storm OAuth 2017", + "description": "Hacquebord, F.. (2017, April 25). Pawn Storm Abuses Open Authentication in Advanced Social Engineering Attacks. Retrieved October 4, 2019.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-abuses-open-authentication-advanced-social-engineering-attacks" + }, + { + "source_name": "Kubernetes Service Accounts", + "description": "Kubernetes. (2022, February 26). Configure Service Accounts for Pods. Retrieved April 1, 2022.", + "url": "https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/" + }, + { + "source_name": "Microsoft - Azure AD Identity Tokens - Aug 2019", + "description": "Microsoft. (2019, August 29). Microsoft identity platform access tokens. Retrieved September 12, 2019.", + "url": "https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens" + }, + { + "source_name": "Microsoft - Azure AD App Registration - May 2019", + "description": "Microsoft. (2019, May 8). Quickstart: Register an application with the Microsoft identity platform. Retrieved September 12, 2019.", + "url": "https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app" + }, + { + "source_name": "Microsoft - OAuth Code Authorization flow - June 2019", + "description": "Microsoft. (n.d.). Microsoft identity platform and OAuth 2.0 authorization code flow. Retrieved September 12, 2019.", + "url": "https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow" + }, + { + "source_name": "Microsoft Identity Platform Protocols May 2019", + "description": "Microsoft. (n.d.). Retrieved September 12, 2019.", + "url": "https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Suzy Schapperle - Microsoft Azure Red Team", + "Shailesh Tiwary (Indian Army)", + "Mark Wee", + "Jeff Sakowicz, Microsoft Identity Developer Platform Services (IDPM Services)", + "Saisha Agrawal, Microsoft Threat Intelligent Center (MSTIC)", + "Ram Pliskin, Microsoft Azure Security Center", + "Jack Burns, HubSpot" + ], + "x_mitre_data_sources": [ + "User Account: User Account Modification" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Administrators should set up monitoring to trigger automatic alerts when policy criteria are met. For example, using a Cloud Access Security Broker (CASB), admins can create a \u201cHigh severity app permissions\u201d policy that generates alerts if apps request high severity permissions or send permissions requests for too many users.\n\nSecurity analysts can hunt for malicious apps using the tools available in their CASB, identity provider, or resource provider (depending on platform.) For example, they can filter for apps that are authorized by a small number of users, apps requesting high risk permissions, permissions incongruous with the app\u2019s purpose, or apps with old \u201cLast authorized\u201d fields. A specific app can be investigated using an activity log displaying activities the app has performed, although some activities may be mis-logged as being performed by the user. App stores can be useful resources to further investigate suspicious apps.\n\nAdministrators can set up a variety of logs and leverage audit tools to monitor actions that can be conducted as a result of OAuth 2.0 access. For instance, audit reports enable admins to identify privilege escalation actions such as role creations or policy modifications, which could be actions performed after initial access.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace", + "Containers" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-19 21:23:50.233000+00:00\", \"old_value\": \"2022-04-21 16:25:11.482000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_contributors'][6]\": {\"new_value\": \"Jack Burns, HubSpot\", \"old_value\": \"Jen Burns, HubSpot\"}}}", + "previous_version": "1.2", + "changelog_mitigations": { + "shared": [ + "M1017: User Training", + "M1018: User Account Management", + "M1021: Restrict Web-Based Content", + "M1047: Audit" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0002: User Account (User Account Modification)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--10ffac09-e42d-4f56-ab20-db94c67d76ff", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-10-08 20:04:35.508000+00:00", + "modified": "2023-08-03 20:19:01.074000+00:00", + "name": "Steal Web Session Cookie", + "description": "An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.\n\nCookies are often valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk, in the process memory of the browser, and in network traffic to remote systems. Additionally, other applications on the targets machine might store sensitive authentication cookies in memory (e.g. apps which authenticate to cloud services). Session cookies can be used to bypasses some multi-factor authentication protocols.(Citation: Pass The Cookie)\n\nThere are several examples of malware targeting cookies from web browsers on the local system.(Citation: Kaspersky TajMahal April 2019)(Citation: Unit 42 Mac Crypto Cookies January 2019) There are also open source frameworks such as `Evilginx2` and `Muraena` that can gather session cookies through a malicious proxy (ex: [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)) that can be set up by an adversary and used in phishing campaigns.(Citation: Github evilginx2)(Citation: GitHub Mauraena)\n\nAfter an adversary acquires a valid cookie, they can then perform a [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004) technique to login to the corresponding web application.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "credential-access" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1539", + "external_id": "T1539" + }, + { + "source_name": "Unit 42 Mac Crypto Cookies January 2019", + "description": "Chen, Y., Hu, W., Xu, Z., et. al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges\u2019 Cookies. Retrieved October 14, 2019.", + "url": "https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/" + }, + { + "source_name": "Kaspersky TajMahal April 2019", + "description": "GReAT. (2019, April 10). Project TajMahal \u2013 a sophisticated new APT framework. Retrieved October 14, 2019.", + "url": "https://securelist.com/project-tajmahal/90240/" + }, + { + "source_name": "Github evilginx2", + "description": "Gretzky, Kuba. (2019, April 10). Retrieved October 8, 2019.", + "url": "https://github.com/kgretzky/evilginx2" + }, + { + "source_name": "GitHub Mauraena", + "description": "Orr\u00f9, M., Trotta, G.. (2019, September 11). Muraena. Retrieved October 14, 2019.", + "url": "https://github.com/muraenateam/muraena" + }, + { + "source_name": "Pass The Cookie", + "description": "Rehberger, J. (2018, December). Pivot to the Cloud using Pass the Cookie. Retrieved April 5, 2019.", + "url": "https://wunderwuzzi23.github.io/blog/passthecookie.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Microsoft Threat Intelligence Center (MSTIC)", + "Johann Rehberger" + ], + "x_mitre_data_sources": [ + "Process: Process Access", + "File: File Access" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor for attempts to access files and repositories on a local system that are used to store browser session cookies. Monitor for attempts by programs to inject into or dump browser process memory.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows", + "Office 365", + "SaaS", + "Google Workspace" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_attack_spec_version']\": \"3.1.0\", \"root['x_mitre_deprecated']\": false}, \"dictionary_item_removed\": {\"root['x_mitre_permissions_required']\": [\"User\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-03 20:19:01.074000+00:00\", \"old_value\": \"2021-07-28 01:26:51.971000+00:00\"}, \"root['description']\": {\"new_value\": \"An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.\\n\\nCookies are often valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk, in the process memory of the browser, and in network traffic to remote systems. Additionally, other applications on the targets machine might store sensitive authentication cookies in memory (e.g. apps which authenticate to cloud services). Session cookies can be used to bypasses some multi-factor authentication protocols.(Citation: Pass The Cookie)\\n\\nThere are several examples of malware targeting cookies from web browsers on the local system.(Citation: Kaspersky TajMahal April 2019)(Citation: Unit 42 Mac Crypto Cookies January 2019) There are also open source frameworks such as `Evilginx2` and `Muraena` that can gather session cookies through a malicious proxy (ex: [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)) that can be set up by an adversary and used in phishing campaigns.(Citation: Github evilginx2)(Citation: GitHub Mauraena)\\n\\nAfter an adversary acquires a valid cookie, they can then perform a [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004) technique to login to the corresponding web application.\", \"old_value\": \"An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.\\n\\nCookies are often valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk, in the process memory of the browser, and in network traffic to remote systems. Additionally, other applications on the targets machine might store sensitive authentication cookies in memory (e.g. apps which authenticate to cloud services). Session cookies can be used to bypasses some multi-factor authentication protocols.(Citation: Pass The Cookie)\\n\\nThere are several examples of malware targeting cookies from web browsers on the local system.(Citation: Kaspersky TajMahal April 2019)(Citation: Unit 42 Mac Crypto Cookies January 2019) There are also open source frameworks such as Evilginx 2 and Muraena that can gather session cookies through a malicious proxy (ex: [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)) that can be set up by an adversary and used in phishing campaigns.(Citation: Github evilginx2)(Citation: GitHub Mauraena)\\n\\nAfter an adversary acquires a valid cookie, they can then perform a [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004) technique to login to the corresponding web application.\", \"diff\": \"--- \\n+++ \\n@@ -2,6 +2,6 @@\\n \\n Cookies are often valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk, in the process memory of the browser, and in network traffic to remote systems. Additionally, other applications on the targets machine might store sensitive authentication cookies in memory (e.g. apps which authenticate to cloud services). Session cookies can be used to bypasses some multi-factor authentication protocols.(Citation: Pass The Cookie)\\n \\n-There are several examples of malware targeting cookies from web browsers on the local system.(Citation: Kaspersky TajMahal April 2019)(Citation: Unit 42 Mac Crypto Cookies January 2019) There are also open source frameworks such as Evilginx 2 and Muraena that can gather session cookies through a malicious proxy (ex: [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)) that can be set up by an adversary and used in phishing campaigns.(Citation: Github evilginx2)(Citation: GitHub Mauraena)\\n+There are several examples of malware targeting cookies from web browsers on the local system.(Citation: Kaspersky TajMahal April 2019)(Citation: Unit 42 Mac Crypto Cookies January 2019) There are also open source frameworks such as `Evilginx2` and `Muraena` that can gather session cookies through a malicious proxy (ex: [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)) that can be set up by an adversary and used in phishing campaigns.(Citation: Github evilginx2)(Citation: GitHub Mauraena)\\n \\n After an adversary acquires a valid cookie, they can then perform a [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004) technique to login to the corresponding web application.\"}}}", + "previous_version": "1.2", + "description_change_table": "\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n

    		Old Description
    		New Description
    t1An adversary may steal web application or service session cot1An adversary may steal web application or service session co
    >okies and use them to gain access to web applications or Int>okies and use them to gain access to web applications or Int
    >ernet services as an authenticated user without needing cred>ernet services as an authenticated user without needing cred
    >entials. Web applications and services often use session coo>entials. Web applications and services often use session coo
    >kies as an authentication token after a user has authenticat>kies as an authentication token after a user has authenticat
    >ed to a website.  Cookies are often valid for an extended pe>ed to a website.  Cookies are often valid for an extended pe
    >riod of time, even if the web application is not actively us>riod of time, even if the web application is not actively us
    >ed. Cookies can be found on disk, in the process memory of t>ed. Cookies can be found on disk, in the process memory of t
    >he browser, and in network traffic to remote systems. Additi>he browser, and in network traffic to remote systems. Additi
    >onally, other applications on the targets machine might stor>onally, other applications on the targets machine might stor
    >e sensitive authentication cookies in memory (e.g. apps whic>e sensitive authentication cookies in memory (e.g. apps whic
    >h authenticate to cloud services). Session cookies can be us>h authenticate to cloud services). Session cookies can be us
    >ed to bypasses some multi-factor authentication protocols.(C>ed to bypasses some multi-factor authentication protocols.(C
    >itation: Pass The Cookie)  There are several examples of mal>itation: Pass The Cookie)  There are several examples of mal
    >ware targeting cookies from web browsers on the local system>ware targeting cookies from web browsers on the local system
    >.(Citation: Kaspersky TajMahal April 2019)(Citation: Unit 42>.(Citation: Kaspersky TajMahal April 2019)(Citation: Unit 42
    > Mac Crypto Cookies January 2019) There are also open source> Mac Crypto Cookies January 2019) There are also open source
    > frameworks such as Evilginx 2 and Muraena that can gather s> frameworks such as `Evilginx2` and `Muraena` that can gathe
    >ession cookies through a malicious proxy (ex: [Adversary-in->r session cookies through a malicious proxy (ex: [Adversary-
    >the-Middle](https://attack.mitre.org/techniques/T1557)) that>in-the-Middle](https://attack.mitre.org/techniques/T1557)) t
    > can be set up by an adversary and used in phishing campaign>hat can be set up by an adversary and used in phishing campa
    >s.(Citation: Github evilginx2)(Citation: GitHub Mauraena)  A>igns.(Citation: Github evilginx2)(Citation: GitHub Mauraena)
    >fter an adversary acquires a valid cookie, they can then per>  After an adversary acquires a valid cookie, they can then 
    >form a [Web Session Cookie](https://attack.mitre.org/techniq>perform a [Web Session Cookie](https://attack.mitre.org/tech
    >ues/T1550/004) technique to login to the corresponding web a>niques/T1550/004) technique to login to the corresponding we
    >pplication.>b application.
    ", + "changelog_mitigations": { + "shared": [ + "M1017: User Training", + "M1032: Multi-factor Authentication", + "M1054: Software Configuration" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Access)", + "DS0022: File (File Access)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-01-23 18:53:54.377000+00:00", + "modified": "2023-10-18 16:31:56.936000+00:00", + "name": "Compiled HTML File", + "description": "Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such VBA, JScript, Java, and ActiveX. (Citation: Microsoft HTML Help May 2018) CHM content is displayed using underlying components of the Internet Explorer browser (Citation: Microsoft HTML Help ActiveX) loaded by the HTML Help executable program (hh.exe). (Citation: Microsoft HTML Help Executable Program)\n\nA custom CHM file containing embedded payloads could be delivered to a victim then triggered by [User Execution](https://attack.mitre.org/techniques/T1204). CHM execution may also bypass application application control on older and/or unpatched systems that do not account for execution of binaries through hh.exe. (Citation: MsitPros CHM Aug 2017) (Citation: Microsoft CVE-2017-8625 Aug 2017)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1218/001", + "external_id": "T1218.001" + }, + { + "source_name": "Microsoft CVE-2017-8625 Aug 2017", + "description": "Microsoft. (2017, August 8). CVE-2017-8625 - Internet Explorer Security Feature Bypass Vulnerability. Retrieved October 3, 2018.", + "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8625" + }, + { + "source_name": "Microsoft HTML Help May 2018", + "description": "Microsoft. (2018, May 30). Microsoft HTML Help 1.4. Retrieved October 3, 2018.", + "url": "https://docs.microsoft.com/previous-versions/windows/desktop/htmlhelp/microsoft-html-help-1-4-sdk" + }, + { + "source_name": "Microsoft HTML Help Executable Program", + "description": "Microsoft. (n.d.). About the HTML Help Executable Program. Retrieved October 3, 2018.", + "url": "https://msdn.microsoft.com/windows/desktop/ms524405" + }, + { + "source_name": "Microsoft HTML Help ActiveX", + "description": "Microsoft. (n.d.). HTML Help ActiveX Control Overview. Retrieved October 3, 2018.", + "url": "https://msdn.microsoft.com/windows/desktop/ms644670" + }, + { + "source_name": "MsitPros CHM Aug 2017", + "description": "Moe, O. (2017, August 13). Bypassing Device guard UMCI using CHM \u2013 CVE-2017-8625. Retrieved October 3, 2018.", + "url": "https://oddvar.moe/2017/08/13/bypassing-device-guard-umci-using-chm-cve-2017-8625/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Rahmat Nurfauzi, @infosecn1nja, PT Xynexis International" + ], + "x_mitre_data_sources": [ + "File: File Creation", + "Process: Process Creation", + "Command: Command Execution" + ], + "x_mitre_defense_bypassed": [ + "Digital Certificate Validation", + "Application control" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor and analyze the execution and arguments of hh.exe. (Citation: MsitPros CHM Aug 2017) Compare recent invocations of hh.exe with prior history of known good arguments to determine anomalous and potentially adversarial activity (ex: obfuscated and/or malicious commands). Non-standard process execution trees may also indicate suspicious or malicious behavior, such as if hh.exe is the parent process for suspicious processes and activity relating to other adversarial techniques.\n\nMonitor presence and use of CHM files, especially if they are not typically used within an environment.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "2.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-18 16:31:56.936000+00:00\", \"old_value\": \"2023-04-21 12:23:17.694000+00:00\"}, \"root['external_references'][5]['url']\": {\"new_value\": \"https://oddvar.moe/2017/08/13/bypassing-device-guard-umci-using-chm-cve-2017-8625/\", \"old_value\": \"https://msitpros.com/?p=3909\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}}}", + "previous_version": "2.1", + "changelog_mitigations": { + "shared": [ + "M1021: Restrict Web-Based Content", + "M1038: Execution Prevention" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0017: Command (Command Execution)", + "DS0022: File (File Creation)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--f005e783-57d4-4837-88ad-dbe7faee1c51", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-01-30 17:37:22.261000+00:00", + "modified": "2023-09-19 21:24:45.231000+00:00", + "name": "Application Access Token", + "description": "Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens are typically stolen from users or services and used in lieu of login credentials.\n\nApplication access tokens are used to make authorized API requests on behalf of a user or service and are commonly used to access resources in cloud, container-based applications, and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) \n\nOAuth is one commonly implemented framework that issues tokens to users for access to systems. These frameworks are used collaboratively to verify the user and determine what actions the user is allowed to perform. Once identity is established, the token allows actions to be authorized, without passing the actual credentials of the user. Therefore, compromise of the token can grant the adversary access to resources of other sites through a malicious application.(Citation: okta)\n\nFor example, with a cloud-based email service, once an OAuth access token is granted to a malicious application, it can potentially gain long-term access to features of the user account if a \"refresh\" token enabling background access is awarded.(Citation: Microsoft Identity Platform Access 2019) With an OAuth access token an adversary can use the user-granted REST API to perform functions such as email searching and contact enumeration.(Citation: Staaldraad Phishing with OAuth 2017)\n\nCompromised access tokens may be used as an initial step in compromising other services. For example, if a token grants access to a victim\u2019s primary email, the adversary may be able to extend access to all other services which the target subscribes by triggering forgotten password routines. In AWS and GCP environments, adversaries can trigger a request for a short-lived access token with the privileges of another user account.(Citation: Google Cloud Service Account Credentials)(Citation: AWS Temporary Security Credentials) The adversary can then use this token to request data or perform actions the original account could not. If permissions for this feature are misconfigured \u2013 for example, by allowing all users to request a token for a particular account - an adversary may be able to gain initial access to a Cloud Account or escalate their privileges.(Citation: Rhino Security Labs Enumerating AWS Roles)\n\nDirect API access through a token negates the effectiveness of a second authentication factor and may be immune to intuitive countermeasures like changing passwords. For example, in AWS environments, an adversary who compromises a user\u2019s AWS API credentials may be able to use the `sts:GetFederationToken` API call to create a federated user session, which will have the same permissions as the original user but may persist even if the original user credentials are deactivated.(Citation: Crowdstrike AWS User Federation Persistence) Additionally, access abuse over an API channel can be difficult to detect even from the service provider end, as the access can still align well with a legitimate workflow.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "lateral-movement" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1550/001", + "external_id": "T1550.001" + }, + { + "source_name": "Crowdstrike AWS User Federation Persistence", + "description": " Vaishnav Murthy and Joel Eng. (2023, January 30). How Adversaries Can Persist with AWS User Federation. Retrieved March 10, 2023.", + "url": "https://www.crowdstrike.com/blog/how-adversaries-persist-with-aws-user-federation/" + }, + { + "source_name": "Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019", + "description": "Auth0. (n.d.). Why You Should Always Use Access Tokens to Secure APIs. Retrieved September 12, 2019.", + "url": "https://auth0.com/blog/why-should-use-accesstokens-to-secure-an-api/" + }, + { + "source_name": "AWS Logging IAM Calls", + "description": "AWS. (n.d.). Logging IAM and AWS STS API calls with AWS CloudTrail. Retrieved April 1, 2022.", + "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html" + }, + { + "source_name": "AWS Temporary Security Credentials", + "description": "AWS. (n.d.). Requesting temporary security credentials. Retrieved April 1, 2022.", + "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html" + }, + { + "source_name": "Microsoft Identity Platform Access 2019", + "description": "Cai, S., Flores, J., de Guzman, C., et. al.. (2019, August 27). Microsoft identity platform access tokens. Retrieved October 4, 2019.", + "url": "https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens" + }, + { + "source_name": "Google Cloud Service Account Credentials", + "description": "Google Cloud. (2022, March 31). Creating short-lived service account credentials. Retrieved April 1, 2022.", + "url": "https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials" + }, + { + "source_name": "GCP Monitoring Service Account Usage", + "description": "Google Cloud. (2022, March 31). Monitor usage patterns for service accounts and keys . Retrieved April 1, 2022.", + "url": "https://cloud.google.com/iam/docs/service-account-monitoring" + }, + { + "source_name": "okta", + "description": "okta. (n.d.). What Happens If Your JWT Is Stolen?. Retrieved September 12, 2019.", + "url": "https://developer.okta.com/blog/2018/06/20/what-happens-if-your-jwt-is-stolen" + }, + { + "source_name": "Rhino Security Labs Enumerating AWS Roles", + "description": "Spencer Gietzen. (2018, August 8). Assume the Worst: Enumerating AWS Roles through \u2018AssumeRole\u2019. Retrieved April 1, 2022.", + "url": "https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration" + }, + { + "source_name": "Staaldraad Phishing with OAuth 2017", + "description": "Stalmans, E.. (2017, August 2). Phishing with OAuth and o365/Azure. Retrieved October 4, 2019.", + "url": "https://staaldraad.github.io/2017/08/02/o356-phishing-with-oauth/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Shailesh Tiwary (Indian Army)", + "Saisha Agrawal, Microsoft Threat Intelligent Center (MSTIC)", + "Jeff Sakowicz, Microsoft Identity Developer Platform Services (IDPM Services)", + "Mark Wee", + "Ian Davila, Tidal Cyber", + "Dylan Silva, AWS Security", + "Jack Burns, HubSpot" + ], + "x_mitre_data_sources": [ + "Web Credential: Web Credential Usage" + ], + "x_mitre_defense_bypassed": [ + "System Access Controls" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor access token activity for abnormal use and permissions granted to unusual or suspicious applications and APIs. Additionally, administrators should review logs for calls to the AWS Security Token Service (STS) and usage of GCP service accounts in order to identify anomalous actions.(Citation: AWS Logging IAM Calls)(Citation: GCP Monitoring Service Account Usage)", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Office 365", + "SaaS", + "Google Workspace", + "Containers", + "IaaS", + "Azure AD" + ], + "x_mitre_version": "1.5", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-19 21:24:45.231000+00:00\", \"old_value\": \"2023-05-04 18:04:17.588000+00:00\"}}, \"iterable_item_added\": {\"root['x_mitre_contributors'][6]\": \"Jack Burns, HubSpot\"}, \"iterable_item_removed\": {\"root['x_mitre_contributors'][4]\": \"Jen Burns, HubSpot\"}}", + "previous_version": "1.5", + "changelog_mitigations": { + "shared": [ + "M1021: Restrict Web-Based Content", + "M1041: Encrypt Sensitive Information", + "M1047: Audit" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0006: Web Credential (Web Credential Usage)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--c3c8c916-2f3c-4e71-94b2-240bdfc996f0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-01-30 17:48:49.395000+00:00", + "modified": "2023-09-19 21:26:24.725000+00:00", + "name": "Web Session Cookie", + "description": "Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated.(Citation: Pass The Cookie)\n\nAuthentication cookies are commonly used in web applications, including cloud-based services, after a user has authenticated to the service so credentials are not passed and re-authentication does not need to occur as frequently. Cookies are often valid for an extended period of time, even if the web application is not actively used. After the cookie is obtained through [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539) or [Web Cookies](https://attack.mitre.org/techniques/T1606/001), the adversary may then import the cookie into a browser they control and is then able to use the site or application as the user for as long as the session cookie is active. Once logged into the site, an adversary can access sensitive information, read email, or perform actions that the victim account has permissions to perform.\n\nThere have been examples of malware targeting session cookies to bypass multi-factor authentication systems.(Citation: Unit 42 Mac Crypto Cookies January 2019)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "lateral-movement" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1550/004", + "external_id": "T1550.004" + }, + { + "source_name": "Unit 42 Mac Crypto Cookies January 2019", + "description": "Chen, Y., Hu, W., Xu, Z., et. al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges\u2019 Cookies. Retrieved October 14, 2019.", + "url": "https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/" + }, + { + "source_name": "Pass The Cookie", + "description": "Rehberger, J. (2018, December). Pivot to the Cloud using Pass the Cookie. Retrieved April 5, 2019.", + "url": "https://wunderwuzzi23.github.io/blog/passthecookie.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Johann Rehberger", + "Jack Burns, HubSpot" + ], + "x_mitre_data_sources": [ + "Application Log: Application Log Content", + "Web Credential: Web Credential Usage" + ], + "x_mitre_defense_bypassed": [ + "System Access Controls" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor for anomalous access of websites and cloud-based applications by the same user in different locations or by different systems that do not match expected configurations.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Office 365", + "SaaS", + "Google Workspace", + "IaaS" + ], + "x_mitre_version": "1.3", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-19 21:26:24.725000+00:00\", \"old_value\": \"2023-03-30 21:01:51.836000+00:00\"}}, \"iterable_item_added\": {\"root['x_mitre_contributors'][1]\": \"Jack Burns, HubSpot\"}, \"iterable_item_removed\": {\"root['x_mitre_contributors'][0]\": \"Jen Burns, HubSpot\"}}", + "previous_version": "1.3", + "changelog_mitigations": { + "shared": [ + "M1054: Software Configuration" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0006: Web Credential (Web Credential Usage)", + "DS0015: Application Log (Application Log Content)" + ], + "new": [], + "dropped": [] + } + } + ], + "revocations": [], + "deprecations": [], + "deletions": [] + }, + "software": { + "additions": [ + { + "type": "malware", + "id": "malware--dcd9548e-df9e-47c2-81f3-bc084289959d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-05-16 19:24:37.394000+00:00", + "modified": "2023-09-29 18:11:31.659000+00:00", + "name": "ANDROMEDA", + "description": "[ANDROMEDA](https://attack.mitre.org/software/S1074) is commodity malware that was widespread in the early 2010's and continues to be observed in infections across a wide variety of industries. During the 2022 [C0026](https://attack.mitre.org/campaigns/C0026) campaign, threat actors re-registered expired [ANDROMEDA](https://attack.mitre.org/software/S1074) C2 domains to spread malware to select targets in Ukraine.(Citation: Mandiant Suspected Turla Campaign February 2023)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S1074", + "external_id": "S1074" + }, + { + "source_name": "Mandiant Suspected Turla Campaign February 2023", + "description": "Hawley, S. et al. (2023, February 2). Turla: A Galaxy of Opportunity. Retrieved May 15, 2023.", + "url": "https://www.mandiant.com/resources/blog/turla-galaxy-opportunity" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "ANDROMEDA" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Yoshihiro Kori, NEC Corporation", + "Manikantan Srinivasan, NEC Corporation India", + "Pooja Natarajan, NEC Corporation India" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0" + }, + { + "type": "tool", + "id": "tool--6a5947f3-1a36-4653-8734-526df3e1d28d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-09-20 17:32:59.932000+00:00", + "modified": "2023-10-10 17:19:12.868000+00:00", + "name": "AsyncRAT", + "description": "[AsyncRAT](https://attack.mitre.org/software/S1087) is an open-source remote access tool originally available through the NYANxCAT Github repository that has been used in malicious campaigns.(Citation: Morphisec Snip3 May 2021)(Citation: Cisco Operation Layover September 2021)(Citation: Telefonica Snip3 December 2021)", + "revoked": false, + "labels": [ + "tool" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S1087", + "external_id": "S1087" + }, + { + "source_name": "Telefonica Snip3 December 2021", + "description": "Jornet, A. (2021, December 23). Snip3, an investigation into malware. Retrieved September 19, 2023.", + "url": "https://telefonicatech.com/blog/snip3-investigacion-malware" + }, + { + "source_name": "Morphisec Snip3 May 2021", + "description": "Lorber, N. (2021, May 7). Revealing the Snip3 Crypter, a Highly Evasive RAT Loader. Retrieved September 13, 2023.", + "url": "https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader" + }, + { + "source_name": "Cisco Operation Layover September 2021", + "description": "Ventura, V. (2021, September 16). Operation Layover: How we tracked an attack on the aviation industry to five years of compromise. Retrieved September 15, 2023.", + "url": "https://blog.talosintelligence.com/operation-layover-how-we-tracked-attack/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "AsyncRAT" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Aaron Jornet" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0" + }, + { + "type": "malware", + "id": "malware--3553b49d-d4ae-4fb6-ab17-0adbc520c888", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-08-01 18:07:26.353000+00:00", + "modified": "2023-10-04 16:53:23.530000+00:00", + "name": "BADHATCH", + "description": "[BADHATCH](https://attack.mitre.org/software/S1081) is a backdoor that has been utilized by [FIN8](https://attack.mitre.org/groups/G0061) since at least 2019. [BADHATCH](https://attack.mitre.org/software/S1081) has been used to target the insurance, retail, technology, and chemical industries in the United States, Canada, South Africa, Panama, and Italy.(Citation: Gigamon BADHATCH Jul 2019)(Citation: BitDefender BADHATCH Mar 2021)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S1081", + "external_id": "S1081" + }, + { + "source_name": "Gigamon BADHATCH Jul 2019", + "description": "Savelesky, K., et al. (2019, July 23). ABADBABE 8BADFOOD: Discovering BADHATCH and a Detailed Look at FIN8's Tooling. Retrieved September 8, 2021.", + "url": "https://blog.gigamon.com/2019/07/23/abadbabe-8badf00d-discovering-badhatch-and-a-detailed-look-at-fin8s-tooling/" + }, + { + "source_name": "BitDefender BADHATCH Mar 2021", + "description": "Vrabie, V., et al. (2021, March 10). FIN8 Returns with Improved BADHATCH Toolkit. Retrieved September 8, 2021.", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/394/Bitdefender-PR-Whitepaper-BADHATCH-creat5237-en-EN.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "BADHATCH" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Serhii Melnyk, Trustwave SpiderLabs" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0" + }, + { + "type": "malware", + "id": "malware--e1445afd-c359-45ed-8f27-626dc4d5e157", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-09-25 20:29:37.737000+00:00", + "modified": "2023-10-04 17:18:07.384000+00:00", + "name": "Disco", + "description": "[Disco](https://attack.mitre.org/software/S1088) is a custom implant that has been used by [MoustachedBouncer](https://attack.mitre.org/groups/G1019) since at least 2020 including in campaigns using targeted malicious content injection for initial access and command and control.(Citation: MoustachedBouncer ESET August 2023)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S1088", + "external_id": "S1088" + }, + { + "source_name": "MoustachedBouncer ESET August 2023", + "description": "Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023.", + "url": "https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Disco" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0" + }, + { + "type": "malware", + "id": "malware--09fcc02f-f9d4-43fa-8609-5e5e186b7103", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-05-17 18:49:25.528000+00:00", + "modified": "2023-07-25 20:02:07.578000+00:00", + "name": "KOPILUWAK", + "description": "[KOPILUWAK](https://attack.mitre.org/software/S1075) is a JavaScript-based reconnaissance tool that has been used for victim profiling and C2 since at least 2017.(Citation: Mandiant Suspected Turla Campaign February 2023)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S1075", + "external_id": "S1075" + }, + { + "source_name": "Mandiant Suspected Turla Campaign February 2023", + "description": "Hawley, S. et al. (2023, February 2). Turla: A Galaxy of Opportunity. Retrieved May 15, 2023.", + "url": "https://www.mandiant.com/resources/blog/turla-galaxy-opportunity" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "KOPILUWAK" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Yoshihiro Kori, NEC Corporation", + "Manikantan Srinivasan, NEC Corporation India", + "Pooja Natarajan, NEC Corporation India" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0" + }, + { + "type": "malware", + "id": "malware--91c57ed3-7c32-4c68-b388-7db00cb8dac6", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-09-27 19:32:52.140000+00:00", + "modified": "2023-09-27 19:33:24.323000+00:00", + "name": "NightClub", + "description": "[NightClub](https://attack.mitre.org/software/S1090) is a modular implant written in C++ that has been used by [MoustachedBouncer](https://attack.mitre.org/groups/G1019) since at least 2014.(Citation: MoustachedBouncer ESET August 2023)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S1090", + "external_id": "S1090" + }, + { + "source_name": "MoustachedBouncer ESET August 2023", + "description": "Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023.", + "url": "https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "NightClub" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0" + }, + { + "type": "tool", + "id": "tool--1b3b8f96-43b1-4460-8e02-1f53d7802fb9", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-09-28 13:21:49.652000+00:00", + "modified": "2023-10-19 12:18:43.123000+00:00", + "name": "Pacu", + "description": "Pacu is an open-source AWS exploitation framework. The tool is written in Python and publicly available on GitHub.(Citation: GitHub Pacu)", + "revoked": false, + "labels": [ + "tool" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S1091", + "external_id": "S1091" + }, + { + "source_name": "GitHub Pacu", + "description": "Rhino Security Labs. (2019, August 22). Pacu. Retrieved October 17, 2019.", + "url": "https://github.com/RhinoSecurityLabs/pacu" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Pacu" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Thanabodi Phrakhun, @naikordian" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "IaaS" + ], + "x_mitre_version": "1.0" + }, + { + "type": "malware", + "id": "malware--93289ecf-4d15-4d6b-a9c3-4ab27e145ef4", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-05-19 20:18:52.141000+00:00", + "modified": "2023-07-25 20:19:09.713000+00:00", + "name": "QUIETCANARY", + "description": "[QUIETCANARY](https://attack.mitre.org/software/S1076) is a backdoor tool written in .NET that has been used since at least 2022 to gather and exfiltrate data from victim networks.(Citation: Mandiant Suspected Turla Campaign February 2023)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S1076", + "external_id": "S1076" + }, + { + "source_name": "Tunnus", + "description": "(Citation: Mandiant Suspected Turla Campaign February 2023)" + }, + { + "source_name": "Mandiant Suspected Turla Campaign February 2023", + "description": "Hawley, S. et al. (2023, February 2). Turla: A Galaxy of Opportunity. Retrieved May 15, 2023.", + "url": "https://www.mandiant.com/resources/blog/turla-galaxy-opportunity" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "QUIETCANARY", + "Tunnus" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Yoshihiro Kori, NEC Corporation", + "Manikantan Srinivasan, NEC Corporation India", + "Pooja Natarajan, NEC Corporation India" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0" + }, + { + "type": "malware", + "id": "malware--4816d361-f82b-4a18-aa05-b215e7cf9200", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-08-17 17:06:19.976000+00:00", + "modified": "2023-10-02 21:29:35.492000+00:00", + "name": "QUIETEXIT", + "description": "[QUIETEXIT](https://attack.mitre.org/software/S1084) is a novel backdoor, based on the open-source Dropbear SSH client-server software, that has been used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2021. [APT29](https://attack.mitre.org/groups/G0016) has deployed [QUIETEXIT](https://attack.mitre.org/software/S1084) on opaque network appliances that typically don't support antivirus or endpoint detection and response tools within a victim environment.(Citation: Mandiant APT29 Eye Spy Email Nov 22)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S1084", + "external_id": "S1084" + }, + { + "source_name": "Mandiant APT29 Eye Spy Email Nov 22", + "description": "Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved August 17, 2023.", + "url": "https://www.mandiant.com/resources/blog/unc3524-eye-spy-email" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "QUIETEXIT" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Joe Gumke, U.S. Bank" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Network" + ], + "x_mitre_version": "1.0" + }, + { + "type": "malware", + "id": "malware--08e844a8-371f-4fe3-9d1f-e056e64a7fde", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-06-14 17:04:01.673000+00:00", + "modified": "2023-10-12 21:19:45.801000+00:00", + "name": "RotaJakiro", + "description": "[RotaJakiro](https://attack.mitre.org/software/S1078) is a 64-bit Linux backdoor used by [APT32](https://attack.mitre.org/groups/G0050). First seen in 2018, it uses a plugin architecture to extend capabilities. [RotaJakiro](https://attack.mitre.org/software/S1078) can determine it's permission level and execute according to access type (`root` or `user`).(Citation: RotaJakiro 2021 netlab360 analysis)(Citation: netlab360 rotajakiro vs oceanlotus)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S1078", + "external_id": "S1078" + }, + { + "source_name": "RotaJakiro 2021 netlab360 analysis", + "description": " Alex Turing, Hui Wang. (2021, April 28). RotaJakiro: A long live secret backdoor with 0 VT detection. Retrieved June 14, 2023.", + "url": "https://blog.netlab.360.com/stealth_rotajakiro_backdoor_en/" + }, + { + "source_name": "netlab360 rotajakiro vs oceanlotus", + "description": "Alex Turing. (2021, May 6). RotaJakiro, the Linux version of the OceanLotus. Retrieved June 14, 2023.", + "url": "https://blog.netlab.360.com/rotajakiro_linux_version_of_oceanlotus/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "RotaJakiro" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux" + ], + "x_mitre_version": "1.0" + }, + { + "type": "malware", + "id": "malware--0c52f5bc-557d-4083-bd27-66d7cdb794bb", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-09-05 15:56:46.250000+00:00", + "modified": "2023-10-04 15:36:06.160000+00:00", + "name": "Sardonic", + "description": "[Sardonic](https://attack.mitre.org/software/S1085) is a backdoor written in C and C++ that is known to be used by [FIN8](https://attack.mitre.org/groups/G0061), as early as August 2021 to target a financial institution in the United States. [Sardonic](https://attack.mitre.org/software/S1085) has a plugin system that can load specially made DLLs and execute their functions.(Citation: Bitdefender Sardonic Aug 2021)(Citation: Symantec FIN8 Jul 2023)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S1085", + "external_id": "S1085" + }, + { + "source_name": "Bitdefender Sardonic Aug 2021", + "description": "Budaca, E., et al. (2021, August 25). FIN8 Threat Actor Goes Agile with New Sardonic Backdoor. Retrieved August 9, 2023.", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/401/Bitdefender-PR-Whitepaper-FIN8-creat5619-en-EN.pdf" + }, + { + "source_name": "Symantec FIN8 Jul 2023", + "description": "Symantec Threat Hunter Team. (2023, July 18). FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware. Retrieved August 9, 2023.", + "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/syssphinx-fin8-backdoor" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Sardonic" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Serhii Melnyk, Trustwave SpiderLabs" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0" + }, + { + "type": "malware", + "id": "malware--1fefb062-feda-484a-8f10-0cebf65e20e3", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-09-26 20:19:15.106000+00:00", + "modified": "2023-09-26 20:19:38.859000+00:00", + "name": "SharpDisco", + "description": "[SharpDisco](https://attack.mitre.org/software/S1089) is a dropper developed in C# that has been used by [MoustachedBouncer](https://attack.mitre.org/groups/G1019) since at least 2020 to load malicious plugins.(Citation: MoustachedBouncer ESET August 2023)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S1089", + "external_id": "S1089" + }, + { + "source_name": "MoustachedBouncer ESET August 2023", + "description": "Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023.", + "url": "https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "SharpDisco" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0" + }, + { + "type": "malware", + "id": "malware--4327aff5-f194-440c-b499-4d9730cc1eab", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-09-13 18:52:15.552000+00:00", + "modified": "2023-10-10 17:18:52.857000+00:00", + "name": "Snip3", + "description": "[Snip3](https://attack.mitre.org/software/S1086) is a sophisticated crypter-as-a-service that has been used since at least 2021 to obfuscate and load numerous strains of malware including [AsyncRAT](https://attack.mitre.org/software/S1087), [Revenge RAT](https://attack.mitre.org/software/S0379), [Agent Tesla](https://attack.mitre.org/software/S0331), and [NETWIRE](https://attack.mitre.org/software/S0198).(Citation: Morphisec Snip3 May 2021)(Citation: Telefonica Snip3 December 2021)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S1086", + "external_id": "S1086" + }, + { + "source_name": "Telefonica Snip3 December 2021", + "description": "Jornet, A. (2021, December 23). Snip3, an investigation into malware. Retrieved September 19, 2023.", + "url": "https://telefonicatech.com/blog/snip3-investigacion-malware" + }, + { + "source_name": "Morphisec Snip3 May 2021", + "description": "Lorber, N. (2021, May 7). Revealing the Snip3 Crypter, a Highly Evasive RAT Loader. Retrieved September 13, 2023.", + "url": "https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Snip3" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Aaron Jornet" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0" + }, + { + "type": "tool", + "id": "tool--2f7f03bb-f367-4a5a-ad9b-310a12a48906", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-09-14 18:56:34.771000+00:00", + "modified": "2023-09-25 18:54:49.773000+00:00", + "name": "ngrok", + "description": "[ngrok](https://attack.mitre.org/software/S0508) is a legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public IP. [ngrok](https://attack.mitre.org/software/S0508) has been leveraged by threat actors in several campaigns including use for lateral movement and data exfiltration.(Citation: Zdnet Ngrok September 2018)(Citation: FireEye Maze May 2020)(Citation: Cyware Ngrok May 2019)(Citation: MalwareBytes LazyScripter Feb 2021)", + "revoked": false, + "labels": [ + "tool" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0508", + "external_id": "S0508" + }, + { + "source_name": "Zdnet Ngrok September 2018", + "description": "Cimpanu, C. (2018, September 13). Sly malware author hides cryptomining botnet behind ever-shifting proxy service. Retrieved September 15, 2020.", + "url": "https://www.zdnet.com/article/sly-malware-author-hides-cryptomining-botnet-behind-ever-shifting-proxy-service/" + }, + { + "source_name": "Cyware Ngrok May 2019", + "description": "Cyware. (2019, May 29). Cyber attackers leverage tunneling service to drop Lokibot onto victims\u2019 systems. Retrieved September 15, 2020.", + "url": "https://cyware.com/news/cyber-attackers-leverage-tunneling-service-to-drop-lokibot-onto-victims-systems-6f610e44" + }, + { + "source_name": "MalwareBytes LazyScripter Feb 2021", + "description": "Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.", + "url": "https://www.malwarebytes.com/resources/files/2021/02/lazyscripter.pdf" + }, + { + "source_name": "FireEye Maze May 2020", + "description": "Kennelly, J., Goody, K., Shilko, J. (2020, May 7). Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents. Retrieved May 18, 2020.", + "url": "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "ngrok" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Janantha Marasinghe" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.2" + } + ], + "major_version_changes": [ + { + "type": "malware", + "id": "malware--b00f90b6-c75c-4bfd-b813-ca9e6c9ebf29", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-01-30 19:18:19.667000+00:00", + "modified": "2023-10-12 20:21:08.235000+00:00", + "name": "OSX_OCEANLOTUS.D", + "description": "[OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) is a macOS backdoor used by [APT32](https://attack.mitre.org/groups/G0050). First discovered in 2015, [APT32](https://attack.mitre.org/groups/G0050) has continued to make improvements using a plugin architecture to extend capabilities, specifically using `.dylib` files. [OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) can also determine it's permission level and execute according to access type (`root` or `user`).(Citation: Unit42 OceanLotus 2017)(Citation: TrendMicro MacOS April 2018)(Citation: Trend Micro MacOS Backdoor November 2020)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0352", + "external_id": "S0352" + }, + { + "source_name": "Backdoor.MacOS.OCEANLOTUS.F", + "description": "(Citation: Trend Micro MacOS Backdoor November 2020)" + }, + { + "source_name": "OSX_OCEANLOTUS.D", + "description": "(Citation: TrendMicro MacOS April 2018)" + }, + { + "source_name": "Unit42 OceanLotus 2017", + "description": "Erye Hernandez and Danny Tsechansky. (2017, June 22). The New and Improved macOS Backdoor from OceanLotus. Retrieved September 8, 2023.", + "url": "https://unit42.paloaltonetworks.com/unit42-new-improved-macos-backdoor-oceanlotus/" + }, + { + "source_name": "TrendMicro MacOS April 2018", + "description": "Horejsi, J. (2018, April 04). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/" + }, + { + "source_name": "Trend Micro MacOS Backdoor November 2020", + "description": "Magisa, L. (2020, November 27). New MacOS Backdoor Connected to OceanLotus Surfaces. Retrieved December 2, 2020.", + "url": "https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "OSX_OCEANLOTUS.D", + "Backdoor.MacOS.OCEANLOTUS.F" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "macOS" + ], + "x_mitre_version": "3.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-12 20:21:08.235000+00:00\", \"old_value\": \"2022-01-14 21:53:00.543000+00:00\"}, \"root['description']\": {\"new_value\": \"[OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) is a macOS backdoor used by [APT32](https://attack.mitre.org/groups/G0050). First discovered in 2015, [APT32](https://attack.mitre.org/groups/G0050) has continued to make improvements using a plugin architecture to extend capabilities, specifically using `.dylib` files. [OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) can also determine it's permission level and execute according to access type (`root` or `user`).(Citation: Unit42 OceanLotus 2017)(Citation: TrendMicro MacOS April 2018)(Citation: Trend Micro MacOS Backdoor November 2020)\", \"old_value\": \"[OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) is a MacOS backdoor with several variants that has been used by [APT32](https://attack.mitre.org/groups/G0050).(Citation: TrendMicro MacOS April 2018)(Citation: Trend Micro MacOS Backdoor November 2020)\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"3.0\", \"old_value\": \"2.2\"}}, \"iterable_item_added\": {\"root['external_references'][3]\": {\"source_name\": \"Unit42 OceanLotus 2017\", \"description\": \"Erye Hernandez and Danny Tsechansky. (2017, June 22). The New and Improved macOS Backdoor from OceanLotus. Retrieved September 8, 2023.\", \"url\": \"https://unit42.paloaltonetworks.com/unit42-new-improved-macos-backdoor-oceanlotus/\"}}}", + "previous_version": "2.2", + "version_change": "2.2 \u2192 3.0", + "description_change_table": "\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n

    		Old Description
    		New Description
    t1[OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) t1[OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) 
    >is a MacOS backdoor with several variants that has been used>is a macOS backdoor used by [APT32](https://attack.mitre.org
    > by [APT32](https://attack.mitre.org/groups/G0050).(Citation>/groups/G0050). First discovered in 2015, [APT32](https://at
    >: TrendMicro MacOS April 2018)(Citation: Trend Micro MacOS B>tack.mitre.org/groups/G0050) has continued to make improveme
    >ackdoor November 2020)>nts using a plugin architecture to extend capabilities, spec
     >ifically using `.dylib` files. [OSX_OCEANLOTUS.D](https://at
     >tack.mitre.org/software/S0352) can also determine it's permi
     >ssion level and execute according to access type (`root` or 
     >`user`).(Citation: Unit42 OceanLotus 2017)(Citation: TrendMi
     >cro MacOS April 2018)(Citation: Trend Micro MacOS Backdoor N
     >ovember 2020)
    " + }, + { + "type": "malware", + "id": "malware--80a014ba-3fef-4768-990b-37d8bd10d7f4", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:32:19.029000+00:00", + "modified": "2023-10-02 17:26:25.052000+00:00", + "name": "Uroburos", + "description": "[Uroburos](https://attack.mitre.org/software/S0022) is a sophisticated cyber espionage tool written in C that has been used by units within Russia's Federal Security Service (FSB) associated with the [Turla](https://attack.mitre.org/groups/G0010) toolset to collect intelligence on sensitive targets worldwide. [Uroburos](https://attack.mitre.org/software/S0022) has several variants and has undergone nearly constant upgrade since its initial development in 2003 to keep it viable after public disclosures. [Uroburos](https://attack.mitre.org/software/S0022) is typically deployed to external-facing nodes on a targeted network and has the ability to leverage additional tools and TTPs to further exploit an internal network. [Uroburos](https://attack.mitre.org/software/S0022) has interoperable implants for Windows, Linux, and macOS, employs a high level of stealth in communications and architecture, and can easily incorporate new or replacement components.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)(Citation: Kaspersky Turla)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0022", + "external_id": "S0022" + }, + { + "source_name": "Snake", + "description": "(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)" + }, + { + "source_name": "Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023", + "description": "FBI et al. (2023, May 9). Hunting Russian Intelligence \u201cSnake\u201d Malware. Retrieved June 8, 2023.", + "url": "https://www.cisa.gov/sites/default/files/2023-05/aa23-129a_snake_malware_2.pdf" + }, + { + "source_name": "Kaspersky Turla", + "description": "Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.", + "url": "https://securelist.com/the-epic-turla-operation/65545/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Uroburos", + "Snake" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "Windows", + "macOS" + ], + "x_mitre_version": "2.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_aliases']\": [\"Uroburos\", \"Snake\"], \"root['x_mitre_deprecated']\": false, \"root['x_mitre_platforms']\": [\"Linux\", \"Windows\", \"macOS\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-02 17:26:25.052000+00:00\", \"old_value\": \"2018-10-17 00:14:20.652000+00:00\"}, \"root['description']\": {\"new_value\": \"[Uroburos](https://attack.mitre.org/software/S0022) is a sophisticated cyber espionage tool written in C that has been used by units within Russia's Federal Security Service (FSB) associated with the [Turla](https://attack.mitre.org/groups/G0010) toolset to collect intelligence on sensitive targets worldwide. [Uroburos](https://attack.mitre.org/software/S0022) has several variants and has undergone nearly constant upgrade since its initial development in 2003 to keep it viable after public disclosures. [Uroburos](https://attack.mitre.org/software/S0022) is typically deployed to external-facing nodes on a targeted network and has the ability to leverage additional tools and TTPs to further exploit an internal network. [Uroburos](https://attack.mitre.org/software/S0022) has interoperable implants for Windows, Linux, and macOS, employs a high level of stealth in communications and architecture, and can easily incorporate new or replacement components.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)(Citation: Kaspersky Turla)\", \"old_value\": \"[Uroburos](https://attack.mitre.org/software/S0022) is a rootkit used by [Turla](https://attack.mitre.org/groups/G0010). (Citation: Kaspersky Turla)\"}, \"root['external_references'][1]['source_name']\": {\"new_value\": \"Snake\", \"old_value\": \"Uroburos\"}, \"root['external_references'][1]['description']\": {\"new_value\": \"(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)\", \"old_value\": \"(Citation: Kaspersky Turla)\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][2]\": {\"source_name\": \"Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023\", \"description\": \"FBI et al. (2023, May 9). Hunting Russian Intelligence \\u201cSnake\\u201d Malware. Retrieved June 8, 2023.\", \"url\": \"https://www.cisa.gov/sites/default/files/2023-05/aa23-129a_snake_malware_2.pdf\"}}}", + "previous_version": "1.0", + "version_change": "1.0 \u2192 2.0", + "description_change_table": "\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n

    		Old Description
    		New Description
    t1[Uroburos](https://attack.mitre.org/software/S0022) is a root1[Uroburos](https://attack.mitre.org/software/S0022) is a sop
    >tkit used by [Turla](https://attack.mitre.org/groups/G0010).>histicated cyber espionage tool written in C that has been u
    > (Citation: Kaspersky Turla)>sed by units within Russia's Federal Security Service (FSB) 
     >associated with the [Turla](https://attack.mitre.org/groups/
     >G0010) toolset to collect intelligence on sensitive targets 
     >worldwide. [Uroburos](https://attack.mitre.org/software/S002
     >2) has several variants and has undergone nearly constant up
     >grade since its initial development in 2003 to keep it viabl
     >e after public disclosures. [Uroburos](https://attack.mitre.
     >org/software/S0022) is typically deployed to external-facing
     > nodes on a targeted network and has the ability to leverage
     > additional tools and TTPs to further exploit an internal ne
     >twork. [Uroburos](https://attack.mitre.org/software/S0022) h
     >as interoperable implants for Windows, Linux, and macOS, emp
     >loys a high level of stealth in communications and architect
     >ure, and can easily incorporate new or replacement component
     >s.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Ma
     >lware May 2023)(Citation: Kaspersky Turla)
    " + } + ], + "minor_version_changes": [ + { + "type": "tool", + "id": "tool--f59508a6-3615-47c3-b493-6676e1a39a87", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-12-28 18:35:50.244000+00:00", + "modified": "2023-08-09 16:50:06.756000+00:00", + "name": "AdFind", + "description": "[AdFind](https://attack.mitre.org/software/S0552) is a free command-line query tool that can be used for gathering information from Active Directory.(Citation: Red Canary Hospital Thwarted Ryuk October 2020)(Citation: FireEye FIN6 Apr 2019)(Citation: FireEye Ryuk and Trickbot January 2019)", + "revoked": false, + "labels": [ + "tool" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0552", + "external_id": "S0552" + }, + { + "source_name": "Red Canary Hospital Thwarted Ryuk October 2020", + "description": "Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier.. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020.", + "url": "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/" + }, + { + "source_name": "FireEye Ryuk and Trickbot January 2019", + "description": "Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.", + "url": "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html" + }, + { + "source_name": "FireEye FIN6 Apr 2019", + "description": "McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.", + "url": "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "AdFind" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.3", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-09 16:50:06.756000+00:00\", \"old_value\": \"2023-03-02 20:44:17.690000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.3\", \"old_value\": \"1.2\"}}}", + "previous_version": "1.2", + "version_change": "1.2 \u2192 1.3" + }, + { + "type": "malware", + "id": "malware--e7a5229f-05eb-440e-b982-9a6d2b2b87c8", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-01-29 18:44:04.748000+00:00", + "modified": "2023-09-11 20:13:18.738000+00:00", + "name": "Agent Tesla", + "description": "[Agent Tesla](https://attack.mitre.org/software/S0331) is a spyware Trojan written for the .NET framework that has been observed since at least 2014.(Citation: Fortinet Agent Tesla April 2018)(Citation: Bitdefender Agent Tesla April 2020)(Citation: Malwarebytes Agent Tesla April 2020)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0331", + "external_id": "S0331" + }, + { + "source_name": "Agent Tesla", + "description": "(Citation: Fortinet Agent Tesla April 2018)(Citation: Talos Agent Tesla Oct 2018)(Citation: DigiTrust Agent Tesla Jan 2017)" + }, + { + "source_name": "Bitdefender Agent Tesla April 2020", + "description": "Arsene, L. (2020, April 21). Oil & Gas Spearphishing Campaigns Drop Agent Tesla Spyware in Advance of Historic OPEC+ Deal. Retrieved May 19, 2020.", + "url": "https://labs.bitdefender.com/2020/04/oil-gas-spearphishing-campaigns-drop-agent-tesla-spyware-in-advance-of-historic-opec-deal/" + }, + { + "source_name": "Talos Agent Tesla Oct 2018", + "description": "Brumaghin, E., et al. (2018, October 15). Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox. Retrieved November 5, 2018.", + "url": "https://blog.talosintelligence.com/2018/10/old-dog-new-tricks-analysing-new-rtf_15.html" + }, + { + "source_name": "Malwarebytes Agent Tesla April 2020", + "description": "Jazi, H. (2020, April 16). New AgentTesla variant steals WiFi credentials. Retrieved May 19, 2020.", + "url": "https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/" + }, + { + "source_name": "DigiTrust Agent Tesla Jan 2017", + "description": "The DigiTrust Group. (2017, January 12). The Rise of Agent Tesla. Retrieved November 5, 2018.", + "url": "https://www.digitrustgroup.com/agent-tesla-keylogger/" + }, + { + "source_name": "Fortinet Agent Tesla April 2018", + "description": "Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware Variant. Retrieved November 5, 2018.", + "url": "https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Agent Tesla" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.3", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-11 20:13:18.738000+00:00\", \"old_value\": \"2021-04-21 02:04:30.060000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.3\", \"old_value\": \"1.2\"}}}", + "previous_version": "1.2", + "version_change": "1.2 \u2192 1.3" + }, + { + "type": "tool", + "id": "tool--30489451-5886-4c46-90c9-0dff9adc5252", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:33:02.428000+00:00", + "modified": "2023-07-25 19:24:08.305000+00:00", + "name": "Arp", + "description": "[Arp](https://attack.mitre.org/software/S0099) displays and modifies information about a system's Address Resolution Protocol (ARP) cache. (Citation: TechNet Arp)", + "revoked": false, + "labels": [ + "tool" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0099", + "external_id": "S0099" + }, + { + "source_name": "TechNet Arp", + "description": "Microsoft. (n.d.). Arp. Retrieved April 17, 2016.", + "url": "https://technet.microsoft.com/en-us/library/bb490864.aspx" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Arp", + "arp.exe" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "Windows", + "macOS" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-07-25 19:24:08.305000+00:00\", \"old_value\": \"2021-12-07 18:27:04.603000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}}", + "previous_version": "1.1", + "version_change": "1.1 \u2192 1.2" + }, + { + "type": "tool", + "id": "tool--64764dc6-a032-495f-8250-1e4c06bdc163", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-04-18 17:59:24.739000+00:00", + "modified": "2023-08-03 18:31:04.851000+00:00", + "name": "BITSAdmin", + "description": "[BITSAdmin](https://attack.mitre.org/software/S0190) is a command line tool used to create and manage [BITS Jobs](https://attack.mitre.org/techniques/T1197). (Citation: Microsoft BITSAdmin)", + "revoked": false, + "labels": [ + "tool" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0190", + "external_id": "S0190" + }, + { + "source_name": "Microsoft BITSAdmin", + "description": "Microsoft. (n.d.). BITSAdmin Tool. Retrieved January 12, 2018.", + "url": "https://msdn.microsoft.com/library/aa362813.aspx" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "BITSAdmin" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Edward Millington" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.4", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-03 18:31:04.851000+00:00\", \"old_value\": \"2022-10-13 18:56:28.568000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.4\", \"old_value\": \"1.3\"}}}", + "previous_version": "1.3", + "version_change": "1.3 \u2192 1.4" + }, + { + "type": "malware", + "id": "malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:32:57.807000+00:00", + "modified": "2023-10-06 14:08:40.134000+00:00", + "name": "BlackEnergy", + "description": "[BlackEnergy](https://attack.mitre.org/software/S0089) is a malware toolkit that has been used by both criminal and APT actors. It dates back to at least 2007 and was originally designed to create botnets for use in conducting Distributed Denial of Service (DDoS) attacks, but its use has evolved to support various plug-ins. It is well known for being used during the confrontation between Georgia and Russia in 2008, as well as in targeting Ukrainian institutions. Variants include BlackEnergy 2 and BlackEnergy 3. (Citation: F-Secure BlackEnergy 2014)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0089", + "external_id": "S0089" + }, + { + "source_name": "F-Secure BlackEnergy 2014", + "description": "F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.", + "url": "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "BlackEnergy", + "Black Energy" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.4", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-06 14:08:40.134000+00:00\", \"old_value\": \"2022-10-12 17:33:00.482000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.4\", \"old_value\": \"1.3\"}}}", + "previous_version": "1.3", + "version_change": "1.3 \u2192 1.4" + }, + { + "type": "tool", + "id": "tool--066b057c-944e-4cfc-b654-e3dfba04b926", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-10-28 12:51:29.358000+00:00", + "modified": "2023-08-09 18:00:13.178000+00:00", + "name": "BloodHound", + "description": "[BloodHound](https://attack.mitre.org/software/S0521) is an Active Directory (AD) reconnaissance tool that can reveal hidden relationships and identify attack paths within an AD environment.(Citation: GitHub Bloodhound)(Citation: CrowdStrike BloodHound April 2018)(Citation: FoxIT Wocao December 2019)", + "revoked": false, + "labels": [ + "tool" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0521", + "external_id": "S0521" + }, + { + "source_name": "FoxIT Wocao December 2019", + "description": "Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China\u2019s hidden hacking groups. Retrieved October 8, 2020.", + "url": "https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf" + }, + { + "source_name": "CrowdStrike BloodHound April 2018", + "description": "Red Team Labs. (2018, April 24). Hidden Administrative Accounts: BloodHound to the Rescue. Retrieved October 28, 2020.", + "url": "https://www.crowdstrike.com/blog/hidden-administrative-accounts-bloodhound-to-the-rescue/" + }, + { + "source_name": "GitHub Bloodhound", + "description": "Robbins, A., Vazarkar, R., and Schroeder, W. (2016, April 17). Bloodhound: Six Degrees of Domain Admin. Retrieved March 5, 2019.", + "url": "https://github.com/BloodHoundAD/BloodHound" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "BloodHound" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.5", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-09 18:00:13.178000+00:00\", \"old_value\": \"2023-02-16 18:51:10.090000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.5\", \"old_value\": \"1.4\"}}}", + "previous_version": "1.4", + "version_change": "1.4 \u2192 1.5" + }, + { + "type": "malware", + "id": "malware--a7881f21-e978-4fe4-af56-92c9416a2616", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-12-14 16:46:06.044000+00:00", + "modified": "2023-08-09 16:47:36.538000+00:00", + "name": "Cobalt Strike", + "description": "[Cobalt Strike](https://attack.mitre.org/software/S0154) is a commercial, full-featured, remote access tool that bills itself as \u201cadversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors\u201d. Cobalt Strike\u2019s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.(Citation: cobaltstrike manual)\n\nIn addition to its own capabilities, [Cobalt Strike](https://attack.mitre.org/software/S0154) leverages the capabilities of other well-known tools such as Metasploit and [Mimikatz](https://attack.mitre.org/software/S0002).(Citation: cobaltstrike manual)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0154", + "external_id": "S0154" + }, + { + "source_name": "cobaltstrike manual", + "description": "Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.", + "url": "https://web.archive.org/web/20210825130434/https://cobaltstrike.com/downloads/csmanual38.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Cobalt Strike" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Martin Sohn Christensen, Improsec", + "Josh Abraham" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "Linux", + "macOS" + ], + "x_mitre_version": "1.11", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-09 16:47:36.538000+00:00\", \"old_value\": \"2023-03-07 13:05:11.028000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.11\", \"old_value\": \"1.10\"}}}", + "previous_version": "1.10", + "version_change": "1.10 \u2192 1.11" + }, + { + "type": "malware", + "id": "malware--4dea7d8e-af94-4bfb-afe4-7ff54f59308b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-02-17 18:51:57.710000+00:00", + "modified": "2023-08-09 18:13:14.416000+00:00", + "name": "Conti", + "description": "[Conti](https://attack.mitre.org/software/S0575) is a Ransomware-as-a-Service (RaaS) that was first observed in December 2019. [Conti](https://attack.mitre.org/software/S0575) has been deployed via [TrickBot](https://attack.mitre.org/software/S0266) and used against major corporations and government agencies, particularly those in North America. As with other ransomware families, actors using [Conti](https://attack.mitre.org/software/S0575) steal sensitive files and information from compromised networks, and threaten to publish this data unless the ransom is paid.(Citation: Cybereason Conti Jan 2021)(Citation: CarbonBlack Conti July 2020)(Citation: Cybleinc Conti January 2020)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0575", + "external_id": "S0575" + }, + { + "source_name": "Conti", + "description": "(Citation: CarbonBlack Conti July 2020)(Citation: Cybereason Conti Jan 2021)" + }, + { + "source_name": "CarbonBlack Conti July 2020", + "description": "Baskin, B. (2020, July 8). TAU Threat Discovery: Conti Ransomware. Retrieved February 17, 2021.", + "url": "https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/" + }, + { + "source_name": "Cybleinc Conti January 2020", + "description": "Cybleinc. (2021, January 21). Conti Ransomware Resurfaces, Targeting Government & Large Organizations. Retrieved April 13, 2021.", + "url": "https://cybleinc.com/2021/01/21/conti-ransomware-resurfaces-targeting-government-large-organizations/" + }, + { + "source_name": "Cybereason Conti Jan 2021", + "description": "Rochberger, L. (2021, January 12). Cybereason vs. Conti Ransomware. Retrieved February 17, 2021.", + "url": "https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Conti" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Daniyal Naeem, BT Security" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "2.2", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-09 18:13:14.416000+00:00\", \"old_value\": \"2022-09-29 16:45:13.038000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.2\", \"old_value\": \"2.1\"}}}", + "previous_version": "2.1", + "version_change": "2.1 \u2192 2.2" + }, + { + "type": "malware", + "id": "malware--a5e91d50-24fa-44ec-9894-39a88f658cea", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-10-17 00:14:20.652000+00:00", + "modified": "2023-09-28 21:03:22.526000+00:00", + "name": "CrossRAT", + "description": "[CrossRAT](https://attack.mitre.org/software/S0235) is a cross platform RAT.", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0235", + "external_id": "S0235" + }, + { + "source_name": "CrossRAT", + "description": "(Citation: Lookout Dark Caracal Jan 2018)" + }, + { + "source_name": "Lookout Dark Caracal Jan 2018", + "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.", + "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "CrossRAT" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "Windows", + "macOS" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-28 21:03:22.526000+00:00\", \"old_value\": \"2020-03-30 15:26:42.369000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}}", + "previous_version": "1.1", + "version_change": "1.1 \u2192 1.2" + }, + { + "type": "malware", + "id": "malware--f01e2711-4b48-4192-a2e8-5f56c945ca19", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-05-30 19:47:37.192000+00:00", + "modified": "2023-08-03 21:55:20.998000+00:00", + "name": "Dridex", + "description": "[Dridex](https://attack.mitre.org/software/S0384) is a prolific banking Trojan that first appeared in 2014. By December 2019, the US Treasury estimated [Dridex](https://attack.mitre.org/software/S0384) had infected computers in hundreds of banks and financial institutions in over 40 countries, leading to more than $100 million in theft. [Dridex](https://attack.mitre.org/software/S0384) was created from the source code of the Bugat banking Trojan (also known as Cridex).(Citation: Dell Dridex Oct 2015)(Citation: Kaspersky Dridex May 2017)(Citation: Treasury EvilCorp Dec 2019)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0384", + "external_id": "S0384" + }, + { + "source_name": "Bugat v5", + "description": "(Citation: Dell Dridex Oct 2015)" + }, + { + "source_name": "Dridex", + "description": "(Citation: Dell Dridex Oct 2015)(Citation: Kaspersky Dridex May 2017)(Citation: Checkpoint Dridex Jan 2021)" + }, + { + "source_name": "Checkpoint Dridex Jan 2021", + "description": "Check Point Research. (2021, January 4). Stopping Serial Killer: Catching the Next Strike. Retrieved September 7, 2021.", + "url": "https://research.checkpoint.com/2021/stopping-serial-killer-catching-the-next-strike/" + }, + { + "source_name": "Dell Dridex Oct 2015", + "description": "Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, October 13). Dridex (Bugat v5) Botnet Takeover Operation. Retrieved May 31, 2019.", + "url": "https://www.secureworks.com/research/dridex-bugat-v5-botnet-takeover-operation" + }, + { + "source_name": "Kaspersky Dridex May 2017", + "description": "Slepogin, N. (2017, May 25). Dridex: A History of Evolution. Retrieved May 31, 2019.", + "url": "https://securelist.com/dridex-a-history-of-evolution/78531/" + }, + { + "source_name": "Treasury EvilCorp Dec 2019", + "description": "U.S. Department of Treasury. (2019, December 5). Treasury Sanctions Evil Corp, the Russia-Based Cybercriminal Group Behind Dridex Malware. Retrieved September 15, 2021.", + "url": "https://home.treasury.gov/news/press-releases/sm845" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Dridex", + "Bugat v5" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Daniyal Naeem, BT Security", + "Jennifer Kim Roman, CrowdStrike" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "2.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-03 21:55:20.998000+00:00\", \"old_value\": \"2021-10-01 20:30:30.043000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.1\", \"old_value\": \"2.0\"}}, \"iterable_item_added\": {\"root['x_mitre_contributors'][1]\": \"Jennifer Kim Roman, CrowdStrike\"}}", + "previous_version": "2.0", + "version_change": "2.0 \u2192 2.1" + }, + { + "type": "malware", + "id": "malware--32066e94-3112-48ca-b9eb-ba2b59d2f023", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-03-25 18:35:14.353000+00:00", + "modified": "2023-09-29 19:44:43.868000+00:00", + "name": "Emotet", + "description": "[Emotet](https://attack.mitre.org/software/S0367) is a modular malware variant which is primarily used as a downloader for other malware variants such as [TrickBot](https://attack.mitre.org/software/S0266) and [IcedID](https://attack.mitre.org/software/S0483). Emotet first emerged in June 2014 and has been primarily used to target the banking sector. (Citation: Trend Micro Banking Malware Jan 2019)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0367", + "external_id": "S0367" + }, + { + "source_name": "Emotet", + "description": "(Citation: Trend Micro Banking Malware Jan 2019)(Citation: Kaspersky Emotet Jan 2019)(Citation: CIS Emotet Apr 2017)(Citation: Malwarebytes Emotet Dec 2017)(Citation: Symantec Emotet Jul 2018)(Citation: US-CERT Emotet Jul 2018)(Citation: ESET Emotet Nov 2018)(Citation: Secureworks Emotet Nov 2018)(Citation: Talos Emotet Jan 2019)(Citation: Trend Micro Emotet Jan 2019)(Citation: CIS Emotet Dec 2018)(Citation: Picus Emotet Dec 2018)(Citation: Red Canary Emotet Feb 2019) " + }, + { + "source_name": "Geodo", + "description": "(Citation: Trend Micro Emotet Jan 2019)" + }, + { + "source_name": "Talos Emotet Jan 2019", + "description": "Brumaghin, E.. (2019, January 15). Emotet re-emerges after the holidays. Retrieved March 25, 2019.", + "url": "https://blog.talosintelligence.com/2019/01/return-of-emotet.html" + }, + { + "source_name": "CIS Emotet Apr 2017", + "description": "CIS. (2017, April 28). Emotet Changes TTPs and Arrives in United States. Retrieved January 17, 2019.", + "url": "https://www.cisecurity.org/blog/emotet-changes-ttp-and-arrives-in-united-states/" + }, + { + "source_name": "CIS Emotet Dec 2018", + "description": "CIS. (2018, December 12). MS-ISAC Security Primer- Emotet. Retrieved March 25, 2019.", + "url": "https://www.cisecurity.org/white-papers/ms-isac-security-primer-emotet/" + }, + { + "source_name": "Red Canary Emotet Feb 2019", + "description": "Donohue, B.. (2019, February 13). https://redcanary.com/blog/stopping-emotet-before-it-moves-laterally/. Retrieved March 25, 2019.", + "url": "https://redcanary.com/blog/stopping-emotet-before-it-moves-laterally/" + }, + { + "source_name": "ESET Emotet Nov 2018", + "description": "ESET . (2018, November 9). Emotet launches major new spam campaign. Retrieved March 25, 2019.", + "url": "https://www.welivesecurity.com/2018/11/09/emotet-launches-major-new-spam-campaign/" + }, + { + "source_name": "Secureworks Emotet Nov 2018", + "description": "Mclellan, M.. (2018, November 19). Lazy Passwords Become Rocket Fuel for Emotet SMB Spreader. Retrieved March 25, 2019.", + "url": "https://www.secureworks.com/blog/lazy-passwords-become-rocket-fuel-for-emotet-smb-spreader" + }, + { + "source_name": "Picus Emotet Dec 2018", + "description": "\u00d6zarslan, S. (2018, December 21). The Christmas Card you never wanted - A new wave of Emotet is back to wreak havoc. Retrieved March 25, 2019.", + "url": "https://www.picussecurity.com/blog/the-christmas-card-you-never-wanted-a-new-wave-of-emotet-is-back-to-wreak-havoc.html" + }, + { + "source_name": "Trend Micro Banking Malware Jan 2019", + "description": "Salvio, J.. (2014, June 27). New Banking Malware Uses Network Sniffing for Data Theft. Retrieved March 25, 2019.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-banking-malware-uses-network-sniffing-for-data-theft/" + }, + { + "source_name": "Kaspersky Emotet Jan 2019", + "description": "Shulmin, A. . (2015, April 9). The Banking Trojan Emotet: Detailed Analysis. Retrieved March 25, 2019.", + "url": "https://securelist.com/the-banking-trojan-emotet-detailed-analysis/69560/" + }, + { + "source_name": "Malwarebytes Emotet Dec 2017", + "description": "Smith, A.. (2017, December 22). Protect your network from Emotet Trojan with Malwarebytes Endpoint Security. Retrieved January 17, 2019.", + "url": "https://support.malwarebytes.com/docs/DOC-2295" + }, + { + "source_name": "Symantec Emotet Jul 2018", + "description": "Symantec. (2018, July 18). The Evolution of Emotet: From Banking Trojan to Threat Distributor. Retrieved March 25, 2019.", + "url": "https://www.symantec.com/blogs/threat-intelligence/evolution-emotet-trojan-distributor" + }, + { + "source_name": "Trend Micro Emotet Jan 2019", + "description": "Trend Micro. (2019, January 16). Exploring Emotet's Activities . Retrieved March 25, 2019.", + "url": "https://documents.trendmicro.com/assets/white_papers/ExploringEmotetsActivities_Final.pdf" + }, + { + "source_name": "US-CERT Emotet Jul 2018", + "description": "US-CERT. (2018, July 20). Alert (TA18-201A) Emotet Malware. Retrieved March 25, 2019.", + "url": "https://www.us-cert.gov/ncas/alerts/TA18-201A" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Emotet", + "Geodo" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Omkar Gudhate" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.5", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-29 19:44:43.868000+00:00\", \"old_value\": \"2023-01-17 22:19:58.856000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.5\", \"old_value\": \"1.4\"}}}", + "previous_version": "1.4", + "version_change": "1.4 \u2192 1.5" + }, + { + "type": "tool", + "id": "tool--3433a9e8-1c47-4320-b9bf-ed449061d1c3", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-03-11 14:13:40.648000+00:00", + "modified": "2023-07-27 15:44:31.364000+00:00", + "name": "Empire", + "description": "[Empire](https://attack.mitre.org/software/S0363) is an open source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents are written in pure [PowerShell](https://attack.mitre.org/techniques/T1059/001) for Windows and Python for Linux/macOS. [Empire](https://attack.mitre.org/software/S0363) was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries.(Citation: NCSC Joint Report Public Tools)(Citation: Github PowerShell Empire)(Citation: GitHub ATTACK Empire)", + "revoked": false, + "labels": [ + "tool" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0363", + "external_id": "S0363" + }, + { + "source_name": "EmPyre", + "description": "(Citation: Github PowerShell Empire)" + }, + { + "source_name": "PowerShell Empire", + "description": "(Citation: Github PowerShell Empire)" + }, + { + "source_name": "Github PowerShell Empire", + "description": "Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.", + "url": "https://github.com/PowerShellEmpire/Empire" + }, + { + "source_name": "GitHub ATTACK Empire", + "description": "Stepanic, D. (2018, September 2). attck_empire: Generate ATT&CK Navigator layer file from PowerShell Empire agent logs. Retrieved March 11, 2019.", + "url": "https://github.com/dstepanic/attck_empire" + }, + { + "source_name": "NCSC Joint Report Public Tools", + "description": "The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019.", + "url": "https://www.ncsc.gov.uk/report/joint-report-on-publicly-available-hacking-tools" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Empire", + "EmPyre", + "PowerShell Empire" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "x_mitre_version": "1.7", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-07-27 15:44:31.364000+00:00\", \"old_value\": \"2023-03-22 03:43:09.336000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.7\", \"old_value\": \"1.6\"}}}", + "previous_version": "1.6", + "version_change": "1.6 \u2192 1.7" + }, + { + "type": "malware", + "id": "malware--50d6688b-0985-4f3d-8cbe-0c796b30703b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-09-12 17:40:38.303000+00:00", + "modified": "2023-10-01 16:58:20.224000+00:00", + "name": "Fysbis", + "description": "[Fysbis](https://attack.mitre.org/software/S0410) is a Linux-based backdoor used by [APT28](https://attack.mitre.org/groups/G0007) that dates back to at least 2014.(Citation: Fysbis Palo Alto Analysis)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0410", + "external_id": "S0410" + }, + { + "source_name": "Fysbis Palo Alto Analysis", + "description": "Bryan Lee and Rob Downs. (2016, February 12). A Look Into Fysbis: Sofacy\u2019s Linux Backdoor. Retrieved September 10, 2017.", + "url": "https://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Fysbis" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux" + ], + "x_mitre_version": "1.3", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-01 16:58:20.224000+00:00\", \"old_value\": \"2020-11-06 15:24:20.400000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.3\", \"old_value\": \"1.2\"}}}", + "previous_version": "1.2", + "version_change": "1.2 \u2192 1.3" + }, + { + "type": "malware", + "id": "malware--5c747acd-47f0-4c5a-b9e5-213541fc01e0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-03-12 16:10:45.416000+00:00", + "modified": "2023-08-30 16:31:52.140000+00:00", + "name": "GoldMax", + "description": "[GoldMax](https://attack.mitre.org/software/S0588) is a second-stage C2 backdoor written in Go with Windows and Linux variants that are nearly identical in functionality. [GoldMax](https://attack.mitre.org/software/S0588) was discovered in early 2021 during the investigation into the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), and has likely been used by [APT29](https://attack.mitre.org/groups/G0016) since at least mid-2019. [GoldMax](https://attack.mitre.org/software/S0588) uses multiple defense evasion techniques, including avoiding virtualization execution and masking malicious traffic.(Citation: MSTIC NOBELIUM Mar 2021)(Citation: FireEye SUNSHUTTLE Mar 2021)(Citation: CrowdStrike StellarParticle January 2022)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0588", + "external_id": "S0588" + }, + { + "source_name": "SUNSHUTTLE", + "description": "(Citation: FireEye SUNSHUTTLE Mar 2021)" + }, + { + "source_name": "GoldMax", + "description": "(Citation: MSTIC NOBELIUM Mar 2021)" + }, + { + "source_name": "CrowdStrike StellarParticle January 2022", + "description": "CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.", + "url": "https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" + }, + { + "source_name": "MSTIC NOBELIUM Mar 2021", + "description": "Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM\u2019s layered persistence. Retrieved March 8, 2021.", + "url": "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/" + }, + { + "source_name": "FireEye SUNSHUTTLE Mar 2021", + "description": "Smith, L., Leathery, J., Read, B. (2021, March 4). New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452. Retrieved March 12, 2021.", + "url": "https://www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "GoldMax", + "SUNSHUTTLE" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "Linux" + ], + "x_mitre_version": "2.2", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-30 16:31:52.140000+00:00\", \"old_value\": \"2023-03-27 19:46:46.532000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.2\", \"old_value\": \"2.1\"}}}", + "previous_version": "2.1", + "version_change": "2.1 \u2192 2.2" + }, + { + "type": "tool", + "id": "tool--8f8cd191-902c-4e83-bf20-b57c8c4640e9", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-05 18:45:36.358000+00:00", + "modified": "2023-10-03 19:35:03.646000+00:00", + "name": "Imminent Monitor", + "description": "[Imminent Monitor](https://attack.mitre.org/software/S0434) was a commodity remote access tool (RAT) offered for sale from 2012 until 2019, when an operation was conducted to take down the Imminent Monitor infrastructure. Various cracked versions and variations of this RAT are still in circulation.(Citation: Imminent Unit42 Dec2019)", + "revoked": false, + "labels": [ + "tool" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0434", + "external_id": "S0434" + }, + { + "source_name": "Imminent Unit42 Dec2019", + "description": "Unit 42. (2019, December 2). Imminent Monitor \u2013 a RAT Down Under. Retrieved May 5, 2020.", + "url": "https://unit42.paloaltonetworks.com/imminent-monitor-a-rat-down-under/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Imminent Monitor" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Jose Luis S\u00e1nchez Martinez" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-03 19:35:03.646000+00:00\", \"old_value\": \"2020-07-10 13:39:26.417000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}}", + "previous_version": "1.0", + "version_change": "1.0 \u2192 1.1" + }, + { + "type": "tool", + "id": "tool--26c87906-d750-42c5-946c-d4162c73fc7b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-01-31 01:39:56.283000+00:00", + "modified": "2023-07-27 15:31:10.648000+00:00", + "name": "Impacket", + "description": "[Impacket](https://attack.mitre.org/software/S0357) is an open source collection of modules written in Python for programmatically constructing and manipulating network protocols. [Impacket](https://attack.mitre.org/software/S0357) contains several tools for remote service execution, Kerberos manipulation, Windows credential dumping, packet sniffing, and relay attacks.(Citation: Impacket Tools)", + "revoked": false, + "labels": [ + "tool" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0357", + "external_id": "S0357" + }, + { + "source_name": "Impacket Tools", + "description": "SecureAuth. (n.d.). Retrieved January 15, 2019.", + "url": "https://www.secureauth.com/labs/open-source-tools/impacket" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Impacket" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Jacob Wilkin, Trustwave, SpiderLabs" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "x_mitre_version": "1.5", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-07-27 15:31:10.648000+00:00\", \"old_value\": \"2023-01-23 20:52:37.112000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.5\", \"old_value\": \"1.4\"}}}", + "previous_version": "1.4", + "version_change": "1.4 \u2192 1.5" + }, + { + "type": "malware", + "id": "malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-01-20 18:05:07.059000+00:00", + "modified": "2023-10-06 14:09:52.833000+00:00", + "name": "KillDisk", + "description": "[KillDisk](https://attack.mitre.org/software/S0607) is a disk-wiping tool designed to overwrite files with random data to render the OS unbootable. It was first observed as a component of [BlackEnergy](https://attack.mitre.org/software/S0089) malware during cyber attacks against Ukraine in 2015. [KillDisk](https://attack.mitre.org/software/S0607) has since evolved into stand-alone malware used by a variety of threat actors against additional targets in Europe and Latin America; in 2016 a ransomware component was also incorporated into some [KillDisk](https://attack.mitre.org/software/S0607) variants.(Citation: KillDisk Ransomware)(Citation: ESEST Black Energy Jan 2016)(Citation: Trend Micro KillDisk 1)(Citation: Trend Micro KillDisk 2)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0607", + "external_id": "S0607" + }, + { + "source_name": "KillDisk Ransomware", + "description": "Catalin Cimpanu. (2016, December 29). KillDisk Disk-Wiping Malware Adds Ransomware Component. Retrieved January 12, 2021.", + "url": "https://www.bleepingcomputer.com/news/security/killdisk-disk-wiping-malware-adds-ransomware-component/" + }, + { + "source_name": "ESEST Black Energy Jan 2016", + "description": "Cherepanov, A.. (2016, January 3). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry. Retrieved May 18, 2016.", + "url": "http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/" + }, + { + "source_name": "Trend Micro KillDisk 1", + "description": "Fernando Merces, Byron Gelera, Martin Co. (2018, June 7). KillDisk Variant Hits Latin American Finance Industry. Retrieved January 12, 2021.", + "url": "https://www.trendmicro.com/en_us/research/18/f/new-killdisk-variant-hits-latin-american-financial-organizations-again.html" + }, + { + "source_name": "Trend Micro KillDisk 2", + "description": "Gilbert Sison, Rheniel Ramos, Jay Yaneza, Alfredo Oliveira. (2018, January 15). KillDisk Variant Hits Latin American Financial Groups. Retrieved January 12, 2021.", + "url": "https://www.trendmicro.com/en_us/research/18/a/new-killdisk-variant-hits-financial-organizations-in-latin-america.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "KillDisk", + "Win32/KillDisk.NBI", + "Win32/KillDisk.NBH", + "Win32/KillDisk.NBD", + "Win32/KillDisk.NBC", + "Win32/KillDisk.NBB" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "Windows" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-06 14:09:52.833000+00:00\", \"old_value\": \"2023-03-08 22:13:42.357000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}}", + "previous_version": "1.1", + "version_change": "1.1 \u2192 1.2" + }, + { + "type": "tool", + "id": "tool--b76b2d94-60e4-4107-a903-4a3a7622fb3b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-01-30 16:44:59.887000+00:00", + "modified": "2023-08-03 18:35:09.021000+00:00", + "name": "LaZagne", + "description": "[LaZagne](https://attack.mitre.org/software/S0349) is a post-exploitation, open-source tool used to recover stored passwords on a system. It has modules for Windows, Linux, and OSX, but is mainly focused on Windows systems. [LaZagne](https://attack.mitre.org/software/S0349) is publicly available on GitHub.(Citation: GitHub LaZagne Dec 2018)", + "revoked": false, + "labels": [ + "tool" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0349", + "external_id": "S0349" + }, + { + "source_name": "LaZagne", + "description": "(Citation: GitHub LaZange Dec 2018)" + }, + { + "source_name": "GitHub LaZagne Dec 2018", + "description": "Zanni, A. (n.d.). The LaZagne Project !!!. Retrieved December 14, 2018.", + "url": "https://github.com/AlessandroZ/LaZagne" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "LaZagne" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "x_mitre_version": "1.5", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-03 18:35:09.021000+00:00\", \"old_value\": \"2023-03-02 20:48:02.590000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.5\", \"old_value\": \"1.4\"}}}", + "previous_version": "1.4", + "version_change": "1.4 \u2192 1.5" + }, + { + "type": "tool", + "id": "tool--afc079f3-c0ea-4096-b75d-3f05338b7f60", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:32:11.544000+00:00", + "modified": "2023-07-27 15:33:07.594000+00:00", + "name": "Mimikatz", + "description": "[Mimikatz](https://attack.mitre.org/software/S0002) is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks. (Citation: Deply Mimikatz) (Citation: Adsecurity Mimikatz Guide)", + "revoked": false, + "labels": [ + "tool" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0002", + "external_id": "S0002" + }, + { + "source_name": "Deply Mimikatz", + "description": "Deply, B. (n.d.). Mimikatz. Retrieved September 29, 2015.", + "url": "https://github.com/gentilkiwi/mimikatz" + }, + { + "source_name": "Adsecurity Mimikatz Guide", + "description": "Metcalf, S. (2015, November 13). Unofficial Guide to Mimikatz & Command Reference. Retrieved December 23, 2015.", + "url": "https://adsecurity.org/?page_id=1821" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Mimikatz" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Vincent Le Toux" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.8", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-07-27 15:33:07.594000+00:00\", \"old_value\": \"2023-03-07 13:04:10.731000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.8\", \"old_value\": \"1.7\"}}}", + "previous_version": "1.7", + "version_change": "1.7 \u2192 1.8" + }, + { + "type": "malware", + "id": "malware--2a70812b-f1ef-44db-8578-a496a227aef2", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-04-18 17:59:24.739000+00:00", + "modified": "2023-09-20 20:04:20.149000+00:00", + "name": "NETWIRE", + "description": "[NETWIRE](https://attack.mitre.org/software/S0198) is a publicly available, multiplatform remote administration tool (RAT) that has been used by criminal and APT groups since at least 2012.(Citation: FireEye APT33 Sept 2017)(Citation: McAfee Netwire Mar 2015)(Citation: FireEye APT33 Webinar Sept 2017)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0198", + "external_id": "S0198" + }, + { + "source_name": "NETWIRE", + "description": "(Citation: FireEye APT33 Sept 2017) (Citation: FireEye APT33 Webinar Sept 2017) (Citation: McAfee Netwire Mar 2015)" + }, + { + "source_name": "FireEye APT33 Webinar Sept 2017", + "description": "Davis, S. and Carr, N. (2017, September 21). APT33: New Insights into Iranian Cyber Espionage Group. Retrieved February 15, 2018.", + "url": "https://www.brighttalk.com/webcast/10703/275683" + }, + { + "source_name": "McAfee Netwire Mar 2015", + "description": "McAfee. (2015, March 2). Netwire RAT Behind Recent Targeted Attacks. Retrieved February 15, 2018.", + "url": "https://securingtomorrow.mcafee.com/mcafee-labs/netwire-rat-behind-recent-targeted-attacks/" + }, + { + "source_name": "FireEye APT33 Sept 2017", + "description": "O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018.", + "url": "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "NETWIRE" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Tony Lambert, Red Canary" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "Linux", + "macOS" + ], + "x_mitre_version": "1.6", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-20 20:04:20.149000+00:00\", \"old_value\": \"2023-03-26 19:24:00.073000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.6\", \"old_value\": \"1.5\"}}}", + "previous_version": "1.5", + "version_change": "1.5 \u2192 1.6" + }, + { + "type": "tool", + "id": "tool--03342581-f790-4f03-ba41-e82e67392e23", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:32:31.601000+00:00", + "modified": "2023-07-25 19:25:59.767000+00:00", + "name": "Net", + "description": "The [Net](https://attack.mitre.org/software/S0039) utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft Net Utility)\n\n[Net](https://attack.mitre.org/software/S0039) has a great deal of functionality, (Citation: Savill 1999) much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) using net use commands, and interacting with services. The net1.exe utility is executed for certain functionality when net.exe is run and can be used directly in commands such as net1 user.", + "revoked": false, + "labels": [ + "tool" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0039", + "external_id": "S0039" + }, + { + "source_name": "Microsoft Net Utility", + "description": "Microsoft. (2006, October 18). Net.exe Utility. Retrieved September 22, 2015.", + "url": "https://msdn.microsoft.com/en-us/library/aa939914" + }, + { + "source_name": "Savill 1999", + "description": "Savill, J. (1999, March 4). Net.exe reference. Retrieved September 22, 2015.", + "url": "http://windowsitpro.com/windows/netexe-reference" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Net", + "net.exe" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "David Ferguson, CyberSponse" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "2.5", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-07-25 19:25:59.767000+00:00\", \"old_value\": \"2023-03-03 16:49:41.059000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.5\", \"old_value\": \"2.4\"}}}", + "previous_version": "2.4", + "version_change": "2.4 \u2192 2.5" + }, + { + "type": "tool", + "id": "tool--981acc4c-2ede-4b56-be6e-fa1a75f37acf", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-02-14 17:08:55.176000+00:00", + "modified": "2023-08-09 18:03:17.167000+00:00", + "name": "Nltest", + "description": "[Nltest](https://attack.mitre.org/software/S0359) is a Windows command-line utility used to list domain controllers and enumerate domain trusts.(Citation: Nltest Manual)", + "revoked": false, + "labels": [ + "tool" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0359", + "external_id": "S0359" + }, + { + "source_name": "Nltest Manual", + "description": "ss64. (n.d.). NLTEST.exe - Network Location Test. Retrieved February 14, 2019.", + "url": "https://ss64.com/nt/nltest.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Nltest" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-09 18:03:17.167000+00:00\", \"old_value\": \"2021-10-07 16:41:18.760000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}}", + "previous_version": "1.1", + "version_change": "1.1 \u2192 1.2" + }, + { + "type": "malware", + "id": "malware--f1314e75-ada8-49f4-b281-b1fb8b48f2a7", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-08-29 18:52:20.879000+00:00", + "modified": "2023-08-30 16:28:36.699000+00:00", + "name": "OSX/Shlayer", + "description": "[OSX/Shlayer](https://attack.mitre.org/software/S0402) is a Trojan designed to install adware on macOS that was first discovered in 2018.(Citation: Carbon Black Shlayer Feb 2019)(Citation: Intego Shlayer Feb 2018)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0402", + "external_id": "S0402" + }, + { + "source_name": "OSX/Shlayer", + "description": "(Citation: Carbon Black Shlayer Feb 2019)(Citation: Intego Shlayer Feb 2018)" + }, + { + "source_name": "Crossrider", + "description": "(Citation: Intego Shlayer Apr 2018)(Citation: Malwarebytes Crossrider Apr 2018)" + }, + { + "source_name": "Zshlayer", + "description": "(Citation: sentinelone shlayer to zshlayer)" + }, + { + "source_name": "Carbon Black Shlayer Feb 2019", + "description": "Carbon Black Threat Analysis Unit. (2019, February 12). New macOS Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019.", + "url": "https://blogs.vmware.com/security/2020/02/vmware-carbon-black-tau-threat-analysis-shlayer-macos.html" + }, + { + "source_name": "Intego Shlayer Feb 2018", + "description": "Long, Joshua. (2018, February 21). OSX/Shlayer: New Mac malware comes out of its shell. Retrieved August 28, 2019.", + "url": "https://www.intego.com/mac-security-blog/osxshlayer-new-mac-malware-comes-out-of-its-shell/" + }, + { + "source_name": "sentinelone shlayer to zshlayer", + "description": "Phil Stokes. (2020, September 8). Coming Out of Your Shell: From Shlayer to ZShlayer. Retrieved September 13, 2021.", + "url": "https://www.sentinelone.com/blog/coming-out-of-your-shell-from-shlayer-to-zshlayer/" + }, + { + "source_name": "Malwarebytes Crossrider Apr 2018", + "description": "Reed, Thomas. (2018, April 24). New Crossrider variant installs configuration profiles on Macs. Retrieved September 6, 2019.", + "url": "https://blog.malwarebytes.com/threat-analysis/2018/04/new-crossrider-variant-installs-configuration-profiles-on-macs/" + }, + { + "source_name": "Intego Shlayer Apr 2018", + "description": "Vrijenhoek, Jay. (2018, April 24). New OSX/Shlayer Malware Variant Found Using a Dirty New Trick. Retrieved September 6, 2019.", + "url": "https://www.intego.com/mac-security-blog/new-osxshlayer-malware-variant-found-using-a-dirty-new-trick/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "OSX/Shlayer", + "Zshlayer", + "Crossrider" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "macOS" + ], + "x_mitre_version": "1.4", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-30 16:28:36.699000+00:00\", \"old_value\": \"2022-10-19 16:35:18.493000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.4\", \"old_value\": \"1.3\"}}}", + "previous_version": "1.3", + "version_change": "1.3 \u2192 1.4" + }, + { + "type": "tool", + "id": "tool--b77b563c-34bb-4fb8-86a3-3694338f7b47", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:33:01.483000+00:00", + "modified": "2023-09-06 15:12:11.358000+00:00", + "name": "Ping", + "description": "[Ping](https://attack.mitre.org/software/S0097) is an operating system utility commonly used to troubleshoot and verify network connections. (Citation: TechNet Ping)", + "revoked": false, + "labels": [ + "tool" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0097", + "external_id": "S0097" + }, + { + "source_name": "TechNet Ping", + "description": "Microsoft. (n.d.). Ping. Retrieved April 8, 2016.", + "url": "https://technet.microsoft.com/en-us/library/bb490968.aspx" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Ping" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.4", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-06 15:12:11.358000+00:00\", \"old_value\": \"2023-01-04 21:59:04.229000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.4\", \"old_value\": \"1.3\"}}}", + "previous_version": "1.3", + "version_change": "1.3 \u2192 1.4" + }, + { + "type": "tool", + "id": "tool--ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:32:21.771000+00:00", + "modified": "2023-08-09 18:07:11.859000+00:00", + "name": "PsExec", + "description": "[PsExec](https://attack.mitre.org/software/S0029) is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers.(Citation: Russinovich Sysinternals)(Citation: SANS PsExec)", + "revoked": false, + "labels": [ + "tool" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0029", + "external_id": "S0029" + }, + { + "source_name": "SANS PsExec", + "description": "Pilkington, M. (2012, December 17). Protecting Privileged Domain Accounts: PsExec Deep-Dive. Retrieved August 17, 2016.", + "url": "https://www.sans.org/blog/protecting-privileged-domain-accounts-psexec-deep-dive/" + }, + { + "source_name": "Russinovich Sysinternals", + "description": "Russinovich, M. (2014, May 2). Windows Sysinternals PsExec v2.11. Retrieved May 13, 2015.", + "url": "https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "PsExec" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Janantha Marasinghe" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.5", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-09 18:07:11.859000+00:00\", \"old_value\": \"2023-03-02 20:43:41.287000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.5\", \"old_value\": \"1.4\"}}}", + "previous_version": "1.4", + "version_change": "1.4 \u2192 1.5" + }, + { + "type": "tool", + "id": "tool--cb69b20d-56d0-41ab-8440-4a4b251614d4", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-04-18 17:59:24.739000+00:00", + "modified": "2023-09-28 21:08:47.128000+00:00", + "name": "Pupy", + "description": "[Pupy](https://attack.mitre.org/software/S0192) is an open source, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool. (Citation: GitHub Pupy) It is written in Python and can be generated as a payload in several different ways (Windows exe, Python file, PowerShell oneliner/file, Linux elf, APK, Rubber Ducky, etc.). (Citation: GitHub Pupy) [Pupy](https://attack.mitre.org/software/S0192) is publicly available on GitHub. (Citation: GitHub Pupy)", + "revoked": false, + "labels": [ + "tool" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0192", + "external_id": "S0192" + }, + { + "source_name": "GitHub Pupy", + "description": "Nicolas Verdier. (n.d.). Retrieved January 29, 2018.", + "url": "https://github.com/n1nj4sec/pupy" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Pupy" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "Windows", + "macOS", + "Android" + ], + "x_mitre_version": "1.3", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-28 21:08:47.128000+00:00\", \"old_value\": \"2020-05-13 22:57:00.921000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.3\", \"old_value\": \"1.2\"}}}", + "previous_version": "1.2", + "version_change": "1.2 \u2192 1.3" + }, + { + "type": "malware", + "id": "malware--54895630-efd2-4608-9c24-319de972a9eb", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-06-29 23:30:53.824000+00:00", + "modified": "2023-09-06 15:08:53.375000+00:00", + "name": "Ragnar Locker", + "description": "[Ragnar Locker](https://attack.mitre.org/software/S0481) is a ransomware that has been in use since at least December 2019.(Citation: Sophos Ragnar May 2020)(Citation: Cynet Ragnar Apr 2020)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0481", + "external_id": "S0481" + }, + { + "source_name": "Cynet Ragnar Apr 2020", + "description": "Gold, B. (2020, April 27). Cynet Detection Report: Ragnar Locker Ransomware. Retrieved June 29, 2020.", + "url": "https://www.cynet.com/blog/cynet-detection-report-ragnar-locker-ransomware/" + }, + { + "source_name": "Sophos Ragnar May 2020", + "description": "SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020.", + "url": "https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Ragnar Locker" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-06 15:08:53.375000+00:00\", \"old_value\": \"2021-04-13 23:52:18.803000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}}", + "previous_version": "1.1", + "version_change": "1.1 \u2192 1.2" + }, + { + "type": "malware", + "id": "malware--4c59cce8-cb48-4141-b9f1-f646edfaadb0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:32:17.959000+00:00", + "modified": "2023-10-01 02:47:21.211000+00:00", + "name": "Regin", + "description": "[Regin](https://attack.mitre.org/software/S0019) is a malware platform that has targeted victims in a range of industries, including telecom, government, and financial institutions. Some [Regin](https://attack.mitre.org/software/S0019) timestamps date back to 2003. (Citation: Kaspersky Regin)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0019", + "external_id": "S0019" + }, + { + "source_name": "Kaspersky Regin", + "description": "Kaspersky Lab's Global Research and Analysis Team. (2014, November 24). THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS. Retrieved December 1, 2014.", + "url": "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070305/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Regin" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-01 02:47:21.211000+00:00\", \"old_value\": \"2020-06-29 01:54:53.301000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}}", + "previous_version": "1.1", + "version_change": "1.1 \u2192 1.2" + }, + { + "type": "malware", + "id": "malware--bdb27a1d-1844-42f1-a0c0-826027ae0326", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-05-02 01:07:36.780000+00:00", + "modified": "2023-10-02 23:04:26.238000+00:00", + "name": "Revenge RAT", + "description": "[Revenge RAT](https://attack.mitre.org/software/S0379) is a freely available remote access tool written in .NET (C#).(Citation: Cylance Shaheen Nov 2018)(Citation: Cofense RevengeRAT Feb 2019)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0379", + "external_id": "S0379" + }, + { + "source_name": "Cofense RevengeRAT Feb 2019", + "description": "Gannon, M. (2019, February 11). With Upgrades in Delivery and Support Infrastructure, Revenge RAT Malware is a Bigger Threat. Retrieved May 1, 2019.", + "url": "https://cofense.com/upgrades-delivery-support-infrastructure-revenge-rat-malware-bigger-threat/" + }, + { + "source_name": "Cylance Shaheen Nov 2018", + "description": "Livelli, K, et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019.", + "url": "https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/WhiteCompanyOperationShaheenReport.pdf?_ga=2.161661948.1943296560.1555683782-1066572390.1555511517" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Revenge RAT" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-02 23:04:26.238000+00:00\", \"old_value\": \"2020-03-30 18:05:10.885000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}}", + "previous_version": "1.1", + "version_change": "1.1 \u2192 1.2" + }, + { + "type": "tool", + "id": "tool--e33267fe-099f-4af2-8730-63d49f8813b2", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-03-29 20:19:26.940000+00:00", + "modified": "2023-08-03 18:30:05.885000+00:00", + "name": "Rubeus", + "description": "[Rubeus](https://attack.mitre.org/software/S1071) is a C# toolset designed for raw Kerberos interaction that has been used since at least 2020, including in ransomware operations.(Citation: GitHub Rubeus March 2023)(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: DFIR Ryuk's Return October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)", + "revoked": false, + "labels": [ + "tool" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S1071", + "external_id": "S1071" + }, + { + "source_name": "GitHub Rubeus March 2023", + "description": "Harmj0y. (n.d.). Rubeus. Retrieved March 29, 2023.", + "url": "https://github.com/GhostPack/Rubeus" + }, + { + "source_name": "FireEye KEGTAP SINGLEMALT October 2020", + "description": "Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.", + "url": "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html" + }, + { + "source_name": "DFIR Ryuk 2 Hour Speed Run November 2020", + "description": "The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020.", + "url": "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/" + }, + { + "source_name": "DFIR Ryuk's Return October 2020", + "description": "The DFIR Report. (2020, October 8). Ryuk\u2019s Return. Retrieved October 9, 2020.", + "url": "https://thedfirreport.com/2020/10/08/ryuks-return/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Rubeus" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Mayuresh Dani, Qualys", + "Akshat Pradhan, Qualys" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-03 18:30:05.885000+00:00\", \"old_value\": \"2023-04-13 23:27:32.465000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}}", + "previous_version": "1.0", + "version_change": "1.0 \u2192 1.1" + }, + { + "type": "malware", + "id": "malware--a020a61c-423f-4195-8c46-ba1d21abba37", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-13 20:14:53.171000+00:00", + "modified": "2023-08-09 18:11:35.634000+00:00", + "name": "Ryuk", + "description": "[Ryuk](https://attack.mitre.org/software/S0446) is a ransomware designed to target enterprise environments that has been used in attacks since at least 2018. [Ryuk](https://attack.mitre.org/software/S0446) shares code similarities with Hermes ransomware.(Citation: CrowdStrike Ryuk January 2019)(Citation: FireEye Ryuk and Trickbot January 2019)(Citation: FireEye FIN6 Apr 2019)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0446", + "external_id": "S0446" + }, + { + "source_name": "Ryuk", + "description": "(Citation: CrowdStrike Ryuk January 2019) (Citation: Bleeping Computer - Ryuk WoL) " + }, + { + "source_name": "Bleeping Computer - Ryuk WoL", + "description": "Abrams, L. (2021, January 14). Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices. Retrieved February 11, 2021.", + "url": "https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/" + }, + { + "source_name": "FireEye Ryuk and Trickbot January 2019", + "description": "Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.", + "url": "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html" + }, + { + "source_name": "CrowdStrike Ryuk January 2019", + "description": "Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.", + "url": "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/" + }, + { + "source_name": "FireEye FIN6 Apr 2019", + "description": "McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.", + "url": "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Ryuk" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "The DFIR Report, @TheDFIRReport", + "Matt Brenton, Zurich Insurance Group" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.4", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-09 18:11:35.634000+00:00\", \"old_value\": \"2022-05-24 21:10:44.381000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.4\", \"old_value\": \"1.3\"}}}", + "previous_version": "1.3", + "version_change": "1.3 \u2192 1.4" + }, + { + "type": "malware", + "id": "malware--00806466-754d-44ea-ad6f-0caf59cb8556", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-10-17 00:14:20.652000+00:00", + "modified": "2023-08-09 16:44:56.511000+00:00", + "name": "TrickBot", + "description": "[TrickBot](https://attack.mitre.org/software/S0266) is a Trojan spyware program written in C++ that first emerged in September 2016 as a possible successor to [Dyre](https://attack.mitre.org/software/S0024). [TrickBot](https://attack.mitre.org/software/S0266) was developed and initially used by [Wizard Spider](https://attack.mitre.org/groups/G0102) for targeting banking sites in North America, Australia, and throughout Europe; it has since been used against all sectors worldwide as part of \"big game hunting\" ransomware campaigns.(Citation: S2 Grupo TrickBot June 2017)(Citation: Fidelis TrickBot Oct 2016)(Citation: IBM TrickBot Nov 2016)(Citation: CrowdStrike Wizard Spider October 2020)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0266", + "external_id": "S0266" + }, + { + "source_name": "TrickBot", + "description": "(Citation: S2 Grupo TrickBot June 2017) (Citation: Trend Micro Totbrick Oct 2016) (Citation: TrendMicro Trickbot Feb 2019)" + }, + { + "source_name": "TSPY_TRICKLOAD", + "description": "(Citation: Trend Micro Totbrick Oct 2016)" + }, + { + "source_name": "Totbrick", + "description": "(Citation: Trend Micro Totbrick Oct 2016) (Citation: Microsoft Totbrick Oct 2017)" + }, + { + "source_name": "Trend Micro Totbrick Oct 2016", + "description": "Antazo, F. (2016, October 31). TSPY_TRICKLOAD.N. Retrieved September 14, 2018.", + "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/tspy_trickload.n" + }, + { + "source_name": "IBM TrickBot Nov 2016", + "description": "Keshet, L. (2016, November 09). Tricks of the Trade: A Deeper Look Into TrickBot\u2019s Machinations. Retrieved August 2, 2018.", + "url": "https://securityintelligence.com/tricks-of-the-trade-a-deeper-look-into-trickbots-machinations/" + }, + { + "source_name": "TrendMicro Trickbot Feb 2019", + "description": "Llimos, N., Pascual, C.. (2019, February 12). Trickbot Adds Remote Application Credential-Grabbing Capabilities to Its Repertoire. Retrieved March 12, 2019.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-adds-remote-application-credential-grabbing-capabilities-to-its-repertoire/" + }, + { + "source_name": "CrowdStrike Wizard Spider October 2020", + "description": "Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021.", + "url": "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/" + }, + { + "source_name": "Microsoft Totbrick Oct 2017", + "description": "Pornasdoro, A. (2017, October 12). Trojan:Win32/Totbrick. Retrieved September 14, 2018.", + "url": "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Totbrick" + }, + { + "source_name": "Fidelis TrickBot Oct 2016", + "description": "Reaves, J. (2016, October 15). TrickBot: We Missed you, Dyre. Retrieved August 2, 2018.", + "url": "https://www.fidelissecurity.com/threatgeek/2016/10/trickbot-we-missed-you-dyre" + }, + { + "source_name": "S2 Grupo TrickBot June 2017", + "description": "Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018.", + "url": "https://www.securityartwork.es/wp-content/uploads/2017/07/Trickbot-report-S2-Grupo.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "TrickBot", + "Totbrick", + "TSPY_TRICKLOAD" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Daniyal Naeem, BT Security", + "Cybereason Nocturnus, @nocturnus", + "Omkar Gudhate", + "FS-ISAC" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "2.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-09 16:44:56.511000+00:00\", \"old_value\": \"2023-02-23 19:45:50.419000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.1\", \"old_value\": \"2.0\"}}}", + "previous_version": "2.0", + "version_change": "2.0 \u2192 2.1" + }, + { + "type": "malware", + "id": "malware--fde19a18-e502-467f-be14-58c71b4e7f4b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-12-27 17:21:18.652000+00:00", + "modified": "2023-10-03 19:33:26.976000+00:00", + "name": "WarzoneRAT", + "description": "[WarzoneRAT](https://attack.mitre.org/software/S0670) is a malware-as-a-service remote access tool (RAT) written in C++ that has been publicly available for purchase since at least late 2018.(Citation: Check Point Warzone Feb 2020)(Citation: Uptycs Warzone UAC Bypass November 2020)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0670", + "external_id": "S0670" + }, + { + "source_name": "Ave Maria", + "description": "(Citation: Check Point Warzone Feb 2020)(Citation: Uptycs Warzone UAC Bypass November 2020)" + }, + { + "source_name": "Check Point Warzone Feb 2020", + "description": "Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021.", + "url": "https://research.checkpoint.com/2020/warzone-behind-the-enemy-lines/" + }, + { + "source_name": "Uptycs Warzone UAC Bypass November 2020", + "description": "Mohanta, A. (2020, November 25). Warzone RAT comes with UAC bypass technique. Retrieved April 7, 2022.", + "url": "https://www.uptycs.com/blog/warzone-rat-comes-with-uac-bypass-technique" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "WarzoneRAT", + "Warzone", + "Ave Maria" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Abhijit Mohanta, @abhijit_mohanta, Uptycs", + "Shilpesh Trivedi, Uptycs" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-03 19:33:26.976000+00:00\", \"old_value\": \"2022-04-15 14:24:50.745000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}}", + "previous_version": "1.0", + "version_change": "1.0 \u2192 1.1" + }, + { + "type": "tool", + "id": "tool--0a68f1f1-da74-4d28-8d9a-696c082706cc", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-12-14 16:46:06.044000+00:00", + "modified": "2023-07-27 15:28:27.482000+00:00", + "name": "certutil", + "description": "[certutil](https://attack.mitre.org/software/S0160) is a command-line utility that can be used to obtain certificate authority information and configure Certificate Services. (Citation: TechNet Certutil)", + "revoked": false, + "labels": [ + "tool" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0160", + "external_id": "S0160" + }, + { + "source_name": "TechNet Certutil", + "description": "Microsoft. (2012, November 14). Certutil. Retrieved July 3, 2017.", + "url": "https://technet.microsoft.com/library/cc732443.aspx" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "certutil", + "certutil.exe" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.4", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-07-27 15:28:27.482000+00:00\", \"old_value\": \"2023-03-03 00:40:22.280000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.4\", \"old_value\": \"1.3\"}}}", + "previous_version": "1.3", + "version_change": "1.3 \u2192 1.4" + }, + { + "type": "tool", + "id": "tool--c256da91-6dd5-40b2-beeb-ee3b22ab3d27", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-09-03 18:25:36.963000+00:00", + "modified": "2023-09-28 03:45:36.045000+00:00", + "name": "esentutl", + "description": "[esentutl](https://attack.mitre.org/software/S0404) is a command-line tool that provides database utilities for the Windows Extensible Storage Engine.(Citation: Microsoft Esentutl)", + "revoked": false, + "labels": [ + "tool" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0404", + "external_id": "S0404" + }, + { + "source_name": "Microsoft Esentutl", + "description": "Microsoft. (2016, August 30). Esentutl. Retrieved September 3, 2019.", + "url": "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh875546(v=ws.11)" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "esentutl", + "esentutl.exe" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Edward Millington", + "Matthew Demaske, Adaptforward" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.3", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-28 03:45:36.045000+00:00\", \"old_value\": \"2021-10-01 17:48:10.492000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.3\", \"old_value\": \"1.2\"}}}", + "previous_version": "1.2", + "version_change": "1.2 \u2192 1.3" + }, + { + "type": "malware", + "id": "malware--efece7e8-e40b-49c2-9f84-c55c5c93d05c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-10-17 00:14:20.652000+00:00", + "modified": "2023-10-03 19:38:43.114000+00:00", + "name": "jRAT", + "description": "[jRAT](https://attack.mitre.org/software/S0283) is a cross-platform, Java-based backdoor originally available for purchase in 2012. Variants of [jRAT](https://attack.mitre.org/software/S0283) have been distributed via a software-as-a-service platform, similar to an online subscription model.(Citation: Kaspersky Adwind Feb 2016) (Citation: jRAT Symantec Aug 2018)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0283", + "external_id": "S0283" + }, + { + "source_name": "jRAT", + "description": "(Citation: jRAT Symantec Aug 2018)" + }, + { + "source_name": "Trojan.Maljava", + "description": "(Citation: jRAT Symantec Aug 2018)" + }, + { + "source_name": "JSocket", + "description": "(Citation: Kaspersky Adwind Feb 2016)" + }, + { + "source_name": "AlienSpy", + "description": "(Citation: Kaspersky Adwind Feb 2016)" + }, + { + "source_name": "Frutas", + "description": "(Citation: Kaspersky Adwind Feb 2016)" + }, + { + "source_name": "Sockrat", + "description": "(Citation: Kaspersky Adwind Feb 2016)" + }, + { + "source_name": "Unrecom", + "description": "(Citation: Kaspersky Adwind Feb 2016)" + }, + { + "source_name": "jFrutas", + "description": "(Citation: Kaspersky Adwind Feb 2016)" + }, + { + "source_name": "Adwind", + "description": "(Citation: Kaspersky Adwind Feb 2016)" + }, + { + "source_name": "jBiFrost", + "description": "(Citation: NCSC Joint Report Public Tools)" + }, + { + "source_name": "Kaspersky Adwind Feb 2016", + "description": "Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.", + "url": "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07195002/KL_AdwindPublicReport_2016.pdf" + }, + { + "source_name": "jRAT Symantec Aug 2018", + "description": "Sharma, R. (2018, August 15). Revamped jRAT Uses New Anti-Parsing Techniques. Retrieved September 21, 2018.", + "url": "https://www.symantec.com/blogs/threat-intelligence/jrat-new-anti-parsing-techniques" + }, + { + "source_name": "NCSC Joint Report Public Tools", + "description": "The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019.", + "url": "https://www.ncsc.gov.uk/report/joint-report-on-publicly-available-hacking-tools" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "jRAT", + "JSocket", + "AlienSpy", + "Frutas", + "Sockrat", + "Unrecom", + "jFrutas", + "Adwind", + "jBiFrost", + "Trojan.Maljava" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "Windows", + "macOS", + "Android" + ], + "x_mitre_version": "2.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-03 19:38:43.114000+00:00\", \"old_value\": \"2021-01-25 15:43:45.842000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.2\", \"old_value\": \"2.1\"}}}", + "previous_version": "2.1", + "version_change": "2.1 \u2192 2.2" + }, + { + "type": "tool", + "id": "tool--4664b683-f578-434f-919b-1c1aad2a1111", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:33:04.545000+00:00", + "modified": "2023-07-25 19:25:05.678000+00:00", + "name": "netstat", + "description": "[netstat](https://attack.mitre.org/software/S0104) is an operating system utility that displays active TCP connections, listening ports, and network statistics. (Citation: TechNet Netstat)", + "revoked": false, + "labels": [ + "tool" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0104", + "external_id": "S0104" + }, + { + "source_name": "TechNet Netstat", + "description": "Microsoft. (n.d.). Netstat. Retrieved April 17, 2016.", + "url": "https://technet.microsoft.com/en-us/library/bb490947.aspx" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "netstat" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.2", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-07-25 19:25:05.678000+00:00\", \"old_value\": \"2022-10-12 21:29:16.407000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}}", + "previous_version": "1.1", + "version_change": "1.1 \u2192 1.2" + }, + { + "type": "malware", + "id": "malware--d906e6f7-434c-44c0-b51a-ed50af8f7945", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-06-04 17:52:28.806000+00:00", + "modified": "2023-09-20 20:03:22.206000+00:00", + "name": "njRAT", + "description": "[njRAT](https://attack.mitre.org/software/S0385) is a remote access tool (RAT) that was first observed in 2012. It has been used by threat actors in the Middle East.(Citation: Fidelis njRAT June 2013)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0385", + "external_id": "S0385" + }, + { + "source_name": "LV", + "description": "(Citation: Fidelis njRAT June 2013)" + }, + { + "source_name": "Bladabindi", + "description": "(Citation: Fidelis njRAT June 2013)(Citation: Trend Micro njRAT 2018)" + }, + { + "source_name": "FireEye Njw0rm Aug 2013", + "description": "Dawda, U. and Villeneuve, N. (2013, August 30). Njw0rm - Brother From the Same Mother. Retrieved June 4, 2019.", + "url": "https://www.fireeye.com/blog/threat-research/2013/08/njw0rm-brother-from-the-same-mother.html" + }, + { + "source_name": "Fidelis njRAT June 2013", + "description": "Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: \"njRAT\" Uncovered. Retrieved June 4, 2019.", + "url": "https://www.threatminer.org/_reports/2013/fta-1009---njrat-uncovered-1.pdf" + }, + { + "source_name": "Trend Micro njRAT 2018", + "description": "Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/autoit-compiled-worm-affecting-removable-media-delivers-fileless-version-of-bladabindi-njrat-backdoor/" + }, + { + "source_name": "Njw0rm", + "description": "Some sources have discussed Njw0rm as a later variant of [njRAT](https://attack.mitre.org/software/S0385), where Njw0rm adds the ability to spread via removable devices such as USB drives.(Citation: FireEye Njw0rm Aug 2013) Other sources contain that functionality in their description of [njRAT](https://attack.mitre.org/software/S0385) itself.(Citation: Fidelis njRAT June 2013)(Citation: Trend Micro njRAT 2018)" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "njRAT", + "Njw0rm", + "LV", + "Bladabindi" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.5", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-20 20:03:22.206000+00:00\", \"old_value\": \"2022-09-16 19:33:56.130000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.5\", \"old_value\": \"1.4\"}}}", + "previous_version": "1.4", + "version_change": "1.4 \u2192 1.5" + } + ], + "other_version_changes": [], + "patches": [ + { + "type": "malware", + "id": "malware--50c44c34-3abb-48ae-9433-a2337de5b0bc", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-02-28 20:50:36.164000+00:00", + "modified": "2023-06-15 18:33:45.154000+00:00", + "name": "BlackCat", + "description": "[BlackCat](https://attack.mitre.org/software/S1068) is ransomware written in Rust that has been offered via the Ransomware-as-a-Service (RaaS) model. First observed November 2021, [BlackCat](https://attack.mitre.org/software/S1068) has been used to target multiple sectors and organizations in various countries and regions in Africa, the Americas, Asia, Australia, and Europe.(Citation: Microsoft BlackCat Jun 2022)(Citation: Sophos BlackCat Jul 2022)(Citation: ACSC BlackCat Apr 2022)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S1068", + "external_id": "S1068" + }, + { + "source_name": "Noberus", + "description": "(Citation: ACSC BlackCat Apr 2022)" + }, + { + "source_name": "ALPHV", + "description": "(Citation: Microsoft BlackCat Jun 2022)(Citation: ACSC BlackCat Apr 2022)" + }, + { + "source_name": "ACSC BlackCat Apr 2022", + "description": "Australian Cyber Security Centre. (2022, April 14). 2022-004: ACSC Ransomware Profile - ALPHV (aka BlackCat). Retrieved December 20, 2022.", + "url": "https://www.cyber.gov.au/about-us/advisories/2022-004-acsc-ransomware-profile-alphv-aka-blackcat" + }, + { + "source_name": "Sophos BlackCat Jul 2022", + "description": "Brandt, Andrew. (2022, July 14). BlackCat ransomware attacks not merely a byproduct of bad luck. Retrieved December 20, 2022.", + "url": "https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/" + }, + { + "source_name": "Microsoft BlackCat Jun 2022", + "description": "Microsoft Defender Threat Intelligence. (2022, June 13). The many lives of BlackCat ransomware. Retrieved December 20, 2022.", + "url": "https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "BlackCat", + "ALPHV", + "Noberus" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Hiroki Nagahama, NEC Corporation", + "Josh Arenas, Trustwave Spiderlabs", + "Manikantan Srinivasan, NEC Corporation India", + "Pooja Natarajan, NEC Corporation India" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-06-15 18:33:45.154000+00:00\", \"old_value\": \"2023-04-17 21:40:50.124000+00:00\"}, \"root['external_references'][3]['url']\": {\"new_value\": \"https://www.cyber.gov.au/about-us/advisories/2022-004-acsc-ransomware-profile-alphv-aka-blackcat\", \"old_value\": \"https://www.cyber.gov.au/acsc/view-all-content/advisories/2022-004-acsc-ransomware-profile-alphv-aka-blackcat\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--b8fdef82-d2cf-4948-8949-6466357b1be1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-10-17 00:14:20.652000+00:00", + "modified": "2023-09-21 19:42:40.612000+00:00", + "name": "Calisto", + "description": "[Calisto](https://attack.mitre.org/software/S0274) is a macOS Trojan that opens a backdoor on the compromised machine. [Calisto](https://attack.mitre.org/software/S0274) is believed to have first been developed in 2016. (Citation: Securelist Calisto July 2018) (Citation: Symantec Calisto July 2018)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0274", + "external_id": "S0274" + }, + { + "source_name": "Calisto", + "description": "(Citation: Securelist Calisto July 2018) (Citation: Symantec Calisto July 2018)" + }, + { + "source_name": "Securelist Calisto July 2018", + "description": "Kuzin, M., Zelensky S. (2018, July 20). Calisto Trojan for macOS. Retrieved September 7, 2018.", + "url": "https://securelist.com/calisto-trojan-for-macos/86543/" + }, + { + "source_name": "Symantec Calisto July 2018", + "description": "Pantig, J. (2018, July 30). OSX.Calisto. Retrieved September 7, 2018.", + "url": "https://web.archive.org/web/20190111082249/https://www.symantec.com/security-center/writeup/2018-073014-2512-99?om_rssid=sr-latestthreats30days" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Calisto" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Cody Thomas, SpecterOps" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "macOS" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-21 19:42:40.612000+00:00\", \"old_value\": \"2020-03-30 01:58:55.849000+00:00\"}, \"root['external_references'][3]['url']\": {\"new_value\": \"https://web.archive.org/web/20190111082249/https://www.symantec.com/security-center/writeup/2018-073014-2512-99?om_rssid=sr-latestthreats30days\", \"old_value\": \"https://www.symantec.com/security-center/writeup/2018-073014-2512-99?om_rssid=sr-latestthreats30days\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--72f54d66-675d-4587-9bd3-4ed09f9522e4", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:32:22.213000+00:00", + "modified": "2023-08-17 19:51:14.195000+00:00", + "name": "Carbanak", + "description": "[Carbanak](https://attack.mitre.org/software/S0030) is a full-featured, remote backdoor used by a group of the same name ([Carbanak](https://attack.mitre.org/groups/G0008)). It is intended for espionage, data exfiltration, and providing remote access to infected machines. (Citation: Kaspersky Carbanak) (Citation: FireEye CARBANAK June 2017)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0030", + "external_id": "S0030" + }, + { + "source_name": "Carbanak", + "description": "(Citation: FireEye CARBANAK June 2017)" + }, + { + "source_name": "Anunak", + "description": "(Citation: Fox-It Anunak Feb 2015) (Citation: FireEye CARBANAK June 2017)" + }, + { + "source_name": "FireEye CARBANAK June 2017", + "description": "Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.", + "url": "https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html" + }, + { + "source_name": "Kaspersky Carbanak", + "description": "Kaspersky Lab's Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved August 23, 2018.", + "url": "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf" + }, + { + "source_name": "Fox-It Anunak Feb 2015", + "description": "Prins, R. (2015, February 16). Anunak (aka Carbanak) Update. Retrieved January 20, 2017.", + "url": "https://www.fox-it.com/en/news/blog/anunak-aka-carbanak-update/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Carbanak", + "Anunak" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-17 19:51:14.195000+00:00\", \"old_value\": \"2021-04-01 16:03:31.574000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--4f1c389e-a80e-4a3e-9b0e-9be8c91df64f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-04-06 15:53:34.722000+00:00", + "modified": "2021-04-19 17:45:07.102000+00:00", + "name": "Doki", + "description": "[Doki](https://attack.mitre.org/software/S0600) is a backdoor that uses a unique Dogecoin-based Domain Generation Algorithm and was first observed in July 2020. [Doki](https://attack.mitre.org/software/S0600) was used in conjunction with the [ngrok](https://attack.mitre.org/software/S0508) Mining Botnet in a campaign that targeted Docker servers in cloud platforms. (Citation: Intezer Doki July 20)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0600", + "external_id": "S0600" + }, + { + "source_name": "Intezer Doki July 20", + "description": "Fishbein, N., Kajiloti, M.. (2020, July 28). Watch Your Containers: Doki Infecting Docker Servers in the Cloud. Retrieved March 30, 2021.", + "url": "https://www.intezer.com/blog/cloud-security/watch-your-containers-doki-infecting-docker-servers-in-the-cloud/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Doki" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "Containers" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"values_changed\": {\"root['description']\": {\"new_value\": \"[Doki](https://attack.mitre.org/software/S0600) is a backdoor that uses a unique Dogecoin-based Domain Generation Algorithm and was first observed in July 2020. [Doki](https://attack.mitre.org/software/S0600) was used in conjunction with the [ngrok](https://attack.mitre.org/software/S0508) Mining Botnet in a campaign that targeted Docker servers in cloud platforms. (Citation: Intezer Doki July 20)\", \"old_value\": \"[Doki](https://attack.mitre.org/software/S0600) is a backdoor that uses a unique Dogecoin-based Domain Generation Algorithm and was first observed in July 2020. [Doki](https://attack.mitre.org/software/S0600) was used in conjunction with the [Ngrok](https://attack.mitre.org/software/S0508) Mining Botnet in a campaign that targeted Docker servers in cloud platforms. (Citation: Intezer Doki July 20)\"}}}", + "previous_version": "1.0", + "description_change_table": "\n \n \n \n \n \n \n \n \n \n \n \n \n \n

    		Old Description
    		New Description
    t1[Doki](https://attack.mitre.org/software/S0600) is a backdoot1[Doki](https://attack.mitre.org/software/S0600) is a backdoo
    >r that uses a unique Dogecoin-based Domain Generation Algori>r that uses a unique Dogecoin-based Domain Generation Algori
    >thm and was first observed in July 2020. [Doki](https://atta>thm and was first observed in July 2020. [Doki](https://atta
    >ck.mitre.org/software/S0600) was used in conjunction with th>ck.mitre.org/software/S0600) was used in conjunction with th
    >e [Ngrok](https://attack.mitre.org/software/S0508) Mining Bo>e [ngrok](https://attack.mitre.org/software/S0508) Mining Bo
    >tnet in a campaign that targeted Docker servers in cloud pla>tnet in a campaign that targeted Docker servers in cloud pla
    >tforms. (Citation: Intezer Doki July 20)>tforms. (Citation: Intezer Doki July 20)
    " + }, + { + "type": "malware", + "id": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-01-04 20:42:21.997000+00:00", + "modified": "2023-10-17 20:09:38.062000+00:00", + "name": "Industroyer", + "description": "[Industroyer](https://attack.mitre.org/software/S0604) is a sophisticated malware framework designed to cause an impact to the working processes of Industrial Control Systems (ICS), specifically components used in electrical substations.(Citation: ESET Industroyer) [Industroyer](https://attack.mitre.org/software/S0604) was used in the attacks on the Ukrainian power grid in December 2016.(Citation: Dragos Crashoverride 2017) This is the first publicly known malware specifically designed to target and impact operations in the electric grid.(Citation: Dragos Crashoverride 2018)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0604", + "external_id": "S0604" + }, + { + "source_name": "CRASHOVERRIDE", + "description": "(Citation: Dragos Crashoverride 2017)" + }, + { + "source_name": "Win32/Industroyer", + "description": "(Citation: ESET Industroyer)" + }, + { + "source_name": "ESET Industroyer", + "description": "Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020.", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + }, + { + "source_name": "Dragos Crashoverride 2017", + "description": "Dragos Inc.. (2017, June 13). CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Retrieved December 18, 2020.", + "url": "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf" + }, + { + "source_name": "Dragos Crashoverride 2018", + "description": "Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.", + "url": "https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Industroyer", + "CRASHOVERRIDE", + "Win32/Industroyer" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Dragos Threat Intelligence", + "Joe Slowik - Dragos" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-17 20:09:38.062000+00:00\", \"old_value\": \"2022-10-20 20:37:50.556000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_contributors'][1]\": {\"new_value\": \"Joe Slowik - Dragos\", \"old_value\": \"Joe Slowik - Dragos\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--5af7a825-2d9f-400d-931a-e00eb9e27f48", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-04-16 19:00:49.435000+00:00", + "modified": "2023-10-17 20:05:34.648000+00:00", + "name": "LockerGoga", + "description": "[LockerGoga](https://attack.mitre.org/software/S0372) is ransomware that was first reported in January 2019, and has been tied to various attacks on European companies, including industrial and manufacturing firms.(Citation: Unit42 LockerGoga 2019)(Citation: CarbonBlack LockerGoga 2019)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0372", + "external_id": "S0372" + }, + { + "source_name": "CarbonBlack LockerGoga 2019", + "description": "CarbonBlack Threat Analysis Unit. (2019, March 22). TAU Threat Intelligence Notification \u2013 LockerGoga Ransomware. Retrieved April 16, 2019.", + "url": "https://www.carbonblack.com/2019/03/22/tau-threat-intelligence-notification-lockergoga-ransomware/" + }, + { + "source_name": "Unit42 LockerGoga 2019", + "description": "Harbison, M. (2019, March 26). Born This Way? Origins of LockerGoga. Retrieved April 16, 2019.", + "url": "https://unit42.paloaltonetworks.com/born-this-way-origins-of-lockergoga/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "LockerGoga" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Joe Slowik - Dragos" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "2.0", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-17 20:05:34.648000+00:00\", \"old_value\": \"2023-03-08 22:03:50.370000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_contributors'][0]\": {\"new_value\": \"Joe Slowik - Dragos\", \"old_value\": \"Joe Slowik - Dragos\"}}}", + "previous_version": "2.0" + }, + { + "type": "malware", + "id": "malware--5c6ed2dc-37f4-40ea-b2e1-4c76140a388c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-04-18 17:59:24.739000+00:00", + "modified": "2023-09-19 13:31:34.134000+00:00", + "name": "PUNCHBUGGY", + "description": "[PUNCHBUGGY](https://attack.mitre.org/software/S0196) is a backdoor malware used by [FIN8](https://attack.mitre.org/groups/G0061) that has been observed targeting POS networks in the hospitality industry. (Citation: Morphisec ShellTea June 2019)(Citation: FireEye Fin8 May 2016) (Citation: FireEye Know Your Enemy FIN8 Aug 2016)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0196", + "external_id": "S0196" + }, + { + "source_name": "PUNCHBUGGY", + "description": "(Citation: FireEye Fin8 May 2016) (Citation: FireEye Know Your Enemy FIN8 Aug 2016)" + }, + { + "source_name": "ShellTea", + "description": "(Citation: Morphisec ShellTea June 2019)" + }, + { + "source_name": "FireEye Know Your Enemy FIN8 Aug 2016", + "description": "Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.", + "url": "https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html" + }, + { + "source_name": "Morphisec ShellTea June 2019", + "description": "Gorelik, M.. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.", + "url": "http://blog.morphisec.com/security-alert-fin8-is-back" + }, + { + "source_name": "FireEye Fin8 May 2016", + "description": "Kizhakkinan, D., et al. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018.", + "url": "https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "PUNCHBUGGY", + "ShellTea" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "2.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-19 13:31:34.134000+00:00\", \"old_value\": \"2021-02-09 14:07:10.907000+00:00\"}, \"root['external_references'][4]['description']\": {\"new_value\": \"Kizhakkinan, D., et al. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018.\", \"old_value\": \"Kizhakkinan, D. et al.. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018.\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}}}", + "previous_version": "2.1" + }, + { + "type": "malware", + "id": "malware--c4de7d83-e875-4c88-8b5d-06c41e5b7e79", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-04-18 17:59:24.739000+00:00", + "modified": "2023-09-19 13:31:34.134000+00:00", + "name": "PUNCHTRACK", + "description": "[PUNCHTRACK](https://attack.mitre.org/software/S0197) is non-persistent point of sale (POS) system malware utilized by [FIN8](https://attack.mitre.org/groups/G0061) to scrape payment card data. (Citation: FireEye Fin8 May 2016) (Citation: FireEye Know Your Enemy FIN8 Aug 2016)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0197", + "external_id": "S0197" + }, + { + "source_name": "PUNCHTRACK", + "description": "(Citation: FireEye Fin8 May 2016) (Citation: FireEye Know Your Enemy FIN8 Aug 2016)" + }, + { + "source_name": "PSVC", + "description": "(Citation: FireEye Know Your Enemy FIN8 Aug 2016)" + }, + { + "source_name": "FireEye Know Your Enemy FIN8 Aug 2016", + "description": "Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.", + "url": "https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html" + }, + { + "source_name": "FireEye Fin8 May 2016", + "description": "Kizhakkinan, D., et al. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018.", + "url": "https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "PUNCHTRACK", + "PSVC" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-19 13:31:34.134000+00:00\", \"old_value\": \"2020-03-17 14:48:43.852000+00:00\"}, \"root['external_references'][3]['description']\": {\"new_value\": \"Kizhakkinan, D., et al. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018.\", \"old_value\": \"Kizhakkinan, D. et al.. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018.\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}}}", + "previous_version": "1.1" + }, + { + "type": "tool", + "id": "tool--13cd9151-83b7-410d-9f98-25d0f0d1d80d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-04-18 17:59:24.739000+00:00", + "modified": "2023-08-17 19:50:17.832000+00:00", + "name": "PowerSploit", + "description": "[PowerSploit](https://attack.mitre.org/software/S0194) is an open source, offensive security framework comprised of [PowerShell](https://attack.mitre.org/techniques/T1059/001) modules and scripts that perform a wide range of tasks related to penetration testing such as code execution, persistence, bypassing anti-virus, recon, and exfiltration. (Citation: GitHub PowerSploit May 2012) (Citation: PowerShellMagazine PowerSploit July 2014) (Citation: PowerSploit Documentation)", + "revoked": false, + "labels": [ + "tool" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0194", + "external_id": "S0194" + }, + { + "source_name": "PowerShellMagazine PowerSploit July 2014", + "description": "Graeber, M. (2014, July 8). PowerSploit. Retrieved February 6, 2018.", + "url": "http://www.powershellmagazine.com/2014/07/08/powersploit/" + }, + { + "source_name": "GitHub PowerSploit May 2012", + "description": "PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.", + "url": "https://github.com/PowerShellMafia/PowerSploit" + }, + { + "source_name": "PowerSploit Documentation", + "description": "PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.", + "url": "http://powersploit.readthedocs.io" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "PowerSploit" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.6", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-17 19:50:17.832000+00:00\", \"old_value\": \"2023-03-22 05:12:48.213000+00:00\"}}}", + "previous_version": "1.6" + } + ], + "revocations": [ + { + "type": "malware", + "id": "malware--911fe4c3-444d-4e92-83b8-cc761ac5fd3b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-15 13:32:10.185000+00:00", + "modified": "2023-09-25 18:56:12.154000+00:00", + "name": "Ngrok", + "description": "", + "revoked": true, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S9000", + "external_id": "S9000" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Ngrok" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Janantha Marasinghe" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-25 18:56:12.154000+00:00\", \"old_value\": \"2023-04-13 13:24:56.579000+00:00\"}, \"root['description']\": {\"new_value\": \"\", \"old_value\": \"[Ngrok](https://attack.mitre.org/software/S0508) is a legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public IP. [Ngrok](https://attack.mitre.org/software/S0508) has been leveraged by threat actors in several campaigns including use for lateral movement and data exfiltration.(Citation: Zdnet Ngrok September 2018)(Citation: FireEye Maze May 2020)(Citation: Cyware Ngrok May 2019)(Citation: MalwareBytes LazyScripter Feb 2021)\"}, \"root['revoked']\": {\"new_value\": true, \"old_value\": false}, \"root['external_references'][0]\": {\"new_value\": {\"source_name\": \"mitre-attack\", \"url\": \"https://attack.mitre.org/software/S9000\", \"external_id\": \"S9000\"}, \"old_value\": {\"source_name\": \"mitre-attack\", \"url\": \"https://attack.mitre.org/software/S0508\", \"external_id\": \"S0508\"}}}, \"iterable_item_removed\": {\"root['external_references'][1]\": {\"source_name\": \"Zdnet Ngrok September 2018\", \"description\": \"Cimpanu, C. (2018, September 13). Sly malware author hides cryptomining botnet behind ever-shifting proxy service. Retrieved September 15, 2020.\", \"url\": \"https://www.zdnet.com/article/sly-malware-author-hides-cryptomining-botnet-behind-ever-shifting-proxy-service/\"}, \"root['external_references'][2]\": {\"source_name\": \"Cyware Ngrok May 2019\", \"description\": \"Cyware. (2019, May 29). Cyber attackers leverage tunneling service to drop Lokibot onto victims\\u2019 systems. Retrieved September 15, 2020.\", \"url\": \"https://cyware.com/news/cyber-attackers-leverage-tunneling-service-to-drop-lokibot-onto-victims-systems-6f610e44\"}, \"root['external_references'][3]\": {\"source_name\": \"MalwareBytes LazyScripter Feb 2021\", \"description\": \"Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.\", \"url\": \"https://www.malwarebytes.com/resources/files/2021/02/lazyscripter.pdf\"}, \"root['external_references'][4]\": {\"source_name\": \"FireEye Maze May 2020\", \"description\": \"Kennelly, J., Goody, K., Shilko, J. (2020, May 7). Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents. Retrieved May 18, 2020.\", \"url\": \"https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html\"}}}", + "revoked_by": { + "type": "tool", + "id": "tool--2f7f03bb-f367-4a5a-ad9b-310a12a48906", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-09-14 18:56:34.771000+00:00", + "modified": "2023-09-25 18:54:49.773000+00:00", + "name": "ngrok", + "description": "[ngrok](https://attack.mitre.org/software/S0508) is a legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public IP. [ngrok](https://attack.mitre.org/software/S0508) has been leveraged by threat actors in several campaigns including use for lateral movement and data exfiltration.(Citation: Zdnet Ngrok September 2018)(Citation: FireEye Maze May 2020)(Citation: Cyware Ngrok May 2019)(Citation: MalwareBytes LazyScripter Feb 2021)", + "revoked": false, + "labels": [ + "tool" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0508", + "external_id": "S0508" + }, + { + "source_name": "Zdnet Ngrok September 2018", + "description": "Cimpanu, C. (2018, September 13). Sly malware author hides cryptomining botnet behind ever-shifting proxy service. Retrieved September 15, 2020.", + "url": "https://www.zdnet.com/article/sly-malware-author-hides-cryptomining-botnet-behind-ever-shifting-proxy-service/" + }, + { + "source_name": "Cyware Ngrok May 2019", + "description": "Cyware. (2019, May 29). Cyber attackers leverage tunneling service to drop Lokibot onto victims\u2019 systems. Retrieved September 15, 2020.", + "url": "https://cyware.com/news/cyber-attackers-leverage-tunneling-service-to-drop-lokibot-onto-victims-systems-6f610e44" + }, + { + "source_name": "MalwareBytes LazyScripter Feb 2021", + "description": "Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.", + "url": "https://www.malwarebytes.com/resources/files/2021/02/lazyscripter.pdf" + }, + { + "source_name": "FireEye Maze May 2020", + "description": "Kennelly, J., Goody, K., Shilko, J. (2020, May 7). Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents. Retrieved May 18, 2020.", + "url": "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "ngrok" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Janantha Marasinghe" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.2" + } + } + ], + "deprecations": [], + "deletions": [] + }, + "groups": { + "additions": [ + { + "type": "intrusion-set", + "id": "intrusion-set--92d5b3fd-3b39-438e-af68-770e447beada", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-01-16 00:14:20.562000+00:00", + "modified": "2023-08-23 18:47:11.704000+00:00", + "name": "Charming Kitten", + "description": "[Charming Kitten](https://attack.mitre.org/groups/G0058) is an Iranian cyber espionage group that has been active since approximately 2014. They appear to focus on targeting individuals of interest to Iran who work in academic research, human rights, and media, with most victims having been located in Iran, the US, Israel, and the UK. [[Charming Kitten](https://attack.mitre.org/groups/G0058) often tries to access private email and Facebook accounts, and sometimes establishes a foothold on victim computers as a secondary objective. The group's TTPs overlap extensively with another group, [Magic Hound](https://attack.mitre.org/groups/G0059), resulting in reporting that may not distinguish between the two groups' activities.(Citation: ClearSky Charming Kitten Dec 2017)", + "aliases": [ + "Charming Kitten" + ], + "revoked": true, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0058", + "external_id": "G0058" + }, + { + "source_name": "Charming Kitten", + "description": "(Citation: ClearSky Charming Kitten Dec 2017)" + }, + { + "source_name": "ClearSky Charming Kitten Dec 2017", + "description": "ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017.", + "url": "http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "intrusion-set", + "id": "intrusion-set--fd66436e-4d33-450e-ac4c-f7810f1c85f4", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-07-27 15:24:02.162000+00:00", + "modified": "2023-09-29 19:08:47.861000+00:00", + "name": "FIN13", + "description": "[FIN13](https://attack.mitre.org/groups/G1016) is a financially motivated cyber threat group that has targeted the financial, retail, and hospitality industries in Mexico and Latin America, as early as 2016. [FIN13](https://attack.mitre.org/groups/G1016) achieves its objectives by stealing intellectual property, financial data, mergers and acquisition information, or PII.(Citation: Mandiant FIN13 Aug 2022)(Citation: Sygnia Elephant Beetle Jan 2022)", + "aliases": [ + "FIN13", + "Elephant Beetle" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G1016", + "external_id": "G1016" + }, + { + "source_name": "Elephant Beetle", + "description": "(Citation: Sygnia Elephant Beetle Jan 2022)" + }, + { + "source_name": "Sygnia Elephant Beetle Jan 2022", + "description": "Sygnia Incident Response Team. (2022, January 5). TG2003: ELEPHANT BEETLE UNCOVERING AN ORGANIZED FINANCIAL-THEFT OPERATION. Retrieved February 9, 2023.", + "url": "https://f.hubspotusercontent30.net/hubfs/8776530/Sygnia-%20Elephant%20Beetle_Jan2022.pdf?__hstc=147695848.3e8f1a482c8f8d4531507747318e660b.1680005306711.1680005306711.1680005306711.1&__hssc=147695848.1.1680005306711&__hsfp=3000179024&hsCtaTracking=189ec409-ae2d-4909-8bf1-62dcdd694372%7Cca91d317-8f10-4a38-9f80-367f551ad64d" + }, + { + "source_name": "Mandiant FIN13 Aug 2022", + "description": "Ta, V., et al. (2022, August 8). FIN13: A Cybercriminal Threat Actor Focused on Mexico. Retrieved February 9, 2023.", + "url": "https://www.mandiant.com/resources/blog/fin13-cybercriminal-mexico" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Oren Biderman, Sygnia", + "Noam Lifshitz, Sygnia" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "intrusion-set", + "id": "intrusion-set--7251b44b-6072-476c-b8d9-a6e32c355b28", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-09-25 18:11:05.672000+00:00", + "modified": "2023-09-26 14:34:08.342000+00:00", + "name": "MoustachedBouncer", + "description": "[MoustachedBouncer](https://attack.mitre.org/groups/G1019) is a cyberespionage group that has been active since at least 2014 targeting foreign embassies in Belarus.(Citation: MoustachedBouncer ESET August 2023)", + "aliases": [ + "MoustachedBouncer" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G1019", + "external_id": "G1019" + }, + { + "source_name": "MoustachedBouncer ESET August 2023", + "description": "Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023.", + "url": "https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "intrusion-set", + "id": "intrusion-set--44d37b89-a739-4810-9111-0d2617a8939b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-07-05 17:54:54.789000+00:00", + "modified": "2023-09-22 18:36:55.117000+00:00", + "name": "Scattered Spider", + "description": "[Scattered Spider](https://attack.mitre.org/groups/G1015) is a cybercriminal group that has been active since at least 2022 targeting customer relationship management and business-process outsourcing (BPO) firms as well as telecommunications and technology companies. During campaigns [Scattered Spider](https://attack.mitre.org/groups/G1015) has leveraged targeted social-engineering techniques and attempted to bypass popular endpoint security tools.(Citation: CrowdStrike Scattered Spider Profile)(Citation: CrowdStrike Scattered Spider BYOVD January 2023)(Citation: Crowdstrike TELCO BPO Campaign December 2022)", + "aliases": [ + "Scattered Spider", + "Roasted 0ktapus" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G1015", + "external_id": "G1015" + }, + { + "source_name": "Roasted 0ktapus", + "description": "(Citation: CrowdStrike Scattered Spider BYOVD January 2023)" + }, + { + "source_name": "CrowdStrike Scattered Spider BYOVD January 2023", + "description": "CrowdStrike. (2023, January 10). SCATTERED SPIDER Exploits Windows Security Deficiencies with Bring-Your-Own-Vulnerable-Driver Tactic in Attempt to Bypass Endpoint Security. Retrieved July 5, 2023.", + "url": "https://www.crowdstrike.com/blog/scattered-spider-attempts-to-avoid-detection-with-bring-your-own-vulnerable-driver-tactic/" + }, + { + "source_name": "CrowdStrike Scattered Spider Profile", + "description": "CrowdStrike. (n.d.). Scattered Spider. Retrieved July 5, 2023.", + "url": "https://www.crowdstrike.com/adversaries/scattered-spider/" + }, + { + "source_name": "Crowdstrike TELCO BPO Campaign December 2022", + "description": "Parisi, T. (2022, December 2). Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies. Retrieved June 30, 2023.", + "url": "https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "intrusion-set", + "id": "intrusion-set--467271fd-47c0-4e90-a3f9-d84f5cf790d0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-09-12 17:00:22.615000+00:00", + "modified": "2023-10-10 17:19:36.480000+00:00", + "name": "TA2541", + "description": "[TA2541](https://attack.mitre.org/groups/G1018) is a cybercriminal group that has been targeting the aviation, aerospace, transportation, manufacturing, and defense industries since at least 2017. [TA2541](https://attack.mitre.org/groups/G1018) campaigns are typically high volume and involve the use of commodity remote access tools obfuscated by crypters and themes related to aviation, transportation, and travel.(Citation: Proofpoint TA2541 February 2022)(Citation: Cisco Operation Layover September 2021)", + "aliases": [ + "TA2541" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G1018", + "external_id": "G1018" + }, + { + "source_name": "Proofpoint TA2541 February 2022", + "description": "Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. Retrieved September 12, 2023.", + "url": "https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight" + }, + { + "source_name": "Cisco Operation Layover September 2021", + "description": "Ventura, V. (2021, September 16). Operation Layover: How we tracked an attack on the aviation industry to five years of compromise. Retrieved September 15, 2023.", + "url": "https://blog.talosintelligence.com/operation-layover-how-we-tracked-attack/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Pooja Natarajan, NEC Corporation India", + "Aaron Jornet" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "intrusion-set", + "id": "intrusion-set--174279b4-399f-4ddb-966e-5efedd1dd5f2", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-07-27 20:35:46.206000+00:00", + "modified": "2023-10-03 15:45:14.731000+00:00", + "name": "Volt Typhoon", + "description": "[Volt Typhoon](https://attack.mitre.org/groups/G1017) is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021. [Volt Typhoon](https://attack.mitre.org/groups/G1017) typically focuses on espionage and information gathering and has targeted critical infrastructure organizations in the US including Guam. [Volt Typhoon](https://attack.mitre.org/groups/G1017) has emphasized stealth in operations using web shells, living-off-the-land (LOTL) binaries, hands on keyboard activities, and stolen credentials.(Citation: Microsoft Volt Typhoon May 2023)(Citation: Joint Cybersecurity Advisory Volt Typhoon June 2023)(Citation: Secureworks BRONZE SILHOUETTE May 2023)", + "aliases": [ + "Volt Typhoon", + "BRONZE SILHOUETTE" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G1017", + "external_id": "G1017" + }, + { + "source_name": "BRONZE SILHOUETTE", + "description": "(Citation: Secureworks BRONZE SILHOUETTE May 2023)" + }, + { + "source_name": "Secureworks BRONZE SILHOUETTE May 2023", + "description": "Counter Threat Unit Research Team. (2023, May 24). Chinese Cyberespionage Group BRONZE SILHOUETTE Targets U.S. Government and Defense Organizations. Retrieved July 27, 2023.", + "url": "https://www.secureworks.com/blog/chinese-cyberespionage-group-bronze-silhouette-targets-us-government-and-defense-organizations" + }, + { + "source_name": "Microsoft Volt Typhoon May 2023", + "description": "Microsoft Threat Intelligence. (2023, May 24). Volt Typhoon targets US critical infrastructure with living-off-the-land techniques. Retrieved July 27, 2023.", + "url": "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/" + }, + { + "source_name": "Joint Cybersecurity Advisory Volt Typhoon June 2023", + "description": "NSA et al. (2023, May 24). People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. Retrieved July 27, 2023.", + "url": "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Phyo Paing Htun (ChiLai), I-Secure Co.,Ltd", + "Ai Kimura, NEC Corporation", + "Manikantan Srinivasan, NEC Corporation India", + "Pooja Natarajan, NEC Corporation India" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + } + ], + "major_version_changes": [ + { + "type": "intrusion-set", + "id": "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:31:52.748000+00:00", + "modified": "2023-10-02 21:33:07.807000+00:00", + "name": "APT29", + "description": "[APT29](https://attack.mitre.org/groups/G0016) is threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).(Citation: White House Imposing Costs RU Gov April 2021)(Citation: UK Gov Malign RIS Activity April 2021) They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. [APT29](https://attack.mitre.org/groups/G0016) reportedly compromised the Democratic National Committee starting in the summer of 2015.(Citation: F-Secure The Dukes)(Citation: GRIZZLY STEPPE JAR)(Citation: Crowdstrike DNC June 2016)(Citation: UK Gov UK Exposes Russia SolarWinds April 2021)\n\nIn April 2021, the US and UK governments attributed the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024) to the SVR; public statements included citations to [APT29](https://attack.mitre.org/groups/G0016), Cozy Bear, and The Dukes.(Citation: NSA Joint Advisory SVR SolarWinds April 2021)(Citation: UK NSCS Russia SolarWinds April 2021) Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: MSTIC NOBELIUM Mar 2021)(Citation: CrowdStrike SUNSPOT Implant January 2021)(Citation: Volexity SolarWinds)(Citation: Cybersecurity Advisory SVR TTP May 2021)(Citation: Unit 42 SolarStorm December 2020)", + "aliases": [ + "APT29", + "IRON RITUAL", + "IRON HEMLOCK", + "NobleBaron", + "Dark Halo", + "StellarParticle", + "NOBELIUM", + "UNC2452", + "YTTRIUM", + "The Dukes", + "Cozy Bear", + "CozyDuke", + "SolarStorm", + "Blue Kitsune", + "UNC3524" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0016", + "external_id": "G0016" + }, + { + "source_name": "CozyDuke", + "description": "(Citation: Crowdstrike DNC June 2016)" + }, + { + "source_name": "Cozy Bear", + "description": "(Citation: Crowdstrike DNC June 2016)(Citation: ESET Dukes October 2019)(Citation: NCSC APT29 July 2020)(Citation: Cybersecurity Advisory SVR TTP May 2021)(Citation: CrowdStrike StellarParticle January 2022)" + }, + { + "source_name": "StellarParticle", + "description": "(Citation: CrowdStrike SUNSPOT Implant January 2021)(Citation: CrowdStrike StellarParticle January 2022)" + }, + { + "source_name": "The Dukes", + "description": "(Citation: F-Secure The Dukes)(Citation: ESET Dukes October 2019)(Citation: NCSC APT29 July 2020)(Citation: Cybersecurity Advisory SVR TTP May 2021)" + }, + { + "source_name": "APT29", + "description": "(Citation: F-Secure The Dukes)(Citation: FireEye APT29 Nov 2018)(Citation: ESET Dukes October 2019)(Citation: NCSC APT29 July 2020)(Citation: Cybersecurity Advisory SVR TTP May 2021)" + }, + { + "source_name": "UNC2452", + "description": "(Citation: FireEye SUNBURST Backdoor December 2020)" + }, + { + "source_name": "UNC3524", + "description": "(Citation: Mandiant APT29 Eye Spy Email Nov 22)" + }, + { + "source_name": "YTTRIUM", + "description": "(Citation: Microsoft Unidentified Dec 2018)" + }, + { + "source_name": "NOBELIUM", + "description": "(Citation: MSTIC NOBELIUM Mar 2021)(Citation: MSTIC NOBELIUM May 2021)(Citation: MSTIC Nobelium Toolset May 2021)(Citation: MSRC Nobelium June 2021)" + }, + { + "source_name": "Blue Kitsune", + "description": "(Citation: PWC WellMess July 2020)(Citation: PWC WellMess C2 August 2020)" + }, + { + "source_name": "IRON HEMLOCK", + "description": "(Citation: Secureworks IRON HEMLOCK Profile)" + }, + { + "source_name": "IRON RITUAL", + "description": "(Citation: Secureworks IRON RITUAL Profile)" + }, + { + "source_name": "NobleBaron", + "description": "(Citation: SentinelOne NobleBaron June 2021)" + }, + { + "source_name": "SolarStorm", + "description": "(Citation: Unit 42 SolarStorm December 2020)" + }, + { + "source_name": "Dark Halo", + "description": "(Citation: Volexity SolarWinds)" + }, + { + "source_name": "Crowdstrike DNC June 2016", + "description": "Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.", + "url": "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" + }, + { + "source_name": "Volexity SolarWinds", + "description": "Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020.", + "url": "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" + }, + { + "source_name": "CrowdStrike SUNSPOT Implant January 2021", + "description": "CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021.", + "url": "https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/" + }, + { + "source_name": "CrowdStrike StellarParticle January 2022", + "description": "CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.", + "url": "https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" + }, + { + "source_name": "GRIZZLY STEPPE JAR", + "description": "Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE \u2013 Russian Malicious Cyber Activity. Retrieved January 11, 2017.", + "url": "https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf" + }, + { + "source_name": "FireEye APT29 Nov 2018", + "description": "Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018.", + "url": "https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html" + }, + { + "source_name": "F-Secure The Dukes", + "description": "F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.", + "url": "https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" + }, + { + "source_name": "ESET Dukes October 2019", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" + }, + { + "source_name": "FireEye SUNBURST Backdoor December 2020", + "description": "FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.", + "url": "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" + }, + { + "source_name": "SentinelOne NobleBaron June 2021", + "description": "Guerrero-Saade, J. (2021, June 1). NobleBaron | New Poisoned Installers Could Be Used In Supply Chain Attacks. Retrieved August 4, 2021.", + "url": "https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/" + }, + { + "source_name": "Mandiant APT29 Eye Spy Email Nov 22", + "description": "Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved August 17, 2023.", + "url": "https://www.mandiant.com/resources/blog/unc3524-eye-spy-email" + }, + { + "source_name": "Microsoft Unidentified Dec 2018", + "description": "Microsoft Defender Research Team. (2018, December 3). Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers. Retrieved April 15, 2019.", + "url": "https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/" + }, + { + "source_name": "MSTIC NOBELIUM May 2021", + "description": "Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021.", + "url": "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/" + }, + { + "source_name": "MSRC Nobelium June 2021", + "description": "MSRC. (2021, June 25). New Nobelium activity. Retrieved August 4, 2021.", + "url": "https://msrc-blog.microsoft.com/2021/06/25/new-nobelium-activity/" + }, + { + "source_name": "MSTIC Nobelium Toolset May 2021", + "description": "MSTIC. (2021, May 28). Breaking down NOBELIUM\u2019s latest early-stage toolset. Retrieved August 4, 2021.", + "url": "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/" + }, + { + "source_name": "MSTIC NOBELIUM Mar 2021", + "description": "Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM\u2019s layered persistence. Retrieved March 8, 2021.", + "url": "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/" + }, + { + "source_name": "NCSC APT29 July 2020", + "description": "National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020.", + "url": "https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf" + }, + { + "source_name": "Cybersecurity Advisory SVR TTP May 2021", + "description": "NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021.", + "url": "https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf" + }, + { + "source_name": "NSA Joint Advisory SVR SolarWinds April 2021", + "description": "NSA, FBI, DHS. (2021, April 15). Russian SVR Targets U.S. and Allied Networks. Retrieved April 16, 2021.", + "url": "https://media.defense.gov/2021/Apr/15/2002621240/-1/-1/0/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF" + }, + { + "source_name": "PWC WellMess C2 August 2020", + "description": "PWC. (2020, August 17). WellMess malware: analysis of its Command and Control (C2) server. Retrieved September 29, 2020.", + "url": "https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmess-analysis-command-control.html" + }, + { + "source_name": "PWC WellMess July 2020", + "description": "PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020.", + "url": "https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html" + }, + { + "source_name": "Secureworks IRON HEMLOCK Profile", + "description": "Secureworks CTU. (n.d.). IRON HEMLOCK. Retrieved February 22, 2022.", + "url": "http://www.secureworks.com/research/threat-profiles/iron-hemlock" + }, + { + "source_name": "Secureworks IRON RITUAL Profile", + "description": "Secureworks CTU. (n.d.). IRON RITUAL. Retrieved February 24, 2022.", + "url": "https://www.secureworks.com/research/threat-profiles/iron-ritual" + }, + { + "source_name": "UK Gov Malign RIS Activity April 2021", + "description": "UK Gov. (2021, April 15). UK and US expose global campaign of malign activity by Russian intelligence services . Retrieved April 16, 2021.", + "url": "https://www.gov.uk/government/news/russia-uk-and-us-expose-global-campaigns-of-malign-activity-by-russian-intelligence-services" + }, + { + "source_name": "UK Gov UK Exposes Russia SolarWinds April 2021", + "description": "UK Gov. (2021, April 15). UK exposes Russian involvement in SolarWinds cyber compromise . Retrieved April 16, 2021.", + "url": "https://www.gov.uk/government/news/russia-uk-exposes-russian-involvement-in-solarwinds-cyber-compromise" + }, + { + "source_name": "UK NSCS Russia SolarWinds April 2021", + "description": "UK NCSC. (2021, April 15). UK and US call out Russia for SolarWinds compromise. Retrieved April 16, 2021.", + "url": "https://www.ncsc.gov.uk/news/uk-and-us-call-out-russia-for-solarwinds-compromise" + }, + { + "source_name": "Unit 42 SolarStorm December 2020", + "description": "Unit 42. (2020, December 23). SolarStorm Supply Chain Attack Timeline. Retrieved March 24, 2023.", + "url": "https://unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline/" + }, + { + "source_name": "White House Imposing Costs RU Gov April 2021", + "description": "White House. (2021, April 15). Imposing Costs for Harmful Foreign Activities by the Russian Government. Retrieved April 16, 2021.", + "url": "https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Daniyal Naeem, BT Security", + "Matt Brenton, Zurich Insurance Group", + "Katie Nickels, Red Canary", + "Joe Gumke, U.S. Bank" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "5.0", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-02 21:33:07.807000+00:00\", \"old_value\": \"2023-04-16 22:25:01.191000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"5.0\", \"old_value\": \"4.0\"}}, \"iterable_item_added\": {\"root['aliases'][14]\": \"UNC3524\", \"root['external_references'][7]\": {\"source_name\": \"UNC3524\", \"description\": \"(Citation: Mandiant APT29 Eye Spy Email Nov 22)\"}, \"root['external_references'][26]\": {\"source_name\": \"Mandiant APT29 Eye Spy Email Nov 22\", \"description\": \"Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved August 17, 2023.\", \"url\": \"https://www.mandiant.com/resources/blog/unc3524-eye-spy-email\"}}}", + "previous_version": "4.0", + "version_change": "4.0 \u2192 5.0" + }, + { + "type": "intrusion-set", + "id": "intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:32:09.460000+00:00", + "modified": "2023-10-04 18:10:49.054000+00:00", + "name": "FIN7", + "description": "[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013. [FIN7](https://attack.mitre.org/groups/G0046) has primarily targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, and utilities industries in the U.S. A portion of [FIN7](https://attack.mitre.org/groups/G0046) was run out of a front company called Combi Security and often used point-of-sale malware for targeting efforts. Since 2020, [FIN7](https://attack.mitre.org/groups/G0046) shifted operations to a big game hunting (BGH) approach including use of [REvil](https://attack.mitre.org/software/S0496) ransomware and their own Ransomware as a Service (RaaS), Darkside. FIN7 may be linked to the [Carbanak](https://attack.mitre.org/groups/G0008) Group, but there appears to be several groups using [Carbanak](https://attack.mitre.org/software/S0030) malware and are therefore tracked separately.(Citation: FireEye FIN7 March 2017)(Citation: FireEye FIN7 April 2017)(Citation: FireEye CARBANAK June 2017)(Citation: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carbon Spider August 2021)(Citation: Mandiant FIN7 Apr 2022)", + "aliases": [ + "FIN7", + "GOLD NIAGARA", + "ITG14", + "Carbon Spider" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0046", + "external_id": "G0046" + }, + { + "source_name": "Carbon Spider", + "description": "(Citation: CrowdStrike Carbon Spider August 2021)" + }, + { + "source_name": "FIN7", + "description": "(Citation: FireEye FIN7 March 2017) (Citation: FireEye FIN7 April 2017) (Citation: Morphisec FIN7 June 2017) (Citation: FireEye FIN7 Shim Databases) (Citation: FireEye FIN7 Aug 2018)" + }, + { + "source_name": "GOLD NIAGARA", + "description": "(Citation: Secureworks GOLD NIAGARA Threat Profile)" + }, + { + "source_name": "Mandiant FIN7 Apr 2022", + "description": "Abdo, B., et al. (2022, April 4). FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7. Retrieved April 5, 2022.", + "url": "https://www.mandiant.com/resources/evolution-of-fin7" + }, + { + "source_name": "FireEye CARBANAK June 2017", + "description": "Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.", + "url": "https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html" + }, + { + "source_name": "FireEye FIN7 April 2017", + "description": "Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.", + "url": "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html" + }, + { + "source_name": "FireEye FIN7 Aug 2018", + "description": "Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.", + "url": "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html" + }, + { + "source_name": "Secureworks GOLD NIAGARA Threat Profile", + "description": "CTU. (n.d.). GOLD NIAGARA. Retrieved September 21, 2021.", + "url": "https://www.secureworks.com/research/threat-profiles/gold-niagara" + }, + { + "source_name": "FireEye FIN7 Shim Databases", + "description": "Erickson, J., McWhirt, M., Palombo, D. (2017, May 3). To SDB, Or Not To SDB: FIN7 Leveraging Shim Databases for Persistence. Retrieved July 18, 2017.", + "url": "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html" + }, + { + "source_name": "Morphisec FIN7 June 2017", + "description": "Gorelik, M.. (2017, June 9). FIN7 Takes Another Bite at the Restaurant Industry. Retrieved July 13, 2017.", + "url": "http://blog.morphisec.com/fin7-attacks-restaurant-industry" + }, + { + "source_name": "ITG14", + "description": "ITG14 shares campaign overlap with [FIN7](https://attack.mitre.org/groups/G0046).(Citation: IBM Ransomware Trends September 2020)" + }, + { + "source_name": "CrowdStrike Carbon Spider August 2021", + "description": "Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.", + "url": "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/" + }, + { + "source_name": "FireEye FIN7 March 2017", + "description": "Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017.", + "url": "https://web.archive.org/web/20180808125108/https:/www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html" + }, + { + "source_name": "IBM Ransomware Trends September 2020", + "description": "Singleton, C. and Kiefer, C. (2020, September 28). Ransomware 2020: Attack Trends Affecting Organizations Worldwide. Retrieved September 20, 2021.", + "url": "https://securityintelligence.com/posts/ransomware-2020-attack-trends-new-techniques-affecting-organizations-worldwide/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Edward Millington" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "3.0", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-04 18:10:49.054000+00:00\", \"old_value\": \"2023-03-22 03:51:04.185000+00:00\"}, \"root['description']\": {\"new_value\": \"[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013. [FIN7](https://attack.mitre.org/groups/G0046) has primarily targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, and utilities industries in the U.S. A portion of [FIN7](https://attack.mitre.org/groups/G0046) was run out of a front company called Combi Security and often used point-of-sale malware for targeting efforts. Since 2020, [FIN7](https://attack.mitre.org/groups/G0046) shifted operations to a big game hunting (BGH) approach including use of [REvil](https://attack.mitre.org/software/S0496) ransomware and their own Ransomware as a Service (RaaS), Darkside. FIN7 may be linked to the [Carbanak](https://attack.mitre.org/groups/G0008) Group, but there appears to be several groups using [Carbanak](https://attack.mitre.org/software/S0030) malware and are therefore tracked separately.(Citation: FireEye FIN7 March 2017)(Citation: FireEye FIN7 April 2017)(Citation: FireEye CARBANAK June 2017)(Citation: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carbon Spider August 2021)(Citation: Mandiant FIN7 Apr 2022)\", \"old_value\": \"[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013 primarily targeting the U.S. retail, restaurant, and hospitality sectors, often using point-of-sale malware. A portion of [FIN7](https://attack.mitre.org/groups/G0046) was run out of a front company called Combi Security. Since 2020 [FIN7](https://attack.mitre.org/groups/G0046) shifted operations to a big game hunting (BGH) approach including use of [REvil](https://attack.mitre.org/software/S0496) ransomware and their own Ransomware as a Service (RaaS), Darkside. [FIN7](https://attack.mitre.org/groups/G0046) may be linked to the [Carbanak](https://attack.mitre.org/groups/G0008) Group, but there appears to be several groups using [Carbanak](https://attack.mitre.org/software/S0030) malware and are therefore tracked separately.(Citation: FireEye FIN7 March 2017)(Citation: FireEye FIN7 April 2017)(Citation: FireEye CARBANAK June 2017)(Citation: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carbon Spider August 2021)\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"3.0\", \"old_value\": \"2.2\"}}, \"iterable_item_added\": {\"root['external_references'][4]\": {\"source_name\": \"Mandiant FIN7 Apr 2022\", \"description\": \"Abdo, B., et al. (2022, April 4). FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7. Retrieved April 5, 2022.\", \"url\": \"https://www.mandiant.com/resources/evolution-of-fin7\"}}}", + "previous_version": "2.2", + "version_change": "2.2 \u2192 3.0", + "description_change_table": "\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n

    		Old Description
    		New Description
    t1[FIN7](https://attack.mitre.org/groups/G0046) is a financialt1[FIN7](https://attack.mitre.org/groups/G0046) is a financial
    >ly-motivated threat group that has been active since 2013 pr>ly-motivated threat group that has been active since 2013. [
    >imarily targeting the U.S. retail, restaurant, and hospitali>FIN7](https://attack.mitre.org/groups/G0046) has primarily t
    >ty sectors, often using point-of-sale malware. A portion of >argeted the retail, restaurant, hospitality, software, consu
    >[FIN7](https://attack.mitre.org/groups/G0046) was run out of>lting, financial services, medical equipment, cloud services
    > a front company called Combi Security. Since 2020 [FIN7](ht>, media, food and beverage, transportation, and utilities in
    >tps://attack.mitre.org/groups/G0046) shifted operations to a>dustries in the U.S. A portion of [FIN7](https://attack.mitr
    > big game hunting (BGH) approach including use of [REvil](ht>e.org/groups/G0046) was run out of a front company called Co
    >tps://attack.mitre.org/software/S0496) ransomware and their >mbi Security and often used point-of-sale malware for target
    >own Ransomware as a Service (RaaS), Darkside. [FIN7](https:/>ing efforts. Since 2020, [FIN7](https://attack.mitre.org/gro
    >/attack.mitre.org/groups/G0046) may be linked to the [Carban>ups/G0046) shifted operations to a big game hunting (BGH) ap
    >ak](https://attack.mitre.org/groups/G0008) Group, but there >proach including use of [REvil](https://attack.mitre.org/sof
    >appears to be several groups using [Carbanak](https://attack>tware/S0496) ransomware and their own Ransomware as a Servic
    >.mitre.org/software/S0030) malware and are therefore tracked>e (RaaS), Darkside. FIN7 may be linked to the [Carbanak](htt
    > separately.(Citation: FireEye FIN7 March 2017)(Citation: Fi>ps://attack.mitre.org/groups/G0008) Group, but there appears
    >reEye FIN7 April 2017)(Citation: FireEye CARBANAK June 2017)> to be several groups using [Carbanak](https://attack.mitre.
    >(Citation: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carb>org/software/S0030) malware and are therefore tracked separa
    >on Spider August 2021)>tely.(Citation: FireEye FIN7 March 2017)(Citation: FireEye F
     >IN7 April 2017)(Citation: FireEye CARBANAK June 2017)(Citati
     >on: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carbon Spid
     >er August 2021)(Citation: Mandiant FIN7 Apr 2022)
    " + }, + { + "type": "intrusion-set", + "id": "intrusion-set--fd19bd82-1b14-49a1-a176-6cdc46b8a826", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-04-18 17:59:24.739000+00:00", + "modified": "2023-09-19 14:08:59.296000+00:00", + "name": "FIN8", + "description": "[FIN8](https://attack.mitre.org/groups/G0061) is a financially motivated threat group that has been active since at least January 2016, and known for targeting organizations in the hospitality, retail, entertainment, insurance, technology, chemical, and financial sectors. In June 2021, security researchers detected [FIN8](https://attack.mitre.org/groups/G0061) switching from targeting point-of-sale (POS) devices to distributing a number of ransomware variants.(Citation: FireEye Obfuscation June 2017)(Citation: FireEye Fin8 May 2016)(Citation: Bitdefender Sardonic Aug 2021)(Citation: Symantec FIN8 Jul 2023)", + "aliases": [ + "FIN8", + "Syssphinx" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0061", + "external_id": "G0061" + }, + { + "source_name": "FIN8", + "description": "(Citation: FireEye Obfuscation June 2017)" + }, + { + "source_name": "Syssphinx", + "description": "(Citation: Symantec FIN8 Jul 2023)" + }, + { + "source_name": "FireEye Obfuscation June 2017", + "description": "Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018.", + "url": "https://web.archive.org/web/20170923102302/https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html" + }, + { + "source_name": "Bitdefender Sardonic Aug 2021", + "description": "Budaca, E., et al. (2021, August 25). FIN8 Threat Actor Goes Agile with New Sardonic Backdoor. Retrieved August 9, 2023.", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/401/Bitdefender-PR-Whitepaper-FIN8-creat5619-en-EN.pdf" + }, + { + "source_name": "FireEye Fin8 May 2016", + "description": "Kizhakkinan, D., et al. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018.", + "url": "https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html" + }, + { + "source_name": "Symantec FIN8 Jul 2023", + "description": "Symantec Threat Hunter Team. (2023, July 18). FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware. Retrieved August 9, 2023.", + "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/syssphinx-fin8-backdoor" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Daniyal Naeem, BT Security", + "Serhii Melnyk, Trustwave SpiderLabs" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "2.0", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-19 14:08:59.296000+00:00\", \"old_value\": \"2023-03-22 03:52:13.089000+00:00\"}, \"root['description']\": {\"new_value\": \"[FIN8](https://attack.mitre.org/groups/G0061) is a financially motivated threat group that has been active since at least January 2016, and known for targeting organizations in the hospitality, retail, entertainment, insurance, technology, chemical, and financial sectors. In June 2021, security researchers detected [FIN8](https://attack.mitre.org/groups/G0061) switching from targeting point-of-sale (POS) devices to distributing a number of ransomware variants.(Citation: FireEye Obfuscation June 2017)(Citation: FireEye Fin8 May 2016)(Citation: Bitdefender Sardonic Aug 2021)(Citation: Symantec FIN8 Jul 2023)\", \"old_value\": \"[FIN8](https://attack.mitre.org/groups/G0061) is a financially motivated threat group known to launch tailored spearphishing campaigns targeting the retail, restaurant, and hospitality industries. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Fin8 May 2016)\"}, \"root['external_references'][3]['description']\": {\"new_value\": \"Kizhakkinan, D., et al. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018.\", \"old_value\": \"Kizhakkinan, D. et al.. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018.\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.3\"}}, \"iterable_item_added\": {\"root['aliases'][1]\": \"Syssphinx\", \"root['external_references'][2]\": {\"source_name\": \"Syssphinx\", \"description\": \"(Citation: Symantec FIN8 Jul 2023)\"}, \"root['external_references'][4]\": {\"source_name\": \"Bitdefender Sardonic Aug 2021\", \"description\": \"Budaca, E., et al. (2021, August 25). FIN8 Threat Actor Goes Agile with New Sardonic Backdoor. Retrieved August 9, 2023.\", \"url\": \"https://www.bitdefender.com/files/News/CaseStudies/study/401/Bitdefender-PR-Whitepaper-FIN8-creat5619-en-EN.pdf\"}, \"root['external_references'][6]\": {\"source_name\": \"Symantec FIN8 Jul 2023\", \"description\": \"Symantec Threat Hunter Team. (2023, July 18). FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware. Retrieved August 9, 2023.\", \"url\": \"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/syssphinx-fin8-backdoor\"}, \"root['x_mitre_contributors'][1]\": \"Serhii Melnyk, Trustwave SpiderLabs\"}}", + "previous_version": "1.3", + "version_change": "1.3 \u2192 2.0", + "description_change_table": "\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n

    		Old Description
    		New Description
    t1[FIN8](https://attack.mitre.org/groups/G0061) is a financialt1[FIN8](https://attack.mitre.org/groups/G0061) is a financial
    >ly motivated threat group known to launch tailored spearphis>ly motivated threat group that has been active since at leas
    >hing campaigns targeting the retail, restaurant, and hospita>t January 2016, and known for targeting organizations in the
    >lity industries. (Citation: FireEye Obfuscation June 2017) (> hospitality, retail, entertainment, insurance, technology, 
    >Citation: FireEye Fin8 May 2016)>chemical, and financial sectors. In June 2021, security rese
     >archers detected [FIN8](https://attack.mitre.org/groups/G006
     >1) switching from targeting point-of-sale (POS) devices to d
     >istributing a number of ransomware variants.(Citation: FireE
     >ye Obfuscation June 2017)(Citation: FireEye Fin8 May 2016)(C
     >itation: Bitdefender Sardonic Aug 2021)(Citation: Symantec F
     >IN8 Jul 2023)
    " + }, + { + "type": "intrusion-set", + "id": "intrusion-set--01e28736-2ffc-455b-9880-ed4d1407ae07", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-01-06 17:46:35.134000+00:00", + "modified": "2023-08-03 21:39:36.666000+00:00", + "name": "Indrik Spider", + "description": "[Indrik Spider](https://attack.mitre.org/groups/G0119) is a Russia-based cybercriminal group that has been active since at least 2014. [Indrik Spider](https://attack.mitre.org/groups/G0119) initially started with the [Dridex](https://attack.mitre.org/software/S0384) banking Trojan, and then by 2017 they began running ransomware operations using [BitPaymer](https://attack.mitre.org/software/S0570), [WastedLocker](https://attack.mitre.org/software/S0612), and Hades ransomware. Following U.S. sanctions and an indictment in 2019, [Indrik Spider](https://attack.mitre.org/groups/G0119) changed their tactics and diversified their toolset.(Citation: Crowdstrike Indrik November 2018)(Citation: Crowdstrike EvilCorp March 2021)(Citation: Treasury EvilCorp Dec 2019)", + "aliases": [ + "Indrik Spider", + "Evil Corp" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0119", + "external_id": "G0119" + }, + { + "source_name": "Evil Corp", + "description": "(Citation: Crowdstrike EvilCorp March 2021)(Citation: Treasury EvilCorp Dec 2019)" + }, + { + "source_name": "Crowdstrike Indrik November 2018", + "description": "Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021.", + "url": "https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/" + }, + { + "source_name": "Crowdstrike EvilCorp March 2021", + "description": "Podlosky, A., Feeley, B. (2021, March 17). INDRIK SPIDER Supersedes WastedLocker with Hades Ransomware to Circumvent OFAC Sanctions. Retrieved September 15, 2021.", + "url": "https://www.crowdstrike.com/blog/hades-ransomware-successor-to-indrik-spiders-wastedlocker/" + }, + { + "source_name": "Treasury EvilCorp Dec 2019", + "description": "U.S. Department of Treasury. (2019, December 5). Treasury Sanctions Evil Corp, the Russia-Based Cybercriminal Group Behind Dridex Malware. Retrieved September 15, 2021.", + "url": "https://home.treasury.gov/news/press-releases/sm845" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Jennifer Kim Roman, CrowdStrike" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "3.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_contributors']\": [\"Jennifer Kim Roman, CrowdStrike\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-03 21:39:36.666000+00:00\", \"old_value\": \"2022-09-15 19:49:18.799000+00:00\"}, \"root['description']\": {\"new_value\": \"[Indrik Spider](https://attack.mitre.org/groups/G0119) is a Russia-based cybercriminal group that has been active since at least 2014. [Indrik Spider](https://attack.mitre.org/groups/G0119) initially started with the [Dridex](https://attack.mitre.org/software/S0384) banking Trojan, and then by 2017 they began running ransomware operations using [BitPaymer](https://attack.mitre.org/software/S0570), [WastedLocker](https://attack.mitre.org/software/S0612), and Hades ransomware. Following U.S. sanctions and an indictment in 2019, [Indrik Spider](https://attack.mitre.org/groups/G0119) changed their tactics and diversified their toolset.(Citation: Crowdstrike Indrik November 2018)(Citation: Crowdstrike EvilCorp March 2021)(Citation: Treasury EvilCorp Dec 2019)\", \"old_value\": \"[Indrik Spider](https://attack.mitre.org/groups/G0119) is a Russia-based cybercriminal group that has been active since at least 2014. [Indrik Spider](https://attack.mitre.org/groups/G0119) initially started with the [Dridex](https://attack.mitre.org/software/S0384) banking Trojan, and then by 2017 they began running ransomware operations using [BitPaymer](https://attack.mitre.org/software/S0570), [WastedLocker](https://attack.mitre.org/software/S0612), and Hades ransomware.(Citation: Crowdstrike Indrik November 2018)(Citation: Crowdstrike EvilCorp March 2021)(Citation: Treasury EvilCorp Dec 2019)\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"3.0\", \"old_value\": \"2.1\"}}}", + "previous_version": "2.1", + "version_change": "2.1 \u2192 3.0", + "description_change_table": "\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n

    		Old Description
    		New Description
    t1[Indrik Spider](https://attack.mitre.org/groups/G0119) is a t1[Indrik Spider](https://attack.mitre.org/groups/G0119) is a 
    >Russia-based cybercriminal group that has been active since >Russia-based cybercriminal group that has been active since 
    >at least 2014. [Indrik Spider](https://attack.mitre.org/grou>at least 2014. [Indrik Spider](https://attack.mitre.org/grou
    >ps/G0119) initially started with the [Dridex](https://attack>ps/G0119) initially started with the [Dridex](https://attack
    >.mitre.org/software/S0384) banking Trojan, and then by 2017 >.mitre.org/software/S0384) banking Trojan, and then by 2017 
    >they began running ransomware operations using [BitPaymer](h>they began running ransomware operations using [BitPaymer](h
    >ttps://attack.mitre.org/software/S0570), [WastedLocker](http>ttps://attack.mitre.org/software/S0570), [WastedLocker](http
    >s://attack.mitre.org/software/S0612), and Hades ransomware.(>s://attack.mitre.org/software/S0612), and Hades ransomware
    >Citation: Crowdstrike Indrik November 2018)(Citation: Crowds>Following U.S. sanctions and an indictment in 2019, [Indrik 
    >trike EvilCorp March 2021)(Citation: Treasury EvilCorp Dec 2>Spider](https://attack.mitre.org/groups/G0119) changed their
    >019)> tactics and diversified their toolset.(Citation: Crowdstrik
     >e Indrik November 2018)(Citation: Crowdstrike EvilCorp March
     > 2021)(Citation: Treasury EvilCorp Dec 2019)
    " + }, + { + "type": "intrusion-set", + "id": "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:31:49.816000+00:00", + "modified": "2023-08-02 19:48:08.774000+00:00", + "name": "Turla", + "description": "[Turla](https://attack.mitre.org/groups/G0010) is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least 2004, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. [Turla](https://attack.mitre.org/groups/G0010) is known for conducting watering hole and spearphishing campaigns, and leveraging in-house tools and malware, such as [Uroburos](https://attack.mitre.org/software/S0022).(Citation: Kaspersky Turla)(Citation: ESET Gazer Aug 2017)(Citation: CrowdStrike VENOMOUS BEAR)(Citation: ESET Turla Mosquito Jan 2018)(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)", + "aliases": [ + "Turla", + "IRON HUNTER", + "Group 88", + "Belugasturgeon", + "Waterbug", + "WhiteBear", + "Snake", + "Krypton", + "Venomous Bear" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0010", + "external_id": "G0010" + }, + { + "source_name": "Belugasturgeon", + "description": "(Citation: Accenture HyperStack October 2020)" + }, + { + "source_name": "Krypton", + "description": "(Citation: CrowdStrike VENOMOUS BEAR)" + }, + { + "source_name": "Snake", + "description": "(Citation: CrowdStrike VENOMOUS BEAR)(Citation: ESET Turla PowerShell May 2019)(Citation: Talos TinyTurla September 2021)" + }, + { + "source_name": "Venomous Bear", + "description": "(Citation: CrowdStrike VENOMOUS BEAR)(Citation: Talos TinyTurla September 2021)" + }, + { + "source_name": "Turla", + "description": "(Citation: Kaspersky Turla)" + }, + { + "source_name": "Group 88", + "description": "(Citation: Leonardo Turla Penquin May 2020)" + }, + { + "source_name": "IRON HUNTER", + "description": "(Citation: Secureworks IRON HUNTER Profile)" + }, + { + "source_name": "Accenture HyperStack October 2020", + "description": "Accenture. (2020, October). Turla uses HyperStack, Carbon, and Kazuar to compromise government entity. Retrieved December 2, 2020.", + "url": "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity" + }, + { + "source_name": "Waterbug", + "description": "Based similarity in TTPs and malware used, Turla and Waterbug appear to be the same group.(Citation: Symantec Waterbug)" + }, + { + "source_name": "Talos TinyTurla September 2021", + "description": "Cisco Talos. (2021, September 21). TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines. Retrieved December 2, 2021.", + "url": "https://blog.talosintelligence.com/2021/09/tinyturla.html" + }, + { + "source_name": "ESET Turla Mosquito Jan 2018", + "description": "ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.", + "url": "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf" + }, + { + "source_name": "ESET Gazer Aug 2017", + "description": "ESET. (2017, August). Gazing at Gazer: Turla\u2019s new second stage backdoor. Retrieved September 14, 2017.", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf" + }, + { + "source_name": "ESET Turla PowerShell May 2019", + "description": "Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.", + "url": "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/" + }, + { + "source_name": "Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023", + "description": "FBI et al. (2023, May 9). Hunting Russian Intelligence \u201cSnake\u201d Malware. Retrieved June 8, 2023.", + "url": "https://www.cisa.gov/sites/default/files/2023-05/aa23-129a_snake_malware_2.pdf" + }, + { + "source_name": "Securelist WhiteBear Aug 2017", + "description": "Kaspersky Lab's Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017.", + "url": "https://securelist.com/introducing-whitebear/81638/" + }, + { + "source_name": "Kaspersky Turla", + "description": "Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.", + "url": "https://securelist.com/the-epic-turla-operation/65545/" + }, + { + "source_name": "Leonardo Turla Penquin May 2020", + "description": "Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA \u201cPenquin_x64\u201d. Retrieved March 11, 2021.", + "url": "https://www.leonardo.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf" + }, + { + "source_name": "CrowdStrike VENOMOUS BEAR", + "description": "Meyers, A. (2018, March 12). Meet CrowdStrike\u2019s Adversary of the Month for March: VENOMOUS BEAR. Retrieved May 16, 2018.", + "url": "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-march-venomous-bear/" + }, + { + "source_name": "Secureworks IRON HUNTER Profile", + "description": "Secureworks CTU. (n.d.). IRON HUNTER. Retrieved February 22, 2022.", + "url": "http://www.secureworks.com/research/threat-profiles/iron-hunter" + }, + { + "source_name": "Symantec Waterbug", + "description": "Symantec. (2015, January 26). The Waterbug attack group. Retrieved April 10, 2015.", + "url": "https://www.threatminer.org/report.php?q=waterbug-attack-group.pdf&y=2015#gsc.tab=0&gsc.q=waterbug-attack-group.pdf&gsc.page=1" + }, + { + "source_name": "WhiteBear", + "description": "WhiteBear is a designation used by Securelist to describe a cluster of activity that has overlaps with activity described by others as Turla, but appears to have a separate focus.(Citation: Securelist WhiteBear Aug 2017)(Citation: Talos TinyTurla September 2021)" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Matthieu Faou, ESET", + "Edward Millington" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "4.0", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-02 19:48:08.774000+00:00\", \"old_value\": \"2023-03-22 05:41:28.428000+00:00\"}, \"root['description']\": {\"new_value\": \"[Turla](https://attack.mitre.org/groups/G0010) is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least 2004, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. [Turla](https://attack.mitre.org/groups/G0010) is known for conducting watering hole and spearphishing campaigns, and leveraging in-house tools and malware, such as [Uroburos](https://attack.mitre.org/software/S0022).(Citation: Kaspersky Turla)(Citation: ESET Gazer Aug 2017)(Citation: CrowdStrike VENOMOUS BEAR)(Citation: ESET Turla Mosquito Jan 2018)(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)\", \"old_value\": \"[Turla](https://attack.mitre.org/groups/G0010) is a Russian-based threat group that has infected victims in over 45 countries, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies since 2004. Heightened activity was seen in mid-2015. [Turla](https://attack.mitre.org/groups/G0010) is known for conducting watering hole and spearphishing campaigns and leveraging in-house tools and malware. [Turla](https://attack.mitre.org/groups/G0010)\\u2019s espionage platform is mainly used against Windows machines, but has also been seen used against macOS and Linux machines.(Citation: Kaspersky Turla)(Citation: ESET Gazer Aug 2017)(Citation: CrowdStrike VENOMOUS BEAR)(Citation: ESET Turla Mosquito Jan 2018)\"}, \"root['x_mitre_version']\": {\"new_value\": \"4.0\", \"old_value\": \"3.1\"}}, \"iterable_item_added\": {\"root['external_references'][14]\": {\"source_name\": \"Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023\", \"description\": \"FBI et al. (2023, May 9). Hunting Russian Intelligence \\u201cSnake\\u201d Malware. Retrieved June 8, 2023.\", \"url\": \"https://www.cisa.gov/sites/default/files/2023-05/aa23-129a_snake_malware_2.pdf\"}}}", + "previous_version": "3.1", + "version_change": "3.1 \u2192 4.0", + "description_change_table": "\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n

    		Old Description
    		New Description
    t1[Turla](https://attack.mitre.org/groups/G0010) is a Russian-t1[Turla](https://attack.mitre.org/groups/G0010) is a cyber es
    >based threat group that has infected victims in over 45 coun>pionage threat group that has been attributed to Russia's Fe
    >tries, spanning a range of industries including government, >deral Security Service (FSB).  They have compromised victims
    >embassies, military, education, research and pharmaceutical > in over 50 countries since at least 2004, spanning a range 
    >companies since 2004. Heightened activity was seen in mid-20>of industries including government, embassies, military, edu
    >15. [Turla](https://attack.mitre.org/groups/G0010) is known >cation, research and pharmaceutical companies. [Turla](https
    >for conducting watering hole and spearphishing campaigns and>://attack.mitre.org/groups/G0010) is known for conducting wa
    > leveraging in-house tools and malware. [Turla](https://atta>tering hole and spearphishing campaigns, and leveraging in-h
    >ck.mitre.org/groups/G0010)\u2019s espionage platform is mainly us>ouse tools and malware, such as [Uroburos](https://attack.mi
    >ed against Windows machines, but has also been seen used aga>tre.org/software/S0022).(Citation: Kaspersky Turla)(Citation
    >inst macOS and Linux machines.(Citation: Kaspersky Turla)(Ci>: ESET Gazer Aug 2017)(Citation: CrowdStrike VENOMOUS BEAR)(
    >tation: ESET Gazer Aug 2017)(Citation: CrowdStrike VENOMOUS >Citation: ESET Turla Mosquito Jan 2018)(Citation: Joint Cybe
    >BEAR)(Citation: ESET Turla Mosquito Jan 2018)>rsecurity Advisory AA23-129A Snake Malware May 2023)
    " + }, + { + "type": "intrusion-set", + "id": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-12 18:15:29.396000+00:00", + "modified": "2023-09-12 14:35:52.920000+00:00", + "name": "Wizard Spider", + "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse aresenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: CrowdStrike Wizard Spider October 2020)", + "aliases": [ + "Wizard Spider", + "UNC1878", + "TEMP.MixMaster", + "Grim Spider", + "FIN12", + "GOLD BLACKBURN", + "ITG23", + "Periwinkle Tempest" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0102", + "external_id": "G0102" + }, + { + "source_name": "Grim Spider", + "description": "(Citation: CrowdStrike Ryuk January 2019)(Citation: CrowdStrike Grim Spider May 2019)" + }, + { + "source_name": "UNC1878", + "description": "(Citation: FireEye KEGTAP SINGLEMALT October 2020)" + }, + { + "source_name": "TEMP.MixMaster", + "description": "(Citation: FireEye Ryuk and Trickbot January 2019)" + }, + { + "source_name": "ITG23", + "description": "(Citation: IBM X-Force ITG23 Oct 2021)" + }, + { + "source_name": "FIN12", + "description": "(Citation: Mandiant FIN12 Oct 2021)" + }, + { + "source_name": "GOLD BLACKBURN", + "description": "(Citation: Secureworks Gold Blackburn Mar 2022)" + }, + { + "source_name": "Periwinkle Tempest", + "description": "(Citation: Secureworks Gold Blackburn Mar 2022)" + }, + { + "source_name": "DHS/CISA Ransomware Targeting Healthcare October 2020", + "description": "DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.", + "url": "https://us-cert.cisa.gov/ncas/alerts/aa20-302a" + }, + { + "source_name": "FireEye Ryuk and Trickbot January 2019", + "description": "Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.", + "url": "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html" + }, + { + "source_name": "CrowdStrike Ryuk January 2019", + "description": "Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.", + "url": "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/" + }, + { + "source_name": "CrowdStrike Grim Spider May 2019", + "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.", + "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/" + }, + { + "source_name": "FireEye KEGTAP SINGLEMALT October 2020", + "description": "Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.", + "url": "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html" + }, + { + "source_name": "CrowdStrike Wizard Spider October 2020", + "description": "Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021.", + "url": "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/" + }, + { + "source_name": "Secureworks Gold Blackburn Mar 2022", + "description": "Secureworks Counter Threat Unit. (2022, March 1). Gold Blackburn Threat Profile. Retrieved June 15, 2023.", + "url": "https://www.secureworks.com/research/threat-profiles/gold-blackburn" + }, + { + "source_name": "Mandiant FIN12 Oct 2021", + "description": "Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.", + "url": "https://www.mandiant.com/sites/default/files/2021-10/fin12-group-profile.pdf" + }, + { + "source_name": "IBM X-Force ITG23 Oct 2021", + "description": "Villadsen, O., et al. (2021, October 13). Trickbot Rising - Gang Doubles Down on Infection Efforts to Amass Network Footholds. Retrieved June 15, 2023.", + "url": "https://securityintelligence.com/posts/trickbot-gang-doubles-down-enterprise-infection/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Edward Millington", + "Oleksiy Gayda" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "3.0", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-12 14:35:52.920000+00:00\", \"old_value\": \"2023-03-22 05:44:27.289000+00:00\"}, \"root['description']\": {\"new_value\": \"[Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse aresenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: CrowdStrike Wizard Spider October 2020)\", \"old_value\": \"[Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: CrowdStrike Wizard Spider October 2020)\"}, \"root['x_mitre_version']\": {\"new_value\": \"3.0\", \"old_value\": \"2.1\"}}, \"iterable_item_added\": {\"root['aliases'][4]\": \"FIN12\", \"root['aliases'][5]\": \"GOLD BLACKBURN\", \"root['aliases'][6]\": \"ITG23\", \"root['aliases'][7]\": \"Periwinkle Tempest\", \"root['external_references'][4]\": {\"source_name\": \"ITG23\", \"description\": \"(Citation: IBM X-Force ITG23 Oct 2021)\"}, \"root['external_references'][5]\": {\"source_name\": \"FIN12\", \"description\": \"(Citation: Mandiant FIN12 Oct 2021)\"}, \"root['external_references'][6]\": {\"source_name\": \"GOLD BLACKBURN\", \"description\": \"(Citation: Secureworks Gold Blackburn Mar 2022)\"}, \"root['external_references'][7]\": {\"source_name\": \"Periwinkle Tempest\", \"description\": \"(Citation: Secureworks Gold Blackburn Mar 2022)\"}, \"root['external_references'][14]\": {\"source_name\": \"Secureworks Gold Blackburn Mar 2022\", \"description\": \"Secureworks Counter Threat Unit. (2022, March 1). Gold Blackburn Threat Profile. Retrieved June 15, 2023.\", \"url\": \"https://www.secureworks.com/research/threat-profiles/gold-blackburn\"}, \"root['external_references'][15]\": {\"source_name\": \"Mandiant FIN12 Oct 2021\", \"description\": \"Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.\", \"url\": \"https://www.mandiant.com/sites/default/files/2021-10/fin12-group-profile.pdf\"}, \"root['external_references'][16]\": {\"source_name\": \"IBM X-Force ITG23 Oct 2021\", \"description\": \"Villadsen, O., et al. (2021, October 13). Trickbot Rising - Gang Doubles Down on Infection Efforts to Amass Network Footholds. Retrieved June 15, 2023.\", \"url\": \"https://securityintelligence.com/posts/trickbot-gang-doubles-down-enterprise-infection/\"}}}", + "previous_version": "2.1", + "version_change": "2.1 \u2192 3.0", + "description_change_table": "\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n

    		Old Description
    		New Description
    t1[Wizard Spider](https://attack.mitre.org/groups/G0102) is a t1[Wizard Spider](https://attack.mitre.org/groups/G0102) is a 
    >Russia-based financially motivated threat group originally k>Russia-based financially motivated threat group originally k
    >nown for the creation and deployment of [TrickBot](https://a>nown for the creation and deployment of [TrickBot](https://a
    >ttack.mitre.org/software/S0266) since at least 2016. [Wizard>ttack.mitre.org/software/S0266) since at least 2016. [Wizard
    > Spider](https://attack.mitre.org/groups/G0102) possesses a > Spider](https://attack.mitre.org/groups/G0102) possesses a 
    >diverse arsenal of tools and has conducted ransomware campai>diverse aresenal of tools and has conducted ransomware campa
    >gns against a variety of organizations, ranging from major c>igns against a variety of organizations, ranging from major 
    >orporations to hospitals.(Citation: CrowdStrike Ryuk January>corporations to hospitals.(Citation: CrowdStrike Ryuk Januar
    > 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare Oc>y 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare O
    >tober 2020)(Citation: CrowdStrike Wizard Spider October 2020>ctober 2020)(Citation: CrowdStrike Wizard Spider October 202
    >)>0)
    " + } + ], + "minor_version_changes": [ + { + "type": "intrusion-set", + "id": "intrusion-set--247cb30b-955f-42eb-97a5-a89fef69341e", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-12-14 16:46:06.044000+00:00", + "modified": "2023-10-12 21:15:24.393000+00:00", + "name": "APT32", + "description": "[APT32](https://attack.mitre.org/groups/G0050) is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments, dissidents, and journalists with a strong focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia. They have extensively used strategic web compromises to compromise victims.(Citation: FireEye APT32 May 2017)(Citation: Volexity OceanLotus Nov 2017)(Citation: ESET OceanLotus)", + "aliases": [ + "APT32", + "SeaLotus", + "OceanLotus", + "APT-C-00" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0050", + "external_id": "G0050" + }, + { + "source_name": "SeaLotus", + "description": "(Citation: Cybereason Oceanlotus May 2017)" + }, + { + "source_name": "APT-C-00", + "description": "(Citation: ESET OceanLotus)(Citation: Cybereason Oceanlotus May 2017)(Citation: ESET OceanLotus Mar 2019)(Citation: Amnesty Intl. Ocean Lotus February 2021)" + }, + { + "source_name": "APT32", + "description": "(Citation: FireEye APT32 May 2017)(Citation: Volexity OceanLotus Nov 2017)(Citation: Cybereason Oceanlotus May 2017)(Citation: ESET OceanLotus Mar 2019)(Citation: Amnesty Intl. Ocean Lotus February 2021)" + }, + { + "source_name": "OceanLotus", + "description": "(Citation: FireEye APT32 May 2017)(Citation: Volexity OceanLotus Nov 2017)(Citation: Cybereason Oceanlotus May 2017)(Citation: ESET OceanLotus Mar 2019)(Citation: Amnesty Intl. Ocean Lotus February 2021)" + }, + { + "source_name": "Amnesty Intl. Ocean Lotus February 2021", + "description": "Amnesty International. (2021, February 24). Vietnamese activists targeted by notorious hacking group. Retrieved March 1, 2021.", + "url": "https://www.amnestyusa.org/wp-content/uploads/2021/02/Click-and-Bait_Vietnamese-Human-Rights-Defenders-Targeted-with-Spyware-Attacks.pdf" + }, + { + "source_name": "FireEye APT32 May 2017", + "description": "Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.", + "url": "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html" + }, + { + "source_name": "Cybereason Oceanlotus May 2017", + "description": "Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018.", + "url": "https://www.cybereason.com/blog/operation-cobalt-kitty-apt" + }, + { + "source_name": "ESET OceanLotus Mar 2019", + "description": "Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.", + "url": "https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/" + }, + { + "source_name": "ESET OceanLotus", + "description": "Folt\u00fdn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018.", + "url": "https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/" + }, + { + "source_name": "Volexity OceanLotus Nov 2017", + "description": "Lassalle, D., et al. (2017, November 6). OceanLotus Blossoms: Mass Digital Surveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society. Retrieved November 6, 2017.", + "url": "https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Romain Dumont, ESET" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "2.7", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-12 21:15:24.393000+00:00\", \"old_value\": \"2023-03-21 21:04:18.158000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.7\", \"old_value\": \"2.6\"}}}", + "previous_version": "2.6", + "version_change": "2.6 \u2192 2.7" + }, + { + "type": "intrusion-set", + "id": "intrusion-set--6eded342-33e5-4451-b6b2-e1c62863129f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-12-26 23:11:39.442000+00:00", + "modified": "2023-09-22 20:43:16.504000+00:00", + "name": "Confucius", + "description": "[Confucius](https://attack.mitre.org/groups/G0142) is a cyber espionage group that has primarily targeted military personnel, high-profile personalities, business persons, and government organizations in South Asia since at least 2013. Security researchers have noted similarities between [Confucius](https://attack.mitre.org/groups/G0142) and [Patchwork](https://attack.mitre.org/groups/G0040), particularly in their respective custom malware code and targets.(Citation: TrendMicro Confucius APT Feb 2018)(Citation: TrendMicro Confucius APT Aug 2021)(Citation: Uptycs Confucius APT Jan 2021)", + "aliases": [ + "Confucius", + "Confucius APT" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0142", + "external_id": "G0142" + }, + { + "source_name": "TrendMicro Confucius APT Feb 2018", + "description": "Lunghi, D and Horejsi, J. (2018, February 13). Deciphering Confucius: A Look at the Group's Cyberespionage Operations. Retrieved December 26, 2021.", + "url": "https://www.trendmicro.com/en_us/research/18/b/deciphering-confucius-cyberespionage-operations.html" + }, + { + "source_name": "TrendMicro Confucius APT Aug 2021", + "description": "Lunghi, D. (2021, August 17). Confucius Uses Pegasus Spyware-related Lures to Target Pakistani Military. Retrieved December 26, 2021.", + "url": "https://www.trendmicro.com/en_us/research/21/h/confucius-uses-pegasus-spyware-related-lures-to-target-pakistani.html" + }, + { + "source_name": "Uptycs Confucius APT Jan 2021", + "description": "Uptycs Threat Research Team. (2021, January 12). Confucius APT deploys Warzone RAT. Retrieved December 17, 2021.", + "url": "https://www.uptycs.com/blog/confucius-apt-deploys-warzone-rat" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-22 20:43:16.504000+00:00\", \"old_value\": \"2022-06-30 20:15:32.697000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['x_mitre_domains'][1]\": \"mobile-attack\"}}", + "previous_version": "1.0", + "version_change": "1.0 \u2192 1.1" + }, + { + "type": "intrusion-set", + "id": "intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:32:05.217000+00:00", + "modified": "2023-10-01 02:45:48.973000+00:00", + "name": "Dragonfly", + "description": "[Dragonfly](https://attack.mitre.org/groups/G0035) is a cyber espionage group that has been attributed to Russia's Federal Security Service (FSB) Center 16.(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022) Active since at least 2010, [Dragonfly](https://attack.mitre.org/groups/G0035) has targeted defense and aviation companies, government entities, companies related to industrial control systems, and critical infrastructure sectors worldwide through supply chain, spearphishing, and drive-by compromise attacks.(Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Symantec Dragonfly Sept 2017)(Citation: Fortune Dragonfly 2.0 Sept 2017)(Citation: Gigamon Berserk Bear October 2021)(Citation: CISA AA20-296A Berserk Bear December 2020)(Citation: Symantec Dragonfly 2.0 October 2017)", + "aliases": [ + "Dragonfly", + "TEMP.Isotope", + "DYMALLOY", + "Berserk Bear", + "TG-4192", + "Crouching Yeti", + "IRON LIBERTY", + "Energetic Bear" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0035", + "external_id": "G0035" + }, + { + "source_name": "DYMALLOY", + "description": "(Citation: Dragos DYMALLOY )(Citation: UK GOV FSB Factsheet April 2022)" + }, + { + "source_name": "Berserk Bear", + "description": "(Citation: Gigamon Berserk Bear October 2021)(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022)" + }, + { + "source_name": "TEMP.Isotope", + "description": "(Citation: Mandiant Ukraine Cyber Threats January 2022)(Citation: Gigamon Berserk Bear October 2021)" + }, + { + "source_name": "Crouching Yeti", + "description": "(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Gigamon Berserk Bear October 2021)(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022)" + }, + { + "source_name": "IRON LIBERTY", + "description": "(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Secureworks MCMD July 2019)(Citation: Secureworks Karagany July 2019)(Citation: UK GOV FSB Factsheet April 2022)" + }, + { + "source_name": "TG-4192", + "description": "(Citation: Secureworks IRON LIBERTY July 2019)(Citation: UK GOV FSB Factsheet April 2022)" + }, + { + "source_name": "Dragonfly", + "description": "(Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Gigamon Berserk Bear October 2021)(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022)" + }, + { + "source_name": "Energetic Bear", + "description": "(Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Secureworks MCMD July 2019)(Citation: Secureworks Karagany July 2019)(Citation: Gigamon Berserk Bear October 2021)(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022)" + }, + { + "source_name": "CISA AA20-296A Berserk Bear December 2020", + "description": "CISA. (2020, December 1). Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets. Retrieved December 9, 2021.", + "url": "https://www.cisa.gov/uscert/ncas/alerts/aa20-296a#revisions" + }, + { + "source_name": "DOJ Russia Targeting Critical Infrastructure March 2022", + "description": "Department of Justice. (2022, March 24). Four Russian Government Employees Charged in Two Historical Hacking Campaigns Targeting Critical Infrastructure Worldwide. Retrieved April 5, 2022.", + "url": "https://www.justice.gov/opa/pr/four-russian-government-employees-charged-two-historical-hacking-campaigns-targeting-critical" + }, + { + "source_name": "Dragos DYMALLOY ", + "description": "Dragos. (n.d.). DYMALLOY. Retrieved August 20, 2020.", + "url": "https://www.dragos.com/threat/dymalloy/" + }, + { + "source_name": "Fortune Dragonfly 2.0 Sept 2017", + "description": "Hackett, R. (2017, September 6). Hackers Have Penetrated Energy Grid, Symantec Warns. Retrieved June 6, 2018.", + "url": "http://fortune.com/2017/09/06/hack-energy-grid-symantec/" + }, + { + "source_name": "Mandiant Ukraine Cyber Threats January 2022", + "description": "Hultquist, J. (2022, January 20). Anticipating Cyber Threats as the Ukraine Crisis Escalates. Retrieved January 24, 2022.", + "url": "https://www.mandiant.com/resources/ukraine-crisis-cyber-threats" + }, + { + "source_name": "Secureworks MCMD July 2019", + "description": "Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020.", + "url": "https://www.secureworks.com/research/mcmd-malware-analysis" + }, + { + "source_name": "Secureworks IRON LIBERTY July 2019", + "description": "Secureworks. (2019, July 24). Resurgent Iron Liberty Targeting Energy Sector. Retrieved August 12, 2020.", + "url": "https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector" + }, + { + "source_name": "Secureworks Karagany July 2019", + "description": "Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.", + "url": "https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector" + }, + { + "source_name": "Gigamon Berserk Bear October 2021", + "description": "Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE\u2019S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021.", + "url": "https://vblocalhost.com/uploads/VB2021-Slowik.pdf" + }, + { + "source_name": "Symantec Dragonfly Sept 2017", + "description": "Symantec Security Response. (2014, July 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017.", + "url": "https://docs.broadcom.com/doc/dragonfly_threat_against_western_energy_suppliers" + }, + { + "source_name": "Symantec Dragonfly", + "description": "Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.", + "url": "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments" + }, + { + "source_name": "Symantec Dragonfly 2.0 October 2017", + "description": "Symantec. (2017, October 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved April 19, 2022.", + "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks" + }, + { + "source_name": "UK GOV FSB Factsheet April 2022", + "description": "UK Gov. (2022, April 5). Russia's FSB malign activity: factsheet. Retrieved April 5, 2022.", + "url": "https://www.gov.uk/government/publications/russias-fsb-malign-cyber-activity-factsheet/russias-fsb-malign-activity-factsheet" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Dragos Threat Intelligence" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "3.2", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-01 02:45:48.973000+00:00\", \"old_value\": \"2023-03-08 22:03:28.170000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"3.2\", \"old_value\": \"3.1\"}}}", + "previous_version": "3.1", + "version_change": "3.1 \u2192 3.2" + }, + { + "type": "intrusion-set", + "id": "intrusion-set--d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2022-06-09 19:14:31.327000+00:00", + "modified": "2023-10-20 17:06:10.335000+00:00", + "name": "LAPSUS$", + "description": "[LAPSUS$](https://attack.mitre.org/groups/G1004) is cyber criminal threat group that has been active since at least mid-2021. [LAPSUS$](https://attack.mitre.org/groups/G1004) specializes in large-scale social engineering and extortion operations, including destructive attacks without the use of ransomware. The group has targeted organizations globally, including in the government, manufacturing, higher education, energy, healthcare, technology, telecommunications, and media sectors.(Citation: BBC LAPSUS Apr 2022)(Citation: MSTIC DEV-0537 Mar 2022)(Citation: UNIT 42 LAPSUS Mar 2022)", + "aliases": [ + "LAPSUS$", + "DEV-0537" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G1004", + "external_id": "G1004" + }, + { + "source_name": "DEV-0537", + "description": "(Citation: MSTIC DEV-0537 Mar 2022)" + }, + { + "source_name": "BBC LAPSUS Apr 2022", + "description": "BBC. (2022, April 1). LAPSUS: Two UK Teenagers Charged with Hacking for Gang. Retrieved June 9, 2022.", + "url": "https://www.bbc.com/news/technology-60953527" + }, + { + "source_name": "MSTIC DEV-0537 Mar 2022", + "description": "MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022.", + "url": "https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/" + }, + { + "source_name": "UNIT 42 LAPSUS Mar 2022", + "description": "UNIT 42. (2022, March 24). Threat Brief: Lapsus$ Group. Retrieved May 17, 2022.", + "url": "https://unit42.paloaltonetworks.com/lapsus-group/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "David Hughes, BT Security", + "Matt Brenton, Zurich Insurance Group", + "Flavio Costa, Cisco", + "Caio Silva" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.2", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-20 17:06:10.335000+00:00\", \"old_value\": \"2023-04-11 00:01:29.232000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}, \"iterable_item_added\": {\"root['x_mitre_contributors'][3]\": \"Caio Silva\"}}", + "previous_version": "1.1", + "version_change": "1.1 \u2192 1.2" + }, + { + "type": "intrusion-set", + "id": "intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-01-16 16:13:52.465000+00:00", + "modified": "2023-09-11 20:43:14.739000+00:00", + "name": "Magic Hound", + "description": "[Magic Hound](https://attack.mitre.org/groups/G0059) is an Iranian-sponsored threat group that conducts long term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted European, U.S., and Middle Eastern government and military personnel, academics, journalists, and organizations such as the World Health Organization (WHO), via complex social engineering campaigns since at least 2014.(Citation: FireEye APT35 2018)(Citation: ClearSky Kittens Back 3 August 2020)(Citation: Certfa Charming Kitten January 2021)(Citation: Secureworks COBALT ILLUSION Threat Profile)(Citation: Proofpoint TA453 July2021)", + "aliases": [ + "Magic Hound", + "TA453", + "COBALT ILLUSION", + "Charming Kitten", + "ITG18", + "Phosphorus", + "Newscaster", + "APT35" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0059", + "external_id": "G0059" + }, + { + "source_name": "Charming Kitten", + "description": "(Citation: ClearSky Charming Kitten Dec 2017)(Citation: Eweek Newscaster and Charming Kitten May 2014)(Citation: ClearSky Kittens Back 2 Oct 2019)(Citation: ClearSky Kittens Back 3 August 2020)(Citation: Proofpoint TA453 March 2021)(Citation: Check Point APT35 CharmPower January 2022)" + }, + { + "source_name": "APT35", + "description": "(Citation: FireEye APT35 2018)(Citation: Certfa Charming Kitten January 2021)(Citation: Check Point APT35 CharmPower January 2022)" + }, + { + "source_name": "ITG18", + "description": "(Citation: IBM ITG18 2020)" + }, + { + "source_name": "Phosphorus", + "description": "(Citation: Microsoft Phosphorus Mar 2019)(Citation: Microsoft Phosphorus Oct 2020)(Citation: US District Court of DC Phosphorus Complaint 2019)(Citation: Certfa Charming Kitten January 2021)(Citation: Proofpoint TA453 March 2021)(Citation: Check Point APT35 CharmPower January 2022)" + }, + { + "source_name": "TA453", + "description": "(Citation: Proofpoint TA453 March 2021)(Citation: Proofpoint TA453 July2021)(Citation: Check Point APT35 CharmPower January 2022)" + }, + { + "source_name": "COBALT ILLUSION", + "description": "(Citation: Secureworks COBALT ILLUSION Threat Profile)" + }, + { + "source_name": "Magic Hound", + "description": "(Citation: Unit 42 Magic Hound Feb 2017)" + }, + { + "source_name": "Microsoft Phosphorus Mar 2019", + "description": "Burt, T. (2019, March 27). New steps to protect customers from hacking. Retrieved May 27, 2020.", + "url": "https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/" + }, + { + "source_name": "Microsoft Phosphorus Oct 2020", + "description": "Burt, T. (2020, October 28). Cyberattacks target international conference attendees. Retrieved March 8, 2021.", + "url": "https://blogs.microsoft.com/on-the-issues/2020/10/28/cyberattacks-phosphorus-t20-munich-security-conference/" + }, + { + "source_name": "Certfa Charming Kitten January 2021", + "description": "Certfa Labs. (2021, January 8). Charming Kitten\u2019s Christmas Gift. Retrieved May 3, 2021.", + "url": "https://blog.certfa.com/posts/charming-kitten-christmas-gift/" + }, + { + "source_name": "Check Point APT35 CharmPower January 2022", + "description": "Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022.", + "url": "https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/" + }, + { + "source_name": "ClearSky Charming Kitten Dec 2017", + "description": "ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017.", + "url": "http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf" + }, + { + "source_name": "ClearSky Kittens Back 2 Oct 2019", + "description": "ClearSky Research Team. (2019, October 1). The Kittens Are Back in Town2 - Charming Kitten Campaign KeepsGoing on, Using New Impersonation Methods. Retrieved April 21, 2021.", + "url": "https://www.clearskysec.com/wp-content/uploads/2019/10/The-Kittens-Are-Back-in-Town-2-1.pdf" + }, + { + "source_name": "ClearSky Kittens Back 3 August 2020", + "description": "ClearSky Research Team. (2020, August 1). The Kittens Are Back in Town 3 - Charming Kitten Campaign Evolved and Deploying Spear-Phishing link by WhatsApp. Retrieved April 21, 2021.", + "url": "https://www.clearskysec.com/wp-content/uploads/2020/08/The-Kittens-are-Back-in-Town-3.pdf" + }, + { + "source_name": "Eweek Newscaster and Charming Kitten May 2014", + "description": "Kerner, S. (2014, May 29). Newscaster Threat Uses Social Media for Intelligence Gathering. Retrieved April 14, 2021.", + "url": "https://www.eweek.com/security/newscaster-threat-uses-social-media-for-intelligence-gathering" + }, + { + "source_name": "Unit 42 Magic Hound Feb 2017", + "description": "Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.", + "url": "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/" + }, + { + "source_name": "Newscaster", + "description": "Link analysis of infrastructure and tools revealed a potential relationship between Magic Hound and the older attack campaign called Newscaster (aka Newscasters).(Citation: Unit 42 Magic Hound Feb 2017)(Citation: FireEye APT35 2018)" + }, + { + "source_name": "FireEye APT35 2018", + "description": "Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018.", + "url": "https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf" + }, + { + "source_name": "Proofpoint TA453 July2021", + "description": "Miller, J. et al. (2021, July 13). Operation SpoofedScholars: A Conversation with TA453. Retrieved August 18, 2021.", + "url": "https://www.proofpoint.com/us/blog/threat-insight/operation-spoofedscholars-conversation-ta453" + }, + { + "source_name": "Proofpoint TA453 March 2021", + "description": "Miller, J. et al. (2021, March 30). BadBlood: TA453 Targets US and Israeli Medical Research Personnel in Credential Phishing Campaigns. Retrieved May 4, 2021.", + "url": "https://www.proofpoint.com/us/blog/threat-insight/badblood-ta453-targets-us-and-israeli-medical-research-personnel-credential" + }, + { + "source_name": "Secureworks COBALT ILLUSION Threat Profile", + "description": "Secureworks. (n.d.). COBALT ILLUSION Threat Profile. Retrieved April 14, 2021.", + "url": "https://www.secureworks.com/research/threat-profiles/cobalt-illusion" + }, + { + "source_name": "US District Court of DC Phosphorus Complaint 2019", + "description": "US District Court of DC. (2019, March 14). MICROSOFT CORPORATION v. JOHN DOES 1-2, CONTROLLING A COMPUTER NETWORK AND THEREBY INJURING PLAINTIFF AND ITS CUSTOMERS. Retrieved March 8, 2021.", + "url": "https://noticeofpleadings.com/phosphorus/files/Complaint.pdf" + }, + { + "source_name": "IBM ITG18 2020", + "description": "Wikoff, A. Emerson, R. (2020, July 16). New Research Exposes Iranian Threat Group Operations. Retrieved March 8, 2021.", + "url": "https://securityintelligence.com/posts/new-research-exposes-iranian-threat-group-operations/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Anastasios Pingios", + "Bryan Lee", + "Daniyal Naeem, BT Security" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "5.2", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-11 20:43:14.739000+00:00\", \"old_value\": \"2023-01-13 21:18:18.077000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"5.2\", \"old_value\": \"5.1\"}}}", + "previous_version": "5.1", + "version_change": "5.1 \u2192 5.2" + }, + { + "type": "intrusion-set", + "id": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:32:04.588000+00:00", + "modified": "2023-10-06 14:13:06.011000+00:00", + "name": "Sandworm Team", + "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) This group has been active since at least 2009.(Citation: iSIGHT Sandworm 2014)(Citation: CrowdStrike VOODOO BEAR)(Citation: USDOJ Sandworm Feb 2020)(Citation: NCSC Sandworm Feb 2020)\n\nIn October 2020, the US indicted six GRU Unit 74455 officers associated with [Sandworm Team](https://attack.mitre.org/groups/G0034) for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide [NotPetya](https://attack.mitre.org/software/S0368) attack, targeting of the 2017 French presidential campaign, the 2018 [Olympic Destroyer](https://attack.mitre.org/software/S0365) attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as [APT28](https://attack.mitre.org/groups/G0007).(Citation: US District Court Indictment GRU Oct 2018)", + "aliases": [ + "Sandworm Team", + "ELECTRUM", + "Telebots", + "IRON VIKING", + "BlackEnergy (Group)", + "Quedagh", + "Voodoo Bear", + "IRIDIUM" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0034", + "external_id": "G0034" + }, + { + "source_name": "Voodoo Bear", + "description": "(Citation: CrowdStrike VOODOO BEAR)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)" + }, + { + "source_name": "ELECTRUM", + "description": "(Citation: Dragos ELECTRUM)(Citation: UK NCSC Olympic Attacks October 2020)" + }, + { + "source_name": "Sandworm Team", + "description": "(Citation: iSIGHT Sandworm 2014) (Citation: F-Secure BlackEnergy 2014) (Citation: InfoSecurity Sandworm Oct 2014)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)" + }, + { + "source_name": "Quedagh", + "description": "(Citation: iSIGHT Sandworm 2014) (Citation: F-Secure BlackEnergy 2014)(Citation: UK NCSC Olympic Attacks October 2020)" + }, + { + "source_name": "IRIDIUM", + "description": "(Citation: Microsoft Prestige ransomware October 2022)" + }, + { + "source_name": "BlackEnergy (Group)", + "description": "(Citation: NCSC Sandworm Feb 2020)(Citation: UK NCSC Olympic Attacks October 2020)" + }, + { + "source_name": "Telebots", + "description": "(Citation: NCSC Sandworm Feb 2020)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)" + }, + { + "source_name": "IRON VIKING", + "description": "(Citation: Secureworks IRON VIKING )(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)" + }, + { + "source_name": "US District Court Indictment GRU Oct 2018", + "description": "Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020.", + "url": "https://www.justice.gov/opa/page/file/1098481/download" + }, + { + "source_name": "Dragos ELECTRUM", + "description": "Dragos. (2017, January 1). ELECTRUM Threat Profile. Retrieved June 10, 2020.", + "url": "https://www.dragos.com/resource/electrum/" + }, + { + "source_name": "F-Secure BlackEnergy 2014", + "description": "F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.", + "url": "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf" + }, + { + "source_name": "iSIGHT Sandworm 2014", + "description": "Hultquist, J.. (2016, January 7). Sandworm Team and the Ukrainian Power Authority Attacks. Retrieved October 6, 2017.", + "url": "https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html" + }, + { + "source_name": "CrowdStrike VOODOO BEAR", + "description": "Meyers, A. (2018, January 19). Meet CrowdStrike\u2019s Adversary of the Month for January: VOODOO BEAR. Retrieved May 22, 2018.", + "url": "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-january-voodoo-bear/" + }, + { + "source_name": "Microsoft Prestige ransomware October 2022", + "description": "MSTIC. (2022, October 14). New \u201cPrestige\u201d ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023.", + "url": "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/" + }, + { + "source_name": "InfoSecurity Sandworm Oct 2014", + "description": "Muncaster, P.. (2014, October 14). Microsoft Zero Day Traced to Russian \u2018Sandworm\u2019 Hackers. Retrieved October 6, 2017.", + "url": "https://www.infosecurity-magazine.com/news/microsoft-zero-day-traced-russian/" + }, + { + "source_name": "NCSC Sandworm Feb 2020", + "description": "NCSC. (2020, February 20). NCSC supports US advisory regarding GRU intrusion set Sandworm. Retrieved June 10, 2020.", + "url": "https://www.ncsc.gov.uk/news/ncsc-supports-sandworm-advisory" + }, + { + "source_name": "USDOJ Sandworm Feb 2020", + "description": "Pompeo, M. (2020, February 20). The United States Condemns Russian Cyber Attack Against the Country of Georgia. Retrieved June 18, 2020.", + "url": "https://2017-2021.state.gov/the-united-states-condemns-russian-cyber-attack-against-the-country-of-georgia//index.html" + }, + { + "source_name": "US District Court Indictment GRU Unit 74455 October 2020", + "description": "Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.", + "url": "https://www.justice.gov/opa/press-release/file/1328521/download" + }, + { + "source_name": "Secureworks IRON VIKING ", + "description": "Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020.", + "url": "https://www.secureworks.com/research/threat-profiles/iron-viking" + }, + { + "source_name": "UK NCSC Olympic Attacks October 2020", + "description": "UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games . Retrieved November 30, 2020.", + "url": "https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Dragos Threat Intelligence" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack", + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "3.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-06 14:13:06.011000+00:00\", \"old_value\": \"2023-03-08 22:12:31.238000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"3.1\", \"old_value\": \"3.0\"}}}", + "previous_version": "3.0", + "version_change": "3.0 \u2192 3.1" + }, + { + "type": "intrusion-set", + "id": "intrusion-set--76565741-3452-4069-ab08-80c0ea95bbeb", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-01-29 21:36:59.793000+00:00", + "modified": "2023-09-27 20:22:05.127000+00:00", + "name": "SilverTerrier", + "description": "[SilverTerrier](https://attack.mitre.org/groups/G0083) is a Nigerian threat group that has been seen active since 2014. [SilverTerrier](https://attack.mitre.org/groups/G0083) mainly targets organizations in high technology, higher education, and manufacturing.(Citation: Unit42 SilverTerrier 2018)(Citation: Unit42 SilverTerrier 2016)", + "aliases": [ + "SilverTerrier" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0083", + "external_id": "G0083" + }, + { + "source_name": "SilverTerrier", + "description": "(Citation: Unit42 SilverTerrier 2018)(Citation: Unit42 SilverTerrier 2016)" + }, + { + "source_name": "Unit42 SilverTerrier 2016", + "description": "Renals, P., Conant, S. (2016). SILVERTERRIER: The Next Evolution in Nigerian Cybercrime. Retrieved November 13, 2018.", + "url": "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/silverterrier-next-evolution-in-nigerian-cybercrime.pdf" + }, + { + "source_name": "Unit42 SilverTerrier 2018", + "description": "Unit42. (2016). SILVERTERRIER: THE RISE OF NIGERIAN BUSINESS EMAIL COMPROMISE. Retrieved November 13, 2018.", + "url": "https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/whitepapers/unit42-silverterrier-rise-of-nigerian-business-email-compromise" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_attack_spec_version']\": \"3.2.0\", \"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-27 20:22:05.127000+00:00\", \"old_value\": \"2020-05-19 23:26:11.780000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}}", + "previous_version": "1.1", + "version_change": "1.1 \u2192 1.2" + } + ], + "other_version_changes": [], + "patches": [ + { + "type": "intrusion-set", + "id": "intrusion-set--4a2ce82e-1a74-468a-a6fb-bbead541383c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-04-18 17:59:24.739000+00:00", + "modified": "2023-06-26 18:59:30.461000+00:00", + "name": "APT37", + "description": "[APT37](https://attack.mitre.org/groups/G0067) is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. [APT37](https://attack.mitre.org/groups/G0067) has also been linked to the following campaigns between 2016-2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, North Korean Human Rights, and Evil New Year 2018.(Citation: FireEye APT37 Feb 2018)(Citation: Securelist ScarCruft Jun 2016)(Citation: Talos Group123)\n\nNorth Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups.", + "aliases": [ + "APT37", + "InkySquid", + "ScarCruft", + "Reaper", + "Group123", + "TEMP.Reaper", + "Ricochet Chollima" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0067", + "external_id": "G0067" + }, + { + "source_name": "Ricochet Chollima", + "description": "(Citation: CrowdStrike Richochet Chollima September 2021)" + }, + { + "source_name": "APT37", + "description": "(Citation: FireEye APT37 Feb 2018)" + }, + { + "source_name": "Reaper", + "description": "(Citation: FireEye APT37 Feb 2018)" + }, + { + "source_name": "Group123", + "description": "(Citation: FireEye APT37 Feb 2018)" + }, + { + "source_name": "TEMP.Reaper", + "description": "(Citation: FireEye APT37 Feb 2018)" + }, + { + "source_name": "ScarCruft", + "description": "(Citation: Securelist ScarCruft Jun 2016)(Citation: FireEye APT37 Feb 2018)(Citation: Securelist ScarCruft May 2019)" + }, + { + "source_name": "InkySquid", + "description": "(Citation: Volexity InkySquid BLUELIGHT August 2021)" + }, + { + "source_name": "Volexity InkySquid BLUELIGHT August 2021", + "description": "Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021.", + "url": "https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/" + }, + { + "source_name": "CrowdStrike Richochet Chollima September 2021", + "description": "CrowdStrike. (2021, September 30). Adversary Profile - Ricochet Chollima. Retrieved September 30, 2021.", + "url": "https://www.crowdstrike.com/adversaries/ricochet-chollima/" + }, + { + "source_name": "FireEye APT37 Feb 2018", + "description": "FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.", + "url": "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf" + }, + { + "source_name": "Securelist ScarCruft May 2019", + "description": "GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019.", + "url": "https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/" + }, + { + "source_name": "Talos Group123", + "description": "Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.", + "url": "https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html" + }, + { + "source_name": "Securelist ScarCruft Jun 2016", + "description": "Raiu, C., and Ivanov, A. (2016, June 17). Operation Daybreak. Retrieved February 15, 2018.", + "url": "https://securelist.com/operation-daybreak/75100/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Valerii Marchuk, Cybersecurity Help s.r.o." + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "2.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_attack_spec_version']\": \"3.1.0\", \"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-06-26 18:59:30.461000+00:00\", \"old_value\": \"2021-10-15 16:54:01.193000+00:00\"}, \"root['external_references'][2]['source_name']\": {\"new_value\": \"Ricochet Chollima\", \"old_value\": \"Richochet Chollima\"}, \"root['external_references'][11]['description']\": {\"new_value\": \"CrowdStrike. (2021, September 30). Adversary Profile - Ricochet Chollima. Retrieved September 30, 2021.\", \"old_value\": \"CrowdStrike. (2021, September 30). Adversary Profile - Richochet Chollima. Retrieved September 30, 2021.\"}, \"root['external_references'][11]['url']\": {\"new_value\": \"https://www.crowdstrike.com/adversaries/ricochet-chollima/\", \"old_value\": \"https://adversary.crowdstrike.com/en-US/adversary/ricochet-chollima/\"}}, \"iterable_item_added\": {\"root['aliases'][6]\": \"Ricochet Chollima\"}, \"iterable_item_removed\": {\"root['aliases'][1]\": \"Richochet Chollima\"}}", + "previous_version": "2.0" + }, + { + "type": "intrusion-set", + "id": "intrusion-set--fa19de15-6169-428d-9cd6-3ca3d56075b7", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-04-14 13:17:43.941000+00:00", + "modified": "2023-10-09 16:46:55.719000+00:00", + "name": "Ajax Security Team", + "description": "[Ajax Security Team](https://attack.mitre.org/groups/G0130) is a group that has been active since at least 2010 and believed to be operating out of Iran. By 2014 [Ajax Security Team](https://attack.mitre.org/groups/G0130) transitioned from website defacement operations to malware-based cyber espionage campaigns targeting the US defense industrial base and Iranian users of anti-censorship technologies.(Citation: FireEye Operation Saffron Rose 2013)", + "aliases": [ + "Ajax Security Team", + "Operation Woolen-Goldfish", + "AjaxTM", + "Rocket Kitten", + "Flying Kitten", + "Operation Saffron Rose" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0130", + "external_id": "G0130" + }, + { + "source_name": "Flying Kitten", + "description": "(Citation: CrowdStrike Flying Kitten )" + }, + { + "source_name": "AjaxTM", + "description": "(Citation: FireEye Operation Saffron Rose 2013)" + }, + { + "source_name": "Operation Saffron Rose", + "description": "(Citation: FireEye Operation Saffron Rose 2013)" + }, + { + "source_name": "Rocket Kitten", + "description": "Analysis of infrastructure, tools, and modes of operation revealed a potential relationship between [Ajax Security Team](https://attack.mitre.org/groups/G0130) and Rocket Kitten.(Citation: Check Point Rocket Kitten)(Citation: IranThreats Kittens Dec 2017)" + }, + { + "source_name": "Operation Woolen-Goldfish", + "description": "Analysis of infrastructure, tools, and modes of operation revealed a potential relationship between [Ajax Security Team](https://attack.mitre.org/groups/G0130) and the campaign Operation Woolen-Goldfish.(Citation: Check Point Rocket Kitten)(Citation: TrendMicro Operation Woolen Goldfish March 2015)" + }, + { + "source_name": "TrendMicro Operation Woolen Goldfish March 2015", + "description": "Cedric Pernet, Kenney Lu. (2015, March 19). Operation Woolen-Goldfish - When Kittens Go phishing. Retrieved April 21, 2021.", + "url": "https://documents.trendmicro.com/assets/wp/wp-operation-woolen-goldfish.pdf" + }, + { + "source_name": "Check Point Rocket Kitten", + "description": "Check Point Software Technologies. (2015). ROCKET KITTEN: A CAMPAIGN WITH 9 LIVES. Retrieved March 16, 2018.", + "url": "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf" + }, + { + "source_name": "CrowdStrike Flying Kitten ", + "description": "Dahl, M.. (2014, May 13). Cat Scratch Fever: CrowdStrike Tracks Newly Reported Iranian Actor as FLYING KITTEN. Retrieved May 27, 2020.", + "url": "https://www.crowdstrike.com/blog/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten/" + }, + { + "source_name": "IranThreats Kittens Dec 2017", + "description": "Iran Threats . (2017, December 5). Flying Kitten to Rocket Kitten, A Case of Ambiguity and Shared Code. Retrieved May 28, 2020.", + "url": "https://iranthreats.github.io/resources/attribution-flying-rocket-kitten/" + }, + { + "source_name": "FireEye Operation Saffron Rose 2013", + "description": "Villeneuve, N. et al.. (2013). OPERATION SAFFRON ROSE . Retrieved May 28, 2020.", + "url": "https://www.mandiant.com/sites/default/files/2021-09/rpt-operation-saffron-rose.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_attack_spec_version']\": \"3.2.0\", \"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-09 16:46:55.719000+00:00\", \"old_value\": \"2021-12-17 19:27:27.246000+00:00\"}, \"root['external_references'][6]['url']\": {\"new_value\": \"https://www.mandiant.com/sites/default/files/2021-09/rpt-operation-saffron-rose.pdf\", \"old_value\": \"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-operation-saffron-rose.pdf\"}}}", + "previous_version": "1.0" + }, + { + "type": "intrusion-set", + "id": "intrusion-set--9e729a7e-0dd6-4097-95bf-db8d64911383", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:31:50.624000+00:00", + "modified": "2023-10-17 20:21:44.687000+00:00", + "name": "Darkhotel", + "description": "[Darkhotel](https://attack.mitre.org/groups/G0012) is a suspected South Korean threat group that has targeted victims primarily in East Asia since at least 2004. The group's name is based on cyber espionage operations conducted via hotel Internet networks against traveling executives and other select guests. [Darkhotel](https://attack.mitre.org/groups/G0012) has also conducted spearphishing campaigns and infected victims through peer-to-peer and file sharing networks.(Citation: Kaspersky Darkhotel)(Citation: Securelist Darkhotel Aug 2015)(Citation: Microsoft Digital Defense FY20 Sept 2020)", + "aliases": [ + "Darkhotel", + "DUBNIUM" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0012", + "external_id": "G0012" + }, + { + "source_name": "Darkhotel", + "description": "(Citation: Kaspersky Darkhotel)" + }, + { + "source_name": "DUBNIUM", + "description": "(Citation: Microsoft Digital Defense FY20 Sept 2020)(Citation: Microsoft DUBNIUM June 2016)(Citation: Microsoft DUBNIUM Flash June 2016)(Citation: Microsoft DUBNIUM July 2016)" + }, + { + "source_name": "Securelist Darkhotel Aug 2015", + "description": "Kaspersky Lab's Global Research & Analysis Team. (2015, August 10). Darkhotel's attacks in 2015. Retrieved November 2, 2018.", + "url": "https://securelist.com/darkhotels-attacks-in-2015/71713/" + }, + { + "source_name": "Kaspersky Darkhotel", + "description": "Kaspersky Lab's Global Research and Analysis Team. (2014, November). The Darkhotel APT A Story of Unusual Hospitality. Retrieved November 12, 2014.", + "url": "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070903/darkhotel_kl_07.11.pdf" + }, + { + "source_name": "Microsoft Digital Defense FY20 Sept 2020", + "description": "Microsoft . (2020, September 29). Microsoft Digital Defense Report FY20. Retrieved April 21, 2021.", + "url": "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWxPuf" + }, + { + "source_name": "Microsoft DUBNIUM July 2016", + "description": "Microsoft. (2016, July 14). Reverse engineering DUBNIUM \u2013 Stage 2 payload analysis . Retrieved March 31, 2021.", + "url": "https://www.microsoft.com/security/blog/2016/07/14/reverse-engineering-dubnium-stage-2-payload-analysis/" + }, + { + "source_name": "Microsoft DUBNIUM Flash June 2016", + "description": "Microsoft. (2016, June 20). Reverse-engineering DUBNIUM\u2019s Flash-targeting exploit. Retrieved March 31, 2021.", + "url": "https://www.microsoft.com/security/blog/2016/06/20/reverse-engineering-dubniums-flash-targeting-exploit/" + }, + { + "source_name": "Microsoft DUBNIUM June 2016", + "description": "Microsoft. (2016, June 9). Reverse-engineering DUBNIUM. Retrieved March 31, 2021.", + "url": "https://www.microsoft.com/security/blog/2016/06/09/reverse-engineering-dubnium-2/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Harry Kim, CODEMIZE" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "2.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-17 20:21:44.687000+00:00\", \"old_value\": \"2022-10-19 22:07:30.243000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_contributors'][0]\": {\"new_value\": \"Harry Kim, CODEMIZE\", \"old_value\": \"Harry, CODEMIZE\"}}}", + "previous_version": "2.1" + }, + { + "type": "intrusion-set", + "id": "intrusion-set--0ec2f388-bf0f-4b5c-97b1-fc736d26c25f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-08-26 15:03:02.577000+00:00", + "modified": "2023-09-27 20:08:25.814000+00:00", + "name": "Kimsuky", + "description": "[Kimsuky](https://attack.mitre.org/groups/G0094) is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially focused on targeting South Korean government entities, think tanks, and individuals identified as experts in various fields, and expanded its operations to include the United States, Russia, Europe, and the UN. [Kimsuky](https://attack.mitre.org/groups/G0094) has focused its intelligence collection activities on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions.(Citation: EST Kimsuky April 2019)(Citation: BRI Kimsuky April 2019)(Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)(Citation: CISA AA20-301A Kimsuky)\n\n[Kimsuky](https://attack.mitre.org/groups/G0094) was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).(Citation: Netscout Stolen Pencil Dec 2018)(Citation: EST Kimsuky SmokeScreen April 2019)(Citation: AhnLab Kimsuky Kabar Cobra Feb 2019)\n\nNorth Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups.", + "aliases": [ + "Kimsuky", + "STOLEN PENCIL", + "Thallium", + "Black Banshee", + "Velvet Chollima" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0094", + "external_id": "G0094" + }, + { + "source_name": "Thallium", + "description": "(Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)" + }, + { + "source_name": "Black Banshee", + "description": "(Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)" + }, + { + "source_name": "STOLEN PENCIL", + "description": "(Citation: Netscout Stolen Pencil Dec 2018)" + }, + { + "source_name": "Kimsuky", + "description": "(Citation: Securelist Kimsuky Sept 2013)(Citation: Malwarebytes Kimsuky June 2021)" + }, + { + "source_name": "Velvet Chollima", + "description": "(Citation: Zdnet Kimsuky Dec 2018)(Citation: ThreatConnect Kimsuky September 2020)(Citation: Malwarebytes Kimsuky June 2021)" + }, + { + "source_name": "AhnLab Kimsuky Kabar Cobra Feb 2019", + "description": "AhnLab. (2019, February 28). Operation Kabar Cobra - Tenacious cyber-espionage campaign by Kimsuky Group. Retrieved September 29, 2021.", + "url": "https://global.ahnlab.com/global/upload/download/techreport/%5BAnalysis_Report%5DOperation%20Kabar%20Cobra.pdf" + }, + { + "source_name": "EST Kimsuky April 2019", + "description": "Alyac. (2019, April 3). Kimsuky Organization Steals Operation Stealth Power. Retrieved August 13, 2019.", + "url": "https://blog.alyac.co.kr/2234" + }, + { + "source_name": "Netscout Stolen Pencil Dec 2018", + "description": "ASERT team. (2018, December 5). STOLEN PENCIL Campaign Targets Academia. Retrieved February 5, 2019.", + "url": "https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/" + }, + { + "source_name": "BRI Kimsuky April 2019", + "description": "BRI. (2019, April). Kimsuky unveils APT campaign 'Smoke Screen' aimed at Korea and America. Retrieved October 7, 2019.", + "url": "https://brica.de/alerts/alert/public/1255063/kimsuky-unveils-apt-campaign-smoke-screen-aimed-at-korea-and-america/" + }, + { + "source_name": "Zdnet Kimsuky Dec 2018", + "description": "Cimpanu, C.. (2018, December 5). Cyber-espionage group uses Chrome extension to infect victims. Retrieved August 26, 2019.", + "url": "https://www.zdnet.com/article/cyber-espionage-group-uses-chrome-extension-to-infect-victims/" + }, + { + "source_name": "CISA AA20-301A Kimsuky", + "description": "CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020.", + "url": "https://us-cert.cisa.gov/ncas/alerts/aa20-301a" + }, + { + "source_name": "Cybereason Kimsuky November 2020", + "description": "Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.", + "url": "https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite" + }, + { + "source_name": "EST Kimsuky SmokeScreen April 2019", + "description": "ESTSecurity. (2019, April 17). Analysis of the APT Campaign \u2018Smoke Screen\u2019 targeting to Korea and US \ucd9c\ucc98: https://blog.alyac.co.kr/2243 [\uc774\uc2a4\ud2b8\uc2dc\ud050\ub9ac\ud2f0 \uc54c\uc57d \ube14\ub85c\uadf8]. Retrieved September 29, 2021.", + "url": "https://blog.alyac.co.kr/attachment/cfile5.uf@99A0CD415CB67E210DCEB3.pdf" + }, + { + "source_name": "Malwarebytes Kimsuky June 2021", + "description": "Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.", + "url": "https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/" + }, + { + "source_name": "Securelist Kimsuky Sept 2013", + "description": "Tarakanov , D.. (2013, September 11). The \u201cKimsuky\u201d Operation: A North Korean APT?. Retrieved August 13, 2019.", + "url": "https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/" + }, + { + "source_name": "ThreatConnect Kimsuky September 2020", + "description": "ThreatConnect. (2020, September 28). Kimsuky Phishing Operations Putting In Work. Retrieved October 30, 2020.", + "url": "https://threatconnect.com/blog/kimsuky-phishing-operations-putting-in-work/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Taewoo Lee, KISA", + "Dongwook Kim, KISA" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "3.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-27 20:08:25.814000+00:00\", \"old_value\": \"2022-11-30 22:53:00.875000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}}}", + "previous_version": "3.1" + } + ], + "revocations": [], + "deprecations": [], + "deletions": [] + }, + "campaigns": { + "additions": [ + { + "type": "campaign", + "id": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-09-27 13:11:52.340000+00:00", + "modified": "2023-10-06 14:05:01.054000+00:00", + "name": "2015 Ukraine Electric Power Attack", + "description": "[2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028) was a [Sandworm Team](https://attack.mitre.org/groups/G0034) campaign during which they used [BlackEnergy](https://attack.mitre.org/software/S0089) (specifically BlackEnergy3) and [KillDisk](https://attack.mitre.org/software/S0607) to target and disrupt transmission and distribution substations within the Ukrainian power grid. This campaign was the first major public attack conducted against the Ukrainian power grid by Sandworm Team.", + "aliases": [ + "2015 Ukraine Electric Power Attack" + ], + "first_seen": "2015-12-01 05:00:00+00:00", + "last_seen": "2016-01-01 05:00:00+00:00", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/campaigns/C0028", + "external_id": "C0028" + }, + { + "source_name": "Booz Allen Hamilton", + "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ", + "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack", + "enterprise-attack" + ], + "x_mitre_first_seen_citation": "(Citation: Booz Allen Hamilton)", + "x_mitre_last_seen_citation": "(Citation: Booz Allen Hamilton)", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "campaign", + "id": "campaign--c89fa3ff-4773-4daf-8aec-d8f43f10116e", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-05-15 19:17:48.880000+00:00", + "modified": "2023-09-29 18:06:43.110000+00:00", + "name": "C0026", + "description": "[C0026](https://attack.mitre.org/campaigns/C0026) was a campaign identified in September 2022 that included the selective distribution of [KOPILUWAK](https://attack.mitre.org/software/S1075) and [QUIETCANARY](https://attack.mitre.org/software/S1076) malware to previous [ANDROMEDA](https://attack.mitre.org/software/S1074) malware victims in Ukraine through re-registered [ANDROMEDA](https://attack.mitre.org/software/S1074) C2 domains. Several tools and tactics used during [C0026](https://attack.mitre.org/campaigns/C0026) were consistent with historic [Turla](https://attack.mitre.org/groups/G0010) operations.(Citation: Mandiant Suspected Turla Campaign February 2023)", + "aliases": [ + "C0026" + ], + "first_seen": "2022-08-01 05:00:00+00:00", + "last_seen": "2022-09-01 04:00:00+00:00", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/campaigns/C0026", + "external_id": "C0026" + }, + { + "source_name": "Mandiant Suspected Turla Campaign February 2023", + "description": "Hawley, S. et al. (2023, February 2). Turla: A Galaxy of Opportunity. Retrieved May 15, 2023.", + "url": "https://www.mandiant.com/resources/blog/turla-galaxy-opportunity" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Yoshihiro Kori, NEC Corporation", + "Manikantan Srinivasan, NEC Corporation India", + "Pooja Natarajan, NEC Corporation India" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_first_seen_citation": "(Citation: Mandiant Suspected Turla Campaign February 2023)", + "x_mitre_last_seen_citation": "(Citation: Mandiant Suspected Turla Campaign February 2023)", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "campaign", + "id": "campaign--df74f7ad-b10d-431c-9f1d-a2bc18dadefa", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-06-30 19:28:30.616000+00:00", + "modified": "2023-07-05 17:59:41.843000+00:00", + "name": "C0027", + "description": "[C0027](https://attack.mitre.org/campaigns/C0027) was a financially-motivated campaign linked to [Scattered Spider](https://attack.mitre.org/groups/G1015) that targeted telecommunications and business process outsourcing (BPO) companies from at least June through December of 2022. During [C0027](https://attack.mitre.org/campaigns/C0027) [Scattered Spider](https://attack.mitre.org/groups/G1015) used various forms of social engineering, performed SIM swapping, and attempted to leverage access from victim environments to mobile carrier networks.(Citation: Crowdstrike TELCO BPO Campaign December 2022)\n", + "aliases": [ + "C0027" + ], + "first_seen": "2022-06-01 04:00:00+00:00", + "last_seen": "2022-12-01 05:00:00+00:00", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/campaigns/C0027", + "external_id": "C0027" + }, + { + "source_name": "Crowdstrike TELCO BPO Campaign December 2022", + "description": "Parisi, T. (2022, December 2). Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies. Retrieved June 30, 2023.", + "url": "https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_first_seen_citation": "(Citation: Crowdstrike TELCO BPO Campaign December 2022)", + "x_mitre_last_seen_citation": "(Citation: Crowdstrike TELCO BPO Campaign December 2022)", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + } + ], + "major_version_changes": [], + "minor_version_changes": [ + { + "type": "campaign", + "id": "campaign--0257b35b-93ef-4a70-80dd-ad5258e6045b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-03-17 13:37:42.596000+00:00", + "modified": "2023-09-27 20:12:54.984000+00:00", + "name": "Operation Dream Job", + "description": "[Operation Dream Job](https://attack.mitre.org/campaigns/C0022) was a cyber espionage operation likely conducted by [Lazarus Group](https://attack.mitre.org/groups/G0032) that targeted the defense, aerospace, government, and other sectors in the United States, Israel, Australia, Russia, and India. In at least one case, the cyber actors tried to monetize their network access to conduct a business email compromise (BEC) operation. In 2020, security researchers noted overlapping TTPs, to include fake job lures and code similarities, between [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), Operation North Star, and Operation Interception; by 2022 security researchers described [Operation Dream Job](https://attack.mitre.org/campaigns/C0022) as an umbrella term covering both Operation Interception and Operation North Star.(Citation: ClearSky Lazarus Aug 2020)(Citation: McAfee Lazarus Jul 2020)(Citation: ESET Lazarus Jun 2020)(Citation: The Hacker News Lazarus Aug 2022)", + "aliases": [ + "Operation Dream Job", + "Operation North Star", + "Operation Interception" + ], + "first_seen": "2019-09-01 04:00:00+00:00", + "last_seen": "2020-08-01 04:00:00+00:00", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/campaigns/C0022", + "external_id": "C0022" + }, + { + "source_name": "Operation Interception", + "description": "(Citation: ESET Lazarus Jun 2020)" + }, + { + "source_name": "Operation North Star", + "description": "(Citation: McAfee Lazarus Jul 2020)(Citation: McAfee Lazarus Nov 2020)" + }, + { + "source_name": "McAfee Lazarus Nov 2020", + "description": "Beek, C. (2020, November 5). Operation North Star: Behind The Scenes. Retrieved December 20, 2021.", + "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-behind-the-scenes/" + }, + { + "source_name": "ESET Lazarus Jun 2020", + "description": "Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021.", + "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_Operation_Interception.pdf" + }, + { + "source_name": "McAfee Lazarus Jul 2020", + "description": "Cashman, M. (2020, July 29). Operation North Star Campaign. Retrieved December 20, 2021.", + "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-a-job-offer-thats-too-good-to-be-true/?hilite=%27Operation%27%2C%27North%27%2C%27Star%27" + }, + { + "source_name": "ClearSky Lazarus Aug 2020", + "description": "ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.", + "url": "https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf" + }, + { + "source_name": "The Hacker News Lazarus Aug 2022", + "description": "Lakshmanan, R. (2022, August 17). North Korea Hackers Spotted Targeting Job Seekers with macOS Malware. Retrieved April 10, 2023.", + "url": "https://thehackernews.com/2022/08/north-korea-hackers-spotted-targeting.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_first_seen_citation": "(Citation: ESET Lazarus Jun 2020)", + "x_mitre_last_seen_citation": "(Citation: ClearSky Lazarus Aug 2020)", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-27 20:12:54.984000+00:00\", \"old_value\": \"2023-04-10 19:18:19.033000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}}", + "previous_version": "1.0", + "version_change": "1.0 \u2192 1.1" + } + ], + "other_version_changes": [], + "patches": [], + "revocations": [], + "deprecations": [], + "deletions": [] + }, + "assets": { + "additions": [], + "major_version_changes": [], + "minor_version_changes": [], + "other_version_changes": [], + "patches": [], + "revocations": [], + "deprecations": [], + "deletions": [] + }, + "mitigations": { + "additions": [], + "major_version_changes": [], + "minor_version_changes": [ + { + "type": "course-of-action", + "id": "course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-10-25 14:48:53.732000+00:00", + "modified": "2023-09-27 20:18:19.004000+00:00", + "name": "Application Developer Guidance", + "description": "This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M1013", + "external_id": "M1013" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_attack_spec_version']\": \"3.2.0\", \"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-27 20:18:19.004000+00:00\", \"old_value\": \"2018-10-17 00:14:20.652000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}}", + "previous_version": "1.0", + "version_change": "1.0 \u2192 1.1" + } + ], + "other_version_changes": [], + "patches": [], + "revocations": [], + "deprecations": [], + "deletions": [] + }, + "datasources": { + "additions": [], + "major_version_changes": [], + "minor_version_changes": [], + "other_version_changes": [], + "patches": [], + "revocations": [], + "deprecations": [], + "deletions": [] + }, + "datacomponents": { + "additions": [], + "major_version_changes": [], + "minor_version_changes": [], + "other_version_changes": [], + "patches": [], + "revocations": [], + "deprecations": [], + "deletions": [] + } + }, + "mobile-attack": { + "techniques": { + "additions": [ + { + "type": "attack-pattern", + "id": "attack-pattern--28fdd23d-aee3-4afe-bc3f-5f1f52929258", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-09-21 22:16:38.002000+00:00", + "modified": "2023-09-28 15:36:11.282000+00:00", + "name": "Application Versioning", + "description": "An adversary may push an update to a previously benign application to add malicious code. This can be accomplished by pushing an initially benign, functional application to a trusted application store, such as the Google Play Store or the Apple App Store. This allows the adversary to establish a trusted userbase that may grant permissions to the application prior to the introduction of malicious code. Then, an application update could be pushed to introduce malicious code.(Citation: android_app_breaking_bad)\n\nThis technique could also be accomplished by compromising a developer\u2019s account. This would allow an adversary to take advantage of an existing userbase without having to establish the userbase themselves. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "initial-access" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1661", + "external_id": "T1661" + }, + { + "source_name": "android_app_breaking_bad", + "description": "Stefanko, L. (2023, May 23). Android app breaking bad: From legitimate screen recording to file exfiltration within a year. Retrieved August 28, 2023.", + "url": "https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-20.html", + "external_id": "SPC-20" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Edward Stevens, BT Security", + "Adam Lichters" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_version": "1.0" + }, + { + "type": "attack-pattern", + "id": "attack-pattern--9ef14445-6f35-4ed0-a042-5024f13a9242", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-09-22 19:09:15.698000+00:00", + "modified": "2023-09-27 21:09:27.288000+00:00", + "name": "Data Destruction", + "description": "Adversaries may destroy data and files on specific devices or in large numbers to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives. \n\nTo achieve data destruction, adversaries may use the `pm uninstall` command to uninstall packages or the `rm` command to remove specific files. For example, adversaries may first use `pm uninstall` to uninstall non-system apps, and then use `rm (-f) ` to delete specific files, further hiding malicious activity.(Citation: rootnik_rooting_tool)(Citation: abuse_native_linux_tools)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "impact" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1662", + "external_id": "T1662" + }, + { + "source_name": "rootnik_rooting_tool", + "description": "Hu, W., et al. (2015, December 4). Rootnik Android Trojan Abuses Commercial Rooting Tool and Steals Private Information. Retrieved September 26, 2023.", + "url": "https://unit42.paloaltonetworks.com/rootnik-android-trojan-abuses-commercial-rooting-tool-and-steals-private-information/" + }, + { + "source_name": "abuse_native_linux_tools", + "description": "Surana, N., et al. (2022, September 8). How Malicious Actors Abuse Native Linux Tools in Attacks. Retrieved September 26, 2023.", + "url": "https://www.trendmicro.com/en_za/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Liran Ravich, CardinalOps" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_version": "1.0" + }, + { + "type": "attack-pattern", + "id": "attack-pattern--5abfc5e6-3c56-49e7-ad72-502d01acf28b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-08-23 22:13:27.313000+00:00", + "modified": "2023-09-28 17:02:58.893000+00:00", + "name": "Exploitation for Client Execution", + "description": "Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to insecure coding practices that can lead to unanticipated behavior. Adversaries may take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility. \n\nAdversaries may use device-based zero-click exploits for code execution. These exploits are powerful because there is no user interaction required for code execution. \n\n### SMS/iMessage Delivery \n\nSMS and iMessage in iOS are common targets through [Drive-By Compromise](https://attack.mitre.org/techniques/T1456), [Phishing](https://attack.mitre.org/techniques/T1660), etc. Adversaries may use embed malicious links, files, etc. in SMS messages or iMessages. Mobile devices may be compromised through one-click exploits, where the victim must interact with a text message, or zero-click exploits, where no user interaction is required. \n\n### AirDrop \n\nUnique to iOS, AirDrop is a network protocol that allows iOS users to transfer files between iOS devices. Before patches from Apple were released, on iOS 13.4 and earlier, adversaries may force the Apple Wireless Direct Link (AWDL) interface to activate, then exploit a buffer overflow to gain access to the device and run as root without interaction from the user. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "execution" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1658", + "external_id": "T1658" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Giorgi Gurgenidze, ISAC" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_version": "1.0" + }, + { + "type": "attack-pattern", + "id": "attack-pattern--f856eaab-e84a-4265-a8a2-7bf37e5dc2fc", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-07-12 20:29:48.758000+00:00", + "modified": "2023-09-08 18:14:46.081000+00:00", + "name": "Masquerading", + "description": "Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name, location, or appearance of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.\n\nRenaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1655)\n", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1655", + "external_id": "T1655" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-14.html", + "external_id": "APP-14" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html", + "external_id": "APP-31" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "\n", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_version": "1.0" + }, + { + "type": "attack-pattern", + "id": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-07-12 20:45:14.704000+00:00", + "modified": "2023-09-08 18:15:15.902000+00:00", + "name": "Match Legitimate Name or Location", + "description": "Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by giving artifacts the name and icon of a legitimate, trusted application (i.e., Settings), or using a package name that matches legitimate, trusted applications (i.e., `com.google.android.gm`). \n\nAdversaries may also use the same icon of the file or application they are trying to mimic.\n", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1655/001", + "external_id": "T1655.001" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-14.html", + "external_id": "APP-14" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html", + "external_id": "APP-31" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Ford Qin, Trend Micro", + "Liran Ravich, CardinalOps" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.0" + }, + { + "type": "attack-pattern", + "id": "attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-09-21 19:35:15.552000+00:00", + "modified": "2023-09-29 19:45:39.608000+00:00", + "name": "Phishing", + "description": "Adversaries may send malicious content to users in order to gain access to their mobile devices. All forms of phishing are electronically delivered social engineering. Adversaries can conduct both non-targeted phishing, such as in mass malware spam campaigns, as well as more targeted phishing tailored for a specific individual, company, or industry, known as \u201cspearphishing\u201d. Phishing often involves social engineering techniques, such as posing as a trusted source, as well as evasion techniques, such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages.\n\nMobile phishing may take various forms. For example, adversaries may send emails containing malicious attachments or links, typically to deliver and then execute malicious code on victim devices. Phishing may also be conducted via third-party services, like social media platforms. \n\nMobile devices are a particularly attractive target for adversaries executing phishing campaigns. Due to their smaller form factor than traditional desktop endpoints, users may not be able to notice minor differences between genuine and phishing websites. Further, mobile devices have additional sensors and radios that allow adversaries to execute phishing attempts over several different vectors, such as: \n\n- SMS messages: Adversaries may send SMS messages (known as \u201csmishing\u201d) from compromised devices to potential targets to convince the target to, for example, install malware, navigate to a specific website, or enable certain insecure configurations on their device.\n- Quick Response (QR) Codes: Adversaries may use QR codes (known as \u201cquishing\u201d) to redirect users to a phishing website. For example, an adversary could replace a legitimate public QR Code with one that leads to a different destination, such as a phishing website. A malicious QR code could also be delivered via other means, such as SMS or email. In the latter case, an adversary could utilize a malicious QR code in an email to pivot from the user\u2019s desktop computer to their mobile device.\n- Phone Calls: Adversaries may call victims (known as \u201cvishing\u201d) to persuade them to perform an action, such as providing login credentials or navigating to a malicious website. This could also be used as a technique to perform the initial access on a mobile device, but then pivot to a computer/other network by having the victim perform an action on a desktop computer.\n", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "initial-access" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1660", + "external_id": "T1660" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-9.html", + "external_id": "AUT-9" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Vijay Lalwani", + "Will Thomas, Equinix", + "Adam Mashinchi", + "Sam Seabrook, Duke Energy", + "Naveen Devaraja, bolttech", + "Brian Donohue" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_version": "1.0" + }, + { + "type": "attack-pattern", + "id": "attack-pattern--0b761f2b-197a-40f2-b100-8152cb957c0c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-09-25 19:53:07.406000+00:00", + "modified": "2023-09-25 19:53:07.406000+00:00", + "name": "Remote Access Software", + "description": "Adversaries may use legitimate remote access software, such as `VNC`, `TeamViewer`, `AirDroid`, `AirMirror`, etc., to establish an interactive command and control channel to target mobile devices. \n\nRemote access applications may be installed and used post-compromise as an alternate communication channel for redundant access or as a way to establish an interactive remote session with the target device. They may also be used as a component of malware to establish a reverse connection to an adversary-controlled system or service. Installation of remote access tools may also include persistence. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "command-and-control" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1663", + "external_id": "T1663" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.0" + } + ], + "major_version_changes": [], + "minor_version_changes": [ + { + "type": "attack-pattern", + "id": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-09-20 13:42:20.824000+00:00", + "modified": "2023-08-10 21:57:52.009000+00:00", + "name": "Call Control", + "description": "Adversaries may make, forward, or block phone calls without user authorization. This could be used for adversary goals such as audio surveillance, blocking or forwarding calls from the device owner, or C2 communication.\n\nSeveral permissions may be used to programmatically control phone calls, including:\n\n* `ANSWER_PHONE_CALLS` - Allows the application to answer incoming phone calls(Citation: Android Permissions)\n* `CALL_PHONE` - Allows the application to initiate a phone call without going through the Dialer interface(Citation: Android Permissions)\n* `PROCESS_OUTGOING_CALLS` - Allows the application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether(Citation: Android Permissions)\n* `MANAGE_OWN_CALLS` - Allows a calling application which manages its own calls through the self-managed `ConnectionService` APIs(Citation: Android Permissions)\n* `BIND_TELECOM_CONNECTION_SERVICE` - Required permission when using a `ConnectionService`(Citation: Android Permissions)\n* `WRITE_CALL_LOG` - Allows an application to write to the device call log, potentially to hide malicious phone calls(Citation: Android Permissions)\n\nWhen granted some of these permissions, an application can make a phone call without opening the dialer first. However, if an application desires to simply redirect the user to the dialer with a phone number filled in, it can launch an Intent using `Intent.ACTION_DIAL`, which requires no specific permissions. This then requires the user to explicitly initiate the call or use some form of [Input Injection](https://attack.mitre.org/techniques/T1516) to programmatically initiate it.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "impact" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "command-and-control" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1616", + "external_id": "T1616" + }, + { + "source_name": "Android Permissions", + "description": "Google. (2021, August 11). Manifest.permission. Retrieved September 22, 2021.", + "url": "https://developer.android.com/reference/android/Manifest.permission" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-41.html", + "external_id": "APP-41" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-42.html", + "external_id": "CEL-42" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-36.html", + "external_id": "CEL-36" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-18.html", + "external_id": "CEL-18" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Gaetan van Diemen, ThreatFabric" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Users can view their default phone app in device settings. Users can review available call logs for irregularities, such as missing or unrecognized calls.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-10 21:57:52.009000+00:00\", \"old_value\": \"2023-03-16 18:31:37.189000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}}", + "previous_version": "1.1", + "version_change": "1.1 \u2192 1.2", + "changelog_mitigations": { + "shared": [ + "M1011: User Guidance" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0042: User Interface (System Settings)" + ], + "new": [ + "DS0042: User Interface (System Notifications)" + ], + "dropped": [ + "DS0041: Application Vetting (Permissions Requests)" + ] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2022-03-30 13:40:37.259000+00:00", + "modified": "2023-08-07 22:15:34.693000+00:00", + "name": "Command and Scripting Interpreter", + "description": "Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, Android is a UNIX-like OS and includes a basic [Unix Shell](https://attack.mitre.org/techniques/T1623/001) that can be accessed via the Android Debug Bridge (ADB) or Java\u2019s `Runtime` package.\n\nAdversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in [Initial Access](https://attack.mitre.org/tactics/TA0027) payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "execution" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1623", + "external_id": "T1623" + }, + { + "source_name": "Samsung Knox Mobile Threat Defense", + "description": "Samsung Knox Partner Program. (n.d.). Knox for Mobile Threat Defense. Retrieved March 30, 2022.", + "url": "https://partner.samsungknox.com/mtd" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Command-line activities can potentially be detected through Mobile Threat Defense integrations with lower-level OS APIs. This could grant the MTD agents access to running processes and their parameters, potentially detecting unwanted or malicious shells.\n\nApplication vetting services could detect the invocations of methods that could be used to execute shell commands.(Citation: Samsung Knox Mobile Threat Defense)", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-07 22:15:34.693000+00:00\", \"old_value\": \"2023-03-20 15:16:19.547000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}}", + "previous_version": "1.1", + "version_change": "1.1 \u2192 1.2", + "changelog_mitigations": { + "shared": [ + "M1002: Attestation", + "M1010: Deploy Compromised Device Detection Method" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0009: Process (Process Metadata)", + "DS0041: Application Vetting (API Calls)" + ], + "new": [ + "DS0017: Command (Command Execution)" + ], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2022-03-30 13:59:50.479000+00:00", + "modified": "2023-08-07 22:48:30.418000+00:00", + "name": "Unix Shell", + "description": "Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the underlying command prompts on Android and iOS devices. Unix shells can control every aspect of a system, with certain commands requiring elevated privileges that are only accessible if the device has been rooted or jailbroken. \n\nUnix shells also support scripts that enable sequential execution of commands as well as other typical programming operations such as conditionals and loops. Common uses of shell scripts include long or repetitive tasks, or the need to run the same set of commands on multiple systems. \n\nAdversaries may abuse Unix shells to execute various commands or payloads. Interactive shells may be accessed through command and control channels or during lateral movement such as with SSH. Adversaries may also leverage shell scripts to deliver and execute multiple commands on victims or as part of payloads used for persistence. \n\nIf the device has been rooted or jailbroken, adversaries may locate and invoke a superuser binary to elevate their privileges and interact with the system as the root user. This dangerous level of permissions allows the adversary to run special commands and modify protected system files. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "execution" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1623/001", + "external_id": "T1623.001" + }, + { + "source_name": "Samsung Knox Mobile Threat Defense", + "description": "Samsung Knox Partner Program. (n.d.). Knox for Mobile Threat Defense. Retrieved March 30, 2022.", + "url": "https://partner.samsungknox.com/mtd" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Command-line activities can potentially be detected through Mobile Threat Defense integrations with lower-level OS APIs. This could grant the MTD agents access to running processes and their parameters, potentially detecting unwanted or malicious shells.\n\nApplication vetting services could detect the invocations of methods that could be used to execute shell commands.(Citation: Samsung Knox Mobile Threat Defense)", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-07 22:48:30.418000+00:00\", \"old_value\": \"2023-03-20 18:41:18.389000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}}", + "previous_version": "1.1", + "version_change": "1.1 \u2192 1.2", + "changelog_mitigations": { + "shared": [ + "M1002: Attestation", + "M1010: Deploy Compromised Device Detection Method" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Metadata)", + "DS0017: Command (Command Execution)", + "DS0041: Application Vetting (API Calls)" + ], + "new": [ + "DS0009: Process (Process Creation)" + ], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-10-25 14:48:14.460000+00:00", + "modified": "2023-08-08 16:23:41.271000+00:00", + "name": "Download New Code at Runtime", + "description": "Adversaries may download and execute dynamic code not included in the original application package after installation. This technique is primarily used to evade static analysis checks and pre-publication scans in official app stores. In some cases, more advanced dynamic or behavioral analysis techniques could detect this behavior. However, in conjunction with [Execution Guardrails](https://attack.mitre.org/techniques/T1627) techniques, detecting malicious code downloaded after installation could be difficult.\n\nOn Android, dynamic code could include native code, Dalvik code, or JavaScript code that utilizes Android WebView\u2019s `JavascriptInterface` capability. \n\nOn iOS, dynamic code could be downloaded and executed through 3rd party libraries such as JSPatch. (Citation: FireEye-JSPatch) ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1407", + "external_id": "T1407" + }, + { + "source_name": "FireEye-JSPatch", + "description": "Jing Xie, Zhaofeng Chen, Jimmy Su. (2016, January 27). HOT OR NOT? THE BENEFITS AND RISKS OF IOS REMOTE HOT PATCHING. Retrieved December 9, 2016.", + "url": "https://www.fireeye.com/blog/threat-research/2016/01/hot_or_not_the_bene.html" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-20.html", + "external_id": "APP-20" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Existing network infrastructure may detect network calls to known malicious domains or the transfer of malicious payloads over the network. Mobile security products may provide URL inspection services that could determine if a domain being visited is malicious. Application vetting services could look for indications that the application downloads and executes new code at runtime (e.g., on Android, use of `DexClassLoader`, `System.load`, or the WebView `JavaScriptInterface` capability; on iOS, use of JSPatch or similar capabilities). Unfortunately, this is only a partial mitigation, as additional scrutiny would still need to be applied to applications that use these techniques. These techniques are often used without malicious intent, and applications may employ other techniques to hide their use of these techniques.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_version": "1.5", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-08 16:23:41.271000+00:00\", \"old_value\": \"2023-03-20 18:21:59.494000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.5\", \"old_value\": \"1.4\"}}}", + "previous_version": "1.4", + "version_change": "1.4 \u2192 1.5", + "changelog_mitigations": { + "shared": [ + "M1006: Use Recent OS Version" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0029: Network Traffic (Network Traffic Content)", + "DS0041: Application Vetting (API Calls)" + ], + "new": [ + "DS0041: Application Vetting (Network Communication)" + ], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-10-25 14:48:06.822000+00:00", + "modified": "2023-08-07 17:12:07.620000+00:00", + "name": "Drive-By Compromise", + "description": "Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring an [Application Access Token](https://attack.mitre.org/techniques/T1550/001).\n\nMultiple ways of delivering exploit code to a browser exist, including:\n\n* A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript, iFrames, and cross-site scripting.\n* Malicious ads are paid for and served through legitimate ad providers.\n* Built-in web application interfaces are leveraged for the insertion of any other kind of object that can be used to display web content or contain a script that executes on the visiting client (e.g. forum posts, comments, and other user controllable web content).\n\nOften the website used by an adversary is one visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted attack is referred to a strategic web compromise or watering hole attack. There are several known examples of this occurring.(Citation: Lookout-StealthMango)\n\nTypical drive-by compromise process:\n\n1. A user visits a website that is used to host the adversary controlled content.\n2. Scripts automatically execute, typically searching versions of the browser and plugins for a potentially vulnerable version. \n * The user may be required to assist in this process by enabling scripting or active website components and ignoring warning dialog boxes.\n3. Upon finding a vulnerable version, exploit code is delivered to the browser.\n4. If exploitation is successful, then it will give the adversary code execution on the user's system unless other protections are in place.\n * In some cases a second visit to the website after the initial scan is required before exploit code is delivered.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "initial-access" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1456", + "external_id": "T1456" + }, + { + "source_name": "Lookout-StealthMango", + "description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.", + "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-22.html", + "external_id": "CEL-22" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Mobile security products can often alert the user if their device is vulnerable to known exploits.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_version": "2.2", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-07 17:12:07.620000+00:00\", \"old_value\": \"2023-03-20 18:24:56.530000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.2\", \"old_value\": \"2.1\"}}}", + "previous_version": "2.1", + "version_change": "2.1 \u2192 2.2", + "changelog_mitigations": { + "shared": [ + "M1001: Security Updates" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0013: Sensor Health (Host Status)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--2ccc3d39-9598-4d32-9657-42e1c7095d26", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2022-04-05 19:57:15.734000+00:00", + "modified": "2023-08-14 16:19:34.225000+00:00", + "name": "Dynamic Resolution", + "description": "Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. This algorithm can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "command-and-control" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1637", + "external_id": "T1637" + }, + { + "source_name": "Data Driven Security DGA", + "description": "Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. Retrieved February 18, 2019.", + "url": "https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Detecting dynamically generated domains can be challenging due to the number of different Domain Generation Algorithms (DGAs), constantly evolving malware families, and the increasing complexity of the algorithms. There are a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) Content delivery network (CDN) domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, a more general approach for detecting a suspicious domain is to check for recently registered names or rarely visited domains.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-14 16:19:34.225000+00:00\", \"old_value\": \"2022-04-05 19:57:15.734000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}}", + "previous_version": "1.0", + "version_change": "1.0 \u2192 1.1", + "changelog_mitigations": { + "shared": [], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [], + "new": [ + "DS0041: Application Vetting (Network Communication)" + ], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--fd211238-f767-4599-8c0d-9dca36624626", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2022-04-05 19:59:03.161000+00:00", + "modified": "2023-08-14 16:19:54.832000+00:00", + "name": "Domain Generation Algorithms", + "description": "Adversaries may use [Domain Generation Algorithms](https://attack.mitre.org/techniques/T1637/001) (DGAs) to procedurally generate domain names for uses such as command and control communication or malicious application distribution.(Citation: securelist rotexy 2018)\n\nDGAs increase the difficulty for defenders to block, track, or take over the command and control channel, as there could potentially be thousands of domains that malware can check for instructions.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "command-and-control" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1637/001", + "external_id": "T1637.001" + }, + { + "source_name": "Data Driven Security DGA", + "description": "Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. Retrieved February 18, 2019.", + "url": "https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/" + }, + { + "source_name": "securelist rotexy 2018", + "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. Retrieved September 23, 2019.", + "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There are a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, a more general approach for detecting a suspicious domain is to check for recently registered names ", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-14 16:19:54.832000+00:00\", \"old_value\": \"2022-04-05 19:59:22.888000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}}", + "previous_version": "1.0", + "version_change": "1.0 \u2192 1.1", + "changelog_mitigations": { + "shared": [], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [], + "new": [ + "DS0041: Application Vetting (Network Communication)" + ], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--3e091a89-a493-4a6c-8e88-d57be19bb98d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2022-04-06 13:19:33.785000+00:00", + "modified": "2023-08-14 16:39:22.707000+00:00", + "name": "Exfiltration Over Alternative Protocol", + "description": "Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. \n\nAlternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Different protocol channels could also include Web services such as cloud storage. Adversaries may opt to also encrypt and/or obfuscate these alternate channels. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "exfiltration" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1639", + "external_id": "T1639" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-30.html", + "external_id": "APP-30" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "[Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1639)s can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-14 16:39:22.707000+00:00\", \"old_value\": \"2022-04-29 17:29:00.038000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_detection']\": {\"new_value\": \"[Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1639)s can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.\", \"old_value\": \"Exfiltration Over Alternative Protocols can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}}", + "previous_version": "1.0", + "version_change": "1.0 \u2192 1.1", + "changelog_mitigations": { + "shared": [], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--37047267-3e56-453c-833e-d92b68118120", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2022-04-06 13:22:57.683000+00:00", + "modified": "2023-08-14 16:40:40.166000+00:00", + "name": "Exfiltration Over Unencrypted Non-C2 Protocol", + "description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.\n\nAdversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). Adversaries may employ custom or publicly available encoding/compression algorithms (such as base64) or embed data within protocol headers and fields.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "exfiltration" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1639/001", + "external_id": "T1639.001" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-30.html", + "external_id": "APP-30" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "[Exfiltration Over Unencrypted Non-C2 Protocol](https://attack.mitre.org/techniques/T1639/001)s can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-14 16:40:40.166000+00:00\", \"old_value\": \"2022-04-06 13:23:10.087000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_detection']\": {\"new_value\": \"[Exfiltration Over Unencrypted Non-C2 Protocol](https://attack.mitre.org/techniques/T1639/001)s can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.\", \"old_value\": \"Exfiltration Over Alternative Protocols can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}}", + "previous_version": "1.0", + "version_change": "1.0 \u2192 1.1", + "changelog_mitigations": { + "shared": [], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2022-04-01 15:43:45.913000+00:00", + "modified": "2023-08-14 16:41:52+00:00", + "name": "Exfiltration Over C2 Channel", + "description": "Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "exfiltration" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1646", + "external_id": "T1646" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-29.html", + "external_id": "APP-29" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "[Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1646) can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-14 16:41:52+00:00\", \"old_value\": \"2022-04-08 16:25:44.552000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_detection']\": {\"new_value\": \"[Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1646) can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.\", \"old_value\": \"Exfiltration over C2 channel can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}}", + "previous_version": "1.0", + "version_change": "1.0 \u2192 1.1", + "changelog_mitigations": { + "shared": [], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2022-04-01 18:44:32.808000+00:00", + "modified": "2023-09-28 15:38:41.106000+00:00", + "name": "Prevent Application Removal", + "description": "Adversaries may abuse the Android device administration API to prevent the user from uninstalling a target application. In earlier versions of Android, device administrator applications needed their administration capabilities explicitly deactivated by the user before the application could be uninstalled. This was later updated so the user could deactivate and uninstall the administrator application in one step.\n\nAdversaries may also abuse the device accessibility APIs to prevent removal. This set of APIs allows the application to perform certain actions on behalf of the user and programmatically determine what is being shown on the screen. The malicious application could monitor the device screen for certain modals (e.g., the confirmation modal to uninstall an application) and inject screen input or a back button tap to close the modal. For example, Android's `performGlobalAction(int)` API could be utilized to prevent the user from removing the malicious application from the device after installation. If the user wants to uninstall the malicious application, two cases may occur, both preventing the user from removing the application.\n\n* Case 1: If the integer argument passed to the API call is `2` or `GLOBAL_ACTION_HOME`, the malicious application may direct the user to the home screen from settings screen \n\n* Case 2: If the integer argument passed to the API call is `1` or `GLOBAL_ACTION_BACK`, the malicious application may emulate the back press event ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1629/001", + "external_id": "T1629.001" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-22.html", + "external_id": "APP-22" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Shankar Raman, Gen Digital and Abhinand, Amrita University" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Users can view a list of device administrators and applications that have registered accessibility services in device settings. Users can typically visually see when an action happens that they did not initiate and can subsequently review installed applications for any out of place or unknown ones. Applications that register an accessibility service or request device administrator permissions should be scrutinized further for malicious behavior.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_contributors']\": [\"Shankar Raman, Gen Digital and Abhinand, Amrita University\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-28 15:38:41.106000+00:00\", \"old_value\": \"2023-03-20 18:54:36.502000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may abuse the Android device administration API to prevent the user from uninstalling a target application. In earlier versions of Android, device administrator applications needed their administration capabilities explicitly deactivated by the user before the application could be uninstalled. This was later updated so the user could deactivate and uninstall the administrator application in one step.\\n\\nAdversaries may also abuse the device accessibility APIs to prevent removal. This set of APIs allows the application to perform certain actions on behalf of the user and programmatically determine what is being shown on the screen. The malicious application could monitor the device screen for certain modals (e.g., the confirmation modal to uninstall an application) and inject screen input or a back button tap to close the modal. For example, Android's `performGlobalAction(int)` API could be utilized to prevent the user from removing the malicious application from the device after installation. If the user wants to uninstall the malicious application, two cases may occur, both preventing the user from removing the application.\\n\\n* Case 1: If the integer argument passed to the API call is `2` or `GLOBAL_ACTION_HOME`, the malicious application may direct the user to the home screen from settings screen \\n\\n* Case 2: If the integer argument passed to the API call is `1` or `GLOBAL_ACTION_BACK`, the malicious application may emulate the back press event \", \"old_value\": \"Adversaries may abuse the Android device administration API to prevent the user from uninstalling a target application. In earlier versions of Android, device administrator applications needed their administration capabilities explicitly deactivated by the user before the application could be uninstalled. This was later updated so the user could deactivate and uninstall the administrator application in one step.\\n\\nAdversaries may also abuse the device accessibility APIs to prevent removal. This set of APIs allows the application to perform certain actions on behalf of the user and programmatically determine what is being shown on the screen. The malicious application could monitor the device screen for certain modals (e.g., the confirmation modal to uninstall an application) and inject screen input or a back button tap to close the modal.\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,7 @@\\n Adversaries may abuse the Android device administration API to prevent the user from uninstalling a target application. In earlier versions of Android, device administrator applications needed their administration capabilities explicitly deactivated by the user before the application could be uninstalled. This was later updated so the user could deactivate and uninstall the administrator application in one step.\\n \\n-Adversaries may also abuse the device accessibility APIs to prevent removal. This set of APIs allows the application to perform certain actions on behalf of the user and programmatically determine what is being shown on the screen. The malicious application could monitor the device screen for certain modals (e.g., the confirmation modal to uninstall an application) and inject screen input or a back button tap to close the modal.\\n+Adversaries may also abuse the device accessibility APIs to prevent removal. This set of APIs allows the application to perform certain actions on behalf of the user and programmatically determine what is being shown on the screen. The malicious application could monitor the device screen for certain modals (e.g., the confirmation modal to uninstall an application) and inject screen input or a back button tap to close the modal. For example, Android's `performGlobalAction(int)` API could be utilized to prevent the user from removing the malicious application from the device after installation. If the user wants to uninstall the malicious application, two cases may occur, both preventing the user from removing the application.\\n+\\n+* Case 1: If the integer argument passed to the API call is `2` or `GLOBAL_ACTION_HOME`, the malicious application may direct the user to the home screen from settings screen \\n+\\n+* Case 2: If the integer argument passed to the API call is `1` or `GLOBAL_ACTION_BACK`, the malicious application may emulate the back press event \"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}}", + "previous_version": "1.1", + "version_change": "1.1 \u2192 1.2", + "description_change_table": "\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n

    		Old Description
    		New Description
    t1Adversaries may abuse the Android device administration API t1Adversaries may abuse the Android device administration API 
    >to prevent the user from uninstalling a target application. >to prevent the user from uninstalling a target application. 
    >In earlier versions of Android, device administrator applica>In earlier versions of Android, device administrator applica
    >tions needed their administration capabilities explicitly de>tions needed their administration capabilities explicitly de
    >activated by the user before the application could be uninst>activated by the user before the application could be uninst
    >alled. This was later updated so the user could deactivate a>alled. This was later updated so the user could deactivate a
    >nd uninstall the administrator application in one step.  Adv>nd uninstall the administrator application in one step.  Adv
    >ersaries may also abuse the device accessibility APIs to pre>ersaries may also abuse the device accessibility APIs to pre
    >vent removal. This set of APIs allows the application to per>vent removal. This set of APIs allows the application to per
    >form certain actions on behalf of the user and programmatica>form certain actions on behalf of the user and programmatica
    >lly determine what is being shown on the screen. The malicio>lly determine what is being shown on the screen. The malicio
    >us application could monitor the device screen for certain m>us application could monitor the device screen for certain m
    >odals (e.g., the confirmation modal to uninstall an applicat>odals (e.g., the confirmation modal to uninstall an applicat
    >ion) and inject screen input or a back button tap to close t>ion) and inject screen input or a back button tap to close t
    >he modal.>he modal. For example, Android's `performGlobalAction(int)` 
     >API could be utilized to prevent the user from removing the 
     >malicious application from the device after installation. If
     > the user wants to uninstall the malicious application, two 
     >cases may occur, both preventing the user from removing the 
     >application.  * Case 1: If the integer argument passed to th
     >e API call is `2` or `GLOBAL_ACTION_HOME`, the malicious app
     >lication may direct the user to the home screen from setting
     >s screen   * Case 2: If the integer argument passed to the A
     >PI call is `1` or `GLOBAL_ACTION_BACK`, the malicious applic
     >ation may emulate the back press event 
    ", + "changelog_mitigations": { + "shared": [ + "M1006: Use Recent OS Version", + "M1011: User Guidance", + "M1012: Enterprise Policy" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0042: User Interface (System Settings)" + ], + "new": [ + "DS0041: Application Vetting (API Calls)" + ], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-01-21 15:27:30.182000+00:00", + "modified": "2023-08-14 16:21:05.728000+00:00", + "name": "Ingress Tool Transfer", + "description": "Adversaries may transfer tools or other files from an external system onto a compromised device to facilitate follow-on actions. Files may be copied from an external adversary-controlled system through the command and control channel or through alternate protocols with another tool such as FTP.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "command-and-control" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1544", + "external_id": "T1544" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Application vetting services could look for connections to unknown domains or IP addresses. Application vetting services may indicate precisely what content was requested during application execution.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_version": "2.2", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-14 16:21:05.728000+00:00\", \"old_value\": \"2023-03-20 18:43:44.687000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.2\", \"old_value\": \"2.1\"}}}", + "previous_version": "2.1", + "version_change": "2.1 \u2192 2.2", + "changelog_mitigations": { + "shared": [], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0041: Application Vetting (Network Communication)", + "DS0041: Application Vetting (Permissions Requests)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-09-15 15:26:22.356000+00:00", + "modified": "2023-08-08 22:50:32.775000+00:00", + "name": "Input Injection", + "description": "A malicious application can inject input to the user interface to mimic user interaction through the abuse of Android's accessibility APIs.\n\n[Input Injection](https://attack.mitre.org/techniques/T1516) can be achieved using any of the following methods:\n\n* Mimicking user clicks on the screen, for example to steal money from a user's PayPal account.(Citation: android-trojan-steals-paypal-2fa)\n* Injecting global actions, such as `GLOBAL_ACTION_BACK` (programatically mimicking a physical back button press), to trigger actions on behalf of the user.(Citation: Talos Gustuff Apr 2019)\n* Inserting input into text fields on behalf of the user. This method is used legitimately to auto-fill text fields by applications such as password managers.(Citation: bitwarden autofill logins)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "impact" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1516", + "external_id": "T1516" + }, + { + "source_name": "bitwarden autofill logins", + "description": "Bitwarden. (n.d.). Auto-fill logins on Android . Retrieved September 15, 2019.", + "url": "https://help.bitwarden.com/article/auto-fill-android/" + }, + { + "source_name": "android-trojan-steals-paypal-2fa", + "description": "Luk\u00e1\u0161 \u0160tefanko. (2018, December 11). Android Trojan steals money from PayPal accounts even with 2FA on. Retrieved July 11, 2019.", + "url": "https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/" + }, + { + "source_name": "Talos Gustuff Apr 2019", + "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019.", + "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Luk\u00e1\u0161 \u0160tefanko, ESET" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Users can view applications that have registered accessibility services in the accessibility menu within the device settings.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-08 22:50:32.775000+00:00\", \"old_value\": \"2022-10-24 15:09:07.609000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}}", + "previous_version": "1.1", + "version_change": "1.1 \u2192 1.2", + "changelog_mitigations": { + "shared": [ + "M1011: User Guidance", + "M1012: Enterprise Policy" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [], + "new": [ + "DS0042: User Interface (System Settings)" + ], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-10-25 14:48:24.488000+00:00", + "modified": "2023-10-16 16:23:05.146000+00:00", + "name": "Lockscreen Bypass", + "description": "An adversary with physical access to a mobile device may seek to bypass the device\u2019s lockscreen. Several methods exist to accomplish this, including:\n\n* Biometric spoofing: If biometric authentication is used, an adversary could attempt to spoof a mobile device\u2019s biometric authentication mechanism. Both iOS and Android partly mitigate this attack by requiring the device\u2019s passcode rather than biometrics to unlock the device after every device restart, and after a set or random amount of time.(Citation: SRLabs-Fingerprint)(Citation: TheSun-FaceID)\n* Unlock code bypass: An adversary could attempt to brute-force or otherwise guess the lockscreen passcode (typically a PIN or password), including physically observing (\u201cshoulder surfing\u201d) the device owner\u2019s use of the lockscreen passcode. Mobile OS vendors partly mitigate this by implementing incremental backoff timers after a set number of failed unlock attempts, as well as a configurable full device wipe after several failed unlock attempts.\n* Vulnerability exploit: Techniques have been periodically demonstrated that exploit mobile devices to bypass the lockscreen. The vulnerabilities are generally patched by the device or OS vendor once disclosed.(Citation: Wired-AndroidBypass)(Citation: Kaspersky-iOSBypass)\n", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "initial-access" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1461", + "external_id": "T1461" + }, + { + "source_name": "Wired-AndroidBypass", + "description": "Andy Greenberg. (2015, September 15). Hack Brief: Emergency Number Hack Bypasses Android Lock Screens. Retrieved December 23, 2016.", + "url": "https://www.wired.com/2015/09/hack-brief-new-emergency-number-hack-easily-bypasses-android-lock-screens/" + }, + { + "source_name": "Kaspersky-iOSBypass", + "description": "Chris Brook. (2016, November 17). iOS 10 Passcode Bypass Can Access Photos, Contacts. Retrieved December 23, 2016.", + "url": "https://threatpost.com/ios-10-passcode-bypass-can-access-photos-contacts/122033/" + }, + { + "source_name": "TheSun-FaceID", + "description": "Sean Keach. (2018, February 15). Brit mates BREAK Apple\u2019s face unlock and vow to never buy iPhone again. Retrieved September 18, 2018.", + "url": "https://www.thesun.co.uk/tech/5584082/iphone-x-face-unlock-tricked-broken/" + }, + { + "source_name": "SRLabs-Fingerprint", + "description": "SRLabs. (n.d.). Fingerprints are not fit for secure device unlocking. Retrieved December 23, 2016.", + "url": "https://srlabs.de/bites/spoofing-fingerprints/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Users can see if someone is watching them type in their device passcode.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_version": "1.3", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-16 16:23:05.146000+00:00\", \"old_value\": \"2022-04-19 15:36:12.312000+00:00\"}, \"root['description']\": {\"new_value\": \"An adversary with physical access to a mobile device may seek to bypass the device\\u2019s lockscreen. Several methods exist to accomplish this, including:\\n\\n* Biometric spoofing: If biometric authentication is used, an adversary could attempt to spoof a mobile device\\u2019s biometric authentication mechanism. Both iOS and Android partly mitigate this attack by requiring the device\\u2019s passcode rather than biometrics to unlock the device after every device restart, and after a set or random amount of time.(Citation: SRLabs-Fingerprint)(Citation: TheSun-FaceID)\\n* Unlock code bypass: An adversary could attempt to brute-force or otherwise guess the lockscreen passcode (typically a PIN or password), including physically observing (\\u201cshoulder surfing\\u201d) the device owner\\u2019s use of the lockscreen passcode. Mobile OS vendors partly mitigate this by implementing incremental backoff timers after a set number of failed unlock attempts, as well as a configurable full device wipe after several failed unlock attempts.\\n* Vulnerability exploit: Techniques have been periodically demonstrated that exploit mobile devices to bypass the lockscreen. The vulnerabilities are generally patched by the device or OS vendor once disclosed.(Citation: Wired-AndroidBypass)(Citation: Kaspersky-iOSBypass)\\n\", \"old_value\": \"An adversary with physical access to a mobile device may seek to bypass the device\\u2019s lockscreen. Several methods exist to accomplish this, including:\\n\\n* Biometric spoofing: If biometric authentication is used, an adversary could attempt to spoof a mobile device\\u2019s biometric authentication mechanism. Both iOS and Android partly mitigate this attack by requiring the device\\u2019s passcode rather than biometrics to unlock the device after every device restart, and after a set or random amount of time.(Citation: SRLabs-Fingerprint)(Citation: TheSun-FaceID)\\n* Unlock code bypass: An adversaries could attempt to brute-force or otherwise guess the lockscreen passcode (typically a PIN or password), including physically observing (\\u201cshoulder surfing\\u201d) the device owner\\u2019s use of the lockscreen passcode. Mobile OS vendors partly mitigate this by implementing incremental backoff timers after a set number of failed unlock attempts, as well as a configurable full device wipe after several failed unlock attempts.\\n* Vulnerability exploit: Techniques have been periodically demonstrated that exploit mobile devices to bypass the lockscreen. The vulnerabilities are generally patched by the device or OS vendor once disclosed.(Citation: Wired-AndroidBypass)(Citation: Kaspersky-iOSBypass)\\n\", \"diff\": \"--- \\n+++ \\n@@ -1,5 +1,5 @@\\n An adversary with physical access to a mobile device may seek to bypass the device\\u2019s lockscreen. Several methods exist to accomplish this, including:\\n \\n * Biometric spoofing: If biometric authentication is used, an adversary could attempt to spoof a mobile device\\u2019s biometric authentication mechanism. Both iOS and Android partly mitigate this attack by requiring the device\\u2019s passcode rather than biometrics to unlock the device after every device restart, and after a set or random amount of time.(Citation: SRLabs-Fingerprint)(Citation: TheSun-FaceID)\\n-* Unlock code bypass: An adversaries could attempt to brute-force or otherwise guess the lockscreen passcode (typically a PIN or password), including physically observing (\\u201cshoulder surfing\\u201d) the device owner\\u2019s use of the lockscreen passcode. Mobile OS vendors partly mitigate this by implementing incremental backoff timers after a set number of failed unlock attempts, as well as a configurable full device wipe after several failed unlock attempts.\\n+* Unlock code bypass: An adversary could attempt to brute-force or otherwise guess the lockscreen passcode (typically a PIN or password), including physically observing (\\u201cshoulder surfing\\u201d) the device owner\\u2019s use of the lockscreen passcode. Mobile OS vendors partly mitigate this by implementing incremental backoff timers after a set number of failed unlock attempts, as well as a configurable full device wipe after several failed unlock attempts.\\n * Vulnerability exploit: Techniques have been periodically demonstrated that exploit mobile devices to bypass the lockscreen. The vulnerabilities are generally patched by the device or OS vendor once disclosed.(Citation: Wired-AndroidBypass)(Citation: Kaspersky-iOSBypass)\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.3\", \"old_value\": \"1.2\"}}}", + "previous_version": "1.2", + "version_change": "1.2 \u2192 1.3", + "description_change_table": "\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n

    		Old Description
    		New Description
    t1An adversary with physical access to a mobile device may seet1An adversary with physical access to a mobile device may see
    >k to bypass the device\u2019s lockscreen. Several methods exist t>k to bypass the device\u2019s lockscreen. Several methods exist t
    >o accomplish this, including:  * Biometric spoofing: If biom>o accomplish this, including:  * Biometric spoofing: If biom
    >etric authentication is used, an adversary could attempt to >etric authentication is used, an adversary could attempt to 
    >spoof a mobile device\u2019s biometric authentication mechanism. >spoof a mobile device\u2019s biometric authentication mechanism. 
    >Both iOS and Android partly mitigate this attack by requirin>Both iOS and Android partly mitigate this attack by requirin
    >g the device\u2019s passcode rather than biometrics to unlock the>g the device\u2019s passcode rather than biometrics to unlock the
    > device after every device restart, and after a set or rando> device after every device restart, and after a set or rando
    >m amount of time.(Citation: SRLabs-Fingerprint)(Citation: Th>m amount of time.(Citation: SRLabs-Fingerprint)(Citation: Th
    >eSun-FaceID) * Unlock code bypass: An adversaries could atte>eSun-FaceID) * Unlock code bypass: An adversary could attemp
    >mpt to brute-force or otherwise guess the lockscreen passcod>t to brute-force or otherwise guess the lockscreen passcode 
    >e (typically a PIN or password), including physically observ>(typically a PIN or password), including physically observin
    >ing (\u201cshoulder surfing\u201d) the device owner\u2019s use of the locks>g (\u201cshoulder surfing\u201d) the device owner\u2019s use of the lockscr
    >creen passcode. Mobile OS vendors partly mitigate this by im>een passcode. Mobile OS vendors partly mitigate this by impl
    >plementing incremental backoff timers after a set number of >ementing incremental backoff timers after a set number of fa
    >failed unlock attempts, as well as a configurable full devic>iled unlock attempts, as well as a configurable full device 
    >e wipe after several failed unlock attempts. * Vulnerability>wipe after several failed unlock attempts. * Vulnerability e
    > exploit: Techniques have been periodically demonstrated tha>xploit: Techniques have been periodically demonstrated that 
    >t exploit mobile devices to bypass the lockscreen. The vulne>exploit mobile devices to bypass the lockscreen. The vulnera
    >rabilities are generally patched by the device or OS vendor >bilities are generally patched by the device or OS vendor on
    >once disclosed.(Citation: Wired-AndroidBypass)(Citation: Kas>ce disclosed.(Citation: Wired-AndroidBypass)(Citation: Kaspe
    >persky-iOSBypass) >rsky-iOSBypass) 
    ", + "changelog_mitigations": { + "shared": [ + "M1001: Security Updates", + "M1012: Enterprise Policy" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [], + "new": [ + "DS0013: Sensor Health (Host Status)" + ], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-10-25 14:48:32.328000+00:00", + "modified": "2023-08-09 14:38:34.859000+00:00", + "name": "Obfuscated Files or Information", + "description": "Adversaries may attempt to make a payload or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the device or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. \n \nPayloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Portions of files can also be encoded to hide the plaintext strings that would otherwise help defenders with discovery. Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled.(Citation: Microsoft MalLockerB) ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1406", + "external_id": "T1406" + }, + { + "source_name": "Microsoft MalLockerB", + "description": "D. Venkatesan. (2020, October 8). Sophisticated new Android malware marks the latest evolution of mobile ransomware . Retrieved October 29, 2020.", + "url": "https://www.microsoft.com/security/blog/2020/10/08/sophisticated-new-android-malware-marks-the-latest-evolution-of-mobile-ransomware/" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-21.html", + "external_id": "APP-21" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Dynamic analysis, when used in application vetting, may in some cases be able to identify malicious code in obfuscated or encrypted form by detecting the code at execution time (after it is deobfuscated or decrypted). Some application vetting techniques apply reputation analysis of the application developer and can alert to potentially suspicious applications without actual examination of application code.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_version": "3.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-09 14:38:34.859000+00:00\", \"old_value\": \"2022-04-06 12:36:31.652000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"3.1\", \"old_value\": \"3.0\"}}}", + "previous_version": "3.0", + "version_change": "3.0 \u2192 3.1", + "changelog_mitigations": { + "shared": [], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [], + "new": [ + "DS0041: Application Vetting (API Calls)" + ], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-10-25 14:48:23.233000+00:00", + "modified": "2023-08-07 17:13:04.396000+00:00", + "name": "Replication Through Removable Media", + "description": "Adversaries may move onto devices by exploiting or copying malware to devices connected via USB. In the case of Lateral Movement, adversaries may utilize the physical connection of a device to a compromised or malicious charging station or PC to bypass application store requirements and install malicious applications directly.(Citation: Lau-Mactans) In the case of Initial Access, adversaries may attempt to exploit the device via the connection to gain access to data stored on the device.(Citation: Krebs-JuiceJacking) Examples of this include: \n \n* Exploiting insecure bootloaders in a Nexus 6 or 6P device over USB and gaining the ability to perform actions including intercepting phone calls, intercepting network traffic, and obtaining the device physical location.(Citation: IBM-NexusUSB) \n* Exploiting weakly-enforced security boundaries in Android devices such as the Google Pixel 2 over USB.(Citation: GoogleProjectZero-OATmeal) \n* Products from Cellebrite and Grayshift purportedly that can exploit some iOS devices using physical access to the data port to unlock the passcode.(Citation: Computerworld-iPhoneCracking) ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "initial-access" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "lateral-movement" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1458", + "external_id": "T1458" + }, + { + "source_name": "Krebs-JuiceJacking", + "description": "Brian Krebs. (2011, August 17). Beware of Juice-Jacking. Retrieved December 23, 2016.", + "url": "http://krebsonsecurity.com/2011/08/beware-of-juice-jacking/" + }, + { + "source_name": "GoogleProjectZero-OATmeal", + "description": "Jann Horn. (2018, September 10). OATmeal on the Universal Cereal Bus: Exploiting Android phones over USB. Retrieved September 18, 2018.", + "url": "https://googleprojectzero.blogspot.com/2018/09/oatmeal-on-universal-cereal-bus.html" + }, + { + "source_name": "Lau-Mactans", + "description": "Lau et al.. (2013). Mactans: Injecting Malware Into iOS Devices Via Malicious Chargers. Retrieved December 23, 2016.", + "url": "https://media.blackhat.com/us-13/US-13-Lau-Mactans-Injecting-Malware-into-iOS-Devices-via-Malicious-Chargers-WP.pdf" + }, + { + "source_name": "Computerworld-iPhoneCracking", + "description": "Lucas Mearian. (2018, May 9). Two vendors now sell iPhone cracking technology \u2013 and police are buying. Retrieved September 21, 2018.", + "url": "https://www.computerworld.com/article/3268729/apple-ios/two-vendors-now-sell-iphone-cracking-technology-and-police-are-buying.html" + }, + { + "source_name": "IBM-NexusUSB", + "description": "Roee Hay. (2017, January 5). Android Vulnerabilities: Attacking Nexus 6 and 6P Custom Boot Modes. Retrieved January 11, 2017.", + "url": "https://securityintelligence.com/android-vulnerabilities-attacking-nexus-6-and-6p-custom-boot-modes/" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/physical-threats/PHY-1.html", + "external_id": "PHY-1" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/physical-threats/PHY-2.html", + "external_id": "PHY-2" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-6.html", + "external_id": "STA-6" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_version": "2.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-07 17:13:04.396000+00:00\", \"old_value\": \"2022-04-08 15:53:11.864000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.1\", \"old_value\": \"2.0\"}}}", + "previous_version": "2.0", + "version_change": "2.0 \u2192 2.1", + "changelog_mitigations": { + "shared": [ + "M1001: Security Updates", + "M1003: Lock Bootloader", + "M1006: Use Recent OS Version", + "M1011: User Guidance", + "M1012: Enterprise Policy" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [], + "new": [ + "DS0013: Sensor Health (Host Status)" + ], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-02-01 17:29:43.503000+00:00", + "modified": "2023-08-14 16:31:37.317000+00:00", + "name": "Web Service", + "description": "Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. \n\n \n\nUse of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis, or enable operational resiliency (since this infrastructure may be dynamically changed). \n\n ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "command-and-control" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1481", + "external_id": "T1481" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_version": "1.3", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-14 16:31:37.317000+00:00\", \"old_value\": \"2023-03-20 18:37:13.730000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.3\", \"old_value\": \"1.2\"}}}", + "previous_version": "1.2", + "version_change": "1.2 \u2192 1.3", + "changelog_mitigations": { + "shared": [], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0041: Application Vetting (Network Communication)" + ], + "new": [ + "DS0029: Network Traffic (Network Connection Creation)" + ], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--939808a7-121d-467a-b028-4441ee8b7cee", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2022-04-06 15:47:06.071000+00:00", + "modified": "2023-08-14 16:34:55.968000+00:00", + "name": "Bidirectional Communication", + "description": "Adversaries may use an existing, legitimate external Web service channel as a means for sending commands to and receiving output from a compromised system. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems can then send the output from those commands back over that Web service channel. The return traffic may occur in a variety of ways, depending on the Web service being utilized. For example, the return traffic may take the form of the compromised system posting a comment on a forum, issuing a pull request to development project, updating a document hosted on a Web service, or by sending a Tweet. \n\n \n\nPopular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "command-and-control" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1481/002", + "external_id": "T1481.002" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-14 16:34:55.968000+00:00\", \"old_value\": \"2023-03-16 13:32:55.266000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}}", + "previous_version": "1.1", + "version_change": "1.1 \u2192 1.2", + "changelog_mitigations": { + "shared": [], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0029: Network Traffic (Network Connection Creation)", + "DS0041: Application Vetting (Network Communication)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--986f80f7-ff0e-4f48-87bd-0394814bbce5", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2022-04-06 15:41:03.914000+00:00", + "modified": "2023-08-14 16:33:56.861000+00:00", + "name": "Dead Drop Resolver", + "description": "Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers. \n\n \n\nPopular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. \n\n \n\nUse of a dead drop resolver may also protect back-end C2 infrastructure from discovery through malware binary analysis, or enable operational resiliency (since this infrastructure may be dynamically changed). ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "command-and-control" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1481/001", + "external_id": "T1481.001" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application. ", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-14 16:33:56.861000+00:00\", \"old_value\": \"2023-03-20 15:56:04.790000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}}", + "previous_version": "1.1", + "version_change": "1.1 \u2192 1.2", + "changelog_mitigations": { + "shared": [], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0041: Application Vetting (Network Communication)" + ], + "new": [ + "DS0029: Network Traffic (Network Connection Creation)" + ], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--d916f176-a1ca-4a78-9fdd-4058bc28162e", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2022-04-06 15:52:07.711000+00:00", + "modified": "2023-08-14 16:35:55.739000+00:00", + "name": "One-Way Communication", + "description": "Adversaries may use an existing, legitimate external Web service channel as a means for sending commands to a compromised system without receiving return output. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems may opt to send the output from those commands back over a different C2 channel, including to another distinct Web service. Alternatively, compromised systems may return no output at all in cases where adversaries want to send instructions to systems and do not want a response. \n\n \n\nPopular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "command-and-control" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1481/003", + "external_id": "T1481.003" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-14 16:35:55.739000+00:00\", \"old_value\": \"2023-03-20 18:53:34.118000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}}", + "previous_version": "1.1", + "version_change": "1.1 \u2192 1.2", + "changelog_mitigations": { + "shared": [], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0041: Application Vetting (Network Communication)" + ], + "new": [ + "DS0029: Network Traffic (Network Connection Creation)" + ], + "dropped": [] + } + } + ], + "other_version_changes": [], + "patches": [ + { + "type": "attack-pattern", + "id": "attack-pattern--cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2022-04-01 14:55:10.494000+00:00", + "modified": "2023-09-08 19:19:37.927000+00:00", + "name": "Credentials from Password Store", + "description": "Adversaries may search common password storage locations to obtain user credentials. Passwords can be stored in several places on a device, depending on the operating system or application holding the credentials. There are also specific applications that store passwords to make it easier for users to manage and maintain. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "credential-access" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1634", + "external_id": "T1634" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-11.html", + "external_id": "AUT-11" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Mobile security products can potentially detect jailbroken devices. Application vetting services may be able to detect known privilege escalation exploits contained within applications, as well as searching application packages for strings that correlate to known password store locations.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-08 19:19:37.927000+00:00\", \"old_value\": \"2023-03-20 15:45:44.103000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may search common password storage locations to obtain user credentials. Passwords can be stored in several places on a device, depending on the operating system or application holding the credentials. There are also specific applications that store passwords to make it easier for users to manage and maintain. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.\", \"old_value\": \"Adversaries may search common password storage locations to obtain user credentials. Passwords can be stored in several places on a device, depending on the operating system or application holding the credentials. There are also specific applications that store passwords to make it easier for users manage and maintain. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.\"}}}", + "previous_version": "1.1", + "description_change_table": "\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n

    		Old Description
    		New Description
    t1Adversaries may search common password storage locations to t1Adversaries may search common password storage locations to 
    >obtain user credentials. Passwords can be stored in several >obtain user credentials. Passwords can be stored in several 
    >places on a device, depending on the operating system or app>places on a device, depending on the operating system or app
    >lication holding the credentials. There are also specific ap>lication holding the credentials. There are also specific ap
    >plications that store passwords to make it easier for users >plications that store passwords to make it easier for users 
    >manage and maintain. Once credentials are obtained, they can>to manage and maintain. Once credentials are obtained, they 
    > be used to perform lateral movement and access restricted i>can be used to perform lateral movement and access restricte
    >nformation.>d information.
    ", + "changelog_mitigations": { + "shared": [ + "M1001: Security Updates", + "M1002: Attestation", + "M1010: Deploy Compromised Device Detection Method" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0013: Sensor Health (Host Status)", + "DS0041: Application Vetting (API Calls)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-10-25 14:48:29.405000+00:00", + "modified": "2023-09-08 19:20:13.836000+00:00", + "name": "Exploitation for Privilege Escalation", + "description": "Adversaries may exploit software vulnerabilities in order to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in an application, service, within the operating system software, or kernel itself to execute adversary-controlled code. Security constructions, such as permission levels, will often hinder access to information and use of certain techniques. Adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions. \n\nWhen initially gaining access to a device, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and applications running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user- level permission to root permissions depending on the component that is vulnerable. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "privilege-escalation" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1404", + "external_id": "T1404" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-26.html", + "external_id": "APP-26" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Mobile security products can potentially utilize device APIs to determine if a device has been rooted or jailbroken. Application vetting services could potentially determine if an application contains code designed to exploit vulnerabilities.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_version": "2.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-08 19:20:13.836000+00:00\", \"old_value\": \"2023-03-20 18:49:53.301000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may exploit software vulnerabilities in order to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in an application, service, within the operating system software, or kernel itself to execute adversary-controlled code. Security constructions, such as permission levels, will often hinder access to information and use of certain techniques. Adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions. \\n\\nWhen initially gaining access to a device, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and applications running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user- level permission to root permissions depending on the component that is vulnerable. \", \"old_value\": \"Adversaries may exploit software vulnerabilities in order to to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in an application, service, within the operating system software, or kernel itself to execute adversary-controlled code. Security constructions, such as permission levels, will often hinder access to information and use of certain techniques. Adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions. \\n\\nWhen initially gaining access to a device, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and applications running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user- level permission to root permissions depending on the component that is vulnerable. \", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,3 @@\\n-Adversaries may exploit software vulnerabilities in order to to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in an application, service, within the operating system software, or kernel itself to execute adversary-controlled code. Security constructions, such as permission levels, will often hinder access to information and use of certain techniques. Adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions. \\n+Adversaries may exploit software vulnerabilities in order to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in an application, service, within the operating system software, or kernel itself to execute adversary-controlled code. Security constructions, such as permission levels, will often hinder access to information and use of certain techniques. Adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions. \\n \\n When initially gaining access to a device, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and applications running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user- level permission to root permissions depending on the component that is vulnerable. \"}}}", + "previous_version": "2.1", + "description_change_table": "\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n

    		Old Description
    		New Description
    t1Adversaries may exploit software vulnerabilities in order tot1Adversaries may exploit software vulnerabilities in order to
    > to elevate privileges. Exploitation of a software vulnerabi> elevate privileges. Exploitation of a software vulnerabilit
    >lity occurs when an adversary takes advantage of a programmi>y occurs when an adversary takes advantage of a programming 
    >ng error in an application, service, within the operating sy>error in an application, service, within the operating syste
    >stem software, or kernel itself to execute adversary-control>m software, or kernel itself to execute adversary-controlled
    >led code. Security constructions, such as permission levels,> code. Security constructions, such as permission levels, wi
    > will often hinder access to information and use of certain >ll often hinder access to information and use of certain tec
    >techniques. Adversaries will likely need to perform privileg>hniques. Adversaries will likely need to perform privilege e
    >e escalation to include use of software exploitation to circ>scalation to include use of software exploitation to circumv
    >umvent those restrictions.   When initially gaining access t>ent those restrictions.   When initially gaining access to a
    >o a device, an adversary may be operating within a lower pri> device, an adversary may be operating within a lower privil
    >vileged process which will prevent them from accessing certa>eged process which will prevent them from accessing certain 
    >in resources on the system. Vulnerabilities may exist, usual>resources on the system. Vulnerabilities may exist, usually 
    >ly in operating system components and applications running a>in operating system components and applications running at h
    >t higher permissions, that can be exploited to gain higher l>igher permissions, that can be exploited to gain higher leve
    >evels of access on the system. This could enable someone to >ls of access on the system. This could enable someone to mov
    >move from unprivileged or user- level permission to root per>e from unprivileged or user- level permission to root permis
    >missions depending on the component that is vulnerable. >sions depending on the component that is vulnerable. 
    ", + "changelog_mitigations": { + "shared": [ + "M1001: Security Updates", + "M1002: Attestation", + "M1010: Deploy Compromised Device Detection Method" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0013: Sensor Health (Host Status)", + "DS0041: Application Vetting (API Calls)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--c6e17ca2-08b5-4379-9786-89bd05241831", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2022-03-30 15:07:51.646000+00:00", + "modified": "2023-09-08 19:20:51.220000+00:00", + "name": "System Runtime API Hijacking", + "description": "Adversaries may execute their own malicious payloads by hijacking the way an operating system runs applications. Hijacking execution flow can be for the purposes of persistence since this hijacked execution may reoccur at later points in time. \n\n\nOn Android, adversaries may overwrite the standard OS API library with a malicious alternative to hook into core functions to achieve persistence. By doing this, the adversary\u2019s code will be executed every time the overwritten API function is called by an app on the infected device.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "persistence" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1625/001", + "external_id": "T1625.001" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html", + "external_id": "APP-27" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Mobile threat defense agents could detect unauthorized operating system modifications by using attestation. ", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-08 19:20:51.220000+00:00\", \"old_value\": \"2023-03-20 18:46:08.412000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may execute their own malicious payloads by hijacking the way an operating system runs applications. Hijacking execution flow can be for the purposes of persistence since this hijacked execution may reoccur at later points in time. \\n\\n\\nOn Android, adversaries may overwrite the standard OS API library with a malicious alternative to hook into core functions to achieve persistence. By doing this, the adversary\\u2019s code will be executed every time the overwritten API function is called by an app on the infected device.\", \"old_value\": \"Adversaries may execute their own malicious payloads by hijacking the way an operating system run applications. Hijacking execution flow can be for the purposes of persistence since this hijacked execution may reoccur at later points in time. \\n\\n\\nOn Android, adversaries may overwrite the standard OS API library with a malicious alternative to hook into core functions to achieve persistence. By doing this, the adversary\\u2019s code will be executed every time the overwritten API function is called by an app on the infected device.\", \"diff\": \"--- \\n+++ \\n@@ -1,4 +1,4 @@\\n-Adversaries may execute their own malicious payloads by hijacking the way an operating system run applications. Hijacking execution flow can be for the purposes of persistence since this hijacked execution may reoccur at later points in time. \\n+Adversaries may execute their own malicious payloads by hijacking the way an operating system runs applications. Hijacking execution flow can be for the purposes of persistence since this hijacked execution may reoccur at later points in time. \\n \\n \\n On Android, adversaries may overwrite the standard OS API library with a malicious alternative to hook into core functions to achieve persistence. By doing this, the adversary\\u2019s code will be executed every time the overwritten API function is called by an app on the infected device.\"}}}", + "previous_version": "1.1", + "description_change_table": "\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n

    		Old Description
    		New Description
    t1Adversaries may execute their own malicious payloads by hijat1Adversaries may execute their own malicious payloads by hija
    >cking the way an operating system run applications. Hijackin>cking the way an operating system runs applications. Hijacki
    >g execution flow can be for the purposes of persistence sinc>ng execution flow can be for the purposes of persistence sin
    >e this hijacked execution may reoccur at later points in tim>ce this hijacked execution may reoccur at later points in ti
    >e.    On Android, adversaries may overwrite the standard OS >me.    On Android, adversaries may overwrite the standard OS
    >API library with a malicious alternative to hook into core f> API library with a malicious alternative to hook into core 
    >unctions to achieve persistence. By doing this, the adversar>functions to achieve persistence. By doing this, the adversa
    >y\u2019s code will be executed every time the overwritten API fun>ry\u2019s code will be executed every time the overwritten API fu
    >ction is called by an app on the infected device.>nction is called by an app on the infected device.
    ", + "changelog_mitigations": { + "shared": [ + "M1002: Attestation", + "M1004: System Partition Integrity" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0013: Sensor Health (Host Status)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--0f4fb01b-d57a-4375-b7a2-342c9d3248f7", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2022-04-05 19:49:58.938000+00:00", + "modified": "2023-08-15 15:06:03.427000+00:00", + "name": "Impersonate SS7 Nodes", + "description": "Adversaries may exploit the lack of authentication in signaling system network nodes to track the to track the location of mobile devices by impersonating a node.(Citation: Engel-SS7)(Citation: Engel-SS7-2008)(Citation: 3GPP-Security)(Citation: Positive-SS7)(Citation: CSRIC5-WG10-FinalReport) \n\n \n\nBy providing the victim\u2019s MSISDN (phone number) and impersonating network internal nodes to query subscriber information from other nodes, adversaries may use data collected from each hop to eventually determine the device\u2019s geographical cell area or nearest cell tower.(Citation: Engel-SS7)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "discovery" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1430/002", + "external_id": "T1430.002" + }, + { + "source_name": "3GPP-Security", + "description": "3GPP. (2000, January). A Guide to 3rd Generation Security. Retrieved December 19, 2016.", + "url": "http://www.3gpp.org/ftp/tsg_sa/wg3_security/_specs/33900-120.pdf" + }, + { + "source_name": "CSRIC5-WG10-FinalReport", + "description": "Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. Retrieved May 24, 2017.", + "url": "https://web.archive.org/web/20200330012714/https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf" + }, + { + "source_name": "CSRIC-WG1-FinalReport", + "description": "CSRIC-WG1-FinalReport" + }, + { + "source_name": "Positive-SS7", + "description": "Positive Technologies. (n.d.). SS7 Attack Discovery. Retrieved December 19, 2016.", + "url": "https://www.ptsecurity.com/upload/ptcom/PT-SS7-AD-Data-Sheet-eng.pdf" + }, + { + "source_name": "Engel-SS7-2008", + "description": "Tobias Engel. (2008, December). Locating Mobile Phones using SS7. Retrieved December 19, 2016.", + "url": "https://www.youtube.com/watch?v=q0n5ySqbfdI" + }, + { + "source_name": "Engel-SS7", + "description": "Tobias Engel. (2014, December). SS7: Locate. Track. Manipulate.. Retrieved December 19, 2016.", + "url": "https://berlin.ccc.de/~tobias/31c3-ss7-locate-track-manipulate.pdf" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-38.html", + "external_id": "CEL-38" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Network carriers may be able to use firewalls, Intrusion Detection Systems (IDS), or Intrusion Prevention Systems (IPS) to detect and/or block SS7 exploitation.(Citation: CSRIC-WG1-FinalReport) The CSRIC also suggests threat information sharing between telecommunications industry members.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-15 15:06:03.427000+00:00\", \"old_value\": \"2023-03-20 18:41:45.256000+00:00\"}, \"root['external_references'][2]['url']\": {\"new_value\": \"https://web.archive.org/web/20200330012714/https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf\", \"old_value\": \"https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf\"}}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [ + "M1014: Interconnection Filtering" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0029: Network Traffic (Network Traffic Flow)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-08-01 13:44:09.368000+00:00", + "modified": "2023-09-08 19:21:40.736000+00:00", + "name": "Non-Standard Port", + "description": "Adversaries may generate network traffic using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088 or port 587 as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "command-and-control" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1509", + "external_id": "T1509" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Application vetting reports may show network communications performed by the application, including hosts, ports, protocols, and URLs. Further detection would most likely be at the enterprise level, through packet and/or netflow inspection. Many properly configured firewalls may also naturally block command and control traffic over non-standard ports.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_version": "2.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-08 19:21:40.736000+00:00\", \"old_value\": \"2023-03-20 18:51:58.228000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may generate network traffic using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088 or port 587 as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.\", \"old_value\": \"Adversaries may generate network traffic using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088 or port 587 as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.\"}}}", + "previous_version": "2.1", + "description_change_table": "\n \n \n \n \n \n \n \n \n \n \n \n \n

    		Old Description
    		New Description
    t1Adversaries may generate network traffic using a protocol ant1Adversaries may generate network traffic using a protocol an
    >d port paring that are typically not associated. For example>d port pairing that are typically not associated. For exampl
    >, HTTPS over port 8088 or port 587 as opposed to the traditi>e, HTTPS over port 8088 or port 587 as opposed to the tradit
    >onal port 443. Adversaries may make changes to the standard >ional port 443. Adversaries may make changes to the standard
    >port used by a protocol to bypass filtering or muddle analys> port used by a protocol to bypass filtering or muddle analy
    >is/parsing of network data.>sis/parsing of network data.
    ", + "changelog_mitigations": { + "shared": [], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0029: Network Traffic (Network Traffic Flow)", + "DS0041: Application Vetting (Network Communication)" + ], + "new": [], + "dropped": [] + } + } + ], + "revocations": [], + "deprecations": [], + "deletions": [] + }, + "software": { + "additions": [ + { + "type": "malware", + "id": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-07-21 19:31:54.632000+00:00", + "modified": "2023-10-20 21:40:21.121000+00:00", + "name": "BOULDSPY", + "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) is an Android malware, detected in early 2023, with surveillance and remote-control capabilities. Analysis of exfiltrated C2 data suggests that [BOULDSPY](https://attack.mitre.org/software/S1079) primarily targeted minority groups in Iran.(Citation: lookout_bouldspy_0423)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S1079", + "external_id": "S1079" + }, + { + "source_name": "lookout_bouldspy_0423", + "description": "Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. Retrieved July 21, 2023.", + "url": "https://www.lookout.com/blog/iranian-spyware-bouldspy" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "BOULDSPY" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Gunji Satoshi, NEC Corporation", + "Manikantan Srinivasan, NEC Corporation India", + "Pooja Natarajan, NEC Corporation India", + "Phyo Paing Htun (ChiLai), I-Secure Co.,Ltd" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.0" + }, + { + "type": "malware", + "id": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-08-16 16:30:44.598000+00:00", + "modified": "2023-09-26 13:30:33.039000+00:00", + "name": "Chameleon", + "description": "[Chameleon](https://attack.mitre.org/software/S1083) is an Android banking trojan that can leverage Android\u2019s Accessibility Services to perform malicious activities. Believed to have been first active in January 2023, [Chameleon](https://attack.mitre.org/software/S1083) has been observed targeting users in Australia and Poland by masquerading as official apps.(Citation: cyble_chameleon_0423)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S1083", + "external_id": "S1083" + }, + { + "source_name": "cyble_chameleon_0423", + "description": "Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. Retrieved August 16, 2023.", + "url": "https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Chameleon" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Yasuhito Kawanishi, NEC Corporation", + "Manikantan Srinivasan, NEC Corporation India", + "Pooja Natarajan, NEC Corporation India" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.0" + }, + { + "type": "malware", + "id": "malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-09-28 17:04:46.516000+00:00", + "modified": "2023-10-11 14:36:10.445000+00:00", + "name": "Escobar", + "description": "[Escobar](https://attack.mitre.org/software/S1092) is an Android banking trojan, first detected in March 2021, believed to be a new variant of AbereBot.(Citation: Bleeipng Computer Escobar)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S1092", + "external_id": "S1092" + }, + { + "source_name": "Bleeipng Computer Escobar", + "description": "B. Toulas. (2022, March 12). Android malware Escobar steals your Google Authenticator MFA codes. Retrieved September 28, 2023.", + "url": "https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Escobar" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Pooja Natarajan, NEC Corporation India", + "Hiroki Nagahama, NEC Corporation", + "Manikantan Srinivasan, NEC Corporation India" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.0" + }, + { + "type": "malware", + "id": "malware--429e1526-6293-495b-8808-af7f9a66c4be", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-07-21 19:49:44.577000+00:00", + "modified": "2023-10-11 14:36:39.396000+00:00", + "name": "Fakecalls", + "description": "[Fakecalls](https://attack.mitre.org/software/S1080) is an Android trojan, first detected in January 2021, that masquerades as South Korean banking apps. It has capabilities to intercept calls to banking institutions and even maintain realistic dialogues with the victim using pre-recorded audio snippets.(Citation: kaspersky_fakecalls_0422) ", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S1080", + "external_id": "S1080" + }, + { + "source_name": "kaspersky_fakecalls_0422", + "description": "Igor Golovin. (2022, April 11). Fakecalls: a talking Trojan. Retrieved July 21, 2023.", + "url": "https://www.kaspersky.com/blog/fakecalls-banking-trojan/44072/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Fakecalls" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Pooja Natarajan, NEC Corporation India", + "Hiroki Nagahama, NEC Corporation", + "Manikantan Srinivasan, NEC Corporation India" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.0" + }, + { + "type": "malware", + "id": "malware--8338393c-cb2e-4ee6-b944-34672499c785", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-09-28 17:36:00.965000+00:00", + "modified": "2023-10-16 16:57:33.534000+00:00", + "name": "FlyTrap", + "description": "[FlyTrap](https://attack.mitre.org/software/S1093) is an Android trojan, first detected in March 2021, that uses social engineering tactics to compromise Facebook accounts. [FlyTrap](https://attack.mitre.org/software/S1093) was initially detected through infected apps on the Google Play store, and is believed to have impacted over 10,000 victims across at least 140 countries.(Citation: Trend Micro FlyTrap) ", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S1093", + "external_id": "S1093" + }, + { + "source_name": "Trend Micro FlyTrap", + "description": "Trend Micro. (2021, August 17). FlyTrap Android Malware Is Taking Over Facebook Accounts \u2014 Protect Yourself With a Malware Scanner. Retrieved September 28, 2023.", + "url": "https://news.trendmicro.com/2021/08/17/flytrap-android-malware-is-taking-over-facebook-accounts-protect-yourself-with-a-malware-scanner/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "FlyTrap" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Pooja Natarajan, NEC Corporation India", + "Hiroki Nagahama, NEC Corporation", + "Manikantan Srinivasan, NEC Corporation India" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.0" + }, + { + "type": "malware", + "id": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-06-09 19:07:18.101000+00:00", + "modified": "2023-10-07 21:29:43.845000+00:00", + "name": "Hornbill", + "description": "[Hornbill](https://attack.mitre.org/software/S1077) is one of two mobile malware families known to be used by the APT [Confucius](https://attack.mitre.org/groups/G0142). Analysis suggests that [Hornbill](https://attack.mitre.org/software/S1077) was first active in early 2018. While [Hornbill](https://attack.mitre.org/software/S1077) and [Sunbird](https://attack.mitre.org/software/S1082) overlap in core capabilities, [Hornbill](https://attack.mitre.org/software/S1077) has tools and behaviors suggesting more passive reconnaissance.(Citation: lookout_hornbill_sunbird_0221)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S1077", + "external_id": "S1077" + }, + { + "source_name": "lookout_hornbill_sunbird_0221", + "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. Retrieved June 9, 2023.", + "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Hornbill" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.0" + }, + { + "type": "malware", + "id": "malware--feae299d-e34f-4fc9-8545-486d0905bd41", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-08-04 18:27:24.614000+00:00", + "modified": "2023-10-07 21:33:03.773000+00:00", + "name": "Sunbird", + "description": "[Sunbird](https://attack.mitre.org/software/S1082) is one of two mobile malware families known to be used by the APT [Confucius](https://attack.mitre.org/groups/G0142). Analysis suggests that [Sunbird](https://attack.mitre.org/software/S1082) was first active in early 2017. While [Sunbird](https://attack.mitre.org/software/S1082) and [Hornbill](https://attack.mitre.org/software/S1077) overlap in core capabilities, [Sunbird](https://attack.mitre.org/software/S1082) has a more extensive set of malicious features.(Citation: lookout_hornbill_sunbird_0221)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S1082", + "external_id": "S1082" + }, + { + "source_name": "lookout_hornbill_sunbird_0221", + "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. Retrieved June 9, 2023.", + "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Sunbird" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.0" + } + ], + "major_version_changes": [], + "minor_version_changes": [], + "other_version_changes": [], + "patches": [], + "revocations": [], + "deprecations": [], + "deletions": [] + }, + "groups": { + "additions": [ + { + "type": "intrusion-set", + "id": "intrusion-set--6eded342-33e5-4451-b6b2-e1c62863129f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-12-26 23:11:39.442000+00:00", + "modified": "2023-09-22 20:43:16.504000+00:00", + "name": "Confucius", + "description": "[Confucius](https://attack.mitre.org/groups/G0142) is a cyber espionage group that has primarily targeted military personnel, high-profile personalities, business persons, and government organizations in South Asia since at least 2013. Security researchers have noted similarities between [Confucius](https://attack.mitre.org/groups/G0142) and [Patchwork](https://attack.mitre.org/groups/G0040), particularly in their respective custom malware code and targets.(Citation: TrendMicro Confucius APT Feb 2018)(Citation: TrendMicro Confucius APT Aug 2021)(Citation: Uptycs Confucius APT Jan 2021)", + "aliases": [ + "Confucius", + "Confucius APT" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0142", + "external_id": "G0142" + }, + { + "source_name": "TrendMicro Confucius APT Feb 2018", + "description": "Lunghi, D and Horejsi, J. (2018, February 13). Deciphering Confucius: A Look at the Group's Cyberespionage Operations. Retrieved December 26, 2021.", + "url": "https://www.trendmicro.com/en_us/research/18/b/deciphering-confucius-cyberespionage-operations.html" + }, + { + "source_name": "TrendMicro Confucius APT Aug 2021", + "description": "Lunghi, D. (2021, August 17). Confucius Uses Pegasus Spyware-related Lures to Target Pakistani Military. Retrieved December 26, 2021.", + "url": "https://www.trendmicro.com/en_us/research/21/h/confucius-uses-pegasus-spyware-related-lures-to-target-pakistani.html" + }, + { + "source_name": "Uptycs Confucius APT Jan 2021", + "description": "Uptycs Threat Research Team. (2021, January 12). Confucius APT deploys Warzone RAT. Retrieved December 17, 2021.", + "url": "https://www.uptycs.com/blog/confucius-apt-deploys-warzone-rat" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.1" + }, + { + "type": "intrusion-set", + "id": "intrusion-set--7251b44b-6072-476c-b8d9-a6e32c355b28", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-09-25 18:11:05.672000+00:00", + "modified": "2023-09-26 14:34:08.342000+00:00", + "name": "MoustachedBouncer", + "description": "[MoustachedBouncer](https://attack.mitre.org/groups/G1019) is a cyberespionage group that has been active since at least 2014 targeting foreign embassies in Belarus.(Citation: MoustachedBouncer ESET August 2023)", + "aliases": [ + "MoustachedBouncer" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G1019", + "external_id": "G1019" + }, + { + "source_name": "MoustachedBouncer ESET August 2023", + "description": "Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023.", + "url": "https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + } + ], + "major_version_changes": [], + "minor_version_changes": [ + { + "type": "intrusion-set", + "id": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:32:04.588000+00:00", + "modified": "2023-10-06 14:13:06.011000+00:00", + "name": "Sandworm Team", + "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) This group has been active since at least 2009.(Citation: iSIGHT Sandworm 2014)(Citation: CrowdStrike VOODOO BEAR)(Citation: USDOJ Sandworm Feb 2020)(Citation: NCSC Sandworm Feb 2020)\n\nIn October 2020, the US indicted six GRU Unit 74455 officers associated with [Sandworm Team](https://attack.mitre.org/groups/G0034) for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide [NotPetya](https://attack.mitre.org/software/S0368) attack, targeting of the 2017 French presidential campaign, the 2018 [Olympic Destroyer](https://attack.mitre.org/software/S0365) attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as [APT28](https://attack.mitre.org/groups/G0007).(Citation: US District Court Indictment GRU Oct 2018)", + "aliases": [ + "Sandworm Team", + "ELECTRUM", + "Telebots", + "IRON VIKING", + "BlackEnergy (Group)", + "Quedagh", + "Voodoo Bear", + "IRIDIUM" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0034", + "external_id": "G0034" + }, + { + "source_name": "Voodoo Bear", + "description": "(Citation: CrowdStrike VOODOO BEAR)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)" + }, + { + "source_name": "ELECTRUM", + "description": "(Citation: Dragos ELECTRUM)(Citation: UK NCSC Olympic Attacks October 2020)" + }, + { + "source_name": "Sandworm Team", + "description": "(Citation: iSIGHT Sandworm 2014) (Citation: F-Secure BlackEnergy 2014) (Citation: InfoSecurity Sandworm Oct 2014)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)" + }, + { + "source_name": "Quedagh", + "description": "(Citation: iSIGHT Sandworm 2014) (Citation: F-Secure BlackEnergy 2014)(Citation: UK NCSC Olympic Attacks October 2020)" + }, + { + "source_name": "IRIDIUM", + "description": "(Citation: Microsoft Prestige ransomware October 2022)" + }, + { + "source_name": "BlackEnergy (Group)", + "description": "(Citation: NCSC Sandworm Feb 2020)(Citation: UK NCSC Olympic Attacks October 2020)" + }, + { + "source_name": "Telebots", + "description": "(Citation: NCSC Sandworm Feb 2020)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)" + }, + { + "source_name": "IRON VIKING", + "description": "(Citation: Secureworks IRON VIKING )(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)" + }, + { + "source_name": "US District Court Indictment GRU Oct 2018", + "description": "Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020.", + "url": "https://www.justice.gov/opa/page/file/1098481/download" + }, + { + "source_name": "Dragos ELECTRUM", + "description": "Dragos. (2017, January 1). ELECTRUM Threat Profile. Retrieved June 10, 2020.", + "url": "https://www.dragos.com/resource/electrum/" + }, + { + "source_name": "F-Secure BlackEnergy 2014", + "description": "F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.", + "url": "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf" + }, + { + "source_name": "iSIGHT Sandworm 2014", + "description": "Hultquist, J.. (2016, January 7). Sandworm Team and the Ukrainian Power Authority Attacks. Retrieved October 6, 2017.", + "url": "https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html" + }, + { + "source_name": "CrowdStrike VOODOO BEAR", + "description": "Meyers, A. (2018, January 19). Meet CrowdStrike\u2019s Adversary of the Month for January: VOODOO BEAR. Retrieved May 22, 2018.", + "url": "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-january-voodoo-bear/" + }, + { + "source_name": "Microsoft Prestige ransomware October 2022", + "description": "MSTIC. (2022, October 14). New \u201cPrestige\u201d ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023.", + "url": "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/" + }, + { + "source_name": "InfoSecurity Sandworm Oct 2014", + "description": "Muncaster, P.. (2014, October 14). Microsoft Zero Day Traced to Russian \u2018Sandworm\u2019 Hackers. Retrieved October 6, 2017.", + "url": "https://www.infosecurity-magazine.com/news/microsoft-zero-day-traced-russian/" + }, + { + "source_name": "NCSC Sandworm Feb 2020", + "description": "NCSC. (2020, February 20). NCSC supports US advisory regarding GRU intrusion set Sandworm. Retrieved June 10, 2020.", + "url": "https://www.ncsc.gov.uk/news/ncsc-supports-sandworm-advisory" + }, + { + "source_name": "USDOJ Sandworm Feb 2020", + "description": "Pompeo, M. (2020, February 20). The United States Condemns Russian Cyber Attack Against the Country of Georgia. Retrieved June 18, 2020.", + "url": "https://2017-2021.state.gov/the-united-states-condemns-russian-cyber-attack-against-the-country-of-georgia//index.html" + }, + { + "source_name": "US District Court Indictment GRU Unit 74455 October 2020", + "description": "Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.", + "url": "https://www.justice.gov/opa/press-release/file/1328521/download" + }, + { + "source_name": "Secureworks IRON VIKING ", + "description": "Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020.", + "url": "https://www.secureworks.com/research/threat-profiles/iron-viking" + }, + { + "source_name": "UK NCSC Olympic Attacks October 2020", + "description": "UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games . Retrieved November 30, 2020.", + "url": "https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Dragos Threat Intelligence" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack", + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "3.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-06 14:13:06.011000+00:00\", \"old_value\": \"2023-03-08 22:12:31.238000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"3.1\", \"old_value\": \"3.0\"}}}", + "previous_version": "3.0", + "version_change": "3.0 \u2192 3.1" + } + ], + "other_version_changes": [], + "patches": [], + "revocations": [], + "deprecations": [], + "deletions": [] + }, + "campaigns": { + "additions": [], + "major_version_changes": [], + "minor_version_changes": [], + "other_version_changes": [], + "patches": [], + "revocations": [], + "deprecations": [], + "deletions": [] + }, + "assets": { + "additions": [], + "major_version_changes": [], + "minor_version_changes": [], + "other_version_changes": [], + "patches": [], + "revocations": [], + "deprecations": [], + "deletions": [] + }, + "mitigations": { + "additions": [ + { + "type": "course-of-action", + "id": "course-of-action--78671282-26aa-486c-a7a5-5921e1616b58", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-09-21 19:36:08.280000+00:00", + "modified": "2023-09-21 19:36:08.280000+00:00", + "name": "Antivirus/Antimalware", + "description": "Mobile security products, such as Mobile Threat Defense (MTD), offer various device-based mitigations against certain behaviors.", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M1058", + "external_id": "M1058" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + } + ], + "major_version_changes": [], + "minor_version_changes": [ + { + "type": "course-of-action", + "id": "course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-10-25 14:48:53.732000+00:00", + "modified": "2023-09-27 20:18:19.004000+00:00", + "name": "Application Developer Guidance", + "description": "This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M1013", + "external_id": "M1013" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_attack_spec_version']\": \"3.2.0\", \"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-27 20:18:19.004000+00:00\", \"old_value\": \"2018-10-17 00:14:20.652000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}}", + "previous_version": "1.0", + "version_change": "1.0 \u2192 1.1" + } + ], + "other_version_changes": [], + "patches": [ + { + "type": "course-of-action", + "id": "course-of-action--e829ee51-1caf-4665-ba15-7f8979634124", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-10-25 14:48:50.181000+00:00", + "modified": "2023-08-15 15:06:03.428000+00:00", + "name": "Interconnection Filtering", + "description": "In order to mitigate Signaling System 7 (SS7) exploitation, the Communications, Security, Reliability, and Interoperability Council (CSRIC) describes filtering interconnections between network operators to block inappropriate requests (Citation: CSRIC5-WG10-FinalReport).", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M1014", + "external_id": "M1014" + }, + { + "source_name": "CSRIC5-WG10-FinalReport", + "description": "Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. Retrieved May 24, 2017.", + "url": "https://web.archive.org/web/20200330012714/https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_attack_spec_version']\": \"3.1.0\", \"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-15 15:06:03.428000+00:00\", \"old_value\": \"2018-10-17 00:14:20.652000+00:00\"}, \"root['external_references'][1]['url']\": {\"new_value\": \"https://web.archive.org/web/20200330012714/https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf\", \"old_value\": \"https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf\"}}}", + "previous_version": "1.0" + } + ], + "revocations": [], + "deprecations": [], + "deletions": [] + }, + "datasources": { + "additions": [], + "major_version_changes": [], + "minor_version_changes": [], + "other_version_changes": [], + "patches": [], + "revocations": [], + "deprecations": [], + "deletions": [] + }, + "datacomponents": { + "additions": [], + "major_version_changes": [], + "minor_version_changes": [], + "other_version_changes": [], + "patches": [], + "revocations": [], + "deprecations": [], + "deletions": [] + } + }, + "ics-attack": { + "techniques": { + "additions": [], + "major_version_changes": [], + "minor_version_changes": [ + { + "type": "attack-pattern", + "id": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:56:58.380000+00:00", + "name": "Block Command Message", + "description": "Adversaries may block a command message from reaching its intended target to prevent command execution. In OT networks, command messages are sent to provide instructions to control system devices. A blocked command message can inhibit response functions from correcting a disruption or unsafe condition. (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "inhibit-response-function" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0803", + "external_id": "T0803" + }, + { + "source_name": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011", + "description": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12 ", + "url": "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258" + }, + { + "source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016", + "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 2018/03/27 ", + "url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_data_sources": [ + "Process: Process Termination", + "Operational Databases: Process History/Live Data", + "Application Log: Application Log Content", + "Network Traffic: Network Traffic Flow", + "Operational Databases: Process/Event Alarm" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false, \"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:56:58.380000+00:00\", \"old_value\": \"2022-10-24 15:09:07.609000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}, \"root['x_mitre_platforms'][0]\": {\"new_value\": \"None\", \"old_value\": \"Field Controller/RTU/PLC/IED\"}}, \"iterable_item_removed\": {\"root['x_mitre_platforms'][1]\": \"Device Configuration/Parameters\"}}", + "previous_version": "1.0", + "version_change": "1.0 \u2192 1.1", + "changelog_mitigations": { + "shared": [ + "M0807: Network Allowlists", + "M0810: Out-of-Band Communications Channel", + "M0814: Static Network Configuration" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Termination)", + "DS0015: Application Log (Application Log Content)", + "DS0029: Network Traffic (Network Traffic Flow)", + "DS0040: Operational Databases (Process History/Live Data)", + "DS0040: Operational Databases (Process/Event Alarm)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-04-13 11:15:26.506000+00:00", + "modified": "2023-10-13 17:56:58.991000+00:00", + "name": "Modify Controller Tasking", + "description": "Adversaries may modify the tasking of a controller to allow for the execution of their own programs. This can allow an adversary to manipulate the execution flow and behavior of a controller. \n\nAccording to 61131-3, the association of a Task with a Program Organization Unit (POU) defines a task association. (Citation: IEC February 2013) An adversary may modify these associations or create new ones to manipulate the execution flow of a controller. Modification of controller tasking can be accomplished using a Program Download in addition to other types of program modification such as online edit and program append.\n\nTasks have properties, such as interval, frequency and priority to meet the requirements of program execution. Some controller vendors implement tasks with implicit, pre-defined properties whereas others allow for these properties to be formulated explicitly. An adversary may associate their program with tasks that have a higher priority or execute associated programs more frequently. For instance, to ensure cyclic execution of their program on a Siemens controller, an adversary may add their program to the task, Organization Block 1 (OB1).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "execution" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0821", + "external_id": "T0821" + }, + { + "source_name": "IEC February 2013", + "description": "IEC 2013, February 20 IEC 61131-3:2013 Programmable controllers - Part 3: Programming languages Retrieved. 2019/10/22 ", + "url": "https://webstore.iec.ch/publication/4552" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_data_sources": [ + "Application Log: Application Log Content", + "Operational Databases: Device Alarm", + "Asset: Software" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:56:58.991000+00:00\", \"old_value\": \"2023-03-09 18:38:51.471000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}, \"root['x_mitre_platforms'][0]\": {\"new_value\": \"None\", \"old_value\": \"Field Controller/RTU/PLC/IED\"}}}", + "previous_version": "1.1", + "version_change": "1.1 \u2192 1.2", + "changelog_mitigations": { + "shared": [ + "M0945: Code Signing", + "M0947: Audit" + ], + "new": [ + "M0800: Authorization Enforcement", + "M0804: Human User Authentication" + ], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0015: Application Log (Application Log Content)", + "DS0039: Asset (Software)", + "DS0040: Operational Databases (Device Alarm)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:56:58.786000+00:00", + "name": "Modify Parameter", + "description": "Adversaries may modify parameters used to instruct industrial control system devices. These devices operate via programs that dictate how and when to perform actions based on such parameters. Such parameters can determine the extent to which an action is performed and may specify additional options. For example, a program on a control system device dictating motor processes may take a parameter defining the total number of seconds to run that motor. \n\nAn adversary can potentially modify these parameters to produce an outcome outside of what was intended by the operators. By modifying system and process critical parameters, the adversary may cause [Impact](https://attack.mitre.org/tactics/TA0105) to equipment and/or control processes. Modified parameters may be turned into dangerous, out-of-bounds, or unexpected values from typical operations. For example, specifying that a process run for more or less time than it should, or dictating an unusually high, low, or invalid value as a parameter.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "impair-process-control" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0836", + "external_id": "T0836" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_data_sources": [ + "Asset: Asset Inventory", + "Application Log: Application Log Content", + "Operational Databases: Device Alarm", + "Network Traffic: Network Traffic Content" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.3", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:56:58.786000+00:00\", \"old_value\": \"2023-04-05 14:15:29.756000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.3\", \"old_value\": \"1.2\"}, \"root['x_mitre_platforms'][0]\": {\"new_value\": \"None\", \"old_value\": \"Control Server\"}}, \"iterable_item_removed\": {\"root['x_mitre_platforms'][1]\": \"Field Controller/RTU/PLC/IED\", \"root['x_mitre_platforms'][2]\": \"Safety Instrumented System/Protection Relay\", \"root['x_mitre_platforms'][3]\": \"Human-Machine Interface\"}}", + "previous_version": "1.2", + "version_change": "1.2 \u2192 1.3", + "changelog_mitigations": { + "shared": [ + "M0800: Authorization Enforcement", + "M0818: Validate Program Inputs", + "M0947: Audit" + ], + "new": [ + "M0804: Human User Authentication" + ], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0015: Application Log (Application Log Content)", + "DS0029: Network Traffic (Network Traffic Content)", + "DS0039: Asset (Asset Inventory)", + "DS0040: Operational Databases (Device Alarm)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-04-13 11:15:26.506000+00:00", + "modified": "2023-10-20 17:01:10.138000+00:00", + "name": "Modify Program", + "description": "Adversaries may modify or add a program on a controller to affect how it interacts with the physical process, peripheral devices and other hosts on the network. Modification to controller programs can be accomplished using a Program Download in addition to other types of program modification such as online edit and program append. \n\nProgram modification encompasses the addition and modification of instructions and logic contained in Program Organization Units (POU) (Citation: IEC February 2013) and similar programming elements found on controllers. This can include, for example, adding new functions to a controller, modifying the logic in existing functions and making new calls from one function to another. \n\nSome programs may allow an adversary to interact directly with the native API of the controller to take advantage of obscure features or vulnerabilities.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "persistence" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0889", + "external_id": "T0889" + }, + { + "source_name": "IEC February 2013", + "description": "IEC 2013, February 20 IEC 61131-3:2013 Programmable controllers - Part 3: Programming languages Retrieved. 2019/10/22 ", + "url": "https://webstore.iec.ch/publication/4552" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Content", + "Operational Databases: Device Alarm", + "Asset: Software", + "Application Log: Application Log Content" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-20 17:01:10.138000+00:00\", \"old_value\": \"2023-03-09 18:38:51.471000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}, \"root['x_mitre_platforms'][0]\": {\"new_value\": \"None\", \"old_value\": \"Field Controller/RTU/PLC/IED\"}}}", + "previous_version": "1.1", + "version_change": "1.1 \u2192 1.2", + "changelog_mitigations": { + "shared": [ + "M0945: Code Signing", + "M0947: Audit" + ], + "new": [ + "M0800: Authorization Enforcement", + "M0804: Human User Authentication" + ], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0015: Application Log (Application Log Content)", + "DS0029: Network Traffic (Network Traffic Content)", + "DS0039: Asset (Software)", + "DS0040: Operational Databases (Device Alarm)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:56:58.586000+00:00", + "name": "Service Stop", + "description": "Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment. (Citation: Enterprise ATT&CK) Services may not allow for modification of their data stores while running. Adversaries may stop services in order to conduct Data Destruction. (Citation: Enterprise ATT&CK)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "inhibit-response-function" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0881", + "external_id": "T0881" + }, + { + "source_name": "Enterprise ATT&CK", + "description": "Enterprise ATT&CK Enterprise ATT&CK Service Stop Retrieved. 2019/10/29 Service Stop Retrieved. 2019/10/29 ", + "url": "https://attack.mitre.org/techniques/T1489/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_data_sources": [ + "File: File Modification", + "Command: Command Execution", + "Process: OS API Execution", + "Process: Process Termination", + "Service: Service Metadata", + "Windows Registry: Windows Registry Key Modification", + "Process: Process Creation" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false, \"root['x_mitre_detection']\": \"\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:56:58.586000+00:00\", \"old_value\": \"2022-10-24 15:09:07.609000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}, \"root['x_mitre_platforms'][0]\": {\"new_value\": \"None\", \"old_value\": \"Human-Machine Interface\"}}, \"iterable_item_removed\": {\"root['external_references'][1]\": {\"source_name\": \"Enterprise ATT&CK\", \"description\": \"Enterprise ATT&CK Service Stop Retrieved. 2019/10/29 \", \"url\": \"https://attack.mitre.org/techniques/T1489/\"}, \"root['x_mitre_platforms'][1]\": \"Control Server\", \"root['x_mitre_platforms'][2]\": \"Data Historian\", \"root['x_mitre_platforms'][3]\": \"Engineering Workstation\"}}", + "previous_version": "1.0", + "version_change": "1.0 \u2192 1.1", + "changelog_mitigations": { + "shared": [ + "M0918: User Account Management", + "M0922: Restrict File and Directory Permissions", + "M0924: Restrict Registry Permissions", + "M0930: Network Segmentation" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (OS API Execution)", + "DS0009: Process (Process Creation)", + "DS0009: Process (Process Termination)", + "DS0017: Command (Command Execution)", + "DS0019: Service (Service Metadata)", + "DS0022: File (File Modification)", + "DS0024: Windows Registry (Windows Registry Key Modification)" + ], + "new": [], + "dropped": [] + } + } + ], + "other_version_changes": [], + "patches": [ + { + "type": "attack-pattern", + "id": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:56:59.593000+00:00", + "name": "Activate Firmware Update Mode", + "description": "Adversaries may activate firmware update mode on devices to prevent expected response functions from engaging in reaction to an emergency or process malfunction. For example, devices such as protection relays may have an operation mode designed for firmware installation. This mode may halt process monitoring and related functions to allow new firmware to be loaded. A device left in update mode may be placed in an inactive holding state if no firmware is provided to it. By entering and leaving a device in this mode, the adversary may deny its usual functionalities.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "inhibit-response-function" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0800", + "external_id": "T0800" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_contributors": [ + "Joe Slowik - Dragos" + ], + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Content", + "Operational Databases: Device Alarm", + "Application Log: Application Log Content" + ], + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:56:59.593000+00:00\", \"old_value\": \"2022-10-24 15:09:07.609000+00:00\"}, \"root['x_mitre_platforms'][0]\": {\"new_value\": \"None\", \"old_value\": \"Field Controller/RTU/PLC/IED\"}}, \"iterable_item_removed\": {\"root['x_mitre_platforms'][1]\": \"Safety Instrumented System/Protection Relay\"}}", + "previous_version": "1.0", + "changelog_mitigations": { + "shared": [ + "M0800: Authorization Enforcement", + "M0801: Access Management", + "M0802: Communication Authenticity", + "M0804: Human User Authentication", + "M0807: Network Allowlists", + "M0813: Software Process and Device Authentication", + "M0930: Network Segmentation", + "M0937: Filter Network Traffic" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0015: Application Log (Application Log Content)", + "DS0029: Network Traffic (Network Traffic Content)", + "DS0040: Operational Databases (Device Alarm)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:57:08.233000+00:00", + "name": "Adversary-in-the-Middle", + "description": "Adversaries with privileged network access may seek to modify network traffic in real time using adversary-in-the-middle (AiTM) attacks. (Citation: Gabriel Sanchez October 2017) This type of attack allows the adversary to intercept traffic to and/or from a particular device on the network. If a AiTM attack is established, then the adversary has the ability to block, log, modify, or inject traffic into the communication stream. There are several ways to accomplish this attack, but some of the most-common are Address Resolution Protocol (ARP) poisoning and the use of a proxy. (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) \n\nAn AiTM attack may allow an adversary to perform the following attacks: \n[Block Reporting Message](https://attack.mitre.org/techniques/T0804), [Spoof Reporting Message](https://attack.mitre.org/techniques/T0856), [Modify Parameter](https://attack.mitre.org/techniques/T0836), [Unauthorized Command Message](https://attack.mitre.org/techniques/T0855)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "collection" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0830", + "external_id": "T0830" + }, + { + "source_name": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011", + "description": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12 ", + "url": "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258" + }, + { + "source_name": "Gabriel Sanchez October 2017", + "description": "Gabriel Sanchez 2017, October Man-In-The-Middle Attack Against Modbus TCP Illustrated with Wireshark Retrieved. 2020/01/05 ", + "url": "https://www.sans.org/reading-room/whitepapers/ICS/man-in-the-middle-attack-modbus-tcp-illustrated-wireshark-38095" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_contributors": [ + "Conrad Layne - GE Digital" + ], + "x_mitre_data_sources": [ + "Windows Registry: Windows Registry Key Modification", + "Process: Process Creation", + "Network Traffic: Network Traffic Flow", + "Service: Service Creation", + "Network Traffic: Network Traffic Content", + "Application Log: Application Log Content" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "2.0", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:08.233000+00:00\", \"old_value\": \"2023-03-09 18:38:51.471000+00:00\"}, \"root['x_mitre_platforms'][0]\": {\"new_value\": \"None\", \"old_value\": \"Control Server\"}}, \"iterable_item_removed\": {\"root['x_mitre_platforms'][1]\": \"Field Controller/RTU/PLC/IED\", \"root['x_mitre_platforms'][2]\": \"Human-Machine Interface\"}}", + "previous_version": "2.0", + "changelog_mitigations": { + "shared": [ + "M0802: Communication Authenticity", + "M0810: Out-of-Band Communications Channel", + "M0813: Software Process and Device Authentication", + "M0814: Static Network Configuration", + "M0930: Network Segmentation", + "M0931: Network Intrusion Prevention", + "M0942: Disable or Remove Feature or Program", + "M0947: Audit" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0015: Application Log (Application Log Content)", + "DS0019: Service (Service Creation)", + "DS0024: Windows Registry (Windows Registry Key Modification)", + "DS0029: Network Traffic (Network Traffic Content)", + "DS0029: Network Traffic (Network Traffic Flow)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:57:01.578000+00:00", + "name": "Alarm Suppression", + "description": "Adversaries may target protection function alarms to prevent them from notifying operators of critical conditions. Alarm messages may be a part of an overall reporting system and of particular interest for adversaries. Disruption of the alarm system does not imply the disruption of the reporting system as a whole.\n\nA Secura presentation on targeting OT notes a dual fold goal for adversaries attempting alarm suppression: prevent outgoing alarms from being raised and prevent incoming alarms from being responded to. (Citation: Jos Wetzels, Marina Krotofil 2019) The method of suppression may greatly depend on the type of alarm in question: \n\n* An alarm raised by a protocol message \n* An alarm signaled with I/O \n* An alarm bit set in a flag (and read) \n\nIn ICS environments, the adversary may have to suppress or contend with multiple alarms and/or alarm propagation to achieve a specific goal to evade detection or prevent intended responses from occurring. (Citation: Jos Wetzels, Marina Krotofil 2019) Methods of suppression may involve tampering or altering device displays and logs, modifying in memory code to fixed values, or even tampering with assembly level instruction code.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "inhibit-response-function" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0878", + "external_id": "T0878" + }, + { + "source_name": "Jos Wetzels, Marina Krotofil 2019", + "description": "Jos Wetzels, Marina Krotofil 2019 A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS Embedded Devices Retrieved. 2019/11/01 ", + "url": "https://troopers.de/downloads/troopers19/TROOPERS19_NGI_IoT_diet_poisoned_fruit.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Marina Krotofil", + "Jos Wetzels - Midnight Blue" + ], + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Flow", + "Operational Databases: Process History/Live Data", + "Operational Databases: Device Alarm", + "Operational Databases: Process/Event Alarm" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:01.578000+00:00\", \"old_value\": \"2023-03-30 20:13:55.599000+00:00\"}, \"root['x_mitre_platforms'][0]\": {\"new_value\": \"None\", \"old_value\": \"Field Controller/RTU/PLC/IED\"}}, \"iterable_item_removed\": {\"root['x_mitre_platforms'][1]\": \"Safety Instrumented System/Protection Relay\", \"root['x_mitre_platforms'][2]\": \"Device Configuration/Parameters\"}}", + "previous_version": "1.2", + "changelog_mitigations": { + "shared": [ + "M0807: Network Allowlists", + "M0810: Out-of-Band Communications Channel", + "M0814: Static Network Configuration", + "M0930: Network Segmentation" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0029: Network Traffic (Network Traffic Flow)", + "DS0040: Operational Databases (Device Alarm)", + "DS0040: Operational Databases (Process History/Live Data)", + "DS0040: Operational Databases (Process/Event Alarm)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:57:04.179000+00:00", + "name": "Automated Collection", + "description": "Adversaries may automate collection of industrial environment information using tools or scripts. This automated collection may leverage native control protocols and tools available in the control systems environment. For example, the OPC protocol may be used to enumerate and gather information. Access to a system or interface with these native protocols may allow collection and enumeration of other attached, communicating servers and devices.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "collection" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0802", + "external_id": "T0802" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_sources": [ + "Script: Script Execution", + "Command: Command Execution", + "File: File Access", + "Network Traffic: Network Traffic Content" + ], + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:04.179000+00:00\", \"old_value\": \"2023-03-09 18:38:51.471000+00:00\"}, \"root['x_mitre_platforms'][0]\": {\"new_value\": \"None\", \"old_value\": \"Field Controller/RTU/PLC/IED\"}}, \"iterable_item_removed\": {\"root['x_mitre_platforms'][1]\": \"Safety Instrumented System/Protection Relay\", \"root['x_mitre_platforms'][2]\": \"Control Server\"}}", + "previous_version": "1.0", + "changelog_mitigations": { + "shared": [ + "M0807: Network Allowlists", + "M0930: Network Segmentation" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0012: Script (Script Execution)", + "DS0017: Command (Command Execution)", + "DS0022: File (File Access)", + "DS0029: Network Traffic (Network Traffic Content)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:57:04.376000+00:00", + "name": "Block Reporting Message", + "description": "Adversaries may block or prevent a reporting message from reaching its intended target. In control systems, reporting messages contain telemetry data (e.g., I/O values) pertaining to the current state of equipment and the industrial process. By blocking these reporting messages, an adversary can potentially hide their actions from an operator.\n\nBlocking reporting messages in control systems that manage physical processes may contribute to system impact, causing inhibition of a response function. A control system may not be able to respond in a proper or timely manner to an event, such as a dangerous fault, if its corresponding reporting message is blocked. (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "inhibit-response-function" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0804", + "external_id": "T0804" + }, + { + "source_name": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011", + "description": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12 ", + "url": "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258" + }, + { + "source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016", + "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 2018/03/27 ", + "url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_sources": [ + "Operational Databases: Process/Event Alarm", + "Process: Process Termination", + "Application Log: Application Log Content", + "Network Traffic: Network Traffic Flow", + "Operational Databases: Process History/Live Data" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:04.376000+00:00\", \"old_value\": \"2022-09-19 13:57:23.538000+00:00\"}, \"root['x_mitre_platforms'][0]\": {\"new_value\": \"None\", \"old_value\": \"Field Controller/RTU/PLC/IED\"}}, \"iterable_item_removed\": {\"root['x_mitre_platforms'][1]\": \"Input/Output Server\", \"root['x_mitre_platforms'][2]\": \"Device Configuration/Parameters\"}}", + "previous_version": "1.0", + "changelog_mitigations": { + "shared": [ + "M0807: Network Allowlists", + "M0810: Out-of-Band Communications Channel", + "M0814: Static Network Configuration" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Termination)", + "DS0015: Application Log (Application Log Content)", + "DS0029: Network Traffic (Network Traffic Flow)", + "DS0040: Operational Databases (Process History/Live Data)", + "DS0040: Operational Databases (Process/Event Alarm)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:57:00.184000+00:00", + "name": "Block Serial COM", + "description": "Adversaries may block access to serial COM to prevent instructions or configurations from reaching target devices. Serial Communication ports (COM) allow communication with control system devices. Devices can receive command and configuration messages over such serial COM. Devices also use serial COM to send command and reporting messages. Blocking device serial COM may also block command messages and block reporting messages. \n\nA serial to Ethernet converter is often connected to a serial COM to facilitate communication between serial and Ethernet devices. One approach to blocking a serial COM would be to create and hold open a TCP session with the Ethernet side of the converter. A serial to Ethernet converter may have a few ports open to facilitate multiple communications. For example, if there are three serial COM available -- 1, 2 and 3 --, the converter might be listening on the corresponding ports 20001, 20002, and 20003. If a TCP/IP connection is opened with one of these ports and held open, then the port will be unavailable for use by another party. One way the adversary could achieve this would be to initiate a TCP session with the serial to Ethernet converter at 10.0.0.1 via Telnet on serial port 1 with the following command: telnet 10.0.0.1 20001.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "inhibit-response-function" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0805", + "external_id": "T0805" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_sources": [ + "Operational Databases: Process/Event Alarm", + "Network Traffic: Network Traffic Flow", + "Operational Databases: Process History/Live Data", + "Application Log: Application Log Content", + "Process: Process Termination" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:00.184000+00:00\", \"old_value\": \"2022-10-20 21:02:54.674000+00:00\"}, \"root['x_mitre_platforms'][0]\": {\"new_value\": \"None\", \"old_value\": \"Field Controller/RTU/PLC/IED\"}}, \"iterable_item_removed\": {\"root['x_mitre_platforms'][1]\": \"Input/Output Server\", \"root['x_mitre_platforms'][2]\": \"Device Configuration/Parameters\"}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [ + "M0807: Network Allowlists", + "M0810: Out-of-Band Communications Channel", + "M0930: Network Segmentation" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Termination)", + "DS0015: Application Log (Application Log Content)", + "DS0029: Network Traffic (Network Traffic Flow)", + "DS0040: Operational Databases (Process History/Live Data)", + "DS0040: Operational Databases (Process/Event Alarm)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:57:08.037000+00:00", + "name": "Brute Force I/O", + "description": "Adversaries may repetitively or successively change I/O point values to perform an action. Brute Force I/O may be achieved by changing either a range of I/O point values or a single point value repeatedly to manipulate a process function. The adversary's goal and the information they have about the target environment will influence which of the options they choose. In the case of brute forcing a range of point values, the adversary may be able to achieve an impact without targeting a specific point. In the case where a single point is targeted, the adversary may be able to generate instability on the process function associated with that particular point. \n\nAdversaries may use Brute Force I/O to cause failures within various industrial processes. These failures could be the result of wear on equipment or damage to downstream equipment.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "impair-process-control" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0806", + "external_id": "T0806" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_data_sources": [ + "Operational Databases: Process History/Live Data", + "Application Log: Application Log Content", + "Network Traffic: Network Traffic Content" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:08.037000+00:00\", \"old_value\": \"2023-03-29 16:17:27.903000+00:00\"}, \"root['x_mitre_platforms'][0]\": {\"new_value\": \"None\", \"old_value\": \"Control Server\"}}, \"iterable_item_removed\": {\"root['x_mitre_platforms'][1]\": \"Field Controller/RTU/PLC/IED\"}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [ + "M0807: Network Allowlists", + "M0813: Software Process and Device Authentication", + "M0930: Network Segmentation", + "M0937: Filter Network Traffic" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0015: Application Log (Application Log Content)", + "DS0029: Network Traffic (Network Traffic Content)", + "DS0040: Operational Databases (Process History/Live Data)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-03-30 14:04:17.023000+00:00", + "modified": "2023-10-13 17:57:14.123000+00:00", + "name": "Change Credential", + "description": "Adversaries may modify software and device credentials to prevent operator and responder access. Depending on the device, the modification or addition of this password could prevent any device configuration actions from being accomplished and may require a factory reset or replacement of hardware. These credentials are often built-in features provided by the device vendors as a means to restrict access to management interfaces.\n\nAn adversary with access to valid or hardcoded credentials could change the credential to prevent future authorized device access. Change Credential may be especially damaging when paired with other techniques such as Modify Program, Data Destruction, or Modify Controller Tasking. In these cases, a device\u2019s configuration may be destroyed or include malicious actions for the process environment, which cannot not be removed through normal device configuration actions. \n\nAdditionally, recovery of the device and original configuration may be difficult depending on the features provided by the device. In some cases, these passwords cannot be removed onsite and may require that the device be sent back to the vendor for additional recovery steps.\n\n\nA chain of incidents occurred in Germany, where adversaries locked operators out of their building automation system (BAS) controllers by enabling a previously unset BCU key. (Citation: German BAS Lockout Dec 2021) \n", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "inhibit-response-function" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0892", + "external_id": "T0892" + }, + { + "source_name": "German BAS Lockout Dec 2021", + "description": "Kelly Jackson Higgins. (2021, December 20). Lights Out: Cyberattacks Shut Down Building Automation Systems. Retrieved March 30, 2023.", + "url": "https://www.darkreading.com/attacks-breaches/lights-out-cyberattacks-shut-down-building-automation-systems" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Felix Eberstaller" + ], + "x_mitre_data_sources": [ + "Operational Databases: Device Alarm", + "Network Traffic: Network Traffic Content" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:14.123000+00:00\", \"old_value\": \"2023-04-07 13:40:53.842000+00:00\"}, \"root['x_mitre_platforms'][0]\": {\"new_value\": \"None\", \"old_value\": \"Field Controller/RTU/PLC/IED\"}}}", + "previous_version": "1.0", + "changelog_mitigations": { + "shared": [ + "M0811: Redundancy of Service", + "M0927: Password Policies", + "M0953: Data Backup" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0029: Network Traffic (Network Traffic Content)", + "DS0040: Operational Databases (Device Alarm)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:57:01.367000+00:00", + "name": "Change Operating Mode", + "description": "Adversaries may change the operating mode of a controller to gain additional access to engineering functions such as Program Download. Programmable controllers typically have several modes of operation that control the state of the user program and control access to the controllers API. Operating modes can be physically selected using a key switch on the face of the controller but may also be selected with calls to the controllers API. Operating modes and the mechanisms by which they are selected often vary by vendor and product line. Some commonly implemented operating modes are described below: \n\n* Program - This mode must be enabled before changes can be made to a devices program. This allows program uploads and downloads between the device and an engineering workstation. Often the PLCs logic Is halted, and all outputs may be forced off. (Citation: N.A. October 2017) \n* Run - Execution of the devices program occurs in this mode. Input and output (values, points, tags, elements, etc.) are monitored and used according to the programs logic. [Program Upload](https://attack.mitre.org/techniques/T0845) and [Program Download](https://attack.mitre.org/techniques/T0843) are disabled while in this mode. (Citation: Omron) (Citation: Machine Information Systems 2007) (Citation: N.A. October 2017) (Citation: PLCgurus 2021) \n* Remote - Allows for remote changes to a PLCs operation mode. (Citation: PLCgurus 2021) \n* Stop - The PLC and program is stopped, while in this mode, outputs are forced off. (Citation: Machine Information Systems 2007) \n* Reset - Conditions on the PLC are reset to their original states. Warm resets may retain some memory while cold resets will reset all I/O and data registers. (Citation: Machine Information Systems 2007) \n* Test / Monitor mode - Similar to run mode, I/O is processed, although this mode allows for monitoring, force set, resets, and more generally tuning or debugging of the system. Often monitor mode may be used as a trial for initialization. (Citation: Omron)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "execution" + }, + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0858", + "external_id": "T0858" + }, + { + "source_name": "Machine Information Systems 2007", + "description": "Machine Information Systems 2007 How PLCs Work Retrieved. 2021/01/28 ", + "url": "http://www.machine-information-systems.com/How_PLCs_Work.html" + }, + { + "source_name": "N.A. October 2017", + "description": "N.A. 2017, October What are the different operating modes in PLC? Retrieved. 2021/01/28 ", + "url": "https://forumautomation.com/t/what-are-the-different-operating-modes-in-plc/2489" + }, + { + "source_name": "Omron", + "description": "Omron Machine Information Systems 2007 How PLCs Work Retrieved. 2021/01/28 PLC Different Operating Modes Retrieved. 2021/01/28 ", + "url": "https://www.omron-ap.com/service_support/FAQ/FAQ00002/index.asp#:~:text=In%20PROGRAM%20mode%2C%20the%20CPU,can%20be%20created%20or%20modified." + }, + { + "source_name": "PLCgurus 2021", + "description": "PLCgurus 2021 PLC Basics Modes Of Operation Retrieved. 2021/01/28 ", + "url": "https://www.plcgurus.net/plc-basics/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Content", + "Application Log: Application Log Content", + "Operational Databases: Device Alarm" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:01.367000+00:00\", \"old_value\": \"2023-03-09 18:38:51.471000+00:00\"}, \"root['x_mitre_platforms'][0]\": {\"new_value\": \"None\", \"old_value\": \"Safety Instrumented System/Protection Relay\"}}, \"iterable_item_removed\": {\"root['x_mitre_platforms'][1]\": \"Field Controller/RTU/PLC/IED\"}}", + "previous_version": "1.0", + "changelog_mitigations": { + "shared": [ + "M0800: Authorization Enforcement", + "M0801: Access Management", + "M0802: Communication Authenticity", + "M0804: Human User Authentication", + "M0807: Network Allowlists", + "M0813: Software Process and Device Authentication", + "M0930: Network Segmentation" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0015: Application Log (Application Log Content)", + "DS0029: Network Traffic (Network Traffic Content)", + "DS0040: Operational Databases (Device Alarm)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:57:00.378000+00:00", + "name": "Command-Line Interface", + "description": "Adversaries may utilize command-line interfaces (CLIs) to interact with systems and execute commands. CLIs provide a means of interacting with computer systems and are a common feature across many types of platforms and devices within control systems environments. (Citation: Enterprise ATT&CK January 2018) Adversaries may also use CLIs to install and run new software, including malicious tools that may be installed over the course of an operation.\n\nCLIs are typically accessed locally, but can also be exposed via services, such as SSH, Telnet, and RDP. Commands that are executed in the CLI execute with the current permissions level of the process running the terminal emulator, unless the command specifies a change in permissions context. Many controllers have CLI interfaces for management purposes.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "execution" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0807", + "external_id": "T0807" + }, + { + "source_name": "Enterprise ATT&CK January 2018", + "description": "Enterprise ATT&CK 2018, January 11 Command-Line Interface Retrieved. 2018/05/17 ", + "url": "https://attack.mitre.org/wiki/Technique/T1059" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_sources": [ + "Command: Command Execution", + "Application Log: Application Log Content", + "Process: Process Creation" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:00.378000+00:00\", \"old_value\": \"2023-03-09 18:38:51.471000+00:00\"}, \"root['x_mitre_platforms'][0]\": {\"new_value\": \"None\", \"old_value\": \"Control Server\"}}, \"iterable_item_removed\": {\"root['x_mitre_platforms'][1]\": \"Data Historian\", \"root['x_mitre_platforms'][2]\": \"Field Controller/RTU/PLC/IED\", \"root['x_mitre_platforms'][3]\": \"Human-Machine Interface\", \"root['x_mitre_platforms'][4]\": \"Input/Output Server\"}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [ + "M0938: Execution Prevention", + "M0942: Disable or Remove Feature or Program" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0015: Application Log (Application Log Content)", + "DS0017: Command (Command Execution)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:57:12.723000+00:00", + "name": "Commonly Used Port", + "description": "Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend in with normal network activity, to avoid more detailed inspection. They may use the protocol associated with the port, or a completely different protocol. They may use commonly open ports, such as the examples provided below. \n \n * TCP:80 (HTTP) \n * TCP:443 (HTTPS) \n * TCP/UDP:53 (DNS) \n * TCP:1024-4999 (OPC on XP/Win2k3) \n * TCP:49152-65535 (OPC on Vista and later) \n * TCP:23 (TELNET) \n * UDP:161 (SNMP) \n * TCP:502 (MODBUS) \n * TCP:102 (S7comm/ISO-TSAP) \n * TCP:20000 (DNP3) \n * TCP:44818 (Ethernet/IP)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "command-and-control" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0885", + "external_id": "T0885" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_contributors": [ + "Matan Dobrushin - Otorio" + ], + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Flow", + "Network Traffic: Network Traffic Content" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:12.723000+00:00\", \"old_value\": \"2023-03-09 18:38:51.471000+00:00\"}, \"root['x_mitre_platforms'][0]\": {\"new_value\": \"None\", \"old_value\": \"Safety Instrumented System/Protection Relay\"}}, \"iterable_item_removed\": {\"root['x_mitre_platforms'][1]\": \"Field Controller/RTU/PLC/IED\", \"root['x_mitre_platforms'][2]\": \"Human-Machine Interface\", \"root['x_mitre_platforms'][3]\": \"Control Server\", \"root['x_mitre_platforms'][4]\": \"Engineering Workstation\"}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [ + "M0804: Human User Authentication", + "M0930: Network Segmentation", + "M0931: Network Intrusion Prevention", + "M0942: Disable or Remove Feature or Program" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0029: Network Traffic (Network Traffic Content)", + "DS0029: Network Traffic (Network Traffic Flow)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:57:11.730000+00:00", + "name": "Connection Proxy", + "description": "Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications.\n\nThe definition of a proxy can also be expanded to encompass trust relationships between networks in peer-to-peer, mesh, or trusted connections between networks consisting of hosts or systems that regularly communicate with each other.\n\nThe network may be within a single organization or across multiple organizations with trust relationships. Adversaries could use these types of relationships to manage command and control communications, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. (Citation: Enterprise ATT&CK January 2018)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "command-and-control" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0884", + "external_id": "T0884" + }, + { + "source_name": "Enterprise ATT&CK January 2018", + "description": "Enterprise ATT&CK 2018, January 11 Connection Proxy Retrieved. 2018/05/17 ", + "url": "https://attack.mitre.org/wiki/Technique/T1090" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Traffic Flow" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:11.730000+00:00\", \"old_value\": \"2023-03-09 18:38:51.471000+00:00\"}}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [ + "M0807: Network Allowlists", + "M0920: SSL/TLS Inspection", + "M0931: Network Intrusion Prevention", + "M0937: Filter Network Traffic" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0029: Network Traffic (Network Traffic Content)", + "DS0029: Network Traffic (Network Traffic Flow)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--83ebd22f-b401-4d59-8219-2294172cf916", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:57:06.993000+00:00", + "name": "Damage to Property", + "description": "Adversaries may cause damage and destruction of property to infrastructure, equipment, and the surrounding environment when attacking control systems. This technique may result in device and operational equipment breakdown, or represent tangential damage from other techniques used in an attack. Depending on the severity of physical damage and disruption caused to control processes and systems, this technique may result in [Loss of Safety](https://attack.mitre.org/techniques/T0880). Operations that result in [Loss of Control](https://attack.mitre.org/techniques/T0827) may also cause damage to property, which may be directly or indirectly motivated by an adversary seeking to cause impact in the form of [Loss of Productivity and Revenue](https://attack.mitre.org/techniques/T0828). \n\n\nThe German Federal Office for Information Security (BSI) reported a targeted attack on a steel mill under an incidents affecting business section of its 2014 IT Security Report. (Citation: BSI State of IT Security 2014) These targeted attacks affected industrial operations and resulted in breakdowns of control system components and even entire installations. As a result of these breakdowns, massive impact and damage resulted from the uncontrolled shutdown of a blast furnace. \n\nA Polish student used a remote controller device to interface with the Lodz city tram system in Poland. (Citation: John Bill May 2017) (Citation: Shelley Smith February 2008) (Citation: Bruce Schneier January 2008) Using this remote, the student was able to capture and replay legitimate tram signals. This resulted in damage to impacted trams, people, and the surrounding property. Reportedly, four trams were derailed and were forced to make emergency stops. (Citation: Shelley Smith February 2008) Commands issued by the student may have also resulted in tram collisions, causing harm to those on board and the environment outside. (Citation: Bruce Schneier January 2008)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "impact" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0879", + "external_id": "T0879" + }, + { + "source_name": "Bruce Schneier January 2008", + "description": "Bruce Schneier 2008, January 17 Hacking Polish Trams Retrieved. 2019/10/17 ", + "url": "https://www.schneier.com/blog/archives/2008/01/hacking_the_pol.html" + }, + { + "source_name": "BSI State of IT Security 2014", + "description": "Bundesamt fr Sicherheit in der Informationstechnik (BSI) (German Federal Office for Information Security) 2014 Die Lage der IT-Sicherheit in Deutschland 2014 (The State of IT Security in Germany) Retrieved. 2019/10/30 ", + "url": "https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Securitysituation/IT-Security-Situation-in-Germany-2014.pdf?__blob=publicationFile&v=3" + }, + { + "source_name": "John Bill May 2017", + "description": "John Bill 2017, May 12 Hacked Cyber Security Railways Retrieved. 2019/10/17 ", + "url": "https://www.londonreconnections.com/2017/hacked-cyber-security-railways/" + }, + { + "source_name": "Shelley Smith February 2008", + "description": "Shelley Smith 2008, February 12 Teen Hacker in Poland Plays Trains and Derails City Tram System Retrieved. 2019/10/17 ", + "url": "https://inhomelandsecurity.com/teen_hacker_in_poland_plays_tr/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:06.993000+00:00\", \"old_value\": \"2023-03-30 20:14:42.829000+00:00\"}}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [ + "M0805: Mechanical Protection Layers", + "M0807: Network Allowlists", + "M0812: Safety Instrumented Systems" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:57:04.784000+00:00", + "name": "Data Destruction", + "description": "Adversaries may perform data destruction over the course of an operation. The adversary may drop or create malware, tools, or other non-native files on a target system to accomplish this, potentially leaving behind traces of malicious activities. Such non-native files and other data may be removed over the course of an intrusion to maintain a small footprint or as a standard part of the post-intrusion cleanup process. (Citation: Enterprise ATT&CK January 2018)\n\nData destruction may also be used to render operator interfaces unable to respond and to disrupt response functions from occurring as expected. An adversary may also destroy data backups that are vital to recovery after an incident.\n\nStandard file deletion commands are available on most operating system and device interfaces to perform cleanup, but adversaries may use other tools as well. Two examples are Windows Sysinternals SDelete and Active@ Killdisk.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "inhibit-response-function" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0809", + "external_id": "T0809" + }, + { + "source_name": "Enterprise ATT&CK January 2018", + "description": "Enterprise ATT&CK 2018, January 11 File Deletion Retrieved. 2018/05/17 ", + "url": "https://attack.mitre.org/wiki/Technique/T1107" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_contributors": [ + "Matan Dobrushin - Otorio" + ], + "x_mitre_data_sources": [ + "File: File Modification", + "Process: Process Creation", + "File: File Deletion", + "Command: Command Execution" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:04.784000+00:00\", \"old_value\": \"2022-09-19 14:12:22.878000+00:00\"}, \"root['x_mitre_platforms'][0]\": {\"new_value\": \"None\", \"old_value\": \"Control Server\"}}, \"iterable_item_removed\": {\"root['x_mitre_platforms'][1]\": \"Human-Machine Interface\", \"root['x_mitre_platforms'][2]\": \"Field Controller/RTU/PLC/IED\"}}", + "previous_version": "1.0", + "changelog_mitigations": { + "shared": [ + "M0922: Restrict File and Directory Permissions", + "M0926: Privileged Account Management", + "M0953: Data Backup" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0017: Command (Command Execution)", + "DS0022: File (File Deletion)", + "DS0022: File (File Modification)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:57:03.187000+00:00", + "name": "Data from Information Repositories", + "description": "Adversaries may target and collect data from information repositories. This can include sensitive data such as specifications, schematics, or diagrams of control system layouts, devices, and processes. Examples of information repositories include reference databases in the process environment, as well as databases in the corporate network that might contain information about the ICS.(Citation: Cybersecurity & Infrastructure Security Agency March 2018)\n\nInformation collected from these systems may provide the adversary with a better understanding of the operational environment, vendors used, processes, or procedures of the ICS.\n\nIn a campaign between 2011 and 2013 against ONG organizations, Chinese state-sponsored actors searched document repositories for specific information such as, system manuals, remote terminal unit (RTU) sites, personnel lists, documents that included the string SCAD*, user credentials, and remote dial-up access information. (Citation: CISA AA21-201A Pipeline Intrusion July 2021)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "collection" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0811", + "external_id": "T0811" + }, + { + "source_name": "Cybersecurity & Infrastructure Security Agency March 2018", + "description": "Cybersecurity & Infrastructure Security Agency 2018, March 15 Alert (TA18-074A) Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors Retrieved. 2019/10/11 ", + "url": "https://us-cert.cisa.gov/ncas/alerts/TA18-074A" + }, + { + "source_name": "CISA AA21-201A Pipeline Intrusion July 2021", + "description": "Department of Justice (DOJ), DHS Cybersecurity & Infrastructure Security Agency (CISA) 2021, July 20 Chinese Gas Pipeline Intrusion Campaign, 2011 to 2013 Retrieved. 2021/10/08 ", + "url": "https://us-cert.cisa.gov/sites/default/files/publications/AA21-201A_Chinese_Gas_Pipeline_Intrusion_Campaign_2011_to_2013%20(1).pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_data_sources": [ + "Logon Session: Logon Session Creation", + "Network Share: Network Share Access", + "Application Log: Application Log Content" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:03.187000+00:00\", \"old_value\": \"2023-03-30 19:09:43.744000+00:00\"}, \"root['x_mitre_platforms'][0]\": {\"new_value\": \"None\", \"old_value\": \"Data Historian\"}}}", + "previous_version": "1.2", + "changelog_mitigations": { + "shared": [ + "M0917: User Training", + "M0918: User Account Management", + "M0922: Restrict File and Directory Permissions", + "M0926: Privileged Account Management", + "M0941: Encrypt Sensitive Information", + "M0947: Audit" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0015: Application Log (Application Log Content)", + "DS0028: Logon Session (Logon Session Creation)", + "DS0033: Network Share (Network Share Access)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-03-30 18:56:02.424000+00:00", + "modified": "2023-10-13 17:57:13.921000+00:00", + "name": "Data from Local System", + "description": "Adversaries may target and collect data from local system sources, such as file systems, configuration files, or local databases. This can include sensitive data such as specifications, schematics, or diagrams of control system layouts, devices, and processes.\n\nAdversaries may do this using [Command-Line Interface](https://attack.mitre.org/techniques/T0807) or [Scripting](https://attack.mitre.org/techniques/T0853) techniques to interact with the file system to gather information. Adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T0802) on the local system. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "collection" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0893", + "external_id": "T0893" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_data_sources": [ + "File: File Access", + "Process: Process Creation", + "Script: Script Execution", + "Process: OS API Execution", + "Command: Command Execution" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:13.921000+00:00\", \"old_value\": \"2023-04-05 14:14:48.109000+00:00\"}, \"root['x_mitre_platforms'][0]\": {\"new_value\": \"None\", \"old_value\": \"Field Controller/RTU/PLC/IED\"}}, \"iterable_item_removed\": {\"root['x_mitre_platforms'][1]\": \"Safety Instrumented System/Protection Relay\", \"root['x_mitre_platforms'][2]\": \"Control Server\", \"root['x_mitre_platforms'][3]\": \"Input/Output Server\", \"root['x_mitre_platforms'][4]\": \"Human-Machine Interface\", \"root['x_mitre_platforms'][5]\": \"Engineering Workstation\"}}", + "previous_version": "1.0", + "changelog_mitigations": { + "shared": [ + "M0803: Data Loss Prevention", + "M0917: User Training", + "M0922: Restrict File and Directory Permissions", + "M0941: Encrypt Sensitive Information" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (OS API Execution)", + "DS0009: Process (Process Creation)", + "DS0012: Script (Script Execution)", + "DS0017: Command (Command Execution)", + "DS0022: File (File Access)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:57:07.653000+00:00", + "name": "Default Credentials", + "description": "Adversaries may leverage manufacturer or supplier set default credentials on control system devices. These default credentials may have administrative permissions and may be necessary for initial configuration of the device. It is general best practice to change the passwords for these accounts as soon as possible, but some manufacturers may have devices that have passwords or usernames that cannot be changed. (Citation: Keith Stouffer May 2015)\n\nDefault credentials are normally documented in an instruction manual that is either packaged with the device, published online through official means, or published online through unofficial means. Adversaries may leverage default credentials that have not been properly modified or disabled.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "lateral-movement" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0812", + "external_id": "T0812" + }, + { + "source_name": "Keith Stouffer May 2015", + "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Content", + "Logon Session: Logon Session Creation" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:07.653000+00:00\", \"old_value\": \"2023-03-09 18:38:51.471000+00:00\"}, \"root['x_mitre_platforms'][0]\": {\"new_value\": \"None\", \"old_value\": \"Human-Machine Interface\"}}, \"iterable_item_removed\": {\"root['x_mitre_platforms'][1]\": \"Field Controller/RTU/PLC/IED\", \"root['x_mitre_platforms'][2]\": \"Safety Instrumented System/Protection Relay\", \"root['x_mitre_platforms'][3]\": \"Control Server\", \"root['x_mitre_platforms'][4]\": \"Engineering Workstation\"}}", + "previous_version": "1.0", + "changelog_mitigations": { + "shared": [ + "M0801: Access Management", + "M0927: Password Policies" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0028: Logon Session (Logon Session Creation)", + "DS0029: Network Traffic (Network Traffic Content)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:57:12.329000+00:00", + "name": "Denial of Control", + "description": "Adversaries may cause a denial of control to temporarily prevent operators and engineers from interacting with process controls. An adversary may attempt to deny process control access to cause a temporary loss of communication with the control device or to prevent operator adjustment of process controls. An affected process may still be operating during the period of control loss, but not necessarily in a desired state. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay)\n\nIn the 2017 Dallas Siren incident operators were unable to disable the false alarms from the Office of Emergency Management headquarters. (Citation: Mark Loveless April 2017)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "impact" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0813", + "external_id": "T0813" + }, + { + "source_name": "Corero", + "description": "Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 ", + "url": "https://www.corero.com/resources/files/whitepapers/cns_whitepaper_ics.pdf" + }, + { + "source_name": "Mark Loveless April 2017", + "description": "Mark Loveless 2017, April 11 THE DALLAS COUNTY SIREN HACK Retrieved. 2020/11/06 ", + "url": "https://duo.com/decipher/the-dallas-county-siren-hack" + }, + { + "source_name": "Michael J. Assante and Robert M. Lee", + "description": "Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 ", + "url": "https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297" + }, + { + "source_name": "Tyson Macaulay", + "description": "Tyson Macaulay Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 RIoT Control: Understanding and Managing Risks and the Internet of Things Retrieved. 2019/11/04 ", + "url": "https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:12.329000+00:00\", \"old_value\": \"2023-03-30 20:15:14.260000+00:00\"}}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [ + "M0810: Out-of-Band Communications Channel", + "M0811: Redundancy of Service", + "M0953: Data Backup" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:56:59.992000+00:00", + "name": "Denial of Service", + "description": "Adversaries may perform Denial-of-Service (DoS) attacks to disrupt expected device functionality. Examples of DoS attacks include overwhelming the target device with a high volume of requests in a short time period and sending the target device a request it does not know how to handle. Disrupting device state may temporarily render it unresponsive, possibly lasting until a reboot can occur. When placed in this state, devices may be unable to send and receive requests, and may not perform expected response functions in reaction to other events in the environment. \n\nSome ICS devices are particularly sensitive to DoS events, and may become unresponsive in reaction to even a simple ping sweep. Adversaries may also attempt to execute a Permanent Denial-of-Service (PDoS) against certain devices, such as in the case of the BrickerBot malware. (Citation: ICS-CERT April 2017) \n\nAdversaries may exploit a software vulnerability to cause a denial of service by taking advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in software that can be used to cause a denial of service condition. \n\nAdversaries may have prior knowledge about industrial protocols or control devices used in the environment through [Remote System Information Discovery](https://attack.mitre.org/techniques/T0888). There are examples of adversaries remotely causing a [Device Restart/Shutdown](https://attack.mitre.org/techniques/T0816) by exploiting a vulnerability that induces uncontrolled resource consumption. (Citation: ICS-CERT August 2018) (Citation: Common Weakness Enumeration January 2019) (Citation: MITRE March 2018) ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "inhibit-response-function" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0814", + "external_id": "T0814" + }, + { + "source_name": "Common Weakness Enumeration January 2019", + "description": "Common Weakness Enumeration 2019, January 03 CWE-400: Uncontrolled Resource Consumption Retrieved. 2019/03/14 ", + "url": "http://cwe.mitre.org/data/definitions/400.html" + }, + { + "source_name": "ICS-CERT April 2017", + "description": "ICS-CERT 2017, April 18 CS Alert (ICS-ALERT-17-102-01A) BrickerBot Permanent Denial-of-Service Attack Retrieved. 2019/10/24 ", + "url": "https://www.us-cert.gov/ics/alerts/ICS-ALERT-17-102-01A" + }, + { + "source_name": "ICS-CERT August 2018", + "description": "ICS-CERT 2018, August 27 Advisory (ICSA-15-202-01) - Siemens SIPROTEC Denial-of-Service Vulnerability Retrieved. 2019/03/14 ", + "url": "https://ics-cert.us-cert.gov/advisories/ICSA-15-202-01" + }, + { + "source_name": "MITRE March 2018", + "description": "MITRE 2018, March 22 CVE-2015-5374 Retrieved. 2019/03/14 ", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5374" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Traffic Flow", + "Application Log: Application Log Content", + "Operational Databases: Process History/Live Data" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:56:59.992000+00:00\", \"old_value\": \"2023-03-30 20:16:01.922000+00:00\"}, \"root['x_mitre_platforms'][0]\": {\"new_value\": \"None\", \"old_value\": \"Field Controller/RTU/PLC/IED\"}}, \"iterable_item_removed\": {\"root['x_mitre_platforms'][1]\": \"Safety Instrumented System/Protection Relay\"}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [ + "M0815: Watchdog Timers" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0015: Application Log (Application Log Content)", + "DS0029: Network Traffic (Network Traffic Content)", + "DS0029: Network Traffic (Network Traffic Flow)", + "DS0040: Operational Databases (Process History/Live Data)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:57:05.576000+00:00", + "name": "Denial of View", + "description": "Adversaries may cause a denial of view in attempt to disrupt and prevent operator oversight on the status of an ICS environment. This may manifest itself as a temporary communication failure between a device and its control source, where the interface recovers and becomes available once the interference ceases. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay) \n\nAn adversary may attempt to deny operator visibility by preventing them from receiving status and reporting messages. Denying this view may temporarily block and prevent operators from noticing a change in state or anomalous behavior. The environment's data and processes may still be operational, but functioning in an unintended or adversarial manner. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "impact" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0815", + "external_id": "T0815" + }, + { + "source_name": "Corero", + "description": "Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 ", + "url": "https://www.corero.com/resources/files/whitepapers/cns_whitepaper_ics.pdf" + }, + { + "source_name": "Michael J. Assante and Robert M. Lee", + "description": "Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 ", + "url": "https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297" + }, + { + "source_name": "Tyson Macaulay", + "description": "Tyson Macaulay Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 RIoT Control: Understanding and Managing Risks and the Internet of Things Retrieved. 2019/11/04 ", + "url": "https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:05.576000+00:00\", \"old_value\": \"2023-03-30 20:16:25.031000+00:00\"}}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [ + "M0810: Out-of-Band Communications Channel", + "M0811: Redundancy of Service", + "M0953: Data Backup" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:57:01.778000+00:00", + "name": "Detect Operating Mode", + "description": "Adversaries may gather information about a PLCs or controllers current operating mode. Operating modes dictate what change or maintenance functions can be manipulated and are often controlled by a key switch on the PLC (e.g., run, prog [program], and remote). Knowledge of these states may be valuable to an adversary to determine if they are able to reprogram the PLC. Operating modes and the mechanisms by which they are selected often vary by vendor and product line. Some commonly implemented operating modes are described below: \n\n* Program - This mode must be enabled before changes can be made to a devices program. This allows program uploads and downloads between the device and an engineering workstation. Often the PLCs logic Is halted, and all outputs may be forced off. (Citation: N.A. October 2017) \n* Run - Execution of the devices program occurs in this mode. Input and output (values, points, tags, elements, etc.) are monitored and used according to the programs logic.[Program Upload](https://attack.mitre.org/techniques/T0845) and [Program Download](https://attack.mitre.org/techniques/T0843) are disabled while in this mode. (Citation: Omron) (Citation: Machine Information Systems 2007) (Citation: N.A. October 2017) (Citation: PLCgurus 2021) \n* Remote - Allows for remote changes to a PLCs operation mode. (Citation: PLCgurus 2021) \n* Stop - The PLC and program is stopped, while in this mode, outputs are forced off. (Citation: Machine Information Systems 2007) \n* Reset - Conditions on the PLC are reset to their original states. Warm resets may retain some memory while cold resets will reset all I/O and data registers. (Citation: Machine Information Systems 2007) \n* Test / Monitor mode - Similar to run mode, I/O is processed, although this mode allows for monitoring, force set, resets, and more generally tuning or debugging of the system. Often monitor mode may be used as a trial for initialization. (Citation: Omron)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "collection" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0868", + "external_id": "T0868" + }, + { + "source_name": "Machine Information Systems 2007", + "description": "Machine Information Systems 2007 How PLCs Work Retrieved. 2021/01/28 ", + "url": "http://www.machine-information-systems.com/How_PLCs_Work.html" + }, + { + "source_name": "N.A. October 2017", + "description": "N.A. 2017, October What are the different operating modes in PLC? Retrieved. 2021/01/28 ", + "url": "https://forumautomation.com/t/what-are-the-different-operating-modes-in-plc/2489" + }, + { + "source_name": "Omron", + "description": "Omron Machine Information Systems 2007 How PLCs Work Retrieved. 2021/01/28 PLC Different Operating Modes Retrieved. 2021/01/28 ", + "url": "https://www.omron-ap.com/service_support/FAQ/FAQ00002/index.asp#:~:text=In%20PROGRAM%20mode%2C%20the%20CPU,can%20be%20created%20or%20modified." + }, + { + "source_name": "PLCgurus 2021", + "description": "PLCgurus 2021 PLC Basics Modes Of Operation Retrieved. 2021/01/28 ", + "url": "https://www.plcgurus.net/plc-basics/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Content" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:01.778000+00:00\", \"old_value\": \"2023-03-09 18:38:51.471000+00:00\"}, \"root['x_mitre_platforms'][0]\": {\"new_value\": \"None\", \"old_value\": \"Field Controller/RTU/PLC/IED\"}}}", + "previous_version": "1.0", + "changelog_mitigations": { + "shared": [ + "M0800: Authorization Enforcement", + "M0801: Access Management", + "M0802: Communication Authenticity", + "M0804: Human User Authentication", + "M0807: Network Allowlists", + "M0813: Software Process and Device Authentication", + "M0930: Network Segmentation", + "M0937: Filter Network Traffic" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0029: Network Traffic (Network Traffic Content)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:57:00.768000+00:00", + "name": "Device Restart/Shutdown", + "description": "Adversaries may forcibly restart or shutdown a device in an ICS environment to disrupt and potentially negatively impact physical processes. Methods of device restart and shutdown exist in some devices as built-in, standard functionalities. These functionalities can be executed using interactive device web interfaces, CLIs, and network protocol commands.\n\nUnexpected restart or shutdown of control system devices may prevent expected response functions happening during critical states.\n\nA device restart can also be a sign of malicious device modifications, as many updates require a shutdown in order to take effect.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "inhibit-response-function" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0816", + "external_id": "T0816" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Flow", + "Application Log: Application Log Content", + "Operational Databases: Device Alarm", + "Network Traffic: Network Traffic Content" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:00.768000+00:00\", \"old_value\": \"2022-09-26 16:50:56.401000+00:00\"}, \"root['x_mitre_platforms'][0]\": {\"new_value\": \"None\", \"old_value\": \"Field Controller/RTU/PLC/IED\"}}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [ + "M0800: Authorization Enforcement", + "M0801: Access Management", + "M0802: Communication Authenticity", + "M0804: Human User Authentication", + "M0807: Network Allowlists", + "M0813: Software Process and Device Authentication", + "M0930: Network Segmentation", + "M0937: Filter Network Traffic", + "M0942: Disable or Remove Feature or Program" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0015: Application Log (Application Log Content)", + "DS0029: Network Traffic (Network Traffic Content)", + "DS0029: Network Traffic (Network Traffic Flow)", + "DS0040: Operational Databases (Device Alarm)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:57:06.780000+00:00", + "name": "Drive-by Compromise", + "description": "Adversaries may gain access to a system during a drive-by compromise, when a user visits a website as part of a regular browsing session. With this technique, the user's web browser is targeted and exploited simply by visiting the compromised website. \n\nThe adversary may target a specific community, such as trusted third party suppliers or other industry specific groups, which often visit the target website. This kind of targeted attack relies on a common interest, and is known as a strategic web compromise or watering hole attack. \n\nThe National Cyber Awareness System (NCAS) has issued a Technical Alert (TA) regarding Russian government cyber activity targeting critical infrastructure sectors. (Citation: Cybersecurity & Infrastructure Security Agency March 2018) Analysis by DHS and FBI has noted two distinct categories of victims in the Dragonfly campaign on the Western energy sector: staging and intended targets. The adversary targeted the less secure networks of staging targets, including trusted third-party suppliers and related peripheral organizations. Initial access to the intended targets used watering hole attacks to target process control, ICS, and critical infrastructure related trade publications and informational websites.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "initial-access" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0817", + "external_id": "T0817" + }, + { + "source_name": "Cybersecurity & Infrastructure Security Agency March 2018", + "description": "Cybersecurity & Infrastructure Security Agency 2018, March 15 Alert (TA18-074A) Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors Retrieved. 2019/10/11 ", + "url": "https://us-cert.cisa.gov/ncas/alerts/TA18-074A" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Content", + "Application Log: Application Log Content", + "Process: Process Creation", + "File: File Creation", + "Network Traffic: Network Connection Creation" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:06.780000+00:00\", \"old_value\": \"2023-03-09 18:38:51.471000+00:00\"}}}", + "previous_version": "1.0", + "changelog_mitigations": { + "shared": [ + "M0921: Restrict Web-Based Content", + "M0948: Application Isolation and Sandboxing", + "M0950: Exploit Protection", + "M0951: Update Software" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0015: Application Log (Application Log Content)", + "DS0022: File (File Creation)", + "DS0029: Network Traffic (Network Connection Creation)", + "DS0029: Network Traffic (Network Traffic Content)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:57:05.776000+00:00", + "name": "Execution through API", + "description": "Adversaries may attempt to leverage Application Program Interfaces (APIs) used for communication between control software and the hardware. Specific functionality is often coded into APIs which can be called by software to engage specific functions on a device or other software.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "execution" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0871", + "external_id": "T0871" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_sources": [ + "Process: OS API Execution" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:05.776000+00:00\", \"old_value\": \"2023-03-09 18:38:51.471000+00:00\"}, \"root['x_mitre_platforms'][0]\": {\"new_value\": \"None\", \"old_value\": \"Field Controller/RTU/PLC/IED\"}}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [ + "M0800: Authorization Enforcement", + "M0801: Access Management", + "M0804: Human User Authentication", + "M0938: Execution Prevention" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (OS API Execution)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:57:02.990000+00:00", + "name": "Exploit Public-Facing Application", + "description": "Adversaries may leverage weaknesses to exploit internet-facing software for initial access into an industrial network. Internet-facing software may be user applications, underlying networking implementations, an assets operating system, weak defenses, etc. Targets of this technique may be intentionally exposed for the purpose of remote management and visibility.\n\nAn adversary may seek to target public-facing applications as they may provide direct access into an ICS environment or the ability to move into the ICS network. Publicly exposed applications may be found through online tools that scan the internet for open ports and services. Version numbers for the exposed application may provide adversaries an ability to target specific known vulnerabilities. Exposed control protocol or remote access ports found in Commonly Used Port may be of interest by adversaries.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "initial-access" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0819", + "external_id": "T0819" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_sources": [ + "Application Log: Application Log Content", + "Network Traffic: Network Traffic Content" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:02.990000+00:00\", \"old_value\": \"2023-03-09 18:38:51.471000+00:00\"}, \"root['x_mitre_platforms'][0]\": {\"new_value\": \"None\", \"old_value\": \"Human-Machine Interface\"}}}", + "previous_version": "1.0", + "changelog_mitigations": { + "shared": [ + "M0916: Vulnerability Scanning", + "M0926: Privileged Account Management", + "M0930: Network Segmentation", + "M0948: Application Isolation and Sandboxing", + "M0950: Exploit Protection", + "M0951: Update Software" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0015: Application Log (Application Log Content)", + "DS0029: Network Traffic (Network Traffic Content)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:57:08.425000+00:00", + "name": "Exploitation for Evasion", + "description": "Adversaries may exploit a software vulnerability to take advantage of a programming error in a program, service, or within the operating system software or kernel itself to evade detection. Vulnerabilities may exist in software that can be used to disable or circumvent security features. \n\nAdversaries may have prior knowledge through [Remote System Information Discovery](https://attack.mitre.org/techniques/T0888) about security features implemented on control devices. These device security features will likely be targeted directly for exploitation. There are examples of firmware RAM/ROM consistency checks on control devices being targeted by adversaries to enable the installation of malicious [System Firmware](https://attack.mitre.org/techniques/T0857).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0820", + "external_id": "T0820" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_data_sources": [ + "Application Log: Application Log Content" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:08.425000+00:00\", \"old_value\": \"2023-03-09 18:38:51.471000+00:00\"}, \"root['x_mitre_platforms'][0]\": {\"new_value\": \"None\", \"old_value\": \"Safety Instrumented System/Protection Relay\"}}, \"iterable_item_removed\": {\"root['x_mitre_platforms'][1]\": \"Field Controller/RTU/PLC/IED\"}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [ + "M0919: Threat Intelligence Program", + "M0948: Application Isolation and Sandboxing", + "M0950: Exploit Protection", + "M0951: Update Software" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0015: Application Log (Application Log Content)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-04-13 12:08:26.506000+00:00", + "modified": "2023-10-13 17:57:11.342000+00:00", + "name": "Exploitation for Privilege Escalation", + "description": "Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions. (Citation: The MITRE Corporation) \n\nWhen initially gaining access to a system, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and software commonly running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user level permissions to SYSTEM or root permissions depending on the component that is vulnerable. This may be a necessary step for an adversary compromising an endpoint system that has been properly configured and limits other privilege escalation methods. (Citation: The MITRE Corporation)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "privilege-escalation" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0890", + "external_id": "T0890" + }, + { + "source_name": "The MITRE Corporation", + "description": "The MITRE Corporation The MITRE Corporation ATT&CK T1068: Exploitation for Privilege Escalation Retrieved. 2021/04/12 ATT&CK T1068: Exploitation for Privilege Escalation Retrieved. 2021/04/12 ", + "url": "https://attack.mitre.org/techniques/T1068/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_sources": [ + "Application Log: Application Log Content" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:11.342000+00:00\", \"old_value\": \"2022-09-27 16:38:58.028000+00:00\"}, \"root['x_mitre_platforms'][0]\": {\"new_value\": \"None\", \"old_value\": \"Human-Machine Interface\"}}, \"iterable_item_removed\": {\"root['x_mitre_platforms'][1]\": \"Safety Instrumented System/Protection Relay\"}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [ + "M0919: Threat Intelligence Program", + "M0948: Application Isolation and Sandboxing", + "M0950: Exploit Protection", + "M0951: Update Software" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0015: Application Log (Application Log Content)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:57:07.457000+00:00", + "name": "Exploitation of Remote Services", + "description": "Adversaries may exploit a software vulnerability to take advantage of a programming error in a program, service, or within the operating system software or kernel itself to enable remote service abuse. A common goal for post-compromise exploitation of remote services is for initial access into and lateral movement throughout the ICS environment to enable access to targeted systems. (Citation: Enterprise ATT&CK)\n\nICS asset owners and operators have been affected by ransomware (or disruptive malware masquerading as ransomware) migrating from enterprise IT to ICS environments: WannaCry, NotPetya, and BadRabbit. In each of these cases, self-propagating (wormable) malware initially infected IT networks, but through exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks, producing significant impacts. (Citation: Joe Slowik April 2019)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "initial-access" + }, + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "lateral-movement" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0866", + "external_id": "T0866" + }, + { + "source_name": "Enterprise ATT&CK", + "description": "Enterprise ATT&CK Exploitation of Remote Services Retrieved. 2019/10/27 ", + "url": "https://attack.mitre.org/techniques/T1210/" + }, + { + "source_name": "Joe Slowik April 2019", + "description": "Joe Slowik 2019, April 10 Implications of IT Ransomware for ICS Environments Retrieved. 2019/10/27 ", + "url": "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_sources": [ + "Application Log: Application Log Content", + "Network Traffic: Network Traffic Content" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:07.457000+00:00\", \"old_value\": \"2023-03-09 18:38:51.471000+00:00\"}, \"root['x_mitre_platforms'][0]\": {\"new_value\": \"None\", \"old_value\": \"Human-Machine Interface\"}}, \"iterable_item_removed\": {\"root['x_mitre_platforms'][1]\": \"Data Historian\", \"root['x_mitre_platforms'][2]\": \"Engineering Workstation\"}}", + "previous_version": "1.0", + "changelog_mitigations": { + "shared": [ + "M0916: Vulnerability Scanning", + "M0919: Threat Intelligence Program", + "M0926: Privileged Account Management", + "M0930: Network Segmentation", + "M0942: Disable or Remove Feature or Program", + "M0948: Application Isolation and Sandboxing", + "M0950: Exploit Protection", + "M0951: Update Software" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0015: Application Log (Application Log Content)", + "DS0029: Network Traffic (Network Traffic Content)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:57:07.840000+00:00", + "name": "External Remote Services", + "description": "Adversaries may leverage external remote services as a point of initial access into your network. These services allow users to connect to internal network resources from external locations. Examples are VPNs, Citrix, and other access mechanisms. Remote service gateways often manage connections and credential authentication for these services. (Citation: Daniel Oakley, Travis Smith, Tripwire)\n\nExternal remote services allow administration of a control system from outside the system. Often, vendors and internal engineering groups have access to external remote services to control system networks via the corporate network. In some cases, this access is enabled directly from the internet. While remote access enables ease of maintenance when a control system is in a remote area, compromise of remote access solutions is a liability. The adversary may use these services to gain access to and execute attacks against a control system network. Access to valid accounts is often a requirement. \n\nAs they look for an entry point into the control system network, adversaries may begin searching for existing point-to-point VPN implementations at trusted third party networks or through remote support employee connections where split tunneling is enabled. (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)\n", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "initial-access" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0822", + "external_id": "T0822" + }, + { + "source_name": "Daniel Oakley, Travis Smith, Tripwire", + "description": "Daniel Oakley, Travis Smith, Tripwire Retrieved. 2018/05/30 ", + "url": "https://attack.mitre.org/wiki/Technique/T1133" + }, + { + "source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016", + "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 2018/03/27 ", + "url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Flow", + "Logon Session: Logon Session Metadata", + "Application Log: Application Log Content" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:07.840000+00:00\", \"old_value\": \"2023-03-30 20:16:55.602000+00:00\"}, \"root['x_mitre_platforms'][0]\": {\"new_value\": \"None\", \"old_value\": \"Control Server\"}}, \"iterable_item_removed\": {\"root['x_mitre_platforms'][1]\": \"Input/Output Server\"}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [ + "M0918: User Account Management", + "M0927: Password Policies", + "M0930: Network Segmentation", + "M0932: Multi-factor Authentication", + "M0935: Limit Access to Resource Over Network", + "M0936: Account Use Policies", + "M0942: Disable or Remove Feature or Program" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0015: Application Log (Application Log Content)", + "DS0028: Logon Session (Logon Session Metadata)", + "DS0029: Network Traffic (Network Traffic Flow)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:57:08.992000+00:00", + "name": "Graphical User Interface", + "description": "Adversaries may attempt to gain access to a machine via a Graphical User Interface (GUI) to enhance execution capabilities. Access to a GUI allows a user to interact with a computer in a more visual manner than a CLI. A GUI allows users to move a cursor and click on interface objects, with a mouse and keyboard as the main input devices, as opposed to just using the keyboard.\n\nIf physical access is not an option, then access might be possible via protocols such as VNC on Linux-based and Unix-based operating systems, and RDP on Windows operating systems. An adversary can use this access to execute programs and applications on the target machine.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "execution" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0823", + "external_id": "T0823" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_sources": [ + "Process: Process Creation", + "Command: Command Execution", + "Module: Module Load", + "Logon Session: Logon Session Creation" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:08.992000+00:00\", \"old_value\": \"2023-03-09 18:38:51.471000+00:00\"}, \"root['x_mitre_platforms'][0]\": {\"new_value\": \"None\", \"old_value\": \"Human-Machine Interface\"}}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [ + "M0816: Mitigation Limited or Not Effective" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0011: Module (Module Load)", + "DS0017: Command (Command Execution)", + "DS0028: Logon Session (Logon Session Creation)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2022-09-29 13:35:38.589000+00:00", + "modified": "2023-10-13 17:57:10.962000+00:00", + "name": "Hardcoded Credentials", + "description": "Adversaries may leverage credentials that are hardcoded in software or firmware to gain an unauthorized interactive user session to an asset. Examples credentials that may be hardcoded in an asset include:\n\n* Username/Passwords\n* Cryptographic keys/Certificates\n* API tokens\n\nUnlike [Default Credentials](https://attack.mitre.org/techniques/T0812), these credentials are built into the system in a way that they either cannot be changed by the asset owner, or may be infeasible to change because of the impact it would cause to the control system operation. These credentials may be reused across whole product lines or device models and are often not published or known to the owner and operators of the asset. \n\nAdversaries may utilize these hardcoded credentials to move throughout the control system environment or provide reliable access for their tools to interact with industrial assets. \n", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "lateral-movement" + }, + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "persistence" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0891", + "external_id": "T0891" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_contributors": [ + "Aagam Shah, @neutrinoguy, ABB" + ], + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Content", + "Logon Session: Logon Session Creation" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:10.962000+00:00\", \"old_value\": \"2023-03-09 18:38:51.471000+00:00\"}, \"root['x_mitre_platforms'][0]\": {\"new_value\": \"None\", \"old_value\": \"Field Controller/RTU/PLC/IED\"}}, \"iterable_item_removed\": {\"root['x_mitre_platforms'][1]\": \"Safety Instrumented System/Protection Relay\", \"root['x_mitre_platforms'][2]\": \"Control Server\", \"root['x_mitre_platforms'][3]\": \"Data Historian\", \"root['x_mitre_platforms'][4]\": \"Human-Machine Interface\", \"root['x_mitre_platforms'][5]\": \"Engineering Workstation\"}}", + "previous_version": "1.0", + "changelog_mitigations": { + "shared": [ + "M0801: Access Management" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0028: Logon Session (Logon Session Creation)", + "DS0029: Network Traffic (Network Traffic Content)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:57:08.803000+00:00", + "name": "Hooking", + "description": "Adversaries may hook into application programming interface (API) functions used by processes to redirect calls for execution and privilege escalation means. Windows processes often leverage these API functions to perform tasks that require reusable system resources. Windows API functions are typically stored in dynamic-link libraries (DLLs) as exported functions. (Citation: Enterprise ATT&CK)\n\nOne type of hooking seen in ICS involves redirecting calls to these functions via import address table (IAT) hooking. IAT hooking uses modifications to a process IAT, where pointers to imported API functions are stored. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "execution" + }, + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "privilege-escalation" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0874", + "external_id": "T0874" + }, + { + "source_name": "Enterprise ATT&CK", + "description": "Enterprise ATT&CK Hooking Retrieved. 2019/10/27 ", + "url": "https://attack.mitre.org/techniques/T1179/" + }, + { + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", + "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_data_sources": [ + "Process: OS API Execution", + "Process: Process Metadata" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:08.803000+00:00\", \"old_value\": \"2023-03-13 13:32:08.619000+00:00\"}, \"root['x_mitre_platforms'][0]\": {\"new_value\": \"None\", \"old_value\": \"Engineering Workstation\"}}}", + "previous_version": "1.2", + "changelog_mitigations": { + "shared": [ + "M0944: Restrict Library Loading", + "M0947: Audit" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (OS API Execution)", + "DS0009: Process (Process Metadata)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:57:05.375000+00:00", + "name": "I/O Image", + "description": "Adversaries may seek to capture process values related to the inputs and outputs of a PLC. During the scan cycle, a PLC reads the status of all inputs and stores them in an image table. (Citation: Nanjundaiah, Vaidyanath) The image table is the PLCs internal storage location where values of inputs/outputs for one scan are stored while it executes the user program. After the PLC has solved the entire logic program, it updates the output image table. The contents of this output image table are written to the corresponding output points in I/O Modules.\n\nThe Input and Output Image tables described above make up the I/O Image on a PLC. This image is used by the user program instead of directly interacting with physical I/O. (Citation: Spenneberg, Ralf 2016) \n\nAdversaries may collect the I/O Image state of a PLC by utilizing a devices [Native API](https://attack.mitre.org/techniques/T0834) to access the memory regions directly. The collection of the PLCs I/O state could be used to replace values or inform future stages of an attack.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "collection" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0877", + "external_id": "T0877" + }, + { + "source_name": "Nanjundaiah, Vaidyanath", + "description": "Nanjundaiah, Vaidyanath PLC Ladder Logic Basics Retrieved. 2021/10/11 ", + "url": "https://www.ezautomation.net/industry-articles/plc-ladder-logic-basics.htm" + }, + { + "source_name": "Spenneberg, Ralf 2016", + "description": "Spenneberg, Ralf 2016 PLC-Blaster Retrieved. 2019/06/06 ", + "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_data_sources": [ + "Asset: Software" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:05.375000+00:00\", \"old_value\": \"2023-03-09 18:38:51.471000+00:00\"}, \"root['x_mitre_platforms'][0]\": {\"new_value\": \"None\", \"old_value\": \"Field Controller/RTU/PLC/IED\"}}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [ + "M0816: Mitigation Limited or Not Effective" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0039: Asset (Software)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:57:05.190000+00:00", + "name": "Indicator Removal on Host", + "description": "Adversaries may attempt to remove indicators of their presence on a system in an effort to cover their tracks. In cases where an adversary may feel detection is imminent, they may try to overwrite, delete, or cover up changes they have made to the device.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0872", + "external_id": "T0872" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_sources": [ + "Command: Command Execution", + "Process: OS API Execution", + "Windows Registry: Windows Registry Key Modification", + "File: File Metadata", + "Windows Registry: Windows Registry Key Deletion", + "File: File Deletion", + "File: File Modification", + "Process: Process Creation" + ], + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:05.190000+00:00\", \"old_value\": \"2023-03-09 18:38:51.471000+00:00\"}, \"root['x_mitre_platforms'][0]\": {\"new_value\": \"None\", \"old_value\": \"Human-Machine Interface\"}}, \"iterable_item_removed\": {\"root['x_mitre_platforms'][1]\": \"Safety Instrumented System/Protection Relay\"}}", + "previous_version": "1.0", + "changelog_mitigations": { + "shared": [ + "M0922: Restrict File and Directory Permissions" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (OS API Execution)", + "DS0009: Process (Process Creation)", + "DS0017: Command (Command Execution)", + "DS0022: File (File Deletion)", + "DS0022: File (File Metadata)", + "DS0022: File (File Modification)", + "DS0024: Windows Registry (Windows Registry Key Deletion)", + "DS0024: Windows Registry (Windows Registry Key Modification)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:57:13.719000+00:00", + "name": "Internet Accessible Device", + "description": "Adversaries may gain access into industrial environments through systems exposed directly to the internet for remote access rather than through [External Remote Services](https://attack.mitre.org/techniques/T0822). Internet Accessible Devices are exposed to the internet unintentionally or intentionally without adequate protections. This may allow for adversaries to move directly into the control system network. Access onto these devices is accomplished without the use of exploits, these would be represented within the [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T0819) technique.\n\nAdversaries may leverage built in functions for remote access which may not be protected or utilize minimal legacy protections that may be targeted. (Citation: NCCIC January 2014) These services may be discoverable through the use of online scanning tools. \n\nIn the case of the Bowman dam incident, adversaries leveraged access to the dam control network through a cellular modem. Access to the device was protected by password authentication, although the application was vulnerable to brute forcing. (Citation: NCCIC January 2014) (Citation: Danny Yadron December 2015) (Citation: Mark Thompson March 2016)\n\nIn Trend Micros manufacturing deception operations adversaries were detected leveraging direct internet access to an ICS environment through the exposure of operational protocols such as Siemens S7, Omron FINS, and EtherNet/IP, in addition to misconfigured VNC access. (Citation: Stephen Hilt, Federico Maggi, Charles Perine, Lord Remorin, Martin Rsler, and Rainer Vosseler)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "initial-access" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0883", + "external_id": "T0883" + }, + { + "source_name": "Danny Yadron December 2015", + "description": "Danny Yadron 2015, December 20 Iranian Hackers Infiltrated New York Dam in 2013 Retrieved. 2019/11/07 ", + "url": "https://www.wsj.com/articles/iranian-hackers-infiltrated-new-york-dam-in-2013-1450662559" + }, + { + "source_name": "Mark Thompson March 2016", + "description": "Mark Thompson 2016, March 24 Iranian Cyber Attack on New York Dam Shows Future of War Retrieved. 2019/11/07 ", + "url": "https://time.com/4270728/iran-cyber-attack-dam-fbi/" + }, + { + "source_name": "NCCIC January 2014", + "description": "NCCIC 2014, January 1 Internet Accessible Control Systems At Risk Retrieved. 2019/11/07 ", + "url": "https://www.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_Jan-April2014.pdf" + }, + { + "source_name": "Stephen Hilt, Federico Maggi, Charles Perine, Lord Remorin, Martin Rsler, and Rainer Vosseler", + "description": "Stephen Hilt, Federico Maggi, Charles Perine, Lord Remorin, Martin Rsler, and Rainer Vosseler Mark Thompson 2016, March 24 Iranian Cyber Attack on New York Dam Shows Future of War Retrieved. 2019/11/07 Caught in the Act: Running a Realistic Factory Honeypot to Capture Real Threats Retrieved. 2021/04/12 ", + "url": "https://documents.trendmicro.com/assets/white_papers/wp-caught-in-the-act-running-a-realistic-factory-honeypot-to-capture-real-threats.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_data_sources": [ + "Logon Session: Logon Session Metadata", + "Network Traffic: Network Traffic Flow", + "Network Traffic: Network Traffic Content" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:13.719000+00:00\", \"old_value\": \"2023-03-09 18:38:51.471000+00:00\"}, \"root['x_mitre_platforms'][0]\": {\"new_value\": \"None\", \"old_value\": \"Control Server\"}}, \"iterable_item_removed\": {\"root['x_mitre_platforms'][1]\": \"Data Historian\", \"root['x_mitre_platforms'][2]\": \"Field Controller/RTU/PLC/IED\", \"root['x_mitre_platforms'][3]\": \"Human-Machine Interface\", \"root['x_mitre_platforms'][4]\": \"Input/Output Server\", \"root['x_mitre_platforms'][5]\": \"Safety Instrumented System/Protection Relay\"}}", + "previous_version": "1.0", + "changelog_mitigations": { + "shared": [ + "M0930: Network Segmentation" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0028: Logon Session (Logon Session Metadata)", + "DS0029: Network Traffic (Network Traffic Content)", + "DS0029: Network Traffic (Network Traffic Flow)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:57:13.327000+00:00", + "name": "Lateral Tool Transfer", + "description": "Adversaries may transfer tools or other files from one system to another to stage adversary tools or other files over the course of an operation. (Citation: Enterprise ATT&CK) Copying of files may also be performed laterally between internal victim systems to support Lateral Movement with remote Execution using inherent file sharing protocols such as file sharing over SMB to connected network shares. (Citation: Enterprise ATT&CK)\n\nIn control systems environments, malware may use SMB and other file sharing protocols to move laterally through industrial networks.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "lateral-movement" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0867", + "external_id": "T0867" + }, + { + "source_name": "Enterprise ATT&CK", + "description": "Enterprise ATT&CK Enterprise ATT&CK Lateral Tool Transfer Retrieved. 2019/10/27 Lateral Tool Transfer Retrieved. 2019/10/27 ", + "url": "https://attack.mitre.org/techniques/T1570/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_sources": [ + "Network Share: Network Share Access", + "File: File Metadata", + "File: File Creation", + "Network Traffic: Network Traffic Content", + "Command: Command Execution", + "Process: Process Creation", + "Network Traffic: Network Traffic Flow" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:13.327000+00:00\", \"old_value\": \"2023-03-09 18:38:51.471000+00:00\"}, \"root['x_mitre_platforms'][0]\": {\"new_value\": \"None\", \"old_value\": \"Human-Machine Interface\"}}, \"iterable_item_removed\": {\"root['x_mitre_platforms'][1]\": \"Control Server\", \"root['x_mitre_platforms'][2]\": \"Data Historian\"}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [ + "M0931: Network Intrusion Prevention" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0017: Command (Command Execution)", + "DS0022: File (File Creation)", + "DS0022: File (File Metadata)", + "DS0029: Network Traffic (Network Traffic Content)", + "DS0029: Network Traffic (Network Traffic Flow)", + "DS0033: Network Share (Network Share Access)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:57:09.581000+00:00", + "name": "Loss of Availability", + "description": "Adversaries may attempt to disrupt essential components or systems to prevent owner and operator from delivering products or services. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay) \n\nAdversaries may leverage malware to delete or encrypt critical data on HMIs, workstations, or databases.\n\nIn the 2021 Colonial Pipeline ransomware incident, pipeline operations were temporally halted on May 7th and were not fully restarted until May 12th. (Citation: Colonial Pipeline Company May 2021)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "impact" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0826", + "external_id": "T0826" + }, + { + "source_name": "Colonial Pipeline Company May 2021", + "description": "Colonial Pipeline Company 2021, May Media Statement Update: Colonial Pipeline System Disruption Retrieved. 2021/10/08 ", + "url": "https://www.colpipe.com/news/press-releases/media-statement-colonial-pipeline-system-disruption" + }, + { + "source_name": "Corero", + "description": "Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 ", + "url": "https://www.corero.com/resources/files/whitepapers/cns_whitepaper_ics.pdf" + }, + { + "source_name": "Michael J. Assante and Robert M. Lee", + "description": "Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 ", + "url": "https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297" + }, + { + "source_name": "Tyson Macaulay", + "description": "Tyson Macaulay Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 RIoT Control: Understanding and Managing Risks and the Internet of Things Retrieved. 2019/11/04 ", + "url": "https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:09.581000+00:00\", \"old_value\": \"2023-03-09 18:38:51.471000+00:00\"}}}", + "previous_version": "1.0", + "changelog_mitigations": { + "shared": [ + "M0810: Out-of-Band Communications Channel", + "M0811: Redundancy of Service", + "M0953: Data Backup" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:57:08.613000+00:00", + "name": "Loss of Control", + "description": "Adversaries may seek to achieve a sustained loss of control or a runaway condition in which operators cannot issue any commands even if the malicious interference has subsided. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay)\n\nThe German Federal Office for Information Security (BSI) reported a targeted attack on a steel mill in its 2014 IT Security Report.(Citation: BSI State of IT Security 2014) These targeted attacks affected industrial operations and resulted in breakdowns of control system components and even entire installations. As a result of these breakdowns, massive impact resulted in damage and unsafe conditions from the uncontrolled shutdown of a blast furnace.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "impact" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0827", + "external_id": "T0827" + }, + { + "source_name": "BSI State of IT Security 2014", + "description": "Bundesamt fr Sicherheit in der Informationstechnik (BSI) (German Federal Office for Information Security) 2014 Die Lage der IT-Sicherheit in Deutschland 2014 (The State of IT Security in Germany) Retrieved. 2019/10/30 ", + "url": "https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Securitysituation/IT-Security-Situation-in-Germany-2014.pdf?__blob=publicationFile&v=3" + }, + { + "source_name": "Corero", + "description": "Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 ", + "url": "https://www.corero.com/resources/files/whitepapers/cns_whitepaper_ics.pdf" + }, + { + "source_name": "Michael J. Assante and Robert M. Lee", + "description": "Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 ", + "url": "https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297" + }, + { + "source_name": "Tyson Macaulay", + "description": "Tyson Macaulay Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 RIoT Control: Understanding and Managing Risks and the Internet of Things Retrieved. 2019/11/04 ", + "url": "https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_contributors": [ + "Dragos Threat Intelligence" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:08.613000+00:00\", \"old_value\": \"2023-03-09 18:38:51.471000+00:00\"}}}", + "previous_version": "1.0", + "changelog_mitigations": { + "shared": [ + "M0810: Out-of-Band Communications Channel", + "M0811: Redundancy of Service", + "M0953: Data Backup" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:57:06.362000+00:00", + "name": "Loss of Productivity and Revenue", + "description": "Adversaries may cause loss of productivity and revenue through disruption and even damage to the availability and integrity of control system operations, devices, and related processes. This technique may manifest as a direct effect of an ICS-targeting attack or tangentially, due to an IT-targeting attack against non-segregated environments. \n\nIn cases where these operations or services are brought to a halt, the loss of productivity may eventually present an impact for the end-users or consumers of products and services. The disrupted supply-chain may result in supply shortages and increased prices, among other consequences. \n\nA ransomware attack on an Australian beverage company resulted in the shutdown of some manufacturing sites, including precautionary halts to protect key systems. (Citation: Paganini, Pierluigi June 2020) The company announced the potential for temporary shortages of their products following the attack. (Citation: Paganini, Pierluigi June 2020) (Citation: Lion Corporation June 2020) \n\nIn the 2021 Colonial Pipeline ransomware incident, the pipeline was unable to transport approximately 2.5 million barrels of fuel per day to the East Coast. (Citation: Colonial Pipeline Company May 2021)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "impact" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0828", + "external_id": "T0828" + }, + { + "source_name": "Colonial Pipeline Company May 2021", + "description": "Colonial Pipeline Company 2021, May Media Statement Update: Colonial Pipeline System Disruption Retrieved. 2021/10/08 ", + "url": "https://www.colpipe.com/news/press-releases/media-statement-colonial-pipeline-system-disruption" + }, + { + "source_name": "Lion Corporation June 2020", + "description": "Lion Corporation 2020, June 26 Lion Cyber incident update: 26 June 2020 Retrieved. 2021/10/08 ", + "url": "https://lionco.com/2020/06/26/lion-update-re-cyber-issue/" + }, + { + "source_name": "Paganini, Pierluigi June 2020", + "description": "Paganini, Pierluigi 2020, June 14 Ransomware attack disrupts operations at Australian beverage company Lion Retrieved. 2021/10/08 ", + "url": "https://securityaffairs.co/wordpress/104749/cyber-crime/ransomware-attack-hit-lion.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:06.362000+00:00\", \"old_value\": \"2023-03-09 18:38:51.471000+00:00\"}}}", + "previous_version": "1.0", + "changelog_mitigations": { + "shared": [ + "M0953: Data Backup" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--2bb4d762-bf4a-4bc3-9318-15cc6a354163", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-04-12 07:57:26.506000+00:00", + "modified": "2023-10-13 17:57:01.994000+00:00", + "name": "Loss of Protection", + "description": "Adversaries may compromise protective system functions designed to prevent the effects of faults and abnormal conditions. This can result in equipment damage, prolonged process disruptions and hazards to personnel. \n\nMany faults and abnormal conditions in process control happen too quickly for a human operator to react to. Speed is critical in correcting these conditions to limit serious impacts such as Loss of Control and Property Damage. \n\nAdversaries may target and disable protective system functions as a prerequisite to subsequent attack execution or to allow for future faults and abnormal conditions to go unchecked. Detection of a Loss of Protection by operators can result in the shutdown of a process due to strict policies regarding protection systems. This can cause a Loss of Productivity and Revenue and may meet the technical goals of adversaries seeking to cause process disruptions.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "impact" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0837", + "external_id": "T0837" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:01.994000+00:00\", \"old_value\": \"2023-03-09 18:38:51.471000+00:00\"}}}", + "previous_version": "1.0", + "changelog_mitigations": { + "shared": [], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--5fa00fdd-4a55-4191-94a0-564181d7fec2", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:57:06.171000+00:00", + "name": "Loss of Safety", + "description": "Adversaries may compromise safety system functions designed to maintain safe operation of a process when unacceptable or dangerous conditions occur. Safety systems are often composed of the same elements as control systems but have the sole purpose of ensuring the process fails in a predetermined safe manner. \n\nMany unsafe conditions in process control happen too quickly for a human operator to react to. Speed is critical in correcting these conditions to limit serious impacts such as Loss of Control and Property Damage. \n\nAdversaries may target and disable safety system functions as a prerequisite to subsequent attack execution or to allow for future unsafe conditionals to go unchecked. Detection of a Loss of Safety by operators can result in the shutdown of a process due to strict policies regarding safety systems. This can cause a Loss of Productivity and Revenue and may meet the technical goals of adversaries seeking to cause process disruptions.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "impact" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0880", + "external_id": "T0880" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:06.171000+00:00\", \"old_value\": \"2023-03-09 18:38:51.471000+00:00\"}}}", + "previous_version": "1.0", + "changelog_mitigations": { + "shared": [ + "M0805: Mechanical Protection Layers", + "M0812: Safety Instrumented Systems" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:56:59.396000+00:00", + "name": "Loss of View", + "description": "Adversaries may cause a sustained or permanent loss of view where the ICS equipment will require local, hands-on operator intervention; for instance, a restart or manual operation. By causing a sustained reporting or visibility loss, the adversary can effectively hide the present state of operations. This loss of view can occur without affecting the physical processes themselves. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "impact" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0829", + "external_id": "T0829" + }, + { + "source_name": "Corero", + "description": "Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 ", + "url": "https://www.corero.com/resources/files/whitepapers/cns_whitepaper_ics.pdf" + }, + { + "source_name": "Michael J. Assante and Robert M. Lee", + "description": "Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 ", + "url": "https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297" + }, + { + "source_name": "Tyson Macaulay", + "description": "Tyson Macaulay Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 RIoT Control: Understanding and Managing Risks and the Internet of Things Retrieved. 2019/11/04 ", + "url": "https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:56:59.396000+00:00\", \"old_value\": \"2023-03-09 18:38:51.471000+00:00\"}, \"root['x_mitre_platforms'][0]\": {\"new_value\": \"None\", \"old_value\": \"Human-Machine Interface\"}}, \"iterable_item_removed\": {\"root['x_mitre_platforms'][1]\": \"Engineering Workstation\"}}", + "previous_version": "1.0", + "changelog_mitigations": { + "shared": [ + "M0810: Out-of-Band Communications Channel", + "M0811: Redundancy of Service", + "M0953: Data Backup" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:57:03.589000+00:00", + "name": "Manipulate I/O Image", + "description": "Adversaries may manipulate the I/O image of PLCs through various means to prevent them from functioning as expected. Methods of I/O image manipulation may include overriding the I/O table via direct memory manipulation or using the override function used for testing PLC programs. (Citation: Dr. Kelvin T. Erickson December 2010) During the scan cycle, a PLC reads the status of all inputs and stores them in an image table. (Citation: Nanjundaiah, Vaidyanath) The image table is the PLCs internal storage location where values of inputs/outputs for one scan are stored while it executes the user program. After the PLC has solved the entire logic program, it updates the output image table. The contents of this output image table are written to the corresponding output points in I/O Modules. \n\nOne of the unique characteristics of PLCs is their ability to override the status of a physical discrete input or to override the logic driving a physical output coil and force the output to a desired status.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "inhibit-response-function" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0835", + "external_id": "T0835" + }, + { + "source_name": "Dr. Kelvin T. Erickson December 2010", + "description": "Dr. Kelvin T. Erickson 2010, December Programmable logic controller hardware Retrieved. 2018/03/29 ", + "url": "https://www.isa.org/standards-and-publications/isa-publications/intech/2010/december/programmable-logic-controller-hardware/" + }, + { + "source_name": "Nanjundaiah, Vaidyanath", + "description": "Nanjundaiah, Vaidyanath Dr. Kelvin T. Erickson 2010, December Programmable logic controller hardware Retrieved. 2018/03/29 PLC Ladder Logic Basics Retrieved. 2021/10/11 ", + "url": "https://www.ezautomation.net/industry-articles/plc-ladder-logic-basics.htm" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_sources": [ + "Asset: Software" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:03.589000+00:00\", \"old_value\": \"2022-10-20 20:46:11.459000+00:00\"}, \"root['x_mitre_platforms'][0]\": {\"new_value\": \"None\", \"old_value\": \"Field Controller/RTU/PLC/IED\"}}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [ + "M0816: Mitigation Limited or Not Effective" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0039: Asset (Software)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:56:59.793000+00:00", + "name": "Manipulation of Control", + "description": "Adversaries may manipulate physical process control within the industrial environment. Methods of manipulating control can include changes to set point values, tags, or other parameters. Adversaries may manipulate control systems devices or possibly leverage their own, to communicate with and command physical control processes. The duration of manipulation may be temporary or longer sustained, depending on operator detection. \n\nMethods of Manipulation of Control include: \n\n* Man-in-the-middle \n* Spoof command message \n* Changing setpoints \n\nA Polish student used a remote controller device to interface with the Lodz city tram system in Poland. (Citation: John Bill May 2017) (Citation: Shelley Smith February 2008) (Citation: Bruce Schneier January 2008) Using this remote, the student was able to capture and replay legitimate tram signals. As a consequence, four trams were derailed and twelve people injured due to resulting emergency stops. (Citation: Shelley Smith February 2008) The track controlling commands issued may have also resulted in tram collisions, a further risk to those on board and nearby the areas of impact. (Citation: Bruce Schneier January 2008)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "impact" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0831", + "external_id": "T0831" + }, + { + "source_name": "Bruce Schneier January 2008", + "description": "Bruce Schneier 2008, January 17 Hacking Polish Trams Retrieved. 2019/10/17 ", + "url": "https://www.schneier.com/blog/archives/2008/01/hacking_the_pol.html" + }, + { + "source_name": "John Bill May 2017", + "description": "John Bill 2017, May 12 Hacked Cyber Security Railways Retrieved. 2019/10/17 ", + "url": "https://www.londonreconnections.com/2017/hacked-cyber-security-railways/" + }, + { + "source_name": "Shelley Smith February 2008", + "description": "Shelley Smith 2008, February 12 Teen Hacker in Poland Plays Trains and Derails City Tram System Retrieved. 2019/10/17 ", + "url": "https://inhomelandsecurity.com/teen_hacker_in_poland_plays_tr/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:56:59.793000+00:00\", \"old_value\": \"2023-03-09 18:38:51.471000+00:00\"}}}", + "previous_version": "1.0", + "changelog_mitigations": { + "shared": [ + "M0802: Communication Authenticity", + "M0810: Out-of-Band Communications Channel", + "M0953: Data Backup" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:57:04.993000+00:00", + "name": "Manipulation of View", + "description": "Adversaries may attempt to manipulate the information reported back to operators or controllers. This manipulation may be short term or sustained. During this time the process itself could be in a much different state than what is reported. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay) \n\nOperators may be fooled into doing something that is harmful to the system in a loss of view situation. With a manipulated view into the systems, operators may issue inappropriate control sequences that introduce faults or catastrophic failures into the system. Business analysis systems can also be provided with inaccurate data leading to bad management decisions.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "impact" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0832", + "external_id": "T0832" + }, + { + "source_name": "Corero", + "description": "Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 ", + "url": "https://www.corero.com/resources/files/whitepapers/cns_whitepaper_ics.pdf" + }, + { + "source_name": "Michael J. Assante and Robert M. Lee", + "description": "Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 ", + "url": "https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297" + }, + { + "source_name": "Tyson Macaulay", + "description": "Tyson Macaulay Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 RIoT Control: Understanding and Managing Risks and the Internet of Things Retrieved. 2019/11/04 ", + "url": "https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:04.993000+00:00\", \"old_value\": \"2023-03-09 18:38:51.471000+00:00\"}, \"root['x_mitre_platforms'][0]\": {\"new_value\": \"None\", \"old_value\": \"Engineering Workstation\"}}, \"iterable_item_removed\": {\"root['x_mitre_platforms'][1]\": \"Human-Machine Interface\", \"root['x_mitre_platforms'][2]\": \"Field Controller/RTU/PLC/IED\"}}", + "previous_version": "1.0", + "changelog_mitigations": { + "shared": [ + "M0802: Communication Authenticity", + "M0810: Out-of-Band Communications Channel", + "M0953: Data Backup" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:57:10.181000+00:00", + "name": "Masquerading", + "description": "Adversaries may use masquerading to disguise a malicious application or executable as another file, to avoid operator and engineer suspicion. Possible disguises of these masquerading files can include commonly found programs, expected vendor executables and configuration files, and other commonplace application and naming conventions. By impersonating expected and vendor-relevant files and applications, operators and engineers may not notice the presence of the underlying malicious content and possibly end up running those masquerading as legitimate functions. \n\nApplications and other files commonly found on Windows systems or in engineering workstations have been impersonated before. This can be as simple as renaming a file to effectively disguise it in the ICS environment.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0849", + "external_id": "T0849" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_sources": [ + "Service: Service Creation", + "File: File Modification", + "Process: Process Metadata", + "Command: Command Execution", + "Scheduled Job: Scheduled Job Modification", + "Service: Service Modification", + "File: File Metadata", + "Scheduled Job: Scheduled Job Creation" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:10.181000+00:00\", \"old_value\": \"2023-03-09 18:38:51.471000+00:00\"}, \"root['x_mitre_platforms'][0]\": {\"new_value\": \"None\", \"old_value\": \"Human-Machine Interface\"}}, \"iterable_item_removed\": {\"root['x_mitre_platforms'][1]\": \"Control Server\"}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [ + "M0922: Restrict File and Directory Permissions", + "M0938: Execution Prevention", + "M0945: Code Signing" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0003: Scheduled Job (Scheduled Job Creation)", + "DS0003: Scheduled Job (Scheduled Job Modification)", + "DS0009: Process (Process Metadata)", + "DS0017: Command (Command Execution)", + "DS0019: Service (Service Creation)", + "DS0019: Service (Service Modification)", + "DS0022: File (File Metadata)", + "DS0022: File (File Modification)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:57:12.528000+00:00", + "name": "Modify Alarm Settings", + "description": "Adversaries may modify alarm settings to prevent alerts that may inform operators of their presence or to prevent responses to dangerous and unintended scenarios. Reporting messages are a standard part of data acquisition in control systems. Reporting messages are used as a way to transmit system state information and acknowledgements that specific actions have occurred. These messages provide vital information for the management of a physical process, and keep operators, engineers, and administrators aware of the state of system devices and physical processes. \n\nIf an adversary is able to change the reporting settings, certain events could be prevented from being reported. This type of modification can also prevent operators or devices from performing actions to keep the system in a safe state. If critical reporting messages cannot trigger these actions then a [Impact](https://attack.mitre.org/tactics/TA0105) could occur. \n\nIn ICS environments, the adversary may have to use [Alarm Suppression](https://attack.mitre.org/techniques/T0878) or contend with multiple alarms and/or alarm propagation to achieve a specific goal to evade detection or prevent intended responses from occurring. (Citation: Jos Wetzels, Marina Krotofil 2019) Methods of suppression often rely on modification of alarm settings, such as modifying in memory code to fixed values or tampering with assembly level instruction code. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "inhibit-response-function" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0838", + "external_id": "T0838" + }, + { + "source_name": "Jos Wetzels, Marina Krotofil 2019", + "description": "Jos Wetzels, Marina Krotofil 2019 A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS Embedded Devices Retrieved. 2019/11/01 ", + "url": "https://troopers.de/downloads/troopers19/TROOPERS19_NGI_IoT_diet_poisoned_fruit.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_data_sources": [ + "Application Log: Application Log Content", + "Asset: Asset Inventory", + "Operational Databases: Process History/Live Data", + "Network Traffic: Network Traffic Content" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:12.528000+00:00\", \"old_value\": \"2023-03-30 20:17:43.803000+00:00\"}, \"root['x_mitre_platforms'][0]\": {\"new_value\": \"None\", \"old_value\": \"Human-Machine Interface\"}}, \"iterable_item_removed\": {\"root['x_mitre_platforms'][1]\": \"Control Server\", \"root['x_mitre_platforms'][2]\": \"Safety Instrumented System/Protection Relay\", \"root['x_mitre_platforms'][3]\": \"Field Controller/RTU/PLC/IED\", \"root['x_mitre_platforms'][4]\": \"Device Configuration/Parameters\"}}", + "previous_version": "1.2", + "changelog_mitigations": { + "shared": [ + "M0800: Authorization Enforcement", + "M0801: Access Management", + "M0804: Human User Authentication", + "M0807: Network Allowlists", + "M0813: Software Process and Device Authentication", + "M0918: User Account Management", + "M0930: Network Segmentation" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0015: Application Log (Application Log Content)", + "DS0029: Network Traffic (Network Traffic Content)", + "DS0039: Asset (Asset Inventory)", + "DS0040: Operational Databases (Process History/Live Data)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:57:13.531000+00:00", + "name": "Module Firmware", + "description": "Adversaries may install malicious or vulnerable firmware onto modular hardware devices. Control system devices often contain modular hardware devices. These devices may have their own set of firmware that is separate from the firmware of the main control system equipment. \n\nThis technique is similar to [System Firmware](https://attack.mitre.org/techniques/T0857), but is conducted on other system components that may not have the same capabilities or level of integrity checking. Although it results in a device re-image, malicious device firmware may provide persistent access to remaining devices. (Citation: Daniel Peck, Dale Peterson January 2009) \n\nAn easy point of access for an adversary is the Ethernet card, which may have its own CPU, RAM, and operating system. The adversary may attack and likely exploit the computer on an Ethernet card. Exploitation of the Ethernet card computer may enable the adversary to accomplish additional attacks, such as the following: (Citation: Daniel Peck, Dale Peterson January 2009) \n\n* Delayed Attack - The adversary may stage an attack in advance and choose when to launch it, such as at a particularly damaging time. \n* Brick the Ethernet Card - Malicious firmware may be programmed to result in an Ethernet card failure, requiring a factory return. \n* Random Attack or Failure - The adversary may load malicious firmware onto multiple field devices. Execution of an attack and the time it occurs is generated by a pseudo-random number generator. \n* A Field Device Worm - The adversary may choose to identify all field devices of the same model, with the end goal of performing a device-wide compromise. \n* Attack Other Cards on the Field Device - Although it is not the most important module in a field device, the Ethernet card is most accessible to the adversary and malware. Compromise of the Ethernet card may provide a more direct route to compromising other modules, such as the CPU module.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "impair-process-control" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0839", + "external_id": "T0839" + }, + { + "source_name": "Daniel Peck, Dale Peterson January 2009", + "description": "Daniel Peck, Dale Peterson 2009, January 28 Leveraging Ethernet Card Vulnerabilities in Field Devices Retrieved. 2017/12/19 ", + "url": "https://www.researchgate.net/publication/228849043_Leveraging_ethernet_card_vulnerabilities_in_field_devices" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_data_sources": [ + "Operational Databases: Device Alarm", + "Application Log: Application Log Content", + "Network Traffic: Network Traffic Content", + "Firmware: Firmware Modification" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:13.531000+00:00\", \"old_value\": \"2023-03-09 18:38:51.471000+00:00\"}, \"root['x_mitre_platforms'][0]\": {\"new_value\": \"None\", \"old_value\": \"Field Controller/RTU/PLC/IED\"}}, \"iterable_item_removed\": {\"root['x_mitre_platforms'][1]\": \"Safety Instrumented System/Protection Relay\"}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [ + "M0801: Access Management", + "M0802: Communication Authenticity", + "M0804: Human User Authentication", + "M0807: Network Allowlists", + "M0808: Encrypt Network Traffic", + "M0813: Software Process and Device Authentication", + "M0930: Network Segmentation", + "M0937: Filter Network Traffic", + "M0941: Encrypt Sensitive Information", + "M0945: Code Signing", + "M0946: Boot Integrity", + "M0947: Audit" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0001: Firmware (Firmware Modification)", + "DS0015: Application Log (Application Log Content)", + "DS0029: Network Traffic (Network Traffic Content)", + "DS0040: Operational Databases (Device Alarm)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:57:02.197000+00:00", + "name": "Monitor Process State", + "description": "Adversaries may gather information about the physical process state. This information may be used to gain more information about the process itself or used as a trigger for malicious actions. The sources of process state information may vary such as, OPC tags, historian data, specific PLC block information, or network traffic.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "collection" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0801", + "external_id": "T0801" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Content", + "Application Log: Application Log Content" + ], + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:02.197000+00:00\", \"old_value\": \"2023-03-09 18:38:51.471000+00:00\"}, \"root['x_mitre_platforms'][0]\": {\"new_value\": \"None\", \"old_value\": \"Human-Machine Interface\"}}, \"iterable_item_removed\": {\"root['x_mitre_platforms'][1]\": \"Control Server\", \"root['x_mitre_platforms'][2]\": \"Data Historian\", \"root['x_mitre_platforms'][3]\": \"Field Controller/RTU/PLC/IED\", \"root['x_mitre_platforms'][4]\": \"Safety Instrumented System/Protection Relay\"}}", + "previous_version": "1.0", + "changelog_mitigations": { + "shared": [ + "M0816: Mitigation Limited or Not Effective" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0015: Application Log (Application Log Content)", + "DS0029: Network Traffic (Network Traffic Content)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-04-13 12:36:26.506000+00:00", + "modified": "2023-10-13 17:57:09.388000+00:00", + "name": "Native API", + "description": "Adversaries may directly interact with the native OS application programming interface (API) to access system functions. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes. (Citation: The MITRE Corporation May 2017) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations. \n\nFunctionality provided by native APIs are often also exposed to user-mode applications via interfaces and libraries. For example, functions such as memcpy and direct operations on memory registers can be used to modify user and system memory space.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "execution" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0834", + "external_id": "T0834" + }, + { + "source_name": "The MITRE Corporation May 2017", + "description": "The MITRE Corporation 2017, May 31 ATT&CK T1106: Native API Retrieved. 2021/04/26 ", + "url": "https://attack.mitre.org/techniques/T1106/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_sources": [ + "Process: OS API Execution" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:09.388000+00:00\", \"old_value\": \"2023-03-09 18:38:51.471000+00:00\"}, \"root['x_mitre_platforms'][0]\": {\"new_value\": \"None\", \"old_value\": \"Control Server\"}}, \"iterable_item_removed\": {\"root['x_mitre_platforms'][1]\": \"Data Historian\", \"root['x_mitre_platforms'][2]\": \"Field Controller/RTU/PLC/IED\", \"root['x_mitre_platforms'][3]\": \"Human-Machine Interface\", \"root['x_mitre_platforms'][4]\": \"Input/Output Server\", \"root['x_mitre_platforms'][5]\": \"Safety Instrumented System/Protection Relay\"}}", + "previous_version": "1.0", + "changelog_mitigations": { + "shared": [ + "M0938: Execution Prevention" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (OS API Execution)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:57:13.131000+00:00", + "name": "Network Connection Enumeration", + "description": "Adversaries may perform network connection enumeration to discover information about device communication patterns. If an adversary can inspect the state of a network connection with tools, such as Netstat(Citation: Netstat), in conjunction with [System Firmware](https://attack.mitre.org/techniques/T0857), then they can determine the role of certain devices on the network (Citation: MITRE). The adversary can also use [Network Sniffing](https://attack.mitre.org/techniques/T0842) to watch network traffic for details about the source, destination, protocol, and content.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "discovery" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0840", + "external_id": "T0840" + }, + { + "source_name": "MITRE", + "description": "MITRE System Network Connections Discovery Retrieved. 2018/05/31 ", + "url": "https://attack.mitre.org/wiki/Technique/T1049" + }, + { + "source_name": "Netstat", + "description": "Wikipedia. (n.d.). Netstat. Retrieved May 23, 2022.", + "url": "https://en.wikipedia.org/wiki/Netstat" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_data_sources": [ + "Command: Command Execution", + "Process: Process Creation", + "Script: Script Execution", + "Process: OS API Execution" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:13.131000+00:00\", \"old_value\": \"2023-03-09 18:38:51.471000+00:00\"}, \"root['x_mitre_platforms'][0]\": {\"new_value\": \"None\", \"old_value\": \"Human-Machine Interface\"}}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [ + "M0816: Mitigation Limited or Not Effective" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (OS API Execution)", + "DS0009: Process (Process Creation)", + "DS0012: Script (Script Execution)", + "DS0017: Command (Command Execution)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:57:03.783000+00:00", + "name": "Network Sniffing", + "description": "Network sniffing is the practice of using a network interface on a computer system to monitor or capture information (Citation: Enterprise ATT&CK January 2018) regardless of whether it is the specified destination for the information. \n\nAn adversary may attempt to sniff the traffic to gain information about the target. This information can vary in the level of importance. Relatively unimportant information is general communications to and from machines. Relatively important information would be login information. User credentials may be sent over an unencrypted protocol, such as Telnet, that can be captured and obtained through network packet analysis. \n\nIn addition, ARP and Domain Name Service (DNS) poisoning can be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "discovery" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0842", + "external_id": "T0842" + }, + { + "source_name": "Enterprise ATT&CK January 2018", + "description": "Enterprise ATT&CK 2018, January 11 Network Sniffing Retrieved. 2018/05/17 ", + "url": "https://attack.mitre.org/wiki/Technique/T1040" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_sources": [ + "Process: Process Creation", + "Command: Command Execution" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:03.783000+00:00\", \"old_value\": \"2023-03-09 18:38:51.471000+00:00\"}, \"root['x_mitre_platforms'][0]\": {\"new_value\": \"None\", \"old_value\": \"Field Controller/RTU/PLC/IED\"}}}", + "previous_version": "1.0", + "changelog_mitigations": { + "shared": [ + "M0808: Encrypt Network Traffic", + "M0814: Static Network Configuration", + "M0926: Privileged Account Management", + "M0930: Network Segmentation", + "M0932: Multi-factor Authentication" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0017: Command (Command Execution)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:57:00.575000+00:00", + "name": "Point & Tag Identification", + "description": "Adversaries may collect point and tag values to gain a more comprehensive understanding of the process environment. Points may be values such as inputs, memory locations, outputs or other process specific variables. (Citation: Dennis L. Sloatman September 2016) Tags are the identifiers given to points for operator convenience. \n\nCollecting such tags provides valuable context to environmental points and enables an adversary to map inputs, outputs, and other values to their control processes. Understanding the points being collected may inform an adversary on which processes and values to keep track of over the course of an operation.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "collection" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0861", + "external_id": "T0861" + }, + { + "source_name": "Dennis L. Sloatman September 2016", + "description": "Dennis L. Sloatman 2016, September 16 Understanding PLC Programming Methods and the Tag Database System Retrieved. 2017/12/19 ", + "url": "https://www.radioworld.com/industry/understanding-plc-programming-methods-and-the-tag-database-system" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_contributors": [ + "Jos Wetzels - Midnight Blue" + ], + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Content", + "Application Log: Application Log Content" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:00.575000+00:00\", \"old_value\": \"2023-03-09 18:38:51.471000+00:00\"}, \"root['x_mitre_platforms'][0]\": {\"new_value\": \"None\", \"old_value\": \"Data Historian\"}}, \"iterable_item_removed\": {\"root['x_mitre_platforms'][1]\": \"Control Server\", \"root['x_mitre_platforms'][2]\": \"Human-Machine Interface\"}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [ + "M0800: Authorization Enforcement", + "M0801: Access Management", + "M0802: Communication Authenticity", + "M0804: Human User Authentication", + "M0807: Network Allowlists", + "M0813: Software Process and Device Authentication", + "M0930: Network Segmentation", + "M0937: Filter Network Traffic" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0015: Application Log (Application Log Content)", + "DS0029: Network Traffic (Network Traffic Content)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:57:10.374000+00:00", + "name": "Program Download", + "description": "Adversaries may perform a program download to transfer a user program to a controller. \n\nVariations of program download, such as online edit and program append, allow a controller to continue running during the transfer and reconfiguration process without interruption to process control. However, before starting a full program download (i.e., download all) a controller may need to go into a stop state. This can have negative consequences on the physical process, especially if the controller is not able to fulfill a time-sensitive action. Adversaries may choose to avoid a download all in favor of an online edit or program append to avoid disrupting the physical process. An adversary may need to use the technique Detect Operating Mode or Change Operating Mode to make sure the controller is in the proper mode to accept a program download.\n\nThe granularity of control to transfer a user program in whole or parts is dictated by the management protocol (e.g., S7CommPlus, TriStation) and underlying controller API. Thus, program download is a high-level term for the suite of vendor-specific API calls used to configure a controllers user program memory space. \n\n[Modify Controller Tasking](https://attack.mitre.org/techniques/T0821) and [Modify Program](https://attack.mitre.org/techniques/T0889) represent the configuration changes that are transferred to a controller via a program download.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "lateral-movement" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0843", + "external_id": "T0843" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_data_sources": [ + "Operational Databases: Device Alarm", + "Network Traffic: Network Traffic Content", + "Asset: Asset Inventory", + "Application Log: Application Log Content" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:10.374000+00:00\", \"old_value\": \"2023-03-09 18:38:51.471000+00:00\"}, \"root['x_mitre_platforms'][0]\": {\"new_value\": \"None\", \"old_value\": \"Field Controller/RTU/PLC/IED\"}}, \"iterable_item_removed\": {\"root['x_mitre_platforms'][1]\": \"Safety Instrumented System/Protection Relay\"}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [ + "M0800: Authorization Enforcement", + "M0801: Access Management", + "M0802: Communication Authenticity", + "M0804: Human User Authentication", + "M0807: Network Allowlists", + "M0813: Software Process and Device Authentication", + "M0930: Network Segmentation", + "M0937: Filter Network Traffic", + "M0945: Code Signing", + "M0947: Audit" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0015: Application Log (Application Log Content)", + "DS0029: Network Traffic (Network Traffic Content)", + "DS0039: Asset (Asset Inventory)", + "DS0040: Operational Databases (Device Alarm)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:57:02.785000+00:00", + "name": "Program Upload", + "description": "Adversaries may attempt to upload a program from a PLC to gather information about an industrial process. Uploading a program may allow them to acquire and study the underlying logic. Methods of program upload include vendor software, which enables the user to upload and read a program running on a PLC. This software can be used to upload the target program to a workstation, jump box, or an interfacing device.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "collection" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0845", + "external_id": "T0845" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Traffic Flow", + "Application Log: Application Log Content" + ], + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:02.785000+00:00\", \"old_value\": \"2023-03-09 18:38:51.471000+00:00\"}, \"root['x_mitre_platforms'][0]\": {\"new_value\": \"None\", \"old_value\": \"Safety Instrumented System/Protection Relay\"}}, \"iterable_item_removed\": {\"root['x_mitre_platforms'][1]\": \"Field Controller/RTU/PLC/IED\"}}", + "previous_version": "1.0", + "changelog_mitigations": { + "shared": [ + "M0800: Authorization Enforcement", + "M0801: Access Management", + "M0802: Communication Authenticity", + "M0804: Human User Authentication", + "M0807: Network Allowlists", + "M0813: Software Process and Device Authentication", + "M0930: Network Segmentation", + "M0937: Filter Network Traffic" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0015: Application Log (Application Log Content)", + "DS0029: Network Traffic (Network Traffic Content)", + "DS0029: Network Traffic (Network Traffic Flow)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:57:12.926000+00:00", + "name": "Project File Infection", + "description": "Adversaries may attempt to infect project files with malicious code. These project files may consist of objects, program organization units, variables such as tags, documentation, and other configurations needed for PLC programs to function. (Citation: Beckhoff) Using built in functions of the engineering software, adversaries may be able to download an infected program to a PLC in the operating environment enabling further [Execution](https://attack.mitre.org/tactics/TA0104) and [Persistence](https://attack.mitre.org/tactics/TA0110) techniques. (Citation: PLCdev) \n\nAdversaries may export their own code into project files with conditions to execute at specific intervals. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) Malicious programs allow adversaries control of all aspects of the process enabled by the PLC. Once the project file is downloaded to a PLC the workstation device may be disconnected with the infected project file still executing. (Citation: PLCdev)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "persistence" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0873", + "external_id": "T0873" + }, + { + "source_name": "Beckhoff", + "description": "Beckhoff TwinCAT 3 Source Control: Project Files Retrieved. 2019/11/21 ", + "url": "https://infosys.beckhoff.com/english.php?content=../content/1033/tc3_sourcecontrol/18014398915785483.html&id=" + }, + { + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", + "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + }, + { + "source_name": "PLCdev", + "description": "PLCdev Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 Siemens SIMATIC Step 7 Programmer's Handbook Retrieved. 2019/11/21 ", + "url": "http://www.plcdev.com/book/export/html/373" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_data_sources": [ + "File: File Modification" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:12.926000+00:00\", \"old_value\": \"2023-05-08 18:58:24.092000+00:00\"}, \"root['x_mitre_platforms'][0]\": {\"new_value\": \"None\", \"old_value\": \"Engineering Workstation\"}}, \"iterable_item_removed\": {\"root['x_mitre_platforms'][1]\": \"Human-Machine Interface\"}}", + "previous_version": "1.0", + "changelog_mitigations": { + "shared": [ + "M0922: Restrict File and Directory Permissions", + "M0941: Encrypt Sensitive Information", + "M0945: Code Signing", + "M0947: Audit" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0022: File (File Modification)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-04-12 19:26:26.506000+00:00", + "modified": "2023-10-13 17:57:12.125000+00:00", + "name": "Remote Services", + "description": "Adversaries may leverage remote services to move between assets and network segments. These services are often used to allow operators to interact with systems remotely within the network, some examples are RDP, SMB, SSH, and other similar mechanisms. (Citation: Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017) (Citation: Dragos December 2017) (Citation: Joe Slowik April 2019) \n\nRemote services could be used to support remote access, data transmission, authentication, name resolution, and other remote functions. Further, remote services may be necessary to allow operators and administrators to configure systems within the network from their engineering or management workstations. An adversary may use this technique to access devices which may be dual-homed (Citation: Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017) to multiple network segments, and can be used for [Program Download](https://attack.mitre.org/techniques/T0843) or to execute attacks on control devices directly through [Valid Accounts](https://attack.mitre.org/techniques/T0859).\n\nSpecific remote services (RDP & VNC) may be a precursor to enable [Graphical User Interface](https://attack.mitre.org/techniques/T0823) execution on devices such as HMIs or engineering workstation software.\n\nBased on incident data, CISA and FBI assessed that Chinese state-sponsored actors also compromised various authorized remote access channels, including systems designed to transfer data and/or allow access between corporate and ICS networks. (Citation: CISA AA21-201A Pipeline Intrusion July 2021)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "initial-access" + }, + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "lateral-movement" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0886", + "external_id": "T0886" + }, + { + "source_name": "Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017", + "description": "Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer 2017, December 14 Attackers Deploy New ICS Attack Framework TRITON and Cause Operational Disruption to Critical Infrastructure Retrieved. 2018/01/12 ", + "url": "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html" + }, + { + "source_name": "CISA AA21-201A Pipeline Intrusion July 2021", + "description": "Department of Justice (DOJ), DHS Cybersecurity & Infrastructure Security Agency (CISA) 2021, July 20 Chinese Gas Pipeline Intrusion Campaign, 2011 to 2013 Retrieved. 2021/10/08 ", + "url": "https://us-cert.cisa.gov/sites/default/files/publications/AA21-201A_Chinese_Gas_Pipeline_Intrusion_Campaign_2011_to_2013%20(1).pdf" + }, + { + "source_name": "Dragos December 2017", + "description": "Dragos 2017, December 13 TRISIS Malware Analysis of Safety System Targeted Malware Retrieved. 2018/01/12 ", + "url": "https://dragos.com/blog/trisis/TRISIS-01.pdf" + }, + { + "source_name": "Joe Slowik April 2019", + "description": "Joe Slowik 2019, April 10 Implications of IT Ransomware for ICS Environments Retrieved. 2019/10/27 ", + "url": "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Daisuke Suzuki" + ], + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Flow", + "Module: Module Load", + "Logon Session: Logon Session Creation", + "Process: Process Creation", + "Command: Command Execution", + "Network Traffic: Network Connection Creation", + "Network Share: Network Share Access" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:12.125000+00:00\", \"old_value\": \"2023-03-09 18:38:51.471000+00:00\"}, \"root['x_mitre_platforms'][0]\": {\"new_value\": \"None\", \"old_value\": \"Engineering Workstation\"}}, \"iterable_item_removed\": {\"root['x_mitre_platforms'][1]\": \"Human-Machine Interface\", \"root['x_mitre_platforms'][2]\": \"Control Server\"}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [ + "M0800: Authorization Enforcement", + "M0801: Access Management", + "M0804: Human User Authentication", + "M0807: Network Allowlists", + "M0813: Software Process and Device Authentication", + "M0918: User Account Management", + "M0927: Password Policies", + "M0930: Network Segmentation", + "M0937: Filter Network Traffic" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0011: Module (Module Load)", + "DS0017: Command (Command Execution)", + "DS0028: Logon Session (Logon Session Creation)", + "DS0029: Network Traffic (Network Connection Creation)", + "DS0029: Network Traffic (Network Traffic Flow)", + "DS0033: Network Share (Network Share Access)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:57:11.536000+00:00", + "name": "Remote System Discovery", + "description": "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for subsequent Lateral Movement or Discovery techniques. Functionality could exist within adversary tools to enable this, but utilities available on the operating system or vendor software could also be used. (Citation: Enterprise ATT&CK January 2018)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "discovery" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0846", + "external_id": "T0846" + }, + { + "source_name": "Enterprise ATT&CK January 2018", + "description": "Enterprise ATT&CK 2018, January 11 Remote System Discovery Retrieved. 2018/05/17 ", + "url": "https://attack.mitre.org/wiki/Technique/T1018" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_sources": [ + "File: File Access", + "Process: Process Creation", + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Traffic Flow" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:11.536000+00:00\", \"old_value\": \"2023-03-09 18:38:51.471000+00:00\"}, \"root['x_mitre_platforms'][0]\": {\"new_value\": \"None\", \"old_value\": \"Control Server\"}}, \"iterable_item_removed\": {\"root['x_mitre_platforms'][1]\": \"Data Historian\", \"root['x_mitre_platforms'][2]\": \"Safety Instrumented System/Protection Relay\", \"root['x_mitre_platforms'][3]\": \"Field Controller/RTU/PLC/IED\", \"root['x_mitre_platforms'][4]\": \"Human-Machine Interface\"}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [ + "M0814: Static Network Configuration" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0022: File (File Access)", + "DS0029: Network Traffic (Network Traffic Content)", + "DS0029: Network Traffic (Network Traffic Flow)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-04-13 12:45:26.506000+00:00", + "modified": "2023-10-13 17:57:02.595000+00:00", + "name": "Remote System Information Discovery", + "description": "An adversary may attempt to get detailed information about remote systems and their peripherals, such as make/model, role, and configuration. Adversaries may use information from Remote System Information Discovery to aid in targeting and shaping follow-on behaviors. For example, the system's operational role and model information can dictate whether it is a relevant target for the adversary's operational objectives. In addition, the system's configuration may be used to scope subsequent technique usage. \n\nRequests for system information are typically implemented using automation and management protocols and are often automatically requested by vendor software during normal operation. This information may be used to tailor management actions, such as program download and system or module firmware. An adversary may leverage this same information by issuing calls directly to the system's API.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "discovery" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0888", + "external_id": "T0888" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Flow", + "Network Traffic: Network Traffic Content", + "File: File Access", + "Process: Process Creation" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:02.595000+00:00\", \"old_value\": \"2023-03-17 15:14:31.276000+00:00\"}, \"root['x_mitre_platforms'][0]\": {\"new_value\": \"None\", \"old_value\": \"Field Controller/RTU/PLC/IED\"}}, \"iterable_item_removed\": {\"root['x_mitre_platforms'][1]\": \"Safety Instrumented System/Protection Relay\"}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [ + "M0814: Static Network Configuration" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0022: File (File Access)", + "DS0029: Network Traffic (Network Traffic Content)", + "DS0029: Network Traffic (Network Traffic Flow)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:57:10.581000+00:00", + "name": "Replication Through Removable Media", + "description": "Adversaries may move onto systems, such as those separated from the enterprise network, by copying malware to removable media which is inserted into the control systems environment. The adversary may rely on unknowing trusted third parties, such as suppliers or contractors with access privileges, to introduce the removable media. This technique enables initial access to target devices that never connect to untrusted networks, but are physically accessible. \n\nOperators of the German nuclear power plant, Gundremmingen, discovered malware on a facility computer not connected to the internet. (Citation: Kernkraftwerk Gundremmingen April 2016) (Citation: Trend Micro April 2016) The malware included Conficker and W32.Ramnit, which were also found on eighteen removable disk drives in the facility. (Citation: Christoph Steitz, Eric Auchard April 2016) (Citation: Catalin Cimpanu April 2016) (Citation: Peter Dockrill April 2016) (Citation: Lee Mathews April 2016) (Citation: Sean Gallagher April 2016) (Citation: Dark Reading Staff April 2016) The plant has since checked for infection and cleaned up more than 1,000 computers. (Citation: BBC April 2016) An ESET researcher commented that internet disconnection does not guarantee system safety from infection or payload execution. (Citation: ESET April 2016)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "initial-access" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0847", + "external_id": "T0847" + }, + { + "source_name": "BBC April 2016", + "description": "BBC 2016, April 28 German nuclear plant hit by computer viruses Retrieved. 2019/10/14 ", + "url": "https://www.bbc.com/news/technology-36158606" + }, + { + "source_name": "Catalin Cimpanu April 2016", + "description": "Catalin Cimpanu 2016, April 26 Malware Shuts Down German Nuclear Power Plant on Chernobyl's 30th Anniversary Retrieved. 2019/10/14 ", + "url": "https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml" + }, + { + "source_name": "Christoph Steitz, Eric Auchard April 2016", + "description": "Christoph Steitz, Eric Auchard 2016, April 26 German nuclear plant infected with computer viruses, operator says Retrieved. 2019/10/14 ", + "url": "https://www.reuters.com/article/us-nuclearpower-cyber-germany/german-nuclear-plant-infected-with-computer-viruses-operator-says-idUSKCN0XN2OS" + }, + { + "source_name": "Dark Reading Staff April 2016", + "description": "Dark Reading Staff 2016, April 28 German Nuclear Power Plant Infected With Malware Retrieved. 2019/10/14 ", + "url": "https://www.darkreading.com/endpoint/german-nuclear-power-plant-infected-with-malware/d/d-id/1325298" + }, + { + "source_name": "ESET April 2016", + "description": "ESET 2016, April 28 Malware found at a German nuclear power plant Retrieved. 2019/10/14 ", + "url": "https://www.welivesecurity.com/2016/04/28/malware-found-german-nuclear-power-plant/" + }, + { + "source_name": "Kernkraftwerk Gundremmingen April 2016", + "description": "Kernkraftwerk Gundremmingen 2016, April 25 Detektion von Bro-Schadsoftware an mehreren Rechnern Retrieved. 2019/10/14 ", + "url": "https://www.kkw-gundremmingen.de/presse.php?id=571" + }, + { + "source_name": "Lee Mathews April 2016", + "description": "Lee Mathews 2016, April 27 German nuclear plant found riddled with Conficker, other viruses Retrieved. 2019/10/14 ", + "url": "https://www.geek.com/apps/german-nuclear-plant-found-riddled-with-conficker-other-viruses-1653415/" + }, + { + "source_name": "Peter Dockrill April 2016", + "description": "Peter Dockrill 2016, April 28 Multiple Computer Viruses Have Been Discovered in This German Nuclear Plant Retrieved. 2019/10/14 ", + "url": "https://www.sciencealert.com/multiple-computer-viruses-have-been-discovered-in-this-german-nuclear-plant" + }, + { + "source_name": "Sean Gallagher April 2016", + "description": "Sean Gallagher 2016, April 27 German nuclear plants fuel rod system swarming with old malware Retrieved. 2019/10/14 ", + "url": "https://arstechnica.com/information-technology/2016/04/german-nuclear-plants-fuel-rod-system-swarming-with-old-malware/" + }, + { + "source_name": "Trend Micro April 2016", + "description": "Trend Micro 2016, April 27 Malware Discovered in German Nuclear Power Plant Retrieved. 2019/10/14 ", + "url": "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/malware-discovered-in-german-nuclear-power-plant" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_sources": [ + "Process: Process Creation", + "File: File Creation", + "Drive: Drive Creation", + "File: File Access" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:10.581000+00:00\", \"old_value\": \"2023-03-09 18:38:51.471000+00:00\"}, \"root['x_mitre_platforms'][0]\": {\"new_value\": \"None\", \"old_value\": \"Human-Machine Interface\"}}, \"iterable_item_removed\": {\"root['x_mitre_platforms'][1]\": \"Data Historian\", \"root['x_mitre_platforms'][2]\": \"Control Server\"}}", + "previous_version": "1.0", + "changelog_mitigations": { + "shared": [ + "M0928: Operating System Configuration", + "M0934: Limit Hardware Installation", + "M0942: Disable or Remove Feature or Program" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0016: Drive (Drive Creation)", + "DS0022: File (File Access)", + "DS0022: File (File Creation)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:57:09.193000+00:00", + "name": "Rogue Master", + "description": "Adversaries may setup a rogue master to leverage control server functions to communicate with outstations. A rogue master can be used to send legitimate control messages to other control system devices, affecting processes in unintended ways. It may also be used to disrupt network communications by capturing and receiving the network traffic meant for the actual master. Impersonating a master may also allow an adversary to avoid detection. \n\nIn the case of the 2017 Dallas Siren incident, adversaries used a rogue master to send command messages to the 156 distributed sirens across the city, either through a single rogue transmitter with a strong signal, or using many distributed repeaters. (Citation: Bastille April 2017) (Citation: Zack Whittaker April 2017)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "initial-access" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0848", + "external_id": "T0848" + }, + { + "source_name": "Bastille April 2017", + "description": "Bastille 2017, April 17 Dallas Siren Attack Retrieved. 2020/11/06 ", + "url": "https://www.bastille.net/blogs/2017/4/17/dallas-siren-attack" + }, + { + "source_name": "Zack Whittaker April 2017", + "description": "Zack Whittaker 2017, April 12 Dallas' emergency sirens were hacked with a rogue radio signal Retrieved. 2020/11/06 ", + "url": "https://www.zdnet.com/article/experts-think-they-know-how-dallas-emergency-sirens-were-hacked/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_data_sources": [ + "Asset: Asset Inventory", + "Network Traffic: Network Traffic Flow", + "Operational Databases: Device Alarm", + "Network Traffic: Network Traffic Content", + "Application Log: Application Log Content" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:09.193000+00:00\", \"old_value\": \"2023-03-30 20:18:41.277000+00:00\"}, \"root['x_mitre_platforms'][0]\": {\"new_value\": \"None\", \"old_value\": \"Human-Machine Interface\"}}, \"iterable_item_removed\": {\"root['x_mitre_platforms'][1]\": \"Control Server\", \"root['x_mitre_platforms'][2]\": \"Engineering Workstation\"}}", + "previous_version": "1.2", + "changelog_mitigations": { + "shared": [ + "M0802: Communication Authenticity", + "M0807: Network Allowlists", + "M0813: Software Process and Device Authentication", + "M0930: Network Segmentation", + "M0937: Filter Network Traffic" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0015: Application Log (Application Log Content)", + "DS0029: Network Traffic (Network Traffic Content)", + "DS0029: Network Traffic (Network Traffic Flow)", + "DS0039: Asset (Asset Inventory)", + "DS0040: Operational Databases (Device Alarm)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:57:03.989000+00:00", + "name": "Rootkit", + "description": "Adversaries may deploy rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting and modifying operating-system API calls that supply system information. Rootkits or rootkit-enabling functionality may reside at the user or kernel level in the operating system, or lower. (Citation: Enterprise ATT&CK January 2018) \n\nFirmware rootkits that affect the operating system yield nearly full control of the system. While firmware rootkits are normally developed for the main processing board, they can also be developed for the I/O that is attached to an asset. Compromise of this firmware allows the modification of all of the process variables and functions the module engages in. This may result in commands being disregarded and false information being fed to the main device. By tampering with device processes, an adversary may inhibit its expected response functions and possibly enable [Impact](https://attack.mitre.org/tactics/TA0105).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "evasion" + }, + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "inhibit-response-function" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0851", + "external_id": "T0851" + }, + { + "source_name": "Enterprise ATT&CK January 2018", + "description": "Enterprise ATT&CK 2018, January 11 Rootkit Retrieved. 2018/05/16 ", + "url": "https://attack.mitre.org/wiki/Technique/T1014" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_data_sources": [ + "Firmware: Firmware Modification" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:03.989000+00:00\", \"old_value\": \"2023-03-09 18:38:51.471000+00:00\"}, \"root['x_mitre_platforms'][0]\": {\"new_value\": \"None\", \"old_value\": \"Field Controller/RTU/PLC/IED\"}}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [ + "M0945: Code Signing", + "M0947: Audit" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0001: Firmware (Firmware Modification)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:57:10.768000+00:00", + "name": "Screen Capture", + "description": "Adversaries may attempt to perform screen capture of devices in the control system environment. Screenshots may be taken of workstations, HMIs, or other devices that display environment-relevant process, device, reporting, alarm, or related data. These device displays may reveal information regarding the ICS process, layout, control, and related schematics. In particular, an HMI can provide a lot of important industrial process information. (Citation: ICS-CERT October 2017) Analysis of screen captures may provide the adversary with an understanding of intended operations and interactions between critical devices.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "collection" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0852", + "external_id": "T0852" + }, + { + "source_name": "ICS-CERT October 2017", + "description": "ICS-CERT 2017, October 21 Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors Retrieved. 2017/10/23 ", + "url": "https://www.us-cert.gov/ncas/alerts/TA17-293A" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_sources": [ + "Command: Command Execution", + "Process: OS API Execution" + ], + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:10.768000+00:00\", \"old_value\": \"2023-03-09 18:38:51.471000+00:00\"}, \"root['x_mitre_platforms'][0]\": {\"new_value\": \"None\", \"old_value\": \"Human-Machine Interface\"}}}", + "previous_version": "1.0", + "changelog_mitigations": { + "shared": [ + "M0816: Mitigation Limited or Not Effective" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (OS API Execution)", + "DS0017: Command (Command Execution)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:57:02.398000+00:00", + "name": "Scripting", + "description": "Adversaries may use scripting languages to execute arbitrary code in the form of a pre-written script or in the form of user-supplied code to an interpreter. Scripting languages are programming languages that differ from compiled languages, in that scripting languages use an interpreter, instead of a compiler. These interpreters read and compile part of the source code just before it is executed, as opposed to compilers, which compile each and every line of code to an executable file. Scripting allows software developers to run their code on any system where the interpreter exists. This way, they can distribute one package, instead of precompiling executables for many different systems. Scripting languages, such as Python, have their interpreters shipped as a default with many Linux distributions. \n\nIn addition to being a useful tool for developers and administrators, scripting language interpreters may be abused by the adversary to execute code in the target environment. Due to the nature of scripting languages, this allows for weaponized code to be deployed to a target easily, and leaves open the possibility of on-the-fly scripting to perform a task.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "execution" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0853", + "external_id": "T0853" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_sources": [ + "Command: Command Execution", + "Process: Process Creation", + "Process: Process Metadata", + "Module: Module Load", + "Script: Script Execution" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:02.398000+00:00\", \"old_value\": \"2023-03-09 18:38:51.471000+00:00\"}, \"root['x_mitre_platforms'][0]\": {\"new_value\": \"None\", \"old_value\": \"Engineering Workstation\"}}}", + "previous_version": "1.0", + "changelog_mitigations": { + "shared": [ + "M0938: Execution Prevention", + "M0942: Disable or Remove Feature or Program", + "M0948: Application Isolation and Sandboxing" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0009: Process (Process Metadata)", + "DS0011: Module (Module Load)", + "DS0012: Script (Script Execution)", + "DS0017: Command (Command Execution)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:57:06.577000+00:00", + "name": "Spearphishing Attachment", + "description": "Adversaries may use a spearphishing attachment, a variant of spearphishing, as a form of a social engineering attack against specific targets. Spearphishing attachments are different from other forms of spearphishing in that they employ malware attached to an email. All forms of spearphishing are electronically delivered and target a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T0863) to gain execution and access. (Citation: Enterprise ATT&CK October 2019) \n\nA Chinese spearphishing campaign running from December 9, 2011 through February 29, 2012, targeted ONG organizations and their employees. The emails were constructed with a high level of sophistication to convince employees to open the malicious file attachments. (Citation: CISA AA21-201A Pipeline Intrusion July 2021)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "initial-access" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0865", + "external_id": "T0865" + }, + { + "source_name": "CISA AA21-201A Pipeline Intrusion July 2021", + "description": "Department of Justice (DOJ), DHS Cybersecurity & Infrastructure Security Agency (CISA) 2021, July 20 Chinese Gas Pipeline Intrusion Campaign, 2011 to 2013 Retrieved. 2021/10/08 ", + "url": "https://us-cert.cisa.gov/sites/default/files/publications/AA21-201A_Chinese_Gas_Pipeline_Intrusion_Campaign_2011_to_2013%20(1).pdf" + }, + { + "source_name": "Enterprise ATT&CK October 2019", + "description": "Enterprise ATT&CK 2019, October 25 Spearphishing Attachment Retrieved. 2019/10/25 ", + "url": "https://attack.mitre.org/techniques/T1193/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_data_sources": [ + "Process: Process Creation", + "File: File Creation", + "Network Traffic: Network Traffic Content", + "Application Log: Application Log Content" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:06.577000+00:00\", \"old_value\": \"2023-03-09 18:38:51.471000+00:00\"}, \"root['x_mitre_platforms'][0]\": {\"new_value\": \"None\", \"old_value\": \"Engineering Workstation\"}}, \"iterable_item_removed\": {\"root['x_mitre_platforms'][1]\": \"Human-Machine Interface\", \"root['x_mitre_platforms'][2]\": \"Control Server\", \"root['x_mitre_platforms'][3]\": \"Data Historian\"}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [ + "M0917: User Training", + "M0921: Restrict Web-Based Content", + "M0931: Network Intrusion Prevention", + "M0949: Antivirus/Antimalware" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0015: Application Log (Application Log Content)", + "DS0022: File (File Creation)", + "DS0029: Network Traffic (Network Traffic Content)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:57:07.260000+00:00", + "name": "Spoof Reporting Message", + "description": "Adversaries may spoof reporting messages in control system environments for evasion and to impair process control. In control systems, reporting messages contain telemetry data (e.g., I/O values) pertaining to the current state of equipment and the industrial process. Reporting messages are important for monitoring the normal operation of a system or identifying important events such as deviations from expected values. \n\nIf an adversary has the ability to Spoof Reporting Messages, they can impact the control system in many ways. The adversary can Spoof Reporting Messages that state that the process is operating normally, as a form of evasion. The adversary could also Spoof Reporting Messages to make the defenders and operators think that other errors are occurring in order to distract them from the actual source of a problem. (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "evasion" + }, + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "impair-process-control" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0856", + "external_id": "T0856" + }, + { + "source_name": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011", + "description": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12 ", + "url": "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Flow", + "Operational Databases: Device Alarm", + "Windows Registry: Windows Registry Key Modification", + "Network Traffic: Network Traffic Content" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:07.260000+00:00\", \"old_value\": \"2023-03-30 20:19:14.351000+00:00\"}, \"root['x_mitre_platforms'][0]\": {\"new_value\": \"None\", \"old_value\": \"Control Server\"}}}", + "previous_version": "1.2", + "changelog_mitigations": { + "shared": [ + "M0802: Communication Authenticity", + "M0807: Network Allowlists", + "M0813: Software Process and Device Authentication", + "M0930: Network Segmentation", + "M0937: Filter Network Traffic" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0024: Windows Registry (Windows Registry Key Modification)", + "DS0029: Network Traffic (Network Traffic Content)", + "DS0029: Network Traffic (Network Traffic Flow)", + "DS0040: Operational Databases (Device Alarm)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:57:11.924000+00:00", + "name": "Standard Application Layer Protocol", + "description": "Adversaries may establish command and control capabilities over commonly used application layer protocols such as HTTP(S), OPC, RDP, telnet, DNP3, and modbus. These protocols may be used to disguise adversary actions as benign network traffic. Standard protocols may be seen on their associated port or in some cases over a non-standard port. Adversaries may use these protocols to reach out of the network for command and control, or in some cases to other infected devices within the network.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "command-and-control" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0869", + "external_id": "T0869" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Flow", + "Network Traffic: Network Traffic Content" + ], + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:11.924000+00:00\", \"old_value\": \"2023-03-09 18:38:51.471000+00:00\"}, \"root['x_mitre_platforms'][0]\": {\"new_value\": \"None\", \"old_value\": \"Human-Machine Interface\"}}, \"iterable_item_removed\": {\"root['x_mitre_platforms'][1]\": \"Control Server\", \"root['x_mitre_platforms'][2]\": \"Data Historian\", \"root['x_mitre_platforms'][3]\": \"Engineering Workstation\"}}", + "previous_version": "1.0", + "changelog_mitigations": { + "shared": [ + "M0807: Network Allowlists", + "M0930: Network Segmentation", + "M0931: Network Intrusion Prevention" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0029: Network Traffic (Network Traffic Content)", + "DS0029: Network Traffic (Network Traffic Flow)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:57:05.975000+00:00", + "name": "Supply Chain Compromise", + "description": "Adversaries may perform supply chain compromise to gain control systems environment access by means of infected products, software, and workflows. Supply chain compromise is the manipulation of products, such as devices or software, or their delivery mechanisms before receipt by the end consumer. Adversary compromise of these products and mechanisms is done for the goal of data or system compromise, once infected products are introduced to the target environment. \n\nSupply chain compromise can occur at all stages of the supply chain, from manipulation of development tools and environments to manipulation of developed products and tools distribution mechanisms. This may involve the compromise and replacement of legitimate software and patches, such as on third party or vendor websites. Targeting of supply chain compromise can be done in attempts to infiltrate the environments of a specific audience. In control systems environments with assets in both the IT and OT networks, it is possible a supply chain compromise affecting the IT environment could enable further access to the OT environment. \n\nCounterfeit devices may be introduced to the global supply chain posing safety and cyber risks to asset owners and operators. These devices may not meet the safety, engineering and manufacturing requirements of regulatory bodies but may feature tagging indicating conformance with industry standards. Due to the lack of adherence to standards and overall lesser quality, the counterfeit products may pose a serious safety and operational risk. (Citation: Control Global May 2019) \n\nYokogawa identified instances in which their customers received counterfeit differential pressure transmitters using the Yokogawa logo. The counterfeit transmitters were nearly indistinguishable with a semblance of functionality and interface that mimics the genuine product. (Citation: Control Global May 2019) \n\nF-Secure Labs analyzed the approach the adversary used to compromise victim systems with Havex. (Citation: Daavid Hentunen, Antti Tikkanen June 2014) The adversary planted trojanized software installers available on legitimate ICS/SCADA vendor websites. After being downloaded, this software infected the host computer with a Remote Access Trojan (RAT).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "initial-access" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0862", + "external_id": "T0862" + }, + { + "source_name": "Control Global May 2019", + "description": "Control Global 2019, May 29 Yokogawa announcement warns of counterfeit transmitters Retrieved. 2021/04/09 ", + "url": "https://www.controlglobal.com/industrynews/2019/yokogawa-announcement-warns-of-counterfeit-transmitters/" + }, + { + "source_name": "Daavid Hentunen, Antti Tikkanen June 2014", + "description": "Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01 ", + "url": "https://www.f-secure.com/weblog/archives/00002718.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_sources": [ + "File: File Metadata" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:05.975000+00:00\", \"old_value\": \"2023-03-09 18:38:51.471000+00:00\"}, \"root['x_mitre_platforms'][0]\": {\"new_value\": \"None\", \"old_value\": \"Control Server\"}}, \"iterable_item_removed\": {\"root['x_mitre_platforms'][1]\": \"Data Historian\", \"root['x_mitre_platforms'][2]\": \"Field Controller/RTU/PLC/IED\", \"root['x_mitre_platforms'][3]\": \"Human-Machine Interface\", \"root['x_mitre_platforms'][4]\": \"Input/Output Server\", \"root['x_mitre_platforms'][5]\": \"Safety Instrumented System/Protection Relay\"}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [ + "M0817: Supply Chain Management", + "M0916: Vulnerability Scanning", + "M0945: Code Signing", + "M0947: Audit", + "M0951: Update Software" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0022: File (File Metadata)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:57:09.988000+00:00", + "name": "System Firmware", + "description": "System firmware on modern assets is often designed with an update feature. Older device firmware may be factory installed and require special reprograming equipment. When available, the firmware update feature enables vendors to remotely patch bugs and perform upgrades. Device firmware updates are often delegated to the user and may be done using a software update package. It may also be possible to perform this task over the network. \n\nAn adversary may exploit the firmware update feature on accessible devices to upload malicious or out-of-date firmware. Malicious modification of device firmware may provide an adversary with root access to a device, given firmware is one of the lowest programming abstraction layers. (Citation: Basnight, Zachry, et al.)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "inhibit-response-function" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0857", + "external_id": "T0857" + }, + { + "source_name": "Basnight, Zachry, et al.", + "description": "Basnight, Zachry, et al. 2013 Retrieved. 2017/10/17 ", + "url": "http://www.sciencedirect.com/science/article/pii/S1874548213000231" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_sources": [ + "Operational Databases: Device Alarm", + "Application Log: Application Log Content", + "Firmware: Firmware Modification", + "Network Traffic: Network Traffic Content" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:09.988000+00:00\", \"old_value\": \"2023-03-09 18:38:51.471000+00:00\"}, \"root['x_mitre_platforms'][0]\": {\"new_value\": \"None\", \"old_value\": \"Safety Instrumented System/Protection Relay\"}}, \"iterable_item_removed\": {\"root['x_mitre_platforms'][1]\": \"Field Controller/RTU/PLC/IED\", \"root['x_mitre_platforms'][2]\": \"Input/Output Server\"}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [ + "M0801: Access Management", + "M0802: Communication Authenticity", + "M0804: Human User Authentication", + "M0807: Network Allowlists", + "M0808: Encrypt Network Traffic", + "M0813: Software Process and Device Authentication", + "M0930: Network Segmentation", + "M0937: Filter Network Traffic", + "M0941: Encrypt Sensitive Information", + "M0945: Code Signing", + "M0946: Boot Integrity", + "M0947: Audit", + "M0951: Update Software" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0001: Firmware (Firmware Modification)", + "DS0015: Application Log (Application Log Content)", + "DS0029: Network Traffic (Network Traffic Content)", + "DS0040: Operational Databases (Device Alarm)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:57:09.780000+00:00", + "name": "Theft of Operational Information", + "description": "Adversaries may steal operational information on a production environment as a direct mission outcome for personal gain or to inform future operations. This information may include design documents, schedules, rotational data, or similar artifacts that provide insight on operations. In the Bowman Dam incident, adversaries probed systems for operational data. (Citation: Mark Thompson March 2016) (Citation: Danny Yadron December 2015)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "impact" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0882", + "external_id": "T0882" + }, + { + "source_name": "Mark Thompson March 2016", + "description": "Mark Thompson 2016, March 24 Iranian Cyber Attack on New York Dam Shows Future of War Retrieved. 2019/11/07 ", + "url": "https://time.com/4270728/iran-cyber-attack-dam-fbi/" + }, + { + "source_name": "Danny Yadron December 2015", + "description": "Danny Yadron 2015, December 20 Iranian Hackers Infiltrated New York Dam in 2013 Retrieved. 2019/11/07 ", + "url": "https://www.wsj.com/articles/iranian-hackers-infiltrated-new-york-dam-in-2013-1450662559" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:09.780000+00:00\", \"old_value\": \"2023-03-09 18:38:51.471000+00:00\"}}}", + "previous_version": "1.0", + "changelog_mitigations": { + "shared": [ + "M0803: Data Loss Prevention", + "M0809: Operational Information Confidentiality", + "M0922: Restrict File and Directory Permissions", + "M0941: Encrypt Sensitive Information" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-10-14 15:25:32.143000+00:00", + "modified": "2023-10-13 17:57:03.395000+00:00", + "name": "Transient Cyber Asset", + "description": "Adversaries may target devices that are transient across ICS networks and external networks. Normally, transient assets are brought into an environment by authorized personnel and do not remain in that environment on a permanent basis. (Citation: North American Electric Reliability Corporation June 2021) Transient assets are commonly needed to support management functions and may be more common in systems where a remotely managed asset is not feasible, external connections for remote access do not exist, or 3rd party contractor/vendor access is required. \n\nAdversaries may take advantage of transient assets in different ways. For instance, adversaries may target a transient asset when it is connected to an external network and then leverage its trusted access in another environment to launch an attack. They may also take advantage of installed applications and libraries that are used by legitimate end-users to interact with control system devices. \n\nTransient assets, in some cases, may not be deployed with a secure configuration leading to weaknesses that could allow an adversary to propagate malicious executable code, e.g., the transient asset may be infected by malware and when connected to an ICS environment the malware propagates onto other systems. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "initial-access" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0864", + "external_id": "T0864" + }, + { + "source_name": "North American Electric Reliability Corporation June 2021", + "description": "North American Electric Reliability Corporation 2021, June 28 Glossary of Terms Used in NERC Reliability Standards Retrieved. 2021/10/11 ", + "url": "https://www.nerc.com/pa/Stand/Glossary%20of%20Terms/Glossary_of_Terms.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Flow", + "Application Log: Application Log Content" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:03.395000+00:00\", \"old_value\": \"2023-03-30 20:19:41.272000+00:00\"}, \"root['external_references'][1]['url']\": {\"new_value\": \"https://www.nerc.com/pa/Stand/Glossary%20of%20Terms/Glossary_of_Terms.pdf\", \"old_value\": \"https://www.nerc.com/files/glossary_of_terms.pdf\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_platforms'][0]\": {\"new_value\": \"None\", \"old_value\": \"Engineering Workstation\"}}}", + "previous_version": "1.2", + "changelog_mitigations": { + "shared": [ + "M0930: Network Segmentation", + "M0941: Encrypt Sensitive Information", + "M0947: Audit", + "M0949: Antivirus/Antimalware", + "M0951: Update Software" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0015: Application Log (Application Log Content)", + "DS0029: Network Traffic (Network Traffic Flow)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:57:04.582000+00:00", + "name": "Unauthorized Command Message", + "description": "Adversaries may send unauthorized command messages to instruct control system assets to perform actions outside of their intended functionality, or without the logical preconditions to trigger their expected function. Command messages are used in ICS networks to give direct instructions to control systems devices. If an adversary can send an unauthorized command message to a control system, then it can instruct the control systems device to perform an action outside the normal bounds of the device's actions. An adversary could potentially instruct a control systems device to perform an action that will cause an [Impact](https://attack.mitre.org/tactics/TA0105). (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)\n\nIn the Dallas Siren incident, adversaries were able to send command messages to activate tornado alarm systems across the city without an impending tornado or other disaster. (Citation: Zack Whittaker April 2017) (Citation: Benjamin Freed March 2019)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "impair-process-control" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0855", + "external_id": "T0855" + }, + { + "source_name": "Benjamin Freed March 2019", + "description": "Benjamin Freed 2019, March 13 Tornado sirens in Dallas suburbs deactivated after being hacked and set off Retrieved. 2020/11/06 ", + "url": "https://statescoop.com/tornado-sirens-in-dallas-suburbs-deactivated-after-being-hacked-and-set-off/" + }, + { + "source_name": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011", + "description": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12 ", + "url": "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258" + }, + { + "source_name": "Zack Whittaker April 2017", + "description": "Zack Whittaker 2017, April 12 Dallas' emergency sirens were hacked with a rogue radio signal Retrieved. 2020/11/06 ", + "url": "https://www.zdnet.com/article/experts-think-they-know-how-dallas-emergency-sirens-were-hacked/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_data_sources": [ + "Operational Databases: Process History/Live Data", + "Application Log: Application Log Content", + "Network Traffic: Network Traffic Flow", + "Operational Databases: Process/Event Alarm", + "Network Traffic: Network Traffic Content" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:04.582000+00:00\", \"old_value\": \"2023-04-05 14:16:02.811000+00:00\"}, \"root['x_mitre_platforms'][0]\": {\"new_value\": \"None\", \"old_value\": \"Field Controller/RTU/PLC/IED\"}}}", + "previous_version": "1.2", + "changelog_mitigations": { + "shared": [ + "M0802: Communication Authenticity", + "M0807: Network Allowlists", + "M0813: Software Process and Device Authentication", + "M0818: Validate Program Inputs", + "M0930: Network Segmentation", + "M0937: Filter Network Traffic" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0015: Application Log (Application Log Content)", + "DS0029: Network Traffic (Network Traffic Content)", + "DS0029: Network Traffic (Network Traffic Flow)", + "DS0040: Operational Databases (Process History/Live Data)", + "DS0040: Operational Databases (Process/Event Alarm)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:57:00.969000+00:00", + "name": "User Execution", + "description": "Adversaries may rely on a targeted organizations user interaction for the execution of malicious code. User interaction may consist of installing applications, opening email attachments, or granting higher permissions to documents. \n\nAdversaries may embed malicious code or visual basic code into files such as Microsoft Word and Excel documents or software installers. (Citation: Booz Allen Hamilton) Execution of this code requires that the user enable scripting or write access within the document. Embedded code may not always be noticeable to the user especially in cases of trojanized software. (Citation: Daavid Hentunen, Antti Tikkanen June 2014) \n\nA Chinese spearphishing campaign running from December 9, 2011 through February 29, 2012 delivered malware through spearphishing attachments which required user action to achieve execution. (Citation: CISA AA21-201A Pipeline Intrusion July 2021)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "execution" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0863", + "external_id": "T0863" + }, + { + "source_name": "Booz Allen Hamilton", + "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ", + "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" + }, + { + "source_name": "Daavid Hentunen, Antti Tikkanen June 2014", + "description": "Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01 ", + "url": "https://www.f-secure.com/weblog/archives/00002718.html" + }, + { + "source_name": "CISA AA21-201A Pipeline Intrusion July 2021", + "description": "Department of Justice (DOJ), DHS Cybersecurity & Infrastructure Security Agency (CISA) 2021, July 20 Chinese Gas Pipeline Intrusion Campaign, 2011 to 2013 Retrieved. 2021/10/08 ", + "url": "https://us-cert.cisa.gov/sites/default/files/publications/AA21-201A_Chinese_Gas_Pipeline_Intrusion_Campaign_2011_to_2013%20(1).pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_sources": [ + "Command: Command Execution", + "Application Log: Application Log Content", + "Network Traffic: Network Connection Creation", + "File: File Access", + "Process: Process Creation", + "Network Traffic: Network Traffic Content" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:00.969000+00:00\", \"old_value\": \"2023-03-09 18:38:51.471000+00:00\"}, \"root['x_mitre_platforms'][0]\": {\"new_value\": \"None\", \"old_value\": \"Engineering Workstation\"}}, \"iterable_item_removed\": {\"root['x_mitre_platforms'][1]\": \"Human-Machine Interface\"}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [ + "M0917: User Training", + "M0921: Restrict Web-Based Content", + "M0931: Network Intrusion Prevention", + "M0938: Execution Prevention", + "M0945: Code Signing", + "M0949: Antivirus/Antimalware" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0015: Application Log (Application Log Content)", + "DS0017: Command (Command Execution)", + "DS0022: File (File Access)", + "DS0029: Network Traffic (Network Connection Creation)", + "DS0029: Network Traffic (Network Traffic Content)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:57:11.152000+00:00", + "name": "Valid Accounts", + "description": "Adversaries may steal the credentials of a specific user or service account using credential access techniques. In some cases, default credentials for control system devices may be publicly available. Compromised credentials may be used to bypass access controls placed on various resources on hosts and within the network, and may even be used for persistent access to remote systems. Compromised and default credentials may also grant an adversary increased privilege to specific systems and devices or access to restricted areas of the network. Adversaries may choose not to use malware or tools, in conjunction with the legitimate access those credentials provide, to make it harder to detect their presence or to control devices and send legitimate commands in an unintended way. \n\nAdversaries may also create accounts, sometimes using predefined account names and passwords, to provide a means of backup access for persistence. (Citation: Booz Allen Hamilton) \n\nThe overlap of credentials and permissions across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) and possibly between the enterprise and operational technology environments. Adversaries may be able to leverage valid credentials from one system to gain access to another system.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "lateral-movement" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0859", + "external_id": "T0859" + }, + { + "source_name": "Booz Allen Hamilton", + "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ", + "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_sources": [ + "User Account: User Account Authentication", + "Logon Session: Logon Session Creation", + "Logon Session: Logon Session Metadata" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:11.152000+00:00\", \"old_value\": \"2023-03-09 18:38:51.471000+00:00\"}, \"root['x_mitre_platforms'][0]\": {\"new_value\": \"None\", \"old_value\": \"Control Server\"}}, \"iterable_item_removed\": {\"root['x_mitre_platforms'][1]\": \"Data Historian\", \"root['x_mitre_platforms'][2]\": \"Engineering Workstation\", \"root['x_mitre_platforms'][3]\": \"Field Controller/RTU/PLC/IED\", \"root['x_mitre_platforms'][4]\": \"Human-Machine Interface\", \"root['x_mitre_platforms'][5]\": \"Input/Output Server\", \"root['x_mitre_platforms'][6]\": \"Safety Instrumented System/Protection Relay\"}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [ + "M0801: Access Management", + "M0913: Application Developer Guidance", + "M0915: Active Directory Configuration", + "M0918: User Account Management", + "M0926: Privileged Account Management", + "M0927: Password Policies", + "M0932: Multi-factor Authentication", + "M0936: Account Use Policies", + "M0937: Filter Network Traffic", + "M0947: Audit" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0002: User Account (User Account Authentication)", + "DS0028: Logon Session (Logon Session Creation)", + "DS0028: Logon Session (Logon Session Metadata)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:57:01.165000+00:00", + "name": "Wireless Compromise", + "description": "Adversaries may perform wireless compromise as a method of gaining communications and unauthorized access to a wireless network. Access to a wireless network may be gained through the compromise of a wireless device. (Citation: Alexander Bolshev, Gleb Cherbov July 2014) (Citation: Alexander Bolshev March 2014) Adversaries may also utilize radios and other wireless communication devices on the same frequency as the wireless network. Wireless compromise can be done as an initial access vector from a remote distance. \n\nA Polish student used a modified TV remote controller to gain access to and control over the Lodz city tram system in Poland. (Citation: John Bill May 2017) (Citation: Shelley Smith February 2008) The remote controller device allowed the student to interface with the trams network to modify track settings and override operator control. The adversary may have accomplished this by aligning the controller to the frequency and amplitude of IR control protocol signals. (Citation: Bruce Schneier January 2008) The controller then enabled initial access to the network, allowing the capture and replay of tram signals. (Citation: John Bill May 2017)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "initial-access" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0860", + "external_id": "T0860" + }, + { + "source_name": "Alexander Bolshev March 2014", + "description": "Alexander Bolshev 2014, March 11 S4x14: HART As An Attack Vector Retrieved. 2020/01/05 ", + "url": "https://www.slideshare.net/dgpeters/17-bolshev-1-13" + }, + { + "source_name": "Alexander Bolshev, Gleb Cherbov July 2014", + "description": "Alexander Bolshev, Gleb Cherbov 2014, July 08 ICSCorsair: How I will PWN your ERP through 4-20 mA current loop Retrieved. 2020/01/05 ", + "url": "https://www.blackhat.com/docs/us-14/materials/us-14-Bolshev-ICSCorsair-How-I-Will-PWN-Your-ERP-Through-4-20mA-Current-Loop-WP.pdf" + }, + { + "source_name": "Bruce Schneier January 2008", + "description": "Bruce Schneier 2008, January 17 Hacking Polish Trams Retrieved. 2019/10/17 ", + "url": "https://www.schneier.com/blog/archives/2008/01/hacking_the_pol.html" + }, + { + "source_name": "John Bill May 2017", + "description": "John Bill 2017, May 12 Hacked Cyber Security Railways Retrieved. 2019/10/17 ", + "url": "https://www.londonreconnections.com/2017/hacked-cyber-security-railways/" + }, + { + "source_name": "Shelley Smith February 2008", + "description": "Shelley Smith 2008, February 12 Teen Hacker in Poland Plays Trains and Derails City Tram System Retrieved. 2019/10/17 ", + "url": "https://inhomelandsecurity.com/teen_hacker_in_poland_plays_tr/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Scott Dougherty" + ], + "x_mitre_data_sources": [ + "Logon Session: Logon Session Creation", + "Application Log: Application Log Content", + "Network Traffic: Network Traffic Flow" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:57:01.165000+00:00\", \"old_value\": \"2023-03-30 20:20:38.285000+00:00\"}, \"root['x_mitre_platforms'][0]\": {\"new_value\": \"None\", \"old_value\": \"Control Server\"}}, \"iterable_item_removed\": {\"root['x_mitre_platforms'][1]\": \"Field Controller/RTU/PLC/IED\", \"root['x_mitre_platforms'][2]\": \"Input/Output Server\"}}", + "previous_version": "1.2", + "changelog_mitigations": { + "shared": [ + "M0802: Communication Authenticity", + "M0806: Minimize Wireless Signal Propagation", + "M0808: Encrypt Network Traffic", + "M0813: Software Process and Device Authentication" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0015: Application Log (Application Log Content)", + "DS0028: Logon Session (Logon Session Creation)", + "DS0029: Network Traffic (Network Traffic Flow)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2023-10-13 17:56:59.193000+00:00", + "name": "Wireless Sniffing", + "description": "Adversaries may seek to capture radio frequency (RF) communication used for remote control and reporting in distributed environments. RF communication frequencies vary between 3 kHz to 300 GHz, although are commonly between 300 MHz to 6 GHz. (Citation: Candell, R., Hany, M., Lee, K. B., Liu,Y., Quimby, J., Remley, K. April 2018) The wavelength and frequency of the signal affect how the signal propagates through open air, obstacles (e.g. walls and trees) and the type of radio required to capture them. These characteristics are often standardized in the protocol and hardware and may have an effect on how the signal is captured. Some examples of wireless protocols that may be found in cyber-physical environments are: WirelessHART, Zigbee, WIA-FA, and 700 MHz Public Safety Spectrum. \n\nAdversaries may capture RF communications by using specialized hardware, such as software defined radio (SDR), handheld radio, or a computer with radio demodulator tuned to the communication frequency. (Citation: Bastille April 2017) Information transmitted over a wireless medium may be captured in-transit whether the sniffing device is the intended destination or not. This technique may be particularly useful to an adversary when the communications are not encrypted. (Citation: Gallagher, S. April 2017) \n\nIn the 2017 Dallas Siren incident, it is suspected that adversaries likely captured wireless command message broadcasts on a 700 MHz frequency during a regular test of the system. These messages were later replayed to trigger the alarm systems. (Citation: Gallagher, S. April 2017)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "discovery" + }, + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "collection" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0887", + "external_id": "T0887" + }, + { + "source_name": "Bastille April 2017", + "description": "Bastille 2017, April 17 Dallas Siren Attack Retrieved. 2020/11/06 ", + "url": "https://www.bastille.net/blogs/2017/4/17/dallas-siren-attack" + }, + { + "source_name": "Candell, R., Hany, M., Lee, K. B., Liu,Y., Quimby, J., Remley, K. April 2018", + "description": "Candell, R., Hany, M., Lee, K. B., Liu,Y., Quimby, J., Remley, K. 2018, April Guide to Industrial Wireless Systems Deployments Retrieved. 2020/12/01 ", + "url": "https://nvlpubs.nist.gov/nistpubs/ams/NIST.AMS.300-4.pdf" + }, + { + "source_name": "Gallagher, S. April 2017", + "description": "Gallagher, S. 2017, April 12 Pirate radio: Signal spoof set off Dallas emergency sirens, not network hack Retrieved. 2020/12/01 ", + "url": "https://arstechnica.com/information-technology/2017/04/dallas-siren-hack-used-radio-signals-to-spoof-alarm-says-city-manager/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_contributors": [ + "ICSCoE Japan" + ], + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Flow" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 17:56:59.193000+00:00\", \"old_value\": \"2023-03-09 18:38:51.471000+00:00\"}}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [ + "M0806: Minimize Wireless Signal Propagation", + "M0808: Encrypt Network Traffic" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0029: Network Traffic (Network Traffic Flow)" + ], + "new": [], + "dropped": [] + } + } + ], + "revocations": [], + "deprecations": [], + "deletions": [] + }, + "software": { + "additions": [], + "major_version_changes": [], + "minor_version_changes": [ + { + "type": "malware", + "id": "malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:32:57.807000+00:00", + "modified": "2023-10-06 14:08:40.134000+00:00", + "name": "BlackEnergy", + "description": "[BlackEnergy](https://attack.mitre.org/software/S0089) is a malware toolkit that has been used by both criminal and APT actors. It dates back to at least 2007 and was originally designed to create botnets for use in conducting Distributed Denial of Service (DDoS) attacks, but its use has evolved to support various plug-ins. It is well known for being used during the confrontation between Georgia and Russia in 2008, as well as in targeting Ukrainian institutions. Variants include BlackEnergy 2 and BlackEnergy 3. (Citation: F-Secure BlackEnergy 2014)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0089", + "external_id": "S0089" + }, + { + "source_name": "F-Secure BlackEnergy 2014", + "description": "F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.", + "url": "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "BlackEnergy", + "Black Energy" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.4", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-06 14:08:40.134000+00:00\", \"old_value\": \"2022-10-12 17:33:00.482000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.4\", \"old_value\": \"1.3\"}}}", + "previous_version": "1.3", + "version_change": "1.3 \u2192 1.4" + }, + { + "type": "malware", + "id": "malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-01-20 18:05:07.059000+00:00", + "modified": "2023-10-06 14:09:52.833000+00:00", + "name": "KillDisk", + "description": "[KillDisk](https://attack.mitre.org/software/S0607) is a disk-wiping tool designed to overwrite files with random data to render the OS unbootable. It was first observed as a component of [BlackEnergy](https://attack.mitre.org/software/S0089) malware during cyber attacks against Ukraine in 2015. [KillDisk](https://attack.mitre.org/software/S0607) has since evolved into stand-alone malware used by a variety of threat actors against additional targets in Europe and Latin America; in 2016 a ransomware component was also incorporated into some [KillDisk](https://attack.mitre.org/software/S0607) variants.(Citation: KillDisk Ransomware)(Citation: ESEST Black Energy Jan 2016)(Citation: Trend Micro KillDisk 1)(Citation: Trend Micro KillDisk 2)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0607", + "external_id": "S0607" + }, + { + "source_name": "KillDisk Ransomware", + "description": "Catalin Cimpanu. (2016, December 29). KillDisk Disk-Wiping Malware Adds Ransomware Component. Retrieved January 12, 2021.", + "url": "https://www.bleepingcomputer.com/news/security/killdisk-disk-wiping-malware-adds-ransomware-component/" + }, + { + "source_name": "ESEST Black Energy Jan 2016", + "description": "Cherepanov, A.. (2016, January 3). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry. Retrieved May 18, 2016.", + "url": "http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/" + }, + { + "source_name": "Trend Micro KillDisk 1", + "description": "Fernando Merces, Byron Gelera, Martin Co. (2018, June 7). KillDisk Variant Hits Latin American Finance Industry. Retrieved January 12, 2021.", + "url": "https://www.trendmicro.com/en_us/research/18/f/new-killdisk-variant-hits-latin-american-financial-organizations-again.html" + }, + { + "source_name": "Trend Micro KillDisk 2", + "description": "Gilbert Sison, Rheniel Ramos, Jay Yaneza, Alfredo Oliveira. (2018, January 15). KillDisk Variant Hits Latin American Financial Groups. Retrieved January 12, 2021.", + "url": "https://www.trendmicro.com/en_us/research/18/a/new-killdisk-variant-hits-financial-organizations-in-latin-america.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "KillDisk", + "Win32/KillDisk.NBI", + "Win32/KillDisk.NBH", + "Win32/KillDisk.NBD", + "Win32/KillDisk.NBC", + "Win32/KillDisk.NBB" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "Windows" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-06 14:09:52.833000+00:00\", \"old_value\": \"2023-03-08 22:13:42.357000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}}", + "previous_version": "1.1", + "version_change": "1.1 \u2192 1.2" + }, + { + "type": "malware", + "id": "malware--a020a61c-423f-4195-8c46-ba1d21abba37", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-13 20:14:53.171000+00:00", + "modified": "2023-08-09 18:11:35.634000+00:00", + "name": "Ryuk", + "description": "[Ryuk](https://attack.mitre.org/software/S0446) is a ransomware designed to target enterprise environments that has been used in attacks since at least 2018. [Ryuk](https://attack.mitre.org/software/S0446) shares code similarities with Hermes ransomware.(Citation: CrowdStrike Ryuk January 2019)(Citation: FireEye Ryuk and Trickbot January 2019)(Citation: FireEye FIN6 Apr 2019)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0446", + "external_id": "S0446" + }, + { + "source_name": "Ryuk", + "description": "(Citation: CrowdStrike Ryuk January 2019) (Citation: Bleeping Computer - Ryuk WoL) " + }, + { + "source_name": "Bleeping Computer - Ryuk WoL", + "description": "Abrams, L. (2021, January 14). Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices. Retrieved February 11, 2021.", + "url": "https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/" + }, + { + "source_name": "FireEye Ryuk and Trickbot January 2019", + "description": "Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.", + "url": "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html" + }, + { + "source_name": "CrowdStrike Ryuk January 2019", + "description": "Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.", + "url": "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/" + }, + { + "source_name": "FireEye FIN6 Apr 2019", + "description": "McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.", + "url": "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Ryuk" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "The DFIR Report, @TheDFIRReport", + "Matt Brenton, Zurich Insurance Group" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.4", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-09 18:11:35.634000+00:00\", \"old_value\": \"2022-05-24 21:10:44.381000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.4\", \"old_value\": \"1.3\"}}}", + "previous_version": "1.3", + "version_change": "1.3 \u2192 1.4" + } + ], + "other_version_changes": [], + "patches": [ + { + "type": "malware", + "id": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-01-04 20:42:21.997000+00:00", + "modified": "2023-10-17 20:09:38.062000+00:00", + "name": "Industroyer", + "description": "[Industroyer](https://attack.mitre.org/software/S0604) is a sophisticated malware framework designed to cause an impact to the working processes of Industrial Control Systems (ICS), specifically components used in electrical substations.(Citation: ESET Industroyer) [Industroyer](https://attack.mitre.org/software/S0604) was used in the attacks on the Ukrainian power grid in December 2016.(Citation: Dragos Crashoverride 2017) This is the first publicly known malware specifically designed to target and impact operations in the electric grid.(Citation: Dragos Crashoverride 2018)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0604", + "external_id": "S0604" + }, + { + "source_name": "CRASHOVERRIDE", + "description": "(Citation: Dragos Crashoverride 2017)" + }, + { + "source_name": "Win32/Industroyer", + "description": "(Citation: ESET Industroyer)" + }, + { + "source_name": "ESET Industroyer", + "description": "Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020.", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + }, + { + "source_name": "Dragos Crashoverride 2017", + "description": "Dragos Inc.. (2017, June 13). CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Retrieved December 18, 2020.", + "url": "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf" + }, + { + "source_name": "Dragos Crashoverride 2018", + "description": "Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.", + "url": "https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Industroyer", + "CRASHOVERRIDE", + "Win32/Industroyer" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Dragos Threat Intelligence", + "Joe Slowik - Dragos" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-17 20:09:38.062000+00:00\", \"old_value\": \"2022-10-20 20:37:50.556000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_contributors'][1]\": {\"new_value\": \"Joe Slowik - Dragos\", \"old_value\": \"Joe Slowik - Dragos\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--5af7a825-2d9f-400d-931a-e00eb9e27f48", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-04-16 19:00:49.435000+00:00", + "modified": "2023-10-17 20:05:34.648000+00:00", + "name": "LockerGoga", + "description": "[LockerGoga](https://attack.mitre.org/software/S0372) is ransomware that was first reported in January 2019, and has been tied to various attacks on European companies, including industrial and manufacturing firms.(Citation: Unit42 LockerGoga 2019)(Citation: CarbonBlack LockerGoga 2019)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0372", + "external_id": "S0372" + }, + { + "source_name": "CarbonBlack LockerGoga 2019", + "description": "CarbonBlack Threat Analysis Unit. (2019, March 22). TAU Threat Intelligence Notification \u2013 LockerGoga Ransomware. Retrieved April 16, 2019.", + "url": "https://www.carbonblack.com/2019/03/22/tau-threat-intelligence-notification-lockergoga-ransomware/" + }, + { + "source_name": "Unit42 LockerGoga 2019", + "description": "Harbison, M. (2019, March 26). Born This Way? Origins of LockerGoga. Retrieved April 16, 2019.", + "url": "https://unit42.paloaltonetworks.com/born-this-way-origins-of-lockergoga/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "LockerGoga" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Joe Slowik - Dragos" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "2.0", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-17 20:05:34.648000+00:00\", \"old_value\": \"2023-03-08 22:03:50.370000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_contributors'][0]\": {\"new_value\": \"Joe Slowik - Dragos\", \"old_value\": \"Joe Slowik - Dragos\"}}}", + "previous_version": "2.0" + } + ], + "revocations": [], + "deprecations": [], + "deletions": [] + }, + "groups": { + "additions": [], + "major_version_changes": [ + { + "type": "intrusion-set", + "id": "intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:32:09.460000+00:00", + "modified": "2023-10-04 18:10:49.054000+00:00", + "name": "FIN7", + "description": "[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013. [FIN7](https://attack.mitre.org/groups/G0046) has primarily targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, and utilities industries in the U.S. A portion of [FIN7](https://attack.mitre.org/groups/G0046) was run out of a front company called Combi Security and often used point-of-sale malware for targeting efforts. Since 2020, [FIN7](https://attack.mitre.org/groups/G0046) shifted operations to a big game hunting (BGH) approach including use of [REvil](https://attack.mitre.org/software/S0496) ransomware and their own Ransomware as a Service (RaaS), Darkside. FIN7 may be linked to the [Carbanak](https://attack.mitre.org/groups/G0008) Group, but there appears to be several groups using [Carbanak](https://attack.mitre.org/software/S0030) malware and are therefore tracked separately.(Citation: FireEye FIN7 March 2017)(Citation: FireEye FIN7 April 2017)(Citation: FireEye CARBANAK June 2017)(Citation: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carbon Spider August 2021)(Citation: Mandiant FIN7 Apr 2022)", + "aliases": [ + "FIN7", + "GOLD NIAGARA", + "ITG14", + "Carbon Spider" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0046", + "external_id": "G0046" + }, + { + "source_name": "Carbon Spider", + "description": "(Citation: CrowdStrike Carbon Spider August 2021)" + }, + { + "source_name": "FIN7", + "description": "(Citation: FireEye FIN7 March 2017) (Citation: FireEye FIN7 April 2017) (Citation: Morphisec FIN7 June 2017) (Citation: FireEye FIN7 Shim Databases) (Citation: FireEye FIN7 Aug 2018)" + }, + { + "source_name": "GOLD NIAGARA", + "description": "(Citation: Secureworks GOLD NIAGARA Threat Profile)" + }, + { + "source_name": "Mandiant FIN7 Apr 2022", + "description": "Abdo, B., et al. (2022, April 4). FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7. Retrieved April 5, 2022.", + "url": "https://www.mandiant.com/resources/evolution-of-fin7" + }, + { + "source_name": "FireEye CARBANAK June 2017", + "description": "Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.", + "url": "https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html" + }, + { + "source_name": "FireEye FIN7 April 2017", + "description": "Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.", + "url": "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html" + }, + { + "source_name": "FireEye FIN7 Aug 2018", + "description": "Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.", + "url": "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html" + }, + { + "source_name": "Secureworks GOLD NIAGARA Threat Profile", + "description": "CTU. (n.d.). GOLD NIAGARA. Retrieved September 21, 2021.", + "url": "https://www.secureworks.com/research/threat-profiles/gold-niagara" + }, + { + "source_name": "FireEye FIN7 Shim Databases", + "description": "Erickson, J., McWhirt, M., Palombo, D. (2017, May 3). To SDB, Or Not To SDB: FIN7 Leveraging Shim Databases for Persistence. Retrieved July 18, 2017.", + "url": "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html" + }, + { + "source_name": "Morphisec FIN7 June 2017", + "description": "Gorelik, M.. (2017, June 9). FIN7 Takes Another Bite at the Restaurant Industry. Retrieved July 13, 2017.", + "url": "http://blog.morphisec.com/fin7-attacks-restaurant-industry" + }, + { + "source_name": "ITG14", + "description": "ITG14 shares campaign overlap with [FIN7](https://attack.mitre.org/groups/G0046).(Citation: IBM Ransomware Trends September 2020)" + }, + { + "source_name": "CrowdStrike Carbon Spider August 2021", + "description": "Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.", + "url": "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/" + }, + { + "source_name": "FireEye FIN7 March 2017", + "description": "Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017.", + "url": "https://web.archive.org/web/20180808125108/https:/www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html" + }, + { + "source_name": "IBM Ransomware Trends September 2020", + "description": "Singleton, C. and Kiefer, C. (2020, September 28). Ransomware 2020: Attack Trends Affecting Organizations Worldwide. Retrieved September 20, 2021.", + "url": "https://securityintelligence.com/posts/ransomware-2020-attack-trends-new-techniques-affecting-organizations-worldwide/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Edward Millington" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "3.0", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-04 18:10:49.054000+00:00\", \"old_value\": \"2023-03-22 03:51:04.185000+00:00\"}, \"root['description']\": {\"new_value\": \"[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013. [FIN7](https://attack.mitre.org/groups/G0046) has primarily targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, and utilities industries in the U.S. A portion of [FIN7](https://attack.mitre.org/groups/G0046) was run out of a front company called Combi Security and often used point-of-sale malware for targeting efforts. Since 2020, [FIN7](https://attack.mitre.org/groups/G0046) shifted operations to a big game hunting (BGH) approach including use of [REvil](https://attack.mitre.org/software/S0496) ransomware and their own Ransomware as a Service (RaaS), Darkside. FIN7 may be linked to the [Carbanak](https://attack.mitre.org/groups/G0008) Group, but there appears to be several groups using [Carbanak](https://attack.mitre.org/software/S0030) malware and are therefore tracked separately.(Citation: FireEye FIN7 March 2017)(Citation: FireEye FIN7 April 2017)(Citation: FireEye CARBANAK June 2017)(Citation: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carbon Spider August 2021)(Citation: Mandiant FIN7 Apr 2022)\", \"old_value\": \"[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013 primarily targeting the U.S. retail, restaurant, and hospitality sectors, often using point-of-sale malware. A portion of [FIN7](https://attack.mitre.org/groups/G0046) was run out of a front company called Combi Security. Since 2020 [FIN7](https://attack.mitre.org/groups/G0046) shifted operations to a big game hunting (BGH) approach including use of [REvil](https://attack.mitre.org/software/S0496) ransomware and their own Ransomware as a Service (RaaS), Darkside. [FIN7](https://attack.mitre.org/groups/G0046) may be linked to the [Carbanak](https://attack.mitre.org/groups/G0008) Group, but there appears to be several groups using [Carbanak](https://attack.mitre.org/software/S0030) malware and are therefore tracked separately.(Citation: FireEye FIN7 March 2017)(Citation: FireEye FIN7 April 2017)(Citation: FireEye CARBANAK June 2017)(Citation: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carbon Spider August 2021)\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"3.0\", \"old_value\": \"2.2\"}}, \"iterable_item_added\": {\"root['external_references'][4]\": {\"source_name\": \"Mandiant FIN7 Apr 2022\", \"description\": \"Abdo, B., et al. (2022, April 4). FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7. Retrieved April 5, 2022.\", \"url\": \"https://www.mandiant.com/resources/evolution-of-fin7\"}}}", + "previous_version": "2.2", + "version_change": "2.2 \u2192 3.0", + "description_change_table": "\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n

    		Old Description
    		New Description
    t1[FIN7](https://attack.mitre.org/groups/G0046) is a financialt1[FIN7](https://attack.mitre.org/groups/G0046) is a financial
    >ly-motivated threat group that has been active since 2013 pr>ly-motivated threat group that has been active since 2013. [
    >imarily targeting the U.S. retail, restaurant, and hospitali>FIN7](https://attack.mitre.org/groups/G0046) has primarily t
    >ty sectors, often using point-of-sale malware. A portion of >argeted the retail, restaurant, hospitality, software, consu
    >[FIN7](https://attack.mitre.org/groups/G0046) was run out of>lting, financial services, medical equipment, cloud services
    > a front company called Combi Security. Since 2020 [FIN7](ht>, media, food and beverage, transportation, and utilities in
    >tps://attack.mitre.org/groups/G0046) shifted operations to a>dustries in the U.S. A portion of [FIN7](https://attack.mitr
    > big game hunting (BGH) approach including use of [REvil](ht>e.org/groups/G0046) was run out of a front company called Co
    >tps://attack.mitre.org/software/S0496) ransomware and their >mbi Security and often used point-of-sale malware for target
    >own Ransomware as a Service (RaaS), Darkside. [FIN7](https:/>ing efforts. Since 2020, [FIN7](https://attack.mitre.org/gro
    >/attack.mitre.org/groups/G0046) may be linked to the [Carban>ups/G0046) shifted operations to a big game hunting (BGH) ap
    >ak](https://attack.mitre.org/groups/G0008) Group, but there >proach including use of [REvil](https://attack.mitre.org/sof
    >appears to be several groups using [Carbanak](https://attack>tware/S0496) ransomware and their own Ransomware as a Servic
    >.mitre.org/software/S0030) malware and are therefore tracked>e (RaaS), Darkside. FIN7 may be linked to the [Carbanak](htt
    > separately.(Citation: FireEye FIN7 March 2017)(Citation: Fi>ps://attack.mitre.org/groups/G0008) Group, but there appears
    >reEye FIN7 April 2017)(Citation: FireEye CARBANAK June 2017)> to be several groups using [Carbanak](https://attack.mitre.
    >(Citation: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carb>org/software/S0030) malware and are therefore tracked separa
    >on Spider August 2021)>tely.(Citation: FireEye FIN7 March 2017)(Citation: FireEye F
     >IN7 April 2017)(Citation: FireEye CARBANAK June 2017)(Citati
     >on: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carbon Spid
     >er August 2021)(Citation: Mandiant FIN7 Apr 2022)
    " + }, + { + "type": "intrusion-set", + "id": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-12 18:15:29.396000+00:00", + "modified": "2023-09-12 14:35:52.920000+00:00", + "name": "Wizard Spider", + "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse aresenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: CrowdStrike Wizard Spider October 2020)", + "aliases": [ + "Wizard Spider", + "UNC1878", + "TEMP.MixMaster", + "Grim Spider", + "FIN12", + "GOLD BLACKBURN", + "ITG23", + "Periwinkle Tempest" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0102", + "external_id": "G0102" + }, + { + "source_name": "Grim Spider", + "description": "(Citation: CrowdStrike Ryuk January 2019)(Citation: CrowdStrike Grim Spider May 2019)" + }, + { + "source_name": "UNC1878", + "description": "(Citation: FireEye KEGTAP SINGLEMALT October 2020)" + }, + { + "source_name": "TEMP.MixMaster", + "description": "(Citation: FireEye Ryuk and Trickbot January 2019)" + }, + { + "source_name": "ITG23", + "description": "(Citation: IBM X-Force ITG23 Oct 2021)" + }, + { + "source_name": "FIN12", + "description": "(Citation: Mandiant FIN12 Oct 2021)" + }, + { + "source_name": "GOLD BLACKBURN", + "description": "(Citation: Secureworks Gold Blackburn Mar 2022)" + }, + { + "source_name": "Periwinkle Tempest", + "description": "(Citation: Secureworks Gold Blackburn Mar 2022)" + }, + { + "source_name": "DHS/CISA Ransomware Targeting Healthcare October 2020", + "description": "DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.", + "url": "https://us-cert.cisa.gov/ncas/alerts/aa20-302a" + }, + { + "source_name": "FireEye Ryuk and Trickbot January 2019", + "description": "Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.", + "url": "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html" + }, + { + "source_name": "CrowdStrike Ryuk January 2019", + "description": "Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.", + "url": "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/" + }, + { + "source_name": "CrowdStrike Grim Spider May 2019", + "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.", + "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/" + }, + { + "source_name": "FireEye KEGTAP SINGLEMALT October 2020", + "description": "Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.", + "url": "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html" + }, + { + "source_name": "CrowdStrike Wizard Spider October 2020", + "description": "Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021.", + "url": "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/" + }, + { + "source_name": "Secureworks Gold Blackburn Mar 2022", + "description": "Secureworks Counter Threat Unit. (2022, March 1). Gold Blackburn Threat Profile. Retrieved June 15, 2023.", + "url": "https://www.secureworks.com/research/threat-profiles/gold-blackburn" + }, + { + "source_name": "Mandiant FIN12 Oct 2021", + "description": "Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.", + "url": "https://www.mandiant.com/sites/default/files/2021-10/fin12-group-profile.pdf" + }, + { + "source_name": "IBM X-Force ITG23 Oct 2021", + "description": "Villadsen, O., et al. (2021, October 13). Trickbot Rising - Gang Doubles Down on Infection Efforts to Amass Network Footholds. Retrieved June 15, 2023.", + "url": "https://securityintelligence.com/posts/trickbot-gang-doubles-down-enterprise-infection/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Edward Millington", + "Oleksiy Gayda" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "3.0", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-12 14:35:52.920000+00:00\", \"old_value\": \"2023-03-22 05:44:27.289000+00:00\"}, \"root['description']\": {\"new_value\": \"[Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse aresenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: CrowdStrike Wizard Spider October 2020)\", \"old_value\": \"[Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: CrowdStrike Wizard Spider October 2020)\"}, \"root['x_mitre_version']\": {\"new_value\": \"3.0\", \"old_value\": \"2.1\"}}, \"iterable_item_added\": {\"root['aliases'][4]\": \"FIN12\", \"root['aliases'][5]\": \"GOLD BLACKBURN\", \"root['aliases'][6]\": \"ITG23\", \"root['aliases'][7]\": \"Periwinkle Tempest\", \"root['external_references'][4]\": {\"source_name\": \"ITG23\", \"description\": \"(Citation: IBM X-Force ITG23 Oct 2021)\"}, \"root['external_references'][5]\": {\"source_name\": \"FIN12\", \"description\": \"(Citation: Mandiant FIN12 Oct 2021)\"}, \"root['external_references'][6]\": {\"source_name\": \"GOLD BLACKBURN\", \"description\": \"(Citation: Secureworks Gold Blackburn Mar 2022)\"}, \"root['external_references'][7]\": {\"source_name\": \"Periwinkle Tempest\", \"description\": \"(Citation: Secureworks Gold Blackburn Mar 2022)\"}, \"root['external_references'][14]\": {\"source_name\": \"Secureworks Gold Blackburn Mar 2022\", \"description\": \"Secureworks Counter Threat Unit. (2022, March 1). Gold Blackburn Threat Profile. Retrieved June 15, 2023.\", \"url\": \"https://www.secureworks.com/research/threat-profiles/gold-blackburn\"}, \"root['external_references'][15]\": {\"source_name\": \"Mandiant FIN12 Oct 2021\", \"description\": \"Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.\", \"url\": \"https://www.mandiant.com/sites/default/files/2021-10/fin12-group-profile.pdf\"}, \"root['external_references'][16]\": {\"source_name\": \"IBM X-Force ITG23 Oct 2021\", \"description\": \"Villadsen, O., et al. (2021, October 13). Trickbot Rising - Gang Doubles Down on Infection Efforts to Amass Network Footholds. Retrieved June 15, 2023.\", \"url\": \"https://securityintelligence.com/posts/trickbot-gang-doubles-down-enterprise-infection/\"}}}", + "previous_version": "2.1", + "version_change": "2.1 \u2192 3.0", + "description_change_table": "\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n

    		Old Description
    		New Description
    t1[Wizard Spider](https://attack.mitre.org/groups/G0102) is a t1[Wizard Spider](https://attack.mitre.org/groups/G0102) is a 
    >Russia-based financially motivated threat group originally k>Russia-based financially motivated threat group originally k
    >nown for the creation and deployment of [TrickBot](https://a>nown for the creation and deployment of [TrickBot](https://a
    >ttack.mitre.org/software/S0266) since at least 2016. [Wizard>ttack.mitre.org/software/S0266) since at least 2016. [Wizard
    > Spider](https://attack.mitre.org/groups/G0102) possesses a > Spider](https://attack.mitre.org/groups/G0102) possesses a 
    >diverse arsenal of tools and has conducted ransomware campai>diverse aresenal of tools and has conducted ransomware campa
    >gns against a variety of organizations, ranging from major c>igns against a variety of organizations, ranging from major 
    >orporations to hospitals.(Citation: CrowdStrike Ryuk January>corporations to hospitals.(Citation: CrowdStrike Ryuk Januar
    > 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare Oc>y 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare O
    >tober 2020)(Citation: CrowdStrike Wizard Spider October 2020>ctober 2020)(Citation: CrowdStrike Wizard Spider October 202
    >)>0)
    " + } + ], + "minor_version_changes": [ + { + "type": "intrusion-set", + "id": "intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:32:05.217000+00:00", + "modified": "2023-10-01 02:45:48.973000+00:00", + "name": "Dragonfly", + "description": "[Dragonfly](https://attack.mitre.org/groups/G0035) is a cyber espionage group that has been attributed to Russia's Federal Security Service (FSB) Center 16.(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022) Active since at least 2010, [Dragonfly](https://attack.mitre.org/groups/G0035) has targeted defense and aviation companies, government entities, companies related to industrial control systems, and critical infrastructure sectors worldwide through supply chain, spearphishing, and drive-by compromise attacks.(Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Symantec Dragonfly Sept 2017)(Citation: Fortune Dragonfly 2.0 Sept 2017)(Citation: Gigamon Berserk Bear October 2021)(Citation: CISA AA20-296A Berserk Bear December 2020)(Citation: Symantec Dragonfly 2.0 October 2017)", + "aliases": [ + "Dragonfly", + "TEMP.Isotope", + "DYMALLOY", + "Berserk Bear", + "TG-4192", + "Crouching Yeti", + "IRON LIBERTY", + "Energetic Bear" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0035", + "external_id": "G0035" + }, + { + "source_name": "DYMALLOY", + "description": "(Citation: Dragos DYMALLOY )(Citation: UK GOV FSB Factsheet April 2022)" + }, + { + "source_name": "Berserk Bear", + "description": "(Citation: Gigamon Berserk Bear October 2021)(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022)" + }, + { + "source_name": "TEMP.Isotope", + "description": "(Citation: Mandiant Ukraine Cyber Threats January 2022)(Citation: Gigamon Berserk Bear October 2021)" + }, + { + "source_name": "Crouching Yeti", + "description": "(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Gigamon Berserk Bear October 2021)(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022)" + }, + { + "source_name": "IRON LIBERTY", + "description": "(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Secureworks MCMD July 2019)(Citation: Secureworks Karagany July 2019)(Citation: UK GOV FSB Factsheet April 2022)" + }, + { + "source_name": "TG-4192", + "description": "(Citation: Secureworks IRON LIBERTY July 2019)(Citation: UK GOV FSB Factsheet April 2022)" + }, + { + "source_name": "Dragonfly", + "description": "(Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Gigamon Berserk Bear October 2021)(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022)" + }, + { + "source_name": "Energetic Bear", + "description": "(Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Secureworks MCMD July 2019)(Citation: Secureworks Karagany July 2019)(Citation: Gigamon Berserk Bear October 2021)(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022)" + }, + { + "source_name": "CISA AA20-296A Berserk Bear December 2020", + "description": "CISA. (2020, December 1). Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets. Retrieved December 9, 2021.", + "url": "https://www.cisa.gov/uscert/ncas/alerts/aa20-296a#revisions" + }, + { + "source_name": "DOJ Russia Targeting Critical Infrastructure March 2022", + "description": "Department of Justice. (2022, March 24). Four Russian Government Employees Charged in Two Historical Hacking Campaigns Targeting Critical Infrastructure Worldwide. Retrieved April 5, 2022.", + "url": "https://www.justice.gov/opa/pr/four-russian-government-employees-charged-two-historical-hacking-campaigns-targeting-critical" + }, + { + "source_name": "Dragos DYMALLOY ", + "description": "Dragos. (n.d.). DYMALLOY. Retrieved August 20, 2020.", + "url": "https://www.dragos.com/threat/dymalloy/" + }, + { + "source_name": "Fortune Dragonfly 2.0 Sept 2017", + "description": "Hackett, R. (2017, September 6). Hackers Have Penetrated Energy Grid, Symantec Warns. Retrieved June 6, 2018.", + "url": "http://fortune.com/2017/09/06/hack-energy-grid-symantec/" + }, + { + "source_name": "Mandiant Ukraine Cyber Threats January 2022", + "description": "Hultquist, J. (2022, January 20). Anticipating Cyber Threats as the Ukraine Crisis Escalates. Retrieved January 24, 2022.", + "url": "https://www.mandiant.com/resources/ukraine-crisis-cyber-threats" + }, + { + "source_name": "Secureworks MCMD July 2019", + "description": "Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020.", + "url": "https://www.secureworks.com/research/mcmd-malware-analysis" + }, + { + "source_name": "Secureworks IRON LIBERTY July 2019", + "description": "Secureworks. (2019, July 24). Resurgent Iron Liberty Targeting Energy Sector. Retrieved August 12, 2020.", + "url": "https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector" + }, + { + "source_name": "Secureworks Karagany July 2019", + "description": "Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.", + "url": "https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector" + }, + { + "source_name": "Gigamon Berserk Bear October 2021", + "description": "Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE\u2019S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021.", + "url": "https://vblocalhost.com/uploads/VB2021-Slowik.pdf" + }, + { + "source_name": "Symantec Dragonfly Sept 2017", + "description": "Symantec Security Response. (2014, July 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017.", + "url": "https://docs.broadcom.com/doc/dragonfly_threat_against_western_energy_suppliers" + }, + { + "source_name": "Symantec Dragonfly", + "description": "Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.", + "url": "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments" + }, + { + "source_name": "Symantec Dragonfly 2.0 October 2017", + "description": "Symantec. (2017, October 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved April 19, 2022.", + "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks" + }, + { + "source_name": "UK GOV FSB Factsheet April 2022", + "description": "UK Gov. (2022, April 5). Russia's FSB malign activity: factsheet. Retrieved April 5, 2022.", + "url": "https://www.gov.uk/government/publications/russias-fsb-malign-cyber-activity-factsheet/russias-fsb-malign-activity-factsheet" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Dragos Threat Intelligence" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "3.2", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-01 02:45:48.973000+00:00\", \"old_value\": \"2023-03-08 22:03:28.170000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"3.2\", \"old_value\": \"3.1\"}}}", + "previous_version": "3.1", + "version_change": "3.1 \u2192 3.2" + }, + { + "type": "intrusion-set", + "id": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:32:04.588000+00:00", + "modified": "2023-10-06 14:13:06.011000+00:00", + "name": "Sandworm Team", + "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) This group has been active since at least 2009.(Citation: iSIGHT Sandworm 2014)(Citation: CrowdStrike VOODOO BEAR)(Citation: USDOJ Sandworm Feb 2020)(Citation: NCSC Sandworm Feb 2020)\n\nIn October 2020, the US indicted six GRU Unit 74455 officers associated with [Sandworm Team](https://attack.mitre.org/groups/G0034) for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide [NotPetya](https://attack.mitre.org/software/S0368) attack, targeting of the 2017 French presidential campaign, the 2018 [Olympic Destroyer](https://attack.mitre.org/software/S0365) attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as [APT28](https://attack.mitre.org/groups/G0007).(Citation: US District Court Indictment GRU Oct 2018)", + "aliases": [ + "Sandworm Team", + "ELECTRUM", + "Telebots", + "IRON VIKING", + "BlackEnergy (Group)", + "Quedagh", + "Voodoo Bear", + "IRIDIUM" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0034", + "external_id": "G0034" + }, + { + "source_name": "Voodoo Bear", + "description": "(Citation: CrowdStrike VOODOO BEAR)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)" + }, + { + "source_name": "ELECTRUM", + "description": "(Citation: Dragos ELECTRUM)(Citation: UK NCSC Olympic Attacks October 2020)" + }, + { + "source_name": "Sandworm Team", + "description": "(Citation: iSIGHT Sandworm 2014) (Citation: F-Secure BlackEnergy 2014) (Citation: InfoSecurity Sandworm Oct 2014)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)" + }, + { + "source_name": "Quedagh", + "description": "(Citation: iSIGHT Sandworm 2014) (Citation: F-Secure BlackEnergy 2014)(Citation: UK NCSC Olympic Attacks October 2020)" + }, + { + "source_name": "IRIDIUM", + "description": "(Citation: Microsoft Prestige ransomware October 2022)" + }, + { + "source_name": "BlackEnergy (Group)", + "description": "(Citation: NCSC Sandworm Feb 2020)(Citation: UK NCSC Olympic Attacks October 2020)" + }, + { + "source_name": "Telebots", + "description": "(Citation: NCSC Sandworm Feb 2020)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)" + }, + { + "source_name": "IRON VIKING", + "description": "(Citation: Secureworks IRON VIKING )(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)" + }, + { + "source_name": "US District Court Indictment GRU Oct 2018", + "description": "Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020.", + "url": "https://www.justice.gov/opa/page/file/1098481/download" + }, + { + "source_name": "Dragos ELECTRUM", + "description": "Dragos. (2017, January 1). ELECTRUM Threat Profile. Retrieved June 10, 2020.", + "url": "https://www.dragos.com/resource/electrum/" + }, + { + "source_name": "F-Secure BlackEnergy 2014", + "description": "F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.", + "url": "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf" + }, + { + "source_name": "iSIGHT Sandworm 2014", + "description": "Hultquist, J.. (2016, January 7). Sandworm Team and the Ukrainian Power Authority Attacks. Retrieved October 6, 2017.", + "url": "https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html" + }, + { + "source_name": "CrowdStrike VOODOO BEAR", + "description": "Meyers, A. (2018, January 19). Meet CrowdStrike\u2019s Adversary of the Month for January: VOODOO BEAR. Retrieved May 22, 2018.", + "url": "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-january-voodoo-bear/" + }, + { + "source_name": "Microsoft Prestige ransomware October 2022", + "description": "MSTIC. (2022, October 14). New \u201cPrestige\u201d ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023.", + "url": "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/" + }, + { + "source_name": "InfoSecurity Sandworm Oct 2014", + "description": "Muncaster, P.. (2014, October 14). Microsoft Zero Day Traced to Russian \u2018Sandworm\u2019 Hackers. Retrieved October 6, 2017.", + "url": "https://www.infosecurity-magazine.com/news/microsoft-zero-day-traced-russian/" + }, + { + "source_name": "NCSC Sandworm Feb 2020", + "description": "NCSC. (2020, February 20). NCSC supports US advisory regarding GRU intrusion set Sandworm. Retrieved June 10, 2020.", + "url": "https://www.ncsc.gov.uk/news/ncsc-supports-sandworm-advisory" + }, + { + "source_name": "USDOJ Sandworm Feb 2020", + "description": "Pompeo, M. (2020, February 20). The United States Condemns Russian Cyber Attack Against the Country of Georgia. Retrieved June 18, 2020.", + "url": "https://2017-2021.state.gov/the-united-states-condemns-russian-cyber-attack-against-the-country-of-georgia//index.html" + }, + { + "source_name": "US District Court Indictment GRU Unit 74455 October 2020", + "description": "Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.", + "url": "https://www.justice.gov/opa/press-release/file/1328521/download" + }, + { + "source_name": "Secureworks IRON VIKING ", + "description": "Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020.", + "url": "https://www.secureworks.com/research/threat-profiles/iron-viking" + }, + { + "source_name": "UK NCSC Olympic Attacks October 2020", + "description": "UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games . Retrieved November 30, 2020.", + "url": "https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Dragos Threat Intelligence" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack", + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "3.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-06 14:13:06.011000+00:00\", \"old_value\": \"2023-03-08 22:12:31.238000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"3.1\", \"old_value\": \"3.0\"}}}", + "previous_version": "3.0", + "version_change": "3.0 \u2192 3.1" + } + ], + "other_version_changes": [], + "patches": [], + "revocations": [], + "deprecations": [], + "deletions": [] + }, + "campaigns": { + "additions": [ + { + "type": "campaign", + "id": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-09-27 13:11:52.340000+00:00", + "modified": "2023-10-06 14:05:01.054000+00:00", + "name": "2015 Ukraine Electric Power Attack", + "description": "[2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028) was a [Sandworm Team](https://attack.mitre.org/groups/G0034) campaign during which they used [BlackEnergy](https://attack.mitre.org/software/S0089) (specifically BlackEnergy3) and [KillDisk](https://attack.mitre.org/software/S0607) to target and disrupt transmission and distribution substations within the Ukrainian power grid. This campaign was the first major public attack conducted against the Ukrainian power grid by Sandworm Team.", + "aliases": [ + "2015 Ukraine Electric Power Attack" + ], + "first_seen": "2015-12-01 05:00:00+00:00", + "last_seen": "2016-01-01 05:00:00+00:00", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/campaigns/C0028", + "external_id": "C0028" + }, + { + "source_name": "Booz Allen Hamilton", + "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ", + "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack", + "enterprise-attack" + ], + "x_mitre_first_seen_citation": "(Citation: Booz Allen Hamilton)", + "x_mitre_last_seen_citation": "(Citation: Booz Allen Hamilton)", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + } + ], + "major_version_changes": [], + "minor_version_changes": [], + "other_version_changes": [], + "patches": [], + "revocations": [], + "deprecations": [], + "deletions": [] + }, + "assets": { + "additions": [ + { + "modified": "2023-10-04T17:46:20.340Z", + "name": "Application Server", + "description": "Application servers are used across many different sectors to host various diverse software applications necessary to supporting the ICS. Example functions can include data analytics and reporting, alarm management, and the management/coordination of different control servers. The application server typically runs on a modern server operating system (e.g., MS Windows Server).", + "x_mitre_sectors": [ + "General" + ], + "x_mitre_platforms": [ + "Windows", + "Linux" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "type": "x-mitre-asset", + "id": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "created": "2023-09-28T14:58:00.982Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/assets/A0008", + "external_id": "A0008" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-10-04T18:09:59.538Z", + "name": "Control Server", + "description": "Control servers are typically a software platform that runs on a modern server operating system (e.g., MS Windows Server). The server typically uses one or more automation protocols (e.g., Modbus, DNP3) to communicate with the various low-level control devices such as Remote Terminal Units (RTUs) and Programmable Logic Controllers (PLCs). The control server also usually provides an interface/network service to connect with an HMI.", + "x_mitre_sectors": [ + "General" + ], + "x_mitre_related_assets": [ + { + "name": "Supervisory Control And Data Acquisition (SCADA) Server", + "related_asset_sectors": [ + "General", + "Electric", + "Water and Wastewater" + ], + "description": "A SCADA server is used to perform monitoring and control across a distributed environment. It typically has an associated HMI to provide information to a human operator and heavily depends on the human operator to initiate control actions." + }, + { + "name": "Master Terminal Unit (MTU)", + "related_asset_sectors": [ + "General" + ], + "description": "*A controller that also acts as a server that hosts the control software that communicates with lower-level control devices, such as remote terminal units (RTUs) and programmable logic controllers (PLCs), over an ICS network* (Citation: Guidance - NIST SP800-82)" + }, + { + "name": "Supervisory controller", + "related_asset_sectors": [ + "General" + ], + "description": "*A controller that also acts as a server that hosts the control software that communicates with lower-level control devices, such as remote terminal units (RTUs) and programmable logic controllers (PLCs), over an ICS network* (Citation: Guidance - NIST SP800-82)" + }, + { + "name": "Distribution/Energy Management System (DMS/EMS)", + "related_asset_sectors": [ + "Electric" + ], + "description": "A DMS and EMS are electric sector specific devices that are commonly used to manage distribution and transmission-level electrical grids. These platforms typically integrate a SCADA server and HMI with domain-specific data analysis applications, such as state-estimation and contingency analysis (EMS), or voltage-var control or fault restoration (DMS). " + } + ], + "x_mitre_platforms": [ + "Windows", + "Linux" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "type": "x-mitre-asset", + "id": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "created": "2023-09-28T14:55:39.339Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/assets/A0007", + "external_id": "A0007" + }, + { + "source_name": "Guidance - NIST SP800-82", + "description": "Keith Stouffer. (2015, May). Guide to Industrial Control Systems (ICS) Security. Retrieved March 28, 2018.", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-10-04T18:08:33.386Z", + "name": "Data Gateway", + "description": "Data Gateway is a device that supports the communication and exchange of data between different systems, networks, or protocols within the ICS. Different types of data gateways are used to perform various functions, including:\n\n * Protocol Translation: Enable communication to devices that support different or incompatible protocols by translating information from one protocol to another. \n * Media Converter: Convert data across different Layer 1 and 2 network protocols / mediums, for example, converting from Serial to Ethernet. \n * Data Aggregation: Collect and combine data from different devices into one consistent format and protocol interface. \n\nData gateways are often critical to the forwarding/transmission of critical control or monitoring data within the ICS. Further, these devices often have remote various network services that are used to communicate across different zones or networks. \n\nThese assets may focus on a single function listed below or combinations of these functions to best fit the industry use-case. \n", + "x_mitre_sectors": [ + "General" + ], + "x_mitre_related_assets": [ + { + "name": "Data Acquisition Server (DAS)", + "related_asset_sectors": [ + "General" + ], + "description": "A Data Acquisition Server (DAS) a system or software platform that is used to collect, aggregate, and store data/telemetry from field devices using various SCADA/Automation protocols. " + }, + { + "name": "Serial to Ethernet Gateway", + "related_asset_sectors": [ + "Electric", + "General" + ], + "description": "A Serial to Ethernet gateway is a device that is used to connect field devices that only support serial-based communication (e.g., RS-232) with more modern Ethernet-based networks. " + } + ], + "x_mitre_platforms": [ + "Windows", + "Linux", + "Embedded" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "type": "x-mitre-asset", + "id": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "created": "2023-09-28T15:01:48.509Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/assets/A0009", + "external_id": "A0009" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-10-04T17:57:56.558Z", + "name": "Data Historian", + "description": "Data historians, or historian, are systems used to collect and store data, including telemetry, events, alerts, and alarms about the operational process and supporting devices. The historian typically utilizes a database to store this data, and commonly provide tools and interfaces to support the analysis of the data. Data historians are often used to support various engineering or business analysis functions and therefore commonly needs access from the corporate network. Data historians often work in a hierarchical paradigm where lower/site level historians collect and store data which is then aggregated into a site/plant level historian. Therefore, data historians often have remote services that can be accessed externally from the ICS network.", + "x_mitre_sectors": [ + "General" + ], + "x_mitre_platforms": [ + "Windows", + "Linux", + "Embedded" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "type": "x-mitre-asset", + "id": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "created": "2023-09-28T14:48:36.305Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/assets/A0006", + "external_id": "A0006" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-10-04T19:26:49.788Z", + "name": "Field I/O", + "description": "Field I/O are devices that communicate with a controller or data aggregator to either send input data or receive output data. Input data may include readings about a given environment/device state from sensors, while output data may include data sent back to actuators for them to either undertake actions or change parameter values.(Citation: Guidance - NIST SP800-82) These devices are frequently embedded devices running on lightweight embedded operating systems or RTOSes. ", + "x_mitre_related_assets": [ + { + "name": "Smart Sensors", + "related_asset_sectors": [ + "General" + ], + "description": "*A device that procures a voltage or current output that is representative of some physical property being measured (e.g., speed, temperature, flow).* (Citation: Guidance - NIST SP800-82) Smart sensors take this functionality and add on on-device processing and network communication." + }, + { + "name": "Variable Frequency Drive (VFD)", + "related_asset_sectors": [ + "General" + ], + "description": "*A type of drive that controls the speed, but not the precise position, of a non-servo, AC motor by varying the frequency of the electricity going to that motor. VFDs are typically used for applications where speed and power are important, but precise positioning is not.* (Citation: Guidance - NIST SP800-82) VFDs can be network connected." + } + ], + "x_mitre_platforms": [ + "Embedded" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "type": "x-mitre-asset", + "id": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", + "created": "2023-09-28T17:57:22.946Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/assets/A0013", + "external_id": "A0013" + }, + { + "source_name": "Guidance - NIST SP800-82", + "description": "Keith Stouffer. (2015, May). Guide to Industrial Control Systems (ICS) Security. Retrieved March 28, 2018.", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-10-04T17:59:11.489Z", + "name": "Human-Machine Interface (HMI)", + "description": "Human-Machine Interfaces (HMIs) are systems used by an operator to monitor the real-time status of an operational process and to perform necessary control functions, including the adjustment of device parameters. An HMI can take various forms, including a dedicated screen or control panel integrated with a specific device/controller, or a customizable software GUI application running on a standard operating system (e.g., MS Windows) that interfaces with a control/SCADA server. The HMI is critical to ensuring operators have sufficient visibility and control over the operational process.", + "x_mitre_sectors": [ + "General" + ], + "x_mitre_related_assets": [ + { + "name": "Operator Workstation (OWS)", + "related_asset_sectors": [ + "General" + ], + "description": "An Operator Workstation (OWS) or Console is a system or device used by an operator to interface with a control system, including to access/visualizes key information or parameters about the operational process and initiate control actions. This typically consists of specialized OWS software installed on a Workstation platform. (Citation: IEC February 2019)" + } + ], + "x_mitre_platforms": [ + "Windows", + "Linux" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "type": "x-mitre-asset", + "id": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "created": "2023-09-28T14:38:54.407Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/assets/A0002", + "external_id": "A0002" + }, + { + "source_name": "IEC February 2019", + "description": "IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 2020/09/25 ", + "url": "https://webstore.iec.ch/publication/34421" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-10-04T18:01:02.506Z", + "name": "Intelligent Electronic Device (IED)", + "description": "An Intelligent Electronic Device (IED) is a type of specialized field device that is designed to perform specific operational functions, frequently for protection, monitoring, or control within the electric sector. IEDs are typically used to both acquire telemetry and execute tailored control algorithms/actions based on customizable parameters/settings. An IED is usually implemented as a dedicated embedded device and supports various network automation protocols to communicate with RTUs and Control Servers.", + "x_mitre_sectors": [ + "Electric" + ], + "x_mitre_related_assets": [ + { + "name": "Protection Relay", + "related_asset_sectors": [ + "Electric" + ], + "description": "A protection relay is a type of IED used within the electric sector to monitor for faults or problematic operating conditions on power lines, busses, or transformers. While traditionally protection relays were electromechanical or electromagnetic devices, modern relays utilize microprocessors, embedded operating system, and SCADA communications." + }, + { + "name": "Field Device / Controller", + "related_asset_sectors": [], + "description": "IEDs may be referred to as Field Controllers or Field Devices as a general function name. " + } + ], + "x_mitre_platforms": [ + "Embedded" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "type": "x-mitre-asset", + "id": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "created": "2023-09-28T14:46:42.566Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/assets/A0005", + "external_id": "A0005" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-10-04T18:03:06.811Z", + "name": "Jump Host", + "description": "Jump hosts are devices used to support remote management sessions into ICS networks or devices. The system is used to access the ICS environment securely from external networks, such as the corporate network. The user must first remote into the jump host before they can access ICS devices. The jump host may be a customized Windows server using common remote access protocols (e.g., RDP) or a dedicated access management device. The jump host typically performs various security functions to ensure the authenticity of remote sessions, including authentication, enforcing access controls/permissions, and auditing all access attempts. ", + "x_mitre_sectors": [ + "General" + ], + "x_mitre_related_assets": [ + { + "name": "Intermediate System", + "related_asset_sectors": [ + "Electric" + ], + "description": "A Cyber Asset or collection of Cyber Assets performing access control to restrict Interactive Remote Access to only authorized users.(Citation: North American Electric Reliability Corporation June 2021)" + } + ], + "x_mitre_platforms": [ + "Windows", + "Linux", + "Embedded" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "type": "x-mitre-asset", + "id": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "created": "2023-09-28T17:52:53.206Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/assets/A0012", + "external_id": "A0012" + }, + { + "source_name": "North American Electric Reliability Corporation June 2021", + "description": "North American Electric Reliability Corporation 2021, June 28 Glossary of Terms Used in NERC Reliability Standards Retrieved. 2021/10/11 ", + "url": "https://www.nerc.com/pa/Stand/Glossary%20of%20Terms/Glossary_of_Terms.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-10-04T18:09:21.296Z", + "name": "Programmable Logic Controller (PLC)", + "description": "A Programmable Logic Controller (PLC) is an embedded programmable control device. PLCs typically utilize a modular architecture with separate modules used to support its processing capabilities, communication mediums, and I/O interfaces. PLCs allow for the deployment of customized programs/logic to control or monitor an operational process. This logic is defined using industry specific programming languages, such as IEC 61131 (Citation: IEC February 2013), which define the set of tasks and program organizational units (POUs) included in the device\u2019s programs. PLCs also typically have distinct operating modes (e.g., Remote, Run, Program, Stop) which are used to determine when the device can be programmed or whether it should execute the custom logic.", + "x_mitre_sectors": [ + "General" + ], + "x_mitre_related_assets": [ + { + "name": "Process Automation Controller (PAC)", + "related_asset_sectors": [ + "General" + ], + "description": "Process Automation Controllers (PAC) share much of the same functionality as a PLC. PACs may include advanced features for process control, motion control, drive control, and vision applications. PACs may include additional features such as options to program in traditional programming languages such as C and C++ in addition to 61131 programming languages in order to support these more advanced controls. " + }, + { + "name": "Field Device / Controller", + "related_asset_sectors": [], + "description": "Programmable Logic Controller (PLC) may be referred to as Field Controllers or Field Devices as a general function name. " + } + ], + "x_mitre_platforms": [ + "Embedded" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "type": "x-mitre-asset", + "id": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "created": "2023-09-28T14:43:05.105Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/assets/A0003", + "external_id": "A0003" + }, + { + "source_name": "IEC February 2013", + "description": "IEC 2013, February 20 IEC 61131-3:2013 Programmable controllers - Part 3: Programming languages Retrieved. 2019/10/22 ", + "url": "https://webstore.iec.ch/publication/4552" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-10-04T18:05:43.237Z", + "name": "Remote Terminal Unit (RTU)", + "description": "A Remote Terminal Unit (RTU) is a device that typically resides between field devices (e.g., PLCs, IEDs) and control/SCADA servers and supports various communication interfacing and data aggregation functions. RTUs are typically responsible for forwarding commands from the control server and the collection of telemetry, events, and alerts from the field devices. An RTU can be implemented as a dedicated embedded device, as software platform that runs on a hardened/ruggedized computer, or using a custom application program on a PLC.", + "x_mitre_sectors": [ + "Electric", + "Water and Wastewater", + "General" + ], + "x_mitre_platforms": [ + "Embedded", + "Windows", + "Linux" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "type": "x-mitre-asset", + "id": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "created": "2023-09-28T14:44:54.756Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/assets/A0004", + "external_id": "A0004" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-10-16T18:49:26.400Z", + "name": "Routers", + "description": "A computer that is a gateway between two networks at OSI layer 3 and that relays and directs data packets through that inter-network. The most common form of router operates on IP packets.(Citation: IETF RFC4949 2007)", + "x_mitre_sectors": [ + "General" + ], + "x_mitre_platforms": [ + "Embedded" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "type": "x-mitre-asset", + "id": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", + "created": "2023-09-29T18:55:09.319Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/assets/A0014", + "external_id": "A0014" + }, + { + "source_name": "IETF RFC4949 2007", + "description": "Internet Engineering Task Force. (2007, August). Internet Security Glossary, Version 2. Retrieved September 29, 2023.", + "url": "https://www.ietf.org/rfc/rfc4949.txt" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-10-16T18:49:08.504Z", + "name": "Safety Controller", + "description": "Safety controllers are typically a type of field device used to perform the safety critical function. Safety controllers often support the deployment of custom programs/logic, similar to a PLC, but can also be tailored for sector specific functions/applications. The safety controllers typically utilize redundant hardware and processors to ensure they operate reliably if a component fails.", + "x_mitre_related_assets": [ + { + "name": "Safety Instrumented System (SIS) controller", + "related_asset_sectors": [], + "description": "SIS controllers are used to \u201ctake the process to a safe state when predetermined conditions are violated\u201d (Citation: Guidance - NIST SP800-82) through the reading of sensor data and interaction with digital/physical control surfaces. These devices are oftentimes located on programmable embedded devices running specialized RTOS or other embedded operating systems. " + }, + { + "name": "Emergency Shutdown Systems (ESD) controller", + "related_asset_sectors": [], + "description": "Emergency Shutdown System controllers are used to read sensor values and interact with control surfaces to return the system \u201cto a safe static condition so that any remedial action can be taken\u201d. (Citation: SIGTTO ESD 2021)" + }, + { + "name": "Burner Management Systems (BMS) controller", + "related_asset_sectors": [], + "description": "Burner Management System controllers are used to interact with sensors and control surfaces to maintain safe operating conditions for the burner. These can include safely starting-up and managing the main flame, controlling and monitoring the burning conditions, and safely initiating planned or unplanned shutdown sequences." + } + ], + "x_mitre_platforms": [ + "Embedded" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "type": "x-mitre-asset", + "id": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "created": "2023-09-28T15:10:05.534Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/assets/A0010", + "external_id": "A0010" + }, + { + "source_name": "Guidance - NIST SP800-82", + "description": "Keith Stouffer. (2015, May). Guide to Industrial Control Systems (ICS) Security. Retrieved March 28, 2018.", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + }, + { + "source_name": "SIGTTO ESD 2021", + "description": "Society of International Gas Tanker & Terminal Operators Ltd. (2021). ESD Systems: Recommendations for Emergency Shutdown and Related Safety Systems (Second Edition). Retrieved September 28, 2023.", + "url": "https://sigtto.org/media/3457/sigtto-2021-esd-systems.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-10-04T18:07:59.333Z", + "name": "Virtual Private Network (VPN) Server", + "description": "A VPN server is a device that is used to establish a secure network tunnel between itself and other remote VPN devices, including field VPNs. VPN servers can be used to establish a secure connection with a single remote device, or to securely bridge all traffic between two separate networks together by encapsulating all data between those networks. VPN servers typically support remote network services that are used by field VPNs to initiate the establishment of the secure VPN tunnel between the field device and server.", + "x_mitre_sectors": [ + "General" + ], + "x_mitre_related_assets": [ + { + "name": "Virtual Private Network (VPN) terminator", + "related_asset_sectors": [ + "General" + ], + "description": "A VPN terminator is a device performs the role of either a VPN client or server to support the establishment of VPN connection. (Citation: IEC February 2019)" + }, + { + "name": "Field VPN", + "related_asset_sectors": [ + "General" + ], + "description": "Field VPN are typically deployed at remote outstations and are used to create secure connections to VPN servers within data/control center environments. " + } + ], + "x_mitre_platforms": [ + "Windows", + "Linux", + "Embedded" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "type": "x-mitre-asset", + "id": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "created": "2023-09-28T15:13:07.950Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/assets/A0011", + "external_id": "A0011" + }, + { + "source_name": "IEC February 2019", + "description": "IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 2020/09/25 ", + "url": "https://webstore.iec.ch/publication/34421" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-09-28T14:23:52.358Z", + "name": "Workstation", + "description": "Workstations are devices used by human operators or engineers to perform various configuration, programming, maintenance, diagnostic, or operational tasks. Workstations typically utilize standard desktop or laptop hardware and operating systems (e.g., MS Windows), but run dedicated control system applications or diagnostic/management software to support interfacing with the control servers or field devices. Some workstations have a fixed location within the network architecture, while others are transient devices that are directly connected to various field devices to support local management activities.", + "x_mitre_sectors": [ + "General" + ], + "x_mitre_related_assets": [ + { + "name": "Transient Cyber Asset (TCA)", + "related_asset_sectors": [ + "Electric" + ], + "description": "A Transient Cyber Asset (TCA)(Citation: North American Electric Reliability Corporation June 2021) is a mobile workstation that is used to support management functions across multiple different networks, rather than being dedicated to any specific device/network. The TCA is often used to directly manage ICS environments that do not have any dedicated support for external remote access. Therefore, the TCA provides a mechanism for connectivity and file transfer to many networks/devices, even if they are segmented or \u201cair gapped\u201d from other networks. " + }, + { + "name": "Engineering Workstation (EWS)", + "related_asset_sectors": [ + "General" + ], + "description": "An Engineering Workstation (EWS) is used to perform various maintenance, configuration, or diagnostics functions for a control system. The EWS will likely require dedicated application software to interface with various devices (e.g., RTUs, PLCs), and may be used to transfer data or files between the control system devices and other networks. " + } + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "type": "x-mitre-asset", + "id": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "created": "2023-09-28T14:22:49.837Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/assets/A0001", + "external_id": "A0001" + }, + { + "source_name": "North American Electric Reliability Corporation June 2021", + "description": "North American Electric Reliability Corporation 2021, June 28 Glossary of Terms Used in NERC Reliability Standards Retrieved. 2021/10/11 ", + "url": "https://www.nerc.com/pa/Stand/Glossary%20of%20Terms/Glossary_of_Terms.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ], + "major_version_changes": [], + "minor_version_changes": [], + "other_version_changes": [], + "patches": [], + "revocations": [], + "deprecations": [], + "deletions": [] + }, + "mitigations": { + "additions": [], + "major_version_changes": [], + "minor_version_changes": [ + { + "type": "course-of-action", + "id": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-11 16:32:21.854000+00:00", + "modified": "2023-10-20 17:01:38.562000+00:00", + "name": "Authorization Enforcement", + "description": "The device or system should restrict read, manipulate, or execute privileges to only authenticated users who require access based on approved security policies. Role-based Access Control (RBAC) schemes can help reduce the overhead of assigning permissions to the large number of devices within an ICS. For example, IEC 62351 provides examples of roles used to support common system operations within the electric power sector (Citation: International Electrotechnical Commission July 2020), while IEEE 1686 defines standard permissions for users of IEDs. (Citation: Institute of Electrical and Electronics Engineers January 2014)", + "revoked": false, + "labels": [ + "IEC 62443-3-3:2013 - SR 2.1", + "IEC 62443-4-2:2019 - CR 2.1", + "NIST SP 800-53 Rev. 5 - AC-3" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0800", + "external_id": "M0800" + }, + { + "source_name": "Institute of Electrical and Electronics Engineers January 2014", + "description": "Institute of Electrical and Electronics Engineers 2014, January 1686-2013 - IEEE Standard for Intelligent Electronic Devices Cyber Security Capabilities Retrieved. 2020/09/17 ", + "url": "https://standards.ieee.org/standard/1686-2013.html" + }, + { + "source_name": "International Electrotechnical Commission July 2020", + "description": "International Electrotechnical Commission 2020, July 17 IEC 62351 - Power systems management and associated information exchange - Data and communications security Retrieved. 2020/09/17 ", + "url": "https://webstore.iec.ch/publication/6912" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-20 17:01:38.562000+00:00\", \"old_value\": \"2023-03-30 20:55:13.851000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}, \"root['labels'][2]\": {\"new_value\": \"NIST SP 800-53 Rev. 5 - AC-3\", \"old_value\": \"NIST SP 800-53 Rev. 4 - AC-3\"}}}", + "previous_version": "1.0", + "version_change": "1.0 \u2192 1.1" + }, + { + "type": "course-of-action", + "id": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-11 16:32:21.854000+00:00", + "modified": "2023-10-20 17:02:00.299000+00:00", + "name": "Human User Authentication", + "description": "Require user authentication before allowing access to data or accepting commands to a device. While strong multi-factor authentication is preferable, it is not always feasible within ICS environments. Performing strong user authentication also requires additional security controls and processes which are often the target of related adversarial techniques (e.g., Valid Accounts, Default Credentials). Therefore, associated ATT&CK mitigations should be considered in addition to this, including [Multi-factor Authentication](https://attack.mitre.org/mitigations/M0932), [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), [User Account Management](https://attack.mitre.org/mitigations/M0918), [Privileged Account Management](https://attack.mitre.org/mitigations/M0926), and [User Account Control](https://attack.mitre.org/mitigations/M1052).", + "revoked": false, + "labels": [ + "IEC 62443-3-3:2013 - SR 1.1", + "IEC 62443-4-2:2019 - CR 1.1", + "NIST SP 800-53 Rev. 5 - IA-2" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0804", + "external_id": "M0804" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-20 17:02:00.299000+00:00\", \"old_value\": \"2023-03-30 20:55:14.615000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}, \"root['labels'][2]\": {\"new_value\": \"NIST SP 800-53 Rev. 5 - IA-2\", \"old_value\": \"NIST SP 800-53 Rev. 4 - IA-2\"}}}", + "previous_version": "1.0", + "version_change": "1.0 \u2192 1.1" + } + ], + "other_version_changes": [], + "patches": [ + { + "type": "course-of-action", + "id": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-11 16:32:21.854000+00:00", + "modified": "2023-09-19 21:30:56.250000+00:00", + "name": "Access Management", + "description": "Access Management technologies can be used to enforce authorization polices and decisions, especially when existing field devices do not provided sufficient capabilities to support user identification and authentication. (Citation: McCarthy, J et al. July 2018) These technologies typically utilize an in-line network device or gateway system to prevent access to unauthenticated users, while also integrating with an authentication service to first verify user credentials. (Citation: Centre for the Protection of National Infrastructure November 2010)", + "revoked": false, + "labels": [ + "IEC 62443-3-3:2013 - SR 2.1", + "IEC 62443-4-2:2019 - CR 2.1", + "NIST SP 800-53 Rev. 5 - AC-3" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0801", + "external_id": "M0801" + }, + { + "source_name": "Centre for the Protection of National Infrastructure November 2010", + "description": "Centre for the Protection of National Infrastructure 2010, November Configuring and Managing Remote Access for Industrial Control Systems Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/RP_Managing_Remote_Access_S508NC.pdf" + }, + { + "source_name": "McCarthy, J et al. July 2018", + "description": "McCarthy, J et al. 2018, July NIST SP 1800-2 Identity and Access Management for Electric Utilities Retrieved. 2020/09/17 ", + "url": "https://doi.org/10.6028/NIST.SP.1800-2" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-19 21:30:56.250000+00:00\", \"old_value\": \"2023-03-30 20:55:14.081000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['labels'][2]\": {\"new_value\": \"NIST SP 800-53 Rev. 5 - AC-3\", \"old_value\": \"NIST SP 800-53 Rev. 4 - AC-3\"}}}", + "previous_version": "1.0" + }, + { + "type": "course-of-action", + "id": "course-of-action--86b455f2-fb63-4043-93a8-32a3a7703a02", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-06-11 16:32:21.854000+00:00", + "modified": "2023-09-19 21:31:48.809000+00:00", + "name": "Account Use Policies", + "description": "Configure features related to account use like login attempt lockouts, specific login times, etc.", + "revoked": false, + "labels": [ + "IEC 62443-3-3:2013 - SR 1.11", + "IEC 62443-4-2:2019 - CR 1.11", + "NIST SP 800-53 Rev. 5 - IA-5" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0936", + "external_id": "M0936" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-19 21:31:48.809000+00:00\", \"old_value\": \"2023-03-30 20:55:19.383000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['labels'][2]\": {\"new_value\": \"NIST SP 800-53 Rev. 5 - IA-5\", \"old_value\": \"NIST SP 800-53 Rev. 4 - IA-5\"}}}", + "previous_version": "1.0" + }, + { + "type": "course-of-action", + "id": "course-of-action--faf2b40e-5981-433f-aa46-17458e0026f7", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-06-11 17:08:33.055000+00:00", + "modified": "2023-09-19 21:32:18.375000+00:00", + "name": "Antivirus/Antimalware", + "description": "Use signatures or heuristics to detect malicious software. Within industrial control environments, antivirus/antimalware installations should be limited to assets that are not involved in critical or real-time operations. To minimize the impact to system availability, all products should first be validated within a representative test environment before deployment to production systems. (Citation: NCCIC August 2018)", + "revoked": false, + "labels": [ + "IEC 62443-3-3:2013 - SR 3.2", + "IEC 62443-4-2:2019 - CR 3.2", + "NIST SP 800-53 Rev. 4 - SI-3", + "NIST SP 800-53 Rev. 5 - SI-3" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0949", + "external_id": "M0949" + }, + { + "source_name": "NCCIC August 2018", + "description": "NCCIC 2018, August 2 Recommended Practice: Updating Antivirus in an Industrial Control System Retrieved. 2020/09/17 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/Recommended%20Practice%20Updating%20Antivirus%20in%20an%20Industrial%20Control%20System_S508C.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-19 21:32:18.375000+00:00\", \"old_value\": \"2023-03-30 20:55:21.180000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}}, \"iterable_item_added\": {\"root['labels'][3]\": \"NIST SP 800-53 Rev. 5 - SI-3\"}}", + "previous_version": "1.0" + }, + { + "type": "course-of-action", + "id": "course-of-action--8a3aadd0-b5f4-433a-800e-4893e4196bb7", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-10-25 14:48:53.732000+00:00", + "modified": "2023-09-19 21:32:48.390000+00:00", + "name": "Application Developer Guidance", + "description": "This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.", + "revoked": false, + "labels": [ + "NIST SP 800-53 Rev. 4 - AT-3", + "NIST SP 800-53 Rev. 4 - AT-3" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0913", + "external_id": "M0913" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-19 21:32:48.390000+00:00\", \"old_value\": \"2023-03-30 20:55:16.730000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}}}", + "previous_version": "1.0" + }, + { + "type": "course-of-action", + "id": "course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-06-11 17:06:56.230000+00:00", + "modified": "2023-09-19 21:33:26.200000+00:00", + "name": "Application Isolation and Sandboxing", + "description": "Restrict the execution of code to a virtual environment on or in-transit to an endpoint system.", + "revoked": false, + "labels": [ + "IEC 62443-3-3:2013 - SR 5.4", + "IEC 62443-4-2:2019 - CR 5.4", + "NIST SP 800-53 Rev. 5 - SI-3" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0948", + "external_id": "M0948" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-19 21:33:26.200000+00:00\", \"old_value\": \"2023-03-30 20:55:21.006000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['labels'][2]\": {\"new_value\": \"NIST SP 800-53 Rev. 5 - SI-3\", \"old_value\": \"NIST SP 800-53 Rev. 4 - SI-3\"}}}", + "previous_version": "1.0" + }, + { + "type": "course-of-action", + "id": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-06-11 17:06:14.029000+00:00", + "modified": "2023-09-19 21:34:08.571000+00:00", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. Perform periodic integrity checks of the device to validate the correctness of the firmware, software, programs, and configurations. Integrity checks, which typically include cryptographic hashes or digital signatures, should be compared to those obtained at known valid states, especially after events like device reboots, program downloads, or program restarts.", + "revoked": false, + "labels": [ + "IEC 62443-3-3:2013 - SR 3.4", + "IEC 62443-4-2:2019 - CR 3.4", + "NIST SP 800-53 Rev. 4 - SI-7", + "NIST SP 800-53 Rev. 5 - SI-7" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0947", + "external_id": "M0947" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-19 21:34:08.571000+00:00\", \"old_value\": \"2023-03-30 20:55:20.836000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}}, \"iterable_item_added\": {\"root['labels'][3]\": \"NIST SP 800-53 Rev. 5 - SI-7\"}}", + "previous_version": "1.0" + }, + { + "type": "course-of-action", + "id": "course-of-action--8ac1d6e1-b07f-476a-9732-84984ebc2405", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-06-11 17:02:36.984000+00:00", + "modified": "2023-09-19 21:38:22.681000+00:00", + "name": "Boot Integrity", + "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.", + "revoked": false, + "labels": [ + "IEC 62443-4-2:2019 - CR 3.14", + "NIST SP 800-53 Rev. 5 - SI-7" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0946", + "external_id": "M0946" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-19 21:38:22.681000+00:00\", \"old_value\": \"2023-03-30 20:55:20.632000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['labels'][1]\": {\"new_value\": \"NIST SP 800-53 Rev. 5 - SI-7\", \"old_value\": \"NIST SP 800-53 Rev. 4 - SI-7\"}}}", + "previous_version": "1.0" + }, + { + "type": "course-of-action", + "id": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-06-11 17:01:25.405000+00:00", + "modified": "2023-09-19 21:39:41.056000+00:00", + "name": "Code Signing", + "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", + "revoked": false, + "labels": [ + "IEC 62443-3-3:2013 - SR 3.4", + "IEC 62443-4-2:2019 - CR 3.4", + "NIST SP 800-53 Rev. 5 - SI-7" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0945", + "external_id": "M0945" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-19 21:39:41.056000+00:00\", \"old_value\": \"2023-03-30 20:55:20.464000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['labels'][2]\": {\"new_value\": \"NIST SP 800-53 Rev. 5 - SI-7\", \"old_value\": \"NIST SP 800-53 Rev. 4 - SI-7\"}}}", + "previous_version": "1.0" + }, + { + "type": "course-of-action", + "id": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-11 16:32:21.854000+00:00", + "modified": "2023-09-19 21:40:49.135000+00:00", + "name": "Communication Authenticity", + "description": "When communicating over an untrusted network, utilize secure network protocols that both authenticate the message sender and can verify its integrity. This can be done either through message authentication codes (MACs) or digital signatures, to detect spoofed network messages and unauthorized connections.", + "revoked": false, + "labels": [ + "IEC 62443-3-3:2013 - SR 3.1", + "IEC 62443-4-2:2019 - CR 3.1", + "NIST SP 800-53 Rev. 5 - SC-8; SC-23" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0802", + "external_id": "M0802" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-19 21:40:49.135000+00:00\", \"old_value\": \"2023-03-30 20:55:14.263000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['labels'][2]\": {\"new_value\": \"NIST SP 800-53 Rev. 5 - SC-8; SC-23\", \"old_value\": \"NIST SP 800-53 Rev. 4 - SC-8; SC-23\"}}}", + "previous_version": "1.0" + }, + { + "type": "course-of-action", + "id": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-07-19 14:33:33.543000+00:00", + "modified": "2023-09-19 21:41:39.667000+00:00", + "name": "Data Backup", + "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of 'gold-copy' back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.", + "revoked": false, + "labels": [ + "IEC 62443-3-3:2013 - SR 7.3", + "IEC 62443-4-2:2019 - CR 7.3", + "NIST SP 800-53 Rev. 5 - CP-9" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0953", + "external_id": "M0953" + }, + { + "source_name": "Department of Homeland Security October 2009", + "description": "Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 2020/09/17 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-19 21:41:39.667000+00:00\", \"old_value\": \"2023-03-30 20:55:21.679000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['labels'][2]\": {\"new_value\": \"NIST SP 800-53 Rev. 5 - CP-9\", \"old_value\": \"NIST SP 800-53 Rev. 4 - CP-9\"}}}", + "previous_version": "1.0" + }, + { + "type": "course-of-action", + "id": "course-of-action--d0909119-2f71-4923-87db-b649881672d7", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-06-11 16:45:19.740000+00:00", + "modified": "2023-09-19 21:42:11.231000+00:00", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "revoked": false, + "labels": [ + "IEC 62443-3-3:2013 - SR 7.7", + "IEC 62443-4-2:2019 - CR 7.7", + "NIST SP 800-53 Rev. 5 - CM-7" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0942", + "external_id": "M0942" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-19 21:42:11.231000+00:00\", \"old_value\": \"2023-03-30 20:55:20.110000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['labels'][2]\": {\"new_value\": \"NIST SP 800-53 Rev. 5 - CM-7\", \"old_value\": \"NIST SP 800-53 Rev. 4 - CM-7\"}}}", + "previous_version": "1.0" + }, + { + "type": "course-of-action", + "id": "course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-11 16:32:21.854000+00:00", + "modified": "2023-09-19 21:42:52.198000+00:00", + "name": "Encrypt Network Traffic", + "description": "Utilize strong cryptographic techniques and protocols to prevent eavesdropping on network communications.", + "revoked": false, + "labels": [ + "IEC 62443-3-3:2013 - SR 4.1", + "IEC 62443-4-2:2019 - CR 4.1", + "NIST SP 800-53 Rev. 5 - SC-8" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0808", + "external_id": "M0808" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-19 21:42:52.198000+00:00\", \"old_value\": \"2023-03-30 20:55:15.230000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['labels'][2]\": {\"new_value\": \"NIST SP 800-53 Rev. 5 - SC-8\", \"old_value\": \"NIST SP 800-53 Rev. 4 - SC-8\"}}}", + "previous_version": "1.0" + }, + { + "type": "course-of-action", + "id": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-06-11 16:43:44.834000+00:00", + "modified": "2023-09-19 21:43:17.085000+00:00", + "name": "Encrypt Sensitive Information", + "description": "Protect sensitive data-at-rest with strong encryption.", + "revoked": false, + "labels": [ + "IEC 62443-3-3:2013 - SR 4.1", + "IEC 62443-4-2:2019 - CR 4.1", + "NIST SP 800-53 Rev. 5 - SC-28" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0941", + "external_id": "M0941" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-19 21:43:17.085000+00:00\", \"old_value\": \"2023-03-30 20:55:19.946000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['labels'][2]\": {\"new_value\": \"NIST SP 800-53 Rev. 5 - SC-28\", \"old_value\": \"NIST SP 800-53 Rev. 4 - SC-28\"}}}", + "previous_version": "1.0" + }, + { + "type": "course-of-action", + "id": "course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-06-11 16:35:25.488000+00:00", + "modified": "2023-09-19 21:43:44.551000+00:00", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "revoked": false, + "labels": [ + "IEC 62443-3-3:2013 - SR 3.2", + "IEC 62443-4-2:2019 - CR 3.2", + "NIST SP 800-53 Rev. 5 - SI-3" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0938", + "external_id": "M0938" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-19 21:43:44.551000+00:00\", \"old_value\": \"2023-03-30 20:55:19.774000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['labels'][2]\": {\"new_value\": \"NIST SP 800-53 Rev. 5 - SI-3\", \"old_value\": \"NIST SP 800-53 Rev. 4 - SI-3\"}}}", + "previous_version": "1.0" + }, + { + "type": "course-of-action", + "id": "course-of-action--49363b74-d506-4342-bd63-320586ebadb9", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-06-11 17:10:57.070000+00:00", + "modified": "2023-09-19 21:44:04.416000+00:00", + "name": "Exploit Protection", + "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", + "revoked": false, + "labels": [ + "IEC 62443-3-3:2013 - SR 3.2", + "IEC 62443-4-2:2019 - CR 3.2", + "NIST SP 800-53 Rev. 5 - SI-16" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0950", + "external_id": "M0950" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-19 21:44:04.416000+00:00\", \"old_value\": \"2023-03-30 20:55:21.352000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['labels'][2]\": {\"new_value\": \"NIST SP 800-53 Rev. 5 - SI-16\", \"old_value\": \"NIST SP 800-53 Rev. 4 - SI-16\"}}}", + "previous_version": "1.0" + }, + { + "type": "course-of-action", + "id": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-06-11 16:33:55.337000+00:00", + "modified": "2023-09-19 21:44:59.425000+00:00", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic. Perform inline allow/denylisting of network messages based on the application layer (OSI Layer 7) protocol, especially for automation protocols. Application allowlists are beneficial when there are well-defined communication sequences, types, rates, or patterns needed during expected system operations. Application denylists may be needed if all acceptable communication sequences cannot be defined, but instead a set of known malicious uses can be denied (e.g., excessive communication attempts, shutdown messages, invalid commands). Devices performing these functions are often referred to as deep-packet inspection (DPI) firewalls, context-aware firewalls, or firewalls blocking specific automation/SCADA protocol aware firewalls. (Citation: Centre for the Protection of National Infrastructure February 2005)", + "revoked": false, + "labels": [ + "IEC 62443-3-3:2013 - SR 5.1", + "IEC 62443-4-2:2019 - CR 5.1", + "NIST SP 800-53 Rev. 5 - AC-3; SC-7" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0937", + "external_id": "M0937" + }, + { + "source_name": "Centre for the Protection of National Infrastructure February 2005", + "description": "Centre for the Protection of National Infrastructure 2005, February FIREWALL DEPLOYMENT FOR SCADA AND PROCESS CONTROL NETWORKS Retrieved. 2020/09/17 ", + "url": "https://www.energy.gov/sites/prod/files/Good%20Practices%20Guide%20for%20Firewall%20Deployment.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-19 21:44:59.425000+00:00\", \"old_value\": \"2023-03-30 20:55:19.604000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['labels'][2]\": {\"new_value\": \"NIST SP 800-53 Rev. 5 - AC-3; SC-7\", \"old_value\": \"NIST SP 800-53 Rev. 4 - AC-3; SC-7\"}}}", + "previous_version": "1.0" + }, + { + "type": "course-of-action", + "id": "course-of-action--49b306c1-a046-42c5-a4d2-30f264ada110", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-06-11 16:30:16.672000+00:00", + "modified": "2023-09-19 21:48:00.950000+00:00", + "name": "Limit Access to Resource Over Network", + "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.", + "revoked": false, + "labels": [ + "IEC 62443-3-3:2013 - SR 5.1", + "IEC 62443-4-2:2019 - CR 5.1", + "NIST SP 800-53 Rev. 5 - AC-3; SC-7" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0935", + "external_id": "M0935" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-19 21:48:00.950000+00:00\", \"old_value\": \"2023-03-30 20:55:19.179000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['labels'][2]\": {\"new_value\": \"NIST SP 800-53 Rev. 5 - AC-3; SC-7\", \"old_value\": \"NIST SP 800-53 Rev. 4 - AC-3; SC-7\"}}}", + "previous_version": "1.0" + }, + { + "type": "course-of-action", + "id": "course-of-action--9e3adcad-0b8f-4ecc-a2f3-06f607f53bf0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-06-11 16:28:41.809000+00:00", + "modified": "2023-09-19 21:48:22.980000+00:00", + "name": "Limit Hardware Installation", + "description": "Block users or groups from installing or using unapproved hardware on systems, including USB devices.", + "revoked": false, + "labels": [ + "IEC 62443-3-3:2013 - SR 3.2", + "IEC 62443-4-2:2019 - EDR 3.2", + "NIST SP 800-53 Rev. 5 - MP-7" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0934", + "external_id": "M0934" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-19 21:48:22.980000+00:00\", \"old_value\": \"2023-03-30 20:55:19.007000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['labels'][2]\": {\"new_value\": \"NIST SP 800-53 Rev. 5 - MP-7\", \"old_value\": \"NIST SP 800-53 Rev. 4 - MP-7\"}}}", + "previous_version": "1.0" + }, + { + "type": "course-of-action", + "id": "course-of-action--fce6866f-9a87-4d3e-a73c-f02d8937fe0e", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-11 16:32:21.854000+00:00", + "modified": "2023-09-19 21:48:44.925000+00:00", + "name": "Minimize Wireless Signal Propagation", + "description": "Wireless signals frequently propagate outside of organizational boundaries, which provide opportunities for adversaries to monitor or gain unauthorized access to the wireless network. (Citation: CISA March 2010) To minimize this threat, organizations should implement measures to detect, understand, and reduce unnecessary RF propagation. (Citation: DHS National Urban Security Technology Laboratory April 2019)", + "revoked": false, + "labels": [ + "IEC 62443-3-3:2013 - SR 1.6", + "IEC 62443-4-2:2019 - CR 1.6", + "NIST SP 800-53 Rev. 5 - SC-40" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0806", + "external_id": "M0806" + }, + { + "source_name": "CISA March 2010", + "description": "CISA 2010, March Securing Wireless Networks Retrieved. 2020/09/17 ", + "url": "https://us-cert.cisa.gov/ncas/tips/ST05-003" + }, + { + "source_name": "DHS National Urban Security Technology Laboratory April 2019", + "description": "DHS National Urban Security Technology Laboratory 2019, April Radio Frequency Detection, Spectrum Analysis, and Direction Finding Equipment Retrieved. 2020/09/17 ", + "url": "https://www.dhs.gov/sites/default/files/saver-msr-rf-detection_cod-508_10july2019.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-19 21:48:44.925000+00:00\", \"old_value\": \"2023-03-30 20:55:14.800000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['labels'][2]\": {\"new_value\": \"NIST SP 800-53 Rev. 5 - SC-40\", \"old_value\": \"NIST SP 800-53 Rev. 4 - SC-40\"}}}", + "previous_version": "1.0" + }, + { + "type": "course-of-action", + "id": "course-of-action--ddf3e568-f065-49e2-9106-42029a28ddbd", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-06-10 20:53:36.319000+00:00", + "modified": "2023-09-19 21:49:12.466000+00:00", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator. Within industrial control environments assets such as low-level controllers, workstations, and HMIs have real-time operational control and safety requirements which may restrict the use of multi-factor.", + "revoked": false, + "labels": [ + "IEC 62443-3-3:2013 - SR 1.7", + "IEC 62443-4-2:2019 - CR 1.7", + "NIST SP 800-53 Rev. 5 - IA-2" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0932", + "external_id": "M0932" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-19 21:49:12.466000+00:00\", \"old_value\": \"2023-03-30 20:55:18.842000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['labels'][2]\": {\"new_value\": \"NIST SP 800-53 Rev. 5 - IA-2\", \"old_value\": \"NIST SP 800-53 Rev. 4 - IA-2\"}}}", + "previous_version": "1.0" + }, + { + "type": "course-of-action", + "id": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-06-10 20:53:36.319000+00:00", + "modified": "2023-09-19 21:49:34.958000+00:00", + "name": "Network Allowlists", + "description": "Network allowlists can be implemented through either host-based files or system hosts files to specify what connections (e.g., IP address, MAC address, port, protocol) can be made from a device. Allowlist techniques that operate at the application layer (e.g., DNP3, Modbus, HTTP) are addressed in [Filter Network Traffic](https://attack.mitre.org/mitigations/M0937) mitigation.", + "revoked": false, + "labels": [ + "NIST SP 800-53 Rev. 5 - AC-3" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0807", + "external_id": "M0807" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-19 21:49:34.958000+00:00\", \"old_value\": \"2023-03-30 20:55:14.969000+00:00\"}, \"root['labels'][0]\": {\"new_value\": \"NIST SP 800-53 Rev. 5 - AC-3\", \"old_value\": \"NIST SP 800-53 Rev. 4 - AC-3\"}}}", + "previous_version": "1.0" + }, + { + "type": "course-of-action", + "id": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-06-10 20:46:02.263000+00:00", + "modified": "2023-09-19 21:49:53.366000+00:00", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries. In industrial control environments, network intrusion prevention should be configured so it will not disrupt protocols and communications responsible for real-time functions related to control or safety.", + "revoked": false, + "labels": [ + "IEC 62443-3-3:2013 - SR 6.2", + "IEC 62443-4-2:2019 - CR 6.2", + "NIST SP 800-53 Rev. 5 - SI-4" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0931", + "external_id": "M0931" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-19 21:49:53.366000+00:00\", \"old_value\": \"2023-03-30 20:55:18.665000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['labels'][2]\": {\"new_value\": \"NIST SP 800-53 Rev. 5 - SI-4\", \"old_value\": \"NIST SP 800-53 Rev. 4 - SI-4\"}}}", + "previous_version": "1.0" + }, + { + "type": "course-of-action", + "id": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-06-10 20:41:03.271000+00:00", + "modified": "2023-09-19 21:50:12.354000+00:00", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Restrict network access to only required systems and services. In addition, prevent systems from other networks or business functions (e.g., enterprise) from accessing critical process control systems. For example, in IEC 62443, systems within the same secure level should be grouped into a zone, and access to that zone is restricted by a conduit, or mechanism to restrict data flows between zones by segmenting the network. (Citation: IEC February 2019) (Citation: IEC August 2013)", + "revoked": false, + "labels": [ + "IEC 62443-3-3:2013 - SR 5.1", + "IEC 62443-4-2:2019 - CR 5.1", + "NIST SP 800-53 Rev. 5 - AC-3" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0930", + "external_id": "M0930" + }, + { + "source_name": "IEC August 2013", + "description": "IEC 2013, August Industrial communication networks - Network and system security - Part 3-3: System security requirements and security levels Retrieved. 2020/09/25 ", + "url": "https://webstore.iec.ch/publication/7033" + }, + { + "source_name": "IEC February 2019", + "description": "IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 2020/09/25 ", + "url": "https://webstore.iec.ch/publication/34421" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-19 21:50:12.354000+00:00\", \"old_value\": \"2023-03-30 20:55:18.480000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['labels'][2]\": {\"new_value\": \"NIST SP 800-53 Rev. 5 - AC-3\", \"old_value\": \"NIST SP 800-53 Rev. 4 - AC-3\"}}}", + "previous_version": "1.0" + }, + { + "type": "course-of-action", + "id": "course-of-action--9a945a29-5233-4422-a9e3-3e957b0e8bce", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-06-06 21:16:18.709000+00:00", + "modified": "2023-09-19 21:50:30.709000+00:00", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "revoked": false, + "labels": [ + "IEC 62443-3-3:2013 - SR 7.7", + "IEC 62443-4-2:2019 - CR 7.7", + "NIST SP 800-53 Rev. 5 - CM-7" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0928", + "external_id": "M0928" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-19 21:50:30.709000+00:00\", \"old_value\": \"2023-03-30 20:55:18.276000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['labels'][2]\": {\"new_value\": \"NIST SP 800-53 Rev. 5 - CM-7\", \"old_value\": \"NIST SP 800-53 Rev. 4 - CM-7\"}}}", + "previous_version": "1.0" + }, + { + "type": "course-of-action", + "id": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-06-06 21:16:18.709000+00:00", + "modified": "2023-09-19 21:50:55.129000+00:00", + "name": "Out-of-Band Communications Channel", + "description": "Have alternative methods to support communication requirements during communication failures and data integrity attacks. (Citation: National Institute of Standards and Technology April 2013) (Citation: Defense Advanced Research Projects Agency)", + "revoked": false, + "labels": [ + "NIST SP 800-53 Rev. 5 - SC-37" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0810", + "external_id": "M0810" + }, + { + "source_name": "Defense Advanced Research Projects Agency", + "description": "Defense Advanced Research Projects Agency National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 Rapid Attack Detection, Isolation and Characterization Systems (RADICS) Retrieved. 2020/09/17 ", + "url": "https://www.darpa.mil/program/rapid-attack-detection-isolation-and-characterization-systems" + }, + { + "source_name": "National Institute of Standards and Technology April 2013", + "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-19 21:50:55.129000+00:00\", \"old_value\": \"2023-03-30 20:55:15.598000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['labels'][0]\": {\"new_value\": \"NIST SP 800-53 Rev. 5 - SC-37\", \"old_value\": \"NIST SP 800-53 Rev. 4 - SC-37\"}}}", + "previous_version": "1.0" + }, + { + "type": "course-of-action", + "id": "course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-06-06 21:10:35.792000+00:00", + "modified": "2023-09-19 21:51:14.526000+00:00", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "revoked": false, + "labels": [ + "IEC 62443-3-3:2013 - SR 1.5", + "IEC 62443-4-2:2019 - CR 1.5", + "NIST SP 800-53 Rev. 5 - IA-5" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0927", + "external_id": "M0927" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-19 21:51:14.526000+00:00\", \"old_value\": \"2023-03-30 20:55:18.097000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['labels'][2]\": {\"new_value\": \"NIST SP 800-53 Rev. 5 - IA-5\", \"old_value\": \"NIST SP 800-53 Rev. 4 - IA-5\"}}}", + "previous_version": "1.0" + }, + { + "type": "course-of-action", + "id": "course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-06-06 21:09:47.115000+00:00", + "modified": "2023-09-19 21:51:40.366000+00:00", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "revoked": false, + "labels": [ + "IEC 62443-3-3:2013 - SR 1.3", + "IEC 62443-4-2:2019 - CR 1.3", + "NIST SP 800-53 Rev. 5 - AC-2" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0926", + "external_id": "M0926" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-19 21:51:40.366000+00:00\", \"old_value\": \"2023-03-30 20:55:17.929000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['labels'][2]\": {\"new_value\": \"NIST SP 800-53 Rev. 5 - AC-2\", \"old_value\": \"NIST SP 800-53 Rev. 4 - AC-2\"}}}", + "previous_version": "1.0" + }, + { + "type": "course-of-action", + "id": "course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-06-06 21:16:18.709000+00:00", + "modified": "2023-09-19 21:52:11.728000+00:00", + "name": "Redundancy of Service", + "description": "Redundancy could be provided for both critical ICS devices and services, such as back-up devices or hot-standbys.", + "revoked": false, + "labels": [ + "NIST SP 800-53 Rev. 5 - CP-9" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0811", + "external_id": "M0811" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-19 21:52:11.728000+00:00\", \"old_value\": \"2023-03-30 20:55:15.773000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['labels'][0]\": {\"new_value\": \"NIST SP 800-53 Rev. 5 - CP-9\", \"old_value\": \"NIST SP 800-53 Rev. 4 - CP-9\"}}}", + "previous_version": "1.0" + }, + { + "type": "course-of-action", + "id": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-06-06 20:54:49.964000+00:00", + "modified": "2023-09-20 13:10:12.604000+00:00", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "revoked": false, + "labels": [ + "IEC 62443-3-3:2013 - SR 2.1", + "IEC 62443-4-2:2019 - CR 2.1", + "NIST SP 800-53 Rev. 5 - AC-6" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0922", + "external_id": "M0922" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-20 13:10:12.604000+00:00\", \"old_value\": \"2023-03-30 20:55:17.592000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['labels'][2]\": {\"new_value\": \"NIST SP 800-53 Rev. 5 - AC-6\", \"old_value\": \"NIST SP 800-53 Rev. 4 - AC-6\"}}}", + "previous_version": "1.0" + }, + { + "type": "course-of-action", + "id": "course-of-action--2ab9fc6d-3cf6-4d7b-85f1-3ad6949233b3", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-06-11 17:00:01.740000+00:00", + "modified": "2023-09-20 13:10:52.949000+00:00", + "name": "Restrict Library Loading", + "description": "Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library loading mechanisms and investigating potential vulnerable software.", + "revoked": false, + "labels": [ + "IEC 62443-3-3:2013 - SR 7.7", + "IEC 62443-4-2:2019 - CR 7.7", + "NIST SP 800-53 Rev. 5 - CM-7" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0944", + "external_id": "M0944" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-20 13:10:52.949000+00:00\", \"old_value\": \"2023-04-11 20:51:32.610000+00:00\"}, \"root['labels'][2]\": {\"new_value\": \"NIST SP 800-53 Rev. 5 - CM-7\", \"old_value\": \"NIST SP 800-53 Rev. 4 - CM-7\"}}}", + "previous_version": "1.0" + }, + { + "type": "course-of-action", + "id": "course-of-action--3222a807-521b-4a1a-aa13-f1cda45734b3", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-06-06 20:58:59.577000+00:00", + "modified": "2023-09-20 13:11:12.773000+00:00", + "name": "Restrict Registry Permissions", + "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.", + "revoked": false, + "labels": [ + "IEC 62443-3-3:2013 - SR 2.1", + "IEC 62443-4-2:2019 - CR 2.1", + "NIST SP 800-53 Rev. 5 - AC-6" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0924", + "external_id": "M0924" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-20 13:11:12.773000+00:00\", \"old_value\": \"2023-03-30 20:55:17.759000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['labels'][2]\": {\"new_value\": \"NIST SP 800-53 Rev. 5 - AC-6\", \"old_value\": \"NIST SP 800-53 Rev. 4 - AC-6\"}}}", + "previous_version": "1.0" + }, + { + "type": "course-of-action", + "id": "course-of-action--143b4398-3222-480a-b6a4-e131bc2d3144", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-06-06 20:52:59.206000+00:00", + "modified": "2023-09-20 13:11:35.668000+00:00", + "name": "Restrict Web-Based Content", + "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", + "revoked": false, + "labels": [ + "IEC 62443-3-3:2013 - SR 2.4", + "IEC 62443-4-2:2019 - HDR 2.4", + "NIST SP 800-53 Rev. 5 - SC-18" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0921", + "external_id": "M0921" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-20 13:11:35.668000+00:00\", \"old_value\": \"2023-03-30 20:55:17.426000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['labels'][2]\": {\"new_value\": \"NIST SP 800-53 Rev. 5 - SC-18\", \"old_value\": \"NIST SP 800-53 Rev. 4 - SC-18\"}}}", + "previous_version": "1.0" + }, + { + "type": "course-of-action", + "id": "course-of-action--facb8840-ebe7-49f1-b464-8ef6c8131e21", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-07-19 14:40:23.529000+00:00", + "modified": "2023-09-20 13:12:04.727000+00:00", + "name": "Software Configuration", + "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated with how the software operates.", + "revoked": false, + "labels": [ + "IEC 62443-3-3:2013 - SR 7.7", + "IEC 62443-4-2:2019 - CR 7.7", + "NIST SP 800-53 Rev. 5 - CM-7" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0954", + "external_id": "M0954" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-20 13:12:04.727000+00:00\", \"old_value\": \"2023-03-30 20:55:21.915000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['labels'][2]\": {\"new_value\": \"NIST SP 800-53 Rev. 5 - CM-7\", \"old_value\": \"NIST SP 800-53 Rev. 4 - CM-7\"}}}", + "previous_version": "1.0" + }, + { + "type": "course-of-action", + "id": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-06-06 21:16:18.709000+00:00", + "modified": "2023-09-20 13:12:24.527000+00:00", + "name": "Software Process and Device Authentication", + "description": "Require the authentication of devices and software processes where appropriate. Devices that connect remotely to other systems should require strong authentication to prevent spoofing of communications. Furthermore, software processes should also require authentication when accessing APIs.", + "revoked": false, + "labels": [ + "IEC 62443-3-3:2013 - SR 1.2", + "IEC 62443-4-2:2019 - CR 1.2", + "NIST SP 800-53 Rev. 5 - IA-9" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0813", + "external_id": "M0813" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-20 13:12:24.527000+00:00\", \"old_value\": \"2023-03-30 20:55:15.949000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['labels'][2]\": {\"new_value\": \"NIST SP 800-53 Rev. 5 - IA-9\", \"old_value\": \"NIST SP 800-53 Rev. 4 - IA-9\"}}}", + "previous_version": "1.0" + }, + { + "type": "course-of-action", + "id": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-06-06 21:16:18.709000+00:00", + "modified": "2023-09-20 13:12:51.139000+00:00", + "name": "Static Network Configuration", + "description": "Configure hosts and devices to use static network configurations when possible, protocols that require dynamic discovery/addressing (e.g., ARP, DHCP, DNS) can be used to manipulate network message forwarding and enable various AiTM attacks. This mitigation may not always be usable due to limited device features or challenges introduced with different network configurations.", + "revoked": false, + "labels": [ + "IEC 62443-3-3:2013 - SR 7.7", + "IEC 62443-4-2:2019 - CR 7.7", + "NIST SP 800-53 Rev. 5 - CM-7" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0814", + "external_id": "M0814" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-20 13:12:51.139000+00:00\", \"old_value\": \"2023-04-05 14:21:27.977000+00:00\"}, \"root['labels'][2]\": {\"new_value\": \"NIST SP 800-53 Rev. 5 - CM-7\", \"old_value\": \"NIST SP 800-53 Rev. 4 - CM-7\"}}}", + "previous_version": "1.1" + }, + { + "type": "course-of-action", + "id": "course-of-action--ac8f3492-7fbb-4a0a-b0b4-b75ec676136c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-04-12 17:00:21.233000+00:00", + "modified": "2023-09-20 13:13:12.169000+00:00", + "name": "Supply Chain Management", + "description": "Implement a supply chain management program, including policies and procedures to ensure all devices and components originate from a trusted supplier and are tested to verify their integrity.", + "revoked": false, + "labels": [ + "NIST SP 800-53 Rev. 4 - SA-12", + "NIST SP 800-53 Rev. 5 - SR-1" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0817", + "external_id": "M0817" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-20 13:13:12.169000+00:00\", \"old_value\": \"2023-03-30 20:55:16.556000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}}, \"iterable_item_added\": {\"root['labels'][1]\": \"NIST SP 800-53 Rev. 5 - SR-1\"}}", + "previous_version": "1.0" + }, + { + "type": "course-of-action", + "id": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-06-11 17:12:55.207000+00:00", + "modified": "2023-09-20 13:13:41.305000+00:00", + "name": "Update Software", + "description": "Perform regular software updates to mitigate exploitation risk. Software updates may need to be scheduled around operational down times.", + "revoked": false, + "labels": [ + "IEC 62443-4-2:2019 - CR 3.10", + "NIST SP 800-53 Rev. 5 - SI-2" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0951", + "external_id": "M0951" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-20 13:13:41.305000+00:00\", \"old_value\": \"2023-03-30 20:55:21.512000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['labels'][1]\": {\"new_value\": \"NIST SP 800-53 Rev. 5 - SI-2\", \"old_value\": \"NIST SP 800-53 Rev. 4 - SI-2\"}}}", + "previous_version": "1.0" + }, + { + "type": "course-of-action", + "id": "course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-06-06 16:50:58.767000+00:00", + "modified": "2023-09-20 13:14:10.061000+00:00", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "revoked": false, + "labels": [ + "IEC 62443-3-3:2013 - SR 1.3", + "IEC 62443-4-2:2019 - CR 1.3", + "NIST SP 800-53 Rev. 5 - AC-2" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0918", + "external_id": "M0918" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-20 13:14:10.061000+00:00\", \"old_value\": \"2023-03-30 20:55:17.252000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['labels'][2]\": {\"new_value\": \"NIST SP 800-53 Rev. 5 - AC-2\", \"old_value\": \"NIST SP 800-53 Rev. 4 - AC-2\"}}}", + "previous_version": "1.0" + }, + { + "type": "course-of-action", + "id": "course-of-action--dc61c280-c29d-44e5-a960-c0dd1623d2ba", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-06-06 16:50:04.963000+00:00", + "modified": "2023-09-20 13:14:30.311000+00:00", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "revoked": false, + "labels": [ + "NIST SP 800-53 Rev. 5 - AT-2" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0917", + "external_id": "M0917" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-20 13:14:30.311000+00:00\", \"old_value\": \"2023-03-30 20:55:17.076000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['labels'][0]\": {\"new_value\": \"NIST SP 800-53 Rev. 5 - AT-2\", \"old_value\": \"NIST SP 800-53 Rev. 4 - AT-2\"}}}", + "previous_version": "1.0" + }, + { + "type": "course-of-action", + "id": "course-of-action--1cbcceef-3233-4062-aa86-ec91afe39517", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-03-22 15:49:55.439000+00:00", + "modified": "2023-09-20 13:14:57.819000+00:00", + "name": "Validate Program Inputs", + "description": "Devices and programs designed to interact with control system parameters should validate the format and content of all user inputs and actions to ensure the values are within intended operational ranges. These values should be evaluated and further enforced through the program logic running on the field controller. If a problematic or invalid input is identified, the programs should either utilize a predetermined safe value or enter a known safe state, while also logging or alerting on the event.(Citation: PLCTop20 Mar 2023)", + "revoked": false, + "labels": [ + "IEC 62443-3-3:2013 - SR 3.5", + "IEC 62443-3-3:2013 - SR 3.6", + "IEC 62443-4-2:2019 - CR 3.5", + "IEC 62443-4-2:2019 - CR 3.6", + "NIST SP 800-53 Rev. 5 - SI-10" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0818", + "external_id": "M0818" + }, + { + "source_name": "PLCTop20 Mar 2023", + "description": "PLC Security, Top 20 Community. (2021, June 15). Secure PLC Coding Practices: Top 20 version 1.0. Retrieved March 22, 2023.", + "url": "https://plc-security.com/content/Top_20_Secure_PLC_Coding_Practices_V1.0.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-20 13:14:57.819000+00:00\", \"old_value\": \"2023-03-31 19:16:54.636000+00:00\"}}, \"iterable_item_added\": {\"root['labels'][4]\": \"NIST SP 800-53 Rev. 5 - SI-10\"}, \"iterable_item_removed\": {\"root['labels'][0]\": \"NIST SP 800-53 Rev. 4 - SI-10\"}}", + "previous_version": "1.0" + }, + { + "type": "course-of-action", + "id": "course-of-action--de0bc375-50e1-4e26-a342-a8ff8c9d3037", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-06-06 16:47:30.700000+00:00", + "modified": "2023-09-20 13:15:23.350000+00:00", + "name": "Vulnerability Scanning", + "description": "Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.", + "revoked": false, + "labels": [ + "NIST SP 800-53 Rev. 5 - RA-5" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0916", + "external_id": "M0916" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-20 13:15:23.350000+00:00\", \"old_value\": \"2023-03-30 20:55:16.897000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['labels'][0]\": {\"new_value\": \"NIST SP 800-53 Rev. 5 - RA-5\", \"old_value\": \"NIST SP 800-53 Rev. 4 - RA-5\"}}}", + "previous_version": "1.0" + } + ], + "revocations": [], + "deprecations": [], + "deletions": [] + }, + "datasources": { + "additions": [], + "major_version_changes": [], + "minor_version_changes": [], + "other_version_changes": [], + "patches": [], + "revocations": [], + "deprecations": [], + "deletions": [] + }, + "datacomponents": { + "additions": [], + "major_version_changes": [], + "minor_version_changes": [], + "other_version_changes": [], + "patches": [], + "revocations": [], + "deprecations": [], + "deletions": [] + } + }, + "new-contributors": [ + "Aaron Jornet", + "Adam Lichters", + "Adam Mashinchi", + "Ai Kimura, NEC Corporation", + "Alain Homewood", + "Alex Spivakovsky, Pentera", + "Amir Gharib, Microsoft Threat Intelligence", + "Andrew Northern, @ex_raritas", + "Arad Inbar, Fidelis Security", + "Austin Herrin", + "Ben Smith, @ezaspy", + "Bilal Bahad\u0131r Yenici", + "Blake Strom, Microsoft Threat Intelligence", + "Brian Donohue", + "Caio Silva", + "Christopher Peacock", + "Edward Stevens, BT Security", + "Ford Qin, Trend Micro", + "Giorgi Gurgenidze, ISAC", + "Goldstein Menachem", + "Gregory Lesnewich, @greglesnewich", + "Gunji Satoshi, NEC Corporation", + "Harry Kim, CODEMIZE", + "Harun K\u00fc\u00dfner", + "Hiroki Nagahama, NEC Corporation", + "Itamar Mizrahi, Cymptom", + "Jack Burns, HubSpot", + "Janantha Marasinghe", + "Jennifer Kim Roman, CrowdStrike", + "Joas Antonio dos Santos, @C0d3Cr4zy", + "Joe Gumke, U.S. Bank", + "Joe Slowik - Dragos", + "Joey Lei", + "Juan Tapiador", + "Liran Ravich, CardinalOps", + "Manikantan Srinivasan, NEC Corporation India", + "Martin McCloskey, Datadog", + "Matt Green, @mgreen27", + "Michael Raggi @aRtAGGI", + "Mohit Rathore", + "Naveen Devaraja, bolttech", + "Noam Lifshitz, Sygnia", + "Olaf Hartong, Falcon Force", + "Oren Biderman, Sygnia", + "Pawel Partyka, Microsoft Threat Intelligence", + "Phyo Paing Htun (ChiLai), I-Secure Co.,Ltd", + "Pooja Natarajan, NEC Corporation India", + "Sam Seabrook, Duke Energy", + "Serhii Melnyk, Trustwave SpiderLabs", + "Shailesh Tiwary (Indian Army)", + "Shankar Raman, Gen Digital and Abhinand, Amrita University", + "Sunders Bruskin, Microsoft Threat Intelligence", + "Tahseen Bin Taj", + "Thanabodi Phrakhun, @naikordian", + "The DFIR Report", + "Tim (Wadhwa-)Brown", + "Tom Simpson, CrowdStrike Falcon OverWatch", + "Tristan Madani (Cybereason)", + "TruKno", + "Uriel Kosayev", + "Vijay Lalwani", + "Will Thomas, Equinix", + "Yasuhito Kawanishi, NEC Corporation", + "Yoshihiro Kori, NEC Corporation", + "Yossi Weizman, Microsoft Threat Intelligence" + ] +} \ No newline at end of file diff --git a/modules/resources/docs/changelogs/v13.1-v14.0/layer-enterprise.json b/modules/resources/docs/changelogs/v13.1-v14.0/layer-enterprise.json new file mode 100644 index 00000000000..28226b447f6 --- /dev/null +++ b/modules/resources/docs/changelogs/v13.1-v14.0/layer-enterprise.json @@ -0,0 +1,1441 @@ +{ + "versions": { + "layer": "4.4", + "navigator": "4.8.0", + "attack": "14.0" + }, + "name": "October 2023 Enterprise Updates", + "description": "Enterprise updates for the October 2023 release of ATT&CK", + "domain": "enterprise-attack", + "techniques": [ + { + "techniqueID": "T1098.006", + "tactic": "persistence", + "enabled": true, + "color": "#a1d99b", + "comment": "addition" + }, + { + "techniqueID": "T1098.006", + "tactic": "privilege-escalation", + "enabled": true, + "color": "#a1d99b", + "comment": "addition" + }, + { + "techniqueID": "T1036.009", + "tactic": "defense-evasion", + "enabled": true, + "color": "#a1d99b", + "comment": "addition" + }, + { + "techniqueID": "T1555.006", + "tactic": "credential-access", + "enabled": true, + "color": "#a1d99b", + "comment": "addition" + }, + { + "techniqueID": "T1659", + "tactic": "initial-access", + "enabled": true, + "color": "#a1d99b", + "comment": "addition" + }, + { + "techniqueID": "T1659", + "tactic": "command-and-control", + "enabled": true, + "color": "#a1d99b", + "comment": "addition" + }, + { + "techniqueID": "T1021.008", + "tactic": "lateral-movement", + "enabled": true, + "color": "#a1d99b", + "comment": "addition" + }, + { + "techniqueID": "T1562.012", + "tactic": "defense-evasion", + "enabled": true, + "color": "#a1d99b", + "comment": "addition" + }, + { + "techniqueID": "T1567.004", + "tactic": "exfiltration", + "enabled": true, + "color": "#a1d99b", + "comment": "addition" + }, + { + "techniqueID": "T1657", + "tactic": "impact", + "enabled": true, + "color": "#a1d99b", + "comment": "addition" + }, + { + "techniqueID": "T1564.011", + "tactic": "defense-evasion", + "enabled": true, + "color": "#a1d99b", + "comment": "addition" + }, + { + "techniqueID": "T1656", + "tactic": "defense-evasion", + "enabled": true, + "color": "#a1d99b", + "comment": "addition" + }, + { + "techniqueID": "T1027.012", + "tactic": "defense-evasion", + "enabled": true, + "color": "#a1d99b", + "comment": "addition" + }, + { + "techniqueID": "T1654", + "tactic": "discovery", + "enabled": true, + "color": "#a1d99b", + "comment": "addition" + }, + { + "techniqueID": "T1578.005", + "tactic": "defense-evasion", + "enabled": true, + "color": "#a1d99b", + "comment": "addition" + }, + { + "techniqueID": "T1653", + "tactic": "persistence", + "enabled": true, + "color": "#a1d99b", + "comment": "addition" + }, + { + "techniqueID": "T1566.004", + "tactic": "initial-access", + "enabled": true, + "color": "#a1d99b", + "comment": "addition" + }, + { + "techniqueID": "T1598.004", + "tactic": "reconnaissance", + "enabled": true, + "color": "#a1d99b", + "comment": "addition" + }, + { + "techniqueID": "T1548.005", + "tactic": "privilege-escalation", + "enabled": true, + "color": "#a1d99b", + "comment": "addition" + }, + { + "techniqueID": "T1548.005", + "tactic": "defense-evasion", + "enabled": true, + "color": "#a1d99b", + "comment": "addition" + }, + { + "techniqueID": "T1016.002", + "tactic": "discovery", + "enabled": true, + "color": "#a1d99b", + "comment": "addition" + }, + { + "techniqueID": "T1562.008", + "tactic": "defense-evasion", + "enabled": true, + "color": "#fcf3a2", + "comment": "major_version_change" + }, + { + "techniqueID": "T1547.001", + "tactic": "persistence", + "enabled": true, + "color": "#fcf3a2", + "comment": "major_version_change" + }, + { + "techniqueID": "T1547.001", + "tactic": "privilege-escalation", + "enabled": true, + "color": "#fcf3a2", + "comment": "major_version_change" + }, + { + "techniqueID": "T1548", + "tactic": "privilege-escalation", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1548", + "tactic": "defense-evasion", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1098", + "tactic": "persistence", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1098", + "tactic": "privilege-escalation", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1583", + "tactic": "resource-development", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1098.001", + "tactic": "persistence", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1098.001", + "tactic": "privilege-escalation", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1098.003", + "tactic": "persistence", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1098.003", + "tactic": "privilege-escalation", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1098.002", + "tactic": "persistence", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1098.002", + "tactic": "privilege-escalation", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1557", + "tactic": "credential-access", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1557", + "tactic": "collection", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1560.001", + "tactic": "collection", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1053.002", + "tactic": "execution", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1053.002", + "tactic": "persistence", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1053.002", + "tactic": "privilege-escalation", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1037", + "tactic": "persistence", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1037", + "tactic": "privilege-escalation", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1070.007", + "tactic": "defense-evasion", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1070.001", + "tactic": "defense-evasion", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1136.003", + "tactic": "persistence", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1078.004", + "tactic": "defense-evasion", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1078.004", + "tactic": "persistence", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1078.004", + "tactic": "privilege-escalation", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1078.004", + "tactic": "initial-access", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1538", + "tactic": "discovery", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1554", + "tactic": "persistence", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1584", + "tactic": "resource-development", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1136", + "tactic": "persistence", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1110.004", + "tactic": "credential-access", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1552.001", + "tactic": "credential-access", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1555", + "tactic": "credential-access", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1552.002", + "tactic": "credential-access", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1485", + "tactic": "impact", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1530", + "tactic": "collection", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1039", + "tactic": "collection", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1140", + "tactic": "defense-evasion", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1098.005", + "tactic": "persistence", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1098.005", + "tactic": "privilege-escalation", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1006", + "tactic": "defense-evasion", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1562.002", + "tactic": "defense-evasion", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1562.001", + "tactic": "defense-evasion", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1021.003", + "tactic": "lateral-movement", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1136.002", + "tactic": "persistence", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1078.002", + "tactic": "defense-evasion", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1078.002", + "tactic": "persistence", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1078.002", + "tactic": "privilege-escalation", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1078.002", + "tactic": "initial-access", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1562.010", + "tactic": "defense-evasion", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1559.002", + "tactic": "execution", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1055.001", + "tactic": "defense-evasion", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1055.001", + "tactic": "privilege-escalation", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1114", + "tactic": "collection", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1564.008", + "tactic": "defense-evasion", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1027.009", + "tactic": "defense-evasion", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1011", + "tactic": "exfiltration", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1567", + "tactic": "exfiltration", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1567.002", + "tactic": "exfiltration", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1567.001", + "tactic": "exfiltration", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1212", + "tactic": "credential-access", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1211", + "tactic": "defense-evasion", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1071.002", + "tactic": "command-and-control", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1187", + "tactic": "credential-access", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1606", + "tactic": "credential-access", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1027.006", + "tactic": "defense-evasion", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1562", + "tactic": "defense-evasion", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1562.006", + "tactic": "defense-evasion", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1105", + "tactic": "command-and-control", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1490", + "tactic": "impact", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1553.004", + "tactic": "defense-evasion", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1056.001", + "tactic": "collection", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1056.001", + "tactic": "credential-access", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1003.001", + "tactic": "credential-access", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1570", + "tactic": "lateral-movement", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1222.002", + "tactic": "defense-evasion", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1136.001", + "tactic": "persistence", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1078.003", + "tactic": "defense-evasion", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1078.003", + "tactic": "persistence", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1078.003", + "tactic": "privilege-escalation", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1078.003", + "tactic": "initial-access", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1127.001", + "tactic": "defense-evasion", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1036.004", + "tactic": "defense-evasion", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1036", + "tactic": "defense-evasion", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1036.005", + "tactic": "defense-evasion", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1578", + "tactic": "defense-evasion", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1112", + "tactic": "defense-evasion", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1556.006", + "tactic": "credential-access", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1556.006", + "tactic": "defense-evasion", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1556.006", + "tactic": "persistence", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1003.003", + "tactic": "credential-access", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1106", + "tactic": "execution", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1046", + "tactic": "discovery", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1135", + "tactic": "discovery", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1040", + "tactic": "credential-access", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1040", + "tactic": "discovery", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1095", + "tactic": "command-and-control", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1027", + "tactic": "defense-evasion", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1550.002", + "tactic": "defense-evasion", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1550.002", + "tactic": "lateral-movement", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1110.001", + "tactic": "credential-access", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1110.003", + "tactic": "credential-access", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1574.007", + "tactic": "persistence", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1574.007", + "tactic": "privilege-escalation", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1574.007", + "tactic": "defense-evasion", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1566", + "tactic": "initial-access", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1598", + "tactic": "reconnaissance", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1547.012", + "tactic": "persistence", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1547.012", + "tactic": "privilege-escalation", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1057", + "tactic": "discovery", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1055.012", + "tactic": "defense-evasion", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1055.012", + "tactic": "privilege-escalation", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1563.002", + "tactic": "lateral-movement", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1620", + "tactic": "defense-evasion", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1219", + "tactic": "command-and-control", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1021.001", + "tactic": "lateral-movement", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1114.002", + "tactic": "collection", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1021", + "tactic": "lateral-movement", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1018", + "tactic": "discovery", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1496", + "tactic": "impact", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1218.011", + "tactic": "defense-evasion", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1021.002", + "tactic": "lateral-movement", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1021.004", + "tactic": "lateral-movement", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1098.004", + "tactic": "persistence", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1098.004", + "tactic": "privilege-escalation", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1053.005", + "tactic": "execution", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1053.005", + "tactic": "persistence", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1053.005", + "tactic": "privilege-escalation", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1546.002", + "tactic": "privilege-escalation", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1546.002", + "tactic": "persistence", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1003.002", + "tactic": "credential-access", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1569.002", + "tactic": "execution", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1129", + "tactic": "execution", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1072", + "tactic": "execution", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1072", + "tactic": "lateral-movement", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1566.002", + "tactic": "initial-access", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1598.003", + "tactic": "reconnaissance", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1016", + "tactic": "discovery", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1033", + "tactic": "discovery", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1543.002", + "tactic": "persistence", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1543.002", + "tactic": "privilege-escalation", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1053.006", + "tactic": "execution", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1053.006", + "tactic": "persistence", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1053.006", + "tactic": "privilege-escalation", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1080", + "tactic": "lateral-movement", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1134.001", + "tactic": "defense-evasion", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1134.001", + "tactic": "privilege-escalation", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1071.001", + "tactic": "command-and-control", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1059.003", + "tactic": "execution", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1047", + "tactic": "execution", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1021.006", + "tactic": "lateral-movement", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1543.003", + "tactic": "persistence", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1543.003", + "tactic": "privilege-escalation", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1547.004", + "tactic": "persistence", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1547.004", + "tactic": "privilege-escalation", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1547.013", + "tactic": "persistence", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1547.013", + "tactic": "privilege-escalation", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1550.001", + "tactic": "defense-evasion", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1550.001", + "tactic": "lateral-movement", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1003.005", + "tactic": "credential-access", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1526", + "tactic": "discovery", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1218.001", + "tactic": "defense-evasion", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1036.008", + "tactic": "defense-evasion", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1546.013", + "tactic": "privilege-escalation", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1546.013", + "tactic": "persistence", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1036.003", + "tactic": "defense-evasion", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1091", + "tactic": "lateral-movement", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1091", + "tactic": "initial-access", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1606.002", + "tactic": "credential-access", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1528", + "tactic": "credential-access", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1539", + "tactic": "credential-access", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1606.001", + "tactic": "credential-access", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1550.004", + "tactic": "defense-evasion", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1550.004", + "tactic": "lateral-movement", + "enabled": true, + "color": "#B99095", + "comment": "patche" + } + ], + "sorting": 0, + "hideDisabled": false, + "legendItems": [ + { + "color": "#a1d99b", + "label": "additions: ATT&CK objects which are only present in the new release." + }, + { + "color": "#fcf3a2", + "label": "major_version_changes: ATT&CK objects that have a major version change. (e.g. 1.0 \u2192 2.0)" + }, + { + "color": "#c7c4e0", + "label": "minor_version_changes: ATT&CK objects that have a minor version change. (e.g. 1.0 \u2192 1.1)" + }, + { + "color": "#B5E5CF", + "label": "other_version_changes: ATT&CK objects that have a version change of any other kind. (e.g. 1.0 \u2192 1.2)" + }, + { + "color": "#B99095", + "label": "patches: ATT&CK objects that have been patched while keeping the version the same. (e.g., 1.0 \u2192 1.0 but something like a typo, a URL, or some metadata was fixed)" + }, + { + "color": "#ff9000", + "label": "revocations: ATT&CK objects which are revoked by a different object." + }, + { + "color": "#ff6363", + "label": "deprecations: ATT&CK objects which are deprecated and no longer in use, and not replaced." + }, + { + "color": "#ff00e1", + "label": "deletions: ATT&CK objects which are no longer found in the STIX data." + }, + { + "color": "#ffffff", + "label": "unchanged: ATT&CK objects which did not change between the two versions." + } + ], + "showTacticRowBackground": true, + "tacticRowBackground": "#205b8f", + "selectTechniquesAcrossTactics": true +} \ No newline at end of file diff --git a/modules/resources/docs/changelogs/v13.1-v14.0/layer-ics.json b/modules/resources/docs/changelogs/v13.1-v14.0/layer-ics.json new file mode 100644 index 00000000000..2931319f1d4 --- /dev/null +++ b/modules/resources/docs/changelogs/v13.1-v14.0/layer-ics.json @@ -0,0 +1,699 @@ +{ + "versions": { + "layer": "4.4", + "navigator": "4.8.0", + "attack": "14.0" + }, + "name": "October 2023 ICS Updates", + "description": "ICS updates for the October 2023 release of ATT&CK", + "domain": "ics-attack", + "techniques": [ + { + "techniqueID": "T0803", + "tactic": "inhibit-response-function", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T0821", + "tactic": "execution", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T0836", + "tactic": "impair-process-control", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T0889", + "tactic": "persistence", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T0881", + "tactic": "inhibit-response-function", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T0800", + "tactic": "inhibit-response-function", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0830", + "tactic": "collection", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0878", + "tactic": "inhibit-response-function", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0802", + "tactic": "collection", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0804", + "tactic": "inhibit-response-function", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0805", + "tactic": "inhibit-response-function", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0806", + "tactic": "impair-process-control", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0892", + "tactic": "inhibit-response-function", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0858", + "tactic": "execution", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0858", + "tactic": "evasion", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0807", + "tactic": "execution", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0885", + "tactic": "command-and-control", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0884", + "tactic": "command-and-control", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0879", + "tactic": "impact", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0809", + "tactic": "inhibit-response-function", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0811", + "tactic": "collection", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0893", + "tactic": "collection", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0812", + "tactic": "lateral-movement", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0813", + "tactic": "impact", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0814", + "tactic": "inhibit-response-function", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0815", + "tactic": "impact", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0868", + "tactic": "collection", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0816", + "tactic": "inhibit-response-function", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0817", + "tactic": "initial-access", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0871", + "tactic": "execution", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0819", + "tactic": "initial-access", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0820", + "tactic": "evasion", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0890", + "tactic": "privilege-escalation", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0866", + "tactic": "initial-access", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0866", + "tactic": "lateral-movement", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0822", + "tactic": "initial-access", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0823", + "tactic": "execution", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0891", + "tactic": "lateral-movement", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0891", + "tactic": "persistence", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0874", + "tactic": "execution", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0874", + "tactic": "privilege-escalation", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0877", + "tactic": "collection", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0872", + "tactic": "evasion", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0883", + "tactic": "initial-access", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0867", + "tactic": "lateral-movement", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0826", + "tactic": "impact", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0827", + "tactic": "impact", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0828", + "tactic": "impact", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0837", + "tactic": "impact", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0880", + "tactic": "impact", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0829", + "tactic": "impact", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0835", + "tactic": "inhibit-response-function", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0831", + "tactic": "impact", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0832", + "tactic": "impact", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0849", + "tactic": "evasion", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0838", + "tactic": "inhibit-response-function", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0839", + "tactic": "persistence", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0839", + "tactic": "impair-process-control", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0801", + "tactic": "collection", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0834", + "tactic": "execution", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0840", + "tactic": "discovery", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0842", + "tactic": "discovery", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0861", + "tactic": "collection", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0843", + "tactic": "lateral-movement", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0845", + "tactic": "collection", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0873", + "tactic": "persistence", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0886", + "tactic": "initial-access", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0886", + "tactic": "lateral-movement", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0846", + "tactic": "discovery", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0888", + "tactic": "discovery", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0847", + "tactic": "initial-access", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0848", + "tactic": "initial-access", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0851", + "tactic": "evasion", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0851", + "tactic": "inhibit-response-function", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0852", + "tactic": "collection", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0853", + "tactic": "execution", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0865", + "tactic": "initial-access", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0856", + "tactic": "evasion", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0856", + "tactic": "impair-process-control", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0869", + "tactic": "command-and-control", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0862", + "tactic": "initial-access", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0857", + "tactic": "persistence", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0857", + "tactic": "inhibit-response-function", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0882", + "tactic": "impact", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0864", + "tactic": "initial-access", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0855", + "tactic": "impair-process-control", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0863", + "tactic": "execution", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0859", + "tactic": "persistence", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0859", + "tactic": "lateral-movement", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0860", + "tactic": "initial-access", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0887", + "tactic": "discovery", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0887", + "tactic": "collection", + "enabled": true, + "color": "#B99095", + "comment": "patche" + } + ], + "sorting": 0, + "hideDisabled": false, + "legendItems": [ + { + "color": "#a1d99b", + "label": "additions: ATT&CK objects which are only present in the new release." + }, + { + "color": "#fcf3a2", + "label": "major_version_changes: ATT&CK objects that have a major version change. (e.g. 1.0 \u2192 2.0)" + }, + { + "color": "#c7c4e0", + "label": "minor_version_changes: ATT&CK objects that have a minor version change. (e.g. 1.0 \u2192 1.1)" + }, + { + "color": "#B5E5CF", + "label": "other_version_changes: ATT&CK objects that have a version change of any other kind. (e.g. 1.0 \u2192 1.2)" + }, + { + "color": "#B99095", + "label": "patches: ATT&CK objects that have been patched while keeping the version the same. (e.g., 1.0 \u2192 1.0 but something like a typo, a URL, or some metadata was fixed)" + }, + { + "color": "#ff9000", + "label": "revocations: ATT&CK objects which are revoked by a different object." + }, + { + "color": "#ff6363", + "label": "deprecations: ATT&CK objects which are deprecated and no longer in use, and not replaced." + }, + { + "color": "#ff00e1", + "label": "deletions: ATT&CK objects which are no longer found in the STIX data." + }, + { + "color": "#ffffff", + "label": "unchanged: ATT&CK objects which did not change between the two versions." + } + ], + "showTacticRowBackground": true, + "tacticRowBackground": "#205b8f", + "selectTechniquesAcrossTactics": true +} \ No newline at end of file diff --git a/modules/resources/docs/changelogs/v13.1-v14.0/layer-mobile.json b/modules/resources/docs/changelogs/v13.1-v14.0/layer-mobile.json new file mode 100644 index 00000000000..61827882e27 --- /dev/null +++ b/modules/resources/docs/changelogs/v13.1-v14.0/layer-mobile.json @@ -0,0 +1,321 @@ +{ + "versions": { + "layer": "4.4", + "navigator": "4.8.0", + "attack": "14.0" + }, + "name": "October 2023 Mobile Updates", + "description": "Mobile updates for the October 2023 release of ATT&CK", + "domain": "mobile-attack", + "techniques": [ + { + "techniqueID": "T1661", + "tactic": "initial-access", + "enabled": true, + "color": "#a1d99b", + "comment": "addition" + }, + { + "techniqueID": "T1661", + "tactic": "defense-evasion", + "enabled": true, + "color": "#a1d99b", + "comment": "addition" + }, + { + "techniqueID": "T1662", + "tactic": "impact", + "enabled": true, + "color": "#a1d99b", + "comment": "addition" + }, + { + "techniqueID": "T1658", + "tactic": "execution", + "enabled": true, + "color": "#a1d99b", + "comment": "addition" + }, + { + "techniqueID": "T1655", + "tactic": "defense-evasion", + "enabled": true, + "color": "#a1d99b", + "comment": "addition" + }, + { + "techniqueID": "T1655.001", + "tactic": "defense-evasion", + "enabled": true, + "color": "#a1d99b", + "comment": "addition" + }, + { + "techniqueID": "T1660", + "tactic": "initial-access", + "enabled": true, + "color": "#a1d99b", + "comment": "addition" + }, + { + "techniqueID": "T1663", + "tactic": "command-and-control", + "enabled": true, + "color": "#a1d99b", + "comment": "addition" + }, + { + "techniqueID": "T1481.002", + "tactic": "command-and-control", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1616", + "tactic": "collection", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1616", + "tactic": "impact", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1616", + "tactic": "command-and-control", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1623", + "tactic": "execution", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1481.001", + "tactic": "command-and-control", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1637.001", + "tactic": "command-and-control", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1407", + "tactic": "defense-evasion", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1456", + "tactic": "initial-access", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1637", + "tactic": "command-and-control", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1639", + "tactic": "exfiltration", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1646", + "tactic": "exfiltration", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1639.001", + "tactic": "exfiltration", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1544", + "tactic": "command-and-control", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1516", + "tactic": "defense-evasion", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1516", + "tactic": "impact", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1461", + "tactic": "initial-access", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1406", + "tactic": "defense-evasion", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1481.003", + "tactic": "command-and-control", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1629.001", + "tactic": "defense-evasion", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1458", + "tactic": "initial-access", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1458", + "tactic": "lateral-movement", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1623.001", + "tactic": "execution", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1481", + "tactic": "command-and-control", + "enabled": true, + "color": "#c7c4e0", + "comment": "minor_version_change" + }, + { + "techniqueID": "T1634", + "tactic": "credential-access", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1404", + "tactic": "privilege-escalation", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1430.002", + "tactic": "collection", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1430.002", + "tactic": "discovery", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1509", + "tactic": "command-and-control", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1625.001", + "tactic": "persistence", + "enabled": true, + "color": "#B99095", + "comment": "patche" + } + ], + "sorting": 0, + "hideDisabled": false, + "legendItems": [ + { + "color": "#a1d99b", + "label": "additions: ATT&CK objects which are only present in the new release." + }, + { + "color": "#fcf3a2", + "label": "major_version_changes: ATT&CK objects that have a major version change. (e.g. 1.0 \u2192 2.0)" + }, + { + "color": "#c7c4e0", + "label": "minor_version_changes: ATT&CK objects that have a minor version change. (e.g. 1.0 \u2192 1.1)" + }, + { + "color": "#B5E5CF", + "label": "other_version_changes: ATT&CK objects that have a version change of any other kind. (e.g. 1.0 \u2192 1.2)" + }, + { + "color": "#B99095", + "label": "patches: ATT&CK objects that have been patched while keeping the version the same. (e.g., 1.0 \u2192 1.0 but something like a typo, a URL, or some metadata was fixed)" + }, + { + "color": "#ff9000", + "label": "revocations: ATT&CK objects which are revoked by a different object." + }, + { + "color": "#ff6363", + "label": "deprecations: ATT&CK objects which are deprecated and no longer in use, and not replaced." + }, + { + "color": "#ff00e1", + "label": "deletions: ATT&CK objects which are no longer found in the STIX data." + }, + { + "color": "#ffffff", + "label": "unchanged: ATT&CK objects which did not change between the two versions." + } + ], + "showTacticRowBackground": true, + "tacticRowBackground": "#205b8f", + "selectTechniquesAcrossTactics": true +} \ No newline at end of file diff --git a/modules/resources/resources.py b/modules/resources/resources.py index 3b84026e294..2396ac05324 100644 --- a/modules/resources/resources.py +++ b/modules/resources/resources.py @@ -1,4 +1,5 @@ import json +import math import os import shutil from datetime import datetime @@ -14,7 +15,7 @@ def generate_resources(): - """Responsible for generating the resources pages""" + """Responsible for generating the resources pages.""" logger.info("Generating Resources") # Create content pages directory if does not already exist util.buildhelpers.create_content_pages_dir() @@ -37,16 +38,27 @@ def generate_resources(): if site_config.resource_nav["children"][i]["id"] == "versions": del site_config.resource_nav["children"][i] + build_benefactors_module = False + for module_info in modules.run_ptr: + if module_info["module_name"] == "benefactors": + build_benefactors_module = True + if not build_benefactors_module: + for i, child in enumerate(site_config.resource_nav["children"]): + if site_config.resource_nav["children"][i]["id"] == "benefactors": + del site_config.resource_nav["children"][i] + # Move templates to templates directory util.buildhelpers.move_templates(resources_config.module_name, resources_config.resources_templates_path) copy_docs(module_docs_path=resources_config.docs_path) generate_working_with_attack() generate_general_information() + generate_contribute_page() generate_training_pages() generate_brand_page() generate_attackcon_page() generate_faq_page() generate_static_pages() + generate_sidebar_resources() def copy_docs(module_docs_path): @@ -181,54 +193,16 @@ def generate_faq_page(): with open(os.path.join(site_config.data_directory, "faq.json"), "r", encoding="utf8") as f: faqdata = json.load(f) - # Below code used to get a list of all faq children - faq_md = [] - faq_name = [] - faq_path = [] - faq_dict_list = {} - for i in range(len(faqdata["sections"])): - faq_name.append(faqdata["sections"][i]["name"]) - title = "Title: " + faqdata["sections"][i]["name"] + "\n" - name = faqdata["sections"][i]["name"].lower().replace(" ", "-").replace("&", "a") - template = "Template: general/faq-overview\n" - faq_path.append("/resources/faq/" + name + "/") - save_as = "save_as: resources/faq/" + name + "/index.html\n" - data = "data: " - content = title + template + save_as + data - faq_md.append(content) - faq_dict_list["faq_name"] = faq_name - faq_dict_list["faq_path"] = faq_path - faq_dict_list["faq_md"] = faq_md - - # Below code used to add the updates children to the resources sidebar - faq_index = 0 - temp_dict = {} - for i in range(len(site_config.resource_nav["children"])): - if site_config.resource_nav["children"][i]["name"] == "FAQ": - faq_index = i - - for i in range(len(faq_dict_list["faq_name"])): - temp_dict["name"] = faq_dict_list["faq_name"][i] - temp_dict["path"] = faq_dict_list["faq_path"][i] - temp_dict["children"] = [] - site_config.resource_nav["children"][faq_index]["children"].append(temp_dict.copy()) - temp_dict = {} - # add unique IDs for i, section in enumerate(faqdata["sections"]): for j, item in enumerate(section["questions"]): item["id"] = f"faq-{i}-{j}" # get markdown - faq_content = resources_config.faq_md + json.dumps(faqdata["sections"][0]) + faq_content = resources_config.faq_md + json.dumps(faqdata) + # write markdown to file - faq_list = faq_dict_list["faq_md"] with open(os.path.join(site_config.resources_markdown_path, "faq.md"), "w", encoding="utf8") as md_file: md_file.write(faq_content) - for i in range(len(faq_list)): - faq_content = faq_list[i] + json.dumps(faqdata["sections"][i]) - f_name = "faq-" + faqdata["sections"][i]["name"].lower().replace(" ", "-") + ".md" - with open(os.path.join(site_config.resources_markdown_path, f_name), "w", encoding="utf8") as md_file: - md_file.write(faq_content) def generate_static_pages(): @@ -308,6 +282,7 @@ def generate_working_with_attack(): "techniques", "datasources", "campaigns", + "assets" ] # Verify if directories exists @@ -318,23 +293,18 @@ def generate_working_with_attack(): if not os.path.isdir(docs_dir): os.makedirs(docs_dir) + ms = util.relationshipgetters.get_ms() + for domain in site_config.domains: if domain["deprecated"]: continue - # TODO: refactor this to use a function rather than copy/paste from modules/util/stixhelpers.py - # this can be used because it was called previously in modules/util/stixhelpers.py to download the file - if domain["location"].startswith("http"): - download_dir = Path(f"{site_config.web_directory}/stix") - stix_filename = f"{download_dir}/{domain['name']}.json" - else: - stix_filename = domain["location"] - + domain_name = domain["name"] attackToExcel.export( - domain=domain["name"], + domain=domain_name, version=site_config.full_attack_version, output_dir=docs_dir, - stix_file=stix_filename, + mem_store=ms[domain_name], ) files_json = {"excel_files": []} @@ -355,3 +325,55 @@ def generate_working_with_attack(): os.path.join(site_config.resources_markdown_path, "working_with_attack.md"), "w", encoding="utf8" ) as md_file: md_file.write(working_with_attack_content) + + +def generate_sidebar_resources(): + """Responsible for generating the sidebar for the resource pages.""" + logger.info("Generating resource sidebar") + + # Sidebar Overview + sidebar_resources_md = resources_config.sidebar_resources_md + + # write markdown to file + with open(os.path.join(site_config.resources_markdown_path, "sidebar_resources.md"), "w", encoding="utf8") as md_file: + md_file.write(sidebar_resources_md) + + +def generate_contribute_page(): + """Responsible for generating the markdown pages of the contribute pages.""" + logger.info("Generating contributing page") + + # Generate redirections + util.buildhelpers.generate_redirections( + redirections_filename=resources_config.contribute_redirection_location, redirect_md=site_config.redirect_md + ) + + ms = util.relationshipgetters.get_ms() + contributors = util.stixhelpers.get_contributors(ms) + + data = {} + + data["contributors"] = [] + + contributors_first_col = [] + contributors_second_col = [] + + half = math.ceil((len(contributors)) / 2) + list_size = len(contributors) + + for index in range(0, half): + contributors_first_col.append(contributors[index]) + + for index in range(half, list_size): + contributors_second_col.append(contributors[index]) + + data["contributors"].append(contributors_first_col) + data["contributors"].append(contributors_second_col) + + subs = resources_config.contribute_md + json.dumps(data) + + # Open markdown file for the contribute page + with open( + os.path.join(site_config.resources_markdown_path, "contribute.md"), "w", encoding="utf8" + ) as md_file: + md_file.write(subs) diff --git a/modules/resources/resources_config.py b/modules/resources/resources_config.py index 5c438a74dad..de8c8f5eb81 100644 --- a/modules/resources/resources_config.py +++ b/modules/resources/resources_config.py @@ -34,6 +34,11 @@ "Template: resources/training-cti\n" "save_as: resources/training/cti/index.html\n" ) +contribute_md = ( + "Title: Contribute\n" "Template: resources/contribute\n" "save_as: resources/contribute/index.html\n" "data: " +) + +contribute_redirection_location = "modules/resources/contribute_redirections.json" # Brand md brand_md = "Title: Brand\n" "Template: resources/brand\n" "save_as: resources/brand/index.html\n" "data: " @@ -45,3 +50,9 @@ "save_as: resources/working-with-attack/index.html\n" "data: " ) + +sidebar_resources_md = ( + "Title: Resources Sidebar\n" + "Template: general/sidebar-resources \n" + "save_as: resources/sidebar-resources/index.html\n" +) diff --git a/modules/resources/static_pages/updates-april-2022.md b/modules/resources/static_pages/updates-april-2022.md index f0de48f0940..e201f87d147 100644 --- a/modules/resources/static_pages/updates-april-2022.md +++ b/modules/resources/static_pages/updates-april-2022.md @@ -806,10 +806,10 @@ ATT&CK for Mobile does not support data sources * Harshal Tupsamudre, Qualys * Hiroki Nagahama, NEC Corporation * Isif Ibrahima, Mandiant +* Jack Burns, HubSpot * James_inthe_box, Me * Jan Petrov, Citi * Jannie Li, Microsoft Threat Intelligence Center (MSTIC) -* Jen Burns, HubSpot * Jeremy Galloway * Joas Antonio dos Santos, @C0d3Cr4zy, Inmetrics * John Page (aka hyp3rlinx), ApparitionSec diff --git a/modules/resources/static_pages/updates-april-2023.md b/modules/resources/static_pages/updates-april-2023.md index 76c53579d44..166fde78ff0 100644 --- a/modules/resources/static_pages/updates-april-2023.md +++ b/modules/resources/static_pages/updates-april-2023.md @@ -8,7 +8,7 @@ save_as: resources/updates/updates-april-2023/index.html | Version | Start Date | End Date | Data | Changelogs | |:--------|:-----------|:---------|:-----|:-----------| -| [ATT&CK v13](/versions/v13) | April 25, 2023 | This is the current version of ATT&CK | [v13.0 on MITRE/CTI](https://github.com/mitre/cti/releases/tag/ATT%26CK-v13.0)
    [v13.1 on MITRE/CTI](https://github.com/mitre/cti/releases/tag/ATT%26CK-v13.1) | v12.1 - v13.0 [Details](/docs/changelogs/v12.1-v13.0/changelog-detailed.html) ([JSON](/docs/changelogs/v12.1-v13.0/changelog.json))
    v13.0 - v13.1 [Details](/docs/changelogs/v13.0-v13.1/changelog-detailed.html) ([JSON](/docs/changelogs/v13.0-v13.1/changelog.json)) | +| [ATT&CK v13](/versions/v13) | April 25, 2023 | October 30, 2023 | [v13.0 on MITRE/CTI](https://github.com/mitre/cti/releases/tag/ATT%26CK-v13.0)
    [v13.1 on MITRE/CTI](https://github.com/mitre/cti/releases/tag/ATT%26CK-v13.1) | v12.1 - v13.0 [Details](/docs/changelogs/v12.1-v13.0/changelog-detailed.html) ([JSON](/docs/changelogs/v12.1-v13.0/changelog.json))
    v13.0 - v13.1 [Details](/docs/changelogs/v13.0-v13.1/changelog-detailed.html) ([JSON](/docs/changelogs/v13.0-v13.1/changelog.json)) | The April 2023 (v13) ATT&CK release updates Techniques, Groups, Campaigns and Software for Enterprise, Mobile, and ICS. The biggest changes in ATT&CK v13 are the addition of detailed detection guidance to some Techniques in ATT&CK for Enterprise, Mobile Data Sources, and two new types of changelogs to help identify more precisely what has changed in ATT&CK. An [accompanying blog post](https://medium.com/mitre-attack/attack-v13-enters-the-room-5cef174c32ff) describes these changes as well as improvements across ATT&CK's various domains and platforms. diff --git a/modules/resources/static_pages/updates-october-2021.md b/modules/resources/static_pages/updates-october-2021.md index 81a720457ec..68ddeb20052 100644 --- a/modules/resources/static_pages/updates-october-2021.md +++ b/modules/resources/static_pages/updates-october-2021.md @@ -781,10 +781,10 @@ No changes * Isif Ibrahima * Itamar Mizrahi, Cymptom * Ivan Sinyakov +* Jack Burns, HubSpot * Janantha Marasinghe * Jaron Bradley @jbradley89 * Jeff Felling, Red Canary -* Jen Burns, HubSpot * Joas Antonio dos Santos, @C0d3Cr4zy * Johann Rehberger * Jon Sheedy diff --git a/modules/resources/static_pages/updates-october-2023.md b/modules/resources/static_pages/updates-october-2023.md new file mode 100644 index 00000000000..39509afc7fd --- /dev/null +++ b/modules/resources/static_pages/updates-october-2023.md @@ -0,0 +1,683 @@ +Title: Updates - October 2023 +Date: October 2023 +Category: Cyber Threat Intelligence +Authors: Adam Pennington +Template: resources/update-post +url: /resources/updates/updates-october-2023 +save_as: resources/updates/updates-october-2023/index.html + +| Version | Start Date | End Date | Data | Changelogs | +|:--------|:-----------|:---------|:-----|:-----------| +| [ATT&CK v14](/versions/v14) | October 31, 2023 | Current version of ATT&CK | [v14.0 on MITRE/CTI](https://github.com/mitre/cti/releases/tag/ATT%26CK-v14.0) | 13.1 - 14.0 [Details](/docs/changelogs/v13.1-v14.0/changelog-detailed.html) ([JSON](/docs/changelogs/v13.1-v14.0/changelog.json)) | + +The October 2023 (v14) ATT&CK release updates Techniques, Groups, Campaigns and Software for Enterprise, Mobile, and ICS. The biggest changes in ATT&CK v14 are a large expansion of detection notes and analytics to Techniques in Enterprise, a minor scoping change to Enterprise resulting in coverage of [Financial Theft](/techniques/T1657) and [Voice](/techniques/T1566/004) [Phishing](/techniques/T1598/004), structured Detections in Mobile, and the (re-)addition of [Assets](/assets) to ICS. An [accompanying blog post](https://medium.com/mitre-attack/attack-v14-fa473603f86b +) describes these changes as well as improvements across ATT&CK's various domains and platforms. + +This release also includes a [human-readable detailed changelog](/docs/changelogs/v13.1-v14.0/changelog-detailed.html) showing more specifically what changed in updated ATT&CK objects, and a [machine-readable JSON changelog](/docs/changelogs/v13.1-v14.0/changelog.json), whose format is described in [ATT&CK's Github](https://github.com/mitre-attack/mitreattack-python/blob/master/mitreattack/diffStix/README.md). + +This version of ATT&CK contains 760 Pieces of Software, 143 Groups, and 24 Campaigns. Broken out by domain: + +* Enterprise: 201 Techniques, 424 Sub-Techniques, 141 Groups, 648 Pieces of Software, 23 Campaigns, 43 Mitigations, and 109 Data Sources +* Mobile: 72 Techniques, 42 Sub-Techniques, 8 Groups, 108 Pieces of Software, 1 Campaign, 12 Mitigations, and 15 Data Sources +* ICS: 81 Techniques, 13 Groups, 21 Pieces of Software, 52 Mitigations, 3 Campaigns, 14 Assets, and 34 Data Sources + +## Release Notes Terminology + +* New: ATT&CK objects which are only present in the new release. +* Major version changes: ATT&CK objects that have a major version change. (e.g. 1.0 → 2.0) +* Minor version changes: ATT&CK objects that have a minor version change. (e.g. 1.0 → 1.1) +* Other version changes: ATT&CK objects that have a version change of any other kind. (e.g. 1.0 → 1.2) +* Patches: ATT&CK objects that have been patched while keeping the version the same. (e.g., 1.0 → 1.0 but something immaterial like a typo, a URL, or some metadata was fixed) +* Revocations: ATT&CK objects which are revoked by a different object. +* Deprecations: ATT&CK objects which are deprecated and no longer in use, and not replaced. +* Deletions: ATT&CK objects which are no longer found in the STIX data. + +## Techniques + +### Enterprise + +#### New Techniques + +* Abuse Elevation Control Mechanism: [Temporary Elevated Cloud Access](/techniques/T1548/005) (v1.0) +* Account Manipulation: [Additional Container Cluster Roles](/techniques/T1098/006) (v1.0) +* [Content Injection](/techniques/T1659) (v1.0) +* Credentials from Password Stores: [Cloud Secrets Management Stores](/techniques/T1555/006) (v1.0) +* Exfiltration Over Web Service: [Exfiltration Over Webhook](/techniques/T1567/004) (v1.0) +* [Financial Theft](/techniques/T1657) (v1.0) +* Hide Artifacts: [Ignore Process Interrupts](/techniques/T1564/011) (v1.0) +* Impair Defenses: [Disable or Modify Linux Audit System](/techniques/T1562/012) (v1.0) +* [Impersonation](/techniques/T1656) (v1.0) +* [Log Enumeration](/techniques/T1654) (v1.0) +* Masquerading: [Break Process Trees](/techniques/T1036/009) (v1.0) +* Modify Cloud Compute Infrastructure: [Modify Cloud Compute Configurations](/techniques/T1578/005) (v1.0) +* Obfuscated Files or Information: [LNK Icon Smuggling](/techniques/T1027/012) (v1.0) +* Phishing: [Spearphishing Voice](/techniques/T1566/004) (v1.0) +* Phishing for Information: [Spearphishing Voice](/techniques/T1598/004) (v1.0) +* [Power Settings](/techniques/T1653) (v1.0) +* Remote Services: [Direct Cloud VM Connections](/techniques/T1021/008) (v1.0) +* System Network Configuration Discovery: [Wi-Fi Discovery](/techniques/T1016/002) (v1.0) + +#### Major Version Changes + +* Boot or Logon Autostart Execution: [Registry Run Keys / Startup Folder](/techniques/T1547/001) (v1.2→v2.0) +* Impair Defenses: [Disable or Modify Cloud Logs](/techniques/T1562/008) (v1.3→v2.0) + +#### Minor Version Changes + +* [Abuse Elevation Control Mechanism](/techniques/T1548) (v1.1→v1.2) +* Access Token Manipulation: [Token Impersonation/Theft](/techniques/T1134/001) (v1.1→v1.2) +* [Account Manipulation](/techniques/T1098) (v2.5→v2.6) + * [Additional Cloud Credentials](/techniques/T1098/001) (v2.5→v2.6) + * [Additional Cloud Roles](/techniques/T1098/003) (v2.2→v2.3) + * [Additional Email Delegate Permissions](/techniques/T1098/002) (v2.0→v2.1) + * [Device Registration](/techniques/T1098/005) (v1.1→v1.2) + * [SSH Authorized Keys](/techniques/T1098/004) (v1.2→v1.3) +* [Acquire Infrastructure](/techniques/T1583) (v1.2→v1.3) +* [Adversary-in-the-Middle](/techniques/T1557) (v2.2→v2.3) +* Application Layer Protocol: [File Transfer Protocols](/techniques/T1071/002) (v1.0→v1.1) +* Application Layer Protocol: [Web Protocols](/techniques/T1071/001) (v1.1→v1.2) +* Archive Collected Data: [Archive via Utility](/techniques/T1560/001) (v1.2→v1.3) +* Boot or Logon Autostart Execution: [Print Processors](/techniques/T1547/012) (v1.0→v1.1) +* Boot or Logon Autostart Execution: [Winlogon Helper DLL](/techniques/T1547/004) (v1.0→v1.1) +* Boot or Logon Autostart Execution: [XDG Autostart Entries](/techniques/T1547/013) (v1.0→v1.1) +* [Boot or Logon Initialization Scripts](/techniques/T1037) (v2.1→v2.2) +* Brute Force: [Credential Stuffing](/techniques/T1110/004) (v1.3→v1.4) +* Brute Force: [Password Guessing](/techniques/T1110/001) (v1.4→v1.5) +* Brute Force: [Password Spraying](/techniques/T1110/003) (v1.3→v1.4) +* [Cloud Service Dashboard](/techniques/T1538) (v1.1→v1.2) +* Command and Scripting Interpreter: [Windows Command Shell](/techniques/T1059/003) (v1.2→v1.3) +* [Compromise Client Software Binary](/techniques/T1554) (v1.0→v1.1) +* [Compromise Infrastructure](/techniques/T1584) (v1.3→v1.4) +* [Create Account](/techniques/T1136) (v2.3→v2.4) + * [Cloud Account](/techniques/T1136/003) (v1.3→v1.4) + * [Domain Account](/techniques/T1136/002) (v1.0→v1.1) + * [Local Account](/techniques/T1136/001) (v1.2→v1.3) +* Create or Modify System Process: [Systemd Service](/techniques/T1543/002) (v1.3→v1.4) +* Create or Modify System Process: [Windows Service](/techniques/T1543/003) (v1.3→v1.4) +* [Credentials from Password Stores](/techniques/T1555) (v1.0→v1.1) +* [Data Destruction](/techniques/T1485) (v1.1→v1.2) +* [Data from Cloud Storage](/techniques/T1530) (v2.0→v2.1) +* [Data from Network Shared Drive](/techniques/T1039) (v1.3→v1.4) +* [Deobfuscate/Decode Files or Information](/techniques/T1140) (v1.2→v1.3) +* [Direct Volume Access](/techniques/T1006) (v2.0→v2.1) +* [Email Collection](/techniques/T1114) (v2.4→v2.5) + * [Remote Email Collection](/techniques/T1114/002) (v1.1→v1.2) +* Event Triggered Execution: [Screensaver](/techniques/T1546/002) (v1.1→v1.2) +* [Exfiltration Over Other Network Medium](/techniques/T1011) (v1.1→v1.2) +* [Exfiltration Over Web Service](/techniques/T1567) (v1.2→v1.3) + * [Exfiltration to Cloud Storage](/techniques/T1567/002) (v1.1→v1.2) + * [Exfiltration to Code Repository](/techniques/T1567/001) (v1.0→v1.1) +* [Exploitation for Credential Access](/techniques/T1212) (v1.4→v1.5) +* [Exploitation for Defense Evasion](/techniques/T1211) (v1.3→v1.4) +* File and Directory Permissions Modification: [Linux and Mac File and Directory Permissions Modification](/techniques/T1222/002) (v1.1→v1.2) +* [Forced Authentication](/techniques/T1187) (v1.2→v1.3) +* [Forge Web Credentials](/techniques/T1606) (v1.3→v1.4) +* Hide Artifacts: [Email Hiding Rules](/techniques/T1564/008) (v1.2→v1.3) +* Hijack Execution Flow: [Path Interception by PATH Environment Variable](/techniques/T1574/007) (v1.0→v1.1) +* [Impair Defenses](/techniques/T1562) (v1.4→v1.5) + * [Disable Windows Event Logging](/techniques/T1562/002) (v1.2→v1.3) + * [Disable or Modify Tools](/techniques/T1562/001) (v1.4→v1.5) + * [Downgrade Attack](/techniques/T1562/010) (v1.1→v1.2) + * [Indicator Blocking](/techniques/T1562/006) (v1.2→v1.3) +* Indicator Removal: [Clear Network Connection History and Configurations](/techniques/T1070/007) (v1.0→v1.1) +* Indicator Removal: [Clear Windows Event Logs](/techniques/T1070/001) (v1.2→v1.3) +* [Ingress Tool Transfer](/techniques/T1105) (v2.2→v2.3) +* [Inhibit System Recovery](/techniques/T1490) (v1.2→v1.3) +* Input Capture: [Keylogging](/techniques/T1056/001) (v1.1→v1.2) +* Inter-Process Communication: [Dynamic Data Exchange](/techniques/T1559/002) (v1.2→v1.3) +* [Lateral Tool Transfer](/techniques/T1570) (v1.2→v1.3) +* [Masquerading](/techniques/T1036) (v1.5→v1.6) + * [Masquerade Task or Service](/techniques/T1036/004) (v1.1→v1.2) + * [Match Legitimate Name or Location](/techniques/T1036/005) (v1.1→v1.2) +* Modify Authentication Process: [Multi-Factor Authentication](/techniques/T1556/006) (v1.0→v1.1) +* [Modify Cloud Compute Infrastructure](/techniques/T1578) (v1.1→v1.2) +* [Modify Registry](/techniques/T1112) (v1.3→v1.4) +* [Native API](/techniques/T1106) (v2.1→v2.2) +* [Network Service Discovery](/techniques/T1046) (v3.0→v3.1) +* [Network Share Discovery](/techniques/T1135) (v3.1→v3.2) +* [Network Sniffing](/techniques/T1040) (v1.4→v1.5) +* [Non-Application Layer Protocol](/techniques/T1095) (v2.2→v2.3) +* OS Credential Dumping: [LSASS Memory](/techniques/T1003/001) (v1.2→v1.3) +* OS Credential Dumping: [NTDS](/techniques/T1003/003) (v1.1→v1.2) +* OS Credential Dumping: [Security Account Manager](/techniques/T1003/002) (v1.0→v1.1) +* [Obfuscated Files or Information](/techniques/T1027) (v1.4→v1.5) + * [Embedded Payloads](/techniques/T1027/009) (v1.0→v1.1) + * [HTML Smuggling](/techniques/T1027/006) (v1.0→v1.1) +* [Phishing](/techniques/T1566) (v2.3→v2.4) + * [Spearphishing Link](/techniques/T1566/002) (v2.4→v2.5) +* [Phishing for Information](/techniques/T1598) (v1.2→v1.3) + * [Spearphishing Link](/techniques/T1598/003) (v1.4→v1.5) +* [Process Discovery](/techniques/T1057) (v1.3→v1.4) +* Process Injection: [Dynamic-link Library Injection](/techniques/T1055/001) (v1.2→v1.3) +* Process Injection: [Process Hollowing](/techniques/T1055/012) (v1.2→v1.3) +* [Reflective Code Loading](/techniques/T1620) (v1.0→v1.1) +* [Remote Access Software](/techniques/T1219) (v2.1→v2.2) +* Remote Service Session Hijacking: [RDP Hijacking](/techniques/T1563/002) (v1.0→v1.1) +* [Remote Services](/techniques/T1021) (v1.3→v1.4) + * [Distributed Component Object Model](/techniques/T1021/003) (v1.2→v1.3) + * [Remote Desktop Protocol](/techniques/T1021/001) (v1.1→v1.2) + * [SMB/Windows Admin Shares](/techniques/T1021/002) (v1.1→v1.2) + * [SSH](/techniques/T1021/004) (v1.1→v1.2) + * [Windows Remote Management](/techniques/T1021/006) (v1.1→v1.2) +* [Remote System Discovery](/techniques/T1018) (v3.4→v3.5) +* [Resource Hijacking](/techniques/T1496) (v1.3→v1.4) +* Scheduled Task/Job: [At](/techniques/T1053/002) (v2.0→v2.1) +* Scheduled Task/Job: [Scheduled Task](/techniques/T1053/005) (v1.3→v1.4) +* Scheduled Task/Job: [Systemd Timers](/techniques/T1053/006) (v1.1→v1.2) +* [Shared Modules](/techniques/T1129) (v2.1→v2.2) +* [Software Deployment Tools](/techniques/T1072) (v2.1→v2.2) +* Subvert Trust Controls: [Install Root Certificate](/techniques/T1553/004) (v1.1→v1.2) +* System Binary Proxy Execution: [Rundll32](/techniques/T1218/011) (v2.1→v2.2) +* [System Network Configuration Discovery](/techniques/T1016) (v1.5→v1.6) +* [System Owner/User Discovery](/techniques/T1033) (v1.4→v1.5) +* System Services: [Service Execution](/techniques/T1569/002) (v1.1→v1.2) +* [Taint Shared Content](/techniques/T1080) (v1.3→v1.4) +* Trusted Developer Utilities Proxy Execution: [MSBuild](/techniques/T1127/001) (v1.2→v1.3) +* Unsecured Credentials: [Credentials In Files](/techniques/T1552/001) (v1.1→v1.2) +* Unsecured Credentials: [Credentials in Registry](/techniques/T1552/002) (v1.0→v1.1) +* Use Alternate Authentication Material: [Pass the Hash](/techniques/T1550/002) (v1.1→v1.2) +* Valid Accounts: [Cloud Accounts](/techniques/T1078/004) (v1.5→v1.6) +* Valid Accounts: [Domain Accounts](/techniques/T1078/002) (v1.3→v1.4) +* Valid Accounts: [Local Accounts](/techniques/T1078/003) (v1.3→v1.4) +* [Windows Management Instrumentation](/techniques/T1047) (v1.3→v1.4) + +#### Patches + +* [Cloud Service Discovery](/techniques/T1526) (v1.3) +* Event Triggered Execution: [PowerShell Profile](/techniques/T1546/013) (v1.1) +* Forge Web Credentials: [SAML Tokens](/techniques/T1606/002) (v1.2) +* Forge Web Credentials: [Web Cookies](/techniques/T1606/001) (v1.1) +* Masquerading: [Masquerade File Type](/techniques/T1036/008) (v1.0) +* Masquerading: [Rename System Utilities](/techniques/T1036/003) (v1.1) +* OS Credential Dumping: [Cached Domain Credentials](/techniques/T1003/005) (v1.0) +* [Replication Through Removable Media](/techniques/T1091) (v1.2) +* [Steal Application Access Token](/techniques/T1528) (v1.2) +* [Steal Web Session Cookie](/techniques/T1539) (v1.2) +* System Binary Proxy Execution: [Compiled HTML File](/techniques/T1218/001) (v2.1) +* Use Alternate Authentication Material: [Application Access Token](/techniques/T1550/001) (v1.5) +* Use Alternate Authentication Material: [Web Session Cookie](/techniques/T1550/004) (v1.3) + +### Mobile + +#### New Techniques + +* [Application Versioning](/techniques/T1661) (v1.0) +* [Data Destruction](/techniques/T1662) (v1.0) +* [Exploitation for Client Execution](/techniques/T1658) (v1.0) +* [Masquerading](/techniques/T1655) (v1.0) + * [Match Legitimate Name or Location](/techniques/T1655/001) (v1.0) +* [Phishing](/techniques/T1660) (v1.0) +* [Remote Access Software](/techniques/T1663) (v1.0) + +#### Minor Version Changes + +* [Call Control](/techniques/T1616) (v1.1→v1.2) +* [Command and Scripting Interpreter](/techniques/T1623) (v1.1→v1.2) + * [Unix Shell](/techniques/T1623/001) (v1.1→v1.2) +* [Download New Code at Runtime](/techniques/T1407) (v1.4→v1.5) +* [Drive-By Compromise](/techniques/T1456) (v2.1→v2.2) +* [Dynamic Resolution](/techniques/T1637) (v1.0→v1.1) + * [Domain Generation Algorithms](/techniques/T1637/001) (v1.0→v1.1) +* [Exfiltration Over Alternative Protocol](/techniques/T1639) (v1.0→v1.1) + * [Exfiltration Over Unencrypted Non-C2 Protocol](/techniques/T1639/001) (v1.0→v1.1) +* [Exfiltration Over C2 Channel](/techniques/T1646) (v1.0→v1.1) +* Impair Defenses: [Prevent Application Removal](/techniques/T1629/001) (v1.1→v1.2) +* [Ingress Tool Transfer](/techniques/T1544) (v2.1→v2.2) +* [Input Injection](/techniques/T1516) (v1.1→v1.2) +* [Lockscreen Bypass](/techniques/T1461) (v1.2→v1.3) +* [Obfuscated Files or Information](/techniques/T1406) (v3.0→v3.1) +* [Replication Through Removable Media](/techniques/T1458) (v2.0→v2.1) +* [Web Service](/techniques/T1481) (v1.2→v1.3) + * [Bidirectional Communication](/techniques/T1481/002) (v1.1→v1.2) + * [Dead Drop Resolver](/techniques/T1481/001) (v1.1→v1.2) + * [One-Way Communication](/techniques/T1481/003) (v1.1→v1.2) + +#### Patches + +* [Credentials from Password Store](/techniques/T1634) (v1.1) +* [Exploitation for Privilege Escalation](/techniques/T1404) (v2.1) +* Hijack Execution Flow: [System Runtime API Hijacking](/techniques/T1625/001) (v1.1) +* Location Tracking: [Impersonate SS7 Nodes](/techniques/T1430/002) (v1.1) +* [Non-Standard Port](/techniques/T1509) (v2.1) + +### ICS + +#### Minor Version Changes + +* [Block Command Message](/techniques/T0803) (v1.0→v1.1) +* [Modify Controller Tasking](/techniques/T0821) (v1.1→v1.2) +* [Modify Parameter](/techniques/T0836) (v1.2→v1.3) +* [Modify Program](/techniques/T0889) (v1.1→v1.2) +* [Service Stop](/techniques/T0881) (v1.0→v1.1) + +#### Patches + +* [Activate Firmware Update Mode](/techniques/T0800) (v1.0) +* [Adversary-in-the-Middle](/techniques/T0830) (v2.0) +* [Alarm Suppression](/techniques/T0878) (v1.2) +* [Automated Collection](/techniques/T0802) (v1.0) +* [Block Reporting Message](/techniques/T0804) (v1.0) +* [Block Serial COM](/techniques/T0805) (v1.1) +* [Brute Force I/O](/techniques/T0806) (v1.1) +* [Change Credential](/techniques/T0892) (v1.0) +* [Change Operating Mode](/techniques/T0858) (v1.0) +* [Command-Line Interface](/techniques/T0807) (v1.1) +* [Commonly Used Port](/techniques/T0885) (v1.1) +* [Connection Proxy](/techniques/T0884) (v1.1) +* [Damage to Property](/techniques/T0879) (v1.1) +* [Data Destruction](/techniques/T0809) (v1.0) +* [Data from Information Repositories](/techniques/T0811) (v1.2) +* [Data from Local System](/techniques/T0893) (v1.0) +* [Default Credentials](/techniques/T0812) (v1.0) +* [Denial of Control](/techniques/T0813) (v1.1) +* [Denial of Service](/techniques/T0814) (v1.1) +* [Denial of View](/techniques/T0815) (v1.1) +* [Detect Operating Mode](/techniques/T0868) (v1.0) +* [Device Restart/Shutdown](/techniques/T0816) (v1.1) +* [Drive-by Compromise](/techniques/T0817) (v1.0) +* [Execution through API](/techniques/T0871) (v1.1) +* [Exploit Public-Facing Application](/techniques/T0819) (v1.0) +* [Exploitation for Evasion](/techniques/T0820) (v1.1) +* [Exploitation for Privilege Escalation](/techniques/T0890) (v1.1) +* [Exploitation of Remote Services](/techniques/T0866) (v1.0) +* [External Remote Services](/techniques/T0822) (v1.1) +* [Graphical User Interface](/techniques/T0823) (v1.1) +* [Hardcoded Credentials](/techniques/T0891) (v1.0) +* [Hooking](/techniques/T0874) (v1.2) +* [I/O Image](/techniques/T0877) (v1.1) +* [Indicator Removal on Host](/techniques/T0872) (v1.0) +* [Internet Accessible Device](/techniques/T0883) (v1.0) +* [Lateral Tool Transfer](/techniques/T0867) (v1.1) +* [Loss of Availability](/techniques/T0826) (v1.0) +* [Loss of Control](/techniques/T0827) (v1.0) +* [Loss of Productivity and Revenue](/techniques/T0828) (v1.0) +* [Loss of Protection](/techniques/T0837) (v1.0) +* [Loss of Safety](/techniques/T0880) (v1.0) +* [Loss of View](/techniques/T0829) (v1.0) +* [Manipulate I/O Image](/techniques/T0835) (v1.1) +* [Manipulation of Control](/techniques/T0831) (v1.0) +* [Manipulation of View](/techniques/T0832) (v1.0) +* [Masquerading](/techniques/T0849) (v1.1) +* [Modify Alarm Settings](/techniques/T0838) (v1.2) +* [Module Firmware](/techniques/T0839) (v1.1) +* [Monitor Process State](/techniques/T0801) (v1.0) +* [Native API](/techniques/T0834) (v1.0) +* [Network Connection Enumeration](/techniques/T0840) (v1.1) +* [Network Sniffing](/techniques/T0842) (v1.0) +* [Point & Tag Identification](/techniques/T0861) (v1.1) +* [Program Download](/techniques/T0843) (v1.1) +* [Program Upload](/techniques/T0845) (v1.0) +* [Project File Infection](/techniques/T0873) (v1.0) +* [Remote Services](/techniques/T0886) (v1.1) +* [Remote System Discovery](/techniques/T0846) (v1.1) +* [Remote System Information Discovery](/techniques/T0888) (v1.1) +* [Replication Through Removable Media](/techniques/T0847) (v1.0) +* [Rogue Master](/techniques/T0848) (v1.2) +* [Rootkit](/techniques/T0851) (v1.1) +* [Screen Capture](/techniques/T0852) (v1.0) +* [Scripting](/techniques/T0853) (v1.0) +* [Spearphishing Attachment](/techniques/T0865) (v1.1) +* [Spoof Reporting Message](/techniques/T0856) (v1.2) +* [Standard Application Layer Protocol](/techniques/T0869) (v1.0) +* [Supply Chain Compromise](/techniques/T0862) (v1.1) +* [System Firmware](/techniques/T0857) (v1.1) +* [Theft of Operational Information](/techniques/T0882) (v1.0) +* [Transient Cyber Asset](/techniques/T0864) (v1.2) +* [Unauthorized Command Message](/techniques/T0855) (v1.2) +* [User Execution](/techniques/T0863) (v1.1) +* [Valid Accounts](/techniques/T0859) (v1.1) +* [Wireless Compromise](/techniques/T0860) (v1.2) +* [Wireless Sniffing](/techniques/T0887) (v1.1) + +## Software + +### Enterprise + +#### New Software + +* [ANDROMEDA](/software/S1074) (v1.0) +* [AsyncRAT](/software/S1087) (v1.0) +* [BADHATCH](/software/S1081) (v1.0) +* [Disco](/software/S1088) (v1.0) +* [KOPILUWAK](/software/S1075) (v1.0) +* [NightClub](/software/S1090) (v1.0) +* [Pacu](/software/S1091) (v1.0) +* [QUIETCANARY](/software/S1076) (v1.0) +* [QUIETEXIT](/software/S1084) (v1.0) +* [RotaJakiro](/software/S1078) (v1.0) +* [Sardonic](/software/S1085) (v1.0) +* [SharpDisco](/software/S1089) (v1.0) +* [Snip3](/software/S1086) (v1.0) +* [ngrok](/software/S0508) (v1.2) + +#### Major Version Changes + +* [OSX_OCEANLOTUS.D](/software/S0352) (v2.2→v3.0) +* [Uroburos](/software/S0022) (v1.0→v2.0) + +#### Minor Version Changes + +* [AdFind](/software/S0552) (v1.2→v1.3) +* [Agent Tesla](/software/S0331) (v1.2→v1.3) +* [Arp](/software/S0099) (v1.1→v1.2) +* [BITSAdmin](/software/S0190) (v1.3→v1.4) +* [BlackEnergy](/software/S0089) (v1.3→v1.4) +* [BloodHound](/software/S0521) (v1.4→v1.5) +* [Cobalt Strike](/software/S0154) (v1.10→v1.11) +* [Conti](/software/S0575) (v2.1→v2.2) +* [CrossRAT](/software/S0235) (v1.1→v1.2) +* [Dridex](/software/S0384) (v2.0→v2.1) +* [Emotet](/software/S0367) (v1.4→v1.5) +* [Empire](/software/S0363) (v1.6→v1.7) +* [Fysbis](/software/S0410) (v1.2→v1.3) +* [GoldMax](/software/S0588) (v2.1→v2.2) +* [Imminent Monitor](/software/S0434) (v1.0→v1.1) +* [Impacket](/software/S0357) (v1.4→v1.5) +* [KillDisk](/software/S0607) (v1.1→v1.2) +* [LaZagne](/software/S0349) (v1.4→v1.5) +* [Mimikatz](/software/S0002) (v1.7→v1.8) +* [NETWIRE](/software/S0198) (v1.5→v1.6) +* [Net](/software/S0039) (v2.4→v2.5) +* [Nltest](/software/S0359) (v1.1→v1.2) +* [OSX/Shlayer](/software/S0402) (v1.3→v1.4) +* [Ping](/software/S0097) (v1.3→v1.4) +* [PsExec](/software/S0029) (v1.4→v1.5) +* [Pupy](/software/S0192) (v1.2→v1.3) +* [Ragnar Locker](/software/S0481) (v1.1→v1.2) +* [Regin](/software/S0019) (v1.1→v1.2) +* [Revenge RAT](/software/S0379) (v1.1→v1.2) +* [Rubeus](/software/S1071) (v1.0→v1.1) +* [Ryuk](/software/S0446) (v1.3→v1.4) +* [TrickBot](/software/S0266) (v2.0→v2.1) +* [WarzoneRAT](/software/S0670) (v1.0→v1.1) +* [certutil](/software/S0160) (v1.3→v1.4) +* [esentutl](/software/S0404) (v1.2→v1.3) +* [jRAT](/software/S0283) (v2.1→v2.2) +* [netstat](/software/S0104) (v1.1→v1.2) +* [njRAT](/software/S0385) (v1.4→v1.5) + +#### Patches + +* [BlackCat](/software/S1068) (v1.0) +* [Calisto](/software/S0274) (v1.1) +* [Carbanak](/software/S0030) (v1.1) +* [Doki](/software/S0600) (v1.0) +* [Industroyer](/software/S0604) (v1.1) +* [LockerGoga](/software/S0372) (v2.0) +* [PUNCHBUGGY](/software/S0196) (v2.1) +* [PUNCHTRACK](/software/S0197) (v1.1) +* [PowerSploit](/software/S0194) (v1.6) + +#### Revocations + +* Ngrok (revoked by [ngrok](/software/S0508)) (v1.1) + +### Mobile + +#### New Software + +* [BOULDSPY](/software/S1079) (v1.0) +* [Chameleon](/software/S1083) (v1.0) +* [Escobar](/software/S1092) (v1.0) +* [Fakecalls](/software/S1080) (v1.0) +* [FlyTrap](/software/S1093) (v1.0) +* [Hornbill](/software/S1077) (v1.0) +* [Sunbird](/software/S1082) (v1.0) + +### ICS + +#### Minor Version Changes + +* [BlackEnergy](/software/S0089) (v1.3→v1.4) +* [KillDisk](/software/S0607) (v1.1→v1.2) +* [Ryuk](/software/S0446) (v1.3→v1.4) + +#### Patches + +* [Industroyer](/software/S0604) (v1.1) +* [LockerGoga](/software/S0372) (v2.0) + +## Groups + +### Enterprise + +#### New Groups + +* [FIN13](/groups/G1016) (v1.0) +* [MoustachedBouncer](/groups/G1019) (v1.0) +* [Scattered Spider](/groups/G1015) (v1.0) +* [TA2541](/groups/G1018) (v1.0) +* [Volt Typhoon](/groups/G1017) (v1.0) + +#### Major Version Changes + +* [APT29](/groups/G0016) (v4.0→v5.0) +* [FIN7](/groups/G0046) (v2.2→v3.0) +* [FIN8](/groups/G0061) (v1.3→v2.0) +* [Indrik Spider](/groups/G0119) (v2.1→v3.0) +* [Turla](/groups/G0010) (v3.1→v4.0) +* [Wizard Spider](/groups/G0102) (v2.1→v3.0) + +#### Minor Version Changes + +* [APT32](/groups/G0050) (v2.6→v2.7) +* [Confucius](/groups/G0142) (v1.0→v1.1) +* [Dragonfly](/groups/G0035) (v3.1→v3.2) +* [LAPSUS$](/groups/G1004) (v1.1→v1.2) +* [Magic Hound](/groups/G0059) (v5.1→v5.2) +* [Sandworm Team](/groups/G0034) (v3.0→v3.1) +* [SilverTerrier](/groups/G0083) (v1.1→v1.2) + +#### Patches + +* [APT37](/groups/G0067) (v2.0) +* [Ajax Security Team](/groups/G0130) (v1.0) +* [Darkhotel](/groups/G0012) (v2.1) +* [Kimsuky](/groups/G0094) (v3.1) + +### Mobile + +#### New Groups + +* [Confucius](/groups/G0142) (v1.1) +* [MoustachedBouncer](/groups/G1019) (v1.0) + +#### Minor Version Changes + +* [Sandworm Team](/groups/G0034) (v3.0→v3.1) + +### ICS + +#### Major Version Changes + +* [FIN7](/groups/G0046) (v2.2→v3.0) +* [Wizard Spider](/groups/G0102) (v2.1→v3.0) + +#### Minor Version Changes + +* [Dragonfly](/groups/G0035) (v3.1→v3.2) +* [Sandworm Team](/groups/G0034) (v3.0→v3.1) + +## Campaigns + +### Enterprise + +#### New Campaigns + +* [2015 Ukraine Electric Power Attack](/campaigns/C0028) (v1.0) +* [C0026](/campaigns/C0026) (v1.0) +* [C0027](/campaigns/C0027) (v1.0) + +#### Minor Version Changes + +* [Operation Dream Job](/campaigns/C0022) (v1.0→v1.1) + +### Mobile + +### ICS + +#### New Campaigns + +* [2015 Ukraine Electric Power Attack](/campaigns/C0028) (v1.0) + +## Assets + +### ICS + +#### New Assets + +* [Application Server](/assets/A0008) (v1.0) +* [Control Server](/assets/A0007) (v1.0) +* [Data Gateway](/assets/A0009) (v1.0) +* [Data Historian](/assets/A0006) (v1.0) +* [Field I/O](/assets/A0013) (v1.0) +* [Human-Machine Interface (HMI)](/assets/A0002) (v1.0) +* [Intelligent Electronic Device (IED)](/assets/A0005) (v1.0) +* [Jump Host](/assets/A0012) (v1.0) +* [Programmable Logic Controller (PLC)](/assets/A0003) (v1.0) +* [Remote Terminal Unit (RTU)](/assets/A0004) (v1.0) +* [Routers](/assets/A0014) (v1.0) +* [Safety Controller](/assets/A0010) (v1.0) +* [Virtual Private Network (VPN) Server](/assets/A0011) (v1.0) +* [Workstation](/assets/A0001) (v1.0) + +## Mitigations + +### Enterprise + +#### Minor Version Changes + +* [Application Developer Guidance](/mitigations/M1013) (v1.0→v1.1) + +### Mobile + +#### New Mitigations + +* [Antivirus/Antimalware](/mitigations/M1058) (v1.0) + +#### Minor Version Changes + +* [Application Developer Guidance](/mitigations/M1013) (v1.0→v1.1) + +#### Patches + +* [Interconnection Filtering](/mitigations/M1014) (v1.0) + +### ICS + +#### Minor Version Changes + +* [Authorization Enforcement](/mitigations/M0800) (v1.0→v1.1) +* [Human User Authentication](/mitigations/M0804) (v1.0→v1.1) + +#### Patches + +* [Access Management](/mitigations/M0801) (v1.0) +* [Account Use Policies](/mitigations/M0936) (v1.0) +* [Antivirus/Antimalware](/mitigations/M0949) (v1.0) +* [Application Developer Guidance](/mitigations/M0913) (v1.0) +* [Application Isolation and Sandboxing](/mitigations/M0948) (v1.0) +* [Audit](/mitigations/M0947) (v1.0) +* [Boot Integrity](/mitigations/M0946) (v1.0) +* [Code Signing](/mitigations/M0945) (v1.0) +* [Communication Authenticity](/mitigations/M0802) (v1.0) +* [Data Backup](/mitigations/M0953) (v1.0) +* [Disable or Remove Feature or Program](/mitigations/M0942) (v1.0) +* [Encrypt Network Traffic](/mitigations/M0808) (v1.0) +* [Encrypt Sensitive Information](/mitigations/M0941) (v1.0) +* [Execution Prevention](/mitigations/M0938) (v1.0) +* [Exploit Protection](/mitigations/M0950) (v1.0) +* [Filter Network Traffic](/mitigations/M0937) (v1.0) +* [Limit Access to Resource Over Network](/mitigations/M0935) (v1.0) +* [Limit Hardware Installation](/mitigations/M0934) (v1.0) +* [Minimize Wireless Signal Propagation](/mitigations/M0806) (v1.0) +* [Multi-factor Authentication](/mitigations/M0932) (v1.0) +* [Network Allowlists](/mitigations/M0807) (v1.0) +* [Network Intrusion Prevention](/mitigations/M0931) (v1.0) +* [Network Segmentation](/mitigations/M0930) (v1.0) +* [Operating System Configuration](/mitigations/M0928) (v1.0) +* [Out-of-Band Communications Channel](/mitigations/M0810) (v1.0) +* [Password Policies](/mitigations/M0927) (v1.0) +* [Privileged Account Management](/mitigations/M0926) (v1.0) +* [Redundancy of Service](/mitigations/M0811) (v1.0) +* [Restrict File and Directory Permissions](/mitigations/M0922) (v1.0) +* [Restrict Library Loading](/mitigations/M0944) (v1.0) +* [Restrict Registry Permissions](/mitigations/M0924) (v1.0) +* [Restrict Web-Based Content](/mitigations/M0921) (v1.0) +* [Software Configuration](/mitigations/M0954) (v1.0) +* [Software Process and Device Authentication](/mitigations/M0813) (v1.0) +* [Static Network Configuration](/mitigations/M0814) (v1.1) +* [Supply Chain Management](/mitigations/M0817) (v1.0) +* [Update Software](/mitigations/M0951) (v1.0) +* [User Account Management](/mitigations/M0918) (v1.0) +* [User Training](/mitigations/M0917) (v1.0) +* [Validate Program Inputs](/mitigations/M0818) (v1.0) +* [Vulnerability Scanning](/mitigations/M0916) (v1.0) + +## Contributors to this release + +* Aaron Jornet +* Adam Lichters +* Adam Mashinchi +* Ai Kimura, NEC Corporation +* Alain Homewood +* Alex Spivakovsky, Pentera +* Amir Gharib, Microsoft Threat Intelligence +* Andrew Northern, @ex_raritas +* Arad Inbar, Fidelis Security +* Austin Herrin +* Ben Smith, @ezaspy +* Bilal Bahadır Yenici +* Blake Strom, Microsoft Threat Intelligence +* Brian Donohue +* Caio Silva +* Christopher Peacock +* Edward Stevens, BT Security +* Ford Qin, Trend Micro +* Giorgi Gurgenidze, ISAC +* Goldstein Menachem +* Gregory Lesnewich, @greglesnewich +* Gunji Satoshi, NEC Corporation +* Harry Kim, CODEMIZE +* Harun Küßner +* Hiroki Nagahama, NEC Corporation +* Itamar Mizrahi, Cymptom +* Jack Burns, HubSpot +* Janantha Marasinghe +* Jennifer Kim Roman, CrowdStrike +* Joas Antonio dos Santos, @C0d3Cr4zy +* Joe Gumke, U.S. Bank +* Joe Slowik - Dragos +* Joey Lei +* Juan Tapiador +* Liran Ravich, CardinalOps +* Manikantan Srinivasan, NEC Corporation India +* Martin McCloskey, Datadog +* Matt Green, @mgreen27 +* Michael Raggi @aRtAGGI +* Mohit Rathore +* Naveen Devaraja, bolttech +* Noam Lifshitz, Sygnia +* Olaf Hartong, Falcon Force +* Oren Biderman, Sygnia +* Pawel Partyka, Microsoft Threat Intelligence +* Phyo Paing Htun (ChiLai), I-Secure Co.,Ltd +* Pooja Natarajan, NEC Corporation India +* Sam Seabrook, Duke Energy +* Serhii Melnyk, Trustwave SpiderLabs +* Shailesh Tiwary (Indian Army) +* Shankar Raman, Gen Digital and Abhinand, Amrita University +* Sunders Bruskin, Microsoft Threat Intelligence +* Tahseen Bin Taj +* Thanabodi Phrakhun, @naikordian +* The DFIR Report +* Tim (Wadhwa-)Brown +* Tom Simpson, CrowdStrike Falcon OverWatch +* Tristan Madani (Cybereason) +* TruKno +* Uriel Kosayev +* Vijay Lalwani +* Will Thomas, Equinix +* Yasuhito Kawanishi, NEC Corporation +* Yoshihiro Kori, NEC Corporation +* Yossi Weizman, Microsoft Threat Intelligence diff --git a/modules/resources/templates/attackcon.html b/modules/resources/templates/attackcon.html deleted file mode 100644 index cd7c8741522..00000000000 --- a/modules/resources/templates/attackcon.html +++ /dev/null @@ -1,137 +0,0 @@ -{% extends "general/two-column.html" %} -{% set active_page = "attackcon" -%} -{% set title = "MITRE ATT&CKcon | MITRE ATT&CK®" -%} -{% set conventions = page.data | from_json %} -{% import 'macros/navigation.html' as navigation %} - -{% block innerleft %} -
    - {{navigation.sidenav(RESOURCE_NAV, output_file)}} -
    -{% endblock %} - -{% block innerright %} - -
    -
      -
    1. Home
      2. -
    2. Resources
      3. -
    3. ATT&CKcon
      4. -
    -
    - -
    - -
    - {% for con in conventions %} - {% set conID = "-".join(con.date.split(' ')) %} - {% set active = conID == 'March-2022' %} -
    - - {% if "banner_img" in con %} -

    - -

    - {% endif %} - - {% if "description" in con %} -

    {{con.description}}

    - {% endif %} - {% if "blogpost" in con %} -

    Click here to read our blog post about {{con.title}}! External site

    - {% endif %} - -
    -

    Presentations

    - {% for presentation in con.presentations %} - {% set isPanel = "moderator" in presentation %} -
    - -
    -
    - {% if not isPanel %} -

    {{presentation.description}}

    - {% else %} -

    Panelists:

    -
      - {% for panelist in presentation.panelists %} -
    • - {{panelist}} -
      • - {% endfor %} -
    -

    {{presentation.moderator.name}} moderates a panel that discusses:

    -
      - {% for topic in presentation.topics %} -
    • - {{topic}} -
      • - {% endfor %} -
    - {% endif %} - - {% if "video" in presentation %} - video External site - {% else %} - (no video) - {% endif %} - - {% if "slides" in presentation %} - slides External site - {% else %} - (no slides) - {% endif %} -
    -
    -
    - - {% endfor %} -
    - {% if "sponsors_img" in con %} -
    -

    Sponsors

    - -
    - {% elif "sponsors_img_list" in con %} -
    -

    Sponsors

    -
    - {% for sponsor_img in con.sponsors_img_list %} -
    - -
    - {% endfor %} -
    -
    - {% endif %} -
    - {% endfor %} -
    -
    - -{% endblock %} - - -{% block scripts %} -{{ super() }} - - -{% endblock %} \ No newline at end of file diff --git a/modules/resources/templates/brand.html b/modules/resources/templates/brand.html index 4d6b68a78c0..213f27cdfb2 100644 --- a/modules/resources/templates/brand.html +++ b/modules/resources/templates/brand.html @@ -1,12 +1,10 @@ -{% extends "general/two-column.html" %} +{% extends "general/two-column.html" %} {% set active_page = "resources" -%} -{% set title = "Brand | MITRE ATT&CK®" -%} +{% set title = "Brand | MITRE ATT&CK®" -%} {% import 'macros/navigation.html' as navigation %} {% block innerleft %} -
    - {{navigation.sidenav(RESOURCE_NAV, output_file)}} -
    + {% endblock %} {% block innerright %} @@ -39,7 +37,7 @@

    Brand Guide

    Both MITRE ATT&CK® and ATT&CK® are separately registered trademarks of The MITRE Corporation and should follow the guidelines below.

    Your first written reference to either trademark in a document must include in writing the ® trademark symbol and must include "MITRE" preceding "ATT&CK". -

    Subsequent references in that same document need not include the "R" trademark symbol. +

    Subsequent references in that same document need not include the "R" trademark symbol.

    • Example of a first reference: MITRE ATT&CK® is a curated knowledge base and model for cyber adversary behavior. @@ -70,7 +68,7 @@

      Brand Guide

    - + {% endblock %} @@ -78,5 +76,5 @@

    Brand Guide

    {% block scripts %} {{ super() }} - -{% endblock %} \ No newline at end of file + +{% endblock %} \ No newline at end of file diff --git a/modules/resources/templates/contact.html b/modules/resources/templates/contact.html index bac0a4d9b8d..b685b5fe773 100644 --- a/modules/resources/templates/contact.html +++ b/modules/resources/templates/contact.html @@ -1,10 +1,15 @@ -{% extends "general/base.html" %} +{% extends "general/two-column.html" %} {% set active_page = "contact" -%} {% set title = "Contact | MITRE ATT&CK®" %} +{% import 'macros/navigation.html' as navigation %} -{% block content %} +{% block innerleft %} + +{% endblock %} + +{% block innerright %} {{ super () }} -
    +

    Contact Us!

    @@ -15,4 +20,10 @@

    Contact Us!

    For learning how to submit contributions to ATT&CK, read our contribute page

    +{% endblock %} + +{% block scripts %} +{{ super() }} + + {% endblock %} \ No newline at end of file diff --git a/modules/contribute/templates/contribute.html b/modules/resources/templates/contribute.html similarity index 77% rename from modules/contribute/templates/contribute.html rename to modules/resources/templates/contribute.html index 9e092044aaf..c1388ef10d8 100644 --- a/modules/contribute/templates/contribute.html +++ b/modules/resources/templates/contribute.html @@ -1,19 +1,27 @@ -{% extends "general/base.html" %} +{% extends "general/two-column.html" %} {% set active_page = "resources" -%} {% set title = "Contribute | MITRE ATT&CK®" -%} {% set parsed = page.data | from_json %} +{% import 'macros/navigation.html' as navigation %} -{% block content %} {{ super () }} -
    -
    -
      +{% block innerleft %} + +{% endblock %} + +{% block innerright %} +
      +
      1. Home
        2. -
      2. Resources
        3. +
      3. Resources
      4. Contribute
        5. -
      - -
      -

      Contribute

      +
    +
    + +
    +
    +
    +
    +

    Contribute

    You can help contribute to ATT&CK.

    @@ -39,10 +47,10 @@

    Contributing to ATT&CK

    Sub-Techniques and Techniques

    - We appreciate your help to let us know about what new techniques and technique variations adversaries - are using in the wild. You can start by emailing us the technique name, a brief description, and - references or knowledge about how it is being used by adversaries. - We suggest you take a close look at what we already have on our site, paying attention + We appreciate your help to let us know about what new techniques and technique variations adversaries + are using in the wild. You can start by emailing us the technique name, a brief description, and + references or knowledge about how it is being used by adversaries. + We suggest you take a close look at what we already have on our site, paying attention to the level of abstraction of techniques and sub-techniques. Since we are working on adding new technique details constantly, we will deconflict what you send with what we’re working on. We’ll provide feedback and work with you to get the content added. @@ -61,20 +69,20 @@

    macOS, Linux, cloud, and ICS
    Threat Intelligence

    - We map Group and Software examples on our site, and there is too much open source threat intelligence - reporting for us to keep up on everything. We appreciate your help with referenced information about - how Groups and Software samples use ATT&CK techniques. - Threat intelligence contributions are most helpful to us when they are in the specific format we have - on our website, including citing techniques and group names or associated groups to - publicly-available references. We ask that you provide the sub-technique or technique name, a brief description of + We map Group and Software examples on our site, and there is too much open source threat intelligence + reporting for us to keep up on everything. We appreciate your help with referenced information about + how Groups and Software samples use ATT&CK techniques. + Threat intelligence contributions are most helpful to us when they are in the specific format we have + on our website, including citing techniques and group names or associated groups to + publicly-available references. We ask that you provide the sub-technique or technique name, a brief description of how the technique is implemented, and the publicly-available reference.

    Data Sources

    - We often don’t have direct access to endpoint or network log data for technique use in incidents. - We’re always looking for partners who would be interested in sharing relevant data from logs that + We often don’t have direct access to endpoint or network log data for technique use in incidents. + We’re always looking for partners who would be interested in sharing relevant data from logs that show how adversaries are using ATT&CK techniques beyond what appears in threat reporting.

    @@ -82,8 +90,8 @@
    Data Sources
    Your Use Cases

    - It’s always helpful for us to hear about how you’re using ATT&CK in your organization. - We appreciate any information you can share with us about your specific use case or + It’s always helpful for us to hear about how you’re using ATT&CK in your organization. + We appreciate any information you can share with us about your specific use case or application of ATT&CK, and particularly any success stories you’ve had as a result.

    @@ -92,47 +100,47 @@

    Contribution Examples

    New Technique Example
    -
    -
    (Sub-)Technique Name:
    -

    COM, ROM, & BE GONE

    -
    Tactic:
    -

    Persistence

    -
    -
    -
    Platform:
    -

    Windows

    -
    Required Permissions:
    -

    User

    -
    +

    + (Sub-)Technique Name: COM, ROM, & BE GONE +

    +

    + Tactic: Persistence +

    +

    + Platform: Windows +

    +

    + Required Permissions: User +

    Sub-techniques: This is a sub-technique of T1XXX, or this would have T1XXX as a sub-technique

    - Data Sources: Windows API, Process monitoring, + Data Sources: Windows API, Process monitoring, or other sources that can be used to detect this activity

    Description: Component Object Model (COM) servers - associated with Graphics Interchange Format (JIF) image viewers can be abused to corrupt arbitrary memory banks. Adversaries may leverage this opportunity to modify, mux, and maliciously annoy (MMA) read-only memory (ROM) regularly accessed during normal system operations. + associated with Graphics Interchange Format (JIF) image viewers can be abused to corrupt arbitrary memory banks. Adversaries may leverage this opportunity to modify, mux, and maliciously annoy (MMA) read-only memory (ROM) regularly accessed during normal system operations.

    - Detection: Monitor the JIF viewers for muxing + Detection: Monitor the JIF viewers for muxing and malicious annoyance. Use event ID 423420 and 234222 to detect changes.

    Mitigation: Configure the Registry key - HKLM\SYSTEM\ControlSet\001\Control\WindowsJIFControl\ to 0 to disable MMA access - if not needed within the environment. + HKLM\SYSTEM\ControlSet\001\Control\WindowsJIFControl\ to 0 to disable MMA access + if not needed within the environment.

    Adversary Use: Here is a publicly-available - reference about FUZZYSNUGGLYDUCK using this technique: - (www[.]awesomeThreatReports[.]org/FUZZYSNUGGLYDUCK_NOMS _ON_ROM_VIA_COM). - Additionally, our red team uses this in our operations. + reference about FUZZYSNUGGLYDUCK using this technique: + (www[.]awesomeThreatReports[.]org/FUZZYSNUGGLYDUCK_NOMS _ON_ROM_VIA_COM). + Additionally, our red team uses this in our operations.

    Additional References: Here is a reference - from the researcher who discovered this technique: + from the researcher who discovered this technique: (www[.]crazySmartResearcher[.]net/POC_DETECTIONS_&_MITIGATIONS_4_WHEN_COM_RAMS_ROM)

    @@ -147,41 +155,41 @@
    Group & Software Example

    Associated Groups: APT1337 (www[.]sourceY[.]com)

    -
    +

    - Description: FUZZYSNUGGLYDUCK - is a Great Lakes-based threat group that has been active since at + Description: FUZZYSNUGGLYDUCK + is a Great Lakes-based threat group that has been active since at least May 2018. The group focuses on targeting the aviation sector. (www[.]sourceY[.]com)

    -
    Techniques:
    -
      +
      Techniques:
      +
      • - Phishing: Spearphishing Attachment (T1566.001) – FUZZYSNUGGLYDUCK has used spearphishing + Phishing: Spearphishing Attachment (T1566.001) – FUZZYSNUGGLYDUCK has used spearphishing email attachments containing images of stale bread to deliver malware. (www[.]sourceX[.]com)
      • - File and Directory Discovery (T1083) – FUZZYSNUGGLYDUCK has searched files + File and Directory Discovery (T1083) – FUZZYSNUGGLYDUCK has searched files and directories for the string *quack*. (www[.]sourceY[.]com)

      - Software Name: FLYINGV + Software Name: FLYINGV (www[.]sourceX[.]com) (wwwVsourceZ[.]com)

      -
      +

      - Group Association: FLYINGV has + Group Association: FLYINGV has been used by FUZZYSNUGGLYDUCK. (www[.]sourceZ[.]com)

      -
      +

      - Description: FLYINGV is custom malware + Description: FLYINGV is custom malware used by FUZZYSNUGGLYDUCK as a second-stage RAT. (www[.]sourceZ[.]com)

      -
      +

      Platform: Windows

      @@ -189,11 +197,11 @@
      Techniques:
      Techniques:
      • - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001) – FLYINGV has added + Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001) – FLYINGV has added the Registry Run key “HueyDeweyLouie” to establish persistence. (www[.]sourceX[.]com)
      • - File and Directory Discovery (T1083) – FLYINGV has used rundll32.exe + File and Directory Discovery (T1083) – FLYINGV has used rundll32.exe to load its malicious dll file, estevez.dll. (www[.]sourceX[.]com)
      @@ -202,8 +210,8 @@
      Techniques:

      Content Errors on the Website

      - If you find errors or typos on the site related to content, - please let us know by sending an email to + If you find errors or typos on the site related to content, + please let us know by sending an email to attack@mitre.org with the subject Website Content Error.

      @@ -230,8 +238,8 @@

      Content Errors on the Website

    Contributors

    - The following individuals or organizations have contributed information - regarding the existence of a technique, details on how to detect and/or mitigate + The following individuals or organizations have contributed information + regarding the existence of a technique, details on how to detect and/or mitigate use of a technique, or threat intelligence on adversary use:

    @@ -252,8 +260,12 @@

    Contributors

    Thanks to those who have contributed to ATT&CK!

    +
    -{% endblock %} {% block scripts %} {{ super () }} -{% endblock %} \ No newline at end of file +{% endblock %} +{% block scripts %} {{ super () }} + + +{% endblock %} \ No newline at end of file diff --git a/modules/resources/templates/getting-started.html b/modules/resources/templates/getting-started.html index 846d46cb261..3808e7ad20d 100644 --- a/modules/resources/templates/getting-started.html +++ b/modules/resources/templates/getting-started.html @@ -1,12 +1,10 @@ -{% extends "general/two-column.html" %} +{% extends "general/two-column.html" %} {% set active_page = "resources" -%} -{% set title = "Getting Started | MITRE ATT&CK®" -%} +{% set title = "Getting Started | MITRE ATT&CK®" -%} {% import 'macros/navigation.html' as navigation %} {% block innerleft %} -
    - {{navigation.sidenav(RESOURCE_NAV, output_file)}} -
    + {% endblock %} {% block innerright %} @@ -24,7 +22,7 @@

    Getting Started

    - You want to get started using ATT&CK, but where do you begin? Regardless of what you want to accomplish, it’s important to understand what ATT&CK is and why MITRE created it. + You want to get started using ATT&CK, but where do you begin? Regardless of what you want to accomplish, it’s important to understand what ATT&CK is and why MITRE created it.

    @@ -50,7 +48,7 @@

    Getting Started

  • Finding Cyber Threats with ATT&CK-Based Analytics
    Presents a methodology for using ATT&CK to build, test, and refine behavioral-based analytic detection capabilities.
    • -
  • +
  • MITRE ATT&CK Introduction Video:
    @@ -59,7 +57,7 @@

    Getting Started

    • -
    +
    @@ -67,7 +65,7 @@

    Getting Started

    Common Use Cases

    -
    +
    +
    {% endblock %} @@ -263,5 +261,5 @@

    Community

    {% block scripts %} {{ super() }} - -{% endblock %} \ No newline at end of file + +{% endblock %} \ No newline at end of file diff --git a/modules/resources/templates/previous-versions.html b/modules/resources/templates/previous-versions.html index 219e3d44b46..08927e07619 100644 --- a/modules/resources/templates/previous-versions.html +++ b/modules/resources/templates/previous-versions.html @@ -1,6 +1,6 @@ -{% extends "general/base.html" %} +{% extends "general/base.html" %} {% set active_page = "resources" -%} -{% set title = "Previous Versions | MITRE ATT&CK®" -%} +{% set title = "Previous Versions | MITRE ATT&CK®" -%} {% set parsed = page.data | from_json %} {% block content %} @@ -26,7 +26,7 @@

    Previous Versions

  • {{version.date_start}} - {{version.date_end}}. This version has been removed from the site. You can still download this version's source data or browse the raw HTML.
    • {% else %}
  • {{version.date_start}} - {{version.date_end}} (Updates)
    • - {% endif %} + {% endif %} {% endfor %}
    @@ -36,4 +36,4 @@

    Previous Versions

    {% endblock %} {% block scripts %} {{ super() }} -{% endblock %} \ No newline at end of file +{% endblock %} \ No newline at end of file diff --git a/modules/resources/templates/related-projects.html b/modules/resources/templates/related-projects.html index 8d8c4547e92..898b38d649c 100644 --- a/modules/resources/templates/related-projects.html +++ b/modules/resources/templates/related-projects.html @@ -1,12 +1,10 @@ -{% extends "general/two-column.html" %} +{% extends "general/two-column.html" %} {% set active_page = "resources" -%} {% set title = "Related Projects | MITRE ATT&CK®" -%} {% import 'macros/navigation.html' as navigation %} {% block innerleft %} -
    - {{navigation.sidenav(RESOURCE_NAV, output_file)}} -
    + {% endblock %} {% block innerright %} @@ -31,14 +29,14 @@
    The MITRE ATT&CK GitHub organization was created to hold current and future ATT&CK-related content, including this website!

    - +
    CALDERA

    CALDERA is an automated adversary emulation system that performs post-compromise adversarial behavior within Windows Enterprise networks.

    - +
    Card image cap
    @@ -46,14 +44,14 @@
    The ATT&CK Navigator is designed to provide basic navigation and annotation of ATT&CK matrices.

    - +
    CASCADE

    CASCADE is a research project at MITRE which seeks to automate much of the investigative work a “blue-team” team would perform to determine the scope and maliciousness of suspicious behavior on a network using host data.

    - +
    Card image cap
    @@ -61,7 +59,7 @@
    Structured Threat Information Expression (STIX™) is a language and serialization format used to exchange cyber threat intelligence (CTI).

    - +
    CAR
    @@ -116,5 +114,5 @@
    - + {% endblock %} \ No newline at end of file diff --git a/modules/resources/templates/resources.html b/modules/resources/templates/resources.html index bab4d488e9b..2884de7aa4c 100644 --- a/modules/resources/templates/resources.html +++ b/modules/resources/templates/resources.html @@ -5,9 +5,7 @@ {% import 'macros/navigation.html' as navigation %} {% block innerleft %} -
    - {{navigation.sidenav(RESOURCE_NAV, output_file)}} -
    + {% endblock %} {% block innerright %} @@ -95,7 +93,7 @@

    Other ATT&CK Efforts

    - ATT&CK Evaluations + ATT&CK Evaluations
    Evaluations of cybersecurity products using an open methodology based on ATT&CK. @@ -157,5 +155,5 @@

    Other Resources

    {% block scripts %} {{ super() }} - + {% endblock %} \ No newline at end of file diff --git a/modules/resources/templates/training-cti.html b/modules/resources/templates/training-cti.html index a4678ca8422..40b86ec8923 100644 --- a/modules/resources/templates/training-cti.html +++ b/modules/resources/templates/training-cti.html @@ -1,12 +1,10 @@ -{% extends "general/two-column.html" %} +{% extends "general/two-column.html" %} {% set active_page = "resources" -%} {% set title = "Using ATT&CK for CTI Training | MITRE ATT&CK®" -%} {% import 'macros/navigation.html' as navigation %} {% block innerleft %} -
    - {{navigation.sidenav(RESOURCE_NAV, output_file)}} -
    + {% endblock %} {% block innerright %} @@ -44,7 +42,7 @@

    Using ATT&CK for Cyber Threat Intelligence Training

    Training Modules

    -
    +
    @@ -79,7 +77,7 @@
    Module 2 Video
  • -
    Module 2 Slides
    +
    Module 2 Slides

    • Exercise 2: Mapping from finished reporting @@ -87,7 +85,7 @@

    Exercise 2: Mapping from finished reporting

    Warning: This exercise is based on a previous version of ATT&CK. We recommend using ATT&CK v6 if you want to match the training.

    -
    +
    Cybereason Cobalt Kitty Report: we walk through this exercise in the video and slides.
    • @@ -138,7 +136,7 @@

      Exercise 2: Mapping from finished reporting
      @@ -148,7 +146,7 @@
      Module 3 Video

    • -
      Module 3 Slides
      +
      Module 3 Slides

    Exercise 3: Working with raw data @@ -156,7 +154,7 @@

    Exercise 3: Working with raw data

    Warning: This exercise is based on a previous version of ATT&CK. We recommend using ATT&CK v6 if you want to match the training.

    -
    +
    Ticket 473822: we walk through this exercise in the video and slides

    Exercise 4: Comparing layers in ATT&CK Navigator @@ -210,7 +208,7 @@

    Exercise 4: Comparing layers in ATT&CK Navigator

    Warning: This exercise is based on a previous version of ATT&CK. We recommend using ATT&CK Navigator v2 if you want to match the training.

    -
    +
    -

    Exercise 5: Making defensive recommendations +

    Exercise 5: Making defensive recommendations

    Warning: This exercise is based on a previous version of ATT&CK. We recommend using ATT&CK v6 if you want to match the training.

    -
    +
    Guided Exercise: we walk through this exercise in the video and slides.
    -
    +

    @@ -284,5 +282,5 @@

    Exercise 5: Making defensive recommendations {% block scripts %} {{ super() }} - -{% endblock %} \ No newline at end of file + +{% endblock %} \ No newline at end of file diff --git a/modules/resources/templates/training.html b/modules/resources/templates/training.html index aa624821f44..dfa63a99cef 100644 --- a/modules/resources/templates/training.html +++ b/modules/resources/templates/training.html @@ -1,12 +1,10 @@ -{% extends "general/two-column.html" %} +{% extends "general/two-column.html" %} {% set active_page = "resources" -%} {% set title = "ATT&CK Training | MITRE ATT&CK®" -%} {% import 'macros/navigation.html' as navigation %} {% block innerleft %} -
    - {{navigation.sidenav(RESOURCE_NAV, output_file)}} -
    + {% endblock %} {% block innerright %} @@ -49,5 +47,5 @@

    ATT&CK Training

    {% block scripts %} {{ super() }} - + {% endblock %} \ No newline at end of file diff --git a/modules/resources/templates/update-post.html b/modules/resources/templates/update-post.html index d860bc2ed33..5862306d6d9 100644 --- a/modules/resources/templates/update-post.html +++ b/modules/resources/templates/update-post.html @@ -1,12 +1,10 @@ {% extends "general/two-column.html" %} -{% set active_article = "resources" -%} -{% set title = "Updates - " + article.title + " | MITRE ATT&CK®" -%} +{% set active_article = "resources" -%} +{% set title = "Updates - " + article.title + " | MITRE ATT&CK®" -%} {% import 'macros/navigation.html' as navigation %} {% block innerleft %} -
    - {{navigation.sidenav(RESOURCE_NAV, output_file)}} -
    + {% endblock %} {% block innerright %} @@ -24,5 +22,5 @@

    {{ article.title }}

    {% endblock %} {% block scripts %} {{ super() }} - + {% endblock %} \ No newline at end of file diff --git a/modules/resources/templates/updates-index.html b/modules/resources/templates/updates-index.html index 108694145f1..ebd874d9392 100644 --- a/modules/resources/templates/updates-index.html +++ b/modules/resources/templates/updates-index.html @@ -1,13 +1,11 @@ -{% extends "general/two-column.html" %} +{% extends "general/two-column.html" %} {% set active_page = "resources" -%} {% set title = "Updates | MITRE ATT&CK®" -%} {% set found = {'found': True} -%} {% import 'macros/navigation.html' as navigation %} {% block innerleft %} -
    - {{navigation.sidenav(RESOURCE_NAV, output_file)}} -
    + {% endblock %} {% block innerright %} {{ super () }} @@ -26,5 +24,5 @@

    {{ (articles|selectattr('template', 'equalto', {% block scripts %} {{ super() }} - + {% endblock %} \ No newline at end of file diff --git a/modules/resources/templates/working-with-attack.html b/modules/resources/templates/working-with-attack.html index b8973088de3..4e49e274068 100644 --- a/modules/resources/templates/working-with-attack.html +++ b/modules/resources/templates/working-with-attack.html @@ -6,9 +6,7 @@ {% import 'macros/navigation.html' as navigation %} {% block innerleft %} -
    - {{navigation.sidenav(RESOURCE_NAV, output_file)}} -
    + {% endblock %} {% block innerright %} @@ -29,8 +27,8 @@

    Accessing ATT&CK Data

    ATT&CK in STIX

    - Structured Threat Information Expression (STIX™) is a language and serialization - format used to exchange cyber threat intelligence (CTI). The ATT&CK dataset is available in STIX 2.0 and STIX 2.1. + Structured Threat Information Expression (STIX™) is a language and serialization + format used to exchange cyber threat intelligence (CTI). The ATT&CK dataset is available in STIX 2.0 and STIX 2.1. Other presentations of this dataset, including the ATT&CK Navigator and this website, are built from the STIX data.

    @@ -43,8 +41,8 @@

    ATT&CK in STIX

    - STIX is a machine-readable format providing access to the ATT&CK knowledge base. It is the most granular - representation of the ATT&CK data, and all other representations are derived from the STIX dataset. + STIX is a machine-readable format providing access to the ATT&CK knowledge base. It is the most granular + representation of the ATT&CK data, and all other representations are derived from the STIX dataset.

    Consider using ATT&CK in STIX if you:

      @@ -55,11 +53,11 @@

      ATT&CK in STIX

    The ATT&CK STIX representation is most easily manipulated in Python using the - stix2 library. However, because STIX is represented in JSON, + stix2 library. However, because STIX is represented in JSON, other programming languages can easily interact with the raw content.

    - The ATT&CK STIX data can be retrieved from GitHub directly, or accessed via the official ATT&CK TAXII™ server. + The ATT&CK STIX data can be retrieved from GitHub directly, or accessed via the official ATT&CK TAXII™ server. Trusted Automated Exchange of Intelligence Information (TAXII) is an application protocol for exchanging CTI over HTTPS. The ATT&CK TAXII server provides API access to the ATT&CK STIX knowledge base. Learn more about accessing the TAXII server here.

    @@ -70,7 +68,7 @@

    ATT&CK in STIX 2.1

    -

    Visit the repository

    +

    Visit the repository

    Read the docs

    @@ -79,7 +77,7 @@

    ATT&CK in STIX 2.0

    -

    Visit the repository

    +

    Visit the repository

    Read the docs

    @@ -96,8 +94,8 @@

    Le

    ATT&CK in Excel

    - Excel spreadsheets representing the ATT&CK dataset. These spreadsheets are built from the STIX dataset - and provide a more human-accessible view into the knowledge base while also supporting + Excel spreadsheets representing the ATT&CK dataset. These spreadsheets are built from the STIX dataset + and provide a more human-accessible view into the knowledge base while also supporting rudimentary querying/filtering capabilities.

    @@ -115,15 +113,15 @@

    ATT&CK in Excel

  • Are not comfortable enough in Python or other programming languages to work with the STIX representation.

    • - The Excel representation of the ATT&CK dataset includes both master spreadsheets, containing all object types, and - individual spreadsheets for each object type. The individual type spreadsheets break out relationships + The Excel representation of the ATT&CK dataset includes both master spreadsheets, containing all object types, and + individual spreadsheets for each object type. The individual type spreadsheets break out relationships (e.g procedure examples connecting groups to techniques) into separate sheets by relationship type, - while the master spreadsheet includes all relationship types in a single sheet. + while the master spreadsheet includes all relationship types in a single sheet. Otherwise the representation is identical.

    - A citations sheet can be used to look up the in-text citations which appear in some fields. - For domains that include multiple matrices, such as Mobile ATT&CK, each matrix gets its own named sheet. + A citations sheet can be used to look up the in-text citations which appear in some fields. + For domains that include multiple matrices, such as Mobile ATT&CK, each matrix gets its own named sheet. Unlike the STIX dataset, objects that have been revoked or deprecated are not included in the spreadsheets.

    @@ -174,7 +172,7 @@

    ATT&CK Python Utilities

    - ATT&CK provides a variety of Python tools for accessing, querying, and processing the ATT&CK dataset. + ATT&CK provides a variety of Python tools for accessing, querying, and processing the ATT&CK dataset. These scripts can be useful utilities or serve as examples for how to work with ATT&CK programmatically.

    Install our pip module

    @@ -194,5 +192,5 @@

    Explore our standa {% block scripts %} {{ super() }} - + {% endblock %} \ No newline at end of file diff --git a/modules/software/__init__.py b/modules/software/__init__.py index e9d0f6a651b..103553ec56d 100644 --- a/modules/software/__init__.py +++ b/modules/software/__init__.py @@ -5,16 +5,6 @@ def get_priority(): return software_config.priority -def get_menu(): - return { - "display_name": software_config.module_name, - "module_name": software_config.module_name, - "url": "/software/", - "external_link": False, - "priority": software_config.priority, - "children": [] - } - # TODO commented out to resolve infinite redirect loop when run locally. Needs further testing before code removal. # def get_redirections(): # with open(software_config.software_redirection_location , "r", encoding="utf8") as json_redirections: diff --git a/modules/software/software.py b/modules/software/software.py index b93a6faee0b..0feab0f498e 100644 --- a/modules/software/software.py +++ b/modules/software/software.py @@ -30,7 +30,6 @@ def generate_software(): # Generates the markdown files to be used for page generation and verifies if a software was generated software_generated = generate_markdown_files() - if not software_generated: util.buildhelpers.remove_module_from_menu(software_config.module_name) @@ -55,6 +54,7 @@ def generate_markdown_files(): side_menu_data = util.buildhelpers.get_side_menu_data( "software", "/software/", software_list_no_deprecated_revoked ) + generate_sidebar_software(side_menu_data) data["side_menu_data"] = side_menu_data data["software_table"] = get_software_table_data(software_list_no_deprecated_revoked) @@ -129,6 +129,7 @@ def generate_software_md(software, side_menu_data, notes): data["name"], data["attack_id"], "software", + "used by", data["version"] if "version" in data else None, data["technique_table_data"], ) @@ -350,3 +351,16 @@ def get_campaign_table_data(software, reference_list): campaign_data = [campaign_list[item] for item in campaign_list] campaign_data = sorted(campaign_data, key=lambda k: k["name"].lower()) return campaign_data + +def generate_sidebar_software(side_menu_data): + """Responsible for generating the sidebar for the software pages.""" + logger.info("Generating software sidebar") + data = {} + data["menu"] = side_menu_data + + # Sidebar Overview + sidebar_software_md = software_config.sidebar_software_md + json.dumps(data) + + # write markdown to file + with open(os.path.join(software_config.software_markdown_path, "sidebar_software.md"), "w", encoding="utf8") as md_file: + md_file.write(sidebar_software_md) \ No newline at end of file diff --git a/modules/software/software_config.py b/modules/software/software_config.py index 438da972ac9..304e3ca3a6f 100644 --- a/modules/software/software_config.py +++ b/modules/software/software_config.py @@ -21,4 +21,11 @@ "save_as: software/${attack_id}/index.html\n" "data: ") -software_redirection_location = "modules/software/software_redirections.json" \ No newline at end of file +software_redirection_location = "modules/software/software_redirections.json" + +sidebar_software_md = ( + "Title: Software Sidebar\n" + "Template: general/sidebar-template \n" + "save_as: software/sidebar-software/index.html\n" + "data: " +) \ No newline at end of file diff --git a/modules/software/templates/software-index.html b/modules/software/templates/software-index.html index 573481e8c33..0c43f5b1055 100644 --- a/modules/software/templates/software-index.html +++ b/modules/software/templates/software-index.html @@ -7,9 +7,7 @@ {% block innerleft %} -
    - {{ navigation.sidenav(parsed.side_menu_data, output_file) }} -
    + {% endblock %} @@ -46,6 +44,7 @@

    Software

    Software: {{ parsed.software_list_len }}
    +
    @@ -77,6 +76,7 @@
    Software: {{ parsed.software_list_len }}
    {% endfor %}
    +

    @@ -87,5 +87,5 @@
    Software: {{ parsed.software_list_len }}
    {% block scripts %} {{ super() }} - + {% endblock %} \ No newline at end of file diff --git a/modules/software/templates/software.html b/modules/software/templates/software.html index 0e1275cf6e0..3d606f47a9f 100644 --- a/modules/software/templates/software.html +++ b/modules/software/templates/software.html @@ -21,9 +21,7 @@ {% block innerleft %} -
    - {{ navigation.sidenav(parsed.side_menu_data, output_file) }} -
    + {% endblock %} @@ -144,6 +142,7 @@

    {% if parsed.alias_descriptions %}

    Associated Software Descriptions

    +
    @@ -164,6 +163,7 @@

    Associated Software Descriptions

    {% endfor %}
    +
    {% endif %} {% if parsed.technique_table_data %} @@ -173,6 +173,7 @@

    Associated Software Descriptions

    {% if parsed.groups %}

    Groups That Use This Software

    +
    @@ -197,10 +198,12 @@

    Groups That Use This Software

    {% endfor %}
    +
    {% endif %} {% if parsed.campaign_data %}

    Campaigns

    +
    @@ -227,6 +230,7 @@

    Campaigns

    {% endfor %}
    +
    {% endif %} {{ citations.reference_section(parsed.citations) }} @@ -242,7 +246,7 @@

    Campaigns

    {% block scripts %} {{ super() }} - + diff --git a/modules/tactics/tactics.py b/modules/tactics/tactics.py index 740f039fce0..2008ddbd57b 100644 --- a/modules/tactics/tactics.py +++ b/modules/tactics/tactics.py @@ -46,6 +46,7 @@ def generate_tactics(): tactics[domain["name"]] = util.stixhelpers.get_tactic_list(ms[domain["name"]], domain["name"]) side_nav_data = util.buildhelpers.get_side_nav_domains_data("tactics", tactics) + generate_sidebar_tactics(side_nav_data) for domain in site_config.domains: deprecated = True if domain["deprecated"] else False @@ -188,3 +189,17 @@ def get_techniques_of_tactic(tactic, techniques): techniques_list = sorted(techniques_list, key=lambda k: k["name"].lower()) return techniques_list + +def generate_sidebar_tactics(side_nav_data): + """Responsible for generating the sidebar for the tactics pages.""" + logger.info("Generating tactics sidebar") + data = {} + data["menu"] = side_nav_data + + # Sidebar Overview + sidebar_tactics_md = tactics_config.sidebar_tactics_md + json.dumps(data) + + # write markdown to file + with open(os.path.join(tactics_config.tactics_markdown_path, "sidebar_tactics.md"), "w", encoding="utf8") as md_file: + md_file.write(sidebar_tactics_md) + diff --git a/modules/tactics/tactics_config.py b/modules/tactics/tactics_config.py index d645a08bd38..b8dd5e4fa71 100644 --- a/modules/tactics/tactics_config.py +++ b/modules/tactics/tactics_config.py @@ -28,3 +28,10 @@ ) tactics_redirection_location = "modules/tactics/tactics_redirections.json" + +sidebar_tactics_md = ( + "Title: Tactics Sidebar\n" + "Template: general/sidebar-template \n" + "save_as: tactics/sidebar-tactics/index.html\n" + "data: " +) \ No newline at end of file diff --git a/modules/tactics/templates/tactic.html b/modules/tactics/templates/tactic.html index 5ae8e3aa715..fec15eaca49 100644 --- a/modules/tactics/templates/tactic.html +++ b/modules/tactics/templates/tactic.html @@ -25,9 +25,7 @@ {% block innerleft %} -
    - {{ navigation.sidenav(parsed.side_menu_data, output_file) }} -
    + {% endblock %} @@ -108,5 +106,5 @@

    Techniques

    {% block scripts %} {{ super() }} - + {% endblock %} \ No newline at end of file diff --git a/modules/tactics/templates/tactics-domain-index.html b/modules/tactics/templates/tactics-domain-index.html index ab231368b91..ad0de01a2a4 100644 --- a/modules/tactics/templates/tactics-domain-index.html +++ b/modules/tactics/templates/tactics-domain-index.html @@ -23,9 +23,7 @@ {% block innerleft %} -
    - {{ navigation.sidenav(parsed.side_menu_data, output_file) }} -
    + {% endblock %} @@ -79,6 +77,7 @@
    Tactics: {{ parsed.tactics_list_len }}
    +
    @@ -103,6 +102,7 @@
    Tactics: {{ parsed.tactics_list_len }}
    {% endfor %}
    +

    @@ -116,5 +116,5 @@
    Tactics: {{ parsed.tactics_list_len }}
    {% block scripts %} {{ super() }} - + {% endblock %} \ No newline at end of file diff --git a/modules/techniques/techniques.py b/modules/techniques/techniques.py index e5ab5e051c0..3d88ed39f3f 100644 --- a/modules/techniques/techniques.py +++ b/modules/techniques/techniques.py @@ -55,10 +55,10 @@ def generate_techniques(): check_if_generated = generate_domain_markdown( domain["name"], techniques_no_sub, tactics, side_nav_data, notes, deprecated ) - if not technique_generated: - if check_if_generated: - technique_generated = True + if not technique_generated and check_if_generated: + technique_generated = True + generate_sidebar_techniques(side_nav_data) if not technique_generated: util.buildhelpers.remove_module_from_menu(techniques_config.module_name) @@ -220,6 +220,9 @@ def generate_data_for_md(technique_dict, technique, tactic_list, is_sub_techniqu # Get examples technique_dict["examples_table"] = get_examples_table_data(technique, reference_list) + # Get asset table + technique_dict["assets_table"] = get_assets_table_data(technique, reference_list) + # Get technique version if technique.get("x_mitre_version"): technique_dict["version"] = technique["x_mitre_version"] @@ -357,26 +360,60 @@ def get_mitigations_table_data(technique, reference_list): # Do not add deprecated mitigation to table if not mitigation["object"].get("x_mitre_deprecated"): attack_id = util.buildhelpers.get_attack_id(mitigation["object"]) - # Only add if mitigation attack id is found - if attack_id: - row = {} - row["mid"] = attack_id - row["name"] = mitigation["object"]["name"] - if mitigation["relationship"].get("description"): - # Get filtered description - reference_list = util.buildhelpers.update_reference_list( - reference_list, mitigation["relationship"] - ) - row["descr"] = mitigation["relationship"]["description"] + if not attack_id: continue + row = {} + row["mid"] = attack_id + row["name"] = mitigation["object"]["name"] + if mitigation["relationship"].get("description"): + # Get filtered description + reference_list = util.buildhelpers.update_reference_list( + reference_list, mitigation["relationship"] + ) + row["descr"] = mitigation["relationship"]["description"] - mitigation_data.append(row) + mitigation_data.append(row) if mitigation_data: mitigation_data = sorted(mitigation_data, key=lambda k: k["name"].lower()) return mitigation_data +def get_assets_table_data(technique, reference_list): + """Given a technique a reference list, find assets that are targeted by the + technique and return list with asset data. Also modifies the + reference list if it finds a reference that is not on the list + """ + asset_data = [] + + # Check if technique has assets + assets_targeted_by_techniques = util.relationshipgetters.get_assets_targeted_by_techniques().get(technique["id"]) + if assets_targeted_by_techniques: + # Iterate through technique assets + for asset in assets_targeted_by_techniques: + # Do not add deprecated assets to table + if not asset["object"].get("x_mitre_deprecated"): + attack_id = util.buildhelpers.get_attack_id(asset["object"]) + + # Only add if attack id is found + if not attack_id: continue + row = {} + row["id"] = attack_id + row["name"] = asset["object"]["name"] + if asset["relationship"].get("description"): + # Get filtered description + reference_list = util.buildhelpers.update_reference_list( + reference_list, asset["relationship"] + ) + row["descr"] = asset["relationship"]["description"] + + asset_data.append(row) + + if asset_data: + asset_data = sorted(asset_data, key=lambda k: k["name"].lower()) + return asset_data + + def get_examples_table_data(technique, reference_list): """Given a technique object, find examples in malware using technique, tools using technique and groups using technique. Return list with @@ -399,23 +436,23 @@ def get_examples_table_data(technique, reference_list): attack_id = util.buildhelpers.get_attack_id(example["object"]) # Only add example data if the attack id is found - if attack_id: - row = {} + if not attack_id: continue + row = {} - row["id"] = attack_id + row["id"] = attack_id - row["path"] = get_path_from_type(example["object"]) + row["path"] = get_path_from_type(example["object"]) - row["name"] = example["object"]["name"] + row["name"] = example["object"]["name"] - if example["relationship"].get("description"): - # Get filtered description - reference_list = util.buildhelpers.update_reference_list( - reference_list, example["relationship"] - ) - row["descr"] = example["relationship"]["description"] + if example["relationship"].get("description"): + # Get filtered description + reference_list = util.buildhelpers.update_reference_list( + reference_list, example["relationship"] + ) + row["descr"] = example["relationship"]["description"] - example_data.append(row) + example_data.append(row) if example_data: example_data = sorted(example_data, key=lambda k: k["name"].lower()) @@ -507,20 +544,21 @@ def get_techniques_list(techniques): if not technique.get("revoked") and not technique.get("x_mitre_deprecated"): attack_id = util.buildhelpers.get_attack_id(technique) - if attack_id: - technique_dict = {} - technique_dict["id"] = attack_id - technique_dict["stix_id"] = technique["id"] - technique_dict["name"] = technique["name"] - technique_dict["description"] = technique["description"] + if not attack_id: continue + + technique_dict = {} + technique_dict["id"] = attack_id + technique_dict["stix_id"] = technique["id"] + technique_dict["name"] = technique["name"] + technique_dict["description"] = technique["description"] - if technique.get("kill_chain_phases"): - for elem in technique["kill_chain_phases"]: - # Fill dict - if elem["phase_name"] not in technique_list: - technique_list[elem["phase_name"]] = [] + if technique.get("kill_chain_phases"): + for elem in technique["kill_chain_phases"]: + # Fill dict + if elem["phase_name"] not in technique_list: + technique_list[elem["phase_name"]] = [] - technique_list[elem["phase_name"]].append(technique_dict) + technique_list[elem["phase_name"]].append(technique_dict) for key, __ in technique_list.items(): technique_list[key] = sorted(technique_list[key], key=lambda k: k["name"].lower()) @@ -531,8 +569,6 @@ def get_techniques_list(techniques): def get_subtechniques(technique): """Given a technique, return the ID and name of the subtechnique.""" subtechs = [] - attack_id = util.buildhelpers.get_attack_id(technique) - subtechniques_of = util.relationshipgetters.get_subtechniques_of() if technique["id"] in subtechniques_of: @@ -612,3 +648,16 @@ def get_datasources_and_components_of_technique(technique, reference_list): datasource_and_components = sorted(datasource_and_components, key=lambda k: k["name"].lower()) return datasource_and_components, show_descriptions + +def generate_sidebar_techniques(side_nav_data): + """Responsible for generating the sidebar for the technique pages.""" + logger.info("Generating technique sidebar") + data = {} + data["menu"] = side_nav_data + + # Sidebar Overview + sidebar_techniques_md = techniques_config.sidebar_techniques_md + json.dumps(data) + + # write markdown to file + with open(os.path.join(techniques_config.techniques_markdown_path, "sidebar_techniques.md"), "w", encoding="utf8") as md_file: + md_file.write(sidebar_techniques_md) diff --git a/modules/techniques/techniques_config.py b/modules/techniques/techniques_config.py index d3947171d3a..1679960fb7d 100644 --- a/modules/techniques/techniques_config.py +++ b/modules/techniques/techniques_config.py @@ -42,3 +42,10 @@ "save_as: techniques/${parent_id}/${sub_number}/index.html\n" "data: " ) + +sidebar_techniques_md = ( + "Title: Techniques Sidebar\n" + "Template: general/sidebar-template \n" + "save_as: techniques/sidebar-techniques/index.html\n" + "data: " +) \ No newline at end of file diff --git a/modules/techniques/templates/technique.html b/modules/techniques/templates/technique.html index 12faafebbbf..43259e9be5e 100644 --- a/modules/techniques/templates/technique.html +++ b/modules/techniques/templates/technique.html @@ -37,9 +37,7 @@ {% block innerleft %} -
    - {{ navigation.sidenav(parsed.menu, output_file) }} -
    + {% endblock %} @@ -342,6 +340,7 @@
    Sub-techniques ({{parsed.subtechniques|len
    {% if parsed.examples_table %}

    Procedure Examples

    +
    @@ -368,10 +367,35 @@

    Procedure Examples

    {% endfor %}
    +
    + {% endif %} + {% if parsed.assets_table %} +

    Targeted Assets

    + + + + + + + + + {% for asset in parsed.assets_table %} + + + + + {% endfor %} + +
    IDAsset
    + {{asset.id}} + + {{asset.name}} +
    {% endif %} {% if parsed.domain != 'pre' %}

    Mitigations

    {% if parsed.mitigation_table %} +
    @@ -398,6 +422,7 @@

    Mitigations

    {% endfor %}
    +
    {% else %}

    This type of attack technique cannot be easily mitigated with preventive controls since @@ -448,7 +473,6 @@

    Difficulty for the Adversary

    {% block scripts %} {{ super() }} - {% if parsed.is_subtechnique %} @@ -456,4 +480,5 @@

    Difficulty for the Adversary

    {% else %} {% endif %} + {% endblock %} \ No newline at end of file diff --git a/modules/techniques/templates/techniques-domain-index.html b/modules/techniques/templates/techniques-domain-index.html index 0f4d018a689..9cd8308b4ee 100644 --- a/modules/techniques/templates/techniques-domain-index.html +++ b/modules/techniques/templates/techniques-domain-index.html @@ -23,9 +23,7 @@ {% block innerleft %} -
    - {{ navigation.sidenav(parsed.menu, output_file) }} -
    + {% endblock %} @@ -86,5 +84,5 @@
    Sub-techniques: {{ parsed.subtechniques_len }}
    {% block scripts %} {{ super() }} - + {% endblock %} \ No newline at end of file diff --git a/modules/tests/linkchecker.py b/modules/tests/linkchecker.py index d385a2a0d1c..ad847506b8f 100644 --- a/modules/tests/linkchecker.py +++ b/modules/tests/linkchecker.py @@ -6,7 +6,7 @@ from loguru import logger from modules import site_config - +import modules from . import tests_config # STATIC PROPERTIES @@ -433,7 +433,8 @@ def check_links(external_links=False): if unlinked_pages: f.write("Pages listed were not linked from another page\n\n") for page in unlinked_pages: - f.write(page + "\n") + if 'sidebar' not in page: #remove the sidebar html pages from unlinked pages + f.write(page + "\n") else: f.write("No unlinked pages found\n") @@ -441,12 +442,21 @@ def check_links(external_links=False): broken_count = 0 with open(os.path.join(site_config.test_report_directory, tests_config.links_report_filename), "w") as f: f.write("Broken links report:\n\n") + build_versions_module = False + for module_info in modules.run_ptr: + if module_info["module_name"] == "versions": + build_versions_module = True if broken_pages: for page in broken_pages: f.write(page["path"] + "\n") for problem in page["problems"]: - f.write("\t- " + problem + "\n") - broken_count += 1 + if "versions" in problem: + if build_versions_module: + f.write("\t- " + problem + "\n") + broken_count += 1 + else: + f.write("\t- " + problem + "\n") + broken_count += 1 else: f.write("No broken links found\n") diff --git a/modules/util/buildhelpers.py b/modules/util/buildhelpers.py index ea0c6eb92ab..20b82e56d26 100644 --- a/modules/util/buildhelpers.py +++ b/modules/util/buildhelpers.py @@ -507,17 +507,17 @@ def replace_html_chars(to_be_replaced): } -def get_navigator_layers(name, attack_id, obj_type, version, techniques_used, inheritance=False): +def get_navigator_layers(name, attack_id, obj_type, rel_type, version, techniques_used, inheritance=False): """Generate the Enterprise, Mobile, and ICS Navigator JSON layers for the given object.""" # Generate Enterprise base layer - enterprise_layer = build_base_layer("enterprise-attack", name, obj_type, attack_id, version, inheritance) + enterprise_layer = build_base_layer("enterprise-attack", name, obj_type, rel_type, attack_id, version, inheritance) # Generate Mobile base layer - mobile_layer = build_base_layer("mobile-attack", name, obj_type, attack_id, version, inheritance) + mobile_layer = build_base_layer("mobile-attack", name, obj_type, rel_type, attack_id, version, inheritance) # Generate ICS base layer - ics_layer = build_base_layer("ics-attack", name, obj_type, attack_id, version, inheritance) + ics_layer = build_base_layer("ics-attack", name, obj_type, rel_type, attack_id, version, inheritance) # Add technique data to layer for technique in techniques_used: @@ -584,12 +584,12 @@ def get_navigator_layers(name, attack_id, obj_type, version, techniques_used, in return layers -def build_base_layer(domain, object_name, object_type, attack_id, version, inheritance=False): +def build_base_layer(domain, object_name, object_type, rel_type, attack_id, version, inheritance=False): """Build the base Navigator layer for the given object.""" layer = {} # Layer description - layer["description"] = f"{domain_name_map[domain]} techniques used by {object_name}, ATT&CK {object_type} {attack_id}" + layer["description"] = f"{domain_name_map[domain]} techniques {rel_type} {object_name}, ATT&CK {object_type} {attack_id}" if version: # Add object version number if it exists layer["description"] += f" (v{version})" @@ -616,14 +616,14 @@ def build_base_layer(domain, object_name, object_type, attack_id, version, inher # Layer legend layer["legendItems"] = [ - {"label": f"used by {object_name}", "color": colorMap[1]} + {"label": f"{rel_type} {object_name}", "color": colorMap[1]} ] # Add campaign inheritance to legend, if applicable if inheritance: layer["legendItems"].extend([ - {"label": f"used by a campaign attributed to {object_name}", "color": colorMap[2]}, - {"label": f"used by {object_name} and used by a campaign attributed to {object_name}", "color": colorMap[3]} + {"label": f"{rel_type} a campaign attributed to {object_name}", "color": colorMap[2]}, + {"label": f"{rel_type} {object_name} and {rel_type} a campaign attributed to {object_name}", "color": colorMap[3]} ]) return layer diff --git a/modules/util/relationshipgetters.py b/modules/util/relationshipgetters.py index 8cd981f9a56..ff92451a1a0 100644 --- a/modules/util/relationshipgetters.py +++ b/modules/util/relationshipgetters.py @@ -11,6 +11,7 @@ techniques_used_by_tools = {} techniques_used_by_groups = {} techniques_used_by_campaigns = {} +techniques_targeting_assets = {} techniques_detected_by_datacomponent = {} groups_using_tool = {} groups_using_malware = {} @@ -20,6 +21,7 @@ tools_using_technique = {} malware_using_technique = {} groups_using_technique = {} +assets_targeted_by_techniques = {} campaigns_using_technique = {} campaigns_using_tool = {} campaigns_using_malware = {} @@ -44,6 +46,7 @@ datacomponent_list = [] mitigation_list = [] campaign_list = [] +asset_list = [] technique_to_domain = {} @@ -130,6 +133,25 @@ def get_techniques_used_by_campaigns(): return techniques_used_by_campaigns +def get_techniques_targeting_assets(): + """techniques targeting assets getter""" + global techniques_targeting_assets + + if not techniques_targeting_assets: + techniques_targeting_assets = rsh.techniques_targeting_assets(get_srcs()) + + return techniques_targeting_assets + + +def get_assets_targeted_by_techniques(): + """assets targeted by techniques getter""" + global assets_targeted_by_techniques + + if not assets_targeted_by_techniques: + assets_targeted_by_techniques = rsh.assets_targeted_by_techniques(get_srcs()) + + return assets_targeted_by_techniques + def get_techniques_detected_by_datacomponent(): global techniques_detected_by_datacomponent @@ -431,6 +453,15 @@ def get_campaign_list(): return campaign_list +def get_asset_list(): + """asset list getter""" + global asset_list + + if not asset_list: + asset_list = get_resources()["assets"] + + return asset_list + def get_technique_to_domain(): """technique to domain getter""" diff --git a/modules/util/relationshiphelpers.py b/modules/util/relationshiphelpers.py index 13f6ab734e1..3a8d42db620 100644 --- a/modules/util/relationshiphelpers.py +++ b/modules/util/relationshiphelpers.py @@ -247,6 +247,21 @@ def campaigns_attributed_to_group(srcs): return get_related(srcs, "campaign", "attributed-to", "intrusion-set", reverse=True) +# technique:asset +def techniques_targeting_assets(srcs): + """Return asset_id => {technique, relationship} for each technique targeting the asset. + + srcs should be an array of memorystores for enterprise, mobile, and pre + """ + return get_related(srcs, "attack-pattern", "targets", "x-mitre-asset", reverse=True) + +def assets_targeted_by_techniques(srcs): + """Return technique_id => {asset, relationship} for each asset targeted by the technique. + + srcs should be an array of memorystores for enterprise, mobile, and pre + """ + return get_related(srcs, "attack-pattern", "targets", "x-mitre-asset") + # technique:malware def techniques_used_by_malware(srcs): """Return malware => {technique, relationship} for each technique used by the malware. diff --git a/modules/util/stixhelpers.py b/modules/util/stixhelpers.py index 3925b04fdfa..6edcb949101 100644 --- a/modules/util/stixhelpers.py +++ b/modules/util/stixhelpers.py @@ -1,5 +1,6 @@ import json import os +import shutil from pathlib import Path import requests @@ -15,18 +16,18 @@ def get_mitigation_list(src, get_deprecated=False): - """Reads the STIX and returns a list of all mitigations in the STIX""" + """Read the STIX and return a list of all mitigations in the STIX.""" mitigations = src.query([stix2.Filter("type", "=", "course-of-action"), stix2.Filter("revoked", "=", False)]) if not get_deprecated: # Filter out deprecated objects for mitigation pages - mitigations = [x for x in mitigations if not hasattr(x, "x_mitre_deprecated") or x.x_mitre_deprecated == False] + mitigations = [x for x in mitigations if not hasattr(x, "x_mitre_deprecated") or x.x_mitre_deprecated is False] return sorted(mitigations, key=lambda k: k["name"].lower()) def get_matrices(src, domain): - """Reads the STIX and returns a list of all matrices in the STIX""" + """Read the STIX and return a list of all matrices in the STIX.""" stix_matrices = src.query( [ stix2.Filter("type", "=", "x-mitre-matrix"), @@ -48,14 +49,14 @@ def get_matrices(src, domain): def get_datasources(srcs): - """Reads the STIX and returns a list of data sources in the STIX""" + """Read the STIX and return a list of data sources in the STIX.""" datasources = rsh.query_all(srcs, [stix2.Filter("type", "=", "x-mitre-data-source")]) resultUsedIds = [] results = [] # Filter out duplicates for datasource in datasources: - if not datasource["id"] in resultUsedIds: + if datasource["id"] not in resultUsedIds: results.append(datasource) resultUsedIds.append(datasource["id"]) @@ -63,14 +64,14 @@ def get_datasources(srcs): def get_datacomponents(srcs): - """Reads the STIX and returns a list of data components in the STIX""" + """Read the STIX and return a list of data components in the STIX.""" datacomponents = rsh.query_all(srcs, [stix2.Filter("type", "=", "x-mitre-data-component")]) resultUsedIds = [] results = [] # Filter out duplicates for datacomponent in datacomponents: - if not datacomponent["id"] in resultUsedIds: + if datacomponent["id"] not in resultUsedIds: results.append(datacomponent) resultUsedIds.append(datacomponent["id"]) @@ -78,7 +79,7 @@ def get_datacomponents(srcs): def get_tactic_list(src, domain, matrix_id=None): - """Reads the STIX and returns a list of all tactics in the STIX""" + """Read the STIX and return a list of all tactics in the STIX.""" tactics = [] matrices = src.query( [ @@ -105,7 +106,10 @@ def get_tactic_list(src, domain, matrix_id=None): def get_all_of_type(src, types): - """Reads the STIX and returns a list of all of a particular type of object in the STIX, removes duplicate STIX and ATT&CK IDs.""" + """Read the STIX and return a list of all of a particular type of object in the STIX. + + Removes duplicate STIX and ATT&CK IDs. + """ stix_objs = {} attack_id_objs = {} @@ -122,7 +126,7 @@ def get_all_of_type(src, types): def get_techniques(src, domain): - """Reads the STIX and returns a list of all techniques in the STIX by given domain.""" + """Read the STIX and return a list of all techniques in the STIX by given domain.""" tech_list = src.query([stix2.Filter("type", "=", "attack-pattern"), stix2.Filter("revoked", "=", False)]) # Filter out by domain tech_list = [x for x in tech_list if not hasattr(x, "x_mitre_domains") or domain in x.get("x_mitre_domains")] @@ -224,7 +228,7 @@ def get_datasource_from_list(datasource_stix_id): def datasource_of(): - """Builds map from data component STIX ID to data source STIX object.""" + """Build map from data component STIX ID to data source STIX object.""" datacomponents = relationshipgetters.get_datacomponent_list() datasource_of = {} @@ -239,7 +243,8 @@ def datasource_of(): def add_replace_or_ignore(stix_objs, attack_id_objs, obj_in_question): - """Add if object does not already exist + """Add if object does not already exist. + Replace object if exist depending on deprecation status or modified date Ignore if object already exists but object in question is outdated @@ -319,7 +324,7 @@ def replace_object(attack_id, conflict_attack_id): def grab_resources(ms): - """Returns a dict that contains lists for the software, group, technique and mitigation objects.""" + """Return a dict that contains lists for the software, group, technique and mitigation objects.""" def get_domain_resources(types): # Track objects by STIX ID @@ -359,6 +364,9 @@ def get_domain_resources(types): # Generates list of campaigns campaign_list = get_domain_resources(["campaign"]) + # Generates list of assets + asset_list = get_domain_resources(["x-mitre-asset"]) + # Generates list of relationships rel_list = [] for domain in site_config.domains: @@ -377,34 +385,39 @@ def get_domain_resources(types): "techniques": tech_list, "mitigations": coa_list, "campaigns": campaign_list, + "assets": asset_list, } return resources def get_stix_memory_stores(): - """This function reads the json files for each domain and creates a dict that contains the memory stores for each domain.""" + """Read the json files for each domain and create a dict that contains the memory stores for each domain.""" # suppress InsecureRequestWarning: Unverified HTTPS request is being made urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) ms = {} srcs = [] + stix_output_dir = Path(f"{site_config.web_directory}/stix") + stix_output_dir.mkdir(parents=True, exist_ok=True) + for domain in site_config.domains: stix_filename = None + # Download json from http or https + stix_filename = f"{stix_output_dir}/{domain['name']}.json" if domain["location"].startswith("http"): - download_dir = Path(f"{site_config.web_directory}/stix") - stix_filename = f"{download_dir}/{domain['name']}.json" - download_stix_file(url=domain["location"], download_dir=download_dir, filepath=stix_filename) + download_stix_file(url=domain["location"], filepath=stix_filename) else: - stix_filename = domain["location"] + shutil.copy(domain["location"], str(stix_filename)) if os.path.exists(stix_filename): logger.info(f"Loading STIX file from: {stix_filename}") ms[domain["name"]] = stix2.MemoryStore() ms[domain["name"]].load_from_file(stix_filename) else: - exit(f"\n{stix_filename} file does not exist.") + logger.error(f"\n{stix_filename} file does not exist.") + exit() if not domain["deprecated"]: srcs.append(ms[domain["name"]]) @@ -413,7 +426,7 @@ def get_stix_memory_stores(): def get_contributors(ms): - """Gets all contributors in the STIX content""" + """Get all contributors in the STIX content.""" # contributors not in STIX are stored here: contributors = ["Craig Aitchison", "Elly Searle, CrowdStrike — contributed to tactic definitions"] @@ -430,6 +443,7 @@ def get_contributors(ms): "x-mitre-data-component", "x-mitre-data-source", "x-mitre-tactic", + "x-mitre-asset", ] src = ms[domain["name"]] obj_list = [] @@ -444,10 +458,9 @@ def get_contributors(ms): return sorted(contributors, key=lambda k: k.lower()) -def download_stix_file(url, download_dir, filepath): +def download_stix_file(url, filepath): """Download a STIX file to disk.""" logger.info(f"Downloading {url} --> {filepath}") - download_dir.mkdir(parents=True, exist_ok=True) # Set proxy proxy = "" diff --git a/modules/versions/templates/versions.html b/modules/versions/templates/versions.html index e317438935b..39b8aeff481 100644 --- a/modules/versions/templates/versions.html +++ b/modules/versions/templates/versions.html @@ -5,9 +5,7 @@ {% import 'macros/navigation.html' as navigation %} {% block innerleft %} -
    - {{navigation.sidenav(RESOURCE_NAV, output_file)}} -
    + {% endblock %} {% block innerright %} @@ -32,6 +30,7 @@

    Versions of ATT&CK

    Below are a list of versions of the ATT&CK website preserved for posterity, including a permalink to the current version of the site:

    +
    @@ -78,6 +77,7 @@

    Versions of ATT&CK

    {% endfor %}
    +
    @@ -90,5 +90,5 @@

    Versions of ATT&CK

    - + {% endblock %} diff --git a/modules/website_build/templates/changelog.html b/modules/website_build/templates/changelog.html index c06d974bf2b..6366ad7bc91 100644 --- a/modules/website_build/templates/changelog.html +++ b/modules/website_build/templates/changelog.html @@ -4,9 +4,7 @@ {% import 'macros/navigation.html' as navigation %} {% block innerleft %} -
    - {{navigation.sidenav(RESOURCE_NAV, output_file)}} -
    + {% endblock %} {% block innerright %} @@ -35,5 +33,5 @@

    Changelog

    {% endblock %} {% block scripts %} {{ super () }} - + {% endblock %} diff --git a/modules/website_build/templates/faq.html b/modules/website_build/templates/faq.html deleted file mode 100644 index 76f1799579f..00000000000 --- a/modules/website_build/templates/faq.html +++ /dev/null @@ -1,52 +0,0 @@ -{% extends "general/two-column.html" %} -{% set active_page = "resources" -%} -{% set title = "FAQ | MITRE ATT&CK®" -%} -{% set parsed = page.data | from_json %} -{% import 'macros/navigation.html' as navigation %} - -{% block innerleft %} -
    - {{navigation.sidenav(RESOURCE_NAV, output_file)}} -
    -{% endblock %} - -{% block innerright %} - -
    -
      -
    1. Home
      2. -
    2. Resources
      3. -
    3. FAQ
      4. -
    -
    -
    -

    Frequently Asked Questions

    -
    - {% for section in parsed.sections %} -
    -

    {{section.name}}

    -
    - {% for qa in section.questions %} -
    - -
    -
    - {{qa.answer}} -
    -
    -
    - {% endfor %} -
    -
    - {% endfor %} -
    -
    -{% endblock %} - -{% block scripts %} -{{ super() }} - - -{% endblock %} \ No newline at end of file diff --git a/modules/website_build/website_build.py b/modules/website_build/website_build.py index 1270d672d3c..b36e54c8fd7 100644 --- a/modules/website_build/website_build.py +++ b/modules/website_build/website_build.py @@ -31,6 +31,7 @@ def generate_website(): ) generate_javascript_settings() generate_base_html() + generate_sidebar_html() generate_index_page() generate_static_pages() generate_changelog_page() @@ -143,6 +144,17 @@ def generate_base_html(): with open(os.path.join(website_build_config.template_dir, "base.html"), "w", encoding="utf8") as base_template_f: base_template_f.write(subs) +def generate_sidebar_html(): + with open( + os.path.join(website_build_config.template_dir, "sidebar-resources-template.html"), "r", encoding="utf8" + ) as sidebar_template_f: + sidebar_template = sidebar_template_f.read() + sidebar_template = Template(sidebar_template) + subs = sidebar_template.substitute(website_build_config.sidebar_page_data) + + with open(os.path.join(website_build_config.template_dir, "sidebar-resources.html"), "w", encoding="utf8") as sidebar_template_f: + sidebar_template_f.write(subs) + def generate_index_page(): """Responsible for creating the landing page""" @@ -168,6 +180,7 @@ def generate_index_page(): "groups": "Group", "software": "Software", "campaigns": "Campaign", + "assets": "Asset", } routes = {} diff --git a/modules/website_build/website_build_config.py b/modules/website_build/website_build_config.py index 2220f1f8c27..86512e1b851 100644 --- a/modules/website_build/website_build_config.py +++ b/modules/website_build/website_build_config.py @@ -32,6 +32,10 @@ "RESOURCE_NAV": site_config.resource_nav, } +sidebar_page_data = { + "RESOURCE_NAV": site_config.resource_nav, +} + # config for the matrix shown on the index page index_matrix = { "name": "ATT&CK Matrix for Enterprise", diff --git a/pyproject.toml b/pyproject.toml index af04b688a95..5fc78204d95 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -6,7 +6,7 @@ profile = "black" [tool.towncrier] name = "ATT&CK website" - version = "4.0.5" + version = "4.0.6" filename = "CHANGELOG.md" issue_format = "[#{issue}](https://github.com/mitre-attack/attack-website/issues/{issue})" template = ".towncrier.template.md" diff --git a/requirements.txt b/requirements.txt index 065c5a9d9b6..014e58ac755 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,10 +1,10 @@ -GitPython==3.1.32 +GitPython==3.1.37 Markdown==3.4.3 bleach==6.0.0 colorama==0.4.6 future==0.18.3 loguru==0.6.0 -mitreattack-python==2.0.14 +mitreattack-python==3.0.0 pelican==4.8.0 pyScss==1.4.0 python-dotenv==1.0.0 @@ -13,7 +13,7 @@ stix2==3.0.1 stix2-validator==3.1.3 toml==0.10.2 towncrier==22.12.0 -urllib3==1.26.15 +urllib3==1.26.17 webassets==2.0 # dev dependencies diff --git a/update-attack.py b/update-attack.py index 602fd29cc56..4b4fc048bdb 100644 --- a/update-attack.py +++ b/update-attack.py @@ -22,6 +22,7 @@ "tactics", "techniques", "campaigns", + "assets", "tour", "website_build", "random_page", @@ -29,7 +30,7 @@ "subdirectory", "tests", ] -extras = ["resources", "versions", "contribute", "blog", "stixtests"] +extras = ["resources", "versions", "blog", "stixtests", "benefactors"] test_choices = ["size", "links", "external_links", "citations"] @@ -229,7 +230,7 @@ def remove_from_menu(): ptr["run_module"]() end_time = time.time() util.buildhelpers.print_end(ptr["module_name"], start_time, end_time) - + # Print end of module update_end = time.time() util.buildhelpers.print_end("TOTAL Update Time", update_start, update_end) diff --git a/website-banner.production b/website-banner.production index e69de29bb2d..4a0d5defefe 100644 --- a/website-banner.production +++ b/website-banner.production @@ -0,0 +1 @@ +ATT&CK v14 has been released! Check out the blog post or release notes for more information. \ No newline at end of file