|
These ATT&CK Navigator layer files can be uploaded to ATT&CK Navigator manually.
This JSON file contains the machine readble output used to create this page: changelog.json
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-04-18 15:03:32.158000+00:00 | 2024-04-28 15:44:25.342000+00:00 |
| x_mitre_contributors[1] | Ivy Bostock | Ivy Drexel |
Current version: 1.6
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-04-12 21:18:28.848000+00:00 | 2024-04-28 15:43:18.080000+00:00 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_contributors | Pawel Partyka, Microsoft Threat Intelligence |
Current version: 1.0
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may execute commands and perform malicious tasks | t | 1 | Adversaries may execute commands and perform malicious tasks |
| > | using AutoIT and AutoHotKey automation scripts. AutoIT and | > | using AutoIT and AutoHotKey automation scripts. AutoIT and | ||
| > | AutoHotkey (AHK) are scripting languages that enable users t | > | AutoHotkey (AHK) are scripting languages that enable users t | ||
| > | o automate Windows tasks. These automation scripts can be us | > | o automate Windows tasks. These automation scripts can be us | ||
| > | ed to perform a wide variety of actions, such as clicking on | > | ed to perform a wide variety of actions, such as clicking on | ||
| > | buttons, entering text, and opening and closing programs.(C | > | buttons, entering text, and opening and closing programs.(C | ||
| > | itation: AutoIT)(Citation: AutoHotKey) Adversaries may use | > | itation: AutoIT)(Citation: AutoHotKey) Adversaries may use | ||
| > | AHK (`.ahk`) and AutoIT (`.au3`) scripts to execute maliciou | > | AHK (`.ahk`) and AutoIT (`.au3`) scripts to execute maliciou | ||
| > | s code on a victim's system. For example, adversaries have u | > | s code on a victim's system. For example, adversaries have u | ||
| > | sed for AHK to execute payloads and other modular malware su | > | sed for AHK to execute payloads and other modular malware su | ||
| > | ch as keyloggers. Adversaries have also used custom AHK file | > | ch as keyloggers. Adversaries have also used custom AHK file | ||
| > | s containing embedded malware as [Phishing](https://attack.m | > | s containing embedded malware as [Phishing](https://attack.m | ||
| > | itre.org/techniques/T1566) payloads.(Citation: Splunk DarkGa | > | itre.org/techniques/T1566) payloads.(Citation: Splunk DarkGa | ||
| > | te) These scripts may also be compiled into self-contained | > | te) These scripts may also be compiled into self-contained | ||
| > | exectuable payloads (`.exe`).(Citation: AutoIT)(Citation: Au | > | executable payloads (`.exe`).(Citation: AutoIT)(Citation: Au | ||
| > | toHotKey) | > | toHotKey) | ||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-04-10 16:05:22.456000+00:00 | 2024-04-28 15:58:48.119000+00:00 |
| description | Adversaries may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation scripts. AutoIT and AutoHotkey (AHK) are scripting languages that enable users to automate Windows tasks. These automation scripts can be used to perform a wide variety of actions, such as clicking on buttons, entering text, and opening and closing programs.(Citation: AutoIT)(Citation: AutoHotKey) Adversaries may use AHK (`.ahk`) and AutoIT (`.au3`) scripts to execute malicious code on a victim's system. For example, adversaries have used for AHK to execute payloads and other modular malware such as keyloggers. Adversaries have also used custom AHK files containing embedded malware as [Phishing](https://attack.mitre.org/techniques/T1566) payloads.(Citation: Splunk DarkGate) These scripts may also be compiled into self-contained exectuable payloads (`.exe`).(Citation: AutoIT)(Citation: AutoHotKey) | Adversaries may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation scripts. AutoIT and AutoHotkey (AHK) are scripting languages that enable users to automate Windows tasks. These automation scripts can be used to perform a wide variety of actions, such as clicking on buttons, entering text, and opening and closing programs.(Citation: AutoIT)(Citation: AutoHotKey) Adversaries may use AHK (`.ahk`) and AutoIT (`.au3`) scripts to execute malicious code on a victim's system. For example, adversaries have used for AHK to execute payloads and other modular malware such as keyloggers. Adversaries have also used custom AHK files containing embedded malware as [Phishing](https://attack.mitre.org/techniques/T1566) payloads.(Citation: Splunk DarkGate) These scripts may also be compiled into self-contained executable payloads (`.exe`).(Citation: AutoIT)(Citation: AutoHotKey) |
| x_mitre_contributors[4] | Monty | @_montysecurity |
Current version: 1.2
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-04-18 22:54:54.668000+00:00 | 2024-04-28 15:51:58.945000+00:00 |
| x_mitre_contributors[3] | Will Alexander | Ami Holeston, CrowdStrike |
| x_mitre_contributors[4] | Ami Holeston | Will Alexander, CrowdStrike |
Current version: 1.3
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may acquire domains that can be used during targ | t | 1 | Adversaries may acquire domains that can be used during targ |
| > | eting. Domain names are the human readable names used to rep | > | eting. Domain names are the human readable names used to rep | ||
| > | resent one or more IP addresses. They can be purchased or, i | > | resent one or more IP addresses. They can be purchased or, i | ||
| > | n some cases, acquired for free. Adversaries may use acquir | > | n some cases, acquired for free. Adversaries may use acquir | ||
| > | ed domains for a variety of purposes, including for [Phishin | > | ed domains for a variety of purposes, including for [Phishin | ||
| > | g](https://attack.mitre.org/techniques/T1566), [Drive-by Com | > | g](https://attack.mitre.org/techniques/T1566), [Drive-by Com | ||
| > | promise](https://attack.mitre.org/techniques/T1189), and Com | > | promise](https://attack.mitre.org/techniques/T1189), and Com | ||
| > | mand and Control.(Citation: CISA MSS Sep 2020) Adversaries m | > | mand and Control.(Citation: CISA MSS Sep 2020) Adversaries m | ||
| > | ay choose domains that are similar to legitimate domains, in | > | ay choose domains that are similar to legitimate domains, in | ||
| > | cluding through use of homoglyphs or use of a different top- | > | cluding through use of homoglyphs or use of a different top- | ||
| > | level domain (TLD).(Citation: FireEye APT28)(Citation: Paypa | > | level domain (TLD).(Citation: FireEye APT28)(Citation: Paypa | ||
| > | lScam) Typosquatting may be used to aid in delivery of paylo | > | lScam) Typosquatting may be used to aid in delivery of paylo | ||
| > | ads via [Drive-by Compromise](https://attack.mitre.org/techn | > | ads via [Drive-by Compromise](https://attack.mitre.org/techn | ||
| > | iques/T1189). Adversaries may also use internationalized dom | > | iques/T1189). Adversaries may also use internationalized dom | ||
| > | ain names (IDNs) and different character sets (e.g. Cyrillic | > | ain names (IDNs) and different character sets (e.g. Cyrillic | ||
| > | , Greek, etc.) to execute "IDN homograph attacks," creating | > | , Greek, etc.) to execute "IDN homograph attacks," creating | ||
| > | visually similar lookalike domains used to deliver malware t | > | visually similar lookalike domains used to deliver malware t | ||
| > | o victim machines.(Citation: CISA IDN ST05-016)(Citation: tt | > | o victim machines.(Citation: CISA IDN ST05-016)(Citation: tt | ||
| > | _httrack_fake_domains)(Citation: tt_obliqueRAT)(Citation: ht | > | _httrack_fake_domains)(Citation: tt_obliqueRAT)(Citation: ht | ||
| > | track_unhcr)(Citation: lazgroup_idn_phishing) Different URIs | > | track_unhcr)(Citation: lazgroup_idn_phishing) Different URI | ||
| > | /URLs may also be dynamically generated to uniquely serve ma | > | s/URLs may also be dynamically generated to uniquely serve m | ||
| > | licious content to victims.(Citation: iOS URL Scheme)(Citati | > | alicious content to victims (including one-time, single use | ||
| > | on: URI)(Citation: URI Use)(Citation: URI Unique) Adversari | > | domain names).(Citation: iOS URL Scheme)(Citation: URI)(Cita | ||
| > | es may also acquire and repurpose expired domains, which may | > | tion: URI Use)(Citation: URI Unique) Adversaries may also a | ||
| > | be potentially already allowlisted/trusted by defenders bas | > | cquire and repurpose expired domains, which may be potential | ||
| > | ed on an existing reputation/history.(Citation: Categorisati | > | ly already allowlisted/trusted by defenders based on an exis | ||
| > | on_not_boundary)(Citation: Domain_Steal_CC)(Citation: Redire | > | ting reputation/history.(Citation: Categorisation_not_bounda | ||
| > | ctors_Domain_Fronting)(Citation: bypass_webproxy_filtering) | > | ry)(Citation: Domain_Steal_CC)(Citation: Redirectors_Domain_ | ||
| > | Domain registrars each maintain a publicly viewable databas | > | Fronting)(Citation: bypass_webproxy_filtering) Domain regis | ||
| > | e that displays contact information for every registered dom | > | trars each maintain a publicly viewable database that displa | ||
| > | ain. Private WHOIS services display alternative information, | > | ys contact information for every registered domain. Private | ||
| > | such as their own company data, rather than the owner of th | > | WHOIS services display alternative information, such as thei | ||
| > | e domain. Adversaries may use such private WHOIS services to | > | r own company data, rather than the owner of the domain. Adv | ||
| > | obscure information about who owns a purchased domain. Adve | > | ersaries may use such private WHOIS services to obscure info | ||
| > | rsaries may further interrupt efforts to track their infrast | > | rmation about who owns a purchased domain. Adversaries may f | ||
| > | ructure by using varied registration information and purchas | > | urther interrupt efforts to track their infrastructure by us | ||
| > | ing domains with different domain registrars.(Citation: Mand | > | ing varied registration information and purchasing domains w | ||
| > | iant APT1) | > | ith different domain registrars.(Citation: Mandiant APT1) | ||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-04-13 14:03:04.511000+00:00 | 2024-04-28 15:55:55.068000+00:00 |
| description | Adversaries may acquire domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free. Adversaries may use acquired domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries may also use internationalized domain names (IDNs) and different character sets (e.g. Cyrillic, Greek, etc.) to execute "IDN homograph attacks," creating visually similar lookalike domains used to deliver malware to victim machines.(Citation: CISA IDN ST05-016)(Citation: tt_httrack_fake_domains)(Citation: tt_obliqueRAT)(Citation: httrack_unhcr)(Citation: lazgroup_idn_phishing) Different URIs/URLs may also be dynamically generated to uniquely serve malicious content to victims.(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique) Adversaries may also acquire and repurpose expired domains, which may be potentially already allowlisted/trusted by defenders based on an existing reputation/history.(Citation: Categorisation_not_boundary)(Citation: Domain_Steal_CC)(Citation: Redirectors_Domain_Fronting)(Citation: bypass_webproxy_filtering) Domain registrars each maintain a publicly viewable database that displays contact information for every registered domain. Private WHOIS services display alternative information, such as their own company data, rather than the owner of the domain. Adversaries may use such private WHOIS services to obscure information about who owns a purchased domain. Adversaries may further interrupt efforts to track their infrastructure by using varied registration information and purchasing domains with different domain registrars.(Citation: Mandiant APT1) | Adversaries may acquire domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free. Adversaries may use acquired domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries may also use internationalized domain names (IDNs) and different character sets (e.g. Cyrillic, Greek, etc.) to execute "IDN homograph attacks," creating visually similar lookalike domains used to deliver malware to victim machines.(Citation: CISA IDN ST05-016)(Citation: tt_httrack_fake_domains)(Citation: tt_obliqueRAT)(Citation: httrack_unhcr)(Citation: lazgroup_idn_phishing) Different URIs/URLs may also be dynamically generated to uniquely serve malicious content to victims (including one-time, single use domain names).(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique) Adversaries may also acquire and repurpose expired domains, which may be potentially already allowlisted/trusted by defenders based on an existing reputation/history.(Citation: Categorisation_not_boundary)(Citation: Domain_Steal_CC)(Citation: Redirectors_Domain_Fronting)(Citation: bypass_webproxy_filtering) Domain registrars each maintain a publicly viewable database that displays contact information for every registered domain. Private WHOIS services display alternative information, such as their own company data, rather than the owner of the domain. Adversaries may use such private WHOIS services to obscure information about who owns a purchased domain. Adversaries may further interrupt efforts to track their infrastructure by using varied registration information and purchasing domains with different domain registrars.(Citation: Mandiant APT1) |
Current version: 1.1
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-04-12 02:23:44.583000+00:00 | 2024-04-28 15:52:44.332000+00:00 |
| x_mitre_contributors[1] | Alexander Rodchenko | Rodchenko Aleksandr |
Current version: 1.4
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may put in place resources that are referenced b | t | 1 | Adversaries may put in place resources that are referenced b |
| > | y a link that can be used during targeting. An adversary may | > | y a link that can be used during targeting. An adversary may | ||
| > | rely upon a user clicking a malicious link in order to divu | > | rely upon a user clicking a malicious link in order to divu | ||
| > | lge information (including credentials) or to gain execution | > | lge information (including credentials) or to gain execution | ||
| > | , as in [Malicious Link](https://attack.mitre.org/techniques | > | , as in [Malicious Link](https://attack.mitre.org/techniques | ||
| > | /T1204/001). Links can be used for spearphishing, such as se | > | /T1204/001). Links can be used for spearphishing, such as se | ||
| > | nding an email accompanied by social engineering text to coa | > | nding an email accompanied by social engineering text to coa | ||
| > | x the user to actively click or copy and paste a URL into a | > | x the user to actively click or copy and paste a URL into a | ||
| > | browser. Prior to a phish for information (as in [Spearphish | > | browser. Prior to a phish for information (as in [Spearphish | ||
| > | ing Link](https://attack.mitre.org/techniques/T1598/003)) or | > | ing Link](https://attack.mitre.org/techniques/T1598/003)) or | ||
| > | a phish to gain initial access to a system (as in [Spearphi | > | a phish to gain initial access to a system (as in [Spearphi | ||
| > | shing Link](https://attack.mitre.org/techniques/T1566/002)), | > | shing Link](https://attack.mitre.org/techniques/T1566/002)), | ||
| > | an adversary must set up the resources for a link target fo | > | an adversary must set up the resources for a link target fo | ||
| > | r the spearphishing link. Typically, the resources for a l | > | r the spearphishing link. Typically, the resources for a l | ||
| > | ink target will be an HTML page that may include some client | > | ink target will be an HTML page that may include some client | ||
| > | -side script such as [JavaScript](https://attack.mitre.org/t | > | -side script such as [JavaScript](https://attack.mitre.org/t | ||
| > | echniques/T1059/007) to decide what content to serve to the | > | echniques/T1059/007) to decide what content to serve to the | ||
| > | user. Adversaries may clone legitimate sites to serve as the | > | user. Adversaries may clone legitimate sites to serve as the | ||
| > | link target, this can include cloning of login pages of leg | > | link target, this can include cloning of login pages of leg | ||
| > | itimate web services or organization login pages in an effor | > | itimate web services or organization login pages in an effor | ||
| > | t to harvest credentials during [Spearphishing Link](https:/ | > | t to harvest credentials during [Spearphishing Link](https:/ | ||
| > | /attack.mitre.org/techniques/T1598/003).(Citation: Malwareby | > | /attack.mitre.org/techniques/T1598/003).(Citation: Malwareby | ||
| > | tes Silent Librarian October 2020)(Citation: Proofpoint TA40 | > | tes Silent Librarian October 2020)(Citation: Proofpoint TA40 | ||
| > | 7 September 2019) Adversaries may also [Upload Malware](http | > | 7 September 2019) Adversaries may also [Upload Malware](http | ||
| > | s://attack.mitre.org/techniques/T1608/001) and have the link | > | s://attack.mitre.org/techniques/T1608/001) and have the link | ||
| > | target point to malware for download/execution by the user. | > | target point to malware for download/execution by the user. | ||
| > | Adversaries may purchase domains similar to legitimate dom | > | Adversaries may purchase domains similar to legitimate dom | ||
| > | ains (ex: homoglyphs, typosquatting, different top-level dom | > | ains (ex: homoglyphs, typosquatting, different top-level dom | ||
| > | ain, etc.) during acquisition of infrastructure ([Domains](h | > | ain, etc.) during acquisition of infrastructure ([Domains](h | ||
| > | ttps://attack.mitre.org/techniques/T1583/001)) to help facil | > | ttps://attack.mitre.org/techniques/T1583/001)) to help facil | ||
| > | itate [Malicious Link](https://attack.mitre.org/techniques/T | > | itate [Malicious Link](https://attack.mitre.org/techniques/T | ||
| > | 1204/001). Links can be written by adversaries to mask the | > | 1204/001). Links can be written by adversaries to mask the | ||
| > | true destination in order to deceive victims by abusing the | > | true destination in order to deceive victims by abusing the | ||
| > | URL schema and increasing the effectiveness of phishing.(Cit | > | URL schema and increasing the effectiveness of phishing.(Cit | ||
| > | ation: Kaspersky-masking)(Citation: mandiant-masking) Adver | > | ation: Kaspersky-masking)(Citation: mandiant-masking) Adver | ||
| > | saries may also use free or paid accounts on link shortening | > | saries may also use free or paid accounts on link shortening | ||
| > | services and Platform-as-a-Service providers to host link t | > | services and Platform-as-a-Service providers to host link t | ||
| > | argets while taking advantage of the widely trusted domains | > | argets while taking advantage of the widely trusted domains | ||
| > | of those providers to avoid being blocked while redirecting | > | of those providers to avoid being blocked while redirecting | ||
| > | victims to malicious pages.(Citation: Netskope GCP Redirecti | > | victims to malicious pages.(Citation: Netskope GCP Redirecti | ||
| > | on)(Citation: Netskope Cloud Phishing)(Citation: Intezer App | > | on)(Citation: Netskope Cloud Phishing)(Citation: Intezer App | ||
| > | Service Phishing)(Citation: Cofense-redirect) In addition, | > | Service Phishing)(Citation: Cofense-redirect) In addition, | ||
| > | adversaries may serve a variety of malicious links through u | > | adversaries may serve a variety of malicious links through u | ||
| > | niquely generated URIs/URLs.(Citation: iOS URL Scheme)(Citat | > | niquely generated URIs/URLs (including one-time, single use | ||
| > | ion: URI)(Citation: URI Use)(Citation: URI Unique) Finally, | > | links).(Citation: iOS URL Scheme)(Citation: URI)(Citation: U | ||
| > | adversaries may take advantage of the decentralized nature o | > | RI Use)(Citation: URI Unique) Finally, adversaries may take | ||
| > | f the InterPlanetary File System (IPFS) to host link targets | > | advantage of the decentralized nature of the InterPlanetary | ||
| > | that are difficult to remove.(Citation: Talos IPFS 2022) | > | File System (IPFS) to host link targets that are difficult t | ||
| > | o remove.(Citation: Talos IPFS 2022) | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-04-13 14:03:24.673000+00:00 | 2024-04-28 15:57:26.842000+00:00 |
| description | Adversaries may put in place resources that are referenced by a link that can be used during targeting. An adversary may rely upon a user clicking a malicious link in order to divulge information (including credentials) or to gain execution, as in [Malicious Link](https://attack.mitre.org/techniques/T1204/001). Links can be used for spearphishing, such as sending an email accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser. Prior to a phish for information (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003)) or a phish to gain initial access to a system (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002)), an adversary must set up the resources for a link target for the spearphishing link. Typically, the resources for a link target will be an HTML page that may include some client-side script such as [JavaScript](https://attack.mitre.org/techniques/T1059/007) to decide what content to serve to the user. Adversaries may clone legitimate sites to serve as the link target, this can include cloning of login pages of legitimate web services or organization login pages in an effort to harvest credentials during [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003).(Citation: Malwarebytes Silent Librarian October 2020)(Citation: Proofpoint TA407 September 2019) Adversaries may also [Upload Malware](https://attack.mitre.org/techniques/T1608/001) and have the link target point to malware for download/execution by the user. Adversaries may purchase domains similar to legitimate domains (ex: homoglyphs, typosquatting, different top-level domain, etc.) during acquisition of infrastructure ([Domains](https://attack.mitre.org/techniques/T1583/001)) to help facilitate [Malicious Link](https://attack.mitre.org/techniques/T1204/001). Links can be written by adversaries to mask the true destination in order to deceive victims by abusing the URL schema and increasing the effectiveness of phishing.(Citation: Kaspersky-masking)(Citation: mandiant-masking) Adversaries may also use free or paid accounts on link shortening services and Platform-as-a-Service providers to host link targets while taking advantage of the widely trusted domains of those providers to avoid being blocked while redirecting victims to malicious pages.(Citation: Netskope GCP Redirection)(Citation: Netskope Cloud Phishing)(Citation: Intezer App Service Phishing)(Citation: Cofense-redirect) In addition, adversaries may serve a variety of malicious links through uniquely generated URIs/URLs.(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique) Finally, adversaries may take advantage of the decentralized nature of the InterPlanetary File System (IPFS) to host link targets that are difficult to remove.(Citation: Talos IPFS 2022) | Adversaries may put in place resources that are referenced by a link that can be used during targeting. An adversary may rely upon a user clicking a malicious link in order to divulge information (including credentials) or to gain execution, as in [Malicious Link](https://attack.mitre.org/techniques/T1204/001). Links can be used for spearphishing, such as sending an email accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser. Prior to a phish for information (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003)) or a phish to gain initial access to a system (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002)), an adversary must set up the resources for a link target for the spearphishing link. Typically, the resources for a link target will be an HTML page that may include some client-side script such as [JavaScript](https://attack.mitre.org/techniques/T1059/007) to decide what content to serve to the user. Adversaries may clone legitimate sites to serve as the link target, this can include cloning of login pages of legitimate web services or organization login pages in an effort to harvest credentials during [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003).(Citation: Malwarebytes Silent Librarian October 2020)(Citation: Proofpoint TA407 September 2019) Adversaries may also [Upload Malware](https://attack.mitre.org/techniques/T1608/001) and have the link target point to malware for download/execution by the user. Adversaries may purchase domains similar to legitimate domains (ex: homoglyphs, typosquatting, different top-level domain, etc.) during acquisition of infrastructure ([Domains](https://attack.mitre.org/techniques/T1583/001)) to help facilitate [Malicious Link](https://attack.mitre.org/techniques/T1204/001). Links can be written by adversaries to mask the true destination in order to deceive victims by abusing the URL schema and increasing the effectiveness of phishing.(Citation: Kaspersky-masking)(Citation: mandiant-masking) Adversaries may also use free or paid accounts on link shortening services and Platform-as-a-Service providers to host link targets while taking advantage of the widely trusted domains of those providers to avoid being blocked while redirecting victims to malicious pages.(Citation: Netskope GCP Redirection)(Citation: Netskope Cloud Phishing)(Citation: Intezer App Service Phishing)(Citation: Cofense-redirect) In addition, adversaries may serve a variety of malicious links through uniquely generated URIs/URLs (including one-time, single use links).(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique) Finally, adversaries may take advantage of the decentralized nature of the InterPlanetary File System (IPFS) to host link targets that are difficult to remove.(Citation: Talos IPFS 2022) |
Current version: 1.3
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-04-12 21:18:23.798000+00:00 | 2024-04-28 15:43:30.271000+00:00 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_contributors | Pawel Partyka, Microsoft Threat Intelligence |
Current version: 1.1
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_deprecated | False |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-30 17:14:31.945000+00:00 | 2024-04-24 19:08:50.637000+00:00 |
| external_references[1]['description'] | SecureWorks. (2013). The Lifecycle of Peer-to-Peer (Gameover) ZeuS. Retrieved August 19, 2015. | SecureWorks. (2012). The Lifecycle of Peer-to-Peer (Gameover) ZeuS. Retrieved August 19, 2015. |
| external_references[1]['url'] | http://www.secureworks.com/cyber-threat-intelligence/threats/The_Lifecycle_of_Peer_to_Peer_Gameover_ZeuS/ | https://www.secureworks.com/research/The-Lifecycle-of-Peer-to-Peer-Gameover-ZeuS |
| x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |