These ATT&CK Navigator layer files can be uploaded to ATT&CK Navigator manually.
This JSON file contains the machine-readable output used to create this page: changelog.json
Current version: 1.1
Version changed from: 1.0 → 1.1
New Detections:
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | 2.1.0 | |
x_mitre_data_sources | ['Sensor Health: Host Status'] | |
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-23 12:51:45.475000+00:00 | 2022-04-28 16:05:10.755000+00:00 |
x_mitre_version | 1.0 | 1.1 |
Current version: 1.1
Version changed from: 1.0 → 1.1
New Detections:
STIX Field | Old value | New Value |
---|---|---|
x_mitre_data_sources | ['File: File Metadata'] |
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-19 20:10:09.368000+00:00 | 2022-04-28 16:03:59.172000+00:00 |
x_mitre_version | 1.0 | 1.1 |
Current version: 1.1
Version changed from: 1.0 → 1.1
New Detections:
STIX Field | Old value | New Value |
---|---|---|
x_mitre_data_sources | ['File: File Metadata'] |
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-19 20:10:59.465000+00:00 | 2022-04-28 16:04:36.636000+00:00 |
x_mitre_version | 1.0 | 1.1 |
Current version: 1.1
Version changed from: 1.0 → 1.1
New Detections:
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | 2.1.0 | |
x_mitre_data_sources | ['Application Log: Application Log Content'] | |
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-29 21:03:09.766000+00:00 | 2022-04-28 16:07:48.062000+00:00 |
x_mitre_version | 1.0 | 1.1 |
Current version: 1.4
Version changed from: 1.1 → 1.4
New Detections:
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | 2.1.0 | |
x_mitre_data_sources | ['Application Log: Application Log Content', 'User Account: User Account Authentication', 'Process: Process Creation'] | |
x_mitre_deprecated | False | |
x_mitre_is_subtechnique | False |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User'] |
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-25 18:51:01.070000+00:00 | 2022-04-28 16:06:49.447000+00:00 |
external_references[1]['source_name'] | Technet MS14-068 | ADSecurity Detecting Forged Tickets |
external_references[1]['description'] | Microsoft. (2014, November 18). Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780). Retrieved December 23, 2015. | Metcalf, S. (2015, May 03). Detecting Forged Kerberos Ticket (Golden Ticket & Silver Ticket) Use in Active Directory. Retrieved December 23, 2015. |
external_references[1]['url'] | https://technet.microsoft.com/en-us/library/security/ms14-068.aspx | https://adsecurity.org/?p=1515 |
external_references[2]['source_name'] | ADSecurity Detecting Forged Tickets | Technet MS14-068 |
external_references[2]['description'] | Metcalf, S. (2015, May 03). Detecting Forged Kerberos Ticket (Golden Ticket & Silver Ticket) Use in Active Directory. Retrieved December 23, 2015. | Microsoft. (2014, November 18). Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780). Retrieved December 23, 2015. |
external_references[2]['url'] | https://adsecurity.org/?p=1515 | https://technet.microsoft.com/en-us/library/security/ms14-068.aspx |
x_mitre_version | 1.1 | 1.4 |
Current version: 1.3
Version changed from: 1.1 → 1.3
New Detections:
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | 2.1.0 | |
x_mitre_data_sources | ['Process: Process Creation', 'Application Log: Application Log Content'] | |
x_mitre_deprecated | False | |
x_mitre_is_subtechnique | False |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User'] |
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-29 20:00:46.900000+00:00 | 2022-04-28 16:10:16.632000+00:00 |
x_mitre_version | 1.1 | 1.3 |
Current version: 1.6
Version changed from: 1.3 → 1.6
New Detections:
STIX Field | Old value | New Value |
---|---|---|
x_mitre_data_sources | ['Application Log: Application Log Content', 'Drive: Drive Creation', 'Network Traffic: Network Traffic Flow'] |
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-19 17:12:28.626000+00:00 | 2022-04-28 16:09:12.782000+00:00 |
x_mitre_version | 1.3 | 1.6 |
Current version: 1.5
Version changed from: 1.3 → 1.5
New Detections:
STIX Field | Old value | New Value |
---|---|---|
x_mitre_data_sources | ['File: File Metadata', 'Sensor Health: Host Status'] |
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-19 20:09:21.256000+00:00 | 2022-04-28 16:03:22.870000+00:00 |
x_mitre_version | 1.3 | 1.5 |
Current version: 2.0
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | 2.1.0 | |
x_mitre_deprecated | False | |
x_mitre_is_subtechnique | False | |
external_references | Atkinson, J., Winchester, R. (2017, December 7). A Process is No One: Hunting for Token Manipulation. Retrieved December 21, 2017. | |
external_references | CAPEC-633 |
STIX Field | Old value | New Value |
---|---|---|
external_references | CAPEC-633 | |
external_references | Atkinson, J., Winchester, R. (2017, December 7). A Process is No One: Hunting for Token Manipulation. Retrieved December 21, 2017. |
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-17 14:51:49.334000+00:00 | 2022-05-03 02:14:43.557000+00:00 |
external_references[1]['source_name'] | capec | BlackHat Atkinson Winchester Token Manipulation |
external_references[1]['url'] | https://capec.mitre.org/data/definitions/633.html | https://www.blackhat.com/docs/eu-17/materials/eu-17-Atkinson-A-Process-Is-No-One-Hunting-For-Token-Manipulation.pdf |
external_references[2]['source_name'] | Pentestlab Token Manipulation | Microsoft Command-line Logging |
external_references[2]['description'] | netbiosX. (2017, April 3). Token Manipulation. Retrieved April 21, 2017. | Mathers, B. (2017, March 7). Command line process auditing. Retrieved April 21, 2017. |
external_references[2]['url'] | https://pentestlab.blog/2017/04/03/token-manipulation/ | https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing |
external_references[3]['source_name'] | Microsoft Command-line Logging | Microsoft LogonUser |
external_references[3]['description'] | Mathers, B. (2017, March 7). Command line process auditing. Retrieved April 21, 2017. | Microsoft TechNet. (n.d.). Retrieved April 25, 2017. |
external_references[3]['url'] | https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing | https://msdn.microsoft.com/en-us/library/windows/desktop/aa378184(v=vs.85).aspx |
external_references[4]['source_name'] | Microsoft LogonUser | Microsoft DuplicateTokenEx |
external_references[4]['url'] | https://msdn.microsoft.com/en-us/library/windows/desktop/aa378184(v=vs.85).aspx | https://msdn.microsoft.com/en-us/library/windows/desktop/aa446617(v=vs.85).aspx |
external_references[5]['source_name'] | Microsoft DuplicateTokenEx | Microsoft ImpersonateLoggedOnUser |
external_references[5]['url'] | https://msdn.microsoft.com/en-us/library/windows/desktop/aa446617(v=vs.85).aspx | https://msdn.microsoft.com/en-us/library/windows/desktop/aa378612(v=vs.85).aspx |
external_references[6]['source_name'] | Microsoft ImpersonateLoggedOnUser | Pentestlab Token Manipulation |
external_references[6]['description'] | Microsoft TechNet. (n.d.). Retrieved April 25, 2017. | netbiosX. (2017, April 3). Token Manipulation. Retrieved April 21, 2017. |
external_references[6]['url'] | https://msdn.microsoft.com/en-us/library/windows/desktop/aa378612(v=vs.85).aspx | https://pentestlab.blog/2017/04/03/token-manipulation/ |
external_references[7]['source_name'] | BlackHat Atkinson Winchester Token Manipulation | capec |
external_references[7]['url'] | https://www.blackhat.com/docs/eu-17/materials/eu-17-Atkinson-A-Process-Is-No-One-Hunting-For-Token-Manipulation.pdf | https://capec.mitre.org/data/definitions/633.html |
x_mitre_data_sources[0] | Active Directory: Active Directory Object Modification | User Account: User Account Metadata |
x_mitre_data_sources[1] | Command: Command Execution | Process: OS API Execution |
x_mitre_data_sources[2] | Process: Process Creation | Process: Process Metadata |
x_mitre_data_sources[3] | Process: Process Metadata | Process: Process Creation |
x_mitre_data_sources[4] | Process: OS API Execution | Command: Command Execution |
x_mitre_data_sources[5] | User Account: User Account Metadata | Active Directory: Active Directory Object Modification |
x_mitre_defense_bypassed[1] | System access controls | Heuristic Detection |
x_mitre_defense_bypassed[2] | File system access controls | System Access Controls |
x_mitre_defense_bypassed[3] | Heuristic Detection | Host Forensic Analysis |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | Host forensic analysis |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | 2.1.0 | |
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['Administrator'] |
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-04-26 15:41:39.155000+00:00 | 2022-05-05 05:00:03.480000+00:00 |
external_references[1]['source_name'] | Microsoft DSE June 2017 | Apple Disable SIP |
external_references[1]['description'] | Microsoft. (2017, June 1). Digital Signatures for Kernel Modules on Windows. Retrieved April 22, 2021. | Apple. (n.d.). Disabling and Enabling System Integrity Protection. Retrieved April 22, 2021. |
external_references[1]['url'] | https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653559(v=vs.85)?redirectedfrom=MSDN | https://developer.apple.com/documentation/security/disabling_and_enabling_system_integrity_protection |
external_references[2]['source_name'] | Apple Disable SIP | F-Secure BlackEnergy 2014 |
external_references[2]['description'] | Apple. (n.d.). Disabling and Enabling System Integrity Protection. Retrieved April 22, 2021. | F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016. |
external_references[2]['url'] | https://developer.apple.com/documentation/security/disabling_and_enabling_system_integrity_protection | https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf |
external_references[3]['source_name'] | Microsoft Unsigned Driver Apr 2017 | FireEye HIKIT Rootkit Part 2 |
external_references[3]['description'] | Microsoft. (2017, April 20). Installing an Unsigned Driver during Development and Test. Retrieved April 22, 2021. | Glyer, C., Kazanciyan, R. (2012, August 22). The “Hikit” Rootkit: Advanced and Persistent Attack Techniques (Part 2). Retrieved May 4, 2020. |
external_references[3]['url'] | https://docs.microsoft.com/en-us/windows-hardware/drivers/install/installing-an-unsigned-driver-during-development-and-test | https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-2.html |
external_references[4]['source_name'] | Microsoft TESTSIGNING Feb 2021 | Microsoft Unsigned Driver Apr 2017 |
external_references[4]['description'] | Microsoft. (2021, February 15). Enable Loading of Test Signed Drivers. Retrieved April 22, 2021. | Microsoft. (2017, April 20). Installing an Unsigned Driver during Development and Test. Retrieved April 22, 2021. |
external_references[4]['url'] | https://docs.microsoft.com/en-us/windows-hardware/drivers/install/the-testsigning-boot-configuration-option | https://docs.microsoft.com/en-us/windows-hardware/drivers/install/installing-an-unsigned-driver-during-development-and-test |
external_references[5]['source_name'] | FireEye HIKIT Rootkit Part 2 | Microsoft DSE June 2017 |
external_references[5]['description'] | Glyer, C., Kazanciyan, R. (2012, August 22). The “Hikit” Rootkit: Advanced and Persistent Attack Techniques (Part 2). Retrieved May 4, 2020. | Microsoft. (2017, June 1). Digital Signatures for Kernel Modules on Windows. Retrieved April 22, 2021. |
external_references[5]['url'] | https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-2.html | https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653559(v=vs.85)?redirectedfrom=MSDN |
external_references[6]['source_name'] | GitHub Turla Driver Loader | Microsoft TESTSIGNING Feb 2021 |
external_references[6]['description'] | TDL Project. (2016, February 4). TDL (Turla Driver Loader). Retrieved April 22, 2021. | Microsoft. (2021, February 15). Enable Loading of Test Signed Drivers. Retrieved April 22, 2021. |
external_references[6]['url'] | https://github.com/hfiref0x/TDL | https://docs.microsoft.com/en-us/windows-hardware/drivers/install/the-testsigning-boot-configuration-option |
external_references[7]['source_name'] | F-Secure BlackEnergy 2014 | Unit42 AcidBox June 2020 |
external_references[7]['description'] | F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016. | Reichel, D. and Idrizovic, E. (2020, June 17). AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations. Retrieved March 16, 2021. |
external_references[7]['url'] | https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf | https://unit42.paloaltonetworks.com/acidbox-rare-malware/ |
external_references[8]['source_name'] | Unit42 AcidBox June 2020 | GitHub Turla Driver Loader |
external_references[8]['description'] | Reichel, D. and Idrizovic, E. (2020, June 17). AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations. Retrieved March 16, 2021. | TDL Project. (2016, February 4). TDL (Turla Driver Loader). Retrieved April 22, 2021. |
external_references[8]['url'] | https://unit42.paloaltonetworks.com/acidbox-rare-malware/ | https://github.com/hfiref0x/TDL |
x_mitre_data_sources[0] | Windows Registry: Windows Registry Key Modification | Command: Command Execution |
x_mitre_data_sources[2] | Command: Command Execution | Windows Registry: Windows Registry Key Modification |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | Application Control |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | Application control |
Current version: 2.0
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | 2.1.0 | |
x_mitre_deprecated | False | |
external_references | Amanda Steward. (2014). FireEye DLL Side-Loading: A Thorn in the Side of the Anti-Virus Industry. Retrieved March 13, 2020. | |
external_references | CAPEC-641 |
STIX Field | Old value | New Value |
---|---|---|
external_references | CAPEC-641 | |
external_references | Amanda Steward. (2014). FireEye DLL Side-Loading: A Thorn in the Side of the Anti-Virus Industry. Retrieved March 13, 2020. |
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-04-26 18:31:34.954000+00:00 | 2022-05-05 04:07:48.912000+00:00 |
external_references[1]['source_name'] | capec | FireEye DLL Side-Loading |
external_references[1]['url'] | https://capec.mitre.org/data/definitions/641.html | https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf |
external_references[2]['source_name'] | FireEye DLL Side-Loading | capec |
external_references[2]['url'] | https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf | https://capec.mitre.org/data/definitions/641.html |
x_mitre_data_sources[0] | Process: Process Creation | File: File Modification |
x_mitre_data_sources[1] | Module: Module Load | File: File Creation |
x_mitre_data_sources[2] | File: File Creation | Module: Module Load |
x_mitre_data_sources[3] | File: File Modification | Process: Process Creation |
x_mitre_defense_bypassed[1] | Application control | Application Control |
Current version: 1.1
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | 2.1.0 | |
x_mitre_deprecated | False | |
x_mitre_is_subtechnique | False |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User'] |
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-07-09 14:42:23.122000+00:00 | 2022-05-05 04:05:42.508000+00:00 |
external_references[1]['source_name'] | Malwarebytes Targeted Attack against Saudi Arabia | Volexity PowerDuke November 2016 |
external_references[1]['description'] | Malwarebytes Labs. (2017, March 27). New targeted attack against Saudi Arabia Government. Retrieved July 3, 2017. | Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017. |
external_references[1]['url'] | https://blog.malwarebytes.com/cybercrime/social-engineering-cybercrime/2017/03/new-targeted-attack-saudi-arabia-government/ | https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/ |
external_references[2]['source_name'] | Carbon Black Obfuscation Sept 2016 | Malwarebytes Targeted Attack against Saudi Arabia |
external_references[2]['description'] | Tedesco, B. (2016, September 23). Security Alert Summary. Retrieved February 12, 2018. | Malwarebytes Labs. (2017, March 27). New targeted attack against Saudi Arabia Government. Retrieved July 3, 2017. |
external_references[2]['url'] | https://www.carbonblack.com/2016/09/23/security-advisory-variants-well-known-adware-families-discovered-include-sophisticated-obfuscation-techniques-previously-associated-nation-state-attacks/ | https://blog.malwarebytes.com/cybercrime/social-engineering-cybercrime/2017/03/new-targeted-attack-saudi-arabia-government/ |
external_references[3]['source_name'] | Volexity PowerDuke November 2016 | Carbon Black Obfuscation Sept 2016 |
external_references[3]['description'] | Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017. | Tedesco, B. (2016, September 23). Security Alert Summary. Retrieved February 12, 2018. |
external_references[3]['url'] | https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/ | https://www.carbonblack.com/2016/09/23/security-advisory-variants-well-known-adware-families-discovered-include-sophisticated-obfuscation-techniques-previously-associated-nation-state-attacks/ |
x_mitre_data_sources[0] | Script: Script Execution | File: File Modification |
x_mitre_data_sources[2] | File: File Modification | Script: Script Execution |
x_mitre_defense_bypassed[1] | Host intrusion prevention systems | Host Intrusion Prevention Systems |
x_mitre_defense_bypassed[2] | Signature-based detection | Signature-based Detection |
x_mitre_defense_bypassed[3] | Network intrusion detection system | Network Intrusion Detection System |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-20 16:44:02.983000+00:00 | 2022-04-25 16:26:53.204000+00:00 |
x_mitre_data_sources[0] | User Account: User Account Modification | Application Log: Application Log Content |
x_mitre_data_sources[2] | Application Log: Application Log Content | User Account: User Account Modification |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_contributors | Mike Moran |
Current version: 2.0
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | 2.1.0 | |
x_mitre_deprecated | False | |
external_references | Amanda Rousseau. (2020, April 4). MacOS Dylib Injection Workshop. Retrieved March 29, 2021. | |
external_references | CAPEC-471 |
STIX Field | Old value | New Value |
---|---|---|
external_references | CAPEC-471 | |
external_references | Apple Inc.. (2012, July 7). Run-Path Dependent Libraries. Retrieved March 31, 2021. |
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-04-27 20:19:15.212000+00:00 | 2022-05-05 04:08:30.203000+00:00 |
external_references[1]['source_name'] | capec | MalwareUnicorn macOS Dylib Injection MachO |
external_references[1]['url'] | https://capec.mitre.org/data/definitions/471.html | https://malwareunicorn.org/workshops/macos_dylib_injection.html#5 |
external_references[2]['source_name'] | Wardle Dylib Hijack Vulnerable Apps | Apple Developer Doco Archive Run-Path |
external_references[2]['description'] | Patrick Wardle. (2019, July 2). Getting Root with Benign AppStore Apps. Retrieved March 31, 2021. | Apple Inc.. (2012, July 7). Run-Path Dependent Libraries. Retrieved March 31, 2021. |
external_references[2]['url'] | https://objective-see.com/blog/blog_0x46.html | https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/RunpathDependentLibraries.html |
external_references[4]['source_name'] | Github EmpireProject HijackScanner | Writing Bad Malware for OSX |
external_references[4]['description'] | Wardle, P., Ross, C. (2017, September 21). Empire Project Dylib Hijack Vulnerability Scanner. Retrieved April 1, 2021. | Patrick Wardle. (2015). Writing Bad @$$ Malware for OS X. Retrieved July 10, 2017. |
external_references[4]['url'] | https://github.com/EmpireProject/Empire/blob/master/lib/modules/python/situational_awareness/host/osx/HijackScanner.py | https://www.blackhat.com/docs/us-15/materials/us-15-Wardle-Writing-Bad-A-Malware-For-OS-X.pdf |
external_references[5]['source_name'] | Github EmpireProject CreateHijacker Dylib | Wardle Dylib Hijack Vulnerable Apps |
external_references[5]['description'] | Wardle, P., Ross, C. (2018, April 8). EmpireProject Create Dylib Hijacker. Retrieved April 1, 2021. | Patrick Wardle. (2019, July 2). Getting Root with Benign AppStore Apps. Retrieved March 31, 2021. |
external_references[5]['url'] | https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/persistence/osx/CreateHijacker.py | https://objective-see.com/blog/blog_0x46.html |
external_references[6]['source_name'] | Writing Bad Malware for OSX | wardle artofmalware volume1 |
external_references[6]['description'] | Patrick Wardle. (2015). Writing Bad @$$ Malware for OS X. Retrieved July 10, 2017. | Patrick Wardle. (2020, August 5). The Art of Mac Malware Volume 0x1: Analysis. Retrieved March 19, 2021. |
external_references[6]['url'] | https://www.blackhat.com/docs/us-15/materials/us-15-Wardle-Writing-Bad-A-Malware-For-OS-X.pdf | https://taomm.org/vol1/pdfs.html |
external_references[7]['source_name'] | wardle artofmalware volume1 | Github EmpireProject HijackScanner |
external_references[7]['description'] | Patrick Wardle. (2020, August 5). The Art of Mac Malware Volume 0x1: Analysis. Retrieved March 19, 2021. | Wardle, P., Ross, C. (2017, September 21). Empire Project Dylib Hijack Vulnerability Scanner. Retrieved April 1, 2021. |
external_references[7]['url'] | https://taomm.org/vol1/pdfs.html | https://github.com/EmpireProject/Empire/blob/master/lib/modules/python/situational_awareness/host/osx/HijackScanner.py |
external_references[8]['source_name'] | MalwareUnicorn macOS Dylib Injection MachO | Github EmpireProject CreateHijacker Dylib |
external_references[8]['description'] | Amanda Rousseau. (2020, April 4). MacOS Dylib Injection Workshop. Retrieved March 29, 2021. | Wardle, P., Ross, C. (2018, April 8). EmpireProject Create Dylib Hijacker. Retrieved April 1, 2021. |
external_references[8]['url'] | https://malwareunicorn.org/workshops/macos_dylib_injection.html#5 | https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/persistence/osx/CreateHijacker.py |
external_references[9]['source_name'] | Apple Developer Doco Archive Run-Path | capec |
external_references[9]['url'] | https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/RunpathDependentLibraries.html | https://capec.mitre.org/data/definitions/471.html |
x_mitre_defense_bypassed[0] | Application control | Application Control |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_data_sources | Module: Module Load |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_data_sources | Module: Module Load |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | 2.1.0 | |
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User'] |
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-06-09 18:53:58.159000+00:00 | 2022-05-04 14:52:51.290000+00:00 |
external_references[1]['source_name'] | EK Clueless Agents | Proofpoint Router Malvertising |
external_references[1]['description'] | Riordan, J., Schneier, B. (1998, June 18). Environmental Key Generation towards Clueless Agents. Retrieved January 18, 2019. | Kafeine. (2016, December 13). Home Routers Under Attack via Malvertising on Windows, Android Devices. Retrieved January 16, 2019. |
external_references[1]['url'] | https://www.schneier.com/academic/paperfiles/paper-clueless-agents.pdf | https://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices |
external_references[3]['source_name'] | Proofpoint Router Malvertising | Ebowla: Genetic Malware |
external_references[3]['description'] | Kafeine. (2016, December 13). Home Routers Under Attack via Malvertising on Windows, Android Devices. Retrieved January 16, 2019. | Morrow, T., Pitts, J. (2016, October 28). Genetic Malware: Designing Payloads for Specific Targets. Retrieved January 18, 2019. |
external_references[3]['url'] | https://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices | https://github.com/Genetic-Malware/Ebowla/blob/master/Eko_2016_Morrow_Pitts_Master.pdf |
external_references[4]['source_name'] | EK Impeding Malware Analysis | EK Clueless Agents |
external_references[4]['description'] | Song, C., et al. (2012, August 7). Impeding Automated Malware Analysis with Environment-sensitive Malware. Retrieved January 18, 2019. | Riordan, J., Schneier, B. (1998, June 18). Environmental Key Generation towards Clueless Agents. Retrieved January 18, 2019. |
external_references[4]['url'] | https://pdfs.semanticscholar.org/2721/3d206bc3c1e8c229fb4820b6af09e7f975da.pdf | https://www.schneier.com/academic/paperfiles/paper-clueless-agents.pdf |
external_references[5]['source_name'] | Environmental Keyed HTA | EK Impeding Malware Analysis |
external_references[5]['description'] | Warren, R. (2017, August 8). Smuggling HTA files in Internet Explorer/Edge. Retrieved January 16, 2019. | Song, C., et al. (2012, August 7). Impeding Automated Malware Analysis with Environment-sensitive Malware. Retrieved January 18, 2019. |
external_references[5]['url'] | https://research.nccgroup.com/2017/08/08/smuggling-hta-files-in-internet-explorer-edge/ | https://pdfs.semanticscholar.org/2721/3d206bc3c1e8c229fb4820b6af09e7f975da.pdf |
external_references[6]['source_name'] | Ebowla: Genetic Malware | Demiguise Guardrail Router Logo |
external_references[6]['description'] | Morrow, T., Pitts, J. (2016, October 28). Genetic Malware: Designing Payloads for Specific Targets. Retrieved January 18, 2019. | Warren, R. (2017, August 2). Demiguise: virginkey.js. Retrieved January 17, 2019. |
external_references[6]['url'] | https://github.com/Genetic-Malware/Ebowla/blob/master/Eko_2016_Morrow_Pitts_Master.pdf | https://github.com/nccgroup/demiguise/blob/master/examples/virginkey.js |
external_references[7]['source_name'] | Demiguise Guardrail Router Logo | Environmental Keyed HTA |
external_references[7]['description'] | Warren, R. (2017, August 2). Demiguise: virginkey.js. Retrieved January 17, 2019. | Warren, R. (2017, August 8). Smuggling HTA files in Internet Explorer/Edge. Retrieved January 16, 2019. |
external_references[7]['url'] | https://github.com/nccgroup/demiguise/blob/master/examples/virginkey.js | https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/august/smuggling-hta-files-in-internet-exploreredge/ |
x_mitre_data_sources[0] | Process: Process Creation | Command: Command Execution |
x_mitre_data_sources[1] | Command: Command Execution | Process: Process Creation |
x_mitre_defense_bypassed[1] | Host forensic analysis | Host Forensic Analysis |
x_mitre_defense_bypassed[2] | Signature-based detection | Signature-based Detection |
x_mitre_defense_bypassed[3] | Static file analysis | Static File Analysis |
Current version: 1.1
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | 2.1.0 | |
x_mitre_deprecated | False | |
x_mitre_is_subtechnique | False |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User'] |
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-06-09 18:53:58.471000+00:00 | 2022-05-03 02:39:29.314000+00:00 |
external_references[1]['source_name'] | FireEye Kevin Mandia Guardrails | FireEye Outlook Dec 2019 |
external_references[1]['description'] | Shoorbajee, Z. (2018, June 1). Playing nice? FireEye CEO says U.S. malware is more restrained than adversaries'. Retrieved January 17, 2019. | McWhirt, M., Carr, N., Bienstock, D. (2019, December 4). Breaking the Rules: A Tough Outlook for Home Page Attacks (CVE-2017-11774). Retrieved June 23, 2020. |
external_references[1]['url'] | https://www.cyberscoop.com/kevin-mandia-fireeye-u-s-malware-nice/ | https://www.fireeye.com/blog/threat-research/2019/12/breaking-the-rules-tough-outlook-for-home-page-attacks.html |
external_references[2]['source_name'] | FireEye Outlook Dec 2019 | FireEye Kevin Mandia Guardrails |
external_references[2]['description'] | McWhirt, M., Carr, N., Bienstock, D. (2019, December 4). Breaking the Rules: A Tough Outlook for Home Page Attacks (CVE-2017-11774). Retrieved June 23, 2020. | Shoorbajee, Z. (2018, June 1). Playing nice? FireEye CEO says U.S. malware is more restrained than adversaries'. Retrieved January 17, 2019. |
external_references[2]['url'] | https://www.fireeye.com/blog/threat-research/2019/12/breaking-the-rules-tough-outlook-for-home-page-attacks.html | https://www.cyberscoop.com/kevin-mandia-fireeye-u-s-malware-nice/ |
x_mitre_data_sources[0] | Command: Command Execution | Process: Process Creation |
x_mitre_data_sources[1] | Process: Process Creation | Command: Command Execution |
x_mitre_defense_bypassed[1] | Host forensic analysis | Host Forensic Analysis |
x_mitre_defense_bypassed[2] | Signature-based detection | Signature-based Detection |
x_mitre_defense_bypassed[3] | Static file analysis | Static File Analysis |
Current version: 1.1
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | 2.1.0 | |
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User', 'Administrator'] |
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-14 21:18:30.629000+00:00 | 2022-05-05 04:58:34.172000+00:00 |
external_references[1]['source_name'] | TheEclecticLightCompany apple notarization | theevilbit gatekeeper bypass 2021 |
external_references[1]['description'] | How Notarization Works. (2020, August 28). How notarization works. Retrieved September 13, 2021. | Csaba Fitzl. (2021, June 29). GateKeeper - Not a Bypass (Again). Retrieved September 22, 2021. |
external_references[1]['url'] | https://eclecticlight.co/2020/08/28/how-notarization-works/ | https://theevilbit.github.io/posts/gatekeeper_not_a_bypass/ |
external_references[2]['source_name'] | Bypassing Gatekeeper | OceanLotus for OS X |
external_references[2]['description'] | Thomas Reed. (2016, March 31). Bypassing Apple's Gatekeeper. Retrieved July 5, 2017. | Eddie Lee. (2016, February 17). OceanLotus for OS X - an Application Bundle Pretending to be an Adobe Flash Update. Retrieved July 5, 2017. |
external_references[2]['url'] | https://blog.malwarebytes.com/cybercrime/2015/10/bypassing-apples-gatekeeper/ | https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update |
external_references[3]['source_name'] | 20 macOS Common Tools and Techniques | TheEclecticLightCompany Quarantine and the flag |
external_references[3]['description'] | Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021. | hoakley. (2020, October 29). Quarantine and the quarantine flag. Retrieved September 13, 2021. |
external_references[3]['url'] | https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/ | https://eclecticlight.co/2020/10/29/quarantine-and-the-quarantine-flag/ |
external_references[4]['source_name'] | TheEclecticLightCompany Quarantine and the flag | TheEclecticLightCompany apple notarization |
external_references[4]['description'] | hoakley. (2020, October 29). Quarantine and the quarantine flag. Retrieved September 13, 2021. | How Notarization Works. (2020, August 28). How notarization works. Retrieved September 13, 2021. |
external_references[4]['url'] | https://eclecticlight.co/2020/10/29/quarantine-and-the-quarantine-flag/ | https://eclecticlight.co/2020/08/28/how-notarization-works/ |
external_references[5]['source_name'] | theevilbit gatekeeper bypass 2021 | Methods of Mac Malware Persistence |
external_references[5]['description'] | Csaba Fitzl. (2021, June 29). GateKeeper - Not a Bypass (Again). Retrieved September 22, 2021. | Patrick Wardle. (2014, September). Methods of Malware Persistence on Mac OS X. Retrieved July 5, 2017. |
external_references[5]['url'] | https://theevilbit.github.io/posts/gatekeeper_not_a_bypass/ | https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf |
external_references[6]['source_name'] | Methods of Mac Malware Persistence | 20 macOS Common Tools and Techniques |
external_references[6]['description'] | Patrick Wardle. (2014, September). Methods of Malware Persistence on Mac OS X. Retrieved July 5, 2017. | Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021. |
external_references[6]['url'] | https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf | https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/ |
external_references[8]['source_name'] | OceanLotus for OS X | Bypassing Gatekeeper |
external_references[8]['description'] | Eddie Lee. (2016, February 17). OceanLotus for OS X - an Application Bundle Pretending to be an Adobe Flash Update. Retrieved July 5, 2017. | Thomas Reed. (2016, March 31). Bypassing Apple's Gatekeeper. Retrieved July 5, 2017. |
external_references[8]['url'] | https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update | https://blog.malwarebytes.com/cybercrime/2015/10/bypassing-apples-gatekeeper/ |
x_mitre_data_sources[0] | File: File Metadata | Process: Process Creation |
x_mitre_data_sources[1] | Command: Command Execution | File: File Modification |
x_mitre_data_sources[2] | File: File Modification | Command: Command Execution |
x_mitre_data_sources[3] | Process: Process Creation | File: File Metadata |
x_mitre_defense_bypassed[0] | Application control | Anti-virus |
x_mitre_defense_bypassed[1] | Anti-virus | Application Control |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | 2.1.0 | |
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User'] |
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-18 12:03:12.510000+00:00 | 2022-05-04 15:06:14.630000+00:00 |
external_references[1]['source_name'] | HTML Smuggling Menlo Security 2020 | Outlflank HTML Smuggling 2018 |
external_references[1]['description'] | Subramanian, K. (2020, August 18). New HTML Smuggling Attack Alert: Duri. Retrieved May 20, 2021. | Hegt, S. (2018, August 14). HTML smuggling explained. Retrieved May 20, 2021. |
external_references[1]['url'] | https://www.menlosecurity.com/blog/new-attack-alert-duri | https://outflank.nl/blog/2018/08/14/html-smuggling-explained/ |
external_references[2]['source_name'] | Outlflank HTML Smuggling 2018 | MSTIC NOBELIUM May 2021 |
external_references[2]['description'] | Hegt, S. (2018, August 14). HTML smuggling explained. Retrieved May 20, 2021. | Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021. |
external_references[2]['url'] | https://outflank.nl/blog/2018/08/14/html-smuggling-explained/ | https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/ |
external_references[3]['source_name'] | MSTIC NOBELIUM May 2021 | HTML Smuggling Menlo Security 2020 |
external_references[3]['description'] | Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021. | Subramanian, K. (2020, August 18). New HTML Smuggling Attack Alert: Duri. Retrieved May 20, 2021. |
external_references[3]['url'] | https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/ | https://www.menlosecurity.com/blog/new-attack-alert-duri |
x_mitre_defense_bypassed[0] | Web content filters | Anti-virus |
x_mitre_defense_bypassed[1] | Anti-virus | Web Content Filters |
x_mitre_defense_bypassed[2] | Static file analysis | Static File Analysis |
Current version: 1.2
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | 2.1.0 | |
x_mitre_deprecated | False | |
x_mitre_is_subtechnique | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-03-18 14:48:33.512000+00:00 | 2022-05-05 04:07:01.191000+00:00 |
x_mitre_data_sources[0] | Command: Command Execution | Service: Service Metadata |
x_mitre_data_sources[1] | Windows Registry: Windows Registry Key Modification | Module: Module Load |
x_mitre_data_sources[2] | File: File Creation | Process: Process Creation |
x_mitre_data_sources[4] | Process: Process Creation | File: File Creation |
x_mitre_data_sources[5] | Module: Module Load | Windows Registry: Windows Registry Key Modification |
x_mitre_data_sources[6] | Service: Service Metadata | Command: Command Execution |
x_mitre_defense_bypassed[1] | Application control | Application Control |
Current version: 1.1
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | 2.1.0 | |
x_mitre_deprecated | False | |
x_mitre_is_subtechnique | False |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User'] |
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-06-20 22:09:22.559000+00:00 | 2022-05-05 05:06:38.938000+00:00 |
external_references[1]['source_name'] | VectorSec ForFiles Aug 2017 | Evi1cg Forfiles Nov 2017 |
external_references[1]['description'] | vector_sec. (2017, August 11). Defenders watching launches of cmd? What about forfiles?. Retrieved January 22, 2018. | Evi1cg. (2017, November 26). block cmd.exe ? try this :. Retrieved January 22, 2018. |
external_references[1]['url'] | https://twitter.com/vector_sec/status/896049052642533376 | https://twitter.com/Evi1cg/status/935027922397573120 |
external_references[2]['source_name'] | Evi1cg Forfiles Nov 2017 | RSA Forfiles Aug 2017 |
external_references[2]['description'] | Evi1cg. (2017, November 26). block cmd.exe ? try this :. Retrieved January 22, 2018. | Partington, E. (2017, August 14). Are you looking out for forfiles.exe (if you are watching for cmd.exe). Retrieved January 22, 2018. |
external_references[2]['url'] | https://twitter.com/Evi1cg/status/935027922397573120 | https://community.rsa.com/community/products/netwitness/blog/2017/08/14/are-you-looking-out-for-forfilesexe-if-you-are-watching-for-cmdexe |
external_references[3]['source_name'] | RSA Forfiles Aug 2017 | VectorSec ForFiles Aug 2017 |
external_references[3]['description'] | Partington, E. (2017, August 14). Are you looking out for forfiles.exe (if you are watching for cmd.exe). Retrieved January 22, 2018. | vector_sec. (2017, August 11). Defenders watching launches of cmd? What about forfiles?. Retrieved January 22, 2018. |
external_references[3]['url'] | https://community.rsa.com/community/products/netwitness/blog/2017/08/14/are-you-looking-out-for-forfilesexe-if-you-are-watching-for-cmdexe | https://twitter.com/vector_sec/status/896049052642533376 |
x_mitre_data_sources[0] | Command: Command Execution | Process: Process Creation |
x_mitre_data_sources[1] | Process: Process Creation | Command: Command Execution |
x_mitre_defense_bypassed[1] | Application control | Application Control |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | Application control by file name or path |
Current version: 1.1
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-16 20:03:39.460000+00:00 | 2022-05-05 04:59:32.535000+00:00 |
x_mitre_data_sources[0] | File: File Metadata | File: File Creation |
x_mitre_data_sources[1] | File: File Creation | File: File Metadata |
x_mitre_defense_bypassed[0] | Anti-virus, Application control | Anti-virus |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | Application Control |
Current version: 1.4
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | 2.1.0 | |
x_mitre_deprecated | False | |
x_mitre_is_subtechnique | False | |
external_references | Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading. Retrieved April 22, 2019. | |
external_references | CAPEC-177 |
STIX Field | Old value | New Value |
---|---|---|
external_references | CAPEC-177 | |
external_references | Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading. Retrieved April 22, 2019. |
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-18 13:24:52.973000+00:00 | 2022-05-05 04:56:08.978000+00:00 |
external_references[1]['source_name'] | capec | Twitter ItsReallyNick Masquerading Update |
external_references[1]['url'] | https://capec.mitre.org/data/definitions/177.html | https://twitter.com/ItsReallyNick/status/1055321652777619457 |
external_references[2]['source_name'] | LOLBAS Main Site | Elastic Masquerade Ball |
external_references[2]['description'] | LOLBAS. (n.d.). Living Off The Land Binaries and Scripts (and also Libraries). Retrieved February 10, 2020. | Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball. Retrieved October 31, 2016. |
external_references[2]['url'] | https://lolbas-project.github.io/ | http://pages.endgame.com/rs/627-YBU-612/images/EndgameJournal_The%20Masquerade%20Ball_Pages_R2.pdf |
external_references[3]['source_name'] | Elastic Masquerade Ball | LOLBAS Main Site |
external_references[3]['description'] | Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball. Retrieved October 31, 2016. | LOLBAS. (n.d.). Living Off The Land Binaries and Scripts (and also Libraries). Retrieved February 10, 2020. |
external_references[3]['url'] | http://pages.endgame.com/rs/627-YBU-612/images/EndgameJournal_The%20Masquerade%20Ball_Pages_R2.pdf | https://lolbas-project.github.io/ |
external_references[4]['source_name'] | Twitter ItsReallyNick Masquerading Update | capec |
external_references[4]['url'] | https://twitter.com/ItsReallyNick/status/1055321652777619457 | https://capec.mitre.org/data/definitions/177.html |
x_mitre_data_sources[0] | Process: Process Metadata | File: File Modification |
x_mitre_data_sources[1] | Scheduled Job: Scheduled Job Modification | Service: Service Creation |
x_mitre_data_sources[2] | Image: Image Metadata | Service: Service Metadata |
x_mitre_data_sources[3] | Command: Command Execution | Scheduled Job: Scheduled Job Metadata |
x_mitre_data_sources[5] | Scheduled Job: Scheduled Job Metadata | Command: Command Execution |
x_mitre_data_sources[6] | Service: Service Metadata | Image: Image Metadata |
x_mitre_data_sources[7] | Service: Service Creation | Scheduled Job: Scheduled Job Modification |
x_mitre_data_sources[8] | File: File Modification | Process: Process Metadata |
x_mitre_defense_bypassed[0] | Application control by file name or path | Application Control |
Current version: 1.1
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | 2.1.0 | |
x_mitre_deprecated | False | |
external_references | Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading. Retrieved April 22, 2019. | |
external_references | CAPEC-177 |
STIX Field | Old value | New Value |
---|---|---|
external_references | CAPEC-177 | |
external_references | Docker. (n.d.). Docker Images. Retrieved April 6, 2021. |
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-04-20 19:23:37.762000+00:00 | 2022-05-05 04:56:50.197000+00:00 |
external_references[1]['source_name'] | capec | Twitter ItsReallyNick Masquerading Update |
external_references[1]['url'] | https://capec.mitre.org/data/definitions/177.html | https://twitter.com/ItsReallyNick/status/1055321652777619457 |
external_references[2]['source_name'] | Elastic Masquerade Ball | Docker Images |
external_references[2]['description'] | Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball. Retrieved October 31, 2016. | Docker. (n.d.). Docker Images. Retrieved April 6, 2021. |
external_references[2]['url'] | http://pages.endgame.com/rs/627-YBU-612/images/EndgameJournal_The%20Masquerade%20Ball_Pages_R2.pdf | https://docs.docker.com/engine/reference/commandline/images/ |
external_references[3]['source_name'] | Twitter ItsReallyNick Masquerading Update | Elastic Masquerade Ball |
external_references[3]['description'] | Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading. Retrieved April 22, 2019. | Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball. Retrieved October 31, 2016. |
external_references[3]['url'] | https://twitter.com/ItsReallyNick/status/1055321652777619457 | http://pages.endgame.com/rs/627-YBU-612/images/EndgameJournal_The%20Masquerade%20Ball_Pages_R2.pdf |
external_references[4]['source_name'] | Docker Images | capec |
external_references[4]['url'] | https://docs.docker.com/engine/reference/commandline/images/ | https://capec.mitre.org/data/definitions/177.html |
x_mitre_data_sources[0] | File: File Metadata | Image: Image Metadata |
x_mitre_data_sources[2] | Image: Image Metadata | File: File Metadata |
x_mitre_defense_bypassed[0] | Application control by file name or path | Application Control |
Current version: 1.1
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-19 21:44:17.057000+00:00 | 2022-05-05 05:05:44.200000+00:00 |
x_mitre_data_sources[0] | Network Traffic: Network Traffic Content | Network Traffic: Network Traffic Flow |
x_mitre_data_sources[1] | Network Traffic: Network Traffic Flow | Network Traffic: Network Traffic Content |
x_mitre_defense_bypassed[0] | Router ACL | Firewall |
x_mitre_defense_bypassed[1] | Firewall | System Access Controls |
Current version: 1.2
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | 2.1.0 | |
x_mitre_deprecated | False | |
x_mitre_is_subtechnique | False | |
external_references | Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017. | |
external_references | CAPEC-267 |
STIX Field | Old value | New Value |
---|---|---|
external_references | CAPEC-267 | |
external_references | Carr, N. (2016, August 14). OfficeCrackros. Retrieved February 12, 2018. |
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-03-11 16:45:38.033000+00:00 | 2022-05-05 05:08:05.584000+00:00 |
external_references[1]['source_name'] | capec | Volexity PowerDuke November 2016 |
external_references[1]['url'] | https://capec.mitre.org/data/definitions/267.html | https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/ |
external_references[2]['source_name'] | Volexity PowerDuke November 2016 | GitHub Revoke-Obfuscation |
external_references[2]['description'] | Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017. | Bohannon, D. (2017, July 27). Revoke-Obfuscation. Retrieved February 12, 2018. |
external_references[2]['url'] | https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/ | https://github.com/danielbohannon/Revoke-Obfuscation |
external_references[3]['source_name'] | Linux/Cdorked.A We Live Security Analysis | FireEye Obfuscation June 2017 |
external_references[3]['description'] | Pierre-Marc Bureau. (2013, April 26). Linux/Cdorked.A: New Apache backdoor being used in the wild to serve Blackhole. Retrieved September 10, 2017. | Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018. |
external_references[3]['url'] | https://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/ | https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html |
external_references[4]['source_name'] | Carbon Black Obfuscation Sept 2016 | FireEye Revoke-Obfuscation July 2017 |
external_references[4]['description'] | Tedesco, B. (2016, September 23). Security Alert Summary. Retrieved February 12, 2018. | Bohannon, D. & Holmes, L. (2017, July 27). Revoke-Obfuscation: PowerShell Obfuscation Detection Using Science. Retrieved February 12, 2018. |
external_references[4]['url'] | https://www.carbonblack.com/2016/09/23/security-advisory-variants-well-known-adware-families-discovered-include-sophisticated-obfuscation-techniques-previously-associated-nation-state-attacks/ | https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/revoke-obfuscation-report.pdf |
external_references[5]['source_name'] | FireEye Obfuscation June 2017 | GitHub Office-Crackros Aug 2016 |
external_references[5]['description'] | Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018. | Carr, N. (2016, August 14). OfficeCrackros. Retrieved February 12, 2018. |
external_references[5]['url'] | https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html | https://github.com/itsreallynick/office-crackros |
external_references[6]['source_name'] | FireEye Revoke-Obfuscation July 2017 | Linux/Cdorked.A We Live Security Analysis |
external_references[6]['description'] | Bohannon, D. & Holmes, L. (2017, July 27). Revoke-Obfuscation: PowerShell Obfuscation Detection Using Science. Retrieved February 12, 2018. | Pierre-Marc Bureau. (2013, April 26). Linux/Cdorked.A: New Apache backdoor being used in the wild to serve Blackhole. Retrieved September 10, 2017. |
external_references[6]['url'] | https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/revoke-obfuscation-report.pdf | https://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/ |
external_references[7]['source_name'] | PaloAlto EncodedCommand March 2017 | Carbon Black Obfuscation Sept 2016 |
external_references[7]['description'] | White, J. (2017, March 10). Pulling Back the Curtains on EncodedCommand PowerShell Attacks. Retrieved February 12, 2018. | Tedesco, B. (2016, September 23). Security Alert Summary. Retrieved February 12, 2018. |
external_references[7]['url'] | https://researchcenter.paloaltonetworks.com/2017/03/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/ | https://www.carbonblack.com/2016/09/23/security-advisory-variants-well-known-adware-families-discovered-include-sophisticated-obfuscation-techniques-previously-associated-nation-state-attacks/ |
external_references[8]['source_name'] | GitHub Revoke-Obfuscation | PaloAlto EncodedCommand March 2017 |
external_references[8]['description'] | Bohannon, D. (2017, July 27). Revoke-Obfuscation. Retrieved February 12, 2018. | White, J. (2017, March 10). Pulling Back the Curtains on EncodedCommand PowerShell Attacks. Retrieved February 12, 2018. |
external_references[8]['url'] | https://github.com/danielbohannon/Revoke-Obfuscation | https://researchcenter.paloaltonetworks.com/2017/03/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/ |
external_references[9]['source_name'] | GitHub Office-Crackros Aug 2016 | capec |
external_references[9]['url'] | https://github.com/itsreallynick/office-crackros | https://capec.mitre.org/data/definitions/267.html |
x_mitre_data_sources[0] | Process: Process Creation | Command: Command Execution |
x_mitre_data_sources[1] | File: File Metadata | File: File Creation |
x_mitre_data_sources[2] | File: File Creation | File: File Metadata |
x_mitre_data_sources[3] | Command: Command Execution | Process: Process Creation |
x_mitre_defense_bypassed[0] | Host forensic analysis | Host Forensic Analysis |
x_mitre_defense_bypassed[1] | Signature-based detection | Signature-based Detection |
x_mitre_defense_bypassed[2] | Host intrusion prevention systems | Host Intrusion Prevention Systems |
x_mitre_defense_bypassed[3] | Application control | Application Control |
x_mitre_defense_bypassed[4] | Log analysis | Log Analysis |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | Application control by file name or path |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | 2.1.0 | |
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-02-09 14:11:20.296000+00:00 | 2022-05-03 02:15:42.360000+00:00 |
external_references[1]['source_name'] | DidierStevens SelectMyParent Nov 2009 | XPNSec PPID Nov 2017 |
external_references[1]['description'] | Stevens, D. (2009, November 22). Quickpost: SelectMyParent or Playing With the Windows Process Tree. Retrieved June 3, 2019. | Chester, A. (2017, November 20). Alternative methods of becoming SYSTEM. Retrieved June 4, 2019. |
external_references[1]['url'] | https://blog.didierstevens.com/2009/11/22/quickpost-selectmyparent-or-playing-with-the-windows-process-tree/ | https://blog.xpnsec.com/becoming-system/ |
external_references[2]['source_name'] | Microsoft UAC Nov 2018 | CounterCept PPID Spoofing Dec 2018 |
external_references[2]['description'] | Montemayor, D. et al.. (2018, November 15). How User Account Control works. Retrieved June 3, 2019. | Loh, I. (2018, December 21). Detecting Parent PID Spoofing. Retrieved June 3, 2019. |
external_references[2]['url'] | https://docs.microsoft.com/windows/security/identity-protection/user-account-control/how-user-account-control-works | https://www.countercept.com/blog/detecting-parent-pid-spoofing/ |
external_references[3]['source_name'] | CounterCept PPID Spoofing Dec 2018 | Microsoft UAC Nov 2018 |
external_references[3]['description'] | Loh, I. (2018, December 21). Detecting Parent PID Spoofing. Retrieved June 3, 2019. | Montemayor, D. et al.. (2018, November 15). How User Account Control works. Retrieved June 3, 2019. |
external_references[3]['url'] | https://www.countercept.com/blog/detecting-parent-pid-spoofing/ | https://docs.microsoft.com/windows/security/identity-protection/user-account-control/how-user-account-control-works |
external_references[4]['source_name'] | CTD PPID Spoofing Macro Mar 2019 | Microsoft Process Creation Flags May 2018 |
external_references[4]['description'] | Tafani-Dereeper, C. (2019, March 12). Building an Office macro to spoof parent processes and command line arguments. Retrieved June 3, 2019. | Schofield, M. & Satran, M. (2018, May 30). Process Creation Flags. Retrieved June 4, 2019. |
external_references[4]['url'] | https://blog.christophetd.fr/building-an-office-macro-to-spoof-process-parent-and-command-line/ | https://docs.microsoft.com/windows/desktop/ProcThread/process-creation-flags |
external_references[5]['source_name'] | XPNSec PPID Nov 2017 | Secuirtyinbits Ataware3 May 2019 |
external_references[5]['description'] | Chester, A. (2017, November 20). Alternative methods of becoming SYSTEM. Retrieved June 4, 2019. | Secuirtyinbits . (2019, May 14). Parent PID Spoofing (Stage 2) Ataware Ransomware Part 3. Retrieved June 6, 2019. |
external_references[5]['url'] | https://blog.xpnsec.com/becoming-system/ | https://www.securityinbits.com/malware-analysis/parent-pid-spoofing-stage-2-ataware-ransomware-part-3 |
external_references[6]['source_name'] | Microsoft Process Creation Flags May 2018 | DidierStevens SelectMyParent Nov 2009 |
external_references[6]['description'] | Schofield, M. & Satran, M. (2018, May 30). Process Creation Flags. Retrieved June 4, 2019. | Stevens, D. (2009, November 22). Quickpost: SelectMyParent or Playing With the Windows Process Tree. Retrieved June 3, 2019. |
external_references[6]['url'] | https://docs.microsoft.com/windows/desktop/ProcThread/process-creation-flags | https://blog.didierstevens.com/2009/11/22/quickpost-selectmyparent-or-playing-with-the-windows-process-tree/ |
external_references[7]['source_name'] | Secuirtyinbits Ataware3 May 2019 | CTD PPID Spoofing Macro Mar 2019 |
external_references[7]['description'] | Secuirtyinbits . (2019, May 14). Parent PID Spoofing (Stage 2) Ataware Ransomware Part 3. Retrieved June 6, 2019. | Tafani-Dereeper, C. (2019, March 12). Building an Office macro to spoof parent processes and command line arguments. Retrieved June 3, 2019. |
external_references[7]['url'] | https://www.securityinbits.com/malware-analysis/parent-pid-spoofing-stage-2-ataware-ransomware-part-3 | https://blog.christophetd.fr/building-an-office-macro-to-spoof-process-parent-and-command-line/ |
x_mitre_data_sources[0] | Process: Process Creation | Process: OS API Execution |
x_mitre_data_sources[2] | Process: OS API Execution | Process: Process Creation |
x_mitre_defense_bypassed[1] | Host forensic analysis | Host Forensic Analysis |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | 2.1.0 | |
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-09-16 16:56:34.583000+00:00 | 2022-05-05 04:08:56.402000+00:00 |
x_mitre_data_sources[0] | File: File Modification | Process: Process Creation |
x_mitre_data_sources[1] | File: File Creation | Windows Registry: Windows Registry Key Modification |
x_mitre_data_sources[2] | Windows Registry: Windows Registry Key Modification | File: File Creation |
x_mitre_data_sources[3] | Process: Process Creation | File: File Modification |
x_mitre_defense_bypassed[0] | Application control | Application Control |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | 2.1.0 | |
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User'] |
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-16 01:50:40.276000+00:00 | 2022-05-05 05:10:23.890000+00:00 |
external_references[1]['source_name'] | macOS Hierarchical File System Overview | tau bundlore erika noerenberg 2020 |
external_references[1]['description'] | Tenon. (n.d.). Retrieved October 12, 2021. | Erika Noerenberg. (2020, June 29). TAU Threat Analysis: Bundlore (macOS) mm-install-macos. Retrieved October 12, 2021. |
external_references[1]['url'] | http://tenon.com/products/codebuilder/User_Guide/6_File_Systems.html#anchor520553 | https://blogs.vmware.com/security/2020/06/tau-threat-analysis-bundlore-macos-mm-install-macos.html |
external_references[5]['source_name'] | tau bundlore erika noerenberg 2020 | macOS Hierarchical File System Overview |
external_references[5]['description'] | Erika Noerenberg. (2020, June 29). TAU Threat Analysis: Bundlore (macOS) mm-install-macos. Retrieved October 12, 2021. | Tenon. (n.d.). Retrieved October 12, 2021. |
external_references[5]['url'] | https://blogs.vmware.com/security/2020/06/tau-threat-analysis-bundlore-macos-mm-install-macos.html | http://tenon.com/products/codebuilder/User_Guide/6_File_Systems.html#anchor520553 |
x_mitre_data_sources[0] | File: File Metadata | Process: Process Creation |
x_mitre_data_sources[1] | File: File Creation | Command: Command Execution |
x_mitre_data_sources[2] | Command: Command Execution | File: File Creation |
x_mitre_data_sources[3] | Process: Process Creation | File: File Metadata |
x_mitre_defense_bypassed[0] | Notarization; Gatekeeper | Notarization |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | Gatekeeper |
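Almost every row in the tables above is produced by comparing the old and new revision of one STIX technique object field by field, with lists compared position by position. That is why a reordered `x_mitre_data_sources` or `external_references` list shows up as a block of `[i]` rows even though no data source or citation was actually gained or lost, while a genuine change such as the split of `Notarization; Gatekeeper` into two `x_mitre_defense_bypassed` entries produces a changed row plus an added row. The following is an added example, not MITRE's changelog tooling and not code from this page: it reproduces the three-table shape from two constructed technique objects and, as the check a detection engineer would want before triaging a changelog, separates reorder-only list changes from list changes that alter the set of values. The object contents are constructed for the example; only the field names are the real STIX custom properties that appear above.

```python
"""Field-level diff of two STIX technique revisions, in the row shape used on this page."""
import json
from collections import Counter
from typing import Any, Dict, List, Tuple

Row = Tuple[str, str, str]  # (field path, old value, new value)

# Constructed sample revisions (not real ATT&CK data). The list contents mimic the
# kinds of edits tabulated above: a reordered data source list, a split
# defense_bypassed entry, reordered citations, one field added, one removed.
OLD: Dict[str, Any] = {
    "modified": "2021-10-16 01:50:40.276000+00:00",
    "x_mitre_version": "1.0",
    "x_mitre_permissions_required": ["User"],
    "x_mitre_data_sources": ["File: File Metadata", "File: File Creation",
                             "Command: Command Execution", "Process: Process Creation"],
    "x_mitre_defense_bypassed": ["Notarization; Gatekeeper"],
    "external_references": [
        {"source_name": "ref base", "url": "https://example.invalid/base"},
        {"source_name": "ref A", "url": "https://example.invalid/a"},
        {"source_name": "ref B", "url": "https://example.invalid/b"},
    ],
}
NEW: Dict[str, Any] = {
    "modified": "2022-05-05 05:10:23.890000+00:00",
    "x_mitre_version": "1.0",
    "x_mitre_attack_spec_version": "2.1.0",
    "x_mitre_deprecated": False,
    "x_mitre_data_sources": ["Process: Process Creation", "Command: Command Execution",
                             "File: File Creation", "File: File Metadata"],
    "x_mitre_defense_bypassed": ["Notarization", "Gatekeeper"],
    "external_references": [
        {"source_name": "ref base", "url": "https://example.invalid/base"},
        {"source_name": "ref B", "url": "https://example.invalid/b"},
        {"source_name": "ref A", "url": "https://example.invalid/a"},
    ],
}


def _canon(value: Any) -> str:
    """Canonical string form so dicts/lists inside lists can be compared and counted."""
    return value if isinstance(value, str) else json.dumps(value, sort_keys=True)


def _child(path: str, key: str) -> str:
    """Build paths like external_references[2]['url'], as the tables above do."""
    return key if not path else f"{path}['{key}']"


def diff_objects(old: Dict[str, Any], new: Dict[str, Any], path: str = "") -> Tuple[List[Row], List[Row], List[Row]]:
    """Return (added, removed, changed) rows, mirroring the three tables per technique.

    Lists are compared index by index, so a reordered list yields one changed row
    per moved index; extra trailing items become added/removed rows on the bare field.
    """
    added: List[Row] = []
    removed: List[Row] = []
    changed: List[Row] = []
    for key in sorted(set(old) | set(new)):
        p = _child(path, key)
        if key not in old:
            added.append((p, "", _canon(new[key])))
            continue
        if key not in new:
            removed.append((p, _canon(old[key]), ""))
            continue
        o, n = old[key], new[key]
        if o == n:
            continue
        if isinstance(o, dict) and isinstance(n, dict):
            a, r, c = diff_objects(o, n, p)
        elif isinstance(o, list) and isinstance(n, list):
            a, r, c = _diff_lists(o, n, p)
        else:
            a, r, c = [], [], [(p, _canon(o), _canon(n))]
        added += a
        removed += r
        changed += c
    return added, removed, changed


def _diff_lists(o: List[Any], n: List[Any], path: str) -> Tuple[List[Row], List[Row], List[Row]]:
    added: List[Row] = []
    removed: List[Row] = []
    changed: List[Row] = []
    for i in range(min(len(o), len(n))):
        if o[i] == n[i]:
            continue
        if isinstance(o[i], dict) and isinstance(n[i], dict):
            a, r, c = diff_objects(o[i], n[i], f"{path}[{i}]")
            added += a
            removed += r
            changed += c
        else:
            changed.append((f"{path}[{i}]", _canon(o[i]), _canon(n[i])))
    added += [(path, "", _canon(item)) for item in n[len(o):]]
    removed += [(path, _canon(item), "") for item in o[len(n):]]
    return added, removed, changed


def reorder_only(old: Dict[str, Any], new: Dict[str, Any], field: str) -> bool:
    """True when a list field changed in order only (same multiset of values)."""
    o, n = old.get(field, []), new.get(field, [])
    if not (isinstance(o, list) and isinstance(n, list)):
        return False
    return o != n and sorted(map(_canon, o)) == sorted(map(_canon, n))


def substantive_list_changes(old: Dict[str, Any], new: Dict[str, Any]) -> Dict[str, Tuple[List[str], List[str]]]:
    """Per list field, the values actually gained and lost, ignoring order.

    Reorder-only fields are omitted; this is the view to triage for detection impact.
    """
    result: Dict[str, Tuple[List[str], List[str]]] = {}
    for field in sorted(set(old) | set(new)):
        o, n = old.get(field, []), new.get(field, [])
        if not (isinstance(o, list) and isinstance(n, list)):
            continue
        oc, nc = Counter(map(_canon, o)), Counter(map(_canon, n))
        gained, lost = sorted((nc - oc).elements()), sorted((oc - nc).elements())
        if gained or lost:
            result[field] = (gained, lost)
    return result


def render(rows: List[Row]) -> str:
    """Render rows in the page's table layout."""
    return "\n".join(["STIX Field | Old value | New Value |", "---|---|---|"]
                     + [f"{f} | {o} | {n} |" for f, o, n in rows])


if __name__ == "__main__":
    added, removed, changed = diff_objects(OLD, NEW)
    print(render(changed))
    print("reorder-only data sources:", reorder_only(OLD, NEW, "x_mitre_data_sources"))
    print("substantive list changes:", substantive_list_changes(OLD, NEW))
```

Run on the constructed pair, the changed table lists four `x_mitre_data_sources[i]` rows and four `external_references[i][...]` rows, exactly the pattern seen throughout this page, yet `reorder_only` reports both fields as pure reorderings; `substantive_list_changes` keeps only `x_mitre_defense_bypassed` (gained `Gatekeeper` and `Notarization`, lost `Notarization; Gatekeeper`) and the removed `x_mitre_permissions_required`, which is the short list worth reading when deciding whether a detection or a mitigation mapping needs updating.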
Current version: 1.1
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | 2.1.0 | |
x_mitre_deprecated | False | |
x_mitre_is_subtechnique | False | |
external_references | Kurtz, G. (2012, November 19). HTTP iframe Injecting Linux Rootkit. Retrieved December 21, 2017. | |
external_references | CAPEC-552 |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['Administrator', 'SYSTEM', 'root'] | |
external_references | CAPEC-552 | |
external_references | Pan, M., Tsai, S. (2014). You can’t see me: A Mac OS X Rootkit uses the tricks you haven't known yet. Retrieved December 21, 2017. |
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-06-20 22:29:55.496000+00:00 | 2022-05-05 05:09:39.723000+00:00 |
external_references[1]['source_name'] | capec | CrowdStrike Linux Rootkit |
external_references[1]['url'] | https://capec.mitre.org/data/definitions/552.html | https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/ |
external_references[2]['source_name'] | Symantec Windows Rootkits | BlackHat Mac OSX Rootkit |
external_references[2]['description'] | Symantec. (n.d.). Windows Rootkit Overview. Retrieved December 21, 2017. | Pan, M., Tsai, S. (2014). You can’t see me: A Mac OS X Rootkit uses the tricks you haven't known yet. Retrieved December 21, 2017. |
external_references[2]['url'] | https://www.symantec.com/avcenter/reference/windows.rootkit.overview.pdf | http://www.blackhat.com/docs/asia-14/materials/Tsai/WP-Asia-14-Tsai-You-Cant-See-Me-A-Mac-OS-X-Rootkit-Uses-The-Tricks-You-Havent-Known-Yet.pdf |
external_references[3]['source_name'] | Wikipedia Rootkit | Symantec Windows Rootkits |
external_references[3]['description'] | Wikipedia. (2016, June 1). Rootkit. Retrieved June 2, 2016. | Symantec. (n.d.). Windows Rootkit Overview. Retrieved December 21, 2017. |
external_references[3]['url'] | https://en.wikipedia.org/wiki/Rootkit | https://www.symantec.com/avcenter/reference/windows.rootkit.overview.pdf |
external_references[4]['source_name'] | CrowdStrike Linux Rootkit | Wikipedia Rootkit |
external_references[4]['description'] | Kurtz, G. (2012, November 19). HTTP iframe Injecting Linux Rootkit. Retrieved December 21, 2017. | Wikipedia. (2016, June 1). Rootkit. Retrieved June 2, 2016. |
external_references[4]['url'] | https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/ | https://en.wikipedia.org/wiki/Rootkit |
external_references[5]['source_name'] | BlackHat Mac OSX Rootkit | capec |
external_references[5]['url'] | http://www.blackhat.com/docs/asia-14/materials/Tsai/WP-Asia-14-Tsai-You-Cant-See-Me-A-Mac-OS-X-Rootkit-Uses-The-Tricks-You-Havent-Known-Yet.pdf | https://capec.mitre.org/data/definitions/552.html |
x_mitre_data_sources[0] | File: File Modification | Firmware: Firmware Modification |
x_mitre_data_sources[2] | Firmware: Firmware Modification | File: File Modification |
x_mitre_defense_bypassed[0] | File monitoring | Anti-virus |
x_mitre_defense_bypassed[1] | Host intrusion prevention systems | File Monitoring |
x_mitre_defense_bypassed[2] | Application control | Host Intrusion Prevention Systems |
x_mitre_defense_bypassed[3] | Signature-based detection | Application Control |
x_mitre_defense_bypassed[4] | System access controls | Signature-based Detection |
x_mitre_defense_bypassed[5] | Application control by file name or path | System Access Controls |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | Anti-virus |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | 2.1.0 | |
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['SYSTEM', 'Administrator'] |
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-02-09 15:58:04.719000+00:00 | 2022-05-05 04:58:58.214000+00:00 |
external_references[1]['source_name'] | Microsoft Authenticode | Entrust Enable CAPI2 Aug 2017 |
external_references[1]['description'] | Microsoft. (n.d.). Authenticode. Retrieved January 31, 2018. | Entrust Datacard. (2017, August 16). How do I enable CAPI 2.0 logging in Windows Vista, Windows 7 and Windows 2008 Server?. Retrieved January 31, 2018. |
external_references[1]['url'] | https://msdn.microsoft.com/library/ms537359.aspx | http://www.entrust.net/knowledge-base/technote.cfm?tn=8165 |
external_references[2]['source_name'] | Microsoft WinVerifyTrust | GitHub SIP POC Sept 2017 |
external_references[2]['description'] | Microsoft. (n.d.). WinVerifyTrust function. Retrieved January 31, 2018. | Graeber, M. (2017, September 14). PoCSubjectInterfacePackage. Retrieved January 31, 2018. |
external_references[2]['url'] | https://msdn.microsoft.com/library/windows/desktop/aa388208.aspx | https://github.com/mattifestation/PoCSubjectInterfacePackage |
external_references[4]['source_name'] | EduardosBlog SIPs July 2008 | Microsoft Catalog Files and Signatures April 2017 |
external_references[4]['description'] | Navarro, E. (2008, July 11). SIP’s (Subject Interface Package) and Authenticode. Retrieved January 31, 2018. | Hudek, T. (2017, April 20). Catalog Files and Digital Signatures. Retrieved January 31, 2018. |
external_references[4]['url'] | https://blogs.technet.microsoft.com/eduardonavarro/2008/07/11/sips-subject-interface-package-and-authenticode/ | https://docs.microsoft.com/windows-hardware/drivers/install/catalog-files |
external_references[5]['source_name'] | Microsoft Catalog Files and Signatures April 2017 | Microsoft Audit Registry July 2012 |
external_references[5]['description'] | Hudek, T. (2017, April 20). Catalog Files and Digital Signatures. Retrieved January 31, 2018. | Microsoft. (2012, July 2). Audit Registry. Retrieved January 31, 2018. |
external_references[5]['url'] | https://docs.microsoft.com/windows-hardware/drivers/install/catalog-files | https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd941614(v=ws.10) |
external_references[6]['source_name'] | GitHub SIP POC Sept 2017 | Microsoft Registry Auditing Aug 2016 |
external_references[6]['description'] | Graeber, M. (2017, September 14). PoCSubjectInterfacePackage. Retrieved January 31, 2018. | Microsoft. (2016, August 31). Registry (Global Object Access Auditing). Retrieved January 31, 2018. |
external_references[6]['url'] | https://github.com/mattifestation/PoCSubjectInterfacePackage | https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn311461(v=ws.11) |
external_references[7]['source_name'] | Entrust Enable CAPI2 Aug 2017 | Microsoft Authenticode |
external_references[7]['description'] | Entrust Datacard. (2017, August 16). How do I enable CAPI 2.0 logging in Windows Vista, Windows 7 and Windows 2008 Server?. Retrieved January 31, 2018. | Microsoft. (n.d.). Authenticode. Retrieved January 31, 2018. |
external_references[7]['url'] | http://www.entrust.net/knowledge-base/technote.cfm?tn=8165 | https://msdn.microsoft.com/library/ms537359.aspx |
external_references[8]['source_name'] | Microsoft Registry Auditing Aug 2016 | Microsoft WinVerifyTrust |
external_references[8]['description'] | Microsoft. (2016, August 31). Registry (Global Object Access Auditing). Retrieved January 31, 2018. | Microsoft. (n.d.). WinVerifyTrust function. Retrieved January 31, 2018. |
external_references[8]['url'] | https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn311461(v=ws.11) | https://msdn.microsoft.com/library/windows/desktop/aa388208.aspx |
external_references[9]['source_name'] | Microsoft Audit Registry July 2012 | EduardosBlog SIPs July 2008 |
external_references[9]['description'] | Microsoft. (2012, July 2). Audit Registry. Retrieved January 31, 2018. | Navarro, E. (2008, July 11). SIP’s (Subject Interface Package) and Authenticode. Retrieved January 31, 2018. |
external_references[9]['url'] | https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd941614(v=ws.10) | https://blogs.technet.microsoft.com/eduardonavarro/2008/07/11/sips-subject-interface-package-and-authenticode/ |
x_mitre_data_sources[0] | Module: Module Load | File: File Modification |
x_mitre_data_sources[2] | File: File Modification | Module: Module Load |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | Application Control |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | Application control |
Current version: 1.1
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | 2.1.0 | |
x_mitre_deprecated | False | |
external_references | @r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved April 9, 2018. | |
external_references | CAPEC-478 |
STIX Field | Old value | New Value |
---|---|---|
external_references | CAPEC-478 | |
external_references | Mark Russinovich. (2019, June 28). Autoruns for Windows v13.96. Retrieved March 13, 2020. |
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-14 23:52:52.058000+00:00 | 2022-05-05 04:53:45.640000+00:00 |
external_references[1]['source_name'] | capec | Tweet Registry Perms Weakness |
external_references[1]['url'] | https://capec.mitre.org/data/definitions/478.html | https://twitter.com/r0wdy_/status/936365549553991680 |
external_references[2]['source_name'] | Registry Key Security | insecure_reg_perms |
external_references[2]['description'] | Microsoft. (2018, May 31). Registry Key Security and Access Rights. Retrieved March 16, 2017. | Clément Labro. (2020, November 12). Windows RpcEptMapper Service Insecure Registry Permissions EoP. Retrieved August 25, 2021. |
external_references[2]['url'] | https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-key-security-and-access-rights?redirectedfrom=MSDN | https://itm4n.github.io/windows-registry-rpceptmapper-eop/ |
external_references[3]['source_name'] | malware_hides_service | Kansa Service related collectors |
external_references[3]['description'] | Lawrence Abrams. (2004, September 10). How Malware hides and is installed as a Service. Retrieved August 30, 2021. | Hull, D.. (2014, May 3). Kansa: Service related collectors and analysis. Retrieved October 10, 2019. |
external_references[3]['url'] | https://www.bleepingcomputer.com/tutorials/how-malware-hides-as-a-service/ | https://trustedsignal.blogspot.com/2014/05/kansa-service-related-collectors-and.html |
external_references[4]['source_name'] | Kansa Service related collectors | malware_hides_service |
external_references[4]['description'] | Hull, D.. (2014, May 3). Kansa: Service related collectors and analysis. Retrieved October 10, 2019. | Lawrence Abrams. (2004, September 10). How Malware hides and is installed as a Service. Retrieved August 30, 2021. |
external_references[4]['url'] | https://trustedsignal.blogspot.com/2014/05/kansa-service-related-collectors-and.html | https://www.bleepingcomputer.com/tutorials/how-malware-hides-as-a-service/ |
external_references[5]['source_name'] | Tweet Registry Perms Weakness | Autoruns for Windows |
external_references[5]['description'] | @r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved April 9, 2018. | Mark Russinovich. (2019, June 28). Autoruns for Windows v13.96. Retrieved March 13, 2020. |
external_references[5]['url'] | https://twitter.com/r0wdy_/status/936365549553991680 | https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns |
external_references[6]['source_name'] | microsoft_services_registry_tree | Registry Key Security |
external_references[6]['description'] | Microsoft. (2021, August 5). HKLM\SYSTEM\CurrentControlSet\Services Registry Tree. Retrieved August 25, 2021. | Microsoft. (2018, May 31). Registry Key Security and Access Rights. Retrieved March 16, 2017. |
external_references[6]['url'] | https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree | https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-key-security-and-access-rights?redirectedfrom=MSDN |
external_references[7]['source_name'] | insecure_reg_perms | microsoft_services_registry_tree |
external_references[7]['description'] | Clément Labro. (2020, November 12). Windows RpcEptMapper Service Insecure Registry Permissions EoP. Retrieved August 25, 2021. | Microsoft. (2021, August 5). HKLM\SYSTEM\CurrentControlSet\Services Registry Tree. Retrieved August 25, 2021. |
external_references[7]['url'] | https://itm4n.github.io/windows-registry-rpceptmapper-eop/ | https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree |
external_references[9]['source_name'] | Autoruns for Windows | capec |
external_references[9]['url'] | https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns | https://capec.mitre.org/data/definitions/478.html |
x_mitre_data_sources[0] | Windows Registry: Windows Registry Key Modification | Command: Command Execution |
x_mitre_data_sources[1] | Service: Service Modification | Process: Process Creation |
x_mitre_data_sources[2] | Process: Process Creation | Service: Service Modification |
x_mitre_data_sources[3] | Command: Command Execution | Windows Registry: Windows Registry Key Modification |
x_mitre_defense_bypassed[0] | Application control | Application Control |
Current version: 1.1
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | 2.1.0 | |
x_mitre_deprecated | False | |
x_mitre_is_subtechnique | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-03-24 14:12:38.264000+00:00 | 2022-05-05 05:04:52.387000+00:00 |
external_references[1]['source_name'] | SpectorOps Subverting Trust Sept 2017 | SpectorOps Code Signing Dec 2017 |
external_references[1]['description'] | Graeber, M. (2017, September). Subverting Trust in Windows. Retrieved January 31, 2018. | Graeber, M. (2017, December 22). Code Signing Certificate Cloning Attacks and Defenses. Retrieved April 3, 2018. |
external_references[1]['url'] | https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf | https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec |
external_references[2]['source_name'] | Securelist Digital Certificates | SpectorOps Subverting Trust Sept 2017 |
external_references[2]['description'] | Ladikov, A. (2015, January 29). Why You Shouldn’t Completely Trust Files Signed with Digital Certificates. Retrieved March 31, 2016. | Graeber, M. (2017, September). Subverting Trust in Windows. Retrieved January 31, 2018. |
external_references[2]['url'] | https://securelist.com/why-you-shouldnt-completely-trust-files-signed-with-digital-certificates/68593/ | https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf |
external_references[3]['source_name'] | Symantec Digital Certificates | Securelist Digital Certificates |
external_references[3]['description'] | Shinotsuka, H. (2013, February 22). How Attackers Steal Private Keys from Digital Certificates. Retrieved March 31, 2016. | Ladikov, A. (2015, January 29). Why You Shouldn’t Completely Trust Files Signed with Digital Certificates. Retrieved March 31, 2016. |
external_references[3]['url'] | http://www.symantec.com/connect/blogs/how-attackers-steal-private-keys-digital-certificates | https://securelist.com/why-you-shouldnt-completely-trust-files-signed-with-digital-certificates/68593/ |
external_references[4]['source_name'] | SpectorOps Code Signing Dec 2017 | Symantec Digital Certificates |
external_references[4]['description'] | Graeber, M. (2017, December 22). Code Signing Certificate Cloning Attacks and Defenses. Retrieved April 3, 2018. | Shinotsuka, H. (2013, February 22). How Attackers Steal Private Keys from Digital Certificates. Retrieved March 31, 2016. |
external_references[4]['url'] | https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec | http://www.symantec.com/connect/blogs/how-attackers-steal-private-keys-digital-certificates |
x_mitre_data_sources[0] | File: File Modification | File: File Metadata |
x_mitre_data_sources[1] | Windows Registry: Windows Registry Key Creation | Process: Process Creation |
x_mitre_data_sources[2] | Command: Command Execution | Module: Module Load |
x_mitre_data_sources[4] | Module: Module Load | Command: Command Execution |
x_mitre_data_sources[5] | Process: Process Creation | Windows Registry: Windows Registry Key Creation |
x_mitre_data_sources[6] | File: File Metadata | File: File Modification |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | Application Control |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | Application control | |
x_mitre_defense_bypassed | Process whitelisting |
Current version: 1.2
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | 2.1.0 | |
x_mitre_deprecated | False | |
x_mitre_is_subtechnique | False |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User'] |
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-15 23:57:08.312000+00:00 | 2022-05-05 05:00:37.443000+00:00 |
external_references[1]['source_name'] | engima0x3 DNX Bypass | Exploit Monday WinDbg |
external_references[1]['description'] | Nelson, M. (2017, November 17). Bypassing Application Whitelisting By Using dnx.exe. Retrieved May 25, 2017. | Graeber, M. (2016, August 15). Bypassing Application Whitelisting by using WinDbg/CDB as a Shellcode Runner. Retrieved May 26, 2017. |
external_references[1]['url'] | https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/ | http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html |
external_references[2]['source_name'] | engima0x3 RCSI Bypass | LOLBAS Tracker |
external_references[2]['description'] | Nelson, M. (2016, November 21). Bypassing Application Whitelisting By Using rcsi.exe. Retrieved May 26, 2017. | LOLBAS. (n.d.). Tracker.exe. Retrieved July 31, 2019. |
external_references[2]['url'] | https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/ | https://lolbas-project.github.io/lolbas/OtherMSBinaries/Tracker/ |
external_references[3]['source_name'] | Exploit Monday WinDbg | engima0x3 RCSI Bypass |
external_references[3]['description'] | Graeber, M. (2016, August 15). Bypassing Application Whitelisting by using WinDbg/CDB as a Shellcode Runner. Retrieved May 26, 2017. | Nelson, M. (2016, November 21). Bypassing Application Whitelisting By Using rcsi.exe. Retrieved May 26, 2017. |
external_references[3]['url'] | http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html | https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/ |
external_references[4]['source_name'] | LOLBAS Tracker | engima0x3 DNX Bypass |
external_references[4]['description'] | LOLBAS. (n.d.). Tracker.exe. Retrieved July 31, 2019. | Nelson, M. (2017, November 17). Bypassing Application Whitelisting By Using dnx.exe. Retrieved May 25, 2017. |
external_references[4]['url'] | https://lolbas-project.github.io/lolbas/OtherMSBinaries/Tracker/ | https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/ |
x_mitre_data_sources[0] | Process: Process Creation | Command: Command Execution |
x_mitre_data_sources[1] | Command: Command Execution | Process: Process Creation |
x_mitre_defense_bypassed[0] | Application control | Application Control |
Current version: 2.4
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | 2.1.0 | |
x_mitre_deprecated | False | |
x_mitre_is_subtechnique | False | |
external_references | Cybersecurity and Infrastructure Security Agency. (2022, March 15). Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability. Retrieved March 16, 2022. | |
external_references | CAPEC-560 |
STIX Field | Old value | New Value |
---|---|---|
external_references | CAPEC-560 | |
external_references | Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved June 3, 2016. |
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-01 15:20:44.039000+00:00 | 2022-05-05 04:55:21.981000+00:00 |
external_references[1]['source_name'] | capec | CISA MFA PrintNightmare |
external_references[1]['url'] | https://capec.mitre.org/data/definitions/560.html | https://www.cisa.gov/uscert/ncas/alerts/aa22-074a |
external_references[2]['source_name'] | CISA MFA PrintNightmare | TechNet Credential Theft |
external_references[2]['description'] | Cybersecurity and Infrastructure Security Agency. (2022, March 15). Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability. Retrieved March 16, 2022. | Microsoft. (2016, April 15). Attractive Accounts for Credential Theft. Retrieved June 3, 2016. |
external_references[2]['url'] | https://www.cisa.gov/uscert/ncas/alerts/aa22-074a | https://technet.microsoft.com/en-us/library/dn535501.aspx |
external_references[3]['source_name'] | TechNet Credential Theft | TechNet Audit Policy |
external_references[3]['description'] | Microsoft. (2016, April 15). Attractive Accounts for Credential Theft. Retrieved June 3, 2016. | Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved June 3, 2016. |
external_references[3]['url'] | https://technet.microsoft.com/en-us/library/dn535501.aspx | https://technet.microsoft.com/en-us/library/dn487457.aspx |
external_references[4]['source_name'] | TechNet Audit Policy | capec |
external_references[4]['url'] | https://technet.microsoft.com/en-us/library/dn487457.aspx | https://capec.mitre.org/data/definitions/560.html |
x_mitre_data_sources[0] | Logon Session: Logon Session Metadata | Logon Session: Logon Session Creation |
x_mitre_data_sources[2] | Logon Session: Logon Session Creation | Logon Session: Logon Session Metadata |
x_mitre_defense_bypassed[1] | Host intrusion prevention systems | Anti-virus |
x_mitre_defense_bypassed[2] | Network intrusion detection system | Host Intrusion Prevention Systems |
x_mitre_defense_bypassed[3] | Application control | Network Intrusion Detection System |
x_mitre_defense_bypassed[4] | System access controls | Application Control |
x_mitre_defense_bypassed[5] | Anti-virus | System Access Controls |
Current version: 1.2
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | 2.1.0 | |
x_mitre_deprecated | False | |
x_mitre_is_subtechnique | False |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User'] |
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-02-09 15:07:00.842000+00:00 | 2022-05-05 05:04:14.238000+00:00 |
external_references[1]['source_name'] | Microsoft XSLT Script Mar 2017 | Reaqta MSXSL Spearphishing MAR 2018 |
external_references[1]['description'] | Wenzel, M. et al. (2017, March 30). XSLT Stylesheet Scripting Using | Admin. (2018, March 2). Spear-phishing campaign leveraging on MSXSL. Retrieved July 3, 2018. |
external_references[1]['url'] | https://docs.microsoft.com/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script | https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/ |
external_references[2]['source_name'] | Microsoft msxsl.exe | Twitter SquiblyTwo Detection APR 2018 |
external_references[2]['description'] | Microsoft. (n.d.). Command Line Transformation Utility (msxsl.exe). Retrieved July 3, 2018. | Desimone, J. (2018, April 18). Status Update. Retrieved July 3, 2018. |
external_references[2]['url'] | https://www.microsoft.com/download/details.aspx?id=21714 | https://twitter.com/dez_/status/986614411711442944 |
external_references[3]['source_name'] | Penetration Testing Lab MSXSL July 2017 | LOLBAS Wmic |
external_references[3]['description'] | netbiosX. (2017, July 6). AppLocker Bypass – MSXSL. Retrieved July 3, 2018. | LOLBAS. (n.d.). Wmic.exe. Retrieved July 31, 2019. |
external_references[3]['url'] | https://pentestlab.blog/2017/07/06/applocker-bypass-msxsl/ | https://lolbas-project.github.io/lolbas/Binaries/Wmic/ |
external_references[4]['source_name'] | Reaqta MSXSL Spearphishing MAR 2018 | Microsoft msxsl.exe |
external_references[4]['description'] | Admin. (2018, March 2). Spear-phishing campaign leveraging on MSXSL. Retrieved July 3, 2018. | Microsoft. (n.d.). Command Line Transformation Utility (msxsl.exe). Retrieved July 3, 2018. |
external_references[4]['url'] | https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/ | https://www.microsoft.com/download/details.aspx?id=21714 |
external_references[5]['source_name'] | XSL Bypass Mar 2019 | Penetration Testing Lab MSXSL July 2017 |
external_references[5]['description'] | Singh, A. (2019, March 14). MSXSL.EXE and WMIC.EXE — A Way to Proxy Code Execution. Retrieved August 2, 2019. | netbiosX. (2017, July 6). AppLocker Bypass – MSXSL. Retrieved July 3, 2018. |
external_references[5]['url'] | https://medium.com/@threathuntingteam/msxsl-exe-and-wmic-exe-a-way-to-proxy-code-execution-8d524f642b75 | https://pentestlab.blog/2017/07/06/applocker-bypass-msxsl/ |
external_references[6]['source_name'] | LOLBAS Wmic | XSL Bypass Mar 2019 |
external_references[6]['description'] | LOLBAS. (n.d.). Wmic.exe. Retrieved July 31, 2019. | Singh, A. (2019, March 14). MSXSL.EXE and WMIC.EXE — A Way to Proxy Code Execution. Retrieved August 2, 2019. |
external_references[6]['url'] | https://lolbas-project.github.io/lolbas/Binaries/Wmic/ | https://medium.com/@threathuntingteam/msxsl-exe-and-wmic-exe-a-way-to-proxy-code-execution-8d524f642b75 |
external_references[7]['source_name'] | Twitter SquiblyTwo Detection APR 2018 | Microsoft XSLT Script Mar 2017 |
external_references[7]['description'] | Desimone, J. (2018, April 18). Status Update. Retrieved July 3, 2018. | Wenzel, M. et al. (2017, March 30). XSLT Stylesheet Scripting Using |
external_references[7]['url'] | https://twitter.com/dez_/status/986614411711442944 | https://docs.microsoft.com/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script |
x_mitre_data_sources[0] | Module: Module Load | Process: Process Creation |
x_mitre_data_sources[1] | Process: Process Creation | Module: Module Load |
x_mitre_defense_bypassed[1] | Application control | Digital Certificate Validation |
x_mitre_defense_bypassed[2] | Digital Certificate Validation | Application Control |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.828000+00:00 | 2022-05-06 17:47:23.886000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0800 | https://attack.mitre.org/techniques/T0800 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.830000+00:00 | 2022-05-06 17:47:23.889000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0878 | https://attack.mitre.org/techniques/T0878 |
x_mitre_platforms[2] | Device Configuration/Parameters | Device Configuration/Parameters |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.830000+00:00 | 2022-05-06 17:47:23.889000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0802 | https://attack.mitre.org/techniques/T0802 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.832000+00:00 | 2022-05-06 17:47:23.891000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0803 | https://attack.mitre.org/techniques/T0803 |
x_mitre_platforms[1] | Device Configuration/Parameters | Device Configuration/Parameters |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.834000+00:00 | 2022-05-06 17:47:23.892000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0804 | https://attack.mitre.org/techniques/T0804 |
Current version: 1.0
New Detections:
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.834000+00:00 | 2022-05-06 17:47:23.892000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0805 | https://attack.mitre.org/techniques/T0805 |
x_mitre_data_sources[0] | Network Traffic: Network Traffic Flow [https://github.com/mitre-attack/attack-datasources/blob/main/contribution-ics/network_traffic.yml Network Traffic: Network Connection Creation | Network Traffic: Network Traffic Flow |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_data_sources | Network Traffic: Network Connection Creation |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.834000+00:00 | 2022-05-06 17:47:23.893000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0806 | https://attack.mitre.org/techniques/T0806 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.838000+00:00 | 2022-05-06 17:47:23.897000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0858 | https://attack.mitre.org/techniques/T0858 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.839000+00:00 | 2022-05-06 17:47:23.898000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0807 | https://attack.mitre.org/techniques/T0807 |
x_mitre_platforms[1] | Data Historian | Data Historian |
x_mitre_platforms[2] | Field Controller/RTU/PLC/IED | Field Controller/RTU/PLC/IED |
x_mitre_platforms[3] | Human-Machine Interface | Human-Machine Interface |
x_mitre_platforms[4] | Input/Output Server | Input/Output Server |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.840000+00:00 | 2022-05-06 17:47:23.898000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0885 | https://attack.mitre.org/techniques/T0885 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.841000+00:00 | 2022-05-06 17:47:23.900000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0884 | https://attack.mitre.org/techniques/T0884 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.844000+00:00 | 2022-05-06 17:47:23.903000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0879 | https://attack.mitre.org/techniques/T0879 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.845000+00:00 | 2022-05-06 17:47:23.904000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0809 | https://attack.mitre.org/techniques/T0809 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.846000+00:00 | 2022-05-06 17:47:23.905000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0811 | https://attack.mitre.org/techniques/T0811 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.847000+00:00 | 2022-05-06 17:47:23.906000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0812 | https://attack.mitre.org/techniques/T0812 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.849000+00:00 | 2022-05-06 17:47:23.908000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T813 | https://attack.mitre.org/techniques/T0813 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.851000+00:00 | 2022-05-06 17:47:23.911000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0814 | https://attack.mitre.org/techniques/T0814 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.853000+00:00 | 2022-05-06 17:47:23.912000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0815 | https://attack.mitre.org/techniques/T0815 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.856000+00:00 | 2022-05-06 17:47:23.916000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0868 | https://attack.mitre.org/techniques/T0868 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.856000+00:00 | 2022-05-06 17:47:23.917000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0816 | https://attack.mitre.org/techniques/T0816 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.858000+00:00 | 2022-05-06 17:47:23.918000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0817 | https://attack.mitre.org/techniques/T0817 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.858000+00:00 | 2022-05-06 17:47:23.918000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0871 | https://attack.mitre.org/techniques/T0871 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.858000+00:00 | 2022-05-06 17:47:23.919000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0819 | https://attack.mitre.org/techniques/T0819 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.859000+00:00 | 2022-05-06 17:47:23.919000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0820 | https://attack.mitre.org/techniques/T0820 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.860000+00:00 | 2022-05-06 17:47:23.920000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0890 | https://attack.mitre.org/techniques/T0890 |
x_mitre_platforms[1] | Safety Instrumented System/Protection Relay | Safety Instrumented System/Protection Relay |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.861000+00:00 | 2022-05-06 17:47:23.922000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0866 | https://attack.mitre.org/techniques/T0866 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.863000+00:00 | 2022-05-06 17:47:23.923000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0822 | https://attack.mitre.org/techniques/T0822 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.864000+00:00 | 2022-05-06 17:47:23.924000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0823 | https://attack.mitre.org/techniques/T0823 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.865000+00:00 | 2022-05-06 17:47:23.926000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0874 | https://attack.mitre.org/techniques/T0874 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.866000+00:00 | 2022-05-06 17:47:23.927000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0877 | https://attack.mitre.org/techniques/T0877 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.866000+00:00 | 2022-05-06 17:47:23.927000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0872 | https://attack.mitre.org/techniques/T0872 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.869000+00:00 | 2022-05-06 17:47:23.930000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0883 | https://attack.mitre.org/techniques/T0883 |
x_mitre_platforms[1] | Data Historian | Data Historian |
x_mitre_platforms[2] | Field Controller/RTU/PLC/IED | Field Controller/RTU/PLC/IED |
x_mitre_platforms[3] | Human-Machine Interface | Human-Machine Interface |
x_mitre_platforms[4] | Input/Output Server | Input/Output Server |
x_mitre_platforms[5] | Safety Instrumented System/Protection Relay | Safety Instrumented System/Protection Relay |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.870000+00:00 | 2022-05-06 17:47:23.932000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0867 | https://attack.mitre.org/techniques/T0867 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.872000+00:00 | 2022-05-06 17:47:23.934000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0826 | https://attack.mitre.org/techniques/T0826 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.874000+00:00 | 2022-05-06 17:47:23.936000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0827 | https://attack.mitre.org/techniques/T0827 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.876000+00:00 | 2022-05-06 17:47:23.938000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0828 | https://attack.mitre.org/techniques/T0828 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.877000+00:00 | 2022-05-06 17:47:23.938000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0837 | https://attack.mitre.org/techniques/T0837 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.877000+00:00 | 2022-05-06 17:47:23.939000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0880 | https://attack.mitre.org/techniques/T0880 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.879000+00:00 | 2022-05-06 17:47:23.940000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0829 | https://attack.mitre.org/techniques/T0829 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.880000+00:00 | 2022-05-06 17:47:23.942000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0830 | https://attack.mitre.org/techniques/T0830 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.881000+00:00 | 2022-05-06 17:47:23.943000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T835 | https://attack.mitre.org/techniques/T0835 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.883000+00:00 | 2022-05-06 17:47:23.945000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0831 | https://attack.mitre.org/techniques/T0831 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.885000+00:00 | 2022-05-06 17:47:23.947000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0832 | https://attack.mitre.org/techniques/T0832 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.885000+00:00 | 2022-05-06 17:47:23.947000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0849 | https://attack.mitre.org/techniques/T0849 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.886000+00:00 | 2022-05-06 17:47:23.949000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0838 | https://attack.mitre.org/techniques/T0838 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.887000+00:00 | 2022-05-06 17:47:23.950000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0821 | https://attack.mitre.org/techniques/T0821 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.888000+00:00 | 2022-05-06 17:47:23.952000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0836 | https://attack.mitre.org/techniques/T0836 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.889000+00:00 | 2022-05-06 17:47:23.953000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0889 | https://attack.mitre.org/techniques/T0889 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.890000+00:00 | 2022-05-06 17:47:23.954000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0839 | https://attack.mitre.org/techniques/T0839 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.890000+00:00 | 2022-05-06 17:47:23.955000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0801 | https://attack.mitre.org/techniques/T0801 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.891000+00:00 | 2022-05-06 17:47:23.956000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0834 | https://attack.mitre.org/techniques/T0834 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.892000+00:00 | 2022-05-06 17:47:23.957000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0840 | https://attack.mitre.org/techniques/T0840 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.893000+00:00 | 2022-05-06 17:47:23.958000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0842 | https://attack.mitre.org/techniques/T0842 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.894000+00:00 | 2022-05-06 17:47:23.960000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0861 | https://attack.mitre.org/techniques/T0861 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.894000+00:00 | 2022-05-06 17:47:23.960000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0843 | https://attack.mitre.org/techniques/T0843 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.894000+00:00 | 2022-05-06 17:47:23.960000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0845 | https://attack.mitre.org/techniques/T0845 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.896000+00:00 | 2022-05-06 17:47:23.963000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0873 | https://attack.mitre.org/techniques/T0873 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.899000+00:00 | 2022-05-06 17:47:23.967000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0886 | https://attack.mitre.org/techniques/T0886 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.900000+00:00 | 2022-05-06 17:47:23.968000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0846 | https://attack.mitre.org/techniques/T0846 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.900000+00:00 | 2022-05-06 17:47:23.968000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0888 | https://attack.mitre.org/techniques/T0888 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.904000+00:00 | 2022-05-06 17:47:23.973000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0847 | https://attack.mitre.org/techniques/T0847 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.906000+00:00 | 2022-05-06 17:47:23.975000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0848 | https://attack.mitre.org/techniques/T0848 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.907000+00:00 | 2022-05-06 17:47:23.976000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0851 | https://attack.mitre.org/techniques/T0851 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.908000+00:00 | 2022-05-06 17:47:23.976000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0852 | https://attack.mitre.org/techniques/T0852 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.908000+00:00 | 2022-05-06 17:47:23.977000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0853 | https://attack.mitre.org/techniques/T0853 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.909000+00:00 | 2022-05-06 17:47:23.978000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0881 | https://attack.mitre.org/techniques/T0881 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.911000+00:00 | 2022-05-06 17:47:23.980000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0865 | https://attack.mitre.org/techniques/T0865 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.912000+00:00 | 2022-05-06 17:47:23.981000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0856 | https://attack.mitre.org/techniques/T0856 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.912000+00:00 | 2022-05-06 17:47:23.981000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0869 | https://attack.mitre.org/techniques/T0869 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.914000+00:00 | 2022-05-06 17:47:23.983000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0862 | https://attack.mitre.org/techniques/T0862 |
x_mitre_platforms[1] | Data Historian | Data Historian |
x_mitre_platforms[2] | Field Controller/RTU/PLC/IED | Field Controller/RTU/PLC/IED |
x_mitre_platforms[3] | Human-Machine Interface | Human-Machine Interface |
x_mitre_platforms[4] | Input/Output Server | Input/Output Server |
x_mitre_platforms[5] | Safety Instrumented System/Protection Relay | Safety Instrumented System/Protection Relay |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.915000+00:00 | 2022-05-06 17:47:23.984000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0857 | https://attack.mitre.org/techniques/T0857 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.916000+00:00 | 2022-05-06 17:47:23.985000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0882 | https://attack.mitre.org/techniques/T0882 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.920000+00:00 | 2022-05-06 17:47:23.989000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0864 | https://attack.mitre.org/techniques/T0864 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.918000+00:00 | 2022-05-06 17:47:23.987000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0855 | https://attack.mitre.org/techniques/T0855 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.921000+00:00 | 2022-05-06 17:47:23.991000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0863 | https://attack.mitre.org/techniques/T0863 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.922000+00:00 | 2022-05-06 17:47:23.992000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0859 | https://attack.mitre.org/techniques/T0859 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.925000+00:00 | 2022-05-06 17:47:23.995000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0860 | https://attack.mitre.org/techniques/T0860 |
x_mitre_platforms[1] | Field Controller/RTU/PLC/IED | Field Controller/RTU/PLC/IED |
x_mitre_platforms[2] | Input/Output Server | Input/Output Server |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.927000+00:00 | 2022-05-06 17:47:23.997000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Technique/T0887 | https://attack.mitre.org/techniques/T0887 |
Current version: 1.0
Old Description | New Description |
---|---|
[Chrommme](https://attack.mitre.org/software/S0667) is a backdoor tool, written using the Microsoft Foundation Class (MFC) framework, that has infrastructure overlaps with [Gelsemium](https://attack.mitre.org/software/S0666).(Citation: ESET Gelsemium June 2021) | [Chrommme](https://attack.mitre.org/software/S0667) is a backdoor tool written using the Microsoft Foundation Class (MFC) framework that was first reported in June 2021; security researchers noted infrastructure overlaps with [Gelsemium](https://attack.mitre.org/software/S0666) malware.(Citation: ESET Gelsemium June 2021) |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | False | |
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-12-01 18:55:30.931000+00:00 | 2022-05-04 22:38:46.222000+00:00 |
description | [Chrommme](https://attack.mitre.org/software/S0667) is a backdoor tool, written using the Microsoft Foundation Class (MFC) framework, that has infrastructure overlaps with [Gelsemium](https://attack.mitre.org/software/S0666).(Citation: ESET Gelsemium June 2021) | [Chrommme](https://attack.mitre.org/software/S0667) is a backdoor tool written using the Microsoft Foundation Class (MFC) framework that was first reported in June 2021; security researchers noted infrastructure overlaps with [Gelsemium](https://attack.mitre.org/software/S0666) malware.(Citation: ESET Gelsemium June 2021) |
Current version: 1.0
Old Description | New Description |
---|---|
[Gelsemium](https://attack.mitre.org/software/S0666) is a modular malware comprised of dropper (Gelsemine), loader (Gelsenicine), and main (Gelsevirine) plug ins that has been used by the [Gelsemium](https://attack.mitre.org/groups/G0141) group since at least 2014.(Citation: ESET Gelsemium June 2021) | [Gelsemium](https://attack.mitre.org/software/S0666) is a modular malware comprised of a dropper (Gelsemine), a loader (Gelsenicine), and main (Gelsevirine) plug-ins written using the Microsoft Foundation Class (MFC) framework. [Gelsemium](https://attack.mitre.org/software/S0666) has been used by the Gelsemium group since at least 2014.(Citation: ESET Gelsemium June 2021) |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | False | |
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-12-01 18:28:21.437000+00:00 | 2022-05-06 19:37:01.617000+00:00 |
description | [Gelsemium](https://attack.mitre.org/software/S0666) is a modular malware comprised of dropper (Gelsemine), loader (Gelsenicine), and main (Gelsevirine) plug ins that has been used by the [Gelsemium](https://attack.mitre.org/groups/G0141) group since at least 2014.(Citation: ESET Gelsemium June 2021) | [Gelsemium](https://attack.mitre.org/software/S0666) is a modular malware comprised of a dropper (Gelsemine), a loader (Gelsenicine), and main (Gelsevirine) plug-ins written using the Microsoft Foundation Class (MFC) framework. [Gelsemium](https://attack.mitre.org/software/S0666) has been used by the Gelsemium group since at least 2014.(Citation: ESET Gelsemium June 2021) |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.937000+00:00 | 2022-05-06 17:47:24.008000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Software/S0018 | https://attack.mitre.org/software/S0018 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.944000+00:00 | 2022-05-06 17:47:24.022000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Software/S0009 | https://attack.mitre.org/software/S0009 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.950000+00:00 | 2022-05-06 17:47:24.030000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Software/S0013 | https://attack.mitre.org/software/S0013 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.951000+00:00 | 2022-05-06 17:47:24.032000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Software/S0002 | https://attack.mitre.org/software/S0002 |
Current version: 3.1
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | 2.1.0 | |
x_mitre_deprecated | False | |
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-03-23 18:54:26.218000+00:00 | 2022-04-25 12:25:09.059000+00:00 |
external_references[1]['source_name'] | Kimsuky | Thallium |
external_references[1]['description'] | (Citation: Securelist Kimsuky Sept 2013)(Citation: Malwarebytes Kimsuky June 2021) | (Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021) |
external_references[2]['source_name'] | STOLEN PENCIL | Black Banshee |
external_references[2]['description'] | (Citation: Netscout Stolen Pencil Dec 2018) | (Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021) |
external_references[3]['source_name'] | Thallium | STOLEN PENCIL |
external_references[3]['description'] | (Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021) | (Citation: Netscout Stolen Pencil Dec 2018) |
external_references[4]['source_name'] | Black Banshee | Kimsuky |
external_references[4]['description'] | (Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021) | (Citation: Securelist Kimsuky Sept 2013)(Citation: Malwarebytes Kimsuky June 2021) |
external_references[6]['source_name'] | EST Kimsuky April 2019 | AhnLab Kimsuky Kabar Cobra Feb 2019 |
external_references[6]['description'] | Alyac. (2019, April 3). Kimsuky Organization Steals Operation Stealth Power. Retrieved August 13, 2019. | AhnLab. (2019, February 28). Operation Kabar Cobra - Tenacious cyber-espionage campaign by Kimsuky Group. Retrieved September 29, 2021. |
external_references[6]['url'] | https://blog.alyac.co.kr/2234 | https://global.ahnlab.com/global/upload/download/techreport/[Analysis_Report]Operation%20Kabar%20Cobra.pdf |
external_references[7]['source_name'] | BRI Kimsuky April 2019 | EST Kimsuky April 2019 |
external_references[7]['description'] | BRI. (2019, April). Kimsuky unveils APT campaign 'Smoke Screen' aimed at Korea and America. Retrieved October 7, 2019. | Alyac. (2019, April 3). Kimsuky Organization Steals Operation Stealth Power. Retrieved August 13, 2019. |
external_references[7]['url'] | https://brica.de/alerts/alert/public/1255063/kimsuky-unveils-apt-campaign-smoke-screen-aimed-at-korea-and-america/ | https://blog.alyac.co.kr/2234 |
external_references[8]['source_name'] | Cybereason Kimsuky November 2020 | Netscout Stolen Pencil Dec 2018 |
external_references[8]['description'] | Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020. | ASERT team. (2018, December 5). STOLEN PENCIL Campaign Targets Academia. Retrieved February 5, 2019. |
external_references[8]['url'] | https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite | https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/ |
external_references[9]['source_name'] | Malwarebytes Kimsuky June 2021 | BRI Kimsuky April 2019 |
external_references[9]['description'] | Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021. | BRI. (2019, April). Kimsuky unveils APT campaign 'Smoke Screen' aimed at Korea and America. Retrieved October 7, 2019. |
external_references[9]['url'] | https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/ | https://brica.de/alerts/alert/public/1255063/kimsuky-unveils-apt-campaign-smoke-screen-aimed-at-korea-and-america/ |
external_references[10]['source_name'] | CISA AA20-301A Kimsuky | Zdnet Kimsuky Dec 2018 |
external_references[10]['description'] | CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020. | Cimpanu, C.. (2018, December 5). Cyber-espionage group uses Chrome extension to infect victims. Retrieved August 26, 2019. |
external_references[10]['url'] | https://us-cert.cisa.gov/ncas/alerts/aa20-301a | https://www.zdnet.com/article/cyber-espionage-group-uses-chrome-extension-to-infect-victims/ |
external_references[11]['source_name'] | Netscout Stolen Pencil Dec 2018 | CISA AA20-301A Kimsuky |
external_references[11]['description'] | ASERT team. (2018, December 5). STOLEN PENCIL Campaign Targets Academia. Retrieved February 5, 2019. | CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020. |
external_references[11]['url'] | https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/ | https://us-cert.cisa.gov/ncas/alerts/aa20-301a |
external_references[12]['source_name'] | EST Kimsuky SmokeScreen April 2019 | Cybereason Kimsuky November 2020 |
external_references[12]['description'] | ESTSecurity. (2019, April 17). Analysis of the APT Campaign ‘Smoke Screen’ targeting to Korea and US 출처: https://blog.alyac.co.kr/2243 [이스트시큐리티 알약 블로그]. Retrieved September 29, 2021. | Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020. |
external_references[12]['url'] | https://blog.alyac.co.kr/attachment/cfile5.uf@99A0CD415CB67E210DCEB3.pdf | https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite |
external_references[13]['source_name'] | AhnLab Kimsuky Kabar Cobra Feb 2019 | EST Kimsuky SmokeScreen April 2019 |
external_references[13]['description'] | AhnLab. (2019, February 28). Operation Kabar Cobra - Tenacious cyber-espionage campaign by Kimsuky Group. Retrieved September 29, 2021. | ESTSecurity. (2019, April 17). Analysis of the APT Campaign ‘Smoke Screen’ targeting to Korea and US 출처: https://blog.alyac.co.kr/2243 [이스트시큐리티 알약 블로그]. Retrieved September 29, 2021. |
external_references[13]['url'] | https://global.ahnlab.com/global/upload/download/techreport/[Analysis_Report]Operation%20Kabar%20Cobra.pdf | https://blog.alyac.co.kr/attachment/cfile5.uf@99A0CD415CB67E210DCEB3.pdf |
external_references[14]['source_name'] | Securelist Kimsuky Sept 2013 | Malwarebytes Kimsuky June 2021 |
external_references[14]['description'] | Tarakanov , D.. (2013, September 11). The “Kimsuky” Operation: A North Korean APT?. Retrieved August 13, 2019. | Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021. |
external_references[14]['url'] | https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/ | https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/ |
external_references[15]['source_name'] | Zdnet Kimsuky Dec 2018 | Securelist Kimsuky Sept 2013 |
external_references[15]['description'] | Cimpanu, C.. (2018, December 5). Cyber-espionage group uses Chrome extension to infect victims. Retrieved August 26, 2019. | Tarakanov , D.. (2013, September 11). The “Kimsuky” Operation: A North Korean APT?. Retrieved August 13, 2019. |
external_references[15]['url'] | https://www.zdnet.com/article/cyber-espionage-group-uses-chrome-extension-to-infect-victims/ | https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/ |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_contributors | Dongwook Kim, KISA | |
Current version: 1.0
Description: [Gelsemium](https://attack.mitre.org/groups/G0141) is a cyberespionage group that has been active since at least 2014, targeting governmental institutions, electronics manufacturers, universities, and religious organizations in East Asia and the Middle East.(Citation: ESET Gelsemium June 2021)
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | 2.1.0 | |
x_mitre_deprecated | True | |
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-12-02 14:15:49.640000+00:00 | 2022-05-04 22:15:12.759000+00:00 |
description | [Gelsemium](https://attack.mitre.org/groups/G0141) is a cyberespionage group that has been active since at least 2014, targeting governmental institutions, electronics manufacturers, universities, and religious organizations in Eastern Asia and the Middle East.(Citation: ESET Gelsemium June 2021) | [Gelsemium](https://attack.mitre.org/groups/G0141) is a cyberespionage group that has been active since at least 2014, targeting governmental institutions, electronics manufacturers, universities, and religious organizations in East Asia and the Middle East.(Citation: ESET Gelsemium June 2021) |
Current version: 1.0
Old Description | New Description |
---|---|
[ALLANITE](https://attack.mitre.org/groups/G0009) is a suspected Russian cyber espionage group, that has primarily targeted the electric utility sector within the United States and United Kingdom. The group's tactics and techniques are reportedly similar to [Dragonfly](https://attack.mitre.org/groups/G0002) / [Dragonfly 2.0](https://attack.mitre.org/groups/G0006), although [ALLANITE](https://attack.mitre.org/groups/G0009)s technical capabilities have not exhibited disruptive or destructive abilities. It has been suggested that the group maintains a presence in ICS for the purpose of gaining understanding of processes and to maintain persistence. (Citation: Dragos) | [ALLANITE](https://attack.mitre.org/groups/G1000) is a suspected Russian cyber espionage group, that has primarily targeted the electric utility sector within the United States and United Kingdom. The group's tactics and techniques are reportedly similar to [Dragonfly](https://attack.mitre.org/groups/G0002) / [Dragonfly 2.0](https://attack.mitre.org/groups/G0035), although [ALLANITE](https://attack.mitre.org/groups/G1000)s technical capabilities have not exhibited disruptive or destructive abilities. It has been suggested that the group maintains a presence in ICS for the purpose of gaining understanding of processes and to maintain persistence. (Citation: Dragos) |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_domains | ['ics-attack'] | |
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.928000+00:00 | 2022-05-06 17:47:23.998000+00:00 |
description | [ALLANITE](https://attack.mitre.org/groups/G0009) is a suspected Russian cyber espionage group, that has primarily targeted the electric utility sector within the United States and United Kingdom. The group's tactics and techniques are reportedly similar to [Dragonfly](https://attack.mitre.org/groups/G0002) / [Dragonfly 2.0](https://attack.mitre.org/groups/G0006), although [ALLANITE](https://attack.mitre.org/groups/G0009)s technical capabilities have not exhibited disruptive or destructive abilities. It has been suggested that the group maintains a presence in ICS for the purpose of gaining understanding of processes and to maintain persistence. (Citation: Dragos) | [ALLANITE](https://attack.mitre.org/groups/G1000) is a suspected Russian cyber espionage group, that has primarily targeted the electric utility sector within the United States and United Kingdom. The group's tactics and techniques are reportedly similar to [Dragonfly](https://attack.mitre.org/groups/G0002) / [Dragonfly 2.0](https://attack.mitre.org/groups/G0035), although [ALLANITE](https://attack.mitre.org/groups/G1000)s technical capabilities have not exhibited disruptive or destructive abilities. It has been suggested that the group maintains a presence in ICS for the purpose of gaining understanding of processes and to maintain persistence. (Citation: Dragos) |
external_references[0]['url'] | https://attack.mitre.org/Group/G0009 | https://attack.mitre.org/groups/G1000 |
Current version: 1.0
Old Description | New Description |
---|---|
[HEXANE](https://attack.mitre.org/groups/G0005) is a threat group that has targeted ICS organization within the oil & gas, and telecommunications sectors. Many of the targeted organizations have been located in the Middle East including Kuwait. [HEXANE](https://attack.mitre.org/groups/G0005)'s targeting of telecommunications has been speculated to be part of an effort to establish man-in-the-middle capabilities throughout the region. [HEXANE](https://attack.mitre.org/groups/G0005)'s TTPs appear similar to [APT33](https://attack.mitre.org/groups/G0003) and [OilRig](https://attack.mitre.org/groups/G0010) but due to differences in victims and tools it is tracked as a separate entity. (Citation: Dragos) | [HEXANE](https://attack.mitre.org/groups/G1001) is a threat group that has targeted ICS organization within the oil & gas, and telecommunications sectors. Many of the targeted organizations have been located in the Middle East including Kuwait. [HEXANE](https://attack.mitre.org/groups/G1001)'s targeting of telecommunications has been speculated to be part of an effort to establish man-in-the-middle capabilities throughout the region. [HEXANE](https://attack.mitre.org/groups/G1001)'s TTPs appear similar to [APT33](https://attack.mitre.org/groups/G0003) and [OilRig](https://attack.mitre.org/groups/G0010) but due to differences in victims and tools it is tracked as a separate entity. (Citation: Dragos) |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_domains | ['ics-attack'] |
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.931000+00:00 | 2022-05-06 17:47:24.002000+00:00 |
description | [HEXANE](https://attack.mitre.org/groups/G0005) is a threat group that has targeted ICS organization within the oil & gas, and telecommunications sectors. Many of the targeted organizations have been located in the Middle East including Kuwait. [HEXANE](https://attack.mitre.org/groups/G0005)'s targeting of telecommunications has been speculated to be part of an effort to establish man-in-the-middle capabilities throughout the region. [HEXANE](https://attack.mitre.org/groups/G0005)'s TTPs appear similar to [APT33](https://attack.mitre.org/groups/G0003) and [OilRig](https://attack.mitre.org/groups/G0010) but due to differences in victims and tools it is tracked as a separate entity. (Citation: Dragos) | [HEXANE](https://attack.mitre.org/groups/G1001) is a threat group that has targeted ICS organization within the oil & gas, and telecommunications sectors. Many of the targeted organizations have been located in the Middle East including Kuwait. [HEXANE](https://attack.mitre.org/groups/G1001)'s targeting of telecommunications has been speculated to be part of an effort to establish man-in-the-middle capabilities throughout the region. [HEXANE](https://attack.mitre.org/groups/G1001)'s TTPs appear similar to [APT33](https://attack.mitre.org/groups/G0003) and [OilRig](https://attack.mitre.org/groups/G0010) but due to differences in victims and tools it is tracked as a separate entity. (Citation: Dragos) |
external_references[0]['url'] | https://attack.mitre.org/Group/G0005 | https://attack.mitre.org/groups/G1001 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.953000+00:00 | 2022-05-06 17:47:24.034000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Mitigation/M0801 | https://attack.mitre.org/mitigations/M0801 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.953000+00:00 | 2022-05-06 17:47:24.034000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Mitigation/M0936 | https://attack.mitre.org/mitigations/M0936 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.954000+00:00 | 2022-05-06 17:47:24.035000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Mitigation/M0915 | https://attack.mitre.org/mitigations/M0915 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.955000+00:00 | 2022-05-06 17:47:24.036000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Mitigation/M0949 | https://attack.mitre.org/mitigations/M0949 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.955000+00:00 | 2022-05-06 17:47:24.036000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Mitigation/M0913 | https://attack.mitre.org/mitigations/M0913 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.955000+00:00 | 2022-05-06 17:47:24.036000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Mitigation/M0948 | https://attack.mitre.org/mitigations/M0948 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.955000+00:00 | 2022-05-06 17:47:24.037000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Mitigation/M0947 | https://attack.mitre.org/mitigations/M0947 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.957000+00:00 | 2022-05-06 17:47:24.038000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Mitigation/M0800 | https://attack.mitre.org/mitigations/M0800 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.957000+00:00 | 2022-05-06 17:47:24.038000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Mitigation/M0946 | https://attack.mitre.org/mitigations/M0946 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.957000+00:00 | 2022-05-06 17:47:24.039000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Mitigation/M0945 | https://attack.mitre.org/mitigations/M0945 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.958000+00:00 | 2022-05-06 17:47:24.039000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Mitigation/M0802 | https://attack.mitre.org/mitigations/M0802 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.959000+00:00 | 2022-05-06 17:47:24.040000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Mitigation/M0953 | https://attack.mitre.org/mitigations/M0953 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.959000+00:00 | 2022-05-06 17:47:24.040000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Mitigation/M0803 | https://attack.mitre.org/mitigations/M0803 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.959000+00:00 | 2022-05-06 17:47:24.041000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Mitigation/M0942 | https://attack.mitre.org/mitigations/M0942 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.959000+00:00 | 2022-05-06 17:47:24.041000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Mitigation/M0808 | https://attack.mitre.org/mitigations/M0808 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.960000+00:00 | 2022-05-06 17:47:24.041000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Mitigation/M0941 | https://attack.mitre.org/mitigations/M0941 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.960000+00:00 | 2022-05-06 17:47:24.042000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Mitigation/M0938 | https://attack.mitre.org/mitigations/M0938 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.960000+00:00 | 2022-05-06 17:47:24.042000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Mitigation/M0950 | https://attack.mitre.org/mitigations/M0950 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.961000+00:00 | 2022-05-06 17:47:24.043000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Mitigation/M0937 | https://attack.mitre.org/mitigations/M0937 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.975000+00:00 | 2022-05-06 17:47:24.060000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Mitigation/M0804 | https://attack.mitre.org/mitigations/M0804 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.962000+00:00 | 2022-05-06 17:47:24.044000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Mitigation/M0935 | https://attack.mitre.org/mitigations/M0935 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.962000+00:00 | 2022-05-06 17:47:24.045000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Mitigation/M0934 | https://attack.mitre.org/mitigations/M0934 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.963000+00:00 | 2022-05-06 17:47:24.046000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Mitigation/M0805 | https://attack.mitre.org/mitigations/M0805 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.965000+00:00 | 2022-05-06 17:47:24.048000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Mitigation/M0806 | https://attack.mitre.org/mitigations/M0806 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.965000+00:00 | 2022-05-06 17:47:24.048000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Mitigation/M0816 | https://attack.mitre.org/mitigations/M0816 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.965000+00:00 | 2022-05-06 17:47:24.048000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Mitigation/M0932 | https://attack.mitre.org/mitigations/M0932 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.975000+00:00 | 2022-05-06 17:47:24.060000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Mitigation/M0807 | https://attack.mitre.org/mitigations/M0807 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.966000+00:00 | 2022-05-06 17:47:24.049000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Mitigation/M0931 | https://attack.mitre.org/mitigations/M0931 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.967000+00:00 | 2022-05-06 17:47:24.051000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Mitigation/M0930 | https://attack.mitre.org/mitigations/M0930 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.967000+00:00 | 2022-05-06 17:47:24.051000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Mitigation/M0928 | https://attack.mitre.org/mitigations/M0928 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.967000+00:00 | 2022-05-06 17:47:24.051000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Mitigation/M0809 | https://attack.mitre.org/mitigations/M0809 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.969000+00:00 | 2022-05-06 17:47:24.053000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Mitigation/M0810 | https://attack.mitre.org/mitigations/M0810 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.969000+00:00 | 2022-05-06 17:47:24.053000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Mitigation/M0927 | https://attack.mitre.org/mitigations/M0927 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.969000+00:00 | 2022-05-06 17:47:24.053000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Mitigation/M0926 | https://attack.mitre.org/mitigations/M0926 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.970000+00:00 | 2022-05-06 17:47:24.054000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Mitigation/M0811 | https://attack.mitre.org/mitigations/M0811 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.970000+00:00 | 2022-05-06 17:47:24.054000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Mitigation/M0922 | https://attack.mitre.org/mitigations/M0922 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.970000+00:00 | 2022-05-06 17:47:24.054000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Mitigation/M0944 | https://attack.mitre.org/mitigations/M0944 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.970000+00:00 | 2022-05-06 17:47:24.055000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Mitigation/M0924 | https://attack.mitre.org/mitigations/M0924 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.971000+00:00 | 2022-05-06 17:47:24.055000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Mitigation/M0921 | https://attack.mitre.org/mitigations/M0921 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.971000+00:00 | 2022-05-06 17:47:24.055000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Mitigation/M0920 | https://attack.mitre.org/mitigations/M0920 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.972000+00:00 | 2022-05-06 17:47:24.056000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Mitigation/M0812 | https://attack.mitre.org/mitigations/M0812 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.972000+00:00 | 2022-05-06 17:47:24.057000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Mitigation/M0954 | https://attack.mitre.org/mitigations/M0954 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.972000+00:00 | 2022-05-06 17:47:24.057000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Mitigation/M0813 | https://attack.mitre.org/mitigations/M0813 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.972000+00:00 | 2022-05-06 17:47:24.057000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Mitigation/M0814 | https://attack.mitre.org/mitigations/M0814 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.973000+00:00 | 2022-05-06 17:47:24.058000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Mitigation/M0817 | https://attack.mitre.org/mitigations/M0817 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.973000+00:00 | 2022-05-06 17:47:24.058000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Mitigation/M0919 | https://attack.mitre.org/mitigations/M0919 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.973000+00:00 | 2022-05-06 17:47:24.058000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Mitigation/M0951 | https://attack.mitre.org/mitigations/M0951 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.974000+00:00 | 2022-05-06 17:47:24.059000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Mitigation/M0918 | https://attack.mitre.org/mitigations/M0918 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.974000+00:00 | 2022-05-06 17:47:24.059000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Mitigation/M0917 | https://attack.mitre.org/mitigations/M0917 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.974000+00:00 | 2022-05-06 17:47:24.059000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Mitigation/M0916 | https://attack.mitre.org/mitigations/M0916 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 22:02:03.974000+00:00 | 2022-05-06 17:47:24.060000+00:00 |
external_references[0]['url'] | https://attack.mitre.org/Mitigation/M0815 | https://attack.mitre.org/mitigations/M0815 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-23T15:48:38.011975Z | 2022-05-11T16:22:58.802094Z |
created | 2022-04-23T15:48:38.011975Z | 2022-05-11T16:22:58.802094Z |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-23T15:48:38.012144Z | 2022-05-11T16:22:58.802589Z |
created | 2022-04-23T15:48:38.012144Z | 2022-05-11T16:22:58.802589Z |
Current version: 1.0
Old Description | New Description |
---|---|
Initial construction of a WMI object, such as a filter, consumer, subscription, binding, or provider (ex: Sysmon EIDs 19-21) | Queried domain name system (DNS) registry data highlighting current domain to IP address resolutions (ex: dig/nslookup queries) |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | False | |
revoked | False |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_domains | [] |
STIX Field | Old value | New Value |
---|---|---|
description | Initial construction of a WMI object, such as a filter, consumer, subscription, binding, or provider (ex: Sysmon EIDs 19-21) | Queried domain name system (DNS) registry data highlighting current domain to IP address resolutions (ex: dig/nslookup queries) |
modified | 2022-03-30T14:26:51.804Z | 2022-05-02T23:19:55.148Z |
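The old value of the description above names the telemetry behind the WMI creation data component: Sysmon event IDs 19 (WmiEventFilter), 20 (WmiEventConsumer) and 21 (WmiEventConsumerToFilter). A permanent WMI event subscription only becomes persistence once all three exist, so a detection that fires on the binding and joins it back to the filter and consumer reports the trigger (WQL query) and the payload (consumer destination) in one finding. The Python below is an added example and is not part of the ATT&CK changelog or the framework's own code; the event records are constructed, flattened to the EventID plus the EventData field names those three Sysmon events carry, and the second binding deliberately references objects whose creation was never observed to show how a partial correlation is still surfaced.

```python
"""Correlate Sysmon WMI events (EID 19/20/21) into WMI event-subscription findings.

Example code for the 'WMI: WMI Creation' data component. The sample events are
constructed, not real telemetry, and are flattened to EventID (from the System
section) plus the EventData fields each event ID carries:
  EID 19: EventNamespace, Name, Query        (WmiEventFilter)
  EID 20: Name, Type, Destination            (WmiEventConsumer)
  EID 21: Consumer, Filter                   (WmiEventConsumerToFilter)
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample events.
SAMPLE_EVENTS = [
    {"EventID": 19, "UtcTime": "2022-05-02 10:00:01.000", "Operation": "Created",
     "User": "LAB\\admin", "EventNamespace": "root\\CimV2", "Name": "UpdaterFilter",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE "
              "TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"},
    {"EventID": 20, "UtcTime": "2022-05-02 10:00:02.000", "Operation": "Created",
     "User": "LAB\\admin", "Name": "UpdaterConsumer", "Type": "Command Line",
     "Destination": "powershell.exe -nop -w hidden -File C:\\Users\\Public\\u.ps1"},
    {"EventID": 21, "UtcTime": "2022-05-02 10:00:03.000", "Operation": "Created",
     "User": "LAB\\admin",
     "Consumer": 'CommandLineEventConsumer.Name="UpdaterConsumer"',
     "Filter": '__EventFilter.Name="UpdaterFilter"'},
    # Binding whose filter and consumer creation were not observed (pre-existing
    # objects or lost events): still reported, marked partial.
    {"EventID": 21, "UtcTime": "2022-05-02 11:30:00.000", "Operation": "Created",
     "User": "LAB\\svc",
     "Consumer": 'ActiveScriptEventConsumer.Name="Legacy"',
     "Filter": '__EventFilter.Name="LegacyFilter"'},
]

# EID 21 references objects as <Class>.Name="<name>".
REF_RE = re.compile(r'^(?P<cls>[A-Za-z_]+)\.Name="(?P<name>[^"]*)"$')


@dataclass
class Subscription:
    filter_name: str
    consumer_name: str
    consumer_class: str
    user: str
    bound_at: str
    query: Optional[str] = None        # None when the EID 19 was not observed
    destination: Optional[str] = None  # None when the EID 20 was not observed

    @property
    def complete(self) -> bool:
        """True when filter, consumer and binding were all observed."""
        return self.query is not None and self.destination is not None


def parse_ref(ref: str):
    """Split 'CommandLineEventConsumer.Name="X"' into ('CommandLineEventConsumer', 'X')."""
    m = REF_RE.match(ref.strip())
    if not m:
        raise ValueError(f"unrecognised WMI object reference: {ref!r}")
    return m.group("cls"), m.group("name")


def correlate(events):
    """Join each EID 21 binding to its EID 19 filter and EID 20 consumer by Name."""
    filters = {e["Name"]: e for e in events
               if e["EventID"] == 19 and e.get("Operation") == "Created"}
    consumers = {e["Name"]: e for e in events
                 if e["EventID"] == 20 and e.get("Operation") == "Created"}
    findings = []
    for e in events:
        if e["EventID"] != 21 or e.get("Operation") != "Created":
            continue
        c_cls, c_name = parse_ref(e["Consumer"])
        _, f_name = parse_ref(e["Filter"])
        f_ev = filters.get(f_name)
        c_ev = consumers.get(c_name)
        findings.append(Subscription(
            filter_name=f_name, consumer_name=c_name, consumer_class=c_cls,
            user=e["User"], bound_at=e["UtcTime"],
            query=f_ev["Query"] if f_ev else None,
            destination=c_ev["Destination"] if c_ev else None,
        ))
    return findings


def main():
    for s in correlate(SAMPLE_EVENTS):
        status = "complete" if s.complete else "partial: filter/consumer creation not observed"
        print(f"[{s.bound_at}] {s.user} bound {s.consumer_class} '{s.consumer_name}' "
              f"to filter '{s.filter_name}' ({status})")
        print(f"    trigger: {s.query}")
        print(f"    payload: {s.destination}")


if __name__ == "__main__":
    main()
```

Keying the join on the binding rather than on EID 19 or 20 alone avoids alerting on filters and consumers that are created but never wired together, while still reporting bindings to objects created before logging started.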
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-23T15:48:38.012201Z | 2022-05-11T16:22:58.802647Z |
created | 2022-04-23T15:48:38.012201Z | 2022-05-11T16:22:58.802647Z |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-23T15:48:38.012159Z | 2022-05-11T16:22:58.802606Z |
created | 2022-04-23T15:48:38.012159Z | 2022-05-11T16:22:58.802606Z |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-23T15:48:38.012181Z | 2022-05-11T16:22:58.802627Z |
created | 2022-04-23T15:48:38.012181Z | 2022-05-11T16:22:58.802627Z |