ATT&CK Changes Between v11.0 and v11.1

Key

New objects: ATT&CK objects which are only present in the new release.
Major version changes: ATT&CK objects that have a major version change. (e.g. 1.0 → 2.0)
Minor version changes: ATT&CK objects that have a minor version change. (e.g. 1.0 → 1.1)
Other version changes: ATT&CK objects that have a version change of any other kind. (e.g. 1.0 → 1.2)
Patches: ATT&CK objects that have been patched while keeping the version the same. (e.g., 1.0 → 1.0 but something like a typo, a URL, or some metadata was fixed)
Object revocations: ATT&CK objects which are revoked by a different object.
Object deprecations: ATT&CK objects which are deprecated and no longer in use, and not replaced.
Object deletions: ATT&CK objects which are no longer found in the STIX data.

Additional formats

These ATT&CK Navigator layer files can be uploaded to ATT&CK Navigator manually.

This JSON file contains the machine readble output used to create this page: changelog.json

Techniques

enterprise-attack

Minor Version Changes

[T1195.003] Supply Chain Compromise: Compromise Hardware Supply Chain

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

DS0013: Sensor Health (Host Status)

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_attack_spec_version		2.1.0
x_mitre_data_sources		['Sensor Health: Host Status']
x_mitre_deprecated		False

values_changed
STIX Field	Old value	New Value
modified	2020-03-23 12:51:45.475000+00:00	2022-04-28 16:05:10.755000+00:00
x_mitre_version	1.0	1.1

[T1195.001] Supply Chain Compromise: Compromise Software Dependencies and Development Tools

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

DS0022: File (File Metadata)

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_data_sources		['File: File Metadata']

values_changed
STIX Field	Old value	New Value
modified	2022-04-19 20:10:09.368000+00:00	2022-04-28 16:03:59.172000+00:00
x_mitre_version	1.0	1.1

[T1195.002] Supply Chain Compromise: Compromise Software Supply Chain

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

DS0022: File (File Metadata)

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_data_sources		['File: File Metadata']

values_changed
STIX Field	Old value	New Value
modified	2022-04-19 20:10:59.465000+00:00	2022-04-28 16:04:36.636000+00:00
x_mitre_version	1.0	1.1

[T1027.005] Obfuscated Files or Information: Indicator Removal from Tools

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

DS0015: Application Log (Application Log Content)

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_attack_spec_version		2.1.0
x_mitre_data_sources		['Application Log: Application Log Content']
x_mitre_deprecated		False

values_changed
STIX Field	Old value	New Value
modified	2020-03-29 21:03:09.766000+00:00	2022-04-28 16:07:48.062000+00:00
x_mitre_version	1.0	1.1

Other Version Changes

[T1212] Exploitation for Credential Access

Current version: 1.4

Version changed from: 1.1 → 1.4

New Detections:

DS0002: User Account (User Account Authentication)
DS0009: Process (Process Creation)
DS0015: Application Log (Application Log Content)

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_attack_spec_version		2.1.0
x_mitre_data_sources		['Application Log: Application Log Content', 'User Account: User Account Authentication', 'Process: Process Creation']
x_mitre_deprecated		False
x_mitre_is_subtechnique		False

dictionary_item_removed
STIX Field	Old value	New Value
x_mitre_permissions_required	['User']

values_changed
STIX Field	Old value	New Value
modified	2020-03-25 18:51:01.070000+00:00	2022-04-28 16:06:49.447000+00:00
external_references[1]['source_name']	Technet MS14-068	ADSecurity Detecting Forged Tickets
external_references[1]['description']	Microsoft. (2014, November 18). Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780). Retrieved December 23, 2015.	Metcalf, S. (2015, May 03). Detecting Forged Kerberos Ticket (Golden Ticket & Silver Ticket) Use in Active Directory. Retrieved December 23, 2015.
external_references[1]['url']	https://technet.microsoft.com/en-us/library/security/ms14-068.aspx	https://adsecurity.org/?p=1515
external_references[2]['source_name']	ADSecurity Detecting Forged Tickets	Technet MS14-068
external_references[2]['description']	Metcalf, S. (2015, May 03). Detecting Forged Kerberos Ticket (Golden Ticket & Silver Ticket) Use in Active Directory. Retrieved December 23, 2015.	Microsoft. (2014, November 18). Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780). Retrieved December 23, 2015.
external_references[2]['url']	https://adsecurity.org/?p=1515	https://technet.microsoft.com/en-us/library/security/ms14-068.aspx
x_mitre_version	1.1	1.4

[T1211] Exploitation for Defense Evasion

Current version: 1.3

Version changed from: 1.1 → 1.3

New Detections:

DS0009: Process (Process Creation)
DS0015: Application Log (Application Log Content)

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_attack_spec_version		2.1.0
x_mitre_data_sources		['Process: Process Creation', 'Application Log: Application Log Content']
x_mitre_deprecated		False
x_mitre_is_subtechnique		False

dictionary_item_removed
STIX Field	Old value	New Value
x_mitre_permissions_required	['User']

values_changed
STIX Field	Old value	New Value
modified	2020-03-29 20:00:46.900000+00:00	2022-04-28 16:10:16.632000+00:00
x_mitre_version	1.1	1.3

[T1200] Hardware Additions

Current version: 1.6

Version changed from: 1.3 → 1.6

New Detections:

DS0015: Application Log (Application Log Content)
DS0016: Drive (Drive Creation)
DS0029: Network Traffic (Network Traffic Flow)

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_data_sources		['Application Log: Application Log Content', 'Drive: Drive Creation', 'Network Traffic: Network Traffic Flow']

values_changed
STIX Field	Old value	New Value
modified	2022-04-19 17:12:28.626000+00:00	2022-04-28 16:09:12.782000+00:00
x_mitre_version	1.3	1.6

[T1195] Supply Chain Compromise

Current version: 1.5

Version changed from: 1.3 → 1.5

New Detections:

DS0013: Sensor Health (Host Status)
DS0022: File (File Metadata)

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_data_sources		['File: File Metadata', 'Sensor Health: Host Status']

values_changed
STIX Field	Old value	New Value
modified	2022-04-19 20:09:21.256000+00:00	2022-04-28 16:03:22.870000+00:00
x_mitre_version	1.3	1.5

Patches

[T1134] Access Token Manipulation

Current version: 2.0

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_attack_spec_version		2.1.0
x_mitre_deprecated		False
x_mitre_is_subtechnique		False
external_references		Atkinson, J., Winchester, R. (2017, December 7). A Process is No One: Hunting for Token Manipulation. Retrieved December 21, 2017.
external_references		CAPEC-633

dictionary_item_removed
STIX Field	Old value	New Value
external_references	CAPEC-633
external_references	Atkinson, J., Winchester, R. (2017, December 7). A Process is No One: Hunting for Token Manipulation. Retrieved December 21, 2017.

values_changed
STIX Field	Old value	New Value
modified	2021-10-17 14:51:49.334000+00:00	2022-05-03 02:14:43.557000+00:00
external_references[1]['source_name']	capec	BlackHat Atkinson Winchester Token Manipulation
external_references[1]['url']	https://capec.mitre.org/data/definitions/633.html	https://www.blackhat.com/docs/eu-17/materials/eu-17-Atkinson-A-Process-Is-No-One-Hunting-For-Token-Manipulation.pdf
external_references[2]['source_name']	Pentestlab Token Manipulation	Microsoft Command-line Logging
external_references[2]['description']	netbiosX. (2017, April 3). Token Manipulation. Retrieved April 21, 2017.	Mathers, B. (2017, March 7). Command line process auditing. Retrieved April 21, 2017.
external_references[2]['url']	https://pentestlab.blog/2017/04/03/token-manipulation/	https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing
external_references[3]['source_name']	Microsoft Command-line Logging	Microsoft LogonUser
external_references[3]['description']	Mathers, B. (2017, March 7). Command line process auditing. Retrieved April 21, 2017.	Microsoft TechNet. (n.d.). Retrieved April 25, 2017.
external_references[3]['url']	https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing	https://msdn.microsoft.com/en-us/library/windows/desktop/aa378184(v=vs.85).aspx
external_references[4]['source_name']	Microsoft LogonUser	Microsoft DuplicateTokenEx
external_references[4]['url']	https://msdn.microsoft.com/en-us/library/windows/desktop/aa378184(v=vs.85).aspx	https://msdn.microsoft.com/en-us/library/windows/desktop/aa446617(v=vs.85).aspx
external_references[5]['source_name']	Microsoft DuplicateTokenEx	Microsoft ImpersonateLoggedOnUser
external_references[5]['url']	https://msdn.microsoft.com/en-us/library/windows/desktop/aa446617(v=vs.85).aspx	https://msdn.microsoft.com/en-us/library/windows/desktop/aa378612(v=vs.85).aspx
external_references[6]['source_name']	Microsoft ImpersonateLoggedOnUser	Pentestlab Token Manipulation
external_references[6]['description']	Microsoft TechNet. (n.d.). Retrieved April 25, 2017.	netbiosX. (2017, April 3). Token Manipulation. Retrieved April 21, 2017.
external_references[6]['url']	https://msdn.microsoft.com/en-us/library/windows/desktop/aa378612(v=vs.85).aspx	https://pentestlab.blog/2017/04/03/token-manipulation/
external_references[7]['source_name']	BlackHat Atkinson Winchester Token Manipulation	capec
external_references[7]['url']	https://www.blackhat.com/docs/eu-17/materials/eu-17-Atkinson-A-Process-Is-No-One-Hunting-For-Token-Manipulation.pdf	https://capec.mitre.org/data/definitions/633.html
x_mitre_data_sources[0]	Active Directory: Active Directory Object Modification	User Account: User Account Metadata
x_mitre_data_sources[1]	Command: Command Execution	Process: OS API Execution
x_mitre_data_sources[2]	Process: Process Creation	Process: Process Metadata
x_mitre_data_sources[3]	Process: Process Metadata	Process: Process Creation
x_mitre_data_sources[4]	Process: OS API Execution	Command: Command Execution
x_mitre_data_sources[5]	User Account: User Account Metadata	Active Directory: Active Directory Object Modification
x_mitre_defense_bypassed[1]	System access controls	Heuristic Detection
x_mitre_defense_bypassed[2]	File system access controls	System Access Controls
x_mitre_defense_bypassed[3]	Heuristic Detection	Host Forensic Analysis

iterable_item_removed
STIX Field	Old value	New Value
x_mitre_defense_bypassed	Host forensic analysis

[T1553.006] Subvert Trust Controls: Code Signing Policy Modification

Current version: 1.0

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_attack_spec_version		2.1.0
x_mitre_deprecated		False

dictionary_item_removed
STIX Field	Old value	New Value
x_mitre_permissions_required	['Administrator']

values_changed
STIX Field	Old value	New Value
modified	2021-04-26 15:41:39.155000+00:00	2022-05-05 05:00:03.480000+00:00
external_references[1]['source_name']	Microsoft DSE June 2017	Apple Disable SIP
external_references[1]['description']	Microsoft. (2017, June 1). Digital Signatures for Kernel Modules on Windows. Retrieved April 22, 2021.	Apple. (n.d.). Disabling and Enabling System Integrity Protection. Retrieved April 22, 2021.
external_references[1]['url']	https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653559(v=vs.85)?redirectedfrom=MSDN	https://developer.apple.com/documentation/security/disabling_and_enabling_system_integrity_protection
external_references[2]['source_name']	Apple Disable SIP	F-Secure BlackEnergy 2014
external_references[2]['description']	Apple. (n.d.). Disabling and Enabling System Integrity Protection. Retrieved April 22, 2021.	F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.
external_references[2]['url']	https://developer.apple.com/documentation/security/disabling_and_enabling_system_integrity_protection	https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf
external_references[3]['source_name']	Microsoft Unsigned Driver Apr 2017	FireEye HIKIT Rootkit Part 2
external_references[3]['description']	Microsoft. (2017, April 20). Installing an Unsigned Driver during Development and Test. Retrieved April 22, 2021.	Glyer, C., Kazanciyan, R. (2012, August 22). The “Hikit” Rootkit: Advanced and Persistent Attack Techniques (Part 2). Retrieved May 4, 2020.
external_references[3]['url']	https://docs.microsoft.com/en-us/windows-hardware/drivers/install/installing-an-unsigned-driver-during-development-and-test	https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-2.html
external_references[4]['source_name']	Microsoft TESTSIGNING Feb 2021	Microsoft Unsigned Driver Apr 2017
external_references[4]['description']	Microsoft. (2021, February 15). Enable Loading of Test Signed Drivers. Retrieved April 22, 2021.	Microsoft. (2017, April 20). Installing an Unsigned Driver during Development and Test. Retrieved April 22, 2021.
external_references[4]['url']	https://docs.microsoft.com/en-us/windows-hardware/drivers/install/the-testsigning-boot-configuration-option	https://docs.microsoft.com/en-us/windows-hardware/drivers/install/installing-an-unsigned-driver-during-development-and-test
external_references[5]['source_name']	FireEye HIKIT Rootkit Part 2	Microsoft DSE June 2017
external_references[5]['description']	Glyer, C., Kazanciyan, R. (2012, August 22). The “Hikit” Rootkit: Advanced and Persistent Attack Techniques (Part 2). Retrieved May 4, 2020.	Microsoft. (2017, June 1). Digital Signatures for Kernel Modules on Windows. Retrieved April 22, 2021.
external_references[5]['url']	https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-2.html	https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653559(v=vs.85)?redirectedfrom=MSDN
external_references[6]['source_name']	GitHub Turla Driver Loader	Microsoft TESTSIGNING Feb 2021
external_references[6]['description']	TDL Project. (2016, February 4). TDL (Turla Driver Loader). Retrieved April 22, 2021.	Microsoft. (2021, February 15). Enable Loading of Test Signed Drivers. Retrieved April 22, 2021.
external_references[6]['url']	https://github.com/hfiref0x/TDL	https://docs.microsoft.com/en-us/windows-hardware/drivers/install/the-testsigning-boot-configuration-option
external_references[7]['source_name']	F-Secure BlackEnergy 2014	Unit42 AcidBox June 2020
external_references[7]['description']	F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.	Reichel, D. and Idrizovic, E. (2020, June 17). AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations. Retrieved March 16, 2021.
external_references[7]['url']	https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf	https://unit42.paloaltonetworks.com/acidbox-rare-malware/
external_references[8]['source_name']	Unit42 AcidBox June 2020	GitHub Turla Driver Loader
external_references[8]['description']	Reichel, D. and Idrizovic, E. (2020, June 17). AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations. Retrieved March 16, 2021.	TDL Project. (2016, February 4). TDL (Turla Driver Loader). Retrieved April 22, 2021.
external_references[8]['url']	https://unit42.paloaltonetworks.com/acidbox-rare-malware/	https://github.com/hfiref0x/TDL
x_mitre_data_sources[0]	Windows Registry: Windows Registry Key Modification	Command: Command Execution
x_mitre_data_sources[2]	Command: Command Execution	Windows Registry: Windows Registry Key Modification

iterable_item_added
STIX Field	Old value	New Value
x_mitre_defense_bypassed		Application Control

iterable_item_removed
STIX Field	Old value	New Value
x_mitre_defense_bypassed	Application control

[T1574.002] Hijack Execution Flow: DLL Side-Loading

Current version: 2.0

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_attack_spec_version		2.1.0
x_mitre_deprecated		False
external_references		Amanda Steward. (2014). FireEye DLL Side-Loading: A Thorn in the Side of the Anti-Virus Industry. Retrieved March 13, 2020.
external_references		CAPEC-641

dictionary_item_removed
STIX Field	Old value	New Value
external_references	CAPEC-641
external_references	Amanda Steward. (2014). FireEye DLL Side-Loading: A Thorn in the Side of the Anti-Virus Industry. Retrieved March 13, 2020.

values_changed
STIX Field	Old value	New Value
modified	2021-04-26 18:31:34.954000+00:00	2022-05-05 04:07:48.912000+00:00
external_references[1]['source_name']	capec	FireEye DLL Side-Loading
external_references[1]['url']	https://capec.mitre.org/data/definitions/641.html	https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf
external_references[2]['source_name']	FireEye DLL Side-Loading	capec
external_references[2]['url']	https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf	https://capec.mitre.org/data/definitions/641.html
x_mitre_data_sources[0]	Process: Process Creation	File: File Modification
x_mitre_data_sources[1]	Module: Module Load	File: File Creation
x_mitre_data_sources[2]	File: File Creation	Module: Module Load
x_mitre_data_sources[3]	File: File Modification	Process: Process Creation
x_mitre_defense_bypassed[1]	Application control	Application Control

[T1140] Deobfuscate/Decode Files or Information

Current version: 1.1

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_attack_spec_version		2.1.0
x_mitre_deprecated		False
x_mitre_is_subtechnique		False

dictionary_item_removed
STIX Field	Old value	New Value
x_mitre_permissions_required	['User']

values_changed
STIX Field	Old value	New Value
modified	2020-07-09 14:42:23.122000+00:00	2022-05-05 04:05:42.508000+00:00
external_references[1]['source_name']	Malwarebytes Targeted Attack against Saudi Arabia	Volexity PowerDuke November 2016
external_references[1]['description']	Malwarebytes Labs. (2017, March 27). New targeted attack against Saudi Arabia Government. Retrieved July 3, 2017.	Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
external_references[1]['url']	https://blog.malwarebytes.com/cybercrime/social-engineering-cybercrime/2017/03/new-targeted-attack-saudi-arabia-government/	https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/
external_references[2]['source_name']	Carbon Black Obfuscation Sept 2016	Malwarebytes Targeted Attack against Saudi Arabia
external_references[2]['description']	Tedesco, B. (2016, September 23). Security Alert Summary. Retrieved February 12, 2018.	Malwarebytes Labs. (2017, March 27). New targeted attack against Saudi Arabia Government. Retrieved July 3, 2017.
external_references[2]['url']	https://www.carbonblack.com/2016/09/23/security-advisory-variants-well-known-adware-families-discovered-include-sophisticated-obfuscation-techniques-previously-associated-nation-state-attacks/	https://blog.malwarebytes.com/cybercrime/social-engineering-cybercrime/2017/03/new-targeted-attack-saudi-arabia-government/
external_references[3]['source_name']	Volexity PowerDuke November 2016	Carbon Black Obfuscation Sept 2016
external_references[3]['description']	Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.	Tedesco, B. (2016, September 23). Security Alert Summary. Retrieved February 12, 2018.
external_references[3]['url']	https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/	https://www.carbonblack.com/2016/09/23/security-advisory-variants-well-known-adware-families-discovered-include-sophisticated-obfuscation-techniques-previously-associated-nation-state-attacks/
x_mitre_data_sources[0]	Script: Script Execution	File: File Modification
x_mitre_data_sources[2]	File: File Modification	Script: Script Execution
x_mitre_defense_bypassed[1]	Host intrusion prevention systems	Host Intrusion Prevention Systems
x_mitre_defense_bypassed[2]	Signature-based detection	Signature-based Detection
x_mitre_defense_bypassed[3]	Network intrusion detection system	Network Intrusion Detection System

[T1098.005] Account Manipulation: Device Registration

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-20 16:44:02.983000+00:00	2022-04-25 16:26:53.204000+00:00
x_mitre_data_sources[0]	User Account: User Account Modification	Application Log: Application Log Content
x_mitre_data_sources[2]	Application Log: Application Log Content	User Account: User Account Modification

iterable_item_added
STIX Field	Old value	New Value
x_mitre_contributors		Mike Moran

[T1574.004] Hijack Execution Flow: Dylib Hijacking

Current version: 2.0

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_attack_spec_version		2.1.0
x_mitre_deprecated		False
external_references		Amanda Rousseau. (2020, April 4). MacOS Dylib Injection Workshop. Retrieved March 29, 2021.
external_references		CAPEC-471

dictionary_item_removed
STIX Field	Old value	New Value
external_references	CAPEC-471
external_references	Apple Inc.. (2012, July 7). Run-Path Dependent Libraries. Retrieved March 31, 2021.

values_changed
STIX Field	Old value	New Value
modified	2021-04-27 20:19:15.212000+00:00	2022-05-05 04:08:30.203000+00:00
external_references[1]['source_name']	capec	MalwareUnicorn macOS Dylib Injection MachO
external_references[1]['url']	https://capec.mitre.org/data/definitions/471.html	https://malwareunicorn.org/workshops/macos_dylib_injection.html#5
external_references[2]['source_name']	Wardle Dylib Hijack Vulnerable Apps	Apple Developer Doco Archive Run-Path
external_references[2]['description']	Patrick Wardle. (2019, July 2). Getting Root with Benign AppStore Apps. Retrieved March 31, 2021.	Apple Inc.. (2012, July 7). Run-Path Dependent Libraries. Retrieved March 31, 2021.
external_references[2]['url']	https://objective-see.com/blog/blog_0x46.html	https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/RunpathDependentLibraries.html
external_references[4]['source_name']	Github EmpireProject HijackScanner	Writing Bad Malware for OSX
external_references[4]['description']	Wardle, P., Ross, C. (2017, September 21). Empire Project Dylib Hijack Vulnerability Scanner. Retrieved April 1, 2021.	Patrick Wardle. (2015). Writing Bad @$$ Malware for OS X. Retrieved July 10, 2017.
external_references[4]['url']	https://github.com/EmpireProject/Empire/blob/master/lib/modules/python/situational_awareness/host/osx/HijackScanner.py	https://www.blackhat.com/docs/us-15/materials/us-15-Wardle-Writing-Bad-A-Malware-For-OS-X.pdf
external_references[5]['source_name']	Github EmpireProject CreateHijacker Dylib	Wardle Dylib Hijack Vulnerable Apps
external_references[5]['description']	Wardle, P., Ross, C. (2018, April 8). EmpireProject Create Dylib Hijacker. Retrieved April 1, 2021.	Patrick Wardle. (2019, July 2). Getting Root with Benign AppStore Apps. Retrieved March 31, 2021.
external_references[5]['url']	https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/persistence/osx/CreateHijacker.py	https://objective-see.com/blog/blog_0x46.html
external_references[6]['source_name']	Writing Bad Malware for OSX	wardle artofmalware volume1
external_references[6]['description']	Patrick Wardle. (2015). Writing Bad @$$ Malware for OS X. Retrieved July 10, 2017.	Patrick Wardle. (2020, August 5). The Art of Mac Malware Volume 0x1: Analysis. Retrieved March 19, 2021.
external_references[6]['url']	https://www.blackhat.com/docs/us-15/materials/us-15-Wardle-Writing-Bad-A-Malware-For-OS-X.pdf	https://taomm.org/vol1/pdfs.html
external_references[7]['source_name']	wardle artofmalware volume1	Github EmpireProject HijackScanner
external_references[7]['description']	Patrick Wardle. (2020, August 5). The Art of Mac Malware Volume 0x1: Analysis. Retrieved March 19, 2021.	Wardle, P., Ross, C. (2017, September 21). Empire Project Dylib Hijack Vulnerability Scanner. Retrieved April 1, 2021.
external_references[7]['url']	https://taomm.org/vol1/pdfs.html	https://github.com/EmpireProject/Empire/blob/master/lib/modules/python/situational_awareness/host/osx/HijackScanner.py
external_references[8]['source_name']	MalwareUnicorn macOS Dylib Injection MachO	Github EmpireProject CreateHijacker Dylib
external_references[8]['description']	Amanda Rousseau. (2020, April 4). MacOS Dylib Injection Workshop. Retrieved March 29, 2021.	Wardle, P., Ross, C. (2018, April 8). EmpireProject Create Dylib Hijacker. Retrieved April 1, 2021.
external_references[8]['url']	https://malwareunicorn.org/workshops/macos_dylib_injection.html#5	https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/persistence/osx/CreateHijacker.py
external_references[9]['source_name']	Apple Developer Doco Archive Run-Path	capec
external_references[9]['url']	https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/RunpathDependentLibraries.html	https://capec.mitre.org/data/definitions/471.html
x_mitre_defense_bypassed[0]	Application control	Application Control

iterable_item_added
STIX Field	Old value	New Value
x_mitre_data_sources		Module: Module Load

iterable_item_removed
STIX Field	Old value	New Value
x_mitre_data_sources	Module: Module Load

[T1480.001] Execution Guardrails: Environmental Keying

Current version: 1.0

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_attack_spec_version		2.1.0
x_mitre_deprecated		False

dictionary_item_removed
STIX Field	Old value	New Value
x_mitre_permissions_required	['User']

values_changed
STIX Field	Old value	New Value
modified	2021-06-09 18:53:58.159000+00:00	2022-05-04 14:52:51.290000+00:00
external_references[1]['source_name']	EK Clueless Agents	Proofpoint Router Malvertising
external_references[1]['description']	Riordan, J., Schneier, B. (1998, June 18). Environmental Key Generation towards Clueless Agents. Retrieved January 18, 2019.	Kafeine. (2016, December 13). Home Routers Under Attack via Malvertising on Windows, Android Devices. Retrieved January 16, 2019.
external_references[1]['url']	https://www.schneier.com/academic/paperfiles/paper-clueless-agents.pdf	https://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices
external_references[3]['source_name']	Proofpoint Router Malvertising	Ebowla: Genetic Malware
external_references[3]['description']	Kafeine. (2016, December 13). Home Routers Under Attack via Malvertising on Windows, Android Devices. Retrieved January 16, 2019.	Morrow, T., Pitts, J. (2016, October 28). Genetic Malware: Designing Payloads for Specific Targets. Retrieved January 18, 2019.
external_references[3]['url']	https://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices	https://github.com/Genetic-Malware/Ebowla/blob/master/Eko_2016_Morrow_Pitts_Master.pdf
external_references[4]['source_name']	EK Impeding Malware Analysis	EK Clueless Agents
external_references[4]['description']	Song, C., et al. (2012, August 7). Impeding Automated Malware Analysis with Environment-sensitive Malware. Retrieved January 18, 2019.	Riordan, J., Schneier, B. (1998, June 18). Environmental Key Generation towards Clueless Agents. Retrieved January 18, 2019.
external_references[4]['url']	https://pdfs.semanticscholar.org/2721/3d206bc3c1e8c229fb4820b6af09e7f975da.pdf	https://www.schneier.com/academic/paperfiles/paper-clueless-agents.pdf
external_references[5]['source_name']	Environmental Keyed HTA	EK Impeding Malware Analysis
external_references[5]['description']	Warren, R. (2017, August 8). Smuggling HTA files in Internet Explorer/Edge. Retrieved January 16, 2019.	Song, C., et al. (2012, August 7). Impeding Automated Malware Analysis with Environment-sensitive Malware. Retrieved January 18, 2019.
external_references[5]['url']	https://research.nccgroup.com/2017/08/08/smuggling-hta-files-in-internet-explorer-edge/	https://pdfs.semanticscholar.org/2721/3d206bc3c1e8c229fb4820b6af09e7f975da.pdf
external_references[6]['source_name']	Ebowla: Genetic Malware	Demiguise Guardrail Router Logo
external_references[6]['description']	Morrow, T., Pitts, J. (2016, October 28). Genetic Malware: Designing Payloads for Specific Targets. Retrieved January 18, 2019.	Warren, R. (2017, August 2). Demiguise: virginkey.js. Retrieved January 17, 2019.
external_references[6]['url']	https://github.com/Genetic-Malware/Ebowla/blob/master/Eko_2016_Morrow_Pitts_Master.pdf	https://github.com/nccgroup/demiguise/blob/master/examples/virginkey.js
external_references[7]['source_name']	Demiguise Guardrail Router Logo	Environmental Keyed HTA
external_references[7]['description']	Warren, R. (2017, August 2). Demiguise: virginkey.js. Retrieved January 17, 2019.	Warren, R. (2017, August 8). Smuggling HTA files in Internet Explorer/Edge. Retrieved January 16, 2019.
external_references[7]['url']	https://github.com/nccgroup/demiguise/blob/master/examples/virginkey.js	https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/august/smuggling-hta-files-in-internet-exploreredge/
x_mitre_data_sources[0]	Process: Process Creation	Command: Command Execution
x_mitre_data_sources[1]	Command: Command Execution	Process: Process Creation
x_mitre_defense_bypassed[1]	Host forensic analysis	Host Forensic Analysis
x_mitre_defense_bypassed[2]	Signature-based detection	Signature-based Detection
x_mitre_defense_bypassed[3]	Static file analysis	Static File Analysis

[T1480] Execution Guardrails

Current version: 1.1

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_attack_spec_version		2.1.0
x_mitre_deprecated		False
x_mitre_is_subtechnique		False

dictionary_item_removed
STIX Field	Old value	New Value
x_mitre_permissions_required	['User']

values_changed
STIX Field	Old value	New Value
modified	2021-06-09 18:53:58.471000+00:00	2022-05-03 02:39:29.314000+00:00
external_references[1]['source_name']	FireEye Kevin Mandia Guardrails	FireEye Outlook Dec 2019
external_references[1]['description']	Shoorbajee, Z. (2018, June 1). Playing nice? FireEye CEO says U.S. malware is more restrained than adversaries'. Retrieved January 17, 2019.	McWhirt, M., Carr, N., Bienstock, D. (2019, December 4). Breaking the Rules: A Tough Outlook for Home Page Attacks (CVE-2017-11774). Retrieved June 23, 2020.
external_references[1]['url']	https://www.cyberscoop.com/kevin-mandia-fireeye-u-s-malware-nice/	https://www.fireeye.com/blog/threat-research/2019/12/breaking-the-rules-tough-outlook-for-home-page-attacks.html
external_references[2]['source_name']	FireEye Outlook Dec 2019	FireEye Kevin Mandia Guardrails
external_references[2]['description']	McWhirt, M., Carr, N., Bienstock, D. (2019, December 4). Breaking the Rules: A Tough Outlook for Home Page Attacks (CVE-2017-11774). Retrieved June 23, 2020.	Shoorbajee, Z. (2018, June 1). Playing nice? FireEye CEO says U.S. malware is more restrained than adversaries'. Retrieved January 17, 2019.
external_references[2]['url']	https://www.fireeye.com/blog/threat-research/2019/12/breaking-the-rules-tough-outlook-for-home-page-attacks.html	https://www.cyberscoop.com/kevin-mandia-fireeye-u-s-malware-nice/
x_mitre_data_sources[0]	Command: Command Execution	Process: Process Creation
x_mitre_data_sources[1]	Process: Process Creation	Command: Command Execution
x_mitre_defense_bypassed[1]	Host forensic analysis	Host Forensic Analysis
x_mitre_defense_bypassed[2]	Signature-based detection	Signature-based Detection
x_mitre_defense_bypassed[3]	Static file analysis	Static File Analysis

[T1553.001] Subvert Trust Controls: Gatekeeper Bypass

Current version: 1.1

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_attack_spec_version		2.1.0
x_mitre_deprecated		False

dictionary_item_removed
STIX Field	Old value	New Value
x_mitre_permissions_required	['User', 'Administrator']

values_changed
STIX Field	Old value	New Value
modified	2021-10-14 21:18:30.629000+00:00	2022-05-05 04:58:34.172000+00:00
external_references[1]['source_name']	TheEclecticLightCompany apple notarization	theevilbit gatekeeper bypass 2021
external_references[1]['description']	How Notarization Works. (2020, August 28). How notarization works. Retrieved September 13, 2021.	Csaba Fitzl. (2021, June 29). GateKeeper - Not a Bypass (Again). Retrieved September 22, 2021.
external_references[1]['url']	https://eclecticlight.co/2020/08/28/how-notarization-works/	https://theevilbit.github.io/posts/gatekeeper_not_a_bypass/
external_references[2]['source_name']	Bypassing Gatekeeper	OceanLotus for OS X
external_references[2]['description']	Thomas Reed. (2016, March 31). Bypassing Apple's Gatekeeper. Retrieved July 5, 2017.	Eddie Lee. (2016, February 17). OceanLotus for OS X - an Application Bundle Pretending to be an Adobe Flash Update. Retrieved July 5, 2017.
external_references[2]['url']	https://blog.malwarebytes.com/cybercrime/2015/10/bypassing-apples-gatekeeper/	https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update
external_references[3]['source_name']	20 macOS Common Tools and Techniques	TheEclecticLightCompany Quarantine and the flag
external_references[3]['description']	Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.	hoakley. (2020, October 29). Quarantine and the quarantine flag. Retrieved September 13, 2021.
external_references[3]['url']	https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/	https://eclecticlight.co/2020/10/29/quarantine-and-the-quarantine-flag/
external_references[4]['source_name']	TheEclecticLightCompany Quarantine and the flag	TheEclecticLightCompany apple notarization
external_references[4]['description']	hoakley. (2020, October 29). Quarantine and the quarantine flag. Retrieved September 13, 2021.	How Notarization Works. (2020, August 28). How notarization works. Retrieved September 13, 2021.
external_references[4]['url']	https://eclecticlight.co/2020/10/29/quarantine-and-the-quarantine-flag/	https://eclecticlight.co/2020/08/28/how-notarization-works/
external_references[5]['source_name']	theevilbit gatekeeper bypass 2021	Methods of Mac Malware Persistence
external_references[5]['description']	Csaba Fitzl. (2021, June 29). GateKeeper - Not a Bypass (Again). Retrieved September 22, 2021.	Patrick Wardle. (2014, September). Methods of Malware Persistence on Mac OS X. Retrieved July 5, 2017.
external_references[5]['url']	https://theevilbit.github.io/posts/gatekeeper_not_a_bypass/	https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
external_references[6]['source_name']	Methods of Mac Malware Persistence	20 macOS Common Tools and Techniques
external_references[6]['description']	Patrick Wardle. (2014, September). Methods of Malware Persistence on Mac OS X. Retrieved July 5, 2017.	Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
external_references[6]['url']	https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf	https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
external_references[8]['source_name']	OceanLotus for OS X	Bypassing Gatekeeper
external_references[8]['description']	Eddie Lee. (2016, February 17). OceanLotus for OS X - an Application Bundle Pretending to be an Adobe Flash Update. Retrieved July 5, 2017.	Thomas Reed. (2016, March 31). Bypassing Apple's Gatekeeper. Retrieved July 5, 2017.
external_references[8]['url']	https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update	https://blog.malwarebytes.com/cybercrime/2015/10/bypassing-apples-gatekeeper/
x_mitre_data_sources[0]	File: File Metadata	Process: Process Creation
x_mitre_data_sources[1]	Command: Command Execution	File: File Modification
x_mitre_data_sources[2]	File: File Modification	Command: Command Execution
x_mitre_data_sources[3]	Process: Process Creation	File: File Metadata
x_mitre_defense_bypassed[0]	Application control	Anti-virus
x_mitre_defense_bypassed[1]	Anti-virus	Application Control

[T1027.006] Obfuscated Files or Information: HTML Smuggling

Current version: 1.0

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_attack_spec_version		2.1.0
x_mitre_deprecated		False

dictionary_item_removed
STIX Field	Old value	New Value
x_mitre_permissions_required	['User']

values_changed
STIX Field	Old value	New Value
modified	2021-10-18 12:03:12.510000+00:00	2022-05-04 15:06:14.630000+00:00
external_references[1]['source_name']	HTML Smuggling Menlo Security 2020	Outlflank HTML Smuggling 2018
external_references[1]['description']	Subramanian, K. (2020, August 18). New HTML Smuggling Attack Alert: Duri. Retrieved May 20, 2021.	Hegt, S. (2018, August 14). HTML smuggling explained. Retrieved May 20, 2021.
external_references[1]['url']	https://www.menlosecurity.com/blog/new-attack-alert-duri	https://outflank.nl/blog/2018/08/14/html-smuggling-explained/
external_references[2]['source_name']	Outlflank HTML Smuggling 2018	MSTIC NOBELIUM May 2021
external_references[2]['description']	Hegt, S. (2018, August 14). HTML smuggling explained. Retrieved May 20, 2021.	Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021.
external_references[2]['url']	https://outflank.nl/blog/2018/08/14/html-smuggling-explained/	https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/
external_references[3]['source_name']	MSTIC NOBELIUM May 2021	HTML Smuggling Menlo Security 2020
external_references[3]['description']	Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021.	Subramanian, K. (2020, August 18). New HTML Smuggling Attack Alert: Duri. Retrieved May 20, 2021.
external_references[3]['url']	https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/	https://www.menlosecurity.com/blog/new-attack-alert-duri
x_mitre_defense_bypassed[0]	Web content filters	Anti-virus
x_mitre_defense_bypassed[1]	Anti-virus	Web Content Filters
x_mitre_defense_bypassed[2]	Static file analysis	Static File Analysis

[T1574] Hijack Execution Flow

Current version: 1.2

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_attack_spec_version		2.1.0
x_mitre_deprecated		False
x_mitre_is_subtechnique		False

values_changed
STIX Field	Old value	New Value
modified	2022-03-18 14:48:33.512000+00:00	2022-05-05 04:07:01.191000+00:00
x_mitre_data_sources[0]	Command: Command Execution	Service: Service Metadata
x_mitre_data_sources[1]	Windows Registry: Windows Registry Key Modification	Module: Module Load
x_mitre_data_sources[2]	File: File Creation	Process: Process Creation
x_mitre_data_sources[4]	Process: Process Creation	File: File Creation
x_mitre_data_sources[5]	Module: Module Load	Windows Registry: Windows Registry Key Modification
x_mitre_data_sources[6]	Service: Service Metadata	Command: Command Execution
x_mitre_defense_bypassed[1]	Application control	Application Control

[T1202] Indirect Command Execution

Current version: 1.1

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_attack_spec_version		2.1.0
x_mitre_deprecated		False
x_mitre_is_subtechnique		False

dictionary_item_removed
STIX Field	Old value	New Value
x_mitre_permissions_required	['User']

values_changed
STIX Field	Old value	New Value
modified	2020-06-20 22:09:22.559000+00:00	2022-05-05 05:06:38.938000+00:00
external_references[1]['source_name']	VectorSec ForFiles Aug 2017	Evi1cg Forfiles Nov 2017
external_references[1]['description']	vector_sec. (2017, August 11). Defenders watching launches of cmd? What about forfiles?. Retrieved January 22, 2018.	Evi1cg. (2017, November 26). block cmd.exe ? try this :. Retrieved January 22, 2018.
external_references[1]['url']	https://twitter.com/vector_sec/status/896049052642533376	https://twitter.com/Evi1cg/status/935027922397573120
external_references[2]['source_name']	Evi1cg Forfiles Nov 2017	RSA Forfiles Aug 2017
external_references[2]['description']	Evi1cg. (2017, November 26). block cmd.exe ? try this :. Retrieved January 22, 2018.	Partington, E. (2017, August 14). Are you looking out for forfiles.exe (if you are watching for cmd.exe). Retrieved January 22, 2018.
external_references[2]['url']	https://twitter.com/Evi1cg/status/935027922397573120	https://community.rsa.com/community/products/netwitness/blog/2017/08/14/are-you-looking-out-for-forfilesexe-if-you-are-watching-for-cmdexe
external_references[3]['source_name']	RSA Forfiles Aug 2017	VectorSec ForFiles Aug 2017
external_references[3]['description']	Partington, E. (2017, August 14). Are you looking out for forfiles.exe (if you are watching for cmd.exe). Retrieved January 22, 2018.	vector_sec. (2017, August 11). Defenders watching launches of cmd? What about forfiles?. Retrieved January 22, 2018.
external_references[3]['url']	https://community.rsa.com/community/products/netwitness/blog/2017/08/14/are-you-looking-out-for-forfilesexe-if-you-are-watching-for-cmdexe	https://twitter.com/vector_sec/status/896049052642533376
x_mitre_data_sources[0]	Command: Command Execution	Process: Process Creation
x_mitre_data_sources[1]	Process: Process Creation	Command: Command Execution
x_mitre_defense_bypassed[1]	Application control	Application Control

iterable_item_removed
STIX Field	Old value	New Value
x_mitre_defense_bypassed	Application control by file name or path

[T1553.005] Subvert Trust Controls: Mark-of-the-Web Bypass

Current version: 1.1

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-16 20:03:39.460000+00:00	2022-05-05 04:59:32.535000+00:00
x_mitre_data_sources[0]	File: File Metadata	File: File Creation
x_mitre_data_sources[1]	File: File Creation	File: File Metadata
x_mitre_defense_bypassed[0]	Anti-virus, Application control	Anti-virus

iterable_item_added
STIX Field	Old value	New Value
x_mitre_defense_bypassed		Application Control

[T1036] Masquerading

Current version: 1.4

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_attack_spec_version		2.1.0
x_mitre_deprecated		False
x_mitre_is_subtechnique		False
external_references		Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading. Retrieved April 22, 2019.
external_references		CAPEC-177

dictionary_item_removed
STIX Field	Old value	New Value
external_references	CAPEC-177
external_references	Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading. Retrieved April 22, 2019.

values_changed
STIX Field	Old value	New Value
modified	2021-10-18 13:24:52.973000+00:00	2022-05-05 04:56:08.978000+00:00
external_references[1]['source_name']	capec	Twitter ItsReallyNick Masquerading Update
external_references[1]['url']	https://capec.mitre.org/data/definitions/177.html	https://twitter.com/ItsReallyNick/status/1055321652777619457
external_references[2]['source_name']	LOLBAS Main Site	Elastic Masquerade Ball
external_references[2]['description']	LOLBAS. (n.d.). Living Off The Land Binaries and Scripts (and also Libraries). Retrieved February 10, 2020.	Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball. Retrieved October 31, 2016.
external_references[2]['url']	https://lolbas-project.github.io/	http://pages.endgame.com/rs/627-YBU-612/images/EndgameJournal_The%20Masquerade%20Ball_Pages_R2.pdf
external_references[3]['source_name']	Elastic Masquerade Ball	LOLBAS Main Site
external_references[3]['description']	Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball. Retrieved October 31, 2016.	LOLBAS. (n.d.). Living Off The Land Binaries and Scripts (and also Libraries). Retrieved February 10, 2020.
external_references[3]['url']	http://pages.endgame.com/rs/627-YBU-612/images/EndgameJournal_The%20Masquerade%20Ball_Pages_R2.pdf	https://lolbas-project.github.io/
external_references[4]['source_name']	Twitter ItsReallyNick Masquerading Update	capec
external_references[4]['url']	https://twitter.com/ItsReallyNick/status/1055321652777619457	https://capec.mitre.org/data/definitions/177.html
x_mitre_data_sources[0]	Process: Process Metadata	File: File Modification
x_mitre_data_sources[1]	Scheduled Job: Scheduled Job Modification	Service: Service Creation
x_mitre_data_sources[2]	Image: Image Metadata	Service: Service Metadata
x_mitre_data_sources[3]	Command: Command Execution	Scheduled Job: Scheduled Job Metadata
x_mitre_data_sources[5]	Scheduled Job: Scheduled Job Metadata	Command: Command Execution
x_mitre_data_sources[6]	Service: Service Metadata	Image: Image Metadata
x_mitre_data_sources[7]	Service: Service Creation	Scheduled Job: Scheduled Job Modification
x_mitre_data_sources[8]	File: File Modification	Process: Process Metadata
x_mitre_defense_bypassed[0]	Application control by file name or path	Application Control

[T1036.005] Masquerading: Match Legitimate Name or Location

Current version: 1.1

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_attack_spec_version		2.1.0
x_mitre_deprecated		False
external_references		Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading. Retrieved April 22, 2019.
external_references		CAPEC-177

dictionary_item_removed
STIX Field	Old value	New Value
external_references	CAPEC-177
external_references	Docker. (n.d.). Docker Images. Retrieved April 6, 2021.

values_changed
STIX Field	Old value	New Value
modified	2021-04-20 19:23:37.762000+00:00	2022-05-05 04:56:50.197000+00:00
external_references[1]['source_name']	capec	Twitter ItsReallyNick Masquerading Update
external_references[1]['url']	https://capec.mitre.org/data/definitions/177.html	https://twitter.com/ItsReallyNick/status/1055321652777619457
external_references[2]['source_name']	Elastic Masquerade Ball	Docker Images
external_references[2]['description']	Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball. Retrieved October 31, 2016.	Docker. (n.d.). Docker Images. Retrieved April 6, 2021.
external_references[2]['url']	http://pages.endgame.com/rs/627-YBU-612/images/EndgameJournal_The%20Masquerade%20Ball_Pages_R2.pdf	https://docs.docker.com/engine/reference/commandline/images/
external_references[3]['source_name']	Twitter ItsReallyNick Masquerading Update	Elastic Masquerade Ball
external_references[3]['description']	Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading. Retrieved April 22, 2019.	Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball. Retrieved October 31, 2016.
external_references[3]['url']	https://twitter.com/ItsReallyNick/status/1055321652777619457	http://pages.endgame.com/rs/627-YBU-612/images/EndgameJournal_The%20Masquerade%20Ball_Pages_R2.pdf
external_references[4]['source_name']	Docker Images	capec
external_references[4]['url']	https://docs.docker.com/engine/reference/commandline/images/	https://capec.mitre.org/data/definitions/177.html
x_mitre_data_sources[0]	File: File Metadata	Image: Image Metadata
x_mitre_data_sources[2]	Image: Image Metadata	File: File Metadata
x_mitre_defense_bypassed[0]	Application control by file name or path	Application Control

[T1599] Network Boundary Bridging

Current version: 1.1

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-19 21:44:17.057000+00:00	2022-05-05 05:05:44.200000+00:00
x_mitre_data_sources[0]	Network Traffic: Network Traffic Content	Network Traffic: Network Traffic Flow
x_mitre_data_sources[1]	Network Traffic: Network Traffic Flow	Network Traffic: Network Traffic Content
x_mitre_defense_bypassed[0]	Router ACL	Firewall
x_mitre_defense_bypassed[1]	Firewall	System Access Controls

[T1027] Obfuscated Files or Information

Current version: 1.2

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_attack_spec_version		2.1.0
x_mitre_deprecated		False
x_mitre_is_subtechnique		False
external_references		Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
external_references		CAPEC-267

dictionary_item_removed
STIX Field	Old value	New Value
external_references	CAPEC-267
external_references	Carr, N. (2016, August 14). OfficeCrackros. Retrieved February 12, 2018.

values_changed
STIX Field	Old value	New Value
modified	2022-03-11 16:45:38.033000+00:00	2022-05-05 05:08:05.584000+00:00
external_references[1]['source_name']	capec	Volexity PowerDuke November 2016
external_references[1]['url']	https://capec.mitre.org/data/definitions/267.html	https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/
external_references[2]['source_name']	Volexity PowerDuke November 2016	GitHub Revoke-Obfuscation
external_references[2]['description']	Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.	Bohannon, D. (2017, July 27). Revoke-Obfuscation. Retrieved February 12, 2018.
external_references[2]['url']	https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/	https://github.com/danielbohannon/Revoke-Obfuscation
external_references[3]['source_name']	Linux/Cdorked.A We Live Security Analysis	FireEye Obfuscation June 2017
external_references[3]['description']	Pierre-Marc Bureau. (2013, April 26). Linux/Cdorked.A: New Apache backdoor being used in the wild to serve Blackhole. Retrieved September 10, 2017.	Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018.
external_references[3]['url']	https://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/	https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html
external_references[4]['source_name']	Carbon Black Obfuscation Sept 2016	FireEye Revoke-Obfuscation July 2017
external_references[4]['description']	Tedesco, B. (2016, September 23). Security Alert Summary. Retrieved February 12, 2018.	Bohannon, D. & Holmes, L. (2017, July 27). Revoke-Obfuscation: PowerShell Obfuscation Detection Using Science. Retrieved February 12, 2018.
external_references[4]['url']	https://www.carbonblack.com/2016/09/23/security-advisory-variants-well-known-adware-families-discovered-include-sophisticated-obfuscation-techniques-previously-associated-nation-state-attacks/	https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/revoke-obfuscation-report.pdf
external_references[5]['source_name']	FireEye Obfuscation June 2017	GitHub Office-Crackros Aug 2016
external_references[5]['description']	Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018.	Carr, N. (2016, August 14). OfficeCrackros. Retrieved February 12, 2018.
external_references[5]['url']	https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html	https://github.com/itsreallynick/office-crackros
external_references[6]['source_name']	FireEye Revoke-Obfuscation July 2017	Linux/Cdorked.A We Live Security Analysis
external_references[6]['description']	Bohannon, D. & Holmes, L. (2017, July 27). Revoke-Obfuscation: PowerShell Obfuscation Detection Using Science. Retrieved February 12, 2018.	Pierre-Marc Bureau. (2013, April 26). Linux/Cdorked.A: New Apache backdoor being used in the wild to serve Blackhole. Retrieved September 10, 2017.
external_references[6]['url']	https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/revoke-obfuscation-report.pdf	https://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/
external_references[7]['source_name']	PaloAlto EncodedCommand March 2017	Carbon Black Obfuscation Sept 2016
external_references[7]['description']	White, J. (2017, March 10). Pulling Back the Curtains on EncodedCommand PowerShell Attacks. Retrieved February 12, 2018.	Tedesco, B. (2016, September 23). Security Alert Summary. Retrieved February 12, 2018.
external_references[7]['url']	https://researchcenter.paloaltonetworks.com/2017/03/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/	https://www.carbonblack.com/2016/09/23/security-advisory-variants-well-known-adware-families-discovered-include-sophisticated-obfuscation-techniques-previously-associated-nation-state-attacks/
external_references[8]['source_name']	GitHub Revoke-Obfuscation	PaloAlto EncodedCommand March 2017
external_references[8]['description']	Bohannon, D. (2017, July 27). Revoke-Obfuscation. Retrieved February 12, 2018.	White, J. (2017, March 10). Pulling Back the Curtains on EncodedCommand PowerShell Attacks. Retrieved February 12, 2018.
external_references[8]['url']	https://github.com/danielbohannon/Revoke-Obfuscation	https://researchcenter.paloaltonetworks.com/2017/03/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/
external_references[9]['source_name']	GitHub Office-Crackros Aug 2016	capec
external_references[9]['url']	https://github.com/itsreallynick/office-crackros	https://capec.mitre.org/data/definitions/267.html
x_mitre_data_sources[0]	Process: Process Creation	Command: Command Execution
x_mitre_data_sources[1]	File: File Metadata	File: File Creation
x_mitre_data_sources[2]	File: File Creation	File: File Metadata
x_mitre_data_sources[3]	Command: Command Execution	Process: Process Creation
x_mitre_defense_bypassed[0]	Host forensic analysis	Host Forensic Analysis
x_mitre_defense_bypassed[1]	Signature-based detection	Signature-based Detection
x_mitre_defense_bypassed[2]	Host intrusion prevention systems	Host Intrusion Prevention Systems
x_mitre_defense_bypassed[3]	Application control	Application Control
x_mitre_defense_bypassed[4]	Log analysis	Log Analysis

iterable_item_removed
STIX Field	Old value	New Value
x_mitre_defense_bypassed	Application control by file name or path

[T1134.004] Access Token Manipulation: Parent PID Spoofing

Current version: 1.0

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_attack_spec_version		2.1.0
x_mitre_deprecated		False

values_changed
STIX Field	Old value	New Value
modified	2021-02-09 14:11:20.296000+00:00	2022-05-03 02:15:42.360000+00:00
external_references[1]['source_name']	DidierStevens SelectMyParent Nov 2009	XPNSec PPID Nov 2017
external_references[1]['description']	Stevens, D. (2009, November 22). Quickpost: SelectMyParent or Playing With the Windows Process Tree. Retrieved June 3, 2019.	Chester, A. (2017, November 20). Alternative methods of becoming SYSTEM. Retrieved June 4, 2019.
external_references[1]['url']	https://blog.didierstevens.com/2009/11/22/quickpost-selectmyparent-or-playing-with-the-windows-process-tree/	https://blog.xpnsec.com/becoming-system/
external_references[2]['source_name']	Microsoft UAC Nov 2018	CounterCept PPID Spoofing Dec 2018
external_references[2]['description']	Montemayor, D. et al.. (2018, November 15). How User Account Control works. Retrieved June 3, 2019.	Loh, I. (2018, December 21). Detecting Parent PID Spoofing. Retrieved June 3, 2019.
external_references[2]['url']	https://docs.microsoft.com/windows/security/identity-protection/user-account-control/how-user-account-control-works	https://www.countercept.com/blog/detecting-parent-pid-spoofing/
external_references[3]['source_name']	CounterCept PPID Spoofing Dec 2018	Microsoft UAC Nov 2018
external_references[3]['description']	Loh, I. (2018, December 21). Detecting Parent PID Spoofing. Retrieved June 3, 2019.	Montemayor, D. et al.. (2018, November 15). How User Account Control works. Retrieved June 3, 2019.
external_references[3]['url']	https://www.countercept.com/blog/detecting-parent-pid-spoofing/	https://docs.microsoft.com/windows/security/identity-protection/user-account-control/how-user-account-control-works
external_references[4]['source_name']	CTD PPID Spoofing Macro Mar 2019	Microsoft Process Creation Flags May 2018
external_references[4]['description']	Tafani-Dereeper, C. (2019, March 12). Building an Office macro to spoof parent processes and command line arguments. Retrieved June 3, 2019.	Schofield, M. & Satran, M. (2018, May 30). Process Creation Flags. Retrieved June 4, 2019.
external_references[4]['url']	https://blog.christophetd.fr/building-an-office-macro-to-spoof-process-parent-and-command-line/	https://docs.microsoft.com/windows/desktop/ProcThread/process-creation-flags
external_references[5]['source_name']	XPNSec PPID Nov 2017	Secuirtyinbits Ataware3 May 2019
external_references[5]['description']	Chester, A. (2017, November 20). Alternative methods of becoming SYSTEM. Retrieved June 4, 2019.	Secuirtyinbits . (2019, May 14). Parent PID Spoofing (Stage 2) Ataware Ransomware Part 3. Retrieved June 6, 2019.
external_references[5]['url']	https://blog.xpnsec.com/becoming-system/	https://www.securityinbits.com/malware-analysis/parent-pid-spoofing-stage-2-ataware-ransomware-part-3
external_references[6]['source_name']	Microsoft Process Creation Flags May 2018	DidierStevens SelectMyParent Nov 2009
external_references[6]['description']	Schofield, M. & Satran, M. (2018, May 30). Process Creation Flags. Retrieved June 4, 2019.	Stevens, D. (2009, November 22). Quickpost: SelectMyParent or Playing With the Windows Process Tree. Retrieved June 3, 2019.
external_references[6]['url']	https://docs.microsoft.com/windows/desktop/ProcThread/process-creation-flags	https://blog.didierstevens.com/2009/11/22/quickpost-selectmyparent-or-playing-with-the-windows-process-tree/
external_references[7]['source_name']	Secuirtyinbits Ataware3 May 2019	CTD PPID Spoofing Macro Mar 2019
external_references[7]['description']	Secuirtyinbits . (2019, May 14). Parent PID Spoofing (Stage 2) Ataware Ransomware Part 3. Retrieved June 6, 2019.	Tafani-Dereeper, C. (2019, March 12). Building an Office macro to spoof parent processes and command line arguments. Retrieved June 3, 2019.
external_references[7]['url']	https://www.securityinbits.com/malware-analysis/parent-pid-spoofing-stage-2-ataware-ransomware-part-3	https://blog.christophetd.fr/building-an-office-macro-to-spoof-process-parent-and-command-line/
x_mitre_data_sources[0]	Process: Process Creation	Process: OS API Execution
x_mitre_data_sources[2]	Process: OS API Execution	Process: Process Creation
x_mitre_defense_bypassed[1]	Host forensic analysis	Host Forensic Analysis

[T1574.007] Hijack Execution Flow: Path Interception by PATH Environment Variable

Current version: 1.0

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_attack_spec_version		2.1.0
x_mitre_deprecated		False

values_changed
STIX Field	Old value	New Value
modified	2020-09-16 16:56:34.583000+00:00	2022-05-05 04:08:56.402000+00:00
x_mitre_data_sources[0]	File: File Modification	Process: Process Creation
x_mitre_data_sources[1]	File: File Creation	Windows Registry: Windows Registry Key Modification
x_mitre_data_sources[2]	Windows Registry: Windows Registry Key Modification	File: File Creation
x_mitre_data_sources[3]	Process: Process Creation	File: File Modification
x_mitre_defense_bypassed[0]	Application control	Application Control

[T1564.009] Hide Artifacts: Resource Forking

Current version: 1.0

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_attack_spec_version		2.1.0
x_mitre_deprecated		False

dictionary_item_removed
STIX Field	Old value	New Value
x_mitre_permissions_required	['User']

values_changed
STIX Field	Old value	New Value
modified	2021-10-16 01:50:40.276000+00:00	2022-05-05 05:10:23.890000+00:00
external_references[1]['source_name']	macOS Hierarchical File System Overview	tau bundlore erika noerenberg 2020
external_references[1]['description']	Tenon. (n.d.). Retrieved October 12, 2021.	Erika Noerenberg. (2020, June 29). TAU Threat Analysis: Bundlore (macOS) mm-install-macos. Retrieved October 12, 2021.
external_references[1]['url']	http://tenon.com/products/codebuilder/User_Guide/6_File_Systems.html#anchor520553	https://blogs.vmware.com/security/2020/06/tau-threat-analysis-bundlore-macos-mm-install-macos.html
external_references[5]['source_name']	tau bundlore erika noerenberg 2020	macOS Hierarchical File System Overview
external_references[5]['description']	Erika Noerenberg. (2020, June 29). TAU Threat Analysis: Bundlore (macOS) mm-install-macos. Retrieved October 12, 2021.	Tenon. (n.d.). Retrieved October 12, 2021.
external_references[5]['url']	https://blogs.vmware.com/security/2020/06/tau-threat-analysis-bundlore-macos-mm-install-macos.html	http://tenon.com/products/codebuilder/User_Guide/6_File_Systems.html#anchor520553
x_mitre_data_sources[0]	File: File Metadata	Process: Process Creation
x_mitre_data_sources[1]	File: File Creation	Command: Command Execution
x_mitre_data_sources[2]	Command: Command Execution	File: File Creation
x_mitre_data_sources[3]	Process: Process Creation	File: File Metadata
x_mitre_defense_bypassed[0]	Notarization; Gatekeeper	Notarization

iterable_item_added
STIX Field	Old value	New Value
x_mitre_defense_bypassed		Gatekeeper

[T1014] Rootkit

Current version: 1.1

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_attack_spec_version		2.1.0
x_mitre_deprecated		False
x_mitre_is_subtechnique		False
external_references		Kurtz, G. (2012, November 19). HTTP iframe Injecting Linux Rootkit. Retrieved December 21, 2017.
external_references		CAPEC-552

dictionary_item_removed
STIX Field	Old value	New Value
x_mitre_permissions_required	['Administrator', 'SYSTEM', 'root']
external_references	CAPEC-552
external_references	Pan, M., Tsai, S. (2014). You can’t see me: A Mac OS X Rootkit uses the tricks you haven't known yet. Retrieved December 21, 2017.

values_changed
STIX Field	Old value	New Value
modified	2020-06-20 22:29:55.496000+00:00	2022-05-05 05:09:39.723000+00:00
external_references[1]['source_name']	capec	CrowdStrike Linux Rootkit
external_references[1]['url']	https://capec.mitre.org/data/definitions/552.html	https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/
external_references[2]['source_name']	Symantec Windows Rootkits	BlackHat Mac OSX Rootkit
external_references[2]['description']	Symantec. (n.d.). Windows Rootkit Overview. Retrieved December 21, 2017.	Pan, M., Tsai, S. (2014). You can’t see me: A Mac OS X Rootkit uses the tricks you haven't known yet. Retrieved December 21, 2017.
external_references[2]['url']	https://www.symantec.com/avcenter/reference/windows.rootkit.overview.pdf	http://www.blackhat.com/docs/asia-14/materials/Tsai/WP-Asia-14-Tsai-You-Cant-See-Me-A-Mac-OS-X-Rootkit-Uses-The-Tricks-You-Havent-Known-Yet.pdf
external_references[3]['source_name']	Wikipedia Rootkit	Symantec Windows Rootkits
external_references[3]['description']	Wikipedia. (2016, June 1). Rootkit. Retrieved June 2, 2016.	Symantec. (n.d.). Windows Rootkit Overview. Retrieved December 21, 2017.
external_references[3]['url']	https://en.wikipedia.org/wiki/Rootkit	https://www.symantec.com/avcenter/reference/windows.rootkit.overview.pdf
external_references[4]['source_name']	CrowdStrike Linux Rootkit	Wikipedia Rootkit
external_references[4]['description']	Kurtz, G. (2012, November 19). HTTP iframe Injecting Linux Rootkit. Retrieved December 21, 2017.	Wikipedia. (2016, June 1). Rootkit. Retrieved June 2, 2016.
external_references[4]['url']	https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/	https://en.wikipedia.org/wiki/Rootkit
external_references[5]['source_name']	BlackHat Mac OSX Rootkit	capec
external_references[5]['url']	http://www.blackhat.com/docs/asia-14/materials/Tsai/WP-Asia-14-Tsai-You-Cant-See-Me-A-Mac-OS-X-Rootkit-Uses-The-Tricks-You-Havent-Known-Yet.pdf	https://capec.mitre.org/data/definitions/552.html
x_mitre_data_sources[0]	File: File Modification	Firmware: Firmware Modification
x_mitre_data_sources[2]	Firmware: Firmware Modification	File: File Modification
x_mitre_defense_bypassed[0]	File monitoring	Anti-virus
x_mitre_defense_bypassed[1]	Host intrusion prevention systems	File Monitoring
x_mitre_defense_bypassed[2]	Application control	Host Intrusion Prevention Systems
x_mitre_defense_bypassed[3]	Signature-based detection	Application Control
x_mitre_defense_bypassed[4]	System access controls	Signature-based Detection
x_mitre_defense_bypassed[5]	Application control by file name or path	System Access Controls

iterable_item_removed
STIX Field	Old value	New Value
x_mitre_defense_bypassed	Anti-virus

[T1553.003] Subvert Trust Controls: SIP and Trust Provider Hijacking

Current version: 1.0

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_attack_spec_version		2.1.0
x_mitre_deprecated		False

dictionary_item_removed
STIX Field	Old value	New Value
x_mitre_permissions_required	['SYSTEM', 'Administrator']

values_changed
STIX Field	Old value	New Value
modified	2021-02-09 15:58:04.719000+00:00	2022-05-05 04:58:58.214000+00:00
external_references[1]['source_name']	Microsoft Authenticode	Entrust Enable CAPI2 Aug 2017
external_references[1]['description']	Microsoft. (n.d.). Authenticode. Retrieved January 31, 2018.	Entrust Datacard. (2017, August 16). How do I enable CAPI 2.0 logging in Windows Vista, Windows 7 and Windows 2008 Server?. Retrieved January 31, 2018.
external_references[1]['url']	https://msdn.microsoft.com/library/ms537359.aspx	http://www.entrust.net/knowledge-base/technote.cfm?tn=8165
external_references[2]['source_name']	Microsoft WinVerifyTrust	GitHub SIP POC Sept 2017
external_references[2]['description']	Microsoft. (n.d.). WinVerifyTrust function. Retrieved January 31, 2018.	Graeber, M. (2017, September 14). PoCSubjectInterfacePackage. Retrieved January 31, 2018.
external_references[2]['url']	https://msdn.microsoft.com/library/windows/desktop/aa388208.aspx	https://github.com/mattifestation/PoCSubjectInterfacePackage
external_references[4]['source_name']	EduardosBlog SIPs July 2008	Microsoft Catalog Files and Signatures April 2017
external_references[4]['description']	Navarro, E. (2008, July 11). SIP’s (Subject Interface Package) and Authenticode. Retrieved January 31, 2018.	Hudek, T. (2017, April 20). Catalog Files and Digital Signatures. Retrieved January 31, 2018.
external_references[4]['url']	https://blogs.technet.microsoft.com/eduardonavarro/2008/07/11/sips-subject-interface-package-and-authenticode/	https://docs.microsoft.com/windows-hardware/drivers/install/catalog-files
external_references[5]['source_name']	Microsoft Catalog Files and Signatures April 2017	Microsoft Audit Registry July 2012
external_references[5]['description']	Hudek, T. (2017, April 20). Catalog Files and Digital Signatures. Retrieved January 31, 2018.	Microsoft. (2012, July 2). Audit Registry. Retrieved January 31, 2018.
external_references[5]['url']	https://docs.microsoft.com/windows-hardware/drivers/install/catalog-files	https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd941614(v=ws.10)
external_references[6]['source_name']	GitHub SIP POC Sept 2017	Microsoft Registry Auditing Aug 2016
external_references[6]['description']	Graeber, M. (2017, September 14). PoCSubjectInterfacePackage. Retrieved January 31, 2018.	Microsoft. (2016, August 31). Registry (Global Object Access Auditing). Retrieved January 31, 2018.
external_references[6]['url']	https://github.com/mattifestation/PoCSubjectInterfacePackage	https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn311461(v=ws.11)
external_references[7]['source_name']	Entrust Enable CAPI2 Aug 2017	Microsoft Authenticode
external_references[7]['description']	Entrust Datacard. (2017, August 16). How do I enable CAPI 2.0 logging in Windows Vista, Windows 7 and Windows 2008 Server?. Retrieved January 31, 2018.	Microsoft. (n.d.). Authenticode. Retrieved January 31, 2018.
external_references[7]['url']	http://www.entrust.net/knowledge-base/technote.cfm?tn=8165	https://msdn.microsoft.com/library/ms537359.aspx
external_references[8]['source_name']	Microsoft Registry Auditing Aug 2016	Microsoft WinVerifyTrust
external_references[8]['description']	Microsoft. (2016, August 31). Registry (Global Object Access Auditing). Retrieved January 31, 2018.	Microsoft. (n.d.). WinVerifyTrust function. Retrieved January 31, 2018.
external_references[8]['url']	https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn311461(v=ws.11)	https://msdn.microsoft.com/library/windows/desktop/aa388208.aspx
external_references[9]['source_name']	Microsoft Audit Registry July 2012	EduardosBlog SIPs July 2008
external_references[9]['description']	Microsoft. (2012, July 2). Audit Registry. Retrieved January 31, 2018.	Navarro, E. (2008, July 11). SIP’s (Subject Interface Package) and Authenticode. Retrieved January 31, 2018.
external_references[9]['url']	https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd941614(v=ws.10)	https://blogs.technet.microsoft.com/eduardonavarro/2008/07/11/sips-subject-interface-package-and-authenticode/
x_mitre_data_sources[0]	Module: Module Load	File: File Modification
x_mitre_data_sources[2]	File: File Modification	Module: Module Load

iterable_item_added
STIX Field	Old value	New Value
x_mitre_defense_bypassed		Application Control

iterable_item_removed
STIX Field	Old value	New Value
x_mitre_defense_bypassed	Application control

[T1574.011] Hijack Execution Flow: Services Registry Permissions Weakness

Current version: 1.1

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_attack_spec_version		2.1.0
x_mitre_deprecated		False
external_references		@r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved April 9, 2018.
external_references		CAPEC-478

dictionary_item_removed
STIX Field	Old value	New Value
external_references	CAPEC-478
external_references	Mark Russinovich. (2019, June 28). Autoruns for Windows v13.96. Retrieved March 13, 2020.

values_changed
STIX Field	Old value	New Value
modified	2021-10-14 23:52:52.058000+00:00	2022-05-05 04:53:45.640000+00:00
external_references[1]['source_name']	capec	Tweet Registry Perms Weakness
external_references[1]['url']	https://capec.mitre.org/data/definitions/478.html	https://twitter.com/r0wdy_/status/936365549553991680
external_references[2]['source_name']	Registry Key Security	insecure_reg_perms
external_references[2]['description']	Microsoft. (2018, May 31). Registry Key Security and Access Rights. Retrieved March 16, 2017.	Clément Labro. (2020, November 12). Windows RpcEptMapper Service Insecure Registry Permissions EoP. Retrieved August 25, 2021.
external_references[2]['url']	https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-key-security-and-access-rights?redirectedfrom=MSDN	https://itm4n.github.io/windows-registry-rpceptmapper-eop/
external_references[3]['source_name']	malware_hides_service	Kansa Service related collectors
external_references[3]['description']	Lawrence Abrams. (2004, September 10). How Malware hides and is installed as a Service. Retrieved August 30, 2021.	Hull, D.. (2014, May 3). Kansa: Service related collectors and analysis. Retrieved October 10, 2019.
external_references[3]['url']	https://www.bleepingcomputer.com/tutorials/how-malware-hides-as-a-service/	https://trustedsignal.blogspot.com/2014/05/kansa-service-related-collectors-and.html
external_references[4]['source_name']	Kansa Service related collectors	malware_hides_service
external_references[4]['description']	Hull, D.. (2014, May 3). Kansa: Service related collectors and analysis. Retrieved October 10, 2019.	Lawrence Abrams. (2004, September 10). How Malware hides and is installed as a Service. Retrieved August 30, 2021.
external_references[4]['url']	https://trustedsignal.blogspot.com/2014/05/kansa-service-related-collectors-and.html	https://www.bleepingcomputer.com/tutorials/how-malware-hides-as-a-service/
external_references[5]['source_name']	Tweet Registry Perms Weakness	Autoruns for Windows
external_references[5]['description']	@r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved April 9, 2018.	Mark Russinovich. (2019, June 28). Autoruns for Windows v13.96. Retrieved March 13, 2020.
external_references[5]['url']	https://twitter.com/r0wdy_/status/936365549553991680	https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
external_references[6]['source_name']	microsoft_services_registry_tree	Registry Key Security
external_references[6]['description']	Microsoft. (2021, August 5). HKLM\SYSTEM\CurrentControlSet\Services Registry Tree. Retrieved August 25, 2021.	Microsoft. (2018, May 31). Registry Key Security and Access Rights. Retrieved March 16, 2017.
external_references[6]['url']	https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree	https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-key-security-and-access-rights?redirectedfrom=MSDN
external_references[7]['source_name']	insecure_reg_perms	microsoft_services_registry_tree
external_references[7]['description']	Clément Labro. (2020, November 12). Windows RpcEptMapper Service Insecure Registry Permissions EoP. Retrieved August 25, 2021.	Microsoft. (2021, August 5). HKLM\SYSTEM\CurrentControlSet\Services Registry Tree. Retrieved August 25, 2021.
external_references[7]['url']	https://itm4n.github.io/windows-registry-rpceptmapper-eop/	https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree
external_references[9]['source_name']	Autoruns for Windows	capec
external_references[9]['url']	https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns	https://capec.mitre.org/data/definitions/478.html
x_mitre_data_sources[0]	Windows Registry: Windows Registry Key Modification	Command: Command Execution
x_mitre_data_sources[1]	Service: Service Modification	Process: Process Creation
x_mitre_data_sources[2]	Process: Process Creation	Service: Service Modification
x_mitre_data_sources[3]	Command: Command Execution	Windows Registry: Windows Registry Key Modification
x_mitre_defense_bypassed[0]	Application control	Application Control

[T1553] Subvert Trust Controls

Current version: 1.1

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_attack_spec_version		2.1.0
x_mitre_deprecated		False
x_mitre_is_subtechnique		False

values_changed
STIX Field	Old value	New Value
modified	2022-03-24 14:12:38.264000+00:00	2022-05-05 05:04:52.387000+00:00
external_references[1]['source_name']	SpectorOps Subverting Trust Sept 2017	SpectorOps Code Signing Dec 2017
external_references[1]['description']	Graeber, M. (2017, September). Subverting Trust in Windows. Retrieved January 31, 2018.	Graeber, M. (2017, December 22). Code Signing Certificate Cloning Attacks and Defenses. Retrieved April 3, 2018.
external_references[1]['url']	https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf	https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec
external_references[2]['source_name']	Securelist Digital Certificates	SpectorOps Subverting Trust Sept 2017
external_references[2]['description']	Ladikov, A. (2015, January 29). Why You Shouldn’t Completely Trust Files Signed with Digital Certificates. Retrieved March 31, 2016.	Graeber, M. (2017, September). Subverting Trust in Windows. Retrieved January 31, 2018.
external_references[2]['url']	https://securelist.com/why-you-shouldnt-completely-trust-files-signed-with-digital-certificates/68593/	https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf
external_references[3]['source_name']	Symantec Digital Certificates	Securelist Digital Certificates
external_references[3]['description']	Shinotsuka, H. (2013, February 22). How Attackers Steal Private Keys from Digital Certificates. Retrieved March 31, 2016.	Ladikov, A. (2015, January 29). Why You Shouldn’t Completely Trust Files Signed with Digital Certificates. Retrieved March 31, 2016.
external_references[3]['url']	http://www.symantec.com/connect/blogs/how-attackers-steal-private-keys-digital-certificates	https://securelist.com/why-you-shouldnt-completely-trust-files-signed-with-digital-certificates/68593/
external_references[4]['source_name']	SpectorOps Code Signing Dec 2017	Symantec Digital Certificates
external_references[4]['description']	Graeber, M. (2017, December 22). Code Signing Certificate Cloning Attacks and Defenses. Retrieved April 3, 2018.	Shinotsuka, H. (2013, February 22). How Attackers Steal Private Keys from Digital Certificates. Retrieved March 31, 2016.
external_references[4]['url']	https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec	http://www.symantec.com/connect/blogs/how-attackers-steal-private-keys-digital-certificates
x_mitre_data_sources[0]	File: File Modification	File: File Metadata
x_mitre_data_sources[1]	Windows Registry: Windows Registry Key Creation	Process: Process Creation
x_mitre_data_sources[2]	Command: Command Execution	Module: Module Load
x_mitre_data_sources[4]	Module: Module Load	Command: Command Execution
x_mitre_data_sources[5]	Process: Process Creation	Windows Registry: Windows Registry Key Creation
x_mitre_data_sources[6]	File: File Metadata	File: File Modification

iterable_item_added
STIX Field	Old value	New Value
x_mitre_defense_bypassed		Application Control

iterable_item_removed
STIX Field	Old value	New Value
x_mitre_defense_bypassed	Application control
x_mitre_defense_bypassed	Process whitelisting

[T1127] Trusted Developer Utilities Proxy Execution

Current version: 1.2

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_attack_spec_version		2.1.0
x_mitre_deprecated		False
x_mitre_is_subtechnique		False

dictionary_item_removed
STIX Field	Old value	New Value
x_mitre_permissions_required	['User']

values_changed
STIX Field	Old value	New Value
modified	2021-10-15 23:57:08.312000+00:00	2022-05-05 05:00:37.443000+00:00
external_references[1]['source_name']	engima0x3 DNX Bypass	Exploit Monday WinDbg
external_references[1]['description']	Nelson, M. (2017, November 17). Bypassing Application Whitelisting By Using dnx.exe. Retrieved May 25, 2017.	Graeber, M. (2016, August 15). Bypassing Application Whitelisting by using WinDbg/CDB as a Shellcode Runner. Retrieved May 26, 2017.
external_references[1]['url']	https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/	http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html
external_references[2]['source_name']	engima0x3 RCSI Bypass	LOLBAS Tracker
external_references[2]['description']	Nelson, M. (2016, November 21). Bypassing Application Whitelisting By Using rcsi.exe. Retrieved May 26, 2017.	LOLBAS. (n.d.). Tracker.exe. Retrieved July 31, 2019.
external_references[2]['url']	https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/	https://lolbas-project.github.io/lolbas/OtherMSBinaries/Tracker/
external_references[3]['source_name']	Exploit Monday WinDbg	engima0x3 RCSI Bypass
external_references[3]['description']	Graeber, M. (2016, August 15). Bypassing Application Whitelisting by using WinDbg/CDB as a Shellcode Runner. Retrieved May 26, 2017.	Nelson, M. (2016, November 21). Bypassing Application Whitelisting By Using rcsi.exe. Retrieved May 26, 2017.
external_references[3]['url']	http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html	https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/
external_references[4]['source_name']	LOLBAS Tracker	engima0x3 DNX Bypass
external_references[4]['description']	LOLBAS. (n.d.). Tracker.exe. Retrieved July 31, 2019.	Nelson, M. (2017, November 17). Bypassing Application Whitelisting By Using dnx.exe. Retrieved May 25, 2017.
external_references[4]['url']	https://lolbas-project.github.io/lolbas/OtherMSBinaries/Tracker/	https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/
x_mitre_data_sources[0]	Process: Process Creation	Command: Command Execution
x_mitre_data_sources[1]	Command: Command Execution	Process: Process Creation
x_mitre_defense_bypassed[0]	Application control	Application Control

[T1078] Valid Accounts

Current version: 2.4

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_attack_spec_version		2.1.0
x_mitre_deprecated		False
x_mitre_is_subtechnique		False
external_references		Cybersecurity and Infrastructure Security Agency. (2022, March 15). Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability. Retrieved March 16, 2022.
external_references		CAPEC-560

dictionary_item_removed
STIX Field	Old value	New Value
external_references	CAPEC-560
external_references	Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved June 3, 2016.

values_changed
STIX Field	Old value	New Value
modified	2022-04-01 15:20:44.039000+00:00	2022-05-05 04:55:21.981000+00:00
external_references[1]['source_name']	capec	CISA MFA PrintNightmare
external_references[1]['url']	https://capec.mitre.org/data/definitions/560.html	https://www.cisa.gov/uscert/ncas/alerts/aa22-074a
external_references[2]['source_name']	CISA MFA PrintNightmare	TechNet Credential Theft
external_references[2]['description']	Cybersecurity and Infrastructure Security Agency. (2022, March 15). Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability. Retrieved March 16, 2022.	Microsoft. (2016, April 15). Attractive Accounts for Credential Theft. Retrieved June 3, 2016.
external_references[2]['url']	https://www.cisa.gov/uscert/ncas/alerts/aa22-074a	https://technet.microsoft.com/en-us/library/dn535501.aspx
external_references[3]['source_name']	TechNet Credential Theft	TechNet Audit Policy
external_references[3]['description']	Microsoft. (2016, April 15). Attractive Accounts for Credential Theft. Retrieved June 3, 2016.	Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved June 3, 2016.
external_references[3]['url']	https://technet.microsoft.com/en-us/library/dn535501.aspx	https://technet.microsoft.com/en-us/library/dn487457.aspx
external_references[4]['source_name']	TechNet Audit Policy	capec
external_references[4]['url']	https://technet.microsoft.com/en-us/library/dn487457.aspx	https://capec.mitre.org/data/definitions/560.html
x_mitre_data_sources[0]	Logon Session: Logon Session Metadata	Logon Session: Logon Session Creation
x_mitre_data_sources[2]	Logon Session: Logon Session Creation	Logon Session: Logon Session Metadata
x_mitre_defense_bypassed[1]	Host intrusion prevention systems	Anti-virus
x_mitre_defense_bypassed[2]	Network intrusion detection system	Host Intrusion Prevention Systems
x_mitre_defense_bypassed[3]	Application control	Network Intrusion Detection System
x_mitre_defense_bypassed[4]	System access controls	Application Control
x_mitre_defense_bypassed[5]	Anti-virus	System Access Controls

[T1220] XSL Script Processing

Current version: 1.2

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_attack_spec_version		2.1.0
x_mitre_deprecated		False
x_mitre_is_subtechnique		False

dictionary_item_removed
STIX Field	Old value	New Value
x_mitre_permissions_required	['User']

values_changed
STIX Field	Old value	New Value
modified	2021-02-09 15:07:00.842000+00:00	2022-05-05 05:04:14.238000+00:00
external_references[1]['source_name']	Microsoft XSLT Script Mar 2017	Reaqta MSXSL Spearphishing MAR 2018
external_references[1]['description']	Wenzel, M. et al. (2017, March 30). XSLT Stylesheet Scripting Using . Retrieved July 3, 2018.	Admin. (2018, March 2). Spear-phishing campaign leveraging on MSXSL. Retrieved July 3, 2018.
external_references[1]['url']	https://docs.microsoft.com/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script	https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/
external_references[2]['source_name']	Microsoft msxsl.exe	Twitter SquiblyTwo Detection APR 2018
external_references[2]['description']	Microsoft. (n.d.). Command Line Transformation Utility (msxsl.exe). Retrieved July 3, 2018.	Desimone, J. (2018, April 18). Status Update. Retrieved July 3, 2018.
external_references[2]['url']	https://www.microsoft.com/download/details.aspx?id=21714	https://twitter.com/dez_/status/986614411711442944
external_references[3]['source_name']	Penetration Testing Lab MSXSL July 2017	LOLBAS Wmic
external_references[3]['description']	netbiosX. (2017, July 6). AppLocker Bypass – MSXSL. Retrieved July 3, 2018.	LOLBAS. (n.d.). Wmic.exe. Retrieved July 31, 2019.
external_references[3]['url']	https://pentestlab.blog/2017/07/06/applocker-bypass-msxsl/	https://lolbas-project.github.io/lolbas/Binaries/Wmic/
external_references[4]['source_name']	Reaqta MSXSL Spearphishing MAR 2018	Microsoft msxsl.exe
external_references[4]['description']	Admin. (2018, March 2). Spear-phishing campaign leveraging on MSXSL. Retrieved July 3, 2018.	Microsoft. (n.d.). Command Line Transformation Utility (msxsl.exe). Retrieved July 3, 2018.
external_references[4]['url']	https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/	https://www.microsoft.com/download/details.aspx?id=21714
external_references[5]['source_name']	XSL Bypass Mar 2019	Penetration Testing Lab MSXSL July 2017
external_references[5]['description']	Singh, A. (2019, March 14). MSXSL.EXE and WMIC.EXE — A Way to Proxy Code Execution. Retrieved August 2, 2019.	netbiosX. (2017, July 6). AppLocker Bypass – MSXSL. Retrieved July 3, 2018.
external_references[5]['url']	https://medium.com/@threathuntingteam/msxsl-exe-and-wmic-exe-a-way-to-proxy-code-execution-8d524f642b75	https://pentestlab.blog/2017/07/06/applocker-bypass-msxsl/
external_references[6]['source_name']	LOLBAS Wmic	XSL Bypass Mar 2019
external_references[6]['description']	LOLBAS. (n.d.). Wmic.exe. Retrieved July 31, 2019.	Singh, A. (2019, March 14). MSXSL.EXE and WMIC.EXE — A Way to Proxy Code Execution. Retrieved August 2, 2019.
external_references[6]['url']	https://lolbas-project.github.io/lolbas/Binaries/Wmic/	https://medium.com/@threathuntingteam/msxsl-exe-and-wmic-exe-a-way-to-proxy-code-execution-8d524f642b75
external_references[7]['source_name']	Twitter SquiblyTwo Detection APR 2018	Microsoft XSLT Script Mar 2017
external_references[7]['description']	Desimone, J. (2018, April 18). Status Update. Retrieved July 3, 2018.	Wenzel, M. et al. (2017, March 30). XSLT Stylesheet Scripting Using . Retrieved July 3, 2018.
external_references[7]['url']	https://twitter.com/dez_/status/986614411711442944	https://docs.microsoft.com/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script
x_mitre_data_sources[0]	Module: Module Load	Process: Process Creation
x_mitre_data_sources[1]	Process: Process Creation	Module: Module Load
x_mitre_defense_bypassed[1]	Application control	Digital Certificate Validation
x_mitre_defense_bypassed[2]	Digital Certificate Validation	Application Control

ics-attack

Patches

[T0800] Activate Firmware Update Mode

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.828000+00:00	2022-05-06 17:47:23.886000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0800	https://attack.mitre.org/techniques/T0800

[T0878] Alarm Suppression

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.830000+00:00	2022-05-06 17:47:23.889000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0878	https://attack.mitre.org/techniques/T0878
x_mitre_platforms[2]	Device Configuration/Parameters	Device Configuration/Parameters

[T0802] Automated Collection

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.830000+00:00	2022-05-06 17:47:23.889000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0802	https://attack.mitre.org/techniques/T0802

[T0803] Block Command Message

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.832000+00:00	2022-05-06 17:47:23.891000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0803	https://attack.mitre.org/techniques/T0803
x_mitre_platforms[1]	Device Configuration/Parameters	Device Configuration/Parameters

[T0804] Block Reporting Message

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.834000+00:00	2022-05-06 17:47:23.892000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0804	https://attack.mitre.org/techniques/T0804

[T0805] Block Serial COM

Current version: 1.0

New Detections:

DS0029: Network Traffic (Network Connection Creation)
DS0029: Network Traffic (Network Traffic Flow)

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.834000+00:00	2022-05-06 17:47:23.892000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0805	https://attack.mitre.org/techniques/T0805
x_mitre_data_sources[0]	Network Traffic: Network Traffic Flow [https://github.com/mitre-attack/attack-datasources/blob/main/contribution-ics/network_traffic.yml Network Traffic: Network Connection Creation	Network Traffic: Network Traffic Flow

iterable_item_added
STIX Field	Old value	New Value
x_mitre_data_sources		Network Traffic: Network Connection Creation

[T0806] Brute Force I/O

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.834000+00:00	2022-05-06 17:47:23.893000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0806	https://attack.mitre.org/techniques/T0806

[T0858] Change Operating Mode

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.838000+00:00	2022-05-06 17:47:23.897000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0858	https://attack.mitre.org/techniques/T0858

[T0807] Command-Line Interface

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.839000+00:00	2022-05-06 17:47:23.898000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0807	https://attack.mitre.org/techniques/T0807
x_mitre_platforms[1]	Data Historian	Data Historian
x_mitre_platforms[2]	Field Controller/RTU/PLC/IED	Field Controller/RTU/PLC/IED
x_mitre_platforms[3]	Human-Machine Interface	Human-Machine Interface
x_mitre_platforms[4]	Input/Output Server	Input/Output Server

[T0885] Commonly Used Port

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.840000+00:00	2022-05-06 17:47:23.898000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0885	https://attack.mitre.org/techniques/T0885

[T0884] Connection Proxy

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.841000+00:00	2022-05-06 17:47:23.900000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0884	https://attack.mitre.org/techniques/T0884

[T0879] Damage to Property

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.844000+00:00	2022-05-06 17:47:23.903000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0879	https://attack.mitre.org/techniques/T0879

[T0809] Data Destruction

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.845000+00:00	2022-05-06 17:47:23.904000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0809	https://attack.mitre.org/techniques/T0809

[T0811] Data from Information Repositories

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.846000+00:00	2022-05-06 17:47:23.905000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0811	https://attack.mitre.org/techniques/T0811

[T0812] Default Credentials

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.847000+00:00	2022-05-06 17:47:23.906000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0812	https://attack.mitre.org/techniques/T0812

[T0813] Denial of Control

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.849000+00:00	2022-05-06 17:47:23.908000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T813	https://attack.mitre.org/techniques/T0813

[T0814] Denial of Service

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.851000+00:00	2022-05-06 17:47:23.911000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0814	https://attack.mitre.org/techniques/T0814

[T0815] Denial of View

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.853000+00:00	2022-05-06 17:47:23.912000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0815	https://attack.mitre.org/techniques/T0815

[T0868] Detect Operating Mode

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.856000+00:00	2022-05-06 17:47:23.916000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0868	https://attack.mitre.org/techniques/T0868

[T0816] Device Restart/Shutdown

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.856000+00:00	2022-05-06 17:47:23.917000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0816	https://attack.mitre.org/techniques/T0816

[T0817] Drive-by Compromise

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.858000+00:00	2022-05-06 17:47:23.918000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0817	https://attack.mitre.org/techniques/T0817

[T0871] Execution through API

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.858000+00:00	2022-05-06 17:47:23.918000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0871	https://attack.mitre.org/techniques/T0871

[T0819] Exploit Public-Facing Application

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.858000+00:00	2022-05-06 17:47:23.919000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0819	https://attack.mitre.org/techniques/T0819

[T0820] Exploitation for Evasion

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.859000+00:00	2022-05-06 17:47:23.919000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0820	https://attack.mitre.org/techniques/T0820

[T0890] Exploitation for Privilege Escalation

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.860000+00:00	2022-05-06 17:47:23.920000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0890	https://attack.mitre.org/techniques/T0890
x_mitre_platforms[1]	Safety Instrumented System/Protection Relay	Safety Instrumented System/Protection Relay

[T0866] Exploitation of Remote Services

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.861000+00:00	2022-05-06 17:47:23.922000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0866	https://attack.mitre.org/techniques/T0866

[T0822] External Remote Services

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.863000+00:00	2022-05-06 17:47:23.923000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0822	https://attack.mitre.org/techniques/T0822

[T0823] Graphical User Interface

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.864000+00:00	2022-05-06 17:47:23.924000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0823	https://attack.mitre.org/techniques/T0823

[T0874] Hooking

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.865000+00:00	2022-05-06 17:47:23.926000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0874	https://attack.mitre.org/techniques/T0874

[T0877] I/O Image

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.866000+00:00	2022-05-06 17:47:23.927000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0877	https://attack.mitre.org/techniques/T0877

[T0872] Indicator Removal on Host

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.866000+00:00	2022-05-06 17:47:23.927000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0872	https://attack.mitre.org/techniques/T0872

[T0883] Internet Accessible Device

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.869000+00:00	2022-05-06 17:47:23.930000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0883	https://attack.mitre.org/techniques/T0883
x_mitre_platforms[1]	Data Historian	Data Historian
x_mitre_platforms[2]	Field Controller/RTU/PLC/IED	Field Controller/RTU/PLC/IED
x_mitre_platforms[3]	Human-Machine Interface	Human-Machine Interface
x_mitre_platforms[4]	Input/Output Server	Input/Output Server
x_mitre_platforms[5]	Safety Instrumented System/Protection Relay	Safety Instrumented System/Protection Relay

[T0867] Lateral Tool Transfer

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.870000+00:00	2022-05-06 17:47:23.932000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0867	https://attack.mitre.org/techniques/T0867

[T0826] Loss of Availability

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.872000+00:00	2022-05-06 17:47:23.934000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0826	https://attack.mitre.org/techniques/T0826

[T0827] Loss of Control

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.874000+00:00	2022-05-06 17:47:23.936000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0827	https://attack.mitre.org/techniques/T0827

[T0828] Loss of Productivity and Revenue

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.876000+00:00	2022-05-06 17:47:23.938000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0828	https://attack.mitre.org/techniques/T0828

[T0837] Loss of Protection

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.877000+00:00	2022-05-06 17:47:23.938000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0837	https://attack.mitre.org/techniques/T0837

[T0880] Loss of Safety

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.877000+00:00	2022-05-06 17:47:23.939000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0880	https://attack.mitre.org/techniques/T0880

[T0829] Loss of View

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.879000+00:00	2022-05-06 17:47:23.940000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0829	https://attack.mitre.org/techniques/T0829

[T0830] Man in the Middle

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.880000+00:00	2022-05-06 17:47:23.942000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0830	https://attack.mitre.org/techniques/T0830

[T0835] Manipulate I/O Image

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.881000+00:00	2022-05-06 17:47:23.943000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T835	https://attack.mitre.org/techniques/T0835

[T0831] Manipulation of Control

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.883000+00:00	2022-05-06 17:47:23.945000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0831	https://attack.mitre.org/techniques/T0831

[T0832] Manipulation of View

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.885000+00:00	2022-05-06 17:47:23.947000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0832	https://attack.mitre.org/techniques/T0832

[T0849] Masquerading

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.885000+00:00	2022-05-06 17:47:23.947000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0849	https://attack.mitre.org/techniques/T0849

[T0838] Modify Alarm Settings

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.886000+00:00	2022-05-06 17:47:23.949000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0838	https://attack.mitre.org/techniques/T0838

[T0821] Modify Controller Tasking

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.887000+00:00	2022-05-06 17:47:23.950000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0821	https://attack.mitre.org/techniques/T0821

[T0836] Modify Parameter

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.888000+00:00	2022-05-06 17:47:23.952000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0836	https://attack.mitre.org/techniques/T0836

[T0889] Modify Program

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.889000+00:00	2022-05-06 17:47:23.953000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0889	https://attack.mitre.org/techniques/T0889

[T0839] Module Firmware

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.890000+00:00	2022-05-06 17:47:23.954000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0839	https://attack.mitre.org/techniques/T0839

[T0801] Monitor Process State

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.890000+00:00	2022-05-06 17:47:23.955000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0801	https://attack.mitre.org/techniques/T0801

[T0834] Native API

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.891000+00:00	2022-05-06 17:47:23.956000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0834	https://attack.mitre.org/techniques/T0834

[T0840] Network Connection Enumeration

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.892000+00:00	2022-05-06 17:47:23.957000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0840	https://attack.mitre.org/techniques/T0840

[T0842] Network Sniffing

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.893000+00:00	2022-05-06 17:47:23.958000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0842	https://attack.mitre.org/techniques/T0842

[T0861] Point & Tag Identification

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.894000+00:00	2022-05-06 17:47:23.960000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0861	https://attack.mitre.org/techniques/T0861

[T0843] Program Download

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.894000+00:00	2022-05-06 17:47:23.960000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0843	https://attack.mitre.org/techniques/T0843

[T0845] Program Upload

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.894000+00:00	2022-05-06 17:47:23.960000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0845	https://attack.mitre.org/techniques/T0845

[T0873] Project File Infection

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.896000+00:00	2022-05-06 17:47:23.963000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0873	https://attack.mitre.org/techniques/T0873

[T0886] Remote Services

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.899000+00:00	2022-05-06 17:47:23.967000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0886	https://attack.mitre.org/techniques/T0886

[T0846] Remote System Discovery

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.900000+00:00	2022-05-06 17:47:23.968000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0846	https://attack.mitre.org/techniques/T0846

[T0888] Remote System Information Discovery

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.900000+00:00	2022-05-06 17:47:23.968000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0888	https://attack.mitre.org/techniques/T0888

[T0847] Replication Through Removable Media

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.904000+00:00	2022-05-06 17:47:23.973000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0847	https://attack.mitre.org/techniques/T0847

[T0848] Rogue Master

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.906000+00:00	2022-05-06 17:47:23.975000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0848	https://attack.mitre.org/techniques/T0848

[T0851] Rootkit

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.907000+00:00	2022-05-06 17:47:23.976000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0851	https://attack.mitre.org/techniques/T0851

[T0852] Screen Capture

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.908000+00:00	2022-05-06 17:47:23.976000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0852	https://attack.mitre.org/techniques/T0852

[T0853] Scripting

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.908000+00:00	2022-05-06 17:47:23.977000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0853	https://attack.mitre.org/techniques/T0853

[T0881] Service Stop

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.909000+00:00	2022-05-06 17:47:23.978000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0881	https://attack.mitre.org/techniques/T0881

[T0865] Spearphishing Attachment

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.911000+00:00	2022-05-06 17:47:23.980000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0865	https://attack.mitre.org/techniques/T0865

[T0856] Spoof Reporting Message

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.912000+00:00	2022-05-06 17:47:23.981000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0856	https://attack.mitre.org/techniques/T0856

[T0869] Standard Application Layer Protocol

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.912000+00:00	2022-05-06 17:47:23.981000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0869	https://attack.mitre.org/techniques/T0869

[T0862] Supply Chain Compromise

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.914000+00:00	2022-05-06 17:47:23.983000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0862	https://attack.mitre.org/techniques/T0862
x_mitre_platforms[1]	Data Historian	Data Historian
x_mitre_platforms[2]	Field Controller/RTU/PLC/IED	Field Controller/RTU/PLC/IED
x_mitre_platforms[3]	Human-Machine Interface	Human-Machine Interface
x_mitre_platforms[4]	Input/Output Server	Input/Output Server
x_mitre_platforms[5]	Safety Instrumented System/Protection Relay	Safety Instrumented System/Protection Relay

[T0857] System Firmware

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.915000+00:00	2022-05-06 17:47:23.984000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0857	https://attack.mitre.org/techniques/T0857

[T0882] Theft of Operational Information

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.916000+00:00	2022-05-06 17:47:23.985000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0882	https://attack.mitre.org/techniques/T0882

[T0864] Transient Cyber Asset

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.920000+00:00	2022-05-06 17:47:23.989000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0864	https://attack.mitre.org/techniques/T0864

[T0855] Unauthorized Command Message

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.918000+00:00	2022-05-06 17:47:23.987000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0855	https://attack.mitre.org/techniques/T0855

[T0863] User Execution

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.921000+00:00	2022-05-06 17:47:23.991000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0863	https://attack.mitre.org/techniques/T0863

[T0859] Valid Accounts

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.922000+00:00	2022-05-06 17:47:23.992000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0859	https://attack.mitre.org/techniques/T0859

[T0860] Wireless Compromise

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.925000+00:00	2022-05-06 17:47:23.995000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0860	https://attack.mitre.org/techniques/T0860
x_mitre_platforms[1]	Field Controller/RTU/PLC/IED	Field Controller/RTU/PLC/IED
x_mitre_platforms[2]	Input/Output Server	Input/Output Server

[T0887] Wireless Sniffing

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.927000+00:00	2022-05-06 17:47:23.997000+00:00
external_references[0]['url']	https://attack.mitre.org/Technique/T0887	https://attack.mitre.org/techniques/T0887

Software

enterprise-attack

Patches

[S0667] Chrommme

Current version: 1.0

	Old Description			New Description
t	1	[Chrommme](https://attack.mitre.org/software/S0667) is a bac	t	1	[Chrommme](https://attack.mitre.org/software/S0667) is a bac
	>	kdoor tool, written using the Microsoft Foundation Class (MF		>	kdoor tool written using the Microsoft Foundation Class (MFC
	>	C) framework, that has infrastructure overlaps with [Gelsemi		>	) framework that was first reported in June 2021; security r
	>	um](https://attack.mitre.org/software/S0666).(Citation: ESET		>	esearchers noted infrastructure overlaps with [Gelsemium](ht
	>	Gelsemium June 2021)		>	tps://attack.mitre.org/software/S0666) malware.(Citation: ES
				>	ET Gelsemium June 2021)

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_deprecated		False

values_changed
STIX Field	Old value	New Value
modified	2021-12-01 18:55:30.931000+00:00	2022-05-04 22:38:46.222000+00:00
description	[Chrommme](https://attack.mitre.org/software/S0667) is a backdoor tool, written using the Microsoft Foundation Class (MFC) framework, that has infrastructure overlaps with [Gelsemium](https://attack.mitre.org/software/S0666).(Citation: ESET Gelsemium June 2021)	[Chrommme](https://attack.mitre.org/software/S0667) is a backdoor tool written using the Microsoft Foundation Class (MFC) framework that was first reported in June 2021; security researchers noted infrastructure overlaps with [Gelsemium](https://attack.mitre.org/software/S0666) malware.(Citation: ESET Gelsemium June 2021)

[S0666] Gelsemium

Current version: 1.0

	Old Description			New Description
t	1	[Gelsemium](https://attack.mitre.org/software/S0666) is a mo	t	1	[Gelsemium](https://attack.mitre.org/software/S0666) is a mo
	>	dular malware comprised of dropper (Gelsemine), loader (Gels		>	dular malware comprised of a dropper (Gelsemine), a loader (
	>	enicine), and main (Gelsevirine) plug ins that has been used		>	Gelsenicine), and main (Gelsevirine) plug-ins written using
	>	by the [Gelsemium](https://attack.mitre.org/groups/G0141) g		>	the Microsoft Foundation Class (MFC) framework. [Gelsemium](
	>	roup since at least 2014.(Citation: ESET Gelsemium June 2021		>	https://attack.mitre.org/software/S0666) has been used by th
	>	)		>	e Gelsemium group since at least 2014.(Citation: ESET Gelsem
				>	ium June 2021)

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_deprecated		False

values_changed
STIX Field	Old value	New Value
modified	2021-12-01 18:28:21.437000+00:00	2022-05-06 19:37:01.617000+00:00
description	[Gelsemium](https://attack.mitre.org/software/S0666) is a modular malware comprised of dropper (Gelsemine), loader (Gelsenicine), and main (Gelsevirine) plug ins that has been used by the [Gelsemium](https://attack.mitre.org/groups/G0141) group since at least 2014.(Citation: ESET Gelsemium June 2021)	[Gelsemium](https://attack.mitre.org/software/S0666) is a modular malware comprised of a dropper (Gelsemine), a loader (Gelsenicine), and main (Gelsevirine) plug-ins written using the Microsoft Foundation Class (MFC) framework. [Gelsemium](https://attack.mitre.org/software/S0666) has been used by the Gelsemium group since at least 2014.(Citation: ESET Gelsemium June 2021)

ics-attack

Patches

[S1000] ACAD/Medre.A

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.937000+00:00	2022-05-06 17:47:24.008000+00:00
external_references[0]['url']	https://attack.mitre.org/Software/S0018	https://attack.mitre.org/software/S0018

[S1006] PLC-Blaster

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.944000+00:00	2022-05-06 17:47:24.022000+00:00
external_references[0]['url']	https://attack.mitre.org/Software/S0009	https://attack.mitre.org/software/S0009

[S1009] Triton

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.950000+00:00	2022-05-06 17:47:24.030000+00:00
external_references[0]['url']	https://attack.mitre.org/Software/S0013	https://attack.mitre.org/software/S0013

[S1010] VPNFilter

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.951000+00:00	2022-05-06 17:47:24.032000+00:00
external_references[0]['url']	https://attack.mitre.org/Software/S0002	https://attack.mitre.org/software/S0002

Groups

enterprise-attack

Patches

[G0094] Kimsuky

Current version: 3.1

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_attack_spec_version		2.1.0
x_mitre_deprecated		False

values_changed
STIX Field	Old value	New Value
modified	2022-03-23 18:54:26.218000+00:00	2022-04-25 12:25:09.059000+00:00
external_references[1]['source_name']	Kimsuky	Thallium
external_references[1]['description']	(Citation: Securelist Kimsuky Sept 2013)(Citation: Malwarebytes Kimsuky June 2021)	(Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)
external_references[2]['source_name']	STOLEN PENCIL	Black Banshee
external_references[2]['description']	(Citation: Netscout Stolen Pencil Dec 2018)	(Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)
external_references[3]['source_name']	Thallium	STOLEN PENCIL
external_references[3]['description']	(Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)	(Citation: Netscout Stolen Pencil Dec 2018)
external_references[4]['source_name']	Black Banshee	Kimsuky
external_references[4]['description']	(Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)	(Citation: Securelist Kimsuky Sept 2013)(Citation: Malwarebytes Kimsuky June 2021)
external_references[6]['source_name']	EST Kimsuky April 2019	AhnLab Kimsuky Kabar Cobra Feb 2019
external_references[6]['description']	Alyac. (2019, April 3). Kimsuky Organization Steals Operation Stealth Power. Retrieved August 13, 2019.	AhnLab. (2019, February 28). Operation Kabar Cobra - Tenacious cyber-espionage campaign by Kimsuky Group. Retrieved September 29, 2021.
external_references[6]['url']	https://blog.alyac.co.kr/2234	https://global.ahnlab.com/global/upload/download/techreport/[Analysis_Report]Operation%20Kabar%20Cobra.pdf
external_references[7]['source_name']	BRI Kimsuky April 2019	EST Kimsuky April 2019
external_references[7]['description']	BRI. (2019, April). Kimsuky unveils APT campaign 'Smoke Screen' aimed at Korea and America. Retrieved October 7, 2019.	Alyac. (2019, April 3). Kimsuky Organization Steals Operation Stealth Power. Retrieved August 13, 2019.
external_references[7]['url']	https://brica.de/alerts/alert/public/1255063/kimsuky-unveils-apt-campaign-smoke-screen-aimed-at-korea-and-america/	https://blog.alyac.co.kr/2234
external_references[8]['source_name']	Cybereason Kimsuky November 2020	Netscout Stolen Pencil Dec 2018
external_references[8]['description']	Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.	ASERT team. (2018, December 5). STOLEN PENCIL Campaign Targets Academia. Retrieved February 5, 2019.
external_references[8]['url']	https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite	https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/
external_references[9]['source_name']	Malwarebytes Kimsuky June 2021	BRI Kimsuky April 2019
external_references[9]['description']	Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.	BRI. (2019, April). Kimsuky unveils APT campaign 'Smoke Screen' aimed at Korea and America. Retrieved October 7, 2019.
external_references[9]['url']	https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/	https://brica.de/alerts/alert/public/1255063/kimsuky-unveils-apt-campaign-smoke-screen-aimed-at-korea-and-america/
external_references[10]['source_name']	CISA AA20-301A Kimsuky	Zdnet Kimsuky Dec 2018
external_references[10]['description']	CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020.	Cimpanu, C.. (2018, December 5). Cyber-espionage group uses Chrome extension to infect victims. Retrieved August 26, 2019.
external_references[10]['url']	https://us-cert.cisa.gov/ncas/alerts/aa20-301a	https://www.zdnet.com/article/cyber-espionage-group-uses-chrome-extension-to-infect-victims/
external_references[11]['source_name']	Netscout Stolen Pencil Dec 2018	CISA AA20-301A Kimsuky
external_references[11]['description']	ASERT team. (2018, December 5). STOLEN PENCIL Campaign Targets Academia. Retrieved February 5, 2019.	CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020.
external_references[11]['url']	https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/	https://us-cert.cisa.gov/ncas/alerts/aa20-301a
external_references[12]['source_name']	EST Kimsuky SmokeScreen April 2019	Cybereason Kimsuky November 2020
external_references[12]['description']	ESTSecurity. (2019, April 17). Analysis of the APT Campaign ‘Smoke Screen’ targeting to Korea and US 출처: https://blog.alyac.co.kr/2243 [이스트시큐리티 알약 블로그]. Retrieved September 29, 2021.	Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
external_references[12]['url']	https://blog.alyac.co.kr/attachment/cfile5.uf@99A0CD415CB67E210DCEB3.pdf	https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite
external_references[13]['source_name']	AhnLab Kimsuky Kabar Cobra Feb 2019	EST Kimsuky SmokeScreen April 2019
external_references[13]['description']	AhnLab. (2019, February 28). Operation Kabar Cobra - Tenacious cyber-espionage campaign by Kimsuky Group. Retrieved September 29, 2021.	ESTSecurity. (2019, April 17). Analysis of the APT Campaign ‘Smoke Screen’ targeting to Korea and US 출처: https://blog.alyac.co.kr/2243 [이스트시큐리티 알약 블로그]. Retrieved September 29, 2021.
external_references[13]['url']	https://global.ahnlab.com/global/upload/download/techreport/[Analysis_Report]Operation%20Kabar%20Cobra.pdf	https://blog.alyac.co.kr/attachment/cfile5.uf@99A0CD415CB67E210DCEB3.pdf
external_references[14]['source_name']	Securelist Kimsuky Sept 2013	Malwarebytes Kimsuky June 2021
external_references[14]['description']	Tarakanov , D.. (2013, September 11). The “Kimsuky” Operation: A North Korean APT?. Retrieved August 13, 2019.	Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.
external_references[14]['url']	https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/	https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/
external_references[15]['source_name']	Zdnet Kimsuky Dec 2018	Securelist Kimsuky Sept 2013
external_references[15]['description']	Cimpanu, C.. (2018, December 5). Cyber-espionage group uses Chrome extension to infect victims. Retrieved August 26, 2019.	Tarakanov , D.. (2013, September 11). The “Kimsuky” Operation: A North Korean APT?. Retrieved August 13, 2019.
external_references[15]['url']	https://www.zdnet.com/article/cyber-espionage-group-uses-chrome-extension-to-infect-victims/	https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/

iterable_item_added
STIX Field	Old value	New Value
x_mitre_contributors		Dongwook Kim, KISA

Deprecations

[G0141] Gelsemium

Current version: 1.0

Description: [Gelsemium](https://attack.mitre.org/groups/G0141) is a cyberespionage group that has been active since at least 2014, targeting governmental institutions, electronics manufacturers, universities, and religious organizations in East Asia and the Middle East.(Citation: ESET Gelsemium June 2021)

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_attack_spec_version		2.1.0
x_mitre_deprecated		True

values_changed
STIX Field	Old value	New Value
modified	2021-12-02 14:15:49.640000+00:00	2022-05-04 22:15:12.759000+00:00
description	[Gelsemium](https://attack.mitre.org/groups/G0141) is a cyberespionage group that has been active since at least 2014, targeting governmental institutions, electronics manufacturers, universities, and religious organizations in Eastern Asia and the Middle East.(Citation: ESET Gelsemium June 2021)	[Gelsemium](https://attack.mitre.org/groups/G0141) is a cyberespionage group that has been active since at least 2014, targeting governmental institutions, electronics manufacturers, universities, and religious organizations in East Asia and the Middle East.(Citation: ESET Gelsemium June 2021)

ics-attack

Patches

[G1000] ALLANITE

Current version: 1.0

	Old Description			New Description
t	1	[ALLANITE](https://attack.mitre.org/groups/G0009) is a suspe	t	1	[ALLANITE](https://attack.mitre.org/groups/G1000) is a suspe
	>	cted Russian cyber espionage group, that has primarily targe		>	cted Russian cyber espionage group, that has primarily targe
	>	ted the electric utility sector within the United States and		>	ted the electric utility sector within the United States and
	>	United Kingdom. The group's tactics and techniques are repo		>	United Kingdom. The group's tactics and techniques are repo
	>	rtedly similar to [Dragonfly](https://attack.mitre.org/group		>	rtedly similar to [Dragonfly](https://attack.mitre.org/group
	>	s/G0002) / [Dragonfly 2.0](https://attack.mitre.org/groups/G		>	s/G0002) / [Dragonfly 2.0](https://attack.mitre.org/groups/G
	>	0006), although [ALLANITE](https://attack.mitre.org/groups/G		>	0035), although [ALLANITE](https://attack.mitre.org/groups/G
	>	0009)s technical capabilities have not exhibited disruptive		>	1000)s technical capabilities have not exhibited disruptive
	>	or destructive abilities. It has been suggested that the gro		>	or destructive abilities. It has been suggested that the gro
	>	up maintains a presence in ICS for the purpose of gaining un		>	up maintains a presence in ICS for the purpose of gaining un
	>	derstanding of processes and to maintain persistence. (Citat		>	derstanding of processes and to maintain persistence. (Citat
	>	ion: Dragos)		>	ion: Dragos)

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_domains		['ics-attack']

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.928000+00:00	2022-05-06 17:47:23.998000+00:00
description	[ALLANITE](https://attack.mitre.org/groups/G0009) is a suspected Russian cyber espionage group, that has primarily targeted the electric utility sector within the United States and United Kingdom. The group's tactics and techniques are reportedly similar to [Dragonfly](https://attack.mitre.org/groups/G0002) / [Dragonfly 2.0](https://attack.mitre.org/groups/G0006), although [ALLANITE](https://attack.mitre.org/groups/G0009)s technical capabilities have not exhibited disruptive or destructive abilities. It has been suggested that the group maintains a presence in ICS for the purpose of gaining understanding of processes and to maintain persistence. (Citation: Dragos)	[ALLANITE](https://attack.mitre.org/groups/G1000) is a suspected Russian cyber espionage group, that has primarily targeted the electric utility sector within the United States and United Kingdom. The group's tactics and techniques are reportedly similar to [Dragonfly](https://attack.mitre.org/groups/G0002) / [Dragonfly 2.0](https://attack.mitre.org/groups/G0035), although [ALLANITE](https://attack.mitre.org/groups/G1000)s technical capabilities have not exhibited disruptive or destructive abilities. It has been suggested that the group maintains a presence in ICS for the purpose of gaining understanding of processes and to maintain persistence. (Citation: Dragos)
external_references[0]['url']	https://attack.mitre.org/Group/G0009	https://attack.mitre.org/groups/G1000

[G1001] HEXANE

Current version: 1.0

	Old Description			New Description
t	1	[HEXANE](https://attack.mitre.org/groups/G0005) is a threat	t	1	[HEXANE](https://attack.mitre.org/groups/G1001) is a threat
	>	group that has targeted ICS organization within the oil & ga		>	group that has targeted ICS organization within the oil & ga
	>	s, and telecommunications sectors. Many of the targeted orga		>	s, and telecommunications sectors. Many of the targeted orga
	>	nizations have been located in the Middle East including Kuw		>	nizations have been located in the Middle East including Kuw
	>	ait. [HEXANE](https://attack.mitre.org/groups/G0005)'s targe		>	ait. [HEXANE](https://attack.mitre.org/groups/G1001)'s targe
	>	ting of telecommunications has been speculated to be part of		>	ting of telecommunications has been speculated to be part of
	>	an effort to establish man-in-the-middle capabilities throu		>	an effort to establish man-in-the-middle capabilities throu
	>	ghout the region. [HEXANE](https://attack.mitre.org/groups/G		>	ghout the region. [HEXANE](https://attack.mitre.org/groups/G
	>	0005)'s TTPs appear similar to [APT33](https://attack.mitre.		>	1001)'s TTPs appear similar to [APT33](https://attack.mitre.
	>	org/groups/G0003) and [OilRig](https://attack.mitre.org/grou		>	org/groups/G0003) and [OilRig](https://attack.mitre.org/grou
	>	ps/G0010) but due to differences in victims and tools it is		>	ps/G0010) but due to differences in victims and tools it is
	>	tracked as a separate entity. (Citation: Dragos)		>	tracked as a separate entity. (Citation: Dragos)

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_domains		['ics-attack']

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.931000+00:00	2022-05-06 17:47:24.002000+00:00
description	[HEXANE](https://attack.mitre.org/groups/G0005) is a threat group that has targeted ICS organization within the oil & gas, and telecommunications sectors. Many of the targeted organizations have been located in the Middle East including Kuwait. [HEXANE](https://attack.mitre.org/groups/G0005)'s targeting of telecommunications has been speculated to be part of an effort to establish man-in-the-middle capabilities throughout the region. [HEXANE](https://attack.mitre.org/groups/G0005)'s TTPs appear similar to [APT33](https://attack.mitre.org/groups/G0003) and [OilRig](https://attack.mitre.org/groups/G0010) but due to differences in victims and tools it is tracked as a separate entity. (Citation: Dragos)	[HEXANE](https://attack.mitre.org/groups/G1001) is a threat group that has targeted ICS organization within the oil & gas, and telecommunications sectors. Many of the targeted organizations have been located in the Middle East including Kuwait. [HEXANE](https://attack.mitre.org/groups/G1001)'s targeting of telecommunications has been speculated to be part of an effort to establish man-in-the-middle capabilities throughout the region. [HEXANE](https://attack.mitre.org/groups/G1001)'s TTPs appear similar to [APT33](https://attack.mitre.org/groups/G0003) and [OilRig](https://attack.mitre.org/groups/G0010) but due to differences in victims and tools it is tracked as a separate entity. (Citation: Dragos)
external_references[0]['url']	https://attack.mitre.org/Group/G0005	https://attack.mitre.org/groups/G1001

Mitigations

ics-attack

Patches

[M0801] Access Management

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.953000+00:00	2022-05-06 17:47:24.034000+00:00
external_references[0]['url']	https://attack.mitre.org/Mitigation/M0801	https://attack.mitre.org/mitigations/M0801

[M0936] Account Use Policies

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.953000+00:00	2022-05-06 17:47:24.034000+00:00
external_references[0]['url']	https://attack.mitre.org/Mitigation/M0936	https://attack.mitre.org/mitigations/M0936

[M0915] Active Directory Configuration

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.954000+00:00	2022-05-06 17:47:24.035000+00:00
external_references[0]['url']	https://attack.mitre.org/Mitigation/M0915	https://attack.mitre.org/mitigations/M0915

[M0949] Antivirus/Antimalware

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.955000+00:00	2022-05-06 17:47:24.036000+00:00
external_references[0]['url']	https://attack.mitre.org/Mitigation/M0949	https://attack.mitre.org/mitigations/M0949

[M0913] Application Developer Guidance

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.955000+00:00	2022-05-06 17:47:24.036000+00:00
external_references[0]['url']	https://attack.mitre.org/Mitigation/M0913	https://attack.mitre.org/mitigations/M0913

[M0948] Application Isolation and Sandboxing

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.955000+00:00	2022-05-06 17:47:24.036000+00:00
external_references[0]['url']	https://attack.mitre.org/Mitigation/M0948	https://attack.mitre.org/mitigations/M0948

[M0947] Audit

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.955000+00:00	2022-05-06 17:47:24.037000+00:00
external_references[0]['url']	https://attack.mitre.org/Mitigation/M0947	https://attack.mitre.org/mitigations/M0947

[M0800] Authorization Enforcement

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.957000+00:00	2022-05-06 17:47:24.038000+00:00
external_references[0]['url']	https://attack.mitre.org/Mitigation/M0800	https://attack.mitre.org/mitigations/M0800

[M0946] Boot Integrity

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.957000+00:00	2022-05-06 17:47:24.038000+00:00
external_references[0]['url']	https://attack.mitre.org/Mitigation/M0946	https://attack.mitre.org/mitigations/M0946

[M0945] Code Signing

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.957000+00:00	2022-05-06 17:47:24.039000+00:00
external_references[0]['url']	https://attack.mitre.org/Mitigation/M0945	https://attack.mitre.org/mitigations/M0945

[M0802] Communication Authenticity

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.958000+00:00	2022-05-06 17:47:24.039000+00:00
external_references[0]['url']	https://attack.mitre.org/Mitigation/M0802	https://attack.mitre.org/mitigations/M0802

[M0953] Data Backup

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.959000+00:00	2022-05-06 17:47:24.040000+00:00
external_references[0]['url']	https://attack.mitre.org/Mitigation/M0953	https://attack.mitre.org/mitigations/M0953

[M0803] Data Loss Prevention

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.959000+00:00	2022-05-06 17:47:24.040000+00:00
external_references[0]['url']	https://attack.mitre.org/Mitigation/M0803	https://attack.mitre.org/mitigations/M0803

[M0942] Disable or Remove Feature or Program

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.959000+00:00	2022-05-06 17:47:24.041000+00:00
external_references[0]['url']	https://attack.mitre.org/Mitigation/M0942	https://attack.mitre.org/mitigations/M0942

[M0808] Encrypt Network Traffic

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.959000+00:00	2022-05-06 17:47:24.041000+00:00
external_references[0]['url']	https://attack.mitre.org/Mitigation/M0808	https://attack.mitre.org/mitigations/M0808

[M0941] Encrypt Sensitive Information

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.960000+00:00	2022-05-06 17:47:24.041000+00:00
external_references[0]['url']	https://attack.mitre.org/Mitigation/M0941	https://attack.mitre.org/mitigations/M0941

[M0938] Execution Prevention

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.960000+00:00	2022-05-06 17:47:24.042000+00:00
external_references[0]['url']	https://attack.mitre.org/Mitigation/M0938	https://attack.mitre.org/mitigations/M0938

[M0950] Exploit Protection

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.960000+00:00	2022-05-06 17:47:24.042000+00:00
external_references[0]['url']	https://attack.mitre.org/Mitigation/M0950	https://attack.mitre.org/mitigations/M0950

[M0937] Filter Network Traffic

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.961000+00:00	2022-05-06 17:47:24.043000+00:00
external_references[0]['url']	https://attack.mitre.org/Mitigation/M0937	https://attack.mitre.org/mitigations/M0937

[M0804] Human User Authentication

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.975000+00:00	2022-05-06 17:47:24.060000+00:00
external_references[0]['url']	https://attack.mitre.org/Mitigation/M0804	https://attack.mitre.org/mitigations/M0804

[M0935] Limit Access to Resource Over Network

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.962000+00:00	2022-05-06 17:47:24.044000+00:00
external_references[0]['url']	https://attack.mitre.org/Mitigation/M0935	https://attack.mitre.org/mitigations/M0935

[M0934] Limit Hardware Installation

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.962000+00:00	2022-05-06 17:47:24.045000+00:00
external_references[0]['url']	https://attack.mitre.org/Mitigation/M0934	https://attack.mitre.org/mitigations/M0934

[M0805] Mechanical Protection Layers

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.963000+00:00	2022-05-06 17:47:24.046000+00:00
external_references[0]['url']	https://attack.mitre.org/Mitigation/M0805	https://attack.mitre.org/mitigations/M0805

[M0806] Minimize Wireless Signal Propagation

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.965000+00:00	2022-05-06 17:47:24.048000+00:00
external_references[0]['url']	https://attack.mitre.org/Mitigation/M0806	https://attack.mitre.org/mitigations/M0806

[M0816] Mitigation Limited or Not Effective

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.965000+00:00	2022-05-06 17:47:24.048000+00:00
external_references[0]['url']	https://attack.mitre.org/Mitigation/M0816	https://attack.mitre.org/mitigations/M0816

[M0932] Multi-factor Authentication

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.965000+00:00	2022-05-06 17:47:24.048000+00:00
external_references[0]['url']	https://attack.mitre.org/Mitigation/M0932	https://attack.mitre.org/mitigations/M0932

[M0807] Network Allowlists

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.975000+00:00	2022-05-06 17:47:24.060000+00:00
external_references[0]['url']	https://attack.mitre.org/Mitigation/M0807	https://attack.mitre.org/mitigations/M0807

[M0931] Network Intrusion Prevention

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.966000+00:00	2022-05-06 17:47:24.049000+00:00
external_references[0]['url']	https://attack.mitre.org/Mitigation/M0931	https://attack.mitre.org/mitigations/M0931

[M0930] Network Segmentation

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.967000+00:00	2022-05-06 17:47:24.051000+00:00
external_references[0]['url']	https://attack.mitre.org/Mitigation/M0930	https://attack.mitre.org/mitigations/M0930

[M0928] Operating System Configuration

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.967000+00:00	2022-05-06 17:47:24.051000+00:00
external_references[0]['url']	https://attack.mitre.org/Mitigation/M0928	https://attack.mitre.org/mitigations/M0928

[M0809] Operational Information Confidentiality

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.967000+00:00	2022-05-06 17:47:24.051000+00:00
external_references[0]['url']	https://attack.mitre.org/Mitigation/M0809	https://attack.mitre.org/mitigations/M0809

[M0810] Out-of-Band Communications Channel

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.969000+00:00	2022-05-06 17:47:24.053000+00:00
external_references[0]['url']	https://attack.mitre.org/Mitigation/M0810	https://attack.mitre.org/mitigations/M0810

[M0927] Password Policies

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.969000+00:00	2022-05-06 17:47:24.053000+00:00
external_references[0]['url']	https://attack.mitre.org/Mitigation/M0927	https://attack.mitre.org/mitigations/M0927

[M0926] Privileged Account Management

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.969000+00:00	2022-05-06 17:47:24.053000+00:00
external_references[0]['url']	https://attack.mitre.org/Mitigation/M0926	https://attack.mitre.org/mitigations/M0926

[M0811] Redundancy of Service

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.970000+00:00	2022-05-06 17:47:24.054000+00:00
external_references[0]['url']	https://attack.mitre.org/Mitigation/M0811	https://attack.mitre.org/mitigations/M0811

[M0922] Restrict File and Directory Permissions

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.970000+00:00	2022-05-06 17:47:24.054000+00:00
external_references[0]['url']	https://attack.mitre.org/Mitigation/M0922	https://attack.mitre.org/mitigations/M0922

[M0944] Restrict Library Loading

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.970000+00:00	2022-05-06 17:47:24.054000+00:00
external_references[0]['url']	https://attack.mitre.org/Mitigation/M0944	https://attack.mitre.org/mitigations/M0944

[M0924] Restrict Registry Permissions

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.970000+00:00	2022-05-06 17:47:24.055000+00:00
external_references[0]['url']	https://attack.mitre.org/Mitigation/M0924	https://attack.mitre.org/mitigations/M0924

[M0921] Restrict Web-Based Content

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.971000+00:00	2022-05-06 17:47:24.055000+00:00
external_references[0]['url']	https://attack.mitre.org/Mitigation/M0921	https://attack.mitre.org/mitigations/M0921

[M0920] SSL/TLS Inspection

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.971000+00:00	2022-05-06 17:47:24.055000+00:00
external_references[0]['url']	https://attack.mitre.org/Mitigation/M0920	https://attack.mitre.org/mitigations/M0920

[M0812] Safety Instrumented Systems

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.972000+00:00	2022-05-06 17:47:24.056000+00:00
external_references[0]['url']	https://attack.mitre.org/Mitigation/M0812	https://attack.mitre.org/mitigations/M0812

[M0954] Software Configuration

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.972000+00:00	2022-05-06 17:47:24.057000+00:00
external_references[0]['url']	https://attack.mitre.org/Mitigation/M0954	https://attack.mitre.org/mitigations/M0954

[M0813] Software Process and Device Authentication

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.972000+00:00	2022-05-06 17:47:24.057000+00:00
external_references[0]['url']	https://attack.mitre.org/Mitigation/M0813	https://attack.mitre.org/mitigations/M0813

[M0814] Static Network Configuration

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.972000+00:00	2022-05-06 17:47:24.057000+00:00
external_references[0]['url']	https://attack.mitre.org/Mitigation/M0814	https://attack.mitre.org/mitigations/M0814

[M0817] Supply Chain Management

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.973000+00:00	2022-05-06 17:47:24.058000+00:00
external_references[0]['url']	https://attack.mitre.org/Mitigation/M0817	https://attack.mitre.org/mitigations/M0817

[M0919] Threat Intelligence Program

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.973000+00:00	2022-05-06 17:47:24.058000+00:00
external_references[0]['url']	https://attack.mitre.org/Mitigation/M0919	https://attack.mitre.org/mitigations/M0919

[M0951] Update Software

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.973000+00:00	2022-05-06 17:47:24.058000+00:00
external_references[0]['url']	https://attack.mitre.org/Mitigation/M0951	https://attack.mitre.org/mitigations/M0951

[M0918] User Account Management

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.974000+00:00	2022-05-06 17:47:24.059000+00:00
external_references[0]['url']	https://attack.mitre.org/Mitigation/M0918	https://attack.mitre.org/mitigations/M0918

[M0917] User Training

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.974000+00:00	2022-05-06 17:47:24.059000+00:00
external_references[0]['url']	https://attack.mitre.org/Mitigation/M0917	https://attack.mitre.org/mitigations/M0917

[M0916] Vulnerability Scanning

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.974000+00:00	2022-05-06 17:47:24.059000+00:00
external_references[0]['url']	https://attack.mitre.org/Mitigation/M0916	https://attack.mitre.org/mitigations/M0916

[M0815] Watchdog Timers

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 22:02:03.974000+00:00	2022-05-06 17:47:24.060000+00:00
external_references[0]['url']	https://attack.mitre.org/Mitigation/M0815	https://attack.mitre.org/mitigations/M0815

Data Sources

ics-attack

Patches

[DS0039] Assets

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-23T15:48:38.011975Z	2022-05-11T16:22:58.802094Z
created	2022-04-23T15:48:38.011975Z	2022-05-11T16:22:58.802094Z

[DS0040] Operational Databases

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-23T15:48:38.012144Z	2022-05-11T16:22:58.802589Z
created	2022-04-23T15:48:38.012144Z	2022-05-11T16:22:58.802589Z

Data Components

enterprise-attack

Patches

Domain Name: Active DNS

Current version: 1.0

	Old Description			New Description
t	1	Initial construction of a WMI object, such as a filter, cons	t	1	Queried domain name system (DNS) registry data highlighting
	>	umer, subscription, binding, or provider (ex: Sysmon EIDs 19		>	current domain to IP address resolutions (ex: dig/nslookup q
	>	-21)		>	ueries)

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_deprecated		False
revoked		False

dictionary_item_removed
STIX Field	Old value	New Value
x_mitre_domains	[]

values_changed
STIX Field	Old value	New Value
description	Initial construction of a WMI object, such as a filter, consumer, subscription, binding, or provider (ex: Sysmon EIDs 19-21)	Queried domain name system (DNS) registry data highlighting current domain to IP address resolutions (ex: dig/nslookup queries)
modified	2022-03-30T14:26:51.804Z	2022-05-02T23:19:55.148Z

ics-attack

Patches

Operational Databases: Device Alarm

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-23T15:48:38.012201Z	2022-05-11T16:22:58.802647Z
created	2022-04-23T15:48:38.012201Z	2022-05-11T16:22:58.802647Z

Operational Databases: Process History/Live Data

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-23T15:48:38.012159Z	2022-05-11T16:22:58.802606Z
created	2022-04-23T15:48:38.012159Z	2022-05-11T16:22:58.802606Z

Operational Databases: Process/Event Alarm

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-23T15:48:38.012181Z	2022-05-11T16:22:58.802627Z
created	2022-04-23T15:48:38.012181Z	2022-05-11T16:22:58.802627Z