ATT&CK Changes Between v11.0 and v11.1

Additional formats

These ATT&CK Navigator layer files can be uploaded to ATT&CK Navigator manually.

This JSON file contains the machine-readable output used to create this page: changelog.json

Techniques

enterprise-attack

Minor Version Changes

[T1195.003] Supply Chain Compromise: Compromise Hardware Supply Chain

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

Details
dictionary_item_added
x_mitre_attack_spec_version: 2.1.0
x_mitre_data_sources: ['Sensor Health: Host Status']
x_mitre_deprecated: False
values_changed
modified: 2020-03-23 12:51:45.475000+00:00 → 2022-04-28 16:05:10.755000+00:00
x_mitre_version: 1.0 → 1.1

[T1195.001] Supply Chain Compromise: Compromise Software Dependencies and Development Tools

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

Details
dictionary_item_added
x_mitre_data_sources: ['File: File Metadata']
values_changed
modified: 2022-04-19 20:10:09.368000+00:00 → 2022-04-28 16:03:59.172000+00:00
x_mitre_version: 1.0 → 1.1

[T1195.002] Supply Chain Compromise: Compromise Software Supply Chain

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

Details
dictionary_item_added
x_mitre_data_sources: ['File: File Metadata']
values_changed
modified: 2022-04-19 20:10:59.465000+00:00 → 2022-04-28 16:04:36.636000+00:00
x_mitre_version: 1.0 → 1.1

[T1027.005] Obfuscated Files or Information: Indicator Removal from Tools

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

Details
dictionary_item_added
x_mitre_attack_spec_version: 2.1.0
x_mitre_data_sources: ['Application Log: Application Log Content']
x_mitre_deprecated: False
values_changed
modified: 2020-03-29 21:03:09.766000+00:00 → 2022-04-28 16:07:48.062000+00:00
x_mitre_version: 1.0 → 1.1

Other Version Changes

[T1212] Exploitation for Credential Access

Current version: 1.4

Version changed from: 1.1 → 1.4

New Detections:

Details
dictionary_item_added
x_mitre_attack_spec_version: 2.1.0
x_mitre_data_sources: ['Application Log: Application Log Content', 'User Account: User Account Authentication', 'Process: Process Creation']
x_mitre_deprecated: False
x_mitre_is_subtechnique: False
dictionary_item_removed
x_mitre_permissions_required: ['User']
values_changed
modified: 2020-03-25 18:51:01.070000+00:00 → 2022-04-28 16:06:49.447000+00:00
external_references[1]['source_name']: Technet MS14-068 → ADSecurity Detecting Forged Tickets
external_references[1]['description']: Microsoft. (2014, November 18). Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780). Retrieved December 23, 2015. → Metcalf, S. (2015, May 03). Detecting Forged Kerberos Ticket (Golden Ticket & Silver Ticket) Use in Active Directory. Retrieved December 23, 2015.
external_references[1]['url']: https://technet.microsoft.com/en-us/library/security/ms14-068.aspx → https://adsecurity.org/?p=1515
external_references[2]['source_name']: ADSecurity Detecting Forged Tickets → Technet MS14-068
external_references[2]['description']: Metcalf, S. (2015, May 03). Detecting Forged Kerberos Ticket (Golden Ticket & Silver Ticket) Use in Active Directory. Retrieved December 23, 2015. → Microsoft. (2014, November 18). Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780). Retrieved December 23, 2015.
external_references[2]['url']: https://adsecurity.org/?p=1515 → https://technet.microsoft.com/en-us/library/security/ms14-068.aspx
x_mitre_version: 1.1 → 1.4

[T1211] Exploitation for Defense Evasion

Current version: 1.3

Version changed from: 1.1 → 1.3

New Detections:

Details
dictionary_item_added
x_mitre_attack_spec_version: 2.1.0
x_mitre_data_sources: ['Process: Process Creation', 'Application Log: Application Log Content']
x_mitre_deprecated: False
x_mitre_is_subtechnique: False
dictionary_item_removed
x_mitre_permissions_required: ['User']
values_changed
modified: 2020-03-29 20:00:46.900000+00:00 → 2022-04-28 16:10:16.632000+00:00
x_mitre_version: 1.1 → 1.3

[T1200] Hardware Additions

Current version: 1.6

Version changed from: 1.3 → 1.6

New Detections:

Details
dictionary_item_added
x_mitre_data_sources: ['Application Log: Application Log Content', 'Drive: Drive Creation', 'Network Traffic: Network Traffic Flow']
values_changed
modified: 2022-04-19 17:12:28.626000+00:00 → 2022-04-28 16:09:12.782000+00:00
x_mitre_version: 1.3 → 1.6

[T1195] Supply Chain Compromise

Current version: 1.5

Version changed from: 1.3 → 1.5

New Detections:

Details
dictionary_item_added
x_mitre_data_sources: ['File: File Metadata', 'Sensor Health: Host Status']
values_changed
modified: 2022-04-19 20:09:21.256000+00:00 → 2022-04-28 16:03:22.870000+00:00
x_mitre_version: 1.3 → 1.5

Patches

[T1134] Access Token Manipulation

Current version: 2.0

Details
dictionary_item_added
x_mitre_attack_spec_version: 2.1.0
x_mitre_deprecated: False
x_mitre_is_subtechnique: False
external_references: Atkinson, J., Winchester, R. (2017, December 7). A Process is No One: Hunting for Token Manipulation. Retrieved December 21, 2017.
external_references: CAPEC-633
dictionary_item_removed
external_references: CAPEC-633
external_references: Atkinson, J., Winchester, R. (2017, December 7). A Process is No One: Hunting for Token Manipulation. Retrieved December 21, 2017.
values_changed
modified: 2021-10-17 14:51:49.334000+00:00 → 2022-05-03 02:14:43.557000+00:00
external_references[1]['source_name']: capec → BlackHat Atkinson Winchester Token Manipulation
external_references[1]['url']: https://capec.mitre.org/data/definitions/633.html → https://www.blackhat.com/docs/eu-17/materials/eu-17-Atkinson-A-Process-Is-No-One-Hunting-For-Token-Manipulation.pdf
external_references[2]['source_name']: Pentestlab Token Manipulation → Microsoft Command-line Logging
external_references[2]['description']: netbiosX. (2017, April 3). Token Manipulation. Retrieved April 21, 2017. → Mathers, B. (2017, March 7). Command line process auditing. Retrieved April 21, 2017.
external_references[2]['url']: https://pentestlab.blog/2017/04/03/token-manipulation/ → https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing
external_references[3]['source_name']: Microsoft Command-line Logging → Microsoft LogonUser
external_references[3]['description']: Mathers, B. (2017, March 7). Command line process auditing. Retrieved April 21, 2017. → Microsoft TechNet. (n.d.). Retrieved April 25, 2017.
external_references[3]['url']: https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing → https://msdn.microsoft.com/en-us/library/windows/desktop/aa378184(v=vs.85).aspx
external_references[4]['source_name']: Microsoft LogonUser → Microsoft DuplicateTokenEx
external_references[4]['url']: https://msdn.microsoft.com/en-us/library/windows/desktop/aa378184(v=vs.85).aspx → https://msdn.microsoft.com/en-us/library/windows/desktop/aa446617(v=vs.85).aspx
external_references[5]['source_name']: Microsoft DuplicateTokenEx → Microsoft ImpersonateLoggedOnUser
external_references[5]['url']: https://msdn.microsoft.com/en-us/library/windows/desktop/aa446617(v=vs.85).aspx → https://msdn.microsoft.com/en-us/library/windows/desktop/aa378612(v=vs.85).aspx
external_references[6]['source_name']: Microsoft ImpersonateLoggedOnUser → Pentestlab Token Manipulation
external_references[6]['description']: Microsoft TechNet. (n.d.). Retrieved April 25, 2017. → netbiosX. (2017, April 3). Token Manipulation. Retrieved April 21, 2017.
external_references[6]['url']: https://msdn.microsoft.com/en-us/library/windows/desktop/aa378612(v=vs.85).aspx → https://pentestlab.blog/2017/04/03/token-manipulation/
external_references[7]['source_name']: BlackHat Atkinson Winchester Token Manipulation → capec
external_references[7]['url']: https://www.blackhat.com/docs/eu-17/materials/eu-17-Atkinson-A-Process-Is-No-One-Hunting-For-Token-Manipulation.pdf → https://capec.mitre.org/data/definitions/633.html
x_mitre_data_sources[0]: Active Directory: Active Directory Object Modification → User Account: User Account Metadata
x_mitre_data_sources[1]: Command: Command Execution → Process: OS API Execution
x_mitre_data_sources[2]: Process: Process Creation → Process: Process Metadata
x_mitre_data_sources[3]: Process: Process Metadata → Process: Process Creation
x_mitre_data_sources[4]: Process: OS API Execution → Command: Command Execution
x_mitre_data_sources[5]: User Account: User Account Metadata → Active Directory: Active Directory Object Modification
x_mitre_defense_bypassed[1]: System access controls → Heuristic Detection
x_mitre_defense_bypassed[2]: File system access controls → System Access Controls
x_mitre_defense_bypassed[3]: Heuristic Detection → Host Forensic Analysis
iterable_item_removed
x_mitre_defense_bypassed: Host forensic analysis

[T1553.006] Subvert Trust Controls: Code Signing Policy Modification

Current version: 1.0

Details
dictionary_item_added
x_mitre_attack_spec_version: 2.1.0
x_mitre_deprecated: False
dictionary_item_removed
x_mitre_permissions_required: ['Administrator']
values_changed
modified: 2021-04-26 15:41:39.155000+00:00 → 2022-05-05 05:00:03.480000+00:00
external_references[1]['source_name']: Microsoft DSE June 2017 → Apple Disable SIP
external_references[1]['description']: Microsoft. (2017, June 1). Digital Signatures for Kernel Modules on Windows. Retrieved April 22, 2021. → Apple. (n.d.). Disabling and Enabling System Integrity Protection. Retrieved April 22, 2021.
external_references[1]['url']: https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653559(v=vs.85)?redirectedfrom=MSDN → https://developer.apple.com/documentation/security/disabling_and_enabling_system_integrity_protection
external_references[2]['source_name']: Apple Disable SIP → F-Secure BlackEnergy 2014
external_references[2]['description']: Apple. (n.d.). Disabling and Enabling System Integrity Protection. Retrieved April 22, 2021. → F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.
external_references[2]['url']: https://developer.apple.com/documentation/security/disabling_and_enabling_system_integrity_protection → https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf
external_references[3]['source_name']: Microsoft Unsigned Driver Apr 2017 → FireEye HIKIT Rootkit Part 2
external_references[3]['description']: Microsoft. (2017, April 20). Installing an Unsigned Driver during Development and Test. Retrieved April 22, 2021. → Glyer, C., Kazanciyan, R. (2012, August 22). The “Hikit” Rootkit: Advanced and Persistent Attack Techniques (Part 2). Retrieved May 4, 2020.
external_references[3]['url']: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/installing-an-unsigned-driver-during-development-and-test → https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-2.html
external_references[4]['source_name']: Microsoft TESTSIGNING Feb 2021 → Microsoft Unsigned Driver Apr 2017
external_references[4]['description']: Microsoft. (2021, February 15). Enable Loading of Test Signed Drivers. Retrieved April 22, 2021. → Microsoft. (2017, April 20). Installing an Unsigned Driver during Development and Test. Retrieved April 22, 2021.
external_references[4]['url']: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/the-testsigning-boot-configuration-option → https://docs.microsoft.com/en-us/windows-hardware/drivers/install/installing-an-unsigned-driver-during-development-and-test
external_references[5]['source_name']: FireEye HIKIT Rootkit Part 2 → Microsoft DSE June 2017
external_references[5]['description']: Glyer, C., Kazanciyan, R. (2012, August 22). The “Hikit” Rootkit: Advanced and Persistent Attack Techniques (Part 2). Retrieved May 4, 2020. → Microsoft. (2017, June 1). Digital Signatures for Kernel Modules on Windows. Retrieved April 22, 2021.
external_references[5]['url']: https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-2.html → https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653559(v=vs.85)?redirectedfrom=MSDN
external_references[6]['source_name']: GitHub Turla Driver Loader → Microsoft TESTSIGNING Feb 2021
external_references[6]['description']: TDL Project. (2016, February 4). TDL (Turla Driver Loader). Retrieved April 22, 2021. → Microsoft. (2021, February 15). Enable Loading of Test Signed Drivers. Retrieved April 22, 2021.
external_references[6]['url']: https://github.com/hfiref0x/TDL → https://docs.microsoft.com/en-us/windows-hardware/drivers/install/the-testsigning-boot-configuration-option
external_references[7]['source_name']: F-Secure BlackEnergy 2014 → Unit42 AcidBox June 2020
external_references[7]['description']: F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016. → Reichel, D. and Idrizovic, E. (2020, June 17). AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations. Retrieved March 16, 2021.
external_references[7]['url']: https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf → https://unit42.paloaltonetworks.com/acidbox-rare-malware/
external_references[8]['source_name']: Unit42 AcidBox June 2020 → GitHub Turla Driver Loader
external_references[8]['description']: Reichel, D. and Idrizovic, E. (2020, June 17). AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations. Retrieved March 16, 2021. → TDL Project. (2016, February 4). TDL (Turla Driver Loader). Retrieved April 22, 2021.
external_references[8]['url']: https://unit42.paloaltonetworks.com/acidbox-rare-malware/ → https://github.com/hfiref0x/TDL
x_mitre_data_sources[0]: Windows Registry: Windows Registry Key Modification → Command: Command Execution
x_mitre_data_sources[2]: Command: Command Execution → Windows Registry: Windows Registry Key Modification
iterable_item_added
x_mitre_defense_bypassed: Application Control
iterable_item_removed
x_mitre_defense_bypassed: Application control

[T1574.002] Hijack Execution Flow: DLL Side-Loading

Current version: 2.0

Details
dictionary_item_added
x_mitre_attack_spec_version: 2.1.0
x_mitre_deprecated: False
external_references: Amanda Steward. (2014). FireEye DLL Side-Loading: A Thorn in the Side of the Anti-Virus Industry. Retrieved March 13, 2020.
external_references: CAPEC-641
dictionary_item_removed
external_references: CAPEC-641
external_references: Amanda Steward. (2014). FireEye DLL Side-Loading: A Thorn in the Side of the Anti-Virus Industry. Retrieved March 13, 2020.
values_changed
modified: 2021-04-26 18:31:34.954000+00:00 → 2022-05-05 04:07:48.912000+00:00
external_references[1]['source_name']: capec → FireEye DLL Side-Loading
external_references[1]['url']: https://capec.mitre.org/data/definitions/641.html → https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf
external_references[2]['source_name']: FireEye DLL Side-Loading → capec
external_references[2]['url']: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf → https://capec.mitre.org/data/definitions/641.html
x_mitre_data_sources[0]: Process: Process Creation → File: File Modification
x_mitre_data_sources[1]: Module: Module Load → File: File Creation
x_mitre_data_sources[2]: File: File Creation → Module: Module Load
x_mitre_data_sources[3]: File: File Modification → Process: Process Creation
x_mitre_defense_bypassed[1]: Application control → Application Control

[T1140] Deobfuscate/Decode Files or Information

Current version: 1.1

Details
dictionary_item_added
x_mitre_attack_spec_version: 2.1.0
x_mitre_deprecated: False
x_mitre_is_subtechnique: False
dictionary_item_removed
x_mitre_permissions_required: ['User']
values_changed
modified: 2020-07-09 14:42:23.122000+00:00 → 2022-05-05 04:05:42.508000+00:00
external_references[1]['source_name']: Malwarebytes Targeted Attack against Saudi Arabia → Volexity PowerDuke November 2016
external_references[1]['description']: Malwarebytes Labs. (2017, March 27). New targeted attack against Saudi Arabia Government. Retrieved July 3, 2017. → Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
external_references[1]['url']: https://blog.malwarebytes.com/cybercrime/social-engineering-cybercrime/2017/03/new-targeted-attack-saudi-arabia-government/ → https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/
external_references[2]['source_name']: Carbon Black Obfuscation Sept 2016 → Malwarebytes Targeted Attack against Saudi Arabia
external_references[2]['description']: Tedesco, B. (2016, September 23). Security Alert Summary. Retrieved February 12, 2018. → Malwarebytes Labs. (2017, March 27). New targeted attack against Saudi Arabia Government. Retrieved July 3, 2017.
external_references[2]['url']: https://www.carbonblack.com/2016/09/23/security-advisory-variants-well-known-adware-families-discovered-include-sophisticated-obfuscation-techniques-previously-associated-nation-state-attacks/ → https://blog.malwarebytes.com/cybercrime/social-engineering-cybercrime/2017/03/new-targeted-attack-saudi-arabia-government/
external_references[3]['source_name']: Volexity PowerDuke November 2016 → Carbon Black Obfuscation Sept 2016
external_references[3]['description']: Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017. → Tedesco, B. (2016, September 23). Security Alert Summary. Retrieved February 12, 2018.
external_references[3]['url']: https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/ → https://www.carbonblack.com/2016/09/23/security-advisory-variants-well-known-adware-families-discovered-include-sophisticated-obfuscation-techniques-previously-associated-nation-state-attacks/
x_mitre_data_sources[0]: Script: Script Execution → File: File Modification
x_mitre_data_sources[2]: File: File Modification → Script: Script Execution
x_mitre_defense_bypassed[1]: Host intrusion prevention systems → Host Intrusion Prevention Systems
x_mitre_defense_bypassed[2]: Signature-based detection → Signature-based Detection
x_mitre_defense_bypassed[3]: Network intrusion detection system → Network Intrusion Detection System

[T1098.005] Account Manipulation: Device Registration

Current version: 1.0

Details
values_changed
modified: 2022-04-20 16:44:02.983000+00:00 → 2022-04-25 16:26:53.204000+00:00
x_mitre_data_sources[0]: User Account: User Account Modification → Application Log: Application Log Content
x_mitre_data_sources[2]: Application Log: Application Log Content → User Account: User Account Modification
iterable_item_added
x_mitre_contributors: Mike Moran

[T1574.004] Hijack Execution Flow: Dylib Hijacking

Current version: 2.0

Details
dictionary_item_added
x_mitre_attack_spec_version: 2.1.0
x_mitre_deprecated: False
external_references: Amanda Rousseau. (2020, April 4). MacOS Dylib Injection Workshop. Retrieved March 29, 2021.
external_references: CAPEC-471
dictionary_item_removed
external_references: CAPEC-471
external_references: Apple Inc.. (2012, July 7). Run-Path Dependent Libraries. Retrieved March 31, 2021.
values_changed
modified: 2021-04-27 20:19:15.212000+00:00 → 2022-05-05 04:08:30.203000+00:00
external_references[1]['source_name']: capec → MalwareUnicorn macOS Dylib Injection MachO
external_references[1]['url']: https://capec.mitre.org/data/definitions/471.html → https://malwareunicorn.org/workshops/macos_dylib_injection.html#5
external_references[2]['source_name']: Wardle Dylib Hijack Vulnerable Apps → Apple Developer Doco Archive Run-Path
external_references[2]['description']: Patrick Wardle. (2019, July 2). Getting Root with Benign AppStore Apps. Retrieved March 31, 2021. → Apple Inc.. (2012, July 7). Run-Path Dependent Libraries. Retrieved March 31, 2021.
external_references[2]['url']: https://objective-see.com/blog/blog_0x46.html → https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/RunpathDependentLibraries.html
external_references[4]['source_name']: Github EmpireProject HijackScanner → Writing Bad Malware for OSX
external_references[4]['description']: Wardle, P., Ross, C. (2017, September 21). Empire Project Dylib Hijack Vulnerability Scanner. Retrieved April 1, 2021. → Patrick Wardle. (2015). Writing Bad @$$ Malware for OS X. Retrieved July 10, 2017.
external_references[4]['url']: https://github.com/EmpireProject/Empire/blob/master/lib/modules/python/situational_awareness/host/osx/HijackScanner.py → https://www.blackhat.com/docs/us-15/materials/us-15-Wardle-Writing-Bad-A-Malware-For-OS-X.pdf
external_references[5]['source_name']: Github EmpireProject CreateHijacker Dylib → Wardle Dylib Hijack Vulnerable Apps
external_references[5]['description']: Wardle, P., Ross, C. (2018, April 8). EmpireProject Create Dylib Hijacker. Retrieved April 1, 2021. → Patrick Wardle. (2019, July 2). Getting Root with Benign AppStore Apps. Retrieved March 31, 2021.
external_references[5]['url']: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/persistence/osx/CreateHijacker.py → https://objective-see.com/blog/blog_0x46.html
external_references[6]['source_name']: Writing Bad Malware for OSX → wardle artofmalware volume1
external_references[6]['description']: Patrick Wardle. (2015). Writing Bad @$$ Malware for OS X. Retrieved July 10, 2017. → Patrick Wardle. (2020, August 5). The Art of Mac Malware Volume 0x1: Analysis. Retrieved March 19, 2021.
external_references[6]['url']: https://www.blackhat.com/docs/us-15/materials/us-15-Wardle-Writing-Bad-A-Malware-For-OS-X.pdf → https://taomm.org/vol1/pdfs.html
external_references[7]['source_name']: wardle artofmalware volume1 → Github EmpireProject HijackScanner
external_references[7]['description']: Patrick Wardle. (2020, August 5). The Art of Mac Malware Volume 0x1: Analysis. Retrieved March 19, 2021. → Wardle, P., Ross, C. (2017, September 21). Empire Project Dylib Hijack Vulnerability Scanner. Retrieved April 1, 2021.
external_references[7]['url']: https://taomm.org/vol1/pdfs.html → https://github.com/EmpireProject/Empire/blob/master/lib/modules/python/situational_awareness/host/osx/HijackScanner.py
external_references[8]['source_name']: MalwareUnicorn macOS Dylib Injection MachO → Github EmpireProject CreateHijacker Dylib
external_references[8]['description']: Amanda Rousseau. (2020, April 4). MacOS Dylib Injection Workshop. Retrieved March 29, 2021. → Wardle, P., Ross, C. (2018, April 8). EmpireProject Create Dylib Hijacker. Retrieved April 1, 2021.
external_references[8]['url']: https://malwareunicorn.org/workshops/macos_dylib_injection.html#5 → https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/persistence/osx/CreateHijacker.py
external_references[9]['source_name']: Apple Developer Doco Archive Run-Path → capec
external_references[9]['url']: https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/RunpathDependentLibraries.html → https://capec.mitre.org/data/definitions/471.html
x_mitre_defense_bypassed[0]: Application control → Application Control
iterable_item_added
x_mitre_data_sources: Module: Module Load
iterable_item_removed
x_mitre_data_sources: Module: Module Load

[T1480.001] Execution Guardrails: Environmental Keying

Current version: 1.0

Details
dictionary_item_added
x_mitre_attack_spec_version: 2.1.0
x_mitre_deprecated: False
dictionary_item_removed
x_mitre_permissions_required: ['User']
values_changed
modified: 2021-06-09 18:53:58.159000+00:00 → 2022-05-04 14:52:51.290000+00:00
external_references[1]['source_name']: EK Clueless Agents → Proofpoint Router Malvertising
external_references[1]['description']: Riordan, J., Schneier, B. (1998, June 18). Environmental Key Generation towards Clueless Agents. Retrieved January 18, 2019. → Kafeine. (2016, December 13). Home Routers Under Attack via Malvertising on Windows, Android Devices. Retrieved January 16, 2019.
external_references[1]['url']: https://www.schneier.com/academic/paperfiles/paper-clueless-agents.pdf → https://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices
external_references[3]['source_name']: Proofpoint Router Malvertising → Ebowla: Genetic Malware
external_references[3]['description']: Kafeine. (2016, December 13). Home Routers Under Attack via Malvertising on Windows, Android Devices. Retrieved January 16, 2019. → Morrow, T., Pitts, J. (2016, October 28). Genetic Malware: Designing Payloads for Specific Targets. Retrieved January 18, 2019.
external_references[3]['url']: https://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices → https://github.com/Genetic-Malware/Ebowla/blob/master/Eko_2016_Morrow_Pitts_Master.pdf
external_references[4]['source_name']: EK Impeding Malware Analysis → EK Clueless Agents
external_references[4]['description']: Song, C., et al. (2012, August 7). Impeding Automated Malware Analysis with Environment-sensitive Malware. Retrieved January 18, 2019. → Riordan, J., Schneier, B. (1998, June 18). Environmental Key Generation towards Clueless Agents. Retrieved January 18, 2019.
external_references[4]['url']: https://pdfs.semanticscholar.org/2721/3d206bc3c1e8c229fb4820b6af09e7f975da.pdf → https://www.schneier.com/academic/paperfiles/paper-clueless-agents.pdf
external_references[5]['source_name']: Environmental Keyed HTA → EK Impeding Malware Analysis
external_references[5]['description']: Warren, R. (2017, August 8). Smuggling HTA files in Internet Explorer/Edge. Retrieved January 16, 2019. → Song, C., et al. (2012, August 7). Impeding Automated Malware Analysis with Environment-sensitive Malware. Retrieved January 18, 2019.
external_references[5]['url']: https://research.nccgroup.com/2017/08/08/smuggling-hta-files-in-internet-explorer-edge/ → https://pdfs.semanticscholar.org/2721/3d206bc3c1e8c229fb4820b6af09e7f975da.pdf
external_references[6]['source_name']: Ebowla: Genetic Malware → Demiguise Guardrail Router Logo
external_references[6]['description']: Morrow, T., Pitts, J. (2016, October 28). Genetic Malware: Designing Payloads for Specific Targets. Retrieved January 18, 2019. → Warren, R. (2017, August 2). Demiguise: virginkey.js. Retrieved January 17, 2019.
external_references[6]['url']: https://github.com/Genetic-Malware/Ebowla/blob/master/Eko_2016_Morrow_Pitts_Master.pdf → https://github.com/nccgroup/demiguise/blob/master/examples/virginkey.js
external_references[7]['source_name']: Demiguise Guardrail Router Logo → Environmental Keyed HTA
external_references[7]['description']: Warren, R. (2017, August 2). Demiguise: virginkey.js. Retrieved January 17, 2019. → Warren, R. (2017, August 8). Smuggling HTA files in Internet Explorer/Edge. Retrieved January 16, 2019.
external_references[7]['url']: https://github.com/nccgroup/demiguise/blob/master/examples/virginkey.js → https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/august/smuggling-hta-files-in-internet-exploreredge/
x_mitre_data_sources[0]: Process: Process Creation → Command: Command Execution
x_mitre_data_sources[1]: Command: Command Execution → Process: Process Creation
x_mitre_defense_bypassed[1]: Host forensic analysis → Host Forensic Analysis
x_mitre_defense_bypassed[2]: Signature-based detection → Signature-based Detection
x_mitre_defense_bypassed[3]: Static file analysis → Static File Analysis

[T1480] Execution Guardrails

Current version: 1.1

Details
dictionary_item_added
x_mitre_attack_spec_version: 2.1.0
x_mitre_deprecated: False
x_mitre_is_subtechnique: False
dictionary_item_removed
x_mitre_permissions_required: ['User']
values_changed
modified: 2021-06-09 18:53:58.471000+00:00 → 2022-05-03 02:39:29.314000+00:00
external_references[1]['source_name']: FireEye Kevin Mandia Guardrails → FireEye Outlook Dec 2019
external_references[1]['description']: Shoorbajee, Z. (2018, June 1). Playing nice? FireEye CEO says U.S. malware is more restrained than adversaries'. Retrieved January 17, 2019. → McWhirt, M., Carr, N., Bienstock, D. (2019, December 4). Breaking the Rules: A Tough Outlook for Home Page Attacks (CVE-2017-11774). Retrieved June 23, 2020.
external_references[1]['url']: https://www.cyberscoop.com/kevin-mandia-fireeye-u-s-malware-nice/ → https://www.fireeye.com/blog/threat-research/2019/12/breaking-the-rules-tough-outlook-for-home-page-attacks.html
external_references[2]['source_name']: FireEye Outlook Dec 2019 → FireEye Kevin Mandia Guardrails
external_references[2]['description']: McWhirt, M., Carr, N., Bienstock, D. (2019, December 4). Breaking the Rules: A Tough Outlook for Home Page Attacks (CVE-2017-11774). Retrieved June 23, 2020. → Shoorbajee, Z. (2018, June 1). Playing nice? FireEye CEO says U.S. malware is more restrained than adversaries'. Retrieved January 17, 2019.
external_references[2]['url']: https://www.fireeye.com/blog/threat-research/2019/12/breaking-the-rules-tough-outlook-for-home-page-attacks.html → https://www.cyberscoop.com/kevin-mandia-fireeye-u-s-malware-nice/
x_mitre_data_sources[0]: Command: Command Execution → Process: Process Creation
x_mitre_data_sources[1]: Process: Process Creation → Command: Command Execution
x_mitre_defense_bypassed[1]: Host forensic analysis → Host Forensic Analysis
x_mitre_defense_bypassed[2]: Signature-based detection → Signature-based Detection
x_mitre_defense_bypassed[3]: Static file analysis → Static File Analysis

[T1553.001] Subvert Trust Controls: Gatekeeper Bypass

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | | 2.1.0
x_mitre_deprecated | | False
dictionary_item_removed
STIX Field | Old value | New value
x_mitre_permissions_required | ['User', 'Administrator'] |
values_changed
STIX Field | Old value | New value
modified | 2021-10-14 21:18:30.629000+00:00 | 2022-05-05 04:58:34.172000+00:00
external_references[1]['source_name'] | TheEclecticLightCompany apple notarization | theevilbit gatekeeper bypass 2021
external_references[1]['description'] | How Notarization Works. (2020, August 28). How notarization works. Retrieved September 13, 2021. | Csaba Fitzl. (2021, June 29). GateKeeper - Not a Bypass (Again). Retrieved September 22, 2021.
external_references[1]['url'] | https://eclecticlight.co/2020/08/28/how-notarization-works/ | https://theevilbit.github.io/posts/gatekeeper_not_a_bypass/
external_references[2]['source_name'] | Bypassing Gatekeeper | OceanLotus for OS X
external_references[2]['description'] | Thomas Reed. (2016, March 31). Bypassing Apple's Gatekeeper. Retrieved July 5, 2017. | Eddie Lee. (2016, February 17). OceanLotus for OS X - an Application Bundle Pretending to be an Adobe Flash Update. Retrieved July 5, 2017.
external_references[2]['url'] | https://blog.malwarebytes.com/cybercrime/2015/10/bypassing-apples-gatekeeper/ | https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update
external_references[3]['source_name'] | 20 macOS Common Tools and Techniques | TheEclecticLightCompany Quarantine and the flag
external_references[3]['description'] | Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021. | hoakley. (2020, October 29). Quarantine and the quarantine flag. Retrieved September 13, 2021.
external_references[3]['url'] | https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/ | https://eclecticlight.co/2020/10/29/quarantine-and-the-quarantine-flag/
external_references[4]['source_name'] | TheEclecticLightCompany Quarantine and the flag | TheEclecticLightCompany apple notarization
external_references[4]['description'] | hoakley. (2020, October 29). Quarantine and the quarantine flag. Retrieved September 13, 2021. | How Notarization Works. (2020, August 28). How notarization works. Retrieved September 13, 2021.
external_references[4]['url'] | https://eclecticlight.co/2020/10/29/quarantine-and-the-quarantine-flag/ | https://eclecticlight.co/2020/08/28/how-notarization-works/
external_references[5]['source_name'] | theevilbit gatekeeper bypass 2021 | Methods of Mac Malware Persistence
external_references[5]['description'] | Csaba Fitzl. (2021, June 29). GateKeeper - Not a Bypass (Again). Retrieved September 22, 2021. | Patrick Wardle. (2014, September). Methods of Malware Persistence on Mac OS X. Retrieved July 5, 2017.
external_references[5]['url'] | https://theevilbit.github.io/posts/gatekeeper_not_a_bypass/ | https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
external_references[6]['source_name'] | Methods of Mac Malware Persistence | 20 macOS Common Tools and Techniques
external_references[6]['description'] | Patrick Wardle. (2014, September). Methods of Malware Persistence on Mac OS X. Retrieved July 5, 2017. | Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
external_references[6]['url'] | https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf | https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
external_references[8]['source_name'] | OceanLotus for OS X | Bypassing Gatekeeper
external_references[8]['description'] | Eddie Lee. (2016, February 17). OceanLotus for OS X - an Application Bundle Pretending to be an Adobe Flash Update. Retrieved July 5, 2017. | Thomas Reed. (2016, March 31). Bypassing Apple's Gatekeeper. Retrieved July 5, 2017.
external_references[8]['url'] | https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update | https://blog.malwarebytes.com/cybercrime/2015/10/bypassing-apples-gatekeeper/
x_mitre_data_sources[0] | File: File Metadata | Process: Process Creation
x_mitre_data_sources[1] | Command: Command Execution | File: File Modification
x_mitre_data_sources[2] | File: File Modification | Command: Command Execution
x_mitre_data_sources[3] | Process: Process Creation | File: File Metadata
x_mitre_defense_bypassed[0] | Application control | Anti-virus
x_mitre_defense_bypassed[1] | Anti-virus | Application Control

[T1027.006] Obfuscated Files or Information: HTML Smuggling

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | | 2.1.0
x_mitre_deprecated | | False
dictionary_item_removed
STIX Field | Old value | New value
x_mitre_permissions_required | ['User'] |
values_changed
STIX Field | Old value | New value
modified | 2021-10-18 12:03:12.510000+00:00 | 2022-05-04 15:06:14.630000+00:00
external_references[1]['source_name'] | HTML Smuggling Menlo Security 2020 | Outlflank HTML Smuggling 2018
external_references[1]['description'] | Subramanian, K. (2020, August 18). New HTML Smuggling Attack Alert: Duri. Retrieved May 20, 2021. | Hegt, S. (2018, August 14). HTML smuggling explained. Retrieved May 20, 2021.
external_references[1]['url'] | https://www.menlosecurity.com/blog/new-attack-alert-duri | https://outflank.nl/blog/2018/08/14/html-smuggling-explained/
external_references[2]['source_name'] | Outlflank HTML Smuggling 2018 | MSTIC NOBELIUM May 2021
external_references[2]['description'] | Hegt, S. (2018, August 14). HTML smuggling explained. Retrieved May 20, 2021. | Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021.
external_references[2]['url'] | https://outflank.nl/blog/2018/08/14/html-smuggling-explained/ | https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/
external_references[3]['source_name'] | MSTIC NOBELIUM May 2021 | HTML Smuggling Menlo Security 2020
external_references[3]['description'] | Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021. | Subramanian, K. (2020, August 18). New HTML Smuggling Attack Alert: Duri. Retrieved May 20, 2021.
external_references[3]['url'] | https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/ | https://www.menlosecurity.com/blog/new-attack-alert-duri
x_mitre_defense_bypassed[0] | Web content filters | Anti-virus
x_mitre_defense_bypassed[1] | Anti-virus | Web Content Filters
x_mitre_defense_bypassed[2] | Static file analysis | Static File Analysis

[T1574] Hijack Execution Flow

Current version: 1.2

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | | 2.1.0
x_mitre_deprecated | | False
x_mitre_is_subtechnique | | False
values_changed
STIX Field | Old value | New value
modified | 2022-03-18 14:48:33.512000+00:00 | 2022-05-05 04:07:01.191000+00:00
x_mitre_data_sources[0] | Command: Command Execution | Service: Service Metadata
x_mitre_data_sources[1] | Windows Registry: Windows Registry Key Modification | Module: Module Load
x_mitre_data_sources[2] | File: File Creation | Process: Process Creation
x_mitre_data_sources[4] | Process: Process Creation | File: File Creation
x_mitre_data_sources[5] | Module: Module Load | Windows Registry: Windows Registry Key Modification
x_mitre_data_sources[6] | Service: Service Metadata | Command: Command Execution
x_mitre_defense_bypassed[1] | Application control | Application Control

[T1202] Indirect Command Execution

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | | 2.1.0
x_mitre_deprecated | | False
x_mitre_is_subtechnique | | False
dictionary_item_removed
STIX Field | Old value | New value
x_mitre_permissions_required | ['User'] |
values_changed
STIX Field | Old value | New value
modified | 2020-06-20 22:09:22.559000+00:00 | 2022-05-05 05:06:38.938000+00:00
external_references[1]['source_name'] | VectorSec ForFiles Aug 2017 | Evi1cg Forfiles Nov 2017
external_references[1]['description'] | vector_sec. (2017, August 11). Defenders watching launches of cmd? What about forfiles?. Retrieved January 22, 2018. | Evi1cg. (2017, November 26). block cmd.exe ? try this :. Retrieved January 22, 2018.
external_references[1]['url'] | https://twitter.com/vector_sec/status/896049052642533376 | https://twitter.com/Evi1cg/status/935027922397573120
external_references[2]['source_name'] | Evi1cg Forfiles Nov 2017 | RSA Forfiles Aug 2017
external_references[2]['description'] | Evi1cg. (2017, November 26). block cmd.exe ? try this :. Retrieved January 22, 2018. | Partington, E. (2017, August 14). Are you looking out for forfiles.exe (if you are watching for cmd.exe). Retrieved January 22, 2018.
external_references[2]['url'] | https://twitter.com/Evi1cg/status/935027922397573120 | https://community.rsa.com/community/products/netwitness/blog/2017/08/14/are-you-looking-out-for-forfilesexe-if-you-are-watching-for-cmdexe
external_references[3]['source_name'] | RSA Forfiles Aug 2017 | VectorSec ForFiles Aug 2017
external_references[3]['description'] | Partington, E. (2017, August 14). Are you looking out for forfiles.exe (if you are watching for cmd.exe). Retrieved January 22, 2018. | vector_sec. (2017, August 11). Defenders watching launches of cmd? What about forfiles?. Retrieved January 22, 2018.
external_references[3]['url'] | https://community.rsa.com/community/products/netwitness/blog/2017/08/14/are-you-looking-out-for-forfilesexe-if-you-are-watching-for-cmdexe | https://twitter.com/vector_sec/status/896049052642533376
x_mitre_data_sources[0] | Command: Command Execution | Process: Process Creation
x_mitre_data_sources[1] | Process: Process Creation | Command: Command Execution
x_mitre_defense_bypassed[1] | Application control | Application Control
iterable_item_removed
STIX Field | Old value | New value
x_mitre_defense_bypassed | Application control by file name or path |

[T1553.005] Subvert Trust Controls: Mark-of-the-Web Bypass

Current version: 1.1

Details
values_changed
STIX Field | Old value | New value
modified | 2022-04-16 20:03:39.460000+00:00 | 2022-05-05 04:59:32.535000+00:00
x_mitre_data_sources[0] | File: File Metadata | File: File Creation
x_mitre_data_sources[1] | File: File Creation | File: File Metadata
x_mitre_defense_bypassed[0] | Anti-virus, Application control | Anti-virus
iterable_item_added
STIX Field | Old value | New value
x_mitre_defense_bypassed | | Application Control
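
The rows above are the output of a field-level comparison of the v11.0 and v11.1 STIX objects: top-level keys that appear only in the new object are reported as dictionary_item_added, keys that disappeared as dictionary_item_removed, list entries compared position by position as values_changed (which is why a reordered x_mitre_data_sources list shows up as several "changed" rows), and surplus list entries as iterable_item_added or iterable_item_removed. The following is an added example, written for this page and not the ATT&CK project's changelog generator, of a minimal comparison that emits the same five categories. The two objects are constructed here from the rows shown for T1553.005 (the data-source reorder and the split of "Anti-virus, Application control" into two entries) plus the x_mitre_attack_spec_version and x_mitre_permissions_required rows that appear on neighbouring entries; they are not the real STIX objects, and the function names are this example's own.

```python
"""Field-level diff of two STIX technique objects, reported in the
categories this changelog uses. Added example, not ATT&CK project code."""
from typing import Any

CATEGORIES = (
    "dictionary_item_added",
    "dictionary_item_removed",
    "values_changed",
    "iterable_item_added",
    "iterable_item_removed",
)


def diff_stix_objects(old: dict[str, Any], new: dict[str, Any]) -> dict[str, list]:
    """Return {category: [(field, old_value, new_value), ...]}.

    Scalars are compared directly; lists are compared index by index (so a
    reordered list yields one values_changed row per shifted slot, as on this
    page) and surplus entries on either side become iterable_item_added /
    iterable_item_removed; nested dicts (external_references[n]) recurse with
    the same ['key'] path notation the page uses.
    """
    out: dict[str, list] = {c: [] for c in CATEGORIES}
    for key in sorted(set(old) | set(new)):
        if key not in old:
            out["dictionary_item_added"].append((key, None, new[key]))
        elif key not in new:
            out["dictionary_item_removed"].append((key, old[key], None))
        else:
            _diff_value(key, old[key], new[key], out)
    return out


def _diff_value(path: str, a: Any, b: Any, out: dict[str, list]) -> None:
    if isinstance(a, list) and isinstance(b, list):
        common = min(len(a), len(b))
        for i in range(common):
            _diff_value(f"{path}[{i}]", a[i], b[i], out)
        for item in b[common:]:
            out["iterable_item_added"].append((path, None, item))
        for item in a[common:]:
            out["iterable_item_removed"].append((path, item, None))
    elif isinstance(a, dict) and isinstance(b, dict):
        for key in sorted(set(a) | set(b)):
            sub = f"{path}['{key}']"
            if key not in a:
                out["dictionary_item_added"].append((sub, None, b[key]))
            elif key not in b:
                out["dictionary_item_removed"].append((sub, a[key], None))
            else:
                _diff_value(sub, a[key], b[key], out)
    elif a != b:
        out["values_changed"].append((path, a, b))


def classify(old: dict[str, Any], new: dict[str, Any]) -> str:
    """'version_change' if x_mitre_version moved (the page's 'Version changed
    from' entries), otherwise 'patch' for metadata-only edits like the ones
    in this section. Label names are this example's own."""
    return "version_change" if old.get("x_mitre_version") != new.get("x_mitre_version") else "patch"


def render(diff: dict[str, list]) -> list[str]:
    """Flatten a diff into 'field | old | new' lines grouped by category."""
    lines: list[str] = []
    for cat, rows in diff.items():
        if not rows:
            continue
        lines.append(cat)
        lines.append("STIX Field | Old value | New value")
        for field, old, new in rows:
            lines.append(f"{field} | {'' if old is None else old} | {'' if new is None else new}")
    return lines


# Constructed sample objects (not the real STIX for T1553.005).
OLD_T1553_005 = {
    "x_mitre_version": "1.1",
    "modified": "2022-04-16 20:03:39.460000+00:00",
    "x_mitre_data_sources": ["File: File Metadata", "File: File Creation"],
    "x_mitre_defense_bypassed": ["Anti-virus, Application control"],
    "x_mitre_permissions_required": ["User"],
}
NEW_T1553_005 = {
    "x_mitre_version": "1.1",
    "modified": "2022-05-05 04:59:32.535000+00:00",
    "x_mitre_attack_spec_version": "2.1.0",
    "x_mitre_data_sources": ["File: File Creation", "File: File Metadata"],
    "x_mitre_defense_bypassed": ["Anti-virus", "Application Control"],
}

if __name__ == "__main__":
    print(classify(OLD_T1553_005, NEW_T1553_005))
    print("\n".join(render(diff_stix_objects(OLD_T1553_005, NEW_T1553_005))))
```

Because list entries are matched by index, a pure reorder of x_mitre_data_sources produces "changed" rows even though the set of data sources is identical; when triaging a changelog for new detection coverage, compare the lists as sets before reading the positional rows.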

[T1036] Masquerading

Current version: 1.4

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | | 2.1.0
x_mitre_deprecated | | False
x_mitre_is_subtechnique | | False
external_references | | Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading. Retrieved April 22, 2019.
external_references | | CAPEC-177
dictionary_item_removed
STIX Field | Old value | New value
external_references | CAPEC-177 |
external_references | Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading. Retrieved April 22, 2019. |
values_changed
STIX Field | Old value | New value
modified | 2021-10-18 13:24:52.973000+00:00 | 2022-05-05 04:56:08.978000+00:00
external_references[1]['source_name'] | capec | Twitter ItsReallyNick Masquerading Update
external_references[1]['url'] | https://capec.mitre.org/data/definitions/177.html | https://twitter.com/ItsReallyNick/status/1055321652777619457
external_references[2]['source_name'] | LOLBAS Main Site | Elastic Masquerade Ball
external_references[2]['description'] | LOLBAS. (n.d.). Living Off The Land Binaries and Scripts (and also Libraries). Retrieved February 10, 2020. | Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball. Retrieved October 31, 2016.
external_references[2]['url'] | https://lolbas-project.github.io/ | http://pages.endgame.com/rs/627-YBU-612/images/EndgameJournal_The%20Masquerade%20Ball_Pages_R2.pdf
external_references[3]['source_name'] | Elastic Masquerade Ball | LOLBAS Main Site
external_references[3]['description'] | Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball. Retrieved October 31, 2016. | LOLBAS. (n.d.). Living Off The Land Binaries and Scripts (and also Libraries). Retrieved February 10, 2020.
external_references[3]['url'] | http://pages.endgame.com/rs/627-YBU-612/images/EndgameJournal_The%20Masquerade%20Ball_Pages_R2.pdf | https://lolbas-project.github.io/
external_references[4]['source_name'] | Twitter ItsReallyNick Masquerading Update | capec
external_references[4]['url'] | https://twitter.com/ItsReallyNick/status/1055321652777619457 | https://capec.mitre.org/data/definitions/177.html
x_mitre_data_sources[0] | Process: Process Metadata | File: File Modification
x_mitre_data_sources[1] | Scheduled Job: Scheduled Job Modification | Service: Service Creation
x_mitre_data_sources[2] | Image: Image Metadata | Service: Service Metadata
x_mitre_data_sources[3] | Command: Command Execution | Scheduled Job: Scheduled Job Metadata
x_mitre_data_sources[5] | Scheduled Job: Scheduled Job Metadata | Command: Command Execution
x_mitre_data_sources[6] | Service: Service Metadata | Image: Image Metadata
x_mitre_data_sources[7] | Service: Service Creation | Scheduled Job: Scheduled Job Modification
x_mitre_data_sources[8] | File: File Modification | Process: Process Metadata
x_mitre_defense_bypassed[0] | Application control by file name or path | Application Control

[T1036.005] Masquerading: Match Legitimate Name or Location

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | | 2.1.0
x_mitre_deprecated | | False
external_references | | Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading. Retrieved April 22, 2019.
external_references | | CAPEC-177
dictionary_item_removed
STIX Field | Old value | New value
external_references | CAPEC-177 |
external_references | Docker. (n.d.). Docker Images. Retrieved April 6, 2021. |
values_changed
STIX Field | Old value | New value
modified | 2021-04-20 19:23:37.762000+00:00 | 2022-05-05 04:56:50.197000+00:00
external_references[1]['source_name'] | capec | Twitter ItsReallyNick Masquerading Update
external_references[1]['url'] | https://capec.mitre.org/data/definitions/177.html | https://twitter.com/ItsReallyNick/status/1055321652777619457
external_references[2]['source_name'] | Elastic Masquerade Ball | Docker Images
external_references[2]['description'] | Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball. Retrieved October 31, 2016. | Docker. (n.d.). Docker Images. Retrieved April 6, 2021.
external_references[2]['url'] | http://pages.endgame.com/rs/627-YBU-612/images/EndgameJournal_The%20Masquerade%20Ball_Pages_R2.pdf | https://docs.docker.com/engine/reference/commandline/images/
external_references[3]['source_name'] | Twitter ItsReallyNick Masquerading Update | Elastic Masquerade Ball
external_references[3]['description'] | Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading. Retrieved April 22, 2019. | Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball. Retrieved October 31, 2016.
external_references[3]['url'] | https://twitter.com/ItsReallyNick/status/1055321652777619457 | http://pages.endgame.com/rs/627-YBU-612/images/EndgameJournal_The%20Masquerade%20Ball_Pages_R2.pdf
external_references[4]['source_name'] | Docker Images | capec
external_references[4]['url'] | https://docs.docker.com/engine/reference/commandline/images/ | https://capec.mitre.org/data/definitions/177.html
x_mitre_data_sources[0] | File: File Metadata | Image: Image Metadata
x_mitre_data_sources[2] | Image: Image Metadata | File: File Metadata
x_mitre_defense_bypassed[0] | Application control by file name or path | Application Control

[T1599] Network Boundary Bridging

Current version: 1.1

Details
values_changed
STIX Field | Old value | New value
modified | 2022-04-19 21:44:17.057000+00:00 | 2022-05-05 05:05:44.200000+00:00
x_mitre_data_sources[0] | Network Traffic: Network Traffic Content | Network Traffic: Network Traffic Flow
x_mitre_data_sources[1] | Network Traffic: Network Traffic Flow | Network Traffic: Network Traffic Content
x_mitre_defense_bypassed[0] | Router ACL | Firewall
x_mitre_defense_bypassed[1] | Firewall | System Access Controls

[T1027] Obfuscated Files or Information

Current version: 1.2

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | | 2.1.0
x_mitre_deprecated | | False
x_mitre_is_subtechnique | | False
external_references | | Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
external_references | | CAPEC-267
dictionary_item_removed
STIX Field | Old value | New value
external_references | CAPEC-267 |
external_references | Carr, N. (2016, August 14). OfficeCrackros. Retrieved February 12, 2018. |
values_changed
STIX Field | Old value | New value
modified | 2022-03-11 16:45:38.033000+00:00 | 2022-05-05 05:08:05.584000+00:00
external_references[1]['source_name'] | capec | Volexity PowerDuke November 2016
external_references[1]['url'] | https://capec.mitre.org/data/definitions/267.html | https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/
external_references[2]['source_name'] | Volexity PowerDuke November 2016 | GitHub Revoke-Obfuscation
external_references[2]['description'] | Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017. | Bohannon, D. (2017, July 27). Revoke-Obfuscation. Retrieved February 12, 2018.
external_references[2]['url'] | https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/ | https://github.com/danielbohannon/Revoke-Obfuscation
external_references[3]['source_name'] | Linux/Cdorked.A We Live Security Analysis | FireEye Obfuscation June 2017
external_references[3]['description'] | Pierre-Marc Bureau. (2013, April 26). Linux/Cdorked.A: New Apache backdoor being used in the wild to serve Blackhole. Retrieved September 10, 2017. | Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018.
external_references[3]['url'] | https://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/ | https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html
external_references[4]['source_name'] | Carbon Black Obfuscation Sept 2016 | FireEye Revoke-Obfuscation July 2017
external_references[4]['description'] | Tedesco, B. (2016, September 23). Security Alert Summary. Retrieved February 12, 2018. | Bohannon, D. & Holmes, L. (2017, July 27). Revoke-Obfuscation: PowerShell Obfuscation Detection Using Science. Retrieved February 12, 2018.
external_references[4]['url'] | https://www.carbonblack.com/2016/09/23/security-advisory-variants-well-known-adware-families-discovered-include-sophisticated-obfuscation-techniques-previously-associated-nation-state-attacks/ | https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/revoke-obfuscation-report.pdf
external_references[5]['source_name'] | FireEye Obfuscation June 2017 | GitHub Office-Crackros Aug 2016
external_references[5]['description'] | Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018. | Carr, N. (2016, August 14). OfficeCrackros. Retrieved February 12, 2018.
external_references[5]['url'] | https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html | https://github.com/itsreallynick/office-crackros
external_references[6]['source_name'] | FireEye Revoke-Obfuscation July 2017 | Linux/Cdorked.A We Live Security Analysis
external_references[6]['description'] | Bohannon, D. & Holmes, L. (2017, July 27). Revoke-Obfuscation: PowerShell Obfuscation Detection Using Science. Retrieved February 12, 2018. | Pierre-Marc Bureau. (2013, April 26). Linux/Cdorked.A: New Apache backdoor being used in the wild to serve Blackhole. Retrieved September 10, 2017.
external_references[6]['url'] | https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/revoke-obfuscation-report.pdf | https://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/
external_references[7]['source_name'] | PaloAlto EncodedCommand March 2017 | Carbon Black Obfuscation Sept 2016
external_references[7]['description'] | White, J. (2017, March 10). Pulling Back the Curtains on EncodedCommand PowerShell Attacks. Retrieved February 12, 2018. | Tedesco, B. (2016, September 23). Security Alert Summary. Retrieved February 12, 2018.
external_references[7]['url'] | https://researchcenter.paloaltonetworks.com/2017/03/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/ | https://www.carbonblack.com/2016/09/23/security-advisory-variants-well-known-adware-families-discovered-include-sophisticated-obfuscation-techniques-previously-associated-nation-state-attacks/
external_references[8]['source_name'] | GitHub Revoke-Obfuscation | PaloAlto EncodedCommand March 2017
external_references[8]['description'] | Bohannon, D. (2017, July 27). Revoke-Obfuscation. Retrieved February 12, 2018. | White, J. (2017, March 10). Pulling Back the Curtains on EncodedCommand PowerShell Attacks. Retrieved February 12, 2018.
external_references[8]['url'] | https://github.com/danielbohannon/Revoke-Obfuscation | https://researchcenter.paloaltonetworks.com/2017/03/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/
external_references[9]['source_name'] | GitHub Office-Crackros Aug 2016 | capec
external_references[9]['url'] | https://github.com/itsreallynick/office-crackros | https://capec.mitre.org/data/definitions/267.html
x_mitre_data_sources[0] | Process: Process Creation | Command: Command Execution
x_mitre_data_sources[1] | File: File Metadata | File: File Creation
x_mitre_data_sources[2] | File: File Creation | File: File Metadata
x_mitre_data_sources[3] | Command: Command Execution | Process: Process Creation
x_mitre_defense_bypassed[0] | Host forensic analysis | Host Forensic Analysis
x_mitre_defense_bypassed[1] | Signature-based detection | Signature-based Detection
x_mitre_defense_bypassed[2] | Host intrusion prevention systems | Host Intrusion Prevention Systems
x_mitre_defense_bypassed[3] | Application control | Application Control
x_mitre_defense_bypassed[4] | Log analysis | Log Analysis
iterable_item_removed
STIX Field | Old value | New value
x_mitre_defense_bypassed | Application control by file name or path |

[T1134.004] Access Token Manipulation: Parent PID Spoofing

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | | 2.1.0
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New value
modified | 2021-02-09 14:11:20.296000+00:00 | 2022-05-03 02:15:42.360000+00:00
external_references[1]['source_name'] | DidierStevens SelectMyParent Nov 2009 | XPNSec PPID Nov 2017
external_references[1]['description'] | Stevens, D. (2009, November 22). Quickpost: SelectMyParent or Playing With the Windows Process Tree. Retrieved June 3, 2019. | Chester, A. (2017, November 20). Alternative methods of becoming SYSTEM. Retrieved June 4, 2019.
external_references[1]['url'] | https://blog.didierstevens.com/2009/11/22/quickpost-selectmyparent-or-playing-with-the-windows-process-tree/ | https://blog.xpnsec.com/becoming-system/
external_references[2]['source_name'] | Microsoft UAC Nov 2018 | CounterCept PPID Spoofing Dec 2018
external_references[2]['description'] | Montemayor, D. et al.. (2018, November 15). How User Account Control works. Retrieved June 3, 2019. | Loh, I. (2018, December 21). Detecting Parent PID Spoofing. Retrieved June 3, 2019.
external_references[2]['url'] | https://docs.microsoft.com/windows/security/identity-protection/user-account-control/how-user-account-control-works | https://www.countercept.com/blog/detecting-parent-pid-spoofing/
external_references[3]['source_name'] | CounterCept PPID Spoofing Dec 2018 | Microsoft UAC Nov 2018
external_references[3]['description'] | Loh, I. (2018, December 21). Detecting Parent PID Spoofing. Retrieved June 3, 2019. | Montemayor, D. et al.. (2018, November 15). How User Account Control works. Retrieved June 3, 2019.
external_references[3]['url'] | https://www.countercept.com/blog/detecting-parent-pid-spoofing/ | https://docs.microsoft.com/windows/security/identity-protection/user-account-control/how-user-account-control-works
external_references[4]['source_name'] | CTD PPID Spoofing Macro Mar 2019 | Microsoft Process Creation Flags May 2018
external_references[4]['description'] | Tafani-Dereeper, C. (2019, March 12). Building an Office macro to spoof parent processes and command line arguments. Retrieved June 3, 2019. | Schofield, M. & Satran, M. (2018, May 30). Process Creation Flags. Retrieved June 4, 2019.
external_references[4]['url'] | https://blog.christophetd.fr/building-an-office-macro-to-spoof-process-parent-and-command-line/ | https://docs.microsoft.com/windows/desktop/ProcThread/process-creation-flags
external_references[5]['source_name'] | XPNSec PPID Nov 2017 | Secuirtyinbits Ataware3 May 2019
external_references[5]['description'] | Chester, A. (2017, November 20). Alternative methods of becoming SYSTEM. Retrieved June 4, 2019. | Secuirtyinbits . (2019, May 14). Parent PID Spoofing (Stage 2) Ataware Ransomware Part 3. Retrieved June 6, 2019.
external_references[5]['url'] | https://blog.xpnsec.com/becoming-system/ | https://www.securityinbits.com/malware-analysis/parent-pid-spoofing-stage-2-ataware-ransomware-part-3
external_references[6]['source_name'] | Microsoft Process Creation Flags May 2018 | DidierStevens SelectMyParent Nov 2009
external_references[6]['description'] | Schofield, M. & Satran, M. (2018, May 30). Process Creation Flags. Retrieved June 4, 2019. | Stevens, D. (2009, November 22). Quickpost: SelectMyParent or Playing With the Windows Process Tree. Retrieved June 3, 2019.
external_references[6]['url'] | https://docs.microsoft.com/windows/desktop/ProcThread/process-creation-flags | https://blog.didierstevens.com/2009/11/22/quickpost-selectmyparent-or-playing-with-the-windows-process-tree/
external_references[7]['source_name'] | Secuirtyinbits Ataware3 May 2019 | CTD PPID Spoofing Macro Mar 2019
external_references[7]['description'] | Secuirtyinbits . (2019, May 14). Parent PID Spoofing (Stage 2) Ataware Ransomware Part 3. Retrieved June 6, 2019. | Tafani-Dereeper, C. (2019, March 12). Building an Office macro to spoof parent processes and command line arguments. Retrieved June 3, 2019.
external_references[7]['url'] | https://www.securityinbits.com/malware-analysis/parent-pid-spoofing-stage-2-ataware-ransomware-part-3 | https://blog.christophetd.fr/building-an-office-macro-to-spoof-process-parent-and-command-line/
x_mitre_data_sources[0] | Process: Process Creation | Process: OS API Execution
x_mitre_data_sources[2] | Process: OS API Execution | Process: Process Creation
x_mitre_defense_bypassed[1] | Host forensic analysis | Host Forensic Analysis

[T1574.007] Hijack Execution Flow: Path Interception by PATH Environment Variable

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | | 2.1.0
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New value
modified | 2020-09-16 16:56:34.583000+00:00 | 2022-05-05 04:08:56.402000+00:00
x_mitre_data_sources[0] | File: File Modification | Process: Process Creation
x_mitre_data_sources[1] | File: File Creation | Windows Registry: Windows Registry Key Modification
x_mitre_data_sources[2] | Windows Registry: Windows Registry Key Modification | File: File Creation
x_mitre_data_sources[3] | Process: Process Creation | File: File Modification
x_mitre_defense_bypassed[0] | Application control | Application Control

[T1564.009] Hide Artifacts: Resource Forking

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | | 2.1.0
x_mitre_deprecated | | False
dictionary_item_removed
STIX Field | Old value | New value
x_mitre_permissions_required | ['User'] |
values_changed
STIX Field | Old value | New value
modified | 2021-10-16 01:50:40.276000+00:00 | 2022-05-05 05:10:23.890000+00:00
external_references[1]['source_name'] | macOS Hierarchical File System Overview | tau bundlore erika noerenberg 2020
external_references[1]['description'] | Tenon. (n.d.). Retrieved October 12, 2021. | Erika Noerenberg. (2020, June 29). TAU Threat Analysis: Bundlore (macOS) mm-install-macos. Retrieved October 12, 2021.
external_references[1]['url'] | http://tenon.com/products/codebuilder/User_Guide/6_File_Systems.html#anchor520553 | https://blogs.vmware.com/security/2020/06/tau-threat-analysis-bundlore-macos-mm-install-macos.html
external_references[5]['source_name'] | tau bundlore erika noerenberg 2020 | macOS Hierarchical File System Overview
external_references[5]['description'] | Erika Noerenberg. (2020, June 29). TAU Threat Analysis: Bundlore (macOS) mm-install-macos. Retrieved October 12, 2021. | Tenon. (n.d.). Retrieved October 12, 2021.
external_references[5]['url'] | https://blogs.vmware.com/security/2020/06/tau-threat-analysis-bundlore-macos-mm-install-macos.html | http://tenon.com/products/codebuilder/User_Guide/6_File_Systems.html#anchor520553
x_mitre_data_sources[0] | File: File Metadata | Process: Process Creation
x_mitre_data_sources[1] | File: File Creation | Command: Command Execution
x_mitre_data_sources[2] | Command: Command Execution | File: File Creation
x_mitre_data_sources[3] | Process: Process Creation | File: File Metadata
x_mitre_defense_bypassed[0] | Notarization; Gatekeeper | Notarization
iterable_item_added
STIX Field | Old value | New value
x_mitre_defense_bypassed | | Gatekeeper

[T1014] Rootkit

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | | 2.1.0
x_mitre_deprecated | | False
x_mitre_is_subtechnique | | False
external_references | | Kurtz, G. (2012, November 19). HTTP iframe Injecting Linux Rootkit. Retrieved December 21, 2017.
external_references | | CAPEC-552
dictionary_item_removed
STIX Field | Old value | New value
x_mitre_permissions_required | ['Administrator', 'SYSTEM', 'root'] |
external_references | CAPEC-552 |
external_references | Pan, M., Tsai, S. (2014). You can’t see me: A Mac OS X Rootkit uses the tricks you haven't known yet. Retrieved December 21, 2017. |
values_changed
STIX Field | Old value | New value
modified | 2020-06-20 22:29:55.496000+00:00 | 2022-05-05 05:09:39.723000+00:00
external_references[1]['source_name'] | capec | CrowdStrike Linux Rootkit
external_references[1]['url'] | https://capec.mitre.org/data/definitions/552.html | https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/
external_references[2]['source_name'] | Symantec Windows Rootkits | BlackHat Mac OSX Rootkit
external_references[2]['description'] | Symantec. (n.d.). Windows Rootkit Overview. Retrieved December 21, 2017. | Pan, M., Tsai, S. (2014). You can’t see me: A Mac OS X Rootkit uses the tricks you haven't known yet. Retrieved December 21, 2017.
external_references[2]['url'] | https://www.symantec.com/avcenter/reference/windows.rootkit.overview.pdf | http://www.blackhat.com/docs/asia-14/materials/Tsai/WP-Asia-14-Tsai-You-Cant-See-Me-A-Mac-OS-X-Rootkit-Uses-The-Tricks-You-Havent-Known-Yet.pdf
external_references[3]['source_name'] | Wikipedia Rootkit | Symantec Windows Rootkits
external_references[3]['description'] | Wikipedia. (2016, June 1). Rootkit. Retrieved June 2, 2016. | Symantec. (n.d.). Windows Rootkit Overview. Retrieved December 21, 2017.
external_references[3]['url'] | https://en.wikipedia.org/wiki/Rootkit | https://www.symantec.com/avcenter/reference/windows.rootkit.overview.pdf
external_references[4]['source_name'] | CrowdStrike Linux Rootkit | Wikipedia Rootkit
external_references[4]['description'] | Kurtz, G. (2012, November 19). HTTP iframe Injecting Linux Rootkit. Retrieved December 21, 2017. | Wikipedia. (2016, June 1). Rootkit. Retrieved June 2, 2016.
external_references[4]['url'] | https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/ | https://en.wikipedia.org/wiki/Rootkit
external_references[5]['source_name'] | BlackHat Mac OSX Rootkit | capec
external_references[5]['url'] | http://www.blackhat.com/docs/asia-14/materials/Tsai/WP-Asia-14-Tsai-You-Cant-See-Me-A-Mac-OS-X-Rootkit-Uses-The-Tricks-You-Havent-Known-Yet.pdf | https://capec.mitre.org/data/definitions/552.html
x_mitre_data_sources[0] | File: File Modification | Firmware: Firmware Modification
x_mitre_data_sources[2] | Firmware: Firmware Modification | File: File Modification
x_mitre_defense_bypassed[0] | File monitoring | Anti-virus
x_mitre_defense_bypassed[1] | Host intrusion prevention systems | File Monitoring
x_mitre_defense_bypassed[2] | Application control | Host Intrusion Prevention Systems
x_mitre_defense_bypassed[3] | Signature-based detection | Application Control
x_mitre_defense_bypassed[4] | System access controls | Signature-based Detection
x_mitre_defense_bypassed[5] | Application control by file name or path | System Access Controls
iterable_item_removed
STIX Field | Old value | New value
x_mitre_defense_bypassed | Anti-virus |

[T1553.003] Subvert Trust Controls: SIP and Trust Provider Hijacking

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_attack_spec_version | | 2.1.0
x_mitre_deprecated | | False
dictionary_item_removed
STIX Field | Old value | New Value
x_mitre_permissions_required | ['SYSTEM', 'Administrator'] |
values_changed
STIX Field | Old value | New Value
modified | 2021-02-09 15:58:04.719000+00:00 | 2022-05-05 04:58:58.214000+00:00
external_references[1]['source_name'] | Microsoft Authenticode | Entrust Enable CAPI2 Aug 2017
external_references[1]['description'] | Microsoft. (n.d.). Authenticode. Retrieved January 31, 2018. | Entrust Datacard. (2017, August 16). How do I enable CAPI 2.0 logging in Windows Vista, Windows 7 and Windows 2008 Server?. Retrieved January 31, 2018.
external_references[1]['url'] | https://msdn.microsoft.com/library/ms537359.aspx | http://www.entrust.net/knowledge-base/technote.cfm?tn=8165
external_references[2]['source_name'] | Microsoft WinVerifyTrust | GitHub SIP POC Sept 2017
external_references[2]['description'] | Microsoft. (n.d.). WinVerifyTrust function. Retrieved January 31, 2018. | Graeber, M. (2017, September 14). PoCSubjectInterfacePackage. Retrieved January 31, 2018.
external_references[2]['url'] | https://msdn.microsoft.com/library/windows/desktop/aa388208.aspx | https://github.com/mattifestation/PoCSubjectInterfacePackage
external_references[4]['source_name'] | EduardosBlog SIPs July 2008 | Microsoft Catalog Files and Signatures April 2017
external_references[4]['description'] | Navarro, E. (2008, July 11). SIP’s (Subject Interface Package) and Authenticode. Retrieved January 31, 2018. | Hudek, T. (2017, April 20). Catalog Files and Digital Signatures. Retrieved January 31, 2018.
external_references[4]['url'] | https://blogs.technet.microsoft.com/eduardonavarro/2008/07/11/sips-subject-interface-package-and-authenticode/ | https://docs.microsoft.com/windows-hardware/drivers/install/catalog-files
external_references[5]['source_name'] | Microsoft Catalog Files and Signatures April 2017 | Microsoft Audit Registry July 2012
external_references[5]['description'] | Hudek, T. (2017, April 20). Catalog Files and Digital Signatures. Retrieved January 31, 2018. | Microsoft. (2012, July 2). Audit Registry. Retrieved January 31, 2018.
external_references[5]['url'] | https://docs.microsoft.com/windows-hardware/drivers/install/catalog-files | https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd941614(v=ws.10)
external_references[6]['source_name'] | GitHub SIP POC Sept 2017 | Microsoft Registry Auditing Aug 2016
external_references[6]['description'] | Graeber, M. (2017, September 14). PoCSubjectInterfacePackage. Retrieved January 31, 2018. | Microsoft. (2016, August 31). Registry (Global Object Access Auditing). Retrieved January 31, 2018.
external_references[6]['url'] | https://github.com/mattifestation/PoCSubjectInterfacePackage | https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn311461(v=ws.11)
external_references[7]['source_name'] | Entrust Enable CAPI2 Aug 2017 | Microsoft Authenticode
external_references[7]['description'] | Entrust Datacard. (2017, August 16). How do I enable CAPI 2.0 logging in Windows Vista, Windows 7 and Windows 2008 Server?. Retrieved January 31, 2018. | Microsoft. (n.d.). Authenticode. Retrieved January 31, 2018.
external_references[7]['url'] | http://www.entrust.net/knowledge-base/technote.cfm?tn=8165 | https://msdn.microsoft.com/library/ms537359.aspx
external_references[8]['source_name'] | Microsoft Registry Auditing Aug 2016 | Microsoft WinVerifyTrust
external_references[8]['description'] | Microsoft. (2016, August 31). Registry (Global Object Access Auditing). Retrieved January 31, 2018. | Microsoft. (n.d.). WinVerifyTrust function. Retrieved January 31, 2018.
external_references[8]['url'] | https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn311461(v=ws.11) | https://msdn.microsoft.com/library/windows/desktop/aa388208.aspx
external_references[9]['source_name'] | Microsoft Audit Registry July 2012 | EduardosBlog SIPs July 2008
external_references[9]['description'] | Microsoft. (2012, July 2). Audit Registry. Retrieved January 31, 2018. | Navarro, E. (2008, July 11). SIP’s (Subject Interface Package) and Authenticode. Retrieved January 31, 2018.
external_references[9]['url'] | https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd941614(v=ws.10) | https://blogs.technet.microsoft.com/eduardonavarro/2008/07/11/sips-subject-interface-package-and-authenticode/
x_mitre_data_sources[0] | Module: Module Load | File: File Modification
x_mitre_data_sources[2] | File: File Modification | Module: Module Load
iterable_item_added
STIX Field | Old value | New Value
x_mitre_defense_bypassed | | Application Control
iterable_item_removed
STIX Field | Old value | New Value
x_mitre_defense_bypassed | Application control |

[T1574.011] Hijack Execution Flow: Services Registry Permissions Weakness

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_attack_spec_version | | 2.1.0
x_mitre_deprecated | | False
external_references | | @r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved April 9, 2018.
external_references | | CAPEC-478
dictionary_item_removed
STIX Field | Old value | New Value
external_references | CAPEC-478 |
external_references | Mark Russinovich. (2019, June 28). Autoruns for Windows v13.96. Retrieved March 13, 2020. |
values_changed
STIX Field | Old value | New Value
modified | 2021-10-14 23:52:52.058000+00:00 | 2022-05-05 04:53:45.640000+00:00
external_references[1]['source_name'] | capec | Tweet Registry Perms Weakness
external_references[1]['url'] | https://capec.mitre.org/data/definitions/478.html | https://twitter.com/r0wdy_/status/936365549553991680
external_references[2]['source_name'] | Registry Key Security | insecure_reg_perms
external_references[2]['description'] | Microsoft. (2018, May 31). Registry Key Security and Access Rights. Retrieved March 16, 2017. | Clément Labro. (2020, November 12). Windows RpcEptMapper Service Insecure Registry Permissions EoP. Retrieved August 25, 2021.
external_references[2]['url'] | https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-key-security-and-access-rights?redirectedfrom=MSDN | https://itm4n.github.io/windows-registry-rpceptmapper-eop/
external_references[3]['source_name'] | malware_hides_service | Kansa Service related collectors
external_references[3]['description'] | Lawrence Abrams. (2004, September 10). How Malware hides and is installed as a Service. Retrieved August 30, 2021. | Hull, D.. (2014, May 3). Kansa: Service related collectors and analysis. Retrieved October 10, 2019.
external_references[3]['url'] | https://www.bleepingcomputer.com/tutorials/how-malware-hides-as-a-service/ | https://trustedsignal.blogspot.com/2014/05/kansa-service-related-collectors-and.html
external_references[4]['source_name'] | Kansa Service related collectors | malware_hides_service
external_references[4]['description'] | Hull, D.. (2014, May 3). Kansa: Service related collectors and analysis. Retrieved October 10, 2019. | Lawrence Abrams. (2004, September 10). How Malware hides and is installed as a Service. Retrieved August 30, 2021.
external_references[4]['url'] | https://trustedsignal.blogspot.com/2014/05/kansa-service-related-collectors-and.html | https://www.bleepingcomputer.com/tutorials/how-malware-hides-as-a-service/
external_references[5]['source_name'] | Tweet Registry Perms Weakness | Autoruns for Windows
external_references[5]['description'] | @r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved April 9, 2018. | Mark Russinovich. (2019, June 28). Autoruns for Windows v13.96. Retrieved March 13, 2020.
external_references[5]['url'] | https://twitter.com/r0wdy_/status/936365549553991680 | https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
external_references[6]['source_name'] | microsoft_services_registry_tree | Registry Key Security
external_references[6]['description'] | Microsoft. (2021, August 5). HKLM\SYSTEM\CurrentControlSet\Services Registry Tree. Retrieved August 25, 2021. | Microsoft. (2018, May 31). Registry Key Security and Access Rights. Retrieved March 16, 2017.
external_references[6]['url'] | https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree | https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-key-security-and-access-rights?redirectedfrom=MSDN
external_references[7]['source_name'] | insecure_reg_perms | microsoft_services_registry_tree
external_references[7]['description'] | Clément Labro. (2020, November 12). Windows RpcEptMapper Service Insecure Registry Permissions EoP. Retrieved August 25, 2021. | Microsoft. (2021, August 5). HKLM\SYSTEM\CurrentControlSet\Services Registry Tree. Retrieved August 25, 2021.
external_references[7]['url'] | https://itm4n.github.io/windows-registry-rpceptmapper-eop/ | https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree
external_references[9]['source_name'] | Autoruns for Windows | capec
external_references[9]['url'] | https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns | https://capec.mitre.org/data/definitions/478.html
x_mitre_data_sources[0] | Windows Registry: Windows Registry Key Modification | Command: Command Execution
x_mitre_data_sources[1] | Service: Service Modification | Process: Process Creation
x_mitre_data_sources[2] | Process: Process Creation | Service: Service Modification
x_mitre_data_sources[3] | Command: Command Execution | Windows Registry: Windows Registry Key Modification
x_mitre_defense_bypassed[0] | Application control | Application Control

[T1553] Subvert Trust Controls

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_attack_spec_version | | 2.1.0
x_mitre_deprecated | | False
x_mitre_is_subtechnique | | False
values_changed
STIX Field | Old value | New Value
modified | 2022-03-24 14:12:38.264000+00:00 | 2022-05-05 05:04:52.387000+00:00
external_references[1]['source_name'] | SpectorOps Subverting Trust Sept 2017 | SpectorOps Code Signing Dec 2017
external_references[1]['description'] | Graeber, M. (2017, September). Subverting Trust in Windows. Retrieved January 31, 2018. | Graeber, M. (2017, December 22). Code Signing Certificate Cloning Attacks and Defenses. Retrieved April 3, 2018.
external_references[1]['url'] | https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf | https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec
external_references[2]['source_name'] | Securelist Digital Certificates | SpectorOps Subverting Trust Sept 2017
external_references[2]['description'] | Ladikov, A. (2015, January 29). Why You Shouldn’t Completely Trust Files Signed with Digital Certificates. Retrieved March 31, 2016. | Graeber, M. (2017, September). Subverting Trust in Windows. Retrieved January 31, 2018.
external_references[2]['url'] | https://securelist.com/why-you-shouldnt-completely-trust-files-signed-with-digital-certificates/68593/ | https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf
external_references[3]['source_name'] | Symantec Digital Certificates | Securelist Digital Certificates
external_references[3]['description'] | Shinotsuka, H. (2013, February 22). How Attackers Steal Private Keys from Digital Certificates. Retrieved March 31, 2016. | Ladikov, A. (2015, January 29). Why You Shouldn’t Completely Trust Files Signed with Digital Certificates. Retrieved March 31, 2016.
external_references[3]['url'] | http://www.symantec.com/connect/blogs/how-attackers-steal-private-keys-digital-certificates | https://securelist.com/why-you-shouldnt-completely-trust-files-signed-with-digital-certificates/68593/
external_references[4]['source_name'] | SpectorOps Code Signing Dec 2017 | Symantec Digital Certificates
external_references[4]['description'] | Graeber, M. (2017, December 22). Code Signing Certificate Cloning Attacks and Defenses. Retrieved April 3, 2018. | Shinotsuka, H. (2013, February 22). How Attackers Steal Private Keys from Digital Certificates. Retrieved March 31, 2016.
external_references[4]['url'] | https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec | http://www.symantec.com/connect/blogs/how-attackers-steal-private-keys-digital-certificates
x_mitre_data_sources[0] | File: File Modification | File: File Metadata
x_mitre_data_sources[1] | Windows Registry: Windows Registry Key Creation | Process: Process Creation
x_mitre_data_sources[2] | Command: Command Execution | Module: Module Load
x_mitre_data_sources[4] | Module: Module Load | Command: Command Execution
x_mitre_data_sources[5] | Process: Process Creation | Windows Registry: Windows Registry Key Creation
x_mitre_data_sources[6] | File: File Metadata | File: File Modification
iterable_item_added
STIX Field | Old value | New Value
x_mitre_defense_bypassed | | Application Control
iterable_item_removed
STIX Field | Old value | New Value
x_mitre_defense_bypassed | Application control |
x_mitre_defense_bypassed | Process whitelisting |

[T1127] Trusted Developer Utilities Proxy Execution

Current version: 1.2

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_attack_spec_version | | 2.1.0
x_mitre_deprecated | | False
x_mitre_is_subtechnique | | False
dictionary_item_removed
STIX Field | Old value | New Value
x_mitre_permissions_required | ['User'] |
values_changed
STIX Field | Old value | New Value
modified | 2021-10-15 23:57:08.312000+00:00 | 2022-05-05 05:00:37.443000+00:00
external_references[1]['source_name'] | engima0x3 DNX Bypass | Exploit Monday WinDbg
external_references[1]['description'] | Nelson, M. (2017, November 17). Bypassing Application Whitelisting By Using dnx.exe. Retrieved May 25, 2017. | Graeber, M. (2016, August 15). Bypassing Application Whitelisting by using WinDbg/CDB as a Shellcode Runner. Retrieved May 26, 2017.
external_references[1]['url'] | https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/ | http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html
external_references[2]['source_name'] | engima0x3 RCSI Bypass | LOLBAS Tracker
external_references[2]['description'] | Nelson, M. (2016, November 21). Bypassing Application Whitelisting By Using rcsi.exe. Retrieved May 26, 2017. | LOLBAS. (n.d.). Tracker.exe. Retrieved July 31, 2019.
external_references[2]['url'] | https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/ | https://lolbas-project.github.io/lolbas/OtherMSBinaries/Tracker/
external_references[3]['source_name'] | Exploit Monday WinDbg | engima0x3 RCSI Bypass
external_references[3]['description'] | Graeber, M. (2016, August 15). Bypassing Application Whitelisting by using WinDbg/CDB as a Shellcode Runner. Retrieved May 26, 2017. | Nelson, M. (2016, November 21). Bypassing Application Whitelisting By Using rcsi.exe. Retrieved May 26, 2017.
external_references[3]['url'] | http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html | https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/
external_references[4]['source_name'] | LOLBAS Tracker | engima0x3 DNX Bypass
external_references[4]['description'] | LOLBAS. (n.d.). Tracker.exe. Retrieved July 31, 2019. | Nelson, M. (2017, November 17). Bypassing Application Whitelisting By Using dnx.exe. Retrieved May 25, 2017.
external_references[4]['url'] | https://lolbas-project.github.io/lolbas/OtherMSBinaries/Tracker/ | https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/
x_mitre_data_sources[0] | Process: Process Creation | Command: Command Execution
x_mitre_data_sources[1] | Command: Command Execution | Process: Process Creation
x_mitre_defense_bypassed[0] | Application control | Application Control

[T1078] Valid Accounts

Current version: 2.4

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_attack_spec_version | | 2.1.0
x_mitre_deprecated | | False
x_mitre_is_subtechnique | | False
external_references | | Cybersecurity and Infrastructure Security Agency. (2022, March 15). Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability. Retrieved March 16, 2022.
external_references | | CAPEC-560
dictionary_item_removed
STIX Field | Old value | New Value
external_references | CAPEC-560 |
external_references | Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved June 3, 2016. |
values_changed
STIX Field | Old value | New Value
modified | 2022-04-01 15:20:44.039000+00:00 | 2022-05-05 04:55:21.981000+00:00
external_references[1]['source_name'] | capec | CISA MFA PrintNightmare
external_references[1]['url'] | https://capec.mitre.org/data/definitions/560.html | https://www.cisa.gov/uscert/ncas/alerts/aa22-074a
external_references[2]['source_name'] | CISA MFA PrintNightmare | TechNet Credential Theft
external_references[2]['description'] | Cybersecurity and Infrastructure Security Agency. (2022, March 15). Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability. Retrieved March 16, 2022. | Microsoft. (2016, April 15). Attractive Accounts for Credential Theft. Retrieved June 3, 2016.
external_references[2]['url'] | https://www.cisa.gov/uscert/ncas/alerts/aa22-074a | https://technet.microsoft.com/en-us/library/dn535501.aspx
external_references[3]['source_name'] | TechNet Credential Theft | TechNet Audit Policy
external_references[3]['description'] | Microsoft. (2016, April 15). Attractive Accounts for Credential Theft. Retrieved June 3, 2016. | Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved June 3, 2016.
external_references[3]['url'] | https://technet.microsoft.com/en-us/library/dn535501.aspx | https://technet.microsoft.com/en-us/library/dn487457.aspx
external_references[4]['source_name'] | TechNet Audit Policy | capec
external_references[4]['url'] | https://technet.microsoft.com/en-us/library/dn487457.aspx | https://capec.mitre.org/data/definitions/560.html
x_mitre_data_sources[0] | Logon Session: Logon Session Metadata | Logon Session: Logon Session Creation
x_mitre_data_sources[2] | Logon Session: Logon Session Creation | Logon Session: Logon Session Metadata
x_mitre_defense_bypassed[1] | Host intrusion prevention systems | Anti-virus
x_mitre_defense_bypassed[2] | Network intrusion detection system | Host Intrusion Prevention Systems
x_mitre_defense_bypassed[3] | Application control | Network Intrusion Detection System
x_mitre_defense_bypassed[4] | System access controls | Application Control
x_mitre_defense_bypassed[5] | Anti-virus | System Access Controls

[T1220] XSL Script Processing

Current version: 1.2

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_attack_spec_version | | 2.1.0
x_mitre_deprecated | | False
x_mitre_is_subtechnique | | False
dictionary_item_removed
STIX Field | Old value | New Value
x_mitre_permissions_required | ['User'] |
values_changed
STIX Field | Old value | New Value
modified | 2021-02-09 15:07:00.842000+00:00 | 2022-05-05 05:04:14.238000+00:00
external_references[1]['source_name'] | Microsoft XSLT Script Mar 2017 | Reaqta MSXSL Spearphishing MAR 2018
external_references[1]['description'] | Wenzel, M. et al. (2017, March 30). XSLT Stylesheet Scripting Using . Retrieved July 3, 2018. | Admin. (2018, March 2). Spear-phishing campaign leveraging on MSXSL. Retrieved July 3, 2018.
external_references[1]['url'] | https://docs.microsoft.com/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script | https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/
external_references[2]['source_name'] | Microsoft msxsl.exe | Twitter SquiblyTwo Detection APR 2018
external_references[2]['description'] | Microsoft. (n.d.). Command Line Transformation Utility (msxsl.exe). Retrieved July 3, 2018. | Desimone, J. (2018, April 18). Status Update. Retrieved July 3, 2018.
external_references[2]['url'] | https://www.microsoft.com/download/details.aspx?id=21714 | https://twitter.com/dez_/status/986614411711442944
external_references[3]['source_name'] | Penetration Testing Lab MSXSL July 2017 | LOLBAS Wmic
external_references[3]['description'] | netbiosX. (2017, July 6). AppLocker Bypass – MSXSL. Retrieved July 3, 2018. | LOLBAS. (n.d.). Wmic.exe. Retrieved July 31, 2019.
external_references[3]['url'] | https://pentestlab.blog/2017/07/06/applocker-bypass-msxsl/ | https://lolbas-project.github.io/lolbas/Binaries/Wmic/
external_references[4]['source_name'] | Reaqta MSXSL Spearphishing MAR 2018 | Microsoft msxsl.exe
external_references[4]['description'] | Admin. (2018, March 2). Spear-phishing campaign leveraging on MSXSL. Retrieved July 3, 2018. | Microsoft. (n.d.). Command Line Transformation Utility (msxsl.exe). Retrieved July 3, 2018.
external_references[4]['url'] | https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/ | https://www.microsoft.com/download/details.aspx?id=21714
external_references[5]['source_name'] | XSL Bypass Mar 2019 | Penetration Testing Lab MSXSL July 2017
external_references[5]['description'] | Singh, A. (2019, March 14). MSXSL.EXE and WMIC.EXE — A Way to Proxy Code Execution. Retrieved August 2, 2019. | netbiosX. (2017, July 6). AppLocker Bypass – MSXSL. Retrieved July 3, 2018.
external_references[5]['url'] | https://medium.com/@threathuntingteam/msxsl-exe-and-wmic-exe-a-way-to-proxy-code-execution-8d524f642b75 | https://pentestlab.blog/2017/07/06/applocker-bypass-msxsl/
external_references[6]['source_name'] | LOLBAS Wmic | XSL Bypass Mar 2019
external_references[6]['description'] | LOLBAS. (n.d.). Wmic.exe. Retrieved July 31, 2019. | Singh, A. (2019, March 14). MSXSL.EXE and WMIC.EXE — A Way to Proxy Code Execution. Retrieved August 2, 2019.
external_references[6]['url'] | https://lolbas-project.github.io/lolbas/Binaries/Wmic/ | https://medium.com/@threathuntingteam/msxsl-exe-and-wmic-exe-a-way-to-proxy-code-execution-8d524f642b75
external_references[7]['source_name'] | Twitter SquiblyTwo Detection APR 2018 | Microsoft XSLT Script Mar 2017
external_references[7]['description'] | Desimone, J. (2018, April 18). Status Update. Retrieved July 3, 2018. | Wenzel, M. et al. (2017, March 30). XSLT Stylesheet Scripting Using . Retrieved July 3, 2018.
external_references[7]['url'] | https://twitter.com/dez_/status/986614411711442944 | https://docs.microsoft.com/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script
x_mitre_data_sources[0] | Module: Module Load | Process: Process Creation
x_mitre_data_sources[1] | Process: Process Creation | Module: Module Load
x_mitre_defense_bypassed[1] | Application control | Digital Certificate Validation
x_mitre_defense_bypassed[2] | Digital Certificate Validation | Application Control

ics-attack

Patches

[T0800] Activate Firmware Update Mode

Current version: 1.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-21 22:02:03.828000+00:00 | 2022-05-06 17:47:23.886000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0800 | https://attack.mitre.org/techniques/T0800

[T0878] Alarm Suppression

Current version: 1.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-21 22:02:03.830000+00:00 | 2022-05-06 17:47:23.889000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0878 | https://attack.mitre.org/techniques/T0878
x_mitre_platforms[2] | " Device Configuration/Parameters" | "Device Configuration/Parameters"

[T0802] Automated Collection

Current version: 1.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-21 22:02:03.830000+00:00 | 2022-05-06 17:47:23.889000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0802 | https://attack.mitre.org/techniques/T0802

[T0803] Block Command Message

Current version: 1.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-21 22:02:03.832000+00:00 | 2022-05-06 17:47:23.891000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0803 | https://attack.mitre.org/techniques/T0803
x_mitre_platforms[1] | " Device Configuration/Parameters" | "Device Configuration/Parameters"

[T0804] Block Reporting Message

Current version: 1.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-21 22:02:03.834000+00:00 | 2022-05-06 17:47:23.892000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0804 | https://attack.mitre.org/techniques/T0804

[T0805] Block Serial COM

Current version: 1.0

New Detections:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-21 22:02:03.834000+00:00 | 2022-05-06 17:47:23.892000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0805 | https://attack.mitre.org/techniques/T0805
x_mitre_data_sources[0] | Network Traffic: Network Traffic Flow [https://github.com/mitre-attack/attack-datasources/blob/main/contribution-ics/network_traffic.yml Network Traffic: Network Connection Creation | Network Traffic: Network Traffic Flow
iterable_item_added
STIX Field | Old value | New Value
x_mitre_data_sources | | Network Traffic: Network Connection Creation

[T0806] Brute Force I/O

Current version: 1.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-21 22:02:03.834000+00:00 | 2022-05-06 17:47:23.893000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0806 | https://attack.mitre.org/techniques/T0806

[T0858] Change Operating Mode

Current version: 1.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-21 22:02:03.838000+00:00 | 2022-05-06 17:47:23.897000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0858 | https://attack.mitre.org/techniques/T0858

[T0807] Command-Line Interface

Current version: 1.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-21 22:02:03.839000+00:00 | 2022-05-06 17:47:23.898000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0807 | https://attack.mitre.org/techniques/T0807
x_mitre_platforms[1] | " Data Historian" | "Data Historian"
x_mitre_platforms[2] | " Field Controller/RTU/PLC/IED" | "Field Controller/RTU/PLC/IED"
x_mitre_platforms[3] | " Human-Machine Interface" | "Human-Machine Interface"
x_mitre_platforms[4] | " Input/Output Server" | "Input/Output Server"

[T0885] Commonly Used Port

Current version: 1.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-21 22:02:03.840000+00:00 | 2022-05-06 17:47:23.898000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0885 | https://attack.mitre.org/techniques/T0885

[T0884] Connection Proxy

Current version: 1.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-21 22:02:03.841000+00:00 | 2022-05-06 17:47:23.900000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0884 | https://attack.mitre.org/techniques/T0884

[T0879] Damage to Property

Current version: 1.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-21 22:02:03.844000+00:00 | 2022-05-06 17:47:23.903000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0879 | https://attack.mitre.org/techniques/T0879

[T0809] Data Destruction

Current version: 1.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-21 22:02:03.845000+00:00 | 2022-05-06 17:47:23.904000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0809 | https://attack.mitre.org/techniques/T0809

[T0811] Data from Information Repositories

Current version: 1.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-21 22:02:03.846000+00:00 | 2022-05-06 17:47:23.905000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0811 | https://attack.mitre.org/techniques/T0811

[T0812] Default Credentials

Current version: 1.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-21 22:02:03.847000+00:00 | 2022-05-06 17:47:23.906000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0812 | https://attack.mitre.org/techniques/T0812

[T0813] Denial of Control

Current version: 1.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-21 22:02:03.849000+00:00 | 2022-05-06 17:47:23.908000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T813 | https://attack.mitre.org/techniques/T0813

[T0814] Denial of Service

Current version: 1.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-21 22:02:03.851000+00:00 | 2022-05-06 17:47:23.911000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0814 | https://attack.mitre.org/techniques/T0814

[T0815] Denial of View

Current version: 1.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-21 22:02:03.853000+00:00 | 2022-05-06 17:47:23.912000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0815 | https://attack.mitre.org/techniques/T0815

[T0868] Detect Operating Mode

Current version: 1.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-21 22:02:03.856000+00:00 | 2022-05-06 17:47:23.916000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0868 | https://attack.mitre.org/techniques/T0868

[T0816] Device Restart/Shutdown

Current version: 1.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-21 22:02:03.856000+00:00 | 2022-05-06 17:47:23.917000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0816 | https://attack.mitre.org/techniques/T0816

[T0817] Drive-by Compromise

Current version: 1.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-21 22:02:03.858000+00:00 | 2022-05-06 17:47:23.918000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0817 | https://attack.mitre.org/techniques/T0817

[T0871] Execution through API

Current version: 1.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-21 22:02:03.858000+00:00 | 2022-05-06 17:47:23.918000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0871 | https://attack.mitre.org/techniques/T0871

[T0819] Exploit Public-Facing Application

Current version: 1.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-21 22:02:03.858000+00:00 | 2022-05-06 17:47:23.919000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0819 | https://attack.mitre.org/techniques/T0819

[T0820] Exploitation for Evasion

Current version: 1.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-21 22:02:03.859000+00:00 | 2022-05-06 17:47:23.919000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0820 | https://attack.mitre.org/techniques/T0820

[T0890] Exploitation for Privilege Escalation

Current version: 1.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-21 22:02:03.860000+00:00 | 2022-05-06 17:47:23.920000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0890 | https://attack.mitre.org/techniques/T0890
x_mitre_platforms[1] | " Safety Instrumented System/Protection Relay" | "Safety Instrumented System/Protection Relay"

[T0866] Exploitation of Remote Services

Current version: 1.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-21 22:02:03.861000+00:00 | 2022-05-06 17:47:23.922000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0866 | https://attack.mitre.org/techniques/T0866

[T0822] External Remote Services

Current version: 1.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-21 22:02:03.863000+00:00 | 2022-05-06 17:47:23.923000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0822 | https://attack.mitre.org/techniques/T0822

[T0823] Graphical User Interface

Current version: 1.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-21 22:02:03.864000+00:00 | 2022-05-06 17:47:23.924000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0823 | https://attack.mitre.org/techniques/T0823

[T0874] Hooking

Current version: 1.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-21 22:02:03.865000+00:00 | 2022-05-06 17:47:23.926000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0874 | https://attack.mitre.org/techniques/T0874

[T0877] I/O Image

Current version: 1.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-21 22:02:03.866000+00:00 | 2022-05-06 17:47:23.927000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0877 | https://attack.mitre.org/techniques/T0877

[T0872] Indicator Removal on Host

Current version: 1.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-21 22:02:03.866000+00:00 | 2022-05-06 17:47:23.927000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0872 | https://attack.mitre.org/techniques/T0872

[T0883] Internet Accessible Device

Current version: 1.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-21 22:02:03.869000+00:00 | 2022-05-06 17:47:23.930000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0883 | https://attack.mitre.org/techniques/T0883
x_mitre_platforms[1] | " Data Historian" | "Data Historian"
x_mitre_platforms[2] | " Field Controller/RTU/PLC/IED" | "Field Controller/RTU/PLC/IED"
x_mitre_platforms[3] | " Human-Machine Interface" | "Human-Machine Interface"
x_mitre_platforms[4] | " Input/Output Server" | "Input/Output Server"
x_mitre_platforms[5] | " Safety Instrumented System/Protection Relay" | "Safety Instrumented System/Protection Relay"

[T0867] Lateral Tool Transfer

Current version: 1.0

Details
values_changed
STIX FieldOld valueNew Value
modified2022-04-21 22:02:03.870000+00:002022-05-06 17:47:23.932000+00:00
external_references[0]['url']https://attack.mitre.org/Technique/T0867https://attack.mitre.org/techniques/T0867

[T0826] Loss of Availability

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-04-21 22:02:03.872000+00:00 | 2022-05-06 17:47:23.934000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0826 | https://attack.mitre.org/techniques/T0826

[T0827] Loss of Control

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-04-21 22:02:03.874000+00:00 | 2022-05-06 17:47:23.936000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0827 | https://attack.mitre.org/techniques/T0827

[T0828] Loss of Productivity and Revenue

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-04-21 22:02:03.876000+00:00 | 2022-05-06 17:47:23.938000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0828 | https://attack.mitre.org/techniques/T0828

[T0837] Loss of Protection

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-04-21 22:02:03.877000+00:00 | 2022-05-06 17:47:23.938000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0837 | https://attack.mitre.org/techniques/T0837

[T0880] Loss of Safety

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-04-21 22:02:03.877000+00:00 | 2022-05-06 17:47:23.939000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0880 | https://attack.mitre.org/techniques/T0880

[T0829] Loss of View

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-04-21 22:02:03.879000+00:00 | 2022-05-06 17:47:23.940000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0829 | https://attack.mitre.org/techniques/T0829

[T0830] Man in the Middle

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-04-21 22:02:03.880000+00:00 | 2022-05-06 17:47:23.942000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0830 | https://attack.mitre.org/techniques/T0830

[T0835] Manipulate I/O Image

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-04-21 22:02:03.881000+00:00 | 2022-05-06 17:47:23.943000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T835 | https://attack.mitre.org/techniques/T0835

[T0831] Manipulation of Control

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-04-21 22:02:03.883000+00:00 | 2022-05-06 17:47:23.945000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0831 | https://attack.mitre.org/techniques/T0831

[T0832] Manipulation of View

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-04-21 22:02:03.885000+00:00 | 2022-05-06 17:47:23.947000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0832 | https://attack.mitre.org/techniques/T0832

[T0849] Masquerading

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-04-21 22:02:03.885000+00:00 | 2022-05-06 17:47:23.947000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0849 | https://attack.mitre.org/techniques/T0849

[T0838] Modify Alarm Settings

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-04-21 22:02:03.886000+00:00 | 2022-05-06 17:47:23.949000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0838 | https://attack.mitre.org/techniques/T0838

[T0821] Modify Controller Tasking

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-04-21 22:02:03.887000+00:00 | 2022-05-06 17:47:23.950000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0821 | https://attack.mitre.org/techniques/T0821

[T0836] Modify Parameter

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-04-21 22:02:03.888000+00:00 | 2022-05-06 17:47:23.952000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0836 | https://attack.mitre.org/techniques/T0836

[T0889] Modify Program

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-04-21 22:02:03.889000+00:00 | 2022-05-06 17:47:23.953000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0889 | https://attack.mitre.org/techniques/T0889

[T0839] Module Firmware

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-04-21 22:02:03.890000+00:00 | 2022-05-06 17:47:23.954000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0839 | https://attack.mitre.org/techniques/T0839

[T0801] Monitor Process State

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-04-21 22:02:03.890000+00:00 | 2022-05-06 17:47:23.955000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0801 | https://attack.mitre.org/techniques/T0801

[T0834] Native API

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-04-21 22:02:03.891000+00:00 | 2022-05-06 17:47:23.956000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0834 | https://attack.mitre.org/techniques/T0834

[T0840] Network Connection Enumeration

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-04-21 22:02:03.892000+00:00 | 2022-05-06 17:47:23.957000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0840 | https://attack.mitre.org/techniques/T0840

[T0842] Network Sniffing

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-04-21 22:02:03.893000+00:00 | 2022-05-06 17:47:23.958000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0842 | https://attack.mitre.org/techniques/T0842

[T0861] Point & Tag Identification

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-04-21 22:02:03.894000+00:00 | 2022-05-06 17:47:23.960000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0861 | https://attack.mitre.org/techniques/T0861

[T0843] Program Download

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-04-21 22:02:03.894000+00:00 | 2022-05-06 17:47:23.960000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0843 | https://attack.mitre.org/techniques/T0843

[T0845] Program Upload

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-04-21 22:02:03.894000+00:00 | 2022-05-06 17:47:23.960000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0845 | https://attack.mitre.org/techniques/T0845

[T0873] Project File Infection

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-04-21 22:02:03.896000+00:00 | 2022-05-06 17:47:23.963000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0873 | https://attack.mitre.org/techniques/T0873

[T0886] Remote Services

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-04-21 22:02:03.899000+00:00 | 2022-05-06 17:47:23.967000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0886 | https://attack.mitre.org/techniques/T0886

[T0846] Remote System Discovery

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-04-21 22:02:03.900000+00:00 | 2022-05-06 17:47:23.968000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0846 | https://attack.mitre.org/techniques/T0846

[T0888] Remote System Information Discovery

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-04-21 22:02:03.900000+00:00 | 2022-05-06 17:47:23.968000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0888 | https://attack.mitre.org/techniques/T0888

[T0847] Replication Through Removable Media

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-04-21 22:02:03.904000+00:00 | 2022-05-06 17:47:23.973000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0847 | https://attack.mitre.org/techniques/T0847

[T0848] Rogue Master

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-04-21 22:02:03.906000+00:00 | 2022-05-06 17:47:23.975000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0848 | https://attack.mitre.org/techniques/T0848

[T0851] Rootkit

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-04-21 22:02:03.907000+00:00 | 2022-05-06 17:47:23.976000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0851 | https://attack.mitre.org/techniques/T0851

[T0852] Screen Capture

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-04-21 22:02:03.908000+00:00 | 2022-05-06 17:47:23.976000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0852 | https://attack.mitre.org/techniques/T0852

[T0853] Scripting

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-04-21 22:02:03.908000+00:00 | 2022-05-06 17:47:23.977000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0853 | https://attack.mitre.org/techniques/T0853

[T0881] Service Stop

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-04-21 22:02:03.909000+00:00 | 2022-05-06 17:47:23.978000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0881 | https://attack.mitre.org/techniques/T0881

[T0865] Spearphishing Attachment

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-04-21 22:02:03.911000+00:00 | 2022-05-06 17:47:23.980000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0865 | https://attack.mitre.org/techniques/T0865

[T0856] Spoof Reporting Message

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-04-21 22:02:03.912000+00:00 | 2022-05-06 17:47:23.981000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0856 | https://attack.mitre.org/techniques/T0856

[T0869] Standard Application Layer Protocol

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-04-21 22:02:03.912000+00:00 | 2022-05-06 17:47:23.981000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0869 | https://attack.mitre.org/techniques/T0869

[T0862] Supply Chain Compromise

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-04-21 22:02:03.914000+00:00 | 2022-05-06 17:47:23.983000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0862 | https://attack.mitre.org/techniques/T0862
x_mitre_platforms[1] | " Data Historian" | "Data Historian"
x_mitre_platforms[2] | " Field Controller/RTU/PLC/IED" | "Field Controller/RTU/PLC/IED"
x_mitre_platforms[3] | " Human-Machine Interface" | "Human-Machine Interface"
x_mitre_platforms[4] | " Input/Output Server" | "Input/Output Server"
x_mitre_platforms[5] | " Safety Instrumented System/Protection Relay" | "Safety Instrumented System/Protection Relay"

[T0857] System Firmware

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-04-21 22:02:03.915000+00:00 | 2022-05-06 17:47:23.984000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0857 | https://attack.mitre.org/techniques/T0857

[T0882] Theft of Operational Information

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-04-21 22:02:03.916000+00:00 | 2022-05-06 17:47:23.985000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0882 | https://attack.mitre.org/techniques/T0882

[T0864] Transient Cyber Asset

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-04-21 22:02:03.920000+00:00 | 2022-05-06 17:47:23.989000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0864 | https://attack.mitre.org/techniques/T0864

[T0855] Unauthorized Command Message

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-04-21 22:02:03.918000+00:00 | 2022-05-06 17:47:23.987000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0855 | https://attack.mitre.org/techniques/T0855

[T0863] User Execution

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-04-21 22:02:03.921000+00:00 | 2022-05-06 17:47:23.991000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0863 | https://attack.mitre.org/techniques/T0863

[T0859] Valid Accounts

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-04-21 22:02:03.922000+00:00 | 2022-05-06 17:47:23.992000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0859 | https://attack.mitre.org/techniques/T0859

[T0860] Wireless Compromise

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-04-21 22:02:03.925000+00:00 | 2022-05-06 17:47:23.995000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0860 | https://attack.mitre.org/techniques/T0860
x_mitre_platforms[1] | " Field Controller/RTU/PLC/IED" | "Field Controller/RTU/PLC/IED"
x_mitre_platforms[2] | " Input/Output Server" | "Input/Output Server"

[T0887] Wireless Sniffing

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-04-21 22:02:03.927000+00:00 | 2022-05-06 17:47:23.997000+00:00
external_references[0]['url'] | https://attack.mitre.org/Technique/T0887 | https://attack.mitre.org/techniques/T0887

Software

enterprise-attack

Patches

[S0667] Chrommme

Current version: 1.0


Old Description:
[Chrommme](https://attack.mitre.org/software/S0667) is a backdoor tool, written using the Microsoft Foundation Class (MFC) framework, that has infrastructure overlaps with [Gelsemium](https://attack.mitre.org/software/S0666).(Citation: ESET Gelsemium June 2021)

New Description:
[Chrommme](https://attack.mitre.org/software/S0667) is a backdoor tool written using the Microsoft Foundation Class (MFC) framework that was first reported in June 2021; security researchers noted infrastructure overlaps with [Gelsemium](https://attack.mitre.org/software/S0666) malware.(Citation: ESET Gelsemium June 2021)

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated |  | False
values_changed
STIX Field | Old value | New value
modified | 2021-12-01 18:55:30.931000+00:00 | 2022-05-04 22:38:46.222000+00:00
description | [Chrommme](https://attack.mitre.org/software/S0667) is a backdoor tool, written using the Microsoft Foundation Class (MFC) framework, that has infrastructure overlaps with [Gelsemium](https://attack.mitre.org/software/S0666).(Citation: ESET Gelsemium June 2021) | [Chrommme](https://attack.mitre.org/software/S0667) is a backdoor tool written using the Microsoft Foundation Class (MFC) framework that was first reported in June 2021; security researchers noted infrastructure overlaps with [Gelsemium](https://attack.mitre.org/software/S0666) malware.(Citation: ESET Gelsemium June 2021)

[S0666] Gelsemium

Current version: 1.0


Old Description:
[Gelsemium](https://attack.mitre.org/software/S0666) is a modular malware comprised of dropper (Gelsemine), loader (Gelsenicine), and main (Gelsevirine) plug ins that has been used by the [Gelsemium](https://attack.mitre.org/groups/G0141) group since at least 2014.(Citation: ESET Gelsemium June 2021)

New Description:
[Gelsemium](https://attack.mitre.org/software/S0666) is a modular malware comprised of a dropper (Gelsemine), a loader (Gelsenicine), and main (Gelsevirine) plug-ins written using the Microsoft Foundation Class (MFC) framework. [Gelsemium](https://attack.mitre.org/software/S0666) has been used by the Gelsemium group since at least 2014.(Citation: ESET Gelsemium June 2021)

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated |  | False
values_changed
STIX Field | Old value | New value
modified | 2021-12-01 18:28:21.437000+00:00 | 2022-05-06 19:37:01.617000+00:00
description | [Gelsemium](https://attack.mitre.org/software/S0666) is a modular malware comprised of dropper (Gelsemine), loader (Gelsenicine), and main (Gelsevirine) plug ins that has been used by the [Gelsemium](https://attack.mitre.org/groups/G0141) group since at least 2014.(Citation: ESET Gelsemium June 2021) | [Gelsemium](https://attack.mitre.org/software/S0666) is a modular malware comprised of a dropper (Gelsemine), a loader (Gelsenicine), and main (Gelsevirine) plug-ins written using the Microsoft Foundation Class (MFC) framework. [Gelsemium](https://attack.mitre.org/software/S0666) has been used by the Gelsemium group since at least 2014.(Citation: ESET Gelsemium June 2021)

ics-attack

Patches

[S1000] ACAD/Medre.A

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-04-21 22:02:03.937000+00:00 | 2022-05-06 17:47:24.008000+00:00
external_references[0]['url'] | https://attack.mitre.org/Software/S0018 | https://attack.mitre.org/software/S0018

[S1006] PLC-Blaster

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-04-21 22:02:03.944000+00:00 | 2022-05-06 17:47:24.022000+00:00
external_references[0]['url'] | https://attack.mitre.org/Software/S0009 | https://attack.mitre.org/software/S0009

[S1009] Triton

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-04-21 22:02:03.950000+00:00 | 2022-05-06 17:47:24.030000+00:00
external_references[0]['url'] | https://attack.mitre.org/Software/S0013 | https://attack.mitre.org/software/S0013

[S1010] VPNFilter

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-04-21 22:02:03.951000+00:00 | 2022-05-06 17:47:24.032000+00:00
external_references[0]['url'] | https://attack.mitre.org/Software/S0002 | https://attack.mitre.org/software/S0002

Groups

enterprise-attack

Patches

[G0094] Kimsuky

Current version: 3.1

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version |  | 2.1.0
x_mitre_deprecated |  | False
values_changed
STIX Field | Old value | New value
modified | 2022-03-23 18:54:26.218000+00:00 | 2022-04-25 12:25:09.059000+00:00
external_references[1]['source_name'] | Kimsuky | Thallium
external_references[1]['description'] | (Citation: Securelist Kimsuky Sept 2013)(Citation: Malwarebytes Kimsuky June 2021) | (Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)
external_references[2]['source_name'] | STOLEN PENCIL | Black Banshee
external_references[2]['description'] | (Citation: Netscout Stolen Pencil Dec 2018) | (Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)
external_references[3]['source_name'] | Thallium | STOLEN PENCIL
external_references[3]['description'] | (Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021) | (Citation: Netscout Stolen Pencil Dec 2018)
external_references[4]['source_name'] | Black Banshee | Kimsuky
external_references[4]['description'] | (Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021) | (Citation: Securelist Kimsuky Sept 2013)(Citation: Malwarebytes Kimsuky June 2021)
external_references[6]['source_name'] | EST Kimsuky April 2019 | AhnLab Kimsuky Kabar Cobra Feb 2019
external_references[6]['description'] | Alyac. (2019, April 3). Kimsuky Organization Steals Operation Stealth Power. Retrieved August 13, 2019. | AhnLab. (2019, February 28). Operation Kabar Cobra - Tenacious cyber-espionage campaign by Kimsuky Group. Retrieved September 29, 2021.
external_references[6]['url'] | https://blog.alyac.co.kr/2234 | https://global.ahnlab.com/global/upload/download/techreport/[Analysis_Report]Operation%20Kabar%20Cobra.pdf
external_references[7]['source_name'] | BRI Kimsuky April 2019 | EST Kimsuky April 2019
external_references[7]['description'] | BRI. (2019, April). Kimsuky unveils APT campaign 'Smoke Screen' aimed at Korea and America. Retrieved October 7, 2019. | Alyac. (2019, April 3). Kimsuky Organization Steals Operation Stealth Power. Retrieved August 13, 2019.
external_references[7]['url'] | https://brica.de/alerts/alert/public/1255063/kimsuky-unveils-apt-campaign-smoke-screen-aimed-at-korea-and-america/ | https://blog.alyac.co.kr/2234
external_references[8]['source_name'] | Cybereason Kimsuky November 2020 | Netscout Stolen Pencil Dec 2018
external_references[8]['description'] | Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020. | ASERT team. (2018, December 5). STOLEN PENCIL Campaign Targets Academia. Retrieved February 5, 2019.
external_references[8]['url'] | https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite | https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/
external_references[9]['source_name'] | Malwarebytes Kimsuky June 2021 | BRI Kimsuky April 2019
external_references[9]['description'] | Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021. | BRI. (2019, April). Kimsuky unveils APT campaign 'Smoke Screen' aimed at Korea and America. Retrieved October 7, 2019.
external_references[9]['url'] | https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/ | https://brica.de/alerts/alert/public/1255063/kimsuky-unveils-apt-campaign-smoke-screen-aimed-at-korea-and-america/
external_references[10]['source_name'] | CISA AA20-301A Kimsuky | Zdnet Kimsuky Dec 2018
external_references[10]['description'] | CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020. | Cimpanu, C.. (2018, December 5). Cyber-espionage group uses Chrome extension to infect victims. Retrieved August 26, 2019.
external_references[10]['url'] | https://us-cert.cisa.gov/ncas/alerts/aa20-301a | https://www.zdnet.com/article/cyber-espionage-group-uses-chrome-extension-to-infect-victims/
external_references[11]['source_name'] | Netscout Stolen Pencil Dec 2018 | CISA AA20-301A Kimsuky
external_references[11]['description'] | ASERT team. (2018, December 5). STOLEN PENCIL Campaign Targets Academia. Retrieved February 5, 2019. | CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020.
external_references[11]['url'] | https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/ | https://us-cert.cisa.gov/ncas/alerts/aa20-301a
external_references[12]['source_name'] | EST Kimsuky SmokeScreen April 2019 | Cybereason Kimsuky November 2020
external_references[12]['description'] | ESTSecurity. (2019, April 17). Analysis of the APT Campaign ‘Smoke Screen’ targeting to Korea and US 출처: https://blog.alyac.co.kr/2243 [이스트시큐리티 알약 블로그]. Retrieved September 29, 2021. | Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
external_references[12]['url'] | https://blog.alyac.co.kr/attachment/cfile5.uf@99A0CD415CB67E210DCEB3.pdf | https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite
external_references[13]['source_name'] | AhnLab Kimsuky Kabar Cobra Feb 2019 | EST Kimsuky SmokeScreen April 2019
external_references[13]['description'] | AhnLab. (2019, February 28). Operation Kabar Cobra - Tenacious cyber-espionage campaign by Kimsuky Group. Retrieved September 29, 2021. | ESTSecurity. (2019, April 17). Analysis of the APT Campaign ‘Smoke Screen’ targeting to Korea and US 출처: https://blog.alyac.co.kr/2243 [이스트시큐리티 알약 블로그]. Retrieved September 29, 2021.
external_references[13]['url'] | https://global.ahnlab.com/global/upload/download/techreport/[Analysis_Report]Operation%20Kabar%20Cobra.pdf | https://blog.alyac.co.kr/attachment/cfile5.uf@99A0CD415CB67E210DCEB3.pdf
external_references[14]['source_name'] | Securelist Kimsuky Sept 2013 | Malwarebytes Kimsuky June 2021
external_references[14]['description'] | Tarakanov , D.. (2013, September 11). The “Kimsuky” Operation: A North Korean APT?. Retrieved August 13, 2019. | Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.
external_references[14]['url'] | https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/ | https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/
external_references[15]['source_name'] | Zdnet Kimsuky Dec 2018 | Securelist Kimsuky Sept 2013
external_references[15]['description'] | Cimpanu, C.. (2018, December 5). Cyber-espionage group uses Chrome extension to infect victims. Retrieved August 26, 2019. | Tarakanov , D.. (2013, September 11). The “Kimsuky” Operation: A North Korean APT?. Retrieved August 13, 2019.
external_references[15]['url'] | https://www.zdnet.com/article/cyber-espionage-group-uses-chrome-extension-to-infect-victims/ | https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/
iterable_item_added
STIX Field | Old value | New value
x_mitre_contributors |  | Dongwook Kim, KISA
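
Every entry on this page is a field-level diff of one STIX object between the two releases, bucketed under dictionary_item_added, values_changed and iterable_item_added. The script below is an added example, not MITRE's changelog generator: it reproduces that output from two constructed versions of the T0883 object (URL case fix plus the leading-space fix in x_mitre_platforms) and of the Kimsuky G0094 object above, and then re-compares the Kimsuky external_references keyed by source_name to show that the long run of rows for that entry is a re-sort of the alias list, not a content change. The mitre-attack reference, x_mitre_platforms[0] and the pre-existing contributor are placeholders, and the bucket names matching DeepDiff's report keys is an assumption about how changelog.json is produced.

```python
"""Field-level diff of two versions of a STIX object, bucketed the way this page is.

Added example, not MITRE's changelog generator. The bucket names this page prints
(dictionary_item_added, values_changed, iterable_item_added) match DeepDiff's report
keys, which is assumed to be how changelog.json was produced; the walk below is a
plain positional comparison. Samples are constructed from the T0883 and Kimsuky
entries above and contain only the fields needed to reproduce those rows.
"""
from typing import Any


def _sub(path: str, key: Any) -> str:
    # Paths in the page's style: modified, external_references[0]['url'], x_mitre_platforms[1]
    if isinstance(key, int):
        return f"{path}[{key}]"
    return f"{path}['{key}']" if path else str(key)


def diff_stix(old: Any, new: Any) -> dict[str, list[tuple[str, Any, Any]]]:
    """Return {bucket: [(path, old_value, new_value), ...]} for non-empty buckets."""
    out: dict[str, list] = {k: [] for k in ("dictionary_item_added", "dictionary_item_removed",
                                             "values_changed", "iterable_item_added",
                                             "iterable_item_removed")}

    def walk(o: Any, n: Any, p: str) -> None:
        if isinstance(o, dict) and isinstance(n, dict):
            for k in sorted(n.keys() - o.keys()):
                out["dictionary_item_added"].append((_sub(p, k), None, n[k]))
            for k in sorted(o.keys() - n.keys()):
                out["dictionary_item_removed"].append((_sub(p, k), o[k], None))
            for k in sorted(o.keys() & n.keys()):
                walk(o[k], n[k], _sub(p, k))
        elif isinstance(o, list) and isinstance(n, list):
            # Positional: a merely re-sorted list yields one values_changed row per
            # moved field, which is what the Kimsuky external_references rows above are.
            for i, (a, b) in enumerate(zip(o, n)):
                walk(a, b, _sub(p, i))
            for i in range(len(o), len(n)):
                out["iterable_item_added"].append((_sub(p, i), None, n[i]))
            for i in range(len(n), len(o)):
                out["iterable_item_removed"].append((_sub(p, i), o[i], None))
        elif o != n:
            out["values_changed"].append((p, o, n))

    walk(old, new, "")
    return {k: v for k, v in out.items() if v}


def diff_refs_by_source(old_refs: list[dict], new_refs: list[dict]) -> dict[str, list]:
    """Compare external_references keyed by source_name, not position; assumes
    source_name is unique in the object, so a pure re-ordering yields no rows."""
    return diff_stix({r["source_name"]: r for r in old_refs},
                     {r["source_name"]: r for r in new_refs})


# --- constructed samples (x_mitre_platforms[0], the mitre reference's source_name
# and the pre-existing contributor are not on the page; they are placeholders) ---
T0883_OLD = {
    "modified": "2022-04-21 22:02:03.869000+00:00",
    "external_references": [{"source_name": "mitre-attack", "external_id": "T0883",
                             "url": "https://attack.mitre.org/Technique/T0883"}],
    "x_mitre_platforms": ["Control Server", " Data Historian", " Field Controller/RTU/PLC/IED",
                          " Human-Machine Interface", " Input/Output Server",
                          " Safety Instrumented System/Protection Relay"],
}
T0883_NEW = {
    **T0883_OLD,
    "modified": "2022-05-06 17:47:23.930000+00:00",
    "external_references": [{**T0883_OLD["external_references"][0],
                             "url": "https://attack.mitre.org/techniques/T0883"}],
    "x_mitre_platforms": [p.strip() for p in T0883_OLD["x_mitre_platforms"]],  # whitespace fix
}

_ALIASES = {  # the four alias references of G0094; descriptions are the citations shown above
    "Kimsuky": "(Citation: Securelist Kimsuky Sept 2013)(Citation: Malwarebytes Kimsuky June 2021)",
    "STOLEN PENCIL": "(Citation: Netscout Stolen Pencil Dec 2018)",
    "Thallium": "(Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)",
    "Black Banshee": "(Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)",
}


def _refs(order: list[str]) -> list[dict]:
    head = {"source_name": "mitre-attack", "external_id": "G0094", "url": "https://attack.mitre.org/groups/G0094"}
    return [head] + [{"source_name": a, "description": _ALIASES[a]} for a in order]


KIMSUKY_OLD = {
    "modified": "2022-03-23 18:54:26.218000+00:00",
    "external_references": _refs(["Kimsuky", "STOLEN PENCIL", "Thallium", "Black Banshee"]),
    "x_mitre_contributors": ["(existing contributor, placeholder)"],
}
KIMSUKY_NEW = {
    "modified": "2022-04-25 12:25:09.059000+00:00",
    "external_references": _refs(["Thallium", "Black Banshee", "STOLEN PENCIL", "Kimsuky"]),
    "x_mitre_contributors": ["(existing contributor, placeholder)", "Dongwook Kim, KISA"],
    "x_mitre_attack_spec_version": "2.1.0",
    "x_mitre_deprecated": False,
}
```

diff_stix(T0883_OLD, T0883_NEW) yields only values_changed rows (modified, the URL, and x_mitre_platforms[1] to [5], with the leading space visible in the old values), and diff_stix(KIMSUKY_OLD, KIMSUKY_NEW) yields the two dictionary_item_added rows, nine values_changed rows and one iterable_item_added row in the same shape as the entry above. diff_refs_by_source on the two Kimsuky reference lists returns an empty dict, which is the check to run before treating a long external_references diff as a substantive change.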

Deprecations

[G0141] Gelsemium

Current version: 1.0

Description: [Gelsemium](https://attack.mitre.org/groups/G0141) is a cyberespionage group that has been active since at least 2014, targeting governmental institutions, electronics manufacturers, universities, and religious organizations in East Asia and the Middle East.(Citation: ESET Gelsemium June 2021)

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version |  | 2.1.0
x_mitre_deprecated |  | True
values_changed
STIX Field | Old value | New value
modified | 2021-12-02 14:15:49.640000+00:00 | 2022-05-04 22:15:12.759000+00:00
description | [Gelsemium](https://attack.mitre.org/groups/G0141) is a cyberespionage group that has been active since at least 2014, targeting governmental institutions, electronics manufacturers, universities, and religious organizations in Eastern Asia and the Middle East.(Citation: ESET Gelsemium June 2021) | [Gelsemium](https://attack.mitre.org/groups/G0141) is a cyberespionage group that has been active since at least 2014, targeting governmental institutions, electronics manufacturers, universities, and religious organizations in East Asia and the Middle East.(Citation: ESET Gelsemium June 2021)

ics-attack

Patches

[G1000] ALLANITE

Current version: 1.0


Old Description:
[ALLANITE](https://attack.mitre.org/groups/G0009) is a suspected Russian cyber espionage group, that has primarily targeted the electric utility sector within the United States and United Kingdom. The group's tactics and techniques are reportedly similar to [Dragonfly](https://attack.mitre.org/groups/G0002) / [Dragonfly 2.0](https://attack.mitre.org/groups/G0006), although [ALLANITE](https://attack.mitre.org/groups/G0009)s technical capabilities have not exhibited disruptive or destructive abilities. It has been suggested that the group maintains a presence in ICS for the purpose of gaining understanding of processes and to maintain persistence. (Citation: Dragos)

New Description:
[ALLANITE](https://attack.mitre.org/groups/G1000) is a suspected Russian cyber espionage group, that has primarily targeted the electric utility sector within the United States and United Kingdom. The group's tactics and techniques are reportedly similar to [Dragonfly](https://attack.mitre.org/groups/G0002) / [Dragonfly 2.0](https://attack.mitre.org/groups/G0035), although [ALLANITE](https://attack.mitre.org/groups/G1000)s technical capabilities have not exhibited disruptive or destructive abilities. It has been suggested that the group maintains a presence in ICS for the purpose of gaining understanding of processes and to maintain persistence. (Citation: Dragos)

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_domains |  | ['ics-attack']
values_changed
STIX Field | Old value | New value
modified | 2022-04-21 22:02:03.928000+00:00 | 2022-05-06 17:47:23.998000+00:00
description | [ALLANITE](https://attack.mitre.org/groups/G0009) is a suspected Russian cyber espionage group, that has primarily targeted the electric utility sector within the United States and United Kingdom. The group's tactics and techniques are reportedly similar to [Dragonfly](https://attack.mitre.org/groups/G0002) / [Dragonfly 2.0](https://attack.mitre.org/groups/G0006), although [ALLANITE](https://attack.mitre.org/groups/G0009)s technical capabilities have not exhibited disruptive or destructive abilities. It has been suggested that the group maintains a presence in ICS for the purpose of gaining understanding of processes and to maintain persistence. (Citation: Dragos) | [ALLANITE](https://attack.mitre.org/groups/G1000) is a suspected Russian cyber espionage group, that has primarily targeted the electric utility sector within the United States and United Kingdom. The group's tactics and techniques are reportedly similar to [Dragonfly](https://attack.mitre.org/groups/G0002) / [Dragonfly 2.0](https://attack.mitre.org/groups/G0035), although [ALLANITE](https://attack.mitre.org/groups/G1000)s technical capabilities have not exhibited disruptive or destructive abilities. It has been suggested that the group maintains a presence in ICS for the purpose of gaining understanding of processes and to maintain persistence. (Citation: Dragos)
external_references[0]['url'] | https://attack.mitre.org/Group/G0009 | https://attack.mitre.org/groups/G1000

[G1001] HEXANE

Current version: 1.0


Old Description:
[HEXANE](https://attack.mitre.org/groups/G0005) is a threat group that has targeted ICS organization within the oil & gas, and telecommunications sectors. Many of the targeted organizations have been located in the Middle East including Kuwait. [HEXANE](https://attack.mitre.org/groups/G0005)'s targeting of telecommunications has been speculated to be part of an effort to establish man-in-the-middle capabilities throughout the region. [HEXANE](https://attack.mitre.org/groups/G0005)'s TTPs appear similar to [APT33](https://attack.mitre.org/groups/G0003) and [OilRig](https://attack.mitre.org/groups/G0010) but due to differences in victims and tools it is tracked as a separate entity. (Citation: Dragos)

New Description:
[HEXANE](https://attack.mitre.org/groups/G1001) is a threat group that has targeted ICS organization within the oil & gas, and telecommunications sectors. Many of the targeted organizations have been located in the Middle East including Kuwait. [HEXANE](https://attack.mitre.org/groups/G1001)'s targeting of telecommunications has been speculated to be part of an effort to establish man-in-the-middle capabilities throughout the region. [HEXANE](https://attack.mitre.org/groups/G1001)'s TTPs appear similar to [APT33](https://attack.mitre.org/groups/G0003) and [OilRig](https://attack.mitre.org/groups/G0010) but due to differences in victims and tools it is tracked as a separate entity. (Citation: Dragos)

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_domains |  | ['ics-attack']
values_changed
STIX Field | Old value | New value
modified | 2022-04-21 22:02:03.931000+00:00 | 2022-05-06 17:47:24.002000+00:00
description | [HEXANE](https://attack.mitre.org/groups/G0005) is a threat group that has targeted ICS organization within the oil & gas, and telecommunications sectors. Many of the targeted organizations have been located in the Middle East including Kuwait. [HEXANE](https://attack.mitre.org/groups/G0005)'s targeting of telecommunications has been speculated to be part of an effort to establish man-in-the-middle capabilities throughout the region. [HEXANE](https://attack.mitre.org/groups/G0005)'s TTPs appear similar to [APT33](https://attack.mitre.org/groups/G0003) and [OilRig](https://attack.mitre.org/groups/G0010) but due to differences in victims and tools it is tracked as a separate entity. (Citation: Dragos) | [HEXANE](https://attack.mitre.org/groups/G1001) is a threat group that has targeted ICS organization within the oil & gas, and telecommunications sectors. Many of the targeted organizations have been located in the Middle East including Kuwait. [HEXANE](https://attack.mitre.org/groups/G1001)'s targeting of telecommunications has been speculated to be part of an effort to establish man-in-the-middle capabilities throughout the region. [HEXANE](https://attack.mitre.org/groups/G1001)'s TTPs appear similar to [APT33](https://attack.mitre.org/groups/G0003) and [OilRig](https://attack.mitre.org/groups/G0010) but due to differences in victims and tools it is tracked as a separate entity. (Citation: Dragos)
external_references[0]['url'] | https://attack.mitre.org/Group/G0005 | https://attack.mitre.org/groups/G1001

Mitigations

ics-attack

Patches

[M0801] Access Management

Current version: 1.0

Details
values_changed
STIX Field: Old value → New value
modified: 2022-04-21 22:02:03.953000+00:00 → 2022-05-06 17:47:24.034000+00:00
external_references[0]['url']: https://attack.mitre.org/Mitigation/M0801 → https://attack.mitre.org/mitigations/M0801

[M0936] Account Use Policies

Current version: 1.0

Details
values_changed
STIX Field: Old value → New value
modified: 2022-04-21 22:02:03.953000+00:00 → 2022-05-06 17:47:24.034000+00:00
external_references[0]['url']: https://attack.mitre.org/Mitigation/M0936 → https://attack.mitre.org/mitigations/M0936

[M0915] Active Directory Configuration

Current version: 1.0

Details
values_changed
STIX Field: Old value → New value
modified: 2022-04-21 22:02:03.954000+00:00 → 2022-05-06 17:47:24.035000+00:00
external_references[0]['url']: https://attack.mitre.org/Mitigation/M0915 → https://attack.mitre.org/mitigations/M0915

[M0949] Antivirus/Antimalware

Current version: 1.0

Details
values_changed
STIX Field: Old value → New value
modified: 2022-04-21 22:02:03.955000+00:00 → 2022-05-06 17:47:24.036000+00:00
external_references[0]['url']: https://attack.mitre.org/Mitigation/M0949 → https://attack.mitre.org/mitigations/M0949

[M0913] Application Developer Guidance

Current version: 1.0

Details
values_changed
STIX Field: Old value → New value
modified: 2022-04-21 22:02:03.955000+00:00 → 2022-05-06 17:47:24.036000+00:00
external_references[0]['url']: https://attack.mitre.org/Mitigation/M0913 → https://attack.mitre.org/mitigations/M0913

[M0948] Application Isolation and Sandboxing

Current version: 1.0

Details
values_changed
STIX Field: Old value → New value
modified: 2022-04-21 22:02:03.955000+00:00 → 2022-05-06 17:47:24.036000+00:00
external_references[0]['url']: https://attack.mitre.org/Mitigation/M0948 → https://attack.mitre.org/mitigations/M0948

[M0947] Audit

Current version: 1.0

Details
values_changed
STIX Field: Old value → New value
modified: 2022-04-21 22:02:03.955000+00:00 → 2022-05-06 17:47:24.037000+00:00
external_references[0]['url']: https://attack.mitre.org/Mitigation/M0947 → https://attack.mitre.org/mitigations/M0947

[M0800] Authorization Enforcement

Current version: 1.0

Details
values_changed
STIX Field: Old value → New value
modified: 2022-04-21 22:02:03.957000+00:00 → 2022-05-06 17:47:24.038000+00:00
external_references[0]['url']: https://attack.mitre.org/Mitigation/M0800 → https://attack.mitre.org/mitigations/M0800

[M0946] Boot Integrity

Current version: 1.0

Details
values_changed
STIX Field: Old value → New value
modified: 2022-04-21 22:02:03.957000+00:00 → 2022-05-06 17:47:24.038000+00:00
external_references[0]['url']: https://attack.mitre.org/Mitigation/M0946 → https://attack.mitre.org/mitigations/M0946

[M0945] Code Signing

Current version: 1.0

Details
values_changed
STIX Field: Old value → New value
modified: 2022-04-21 22:02:03.957000+00:00 → 2022-05-06 17:47:24.039000+00:00
external_references[0]['url']: https://attack.mitre.org/Mitigation/M0945 → https://attack.mitre.org/mitigations/M0945

[M0802] Communication Authenticity

Current version: 1.0

Details
values_changed
STIX Field: Old value → New value
modified: 2022-04-21 22:02:03.958000+00:00 → 2022-05-06 17:47:24.039000+00:00
external_references[0]['url']: https://attack.mitre.org/Mitigation/M0802 → https://attack.mitre.org/mitigations/M0802

[M0953] Data Backup

Current version: 1.0

Details
values_changed
STIX Field: Old value → New value
modified: 2022-04-21 22:02:03.959000+00:00 → 2022-05-06 17:47:24.040000+00:00
external_references[0]['url']: https://attack.mitre.org/Mitigation/M0953 → https://attack.mitre.org/mitigations/M0953

[M0803] Data Loss Prevention

Current version: 1.0

Details
values_changed
STIX Field: Old value → New value
modified: 2022-04-21 22:02:03.959000+00:00 → 2022-05-06 17:47:24.040000+00:00
external_references[0]['url']: https://attack.mitre.org/Mitigation/M0803 → https://attack.mitre.org/mitigations/M0803

[M0942] Disable or Remove Feature or Program

Current version: 1.0

Details
values_changed
STIX Field: Old value → New value
modified: 2022-04-21 22:02:03.959000+00:00 → 2022-05-06 17:47:24.041000+00:00
external_references[0]['url']: https://attack.mitre.org/Mitigation/M0942 → https://attack.mitre.org/mitigations/M0942

[M0808] Encrypt Network Traffic

Current version: 1.0

Details
values_changed
STIX Field: Old value → New value
modified: 2022-04-21 22:02:03.959000+00:00 → 2022-05-06 17:47:24.041000+00:00
external_references[0]['url']: https://attack.mitre.org/Mitigation/M0808 → https://attack.mitre.org/mitigations/M0808

[M0941] Encrypt Sensitive Information

Current version: 1.0

Details
values_changed
STIX Field: Old value → New value
modified: 2022-04-21 22:02:03.960000+00:00 → 2022-05-06 17:47:24.041000+00:00
external_references[0]['url']: https://attack.mitre.org/Mitigation/M0941 → https://attack.mitre.org/mitigations/M0941

[M0938] Execution Prevention

Current version: 1.0

Details
values_changed
STIX Field: Old value → New value
modified: 2022-04-21 22:02:03.960000+00:00 → 2022-05-06 17:47:24.042000+00:00
external_references[0]['url']: https://attack.mitre.org/Mitigation/M0938 → https://attack.mitre.org/mitigations/M0938

[M0950] Exploit Protection

Current version: 1.0

Details
values_changed
STIX Field: Old value → New value
modified: 2022-04-21 22:02:03.960000+00:00 → 2022-05-06 17:47:24.042000+00:00
external_references[0]['url']: https://attack.mitre.org/Mitigation/M0950 → https://attack.mitre.org/mitigations/M0950

[M0937] Filter Network Traffic

Current version: 1.0

Details
values_changed
STIX Field: Old value → New value
modified: 2022-04-21 22:02:03.961000+00:00 → 2022-05-06 17:47:24.043000+00:00
external_references[0]['url']: https://attack.mitre.org/Mitigation/M0937 → https://attack.mitre.org/mitigations/M0937

[M0804] Human User Authentication

Current version: 1.0

Details
values_changed
STIX Field: Old value → New value
modified: 2022-04-21 22:02:03.975000+00:00 → 2022-05-06 17:47:24.060000+00:00
external_references[0]['url']: https://attack.mitre.org/Mitigation/M0804 → https://attack.mitre.org/mitigations/M0804

[M0935] Limit Access to Resource Over Network

Current version: 1.0

Details
values_changed
STIX Field: Old value → New value
modified: 2022-04-21 22:02:03.962000+00:00 → 2022-05-06 17:47:24.044000+00:00
external_references[0]['url']: https://attack.mitre.org/Mitigation/M0935 → https://attack.mitre.org/mitigations/M0935

[M0934] Limit Hardware Installation

Current version: 1.0

Details
values_changed
STIX Field: Old value → New value
modified: 2022-04-21 22:02:03.962000+00:00 → 2022-05-06 17:47:24.045000+00:00
external_references[0]['url']: https://attack.mitre.org/Mitigation/M0934 → https://attack.mitre.org/mitigations/M0934

[M0805] Mechanical Protection Layers

Current version: 1.0

Details
values_changed
STIX Field: Old value → New value
modified: 2022-04-21 22:02:03.963000+00:00 → 2022-05-06 17:47:24.046000+00:00
external_references[0]['url']: https://attack.mitre.org/Mitigation/M0805 → https://attack.mitre.org/mitigations/M0805

[M0806] Minimize Wireless Signal Propagation

Current version: 1.0

Details
values_changed
STIX Field: Old value → New value
modified: 2022-04-21 22:02:03.965000+00:00 → 2022-05-06 17:47:24.048000+00:00
external_references[0]['url']: https://attack.mitre.org/Mitigation/M0806 → https://attack.mitre.org/mitigations/M0806

[M0816] Mitigation Limited or Not Effective

Current version: 1.0

Details
values_changed
STIX Field: Old value → New value
modified: 2022-04-21 22:02:03.965000+00:00 → 2022-05-06 17:47:24.048000+00:00
external_references[0]['url']: https://attack.mitre.org/Mitigation/M0816 → https://attack.mitre.org/mitigations/M0816

[M0932] Multi-factor Authentication

Current version: 1.0

Details
values_changed
STIX Field: Old value → New value
modified: 2022-04-21 22:02:03.965000+00:00 → 2022-05-06 17:47:24.048000+00:00
external_references[0]['url']: https://attack.mitre.org/Mitigation/M0932 → https://attack.mitre.org/mitigations/M0932

[M0807] Network Allowlists

Current version: 1.0

Details
values_changed
STIX Field: Old value → New value
modified: 2022-04-21 22:02:03.975000+00:00 → 2022-05-06 17:47:24.060000+00:00
external_references[0]['url']: https://attack.mitre.org/Mitigation/M0807 → https://attack.mitre.org/mitigations/M0807

[M0931] Network Intrusion Prevention

Current version: 1.0

Details
values_changed
STIX Field: Old value → New value
modified: 2022-04-21 22:02:03.966000+00:00 → 2022-05-06 17:47:24.049000+00:00
external_references[0]['url']: https://attack.mitre.org/Mitigation/M0931 → https://attack.mitre.org/mitigations/M0931

[M0930] Network Segmentation

Current version: 1.0

Details
values_changed
STIX Field: Old value → New value
modified: 2022-04-21 22:02:03.967000+00:00 → 2022-05-06 17:47:24.051000+00:00
external_references[0]['url']: https://attack.mitre.org/Mitigation/M0930 → https://attack.mitre.org/mitigations/M0930

[M0928] Operating System Configuration

Current version: 1.0

Details
values_changed
STIX Field: Old value → New value
modified: 2022-04-21 22:02:03.967000+00:00 → 2022-05-06 17:47:24.051000+00:00
external_references[0]['url']: https://attack.mitre.org/Mitigation/M0928 → https://attack.mitre.org/mitigations/M0928

[M0809] Operational Information Confidentiality

Current version: 1.0

Details
values_changed
STIX Field: Old value → New value
modified: 2022-04-21 22:02:03.967000+00:00 → 2022-05-06 17:47:24.051000+00:00
external_references[0]['url']: https://attack.mitre.org/Mitigation/M0809 → https://attack.mitre.org/mitigations/M0809

[M0810] Out-of-Band Communications Channel

Current version: 1.0

Details
values_changed
STIX Field: Old value → New value
modified: 2022-04-21 22:02:03.969000+00:00 → 2022-05-06 17:47:24.053000+00:00
external_references[0]['url']: https://attack.mitre.org/Mitigation/M0810 → https://attack.mitre.org/mitigations/M0810

[M0927] Password Policies

Current version: 1.0

Details
values_changed
STIX Field: Old value → New value
modified: 2022-04-21 22:02:03.969000+00:00 → 2022-05-06 17:47:24.053000+00:00
external_references[0]['url']: https://attack.mitre.org/Mitigation/M0927 → https://attack.mitre.org/mitigations/M0927

[M0926] Privileged Account Management

Current version: 1.0

Details
values_changed
STIX Field: Old value → New value
modified: 2022-04-21 22:02:03.969000+00:00 → 2022-05-06 17:47:24.053000+00:00
external_references[0]['url']: https://attack.mitre.org/Mitigation/M0926 → https://attack.mitre.org/mitigations/M0926

[M0811] Redundancy of Service

Current version: 1.0

Details
values_changed
STIX Field: Old value → New value
modified: 2022-04-21 22:02:03.970000+00:00 → 2022-05-06 17:47:24.054000+00:00
external_references[0]['url']: https://attack.mitre.org/Mitigation/M0811 → https://attack.mitre.org/mitigations/M0811

[M0922] Restrict File and Directory Permissions

Current version: 1.0

Details
values_changed
STIX Field: Old value → New value
modified: 2022-04-21 22:02:03.970000+00:00 → 2022-05-06 17:47:24.054000+00:00
external_references[0]['url']: https://attack.mitre.org/Mitigation/M0922 → https://attack.mitre.org/mitigations/M0922

[M0944] Restrict Library Loading

Current version: 1.0

Details
values_changed
STIX Field: Old value → New value
modified: 2022-04-21 22:02:03.970000+00:00 → 2022-05-06 17:47:24.054000+00:00
external_references[0]['url']: https://attack.mitre.org/Mitigation/M0944 → https://attack.mitre.org/mitigations/M0944

[M0924] Restrict Registry Permissions

Current version: 1.0

Details
values_changed
STIX Field: Old value → New value
modified: 2022-04-21 22:02:03.970000+00:00 → 2022-05-06 17:47:24.055000+00:00
external_references[0]['url']: https://attack.mitre.org/Mitigation/M0924 → https://attack.mitre.org/mitigations/M0924

[M0921] Restrict Web-Based Content

Current version: 1.0

Details
values_changed
STIX Field: Old value → New value
modified: 2022-04-21 22:02:03.971000+00:00 → 2022-05-06 17:47:24.055000+00:00
external_references[0]['url']: https://attack.mitre.org/Mitigation/M0921 → https://attack.mitre.org/mitigations/M0921

[M0920] SSL/TLS Inspection

Current version: 1.0

Details
values_changed
STIX Field: Old value → New value
modified: 2022-04-21 22:02:03.971000+00:00 → 2022-05-06 17:47:24.055000+00:00
external_references[0]['url']: https://attack.mitre.org/Mitigation/M0920 → https://attack.mitre.org/mitigations/M0920

[M0812] Safety Instrumented Systems

Current version: 1.0

Details
values_changed
STIX Field: Old value → New value
modified: 2022-04-21 22:02:03.972000+00:00 → 2022-05-06 17:47:24.056000+00:00
external_references[0]['url']: https://attack.mitre.org/Mitigation/M0812 → https://attack.mitre.org/mitigations/M0812

[M0954] Software Configuration

Current version: 1.0

Details
values_changed
STIX Field: Old value → New value
modified: 2022-04-21 22:02:03.972000+00:00 → 2022-05-06 17:47:24.057000+00:00
external_references[0]['url']: https://attack.mitre.org/Mitigation/M0954 → https://attack.mitre.org/mitigations/M0954

[M0813] Software Process and Device Authentication

Current version: 1.0

Details
values_changed
STIX Field: Old value → New value
modified: 2022-04-21 22:02:03.972000+00:00 → 2022-05-06 17:47:24.057000+00:00
external_references[0]['url']: https://attack.mitre.org/Mitigation/M0813 → https://attack.mitre.org/mitigations/M0813

[M0814] Static Network Configuration

Current version: 1.0

Details
values_changed
STIX Field: Old value → New value
modified: 2022-04-21 22:02:03.972000+00:00 → 2022-05-06 17:47:24.057000+00:00
external_references[0]['url']: https://attack.mitre.org/Mitigation/M0814 → https://attack.mitre.org/mitigations/M0814

[M0817] Supply Chain Management

Current version: 1.0

Details
values_changed
STIX Field: Old value → New value
modified: 2022-04-21 22:02:03.973000+00:00 → 2022-05-06 17:47:24.058000+00:00
external_references[0]['url']: https://attack.mitre.org/Mitigation/M0817 → https://attack.mitre.org/mitigations/M0817

[M0919] Threat Intelligence Program

Current version: 1.0

Details
values_changed
STIX Field: Old value → New value
modified: 2022-04-21 22:02:03.973000+00:00 → 2022-05-06 17:47:24.058000+00:00
external_references[0]['url']: https://attack.mitre.org/Mitigation/M0919 → https://attack.mitre.org/mitigations/M0919

[M0951] Update Software

Current version: 1.0

Details
values_changed
STIX Field: Old value → New value
modified: 2022-04-21 22:02:03.973000+00:00 → 2022-05-06 17:47:24.058000+00:00
external_references[0]['url']: https://attack.mitre.org/Mitigation/M0951 → https://attack.mitre.org/mitigations/M0951

[M0918] User Account Management

Current version: 1.0

Details
values_changed
STIX Field: Old value → New value
modified: 2022-04-21 22:02:03.974000+00:00 → 2022-05-06 17:47:24.059000+00:00
external_references[0]['url']: https://attack.mitre.org/Mitigation/M0918 → https://attack.mitre.org/mitigations/M0918

[M0917] User Training

Current version: 1.0

Details
values_changed
STIX Field: Old value → New value
modified: 2022-04-21 22:02:03.974000+00:00 → 2022-05-06 17:47:24.059000+00:00
external_references[0]['url']: https://attack.mitre.org/Mitigation/M0917 → https://attack.mitre.org/mitigations/M0917

[M0916] Vulnerability Scanning

Current version: 1.0

Details
values_changed
STIX Field: Old value → New value
modified: 2022-04-21 22:02:03.974000+00:00 → 2022-05-06 17:47:24.059000+00:00
external_references[0]['url']: https://attack.mitre.org/Mitigation/M0916 → https://attack.mitre.org/mitigations/M0916

[M0815] Watchdog Timers

Current version: 1.0

Details
values_changed
STIX Field: Old value → New value
modified: 2022-04-21 22:02:03.974000+00:00 → 2022-05-06 17:47:24.060000+00:00
external_references[0]['url']: https://attack.mitre.org/Mitigation/M0815 → https://attack.mitre.org/mitigations/M0815

Data Sources

ics-attack

Patches

[DS0039] Assets

Current version: 1.0

Details
values_changed
STIX Field: Old value → New value
modified: 2022-04-23T15:48:38.011975Z → 2022-05-11T16:22:58.802094Z
created: 2022-04-23T15:48:38.011975Z → 2022-05-11T16:22:58.802094Z

[DS0040] Operational Databases

Current version: 1.0

Details
values_changed
STIX Field: Old value → New value
modified: 2022-04-23T15:48:38.012144Z → 2022-05-11T16:22:58.802589Z
created: 2022-04-23T15:48:38.012144Z → 2022-05-11T16:22:58.802589Z

Data Components

enterprise-attack

Patches

Domain Name: Active DNS

Current version: 1.0


Old Description: Initial construction of a WMI object, such as a filter, consumer, subscription, binding, or provider (ex: Sysmon EIDs 19-21)
New Description: Queried domain name system (DNS) registry data highlighting current domain to IP address resolutions (ex: dig/nslookup queries)
Details
dictionary_item_added
STIX Field: Old value → New value
x_mitre_deprecated: False
revoked: False
dictionary_item_removed
STIX Field: Old value → New value
x_mitre_domains: []
values_changed
STIX Field: Old value → New value
description: Initial construction of a WMI object, such as a filter, consumer, subscription, binding, or provider (ex: Sysmon EIDs 19-21) → Queried domain name system (DNS) registry data highlighting current domain to IP address resolutions (ex: dig/nslookup queries)
modified: 2022-03-30T14:26:51.804Z → 2022-05-02T23:19:55.148Z
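The records on this page (dictionary_item_added, dictionary_item_removed, values_changed, with paths such as external_references[0]['url']) are field-level diffs of each STIX object between the two releases, and an object lands under "Patches" when nothing but metadata moved and under a version-change heading when x_mitre_version did. The Python below is an added example, not MITRE's changelog generator, that recomputes such records for the HEXANE group entry above and for this Active DNS data component. The two object versions are constructed from the fields this page lists and omit everything else, so they are not complete STIX objects; the classification rule (patch vs. minor vs. major from x_mitre_version) is the editor's reading of the page's section headings.

```python
"""Recompute ATT&CK changelog records for two versions of a STIX object.

Added example for this page, not MITRE's own changelog generator. The sample
objects are constructed from the fields the page lists for the HEXANE group and
the Active DNS data component; they are not complete STIX objects.
"""

# Constructed: HEXANE as in v11.0 and v11.1, limited to the fields shown above.
OLD_HEXANE = {
    "name": "HEXANE",
    "modified": "2022-04-21 22:02:03.931000+00:00",
    "external_references": [
        {"source_name": "mitre-attack", "url": "https://attack.mitre.org/Group/G0005"},
    ],
}
NEW_HEXANE = {
    "name": "HEXANE",
    "modified": "2022-05-06 17:47:24.002000+00:00",
    "x_mitre_domains": ["ics-attack"],
    "external_references": [
        {"source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G1001"},
    ],
}

# Constructed: Active DNS, whose v11.0 description was WMI-object-creation text
# unrelated to DNS and was replaced in v11.1.
OLD_ACTIVE_DNS = {
    "name": "Active DNS",
    "description": "Initial construction of a WMI object, such as a filter, consumer, "
                   "subscription, binding, or provider (ex: Sysmon EIDs 19-21)",
    "modified": "2022-03-30T14:26:51.804Z",
    "x_mitre_domains": [],
}
NEW_ACTIVE_DNS = {
    "name": "Active DNS",
    "description": "Queried domain name system (DNS) registry data highlighting current "
                   "domain to IP address resolutions (ex: dig/nslookup queries)",
    "modified": "2022-05-02T23:19:55.148Z",
    "x_mitre_deprecated": False,
    "revoked": False,
}


def _child_path(parent, key):
    """Path in the page's style: bare top-level field, then [index] or ['key']."""
    if isinstance(key, int):
        return f"{parent}[{key}]"
    return f"{parent}['{key}']" if parent else str(key)


def diff_objects(old, new):
    """Return added, removed and changed fields keyed as on this page.

    Equal-length lists are walked element-wise, so external_references[0]['url']
    gets its own record; lists of different length become one values_changed
    entry (the page's generator would emit iterable_item_added/removed there).
    """
    changes = {"dictionary_item_added": {}, "dictionary_item_removed": {}, "values_changed": {}}

    def walk(o, n, path):
        if isinstance(o, dict) and isinstance(n, dict):
            for k in sorted(n.keys() - o.keys()):
                changes["dictionary_item_added"][_child_path(path, k)] = n[k]
            for k in sorted(o.keys() - n.keys()):
                changes["dictionary_item_removed"][_child_path(path, k)] = o[k]
            for k in sorted(o.keys() & n.keys()):
                walk(o[k], n[k], _child_path(path, k))
        elif isinstance(o, list) and isinstance(n, list) and len(o) == len(n):
            for i, (a, b) in enumerate(zip(o, n)):
                walk(a, b, f"{path}[{i}]")
        elif o != n:
            changes["values_changed"][path] = (o, n)

    walk(old, new, "")
    return changes


def classify(changes):
    """'patch' when x_mitre_version did not move, otherwise 'major' or 'minor'."""
    bump = changes["values_changed"].get("x_mitre_version")
    if bump is None:
        return "patch"
    old_major, new_major = (str(v).split(".")[0] for v in bump)
    return "major" if old_major != new_major else "minor"


def render(changes):
    """Flatten the records into the 'field: old → new' lines used on this page."""
    lines = []
    for section, rows in changes.items():
        if rows:
            lines.append(section)
        for field, value in rows.items():
            if section == "values_changed":
                lines.append(f"{field}: {value[0]} → {value[1]}")
            else:
                lines.append(f"{field}: {value!r}")
    return "\n".join(lines)


if __name__ == "__main__":
    for old, new in ((OLD_HEXANE, NEW_HEXANE), (OLD_ACTIVE_DNS, NEW_ACTIVE_DNS)):
        records = diff_objects(old, new)
        print(classify(records), render(records), sep="\n", end="\n\n")
```

Running it reproduces the three records for HEXANE (x_mitre_domains added, modified and the URL changed, nothing removed) and the five for Active DNS (x_mitre_deprecated and revoked added, the empty x_mitre_domains removed, description and modified changed); both come out as "patch" because neither object carries an x_mitre_version change. Point `diff_objects` at the same object pulled from two real STIX bundles to audit a release for the kind of silent description swap this data component shows.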

ics-attack

Patches

Operational Databases: Device Alarm

Current version: 1.0

Details
values_changed
STIX Field: Old value → New value
modified: 2022-04-23T15:48:38.012201Z → 2022-05-11T16:22:58.802647Z
created: 2022-04-23T15:48:38.012201Z → 2022-05-11T16:22:58.802647Z

Operational Databases: Process History/Live Data

Current version: 1.0

Details
values_changed
STIX Field: Old value → New value
modified: 2022-04-23T15:48:38.012159Z → 2022-05-11T16:22:58.802606Z
created: 2022-04-23T15:48:38.012159Z → 2022-05-11T16:22:58.802606Z

Operational Databases: Process/Event Alarm

Current version: 1.0

Details
values_changed
STIX Field: Old value → New value
modified: 2022-04-23T15:48:38.012181Z → 2022-05-11T16:22:58.802627Z
created: 2022-04-23T15:48:38.012181Z → 2022-05-11T16:22:58.802627Z