ATT&CK Changes Between v12.1 and v13.0
Key
- New objects: ATT&CK objects which are only present in the new release.
- Major version changes: ATT&CK objects that have a major version change. (e.g. 1.0 → 2.0)
- Minor version changes: ATT&CK objects that have a minor version change. (e.g. 1.0 → 1.1)
- Other version changes: ATT&CK objects that have a version change of any other kind. (e.g. 1.0 → 1.2)
- Patches: ATT&CK objects that have been patched while keeping the version the same. (e.g., 1.0 → 1.0 but something like a typo, a URL, or some metadata was fixed)
- Object revocations: ATT&CK objects which are revoked by a different object.
- Object deprecations: ATT&CK objects which are deprecated and no longer in use, and not replaced.
- Object deletions: ATT&CK objects which are no longer found in the STIX data.
| Colors for description field |
|---|
| Added |
| Changed |
| Deleted |
|
Additional formats
These ATT&CK Navigator layer files can be uploaded to ATT&CK Navigator manually.
This JSON file contains the machine readble output used to create this page: changelog.json
Techniques
enterprise-attack
New Techniques
[T1650] Acquire Access
Current version: 1.0
Description: Adversaries may purchase or otherwise acquire an existing access to a target system or network. A variety of online services and initial access broker networks are available to sell access to previously compromised systems.(Citation: Microsoft Ransomware as a Service)(Citation: CrowdStrike Access Brokers)(Citation: Krebs Access Brokers Fortune 500) In some cases, adversary groups may form partnerships to share compromised systems with each other.(Citation: CISA Karakurt 2022)
Footholds to compromised systems may take a variety of forms, such as access to planted backdoors (e.g., [Web Shell](https://attack.mitre.org/techniques/T1505/003)) or established access via [External Remote Services](https://attack.mitre.org/techniques/T1133). In some cases, access brokers will implant compromised systems with a “load” that can be used to install additional malware for paying customers.(Citation: Microsoft Ransomware as a Service)
By leveraging existing access broker networks rather than developing or obtaining their own initial access capabilities, an adversary can potentially reduce the resources required to gain a foothold on a target network and focus their efforts on later stages of compromise. Adversaries may prioritize acquiring access to systems that have been determined to lack security monitoring or that have high privileges, or systems that belong to organizations in a particular sector.(Citation: Microsoft Ransomware as a Service)(Citation: CrowdStrike Access Brokers)
In some cases, purchasing access to an organization in sectors such as IT contracting, software development, or telecommunications may allow an adversary to compromise additional victims via a [Trusted Relationship](https://attack.mitre.org/techniques/T1199), [Multi-Factor Authentication Interception](https://attack.mitre.org/techniques/T1111), or even [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195).
**Note:** while this technique is distinct from other behaviors such as [Purchase Technical Data](https://attack.mitre.org/techniques/T1597/002) and [Credentials](https://attack.mitre.org/techniques/T1589/001), they may often be used in conjunction (especially where the acquired foothold requires [Valid Accounts](https://attack.mitre.org/techniques/T1078)).
[T1552.008] Unsecured Credentials: Chat Messages
Current version: 1.0
Description: Adversaries may directly collect unsecured credentials stored or passed through user communication services. Credentials may be sent and stored in user chat communication applications such as email, chat services like Slack or Teams, collaboration tools like Jira or Trello, and any other services that support user communication. Users may share various forms of credentials (such as usernames and passwords, API keys, or authentication tokens) on private or public corporate internal communications channels.
Rather than accessing the stored chat logs (i.e., [Credentials In Files](https://attack.mitre.org/techniques/T1552/001)), adversaries may directly access credentials within these services on the user endpoint, through servers hosting the services, or through administrator portals for cloud hosted services. Adversaries may also compromise integration tools like Slack Workflows to automatically search through messages to extract user credentials. These credentials may then be abused to perform follow-on activities such as lateral movement or privilege escalation (Citation: Slack Security Risks).
[T1059.009] Command and Scripting Interpreter: Cloud API
Current version: 1.0
Description: Adversaries may abuse cloud APIs to execute malicious commands. APIs available in cloud environments provide various functionalities and are a feature-rich method for programmatic access to nearly all aspects of a tenant. These APIs may be utilized through various methods such as command line interpreters (CLIs), in-browser Cloud Shells, [PowerShell](https://attack.mitre.org/techniques/T1059/001) modules like Azure for PowerShell(Citation: A), or software developer kits (SDKs) available for languages such as [Python](https://attack.mitre.org/techniques/T1059/006).
Cloud API functionality may allow for administrative access across all major services in a tenant such as compute, storage, identity and access management (IAM), networking, and security policies.
With proper permissions (often via use of credentials such as [Application Access Token](https://attack.mitre.org/techniques/T1550/001) and [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004)), adversaries may abuse cloud APIs to invoke various functions that execute malicious actions. For example, CLI and PowerShell functionality may be accessed through binaries installed on cloud-hosted or on-premises hosts or accessed through a browser-based cloud shell offered by many cloud platforms (such as AWS, Azure, and GCP). These cloud shells are often a packaged unified environment to use CLI and/or scripting modules hosted as a container in the cloud environment.
[T1651] Cloud Administration Command
Current version: 1.0
Description: Adversaries may abuse cloud management services to execute commands within virtual machines or hybrid-joined devices. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents. Similarly, in Azure AD environments, Microsoft Endpoint Manager allows Global or Intune Administrators to run scripts as SYSTEM on on-premises devices joined to the Azure AD.(Citation: AWS Systems Manager Run Command)(Citation: Microsoft Run Command)(Citation: SpecterOps Lateral Movement from Azure to On-Prem AD 2020)
If an adversary gains administrative access to a cloud environment, they may be able to abuse cloud management services to execute commands in the environment’s virtual machines or on-premises hybrid-joined devices. Additionally, an adversary that compromises a service provider or delegated administrator account may similarly be able to leverage a [Trusted Relationship](https://attack.mitre.org/techniques/T1199) to execute commands in connected virtual machines.(Citation: MSTIC Nobelium Oct 2021)
[T1021.007] Remote Services: Cloud Services
Current version: 1.0
Description: Adversaries may log into accessible cloud services within a compromised environment using [Valid Accounts](https://attack.mitre.org/techniques/T1078) that are synchronized with or federated to on-premises user identities. The adversary may then perform management actions or access cloud-hosted resources as the logged-on user.
Many enterprises federate centrally managed user identities to cloud services, allowing users to login with their domain credentials in order to access the cloud control plane. Similarly, adversaries may connect to available cloud services through the web console or through the cloud command line interface (CLI) (e.g., [Cloud API](https://attack.mitre.org/techniques/T1059/009)), using commands such as Connect-AZAccount for Azure PowerShell, Connect-MgGraph for Microsoft Graph PowerShell, and gcloud auth login for the Google Cloud CLI.
In some cases, adversaries may be able to authenticate to these services via [Application Access Token](https://attack.mitre.org/techniques/T1550/001) instead of a username and password.
[T1027.010] Obfuscated Files or Information: Command Obfuscation
Current version: 1.0
Description: Adversaries may obfuscate content during command execution to impede detection. Command-line obfuscation is a method of making strings and patterns within commands and scripts more difficult to signature and analyze. This type of obfuscation can be included within commands executed by delivered payloads (e.g., [Phishing](https://attack.mitre.org/techniques/T1566) and [Drive-by Compromise](https://attack.mitre.org/techniques/T1189)) or interactively via [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059).(Citation: Akamai JS)(Citation: Malware Monday VBE)
For example, adversaries may abuse syntax that utilizes various symbols and escape characters (such as spacing, `^`, `+`. `$`, and `%`) to make commands difficult to analyze while maintaining the same intended functionality.(Citation: RC PowerShell) Many languages support built-in obfuscation in the form of base64 or URL encoding.(Citation: Microsoft PowerShellB64) Adversaries may also manually implement command obfuscation via string splitting (`“Wor”+“d.Application”`), order and casing of characters (`rev <<<'dwssap/cte/ tac'`), globing (`mkdir -p '/tmp/:&$NiA'`), as well as various tricks involving passing strings through tokens/environment variables/input streams.(Citation: Bashfuscator Command Obfuscators)(Citation: FireEye Obfuscation June 2017)
Adversaries may also use tricks such as directory traversals to obfuscate references to the binary being invoked by a command (`C:\voi\pcw\..\..\Windows\tei\qs\k\..\..\..\system32\erool\..\wbem\wg\je\..\..\wmic.exe shadowcopy delete`).(Citation: Twitter Richard WMIC)
Tools such as Invoke-Obfuscation and Invoke-DOSfucation have also been used to obfuscate commands.(Citation: Invoke-DOSfuscation)(Citation: Invoke-Obfuscation)
[T1652] Device Driver Discovery
Current version: 1.0
Description: Adversaries may attempt to enumerate local device drivers on a victim host. Information about device drivers may highlight various insights that shape follow-on behaviors, such as the function/purpose of the host, present security tools (i.e. [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001)) or other defenses (e.g., [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497)), as well as potential exploitable vulnerabilities (e.g., [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)).
Many OS utilities may provide information about local device drivers, such as `driverquery.exe` and the `EnumDeviceDrivers()` API function on Windows.(Citation: Microsoft Driverquery)(Citation: Microsoft EnumDeviceDrivers) Information about device drivers (as well as associated services, i.e., [System Service Discovery](https://attack.mitre.org/techniques/T1007)) may also be available in the Registry.(Citation: Microsoft Registry Drivers)
On Linux/macOS, device drivers (in the form of kernel modules) may be visible within `/dev` or using utilities such as `lsmod` and `modinfo`.(Citation: Linux Kernel Programming)(Citation: lsmod man)(Citation: modinfo man)
[T1567.003] Exfiltration Over Web Service: Exfiltration to Text Storage Sites
Current version: 1.0
Description: Adversaries may exfiltrate data to text storage sites instead of their primary command and control channel. Text storage sites, such as pastebin[.]com, are commonly used by developers to share code and other information.
Text storage sites are often used to host malicious code for C2 communication (e.g., [Stage Capabilities](https://attack.mitre.org/techniques/T1608)), but adversaries may also use these sites to exfiltrate collected data. Furthermore, paid features and encryption options may allow adversaries to conceal and store data more securely.(Citation: Pastebin EchoSec)
**Note:** This is distinct from [Exfiltration to Code Repository](https://attack.mitre.org/techniques/T1567/001), which highlight access to code repositories via APIs.
[T1027.011] Obfuscated Files or Information: Fileless Storage
Current version: 1.0
Description: Adversaries may store data in "fileless" formats to conceal malicious activity from defenses. Fileless storage can be broadly defined as any format other than a file. Common examples of non-volatile fileless storage include the Windows Registry, event logs, or WMI repository.(Citation: Microsoft Fileless)(Citation: SecureList Fileless)
Similar to fileless in-memory behaviors such as [Reflective Code Loading](https://attack.mitre.org/techniques/T1620) and [Process Injection](https://attack.mitre.org/techniques/T1055), fileless data storage may remain undetected by anti-virus and other endpoint security tools that can only access specific file formats from disk storage.
Adversaries may use fileless storage to conceal various types of stored data, including payloads/shellcode (potentially being used as part of [Persistence](https://attack.mitre.org/tactics/TA0003)) and collected data not yet exfiltrated from the victim (e.g., [Local Data Staging](https://attack.mitre.org/techniques/T1074/001)). Adversaries also often encrypt, encode, splice, or otherwise obfuscate this fileless data when stored.
Some forms of fileless storage activity may indirectly create artifacts in the file system, but in central and otherwise difficult to inspect formats such as the WMI (e.g., `%SystemRoot%\System32\Wbem\Repository`) or Registry (e.g., `%SystemRoot%\System32\Config`) physical files.(Citation: Microsoft Fileless)
[T1583.008] Acquire Infrastructure: Malvertising
Current version: 1.0
Description: Adversaries may purchase online advertisements that can be abused to distribute malware to victims. Ads can be purchased to plant as well as favorably position artifacts in specific locations online, such as prominently placed within search engine results. These ads may make it more difficult for users to distinguish between actual search results and advertisements.(Citation: spamhaus-malvertising) Purchased ads may also target specific audiences using the advertising network’s capabilities, potentially further taking advantage of the trust inherently given to search engines and popular websites.
Adversaries may purchase ads and other resources to help distribute artifacts containing malicious code to victims. Purchased ads may attempt to impersonate or spoof well-known brands. For example, these spoofed ads may trick victims into clicking the ad which could then send them to a malicious domain that may be a clone of official websites containing trojanized versions of the advertised software.(Citation: Masquerads-Guardio)(Citation: FBI-search) Adversary’s efforts to create malicious domains and purchase advertisements may also be automated at scale to better resist cleanup efforts.(Citation: sentinelone-malvertising)
Malvertising may be used to support [Drive-by Target](https://attack.mitre.org/techniques/T1608/004) and [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), potentially requiring limited interaction from the user if the ad contains code/exploits that infect the target system's web browser.(Citation: BBC-malvertising)
Adversaries may also employ several techniques to evade detection by the advertising network. For example, adversaries may dynamically route ad clicks to send automated crawler/policy enforcer traffic to benign sites while validating potential targets then sending victims referred from real ad clicks to malicious pages. This infection vector may therefore remain hidden from the ad network as well as any visitor not reaching the malicious sites with a valid identifier from clicking on the advertisement.(Citation: Masquerads-Guardio) Other tricks, such as intentional typos to avoid brand reputation monitoring, may also be used to evade automated detection.(Citation: spamhaus-malvertising)
[T1036.008] Masquerading: Masquerade File Type
Current version: 1.0
Description: Adversaries may masquerade malicious payloads as legitimate files through changes to the payload's formatting, including the file’s signature, extension, and contents. Various file types have a typical standard format, including how they are encoded and organized. For example, a file’s signature (also known as header or magic bytes) is the beginning bytes of a file and is often used to identify the file’s type. For example, the header of a JPEG file, is 0xFF 0xD8 and the file extension is either `.JPE`, `.JPEG` or `.JPG`.
Adversaries may edit the header’s hex code and/or the file extension of a malicious payload in order to bypass file validation checks and/or input sanitization. This behavior is commonly used when payload files are transferred (e.g., [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) and stored (e.g., [Upload Malware](https://attack.mitre.org/techniques/T1608/001)) so that adversaries may move their malware without triggering detections.
Common non-executable file types and extensions, such as text files (`.txt`) and image files (`.jpg`, `.gif`, etc.) may be typically treated as benign. Based on this, adversaries may use a file extension to disguise malware, such as naming a PHP backdoor code with a file name of test.gif. A user may not know that a file is malicious due to the benign appearance and file extension.
Polygot files, which are files that have multiple different file types and that function differently based on the application that will execute them, may also be used to disguise malicious malware and capabilities.(Citation: polygot_icedID)
[T1556.008] Modify Authentication Process: Network Provider DLL
Current version: 1.0
Description: Adversaries may register malicious network provider dynamic link libraries (DLLs) to capture cleartext user credentials during the authentication process. Network provider DLLs allow Windows to interface with specific network protocols and can also support add-on credential management functions.(Citation: Network Provider API) During the logon process, Winlogon (the interactive logon module) sends credentials to the local `mpnotify.exe` process via RPC. The `mpnotify.exe` process then shares the credentials in cleartext with registered credential managers when notifying that a logon event is happening.(Citation: NPPSPY - Huntress)(Citation: NPPSPY Video)(Citation: NPLogonNotify)
Adversaries can configure a malicious network provider DLL to receive credentials from `mpnotify.exe`.(Citation: NPPSPY) Once installed as a credential manager (via the Registry), a malicious DLL can receive and save credentials each time a user logs onto a Windows workstation or domain via the `NPLogonNotify()` function.(Citation: NPLogonNotify)
Adversaries may target planting malicious network provider DLLs on systems known to have increased logon activity and/or administrator logon activity, such as servers and domain controllers.(Citation: NPPSPY - Huntress)
[T1562.011] Impair Defenses: Spoof Security Alerting
Current version: 1.0
Description: Adversaries may spoof security alerting from tools, presenting false evidence to impair defenders’ awareness of malicious activity.(Citation: BlackBasta) Messages produced by defensive tools contain information about potential security events as well as the functioning status of security software and the system. Security reporting messages are important for monitoring the normal operation of a system and identifying important events that can signal a security incident.
Rather than or in addition to [Indicator Blocking](https://attack.mitre.org/techniques/T1562/006), an adversary can spoof positive affirmations that security tools are continuing to function even after legitimate security tools have been disabled (e.g., [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001)). An adversary can also present a “healthy” system status even after infection. This can be abused to enable further malicious activity by delaying defender responses.
For example, adversaries may show a fake Windows Security GUI and tray icon with a “healthy” system status after Windows Defender and other system tools have been disabled.(Citation: BlackBasta)
Major Version Changes
[T1217] Browser Information Discovery
Current version: 2.0
Version changed from: 1.0 → 2.0
|
|
|---|
| t | Adversaries may enumerate browser bookmarks to learn more ab | t | Adversaries may enumerate information about browsers to lear |
| out compromised hosts. Browser bookmarks may reveal personal | | n more about compromised environments. Data saved by browser |
| information about users (ex: banking sites, interests, soci | | s (such as bookmarks, accounts, and browsing history) may re |
| al media, etc.) as well as details about internal network re | | veal a variety of personal information about users (e.g., ba |
| sources such as servers, tools/dashboards, or other related | | nking sites, relationships/interests, social media, etc.) as |
| infrastructure. Browser bookmarks may also highlight additi | | well as details about internal network resources such as se |
| onal targets after an adversary has access to valid credenti | | rvers, tools/dashboards, or other related infrastructure.(Ci |
| als, especially [Credentials In Files](https://attack.mitre. | | tation: Kaspersky Autofill) Browser information may also hi |
| org/techniques/T1552/001) associated with logins cached by a | | ghlight additional targets after an adversary has access to |
| browser. Specific storage locations vary based on platform | | valid credentials, especially [Credentials In Files](https:/ |
| and/or application, but browser bookmarks are typically sto | | /attack.mitre.org/techniques/T1552/001) associated with logi |
| red in local files/databases. | | ns cached by a browser. Specific storage locations vary bas |
| | | ed on platform and/or application, but browser information i |
| | | s typically stored in local files and databases (e.g., `%APP |
| | | DATA%/Google/Chrome`).(Citation: Chrome Roaming Profiles) |
Dropped Mitigations:
- T1217: Browser Bookmark Discovery Mitigation
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_permissions_required | ['User'] | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2020-03-26 16:06:07.367000+00:00 | 2023-04-16 14:24:40.625000+00:00 |
| name | Browser Bookmark Discovery | Browser Information Discovery |
| description | Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.
Browser bookmarks may also highlight additional targets after an adversary has access to valid credentials, especially [Credentials In Files](https://attack.mitre.org/techniques/T1552/001) associated with logins cached by a browser.
Specific storage locations vary based on platform and/or application, but browser bookmarks are typically stored in local files/databases. | Adversaries may enumerate information about browsers to learn more about compromised environments. Data saved by browsers (such as bookmarks, accounts, and browsing history) may reveal a variety of personal information about users (e.g., banking sites, relationships/interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.(Citation: Kaspersky Autofill)
Browser information may also highlight additional targets after an adversary has access to valid credentials, especially [Credentials In Files](https://attack.mitre.org/techniques/T1552/001) associated with logins cached by a browser.
Specific storage locations vary based on platform and/or application, but browser information is typically stored in local files and databases (e.g., `%APPDATA%/Google/Chrome`).(Citation: Chrome Roaming Profiles) |
| x_mitre_version | 1.0 | 2.0 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| external_references | | {'source_name': 'Chrome Roaming Profiles', 'description': 'Chrome Enterprise and Education Help. (n.d.). Use Chrome Browser with Roaming User Profiles. Retrieved March 28, 2023.', 'url': 'https://support.google.com/chrome/a/answer/7349337'} |
| external_references | | {'source_name': 'Kaspersky Autofill', 'description': 'Golubev, S. (n.d.). How malware steals autofill data from browsers. Retrieved March 28, 2023.', 'url': 'https://www.kaspersky.com/blog/browser-data-theft/27871/'} |
| x_mitre_contributors | | Manikantan Srinivasan, NEC Corporation India |
| x_mitre_contributors | | Yinon Engelsman, Talon Cyber Security |
| x_mitre_contributors | | Yonatan Gotlib, Talon Cyber Security |
| x_mitre_data_sources | | Command: Command Execution |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | Command: Command Execution | |
Minor Version Changes
[T1548] Abuse Elevation Control Mechanism
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-03-21 19:01:25.043000+00:00 | 2023-04-21 12:35:07.744000+00:00 |
| x_mitre_data_sources[0] | Command: Command Execution | File: File Metadata |
| x_mitre_data_sources[1] | File: File Modification | Process: OS API Execution |
| x_mitre_data_sources[2] | Windows Registry: Windows Registry Key Modification | Process: Process Creation |
| x_mitre_data_sources[3] | Process: Process Metadata | Command: Command Execution |
| x_mitre_data_sources[4] | Process: Process Creation | Windows Registry: Windows Registry Key Modification |
| x_mitre_data_sources[5] | Process: OS API Execution | Process: Process Metadata |
| x_mitre_data_sources[6] | File: File Metadata | File: File Modification |
| x_mitre_version | 1.0 | 1.1 |
[T1546.008] Event Triggered Execution: Accessibility Features
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
| external_references | | Comi, G. (2019, October 19). Abusing Windows 10 Narrator's 'Feedback-Hub' URI for Fileless Persistence. Retrieved April 28, 2020. |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | CAPEC-558 | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2020-05-13 20:37:30.048000+00:00 | 2023-04-21 12:33:18.602000+00:00 |
| external_references[1]['source_name'] | capec | Narrator Accessibility Abuse |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/558.html | https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html |
| x_mitre_data_sources[0] | File: File Modification | Command: Command Execution |
| x_mitre_data_sources[1] | File: File Creation | Windows Registry: Windows Registry Key Modification |
| x_mitre_data_sources[2] | Windows Registry: Windows Registry Key Modification | File: File Modification |
| x_mitre_data_sources[4] | Command: Command Execution | File: File Creation |
| x_mitre_version | 1.0 | 1.1 |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'Narrator Accessibility Abuse', 'description': "Comi, G. (2019, October 19). Abusing Windows 10 Narrator's 'Feedback-Hub' URI for Fileless Persistence. Retrieved April 28, 2020.", 'url': 'https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html'} | |
[T1531] Account Access Removal
Current version: 1.2
Version changed from: 1.1 → 1.2
|
|
|---|
| t | Adversaries may interrupt availability of system and network | t | Adversaries may interrupt availability of system and network |
| resources by inhibiting access to accounts utilized by legi | | resources by inhibiting access to accounts utilized by legi |
| timate users. Accounts may be deleted, locked, or manipulate | | timate users. Accounts may be deleted, locked, or manipulate |
| d (ex: changed credentials) to remove access to accounts. Ad | | d (ex: changed credentials) to remove access to accounts. Ad |
| versaries may also subsequently log off and/or perform a [Sy | | versaries may also subsequently log off and/or perform a [Sy |
| stem Shutdown/Reboot](https://attack.mitre.org/techniques/T1 | | stem Shutdown/Reboot](https://attack.mitre.org/techniques/T1 |
| 529) to set malicious changes into place.(Citation: CarbonBl | | 529) to set malicious changes into place.(Citation: CarbonBl |
| ack LockerGoga 2019)(Citation: Unit42 LockerGoga 2019) In W | | ack LockerGoga 2019)(Citation: Unit42 LockerGoga 2019) In W |
| indows, [Net](https://attack.mitre.org/software/S0039) utili | | indows, [Net](https://attack.mitre.org/software/S0039) utili |
| ty, <code>Set-LocalUser</code> and <code>Set-ADAccountPasswo | | ty, <code>Set-LocalUser</code> and <code>Set-ADAccountPasswo |
| rd</code> [PowerShell](https://attack.mitre.org/techniques/T | | rd</code> [PowerShell](https://attack.mitre.org/techniques/T |
| 1059/001) cmdlets may be used by adversaries to modify user | | 1059/001) cmdlets may be used by adversaries to modify user |
| accounts. In Linux, the <code>passwd</code> utility may be u | | accounts. In Linux, the <code>passwd</code> utility may be u |
| sed to change passwords. Accounts could also be disabled by | | sed to change passwords. Accounts could also be disabled by |
| Group Policy. Adversaries who use ransomware may first per | | Group Policy. Adversaries who use ransomware or similar at |
| form this and other Impact behaviors, such as [Data Destruct | | tacks may first perform this and other Impact behaviors, suc |
| ion](https://attack.mitre.org/techniques/T1485) and [Defacem | | h as [Data Destruction](https://attack.mitre.org/techniques/ |
| ent](https://attack.mitre.org/techniques/T1491), before comp | | T1485) and [Defacement](https://attack.mitre.org/techniques/ |
| leting the [Data Encrypted for Impact](https://attack.mitre. | | T1491), in order to impede incident response/recovery before |
| org/techniques/T1486) objective. | | completing the [Data Encrypted for Impact](https://attack.m |
| | | itre.org/techniques/T1486) objective. |
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_contributors | | ['Hubert Mank'] |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-19 22:57:27.449000+00:00 | 2023-03-22 20:39:15.680000+00:00 |
| description | Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. Adversaries may also subsequently log off and/or perform a [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to set malicious changes into place.(Citation: CarbonBlack LockerGoga 2019)(Citation: Unit42 LockerGoga 2019)
In Windows, [Net](https://attack.mitre.org/software/S0039) utility, Set-LocalUser and Set-ADAccountPassword [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets may be used by adversaries to modify user accounts. In Linux, the passwd utility may be used to change passwords. Accounts could also be disabled by Group Policy.
Adversaries who use ransomware may first perform this and other Impact behaviors, such as [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Defacement](https://attack.mitre.org/techniques/T1491), before completing the [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) objective. | Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. Adversaries may also subsequently log off and/or perform a [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to set malicious changes into place.(Citation: CarbonBlack LockerGoga 2019)(Citation: Unit42 LockerGoga 2019)
In Windows, [Net](https://attack.mitre.org/software/S0039) utility, Set-LocalUser and Set-ADAccountPassword [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets may be used by adversaries to modify user accounts. In Linux, the passwd utility may be used to change passwords. Accounts could also be disabled by Group Policy.
Adversaries who use ransomware or similar attacks may first perform this and other Impact behaviors, such as [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Defacement](https://attack.mitre.org/techniques/T1491), in order to impede incident response/recovery before completing the [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) objective. |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.1 | 1.2 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | | User Account: User Account Modification |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | User Account: User Account Modification | |
[T1087] Account Discovery
Current version: 2.4
Version changed from: 2.3 → 2.4
|
|
|---|
| t | Adversaries may attempt to get a listing of accounts on a sy | t | Adversaries may attempt to get a listing of valid accounts, |
| stem or within an environment. This information can help adv | | usernames, or email addresses on a system or within a compro |
| ersaries determine which accounts exist to aid in follow-on | | mised environment. This information can help adversaries det |
| behavior. | | ermine which accounts exist, which can aid in follow-on beha |
| | | vior such as brute-forcing, spear-phishing attacks, or accou |
| | | nt takeovers (e.g., [Valid Accounts](https://attack.mitre.or |
| | | g/techniques/T1078)). Adversaries may use several methods t |
| | | o enumerate accounts, including abuse of existing tools, bui |
| | | lt-in commands, and potential misconfigurations that leak ac |
| | | count names and roles or permissions in the targeted environ |
| | | ment. For examples, cloud environments typically provide ea |
| | | sily accessible interfaces to obtain user lists. On hosts, a |
| | | dversaries can use default [PowerShell](https://attack.mitre |
| | | .org/techniques/T1059/001) and other command line functional |
| | | ity to identify accounts. Information about email addresses |
| | | and accounts may also be extracted by searching an infected |
| | | system’s files. |
Dropped Mitigations:
- T1087: Account Discovery Mitigation
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
| external_references | | Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 30, 2020. |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_permissions_required | ['User'] | |
| external_references | CAPEC-575 | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-10-13 14:05:15.038000+00:00 | 2023-04-15 17:24:23.029000+00:00 |
| description | Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior. | Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., [Valid Accounts](https://attack.mitre.org/techniques/T1078)).
Adversaries may use several methods to enumerate accounts, including abuse of existing tools, built-in commands, and potential misconfigurations that leak account names and roles or permissions in the targeted environment.
For examples, cloud environments typically provide easily accessible interfaces to obtain user lists. On hosts, adversaries can use default [PowerShell](https://attack.mitre.org/techniques/T1059/001) and other command line functionality to identify accounts. Information about email addresses and accounts may also be extracted by searching an infected system’s files. |
| external_references[1]['source_name'] | capec | Elastic - Koadiac Detection with EQL |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/575.html | https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql |
| x_mitre_data_sources[0] | File: File Access | Process: Process Creation |
| x_mitre_data_sources[2] | Process: Process Creation | File: File Access |
| x_mitre_version | 2.3 | 2.4 |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'Elastic - Koadiac Detection with EQL', 'description': 'Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 30, 2020.', 'url': 'https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql'} | |
[T1098] Account Manipulation
Current version: 2.5
Version changed from: 2.4 → 2.5
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-18 15:50:24.811000+00:00 | 2023-04-12 23:29:30.966000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_data_sources[1] | Group: Group Modification | Command: Command Execution |
| x_mitre_data_sources[2] | Process: Process Creation | Active Directory: Active Directory Object Modification |
| x_mitre_data_sources[3] | Active Directory: Active Directory Object Modification | Group: Group Modification |
| x_mitre_data_sources[4] | Command: Command Execution | File: File Modification |
| x_mitre_data_sources[5] | File: File Modification | Process: Process Creation |
| x_mitre_version | 2.4 | 2.5 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_platforms | | Network |
[T1583] Acquire Infrastructure
Current version: 1.2
Version changed from: 1.1 → 1.2
|
|
|---|
| t | Adversaries may buy, lease, or rent infrastructure that can | t | Adversaries may buy, lease, or rent infrastructure that can |
| be used during targeting. A wide variety of infrastructure e | | be used during targeting. A wide variety of infrastructure e |
| xists for hosting and orchestrating adversary operations. In | | xists for hosting and orchestrating adversary operations. In |
| frastructure solutions include physical or cloud servers, do | | frastructure solutions include physical or cloud servers, do |
| mains, and third-party web services.(Citation: TrendmicroHid | | mains, and third-party web services.(Citation: TrendmicroHid |
| eoutsLease) Additionally, botnets are available for rent or | | eoutsLease) Additionally, botnets are available for rent or |
| purchase. Use of these infrastructure solutions allows an a | | purchase. Use of these infrastructure solutions allows adve |
| dversary to stage, launch, and execute an operation. Solutio | | rsaries to stage, launch, and execute operations. Solutions |
| ns may help adversary operations blend in with traffic that | | may help adversary operations blend in with traffic that is |
| is seen as normal, such as contact to third-party web servic | | seen as normal, such as contacting third-party web services |
| es. Depending on the implementation, adversaries may use inf | | or acquiring infrastructure to support [Proxy](https://attac |
| rastructure that makes it difficult to physically tie back t | | k.mitre.org/techniques/T1090).(Citation: amnesty_nso_pegasus |
| o them as well as utilize infrastructure that can be rapidly | | ) Depending on the implementation, adversaries may use infra |
| provisioned, modified, and shut down. | | structure that makes it difficult to physically tie back to |
| | | them as well as utilize infrastructure that can be rapidly p |
| | | rovisioned, modified, and shut down. |
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_contributors | | ['Shailesh Tiwary (Indian Army)'] |
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-10-17 15:45:02.209000+00:00 | 2023-03-02 21:34:46.139000+00:00 |
| description | Adversaries may buy, lease, or rent infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Additionally, botnets are available for rent or purchase.
Use of these infrastructure solutions allows an adversary to stage, launch, and execute an operation. Solutions may help adversary operations blend in with traffic that is seen as normal, such as contact to third-party web services. Depending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down. | Adversaries may buy, lease, or rent infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Additionally, botnets are available for rent or purchase.
Use of these infrastructure solutions allows adversaries to stage, launch, and execute operations. Solutions may help adversary operations blend in with traffic that is seen as normal, such as contacting third-party web services or acquiring infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090).(Citation: amnesty_nso_pegasus) Depending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down. |
| external_references[1]['source_name'] | TrendmicroHideoutsLease | amnesty_nso_pegasus |
| external_references[1]['description'] | Max Goncharov. (2015, July 15). Criminal Hideouts for Lease: Bulletproof Hosting Services. Retrieved March 6, 2017. | Amnesty International Security Lab. (2021, July 18). Forensic Methodology Report: How to catch NSO Group’s Pegasus. Retrieved February 22, 2022. |
| external_references[1]['url'] | https://documents.trendmicro.com/assets/wp/wp-criminal-hideouts-for-lease.pdf | https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/ |
| external_references[2]['source_name'] | ThreatConnect Infrastructure Dec 2020 | Koczwara Beacon Hunting Sep 2021 |
| external_references[2]['description'] | ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021. | Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with Shodan. Retrieved October 12, 2021. |
| external_references[2]['url'] | https://threatconnect.com/blog/infrastructure-research-hunting/ | https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2 |
| external_references[3]['source_name'] | Mandiant SCANdalous Jul 2020 | TrendmicroHideoutsLease |
| external_references[3]['description'] | Stephens, A. (2020, July 13). SCANdalous! (External Detection Using Network Scan Data and Automation). Retrieved October 12, 2021. | Max Goncharov. (2015, July 15). Criminal Hideouts for Lease: Bulletproof Hosting Services. Retrieved March 6, 2017. |
| external_references[3]['url'] | https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation | https://documents.trendmicro.com/assets/wp/wp-criminal-hideouts-for-lease.pdf |
| external_references[4]['source_name'] | Koczwara Beacon Hunting Sep 2021 | Mandiant SCANdalous Jul 2020 |
| external_references[4]['description'] | Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with Shodan. Retrieved October 12, 2021. | Stephens, A. (2020, July 13). SCANdalous! (External Detection Using Network Scan Data and Automation). Retrieved October 12, 2021. |
| external_references[4]['url'] | https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2 | https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation |
| x_mitre_data_sources[1] | Domain Name: Domain Registration | Domain Name: Active DNS |
| x_mitre_data_sources[4] | Domain Name: Active DNS | Domain Name: Domain Registration |
| x_mitre_version | 1.1 | 1.2 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| external_references | | {'source_name': 'ThreatConnect Infrastructure Dec 2020', 'description': 'ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.', 'url': 'https://threatconnect.com/blog/infrastructure-research-hunting/'} |
[T1098.001] Account Manipulation: Additional Cloud Credentials
Current version: 2.5
Version changed from: 2.4 → 2.5
|
|
|---|
| t | Adversaries may add adversary-controlled credentials to a cl | t | Adversaries may add adversary-controlled credentials to a cl |
| oud account to maintain persistent access to victim accounts | | oud account to maintain persistent access to victim accounts |
| and instances within the environment. For example, adversa | | and instances within the environment. For example, adversa |
| ries may add credentials for Service Principals and Applicat | | ries may add credentials for Service Principals and Applicat |
| ions in addition to existing legitimate credentials in Azure | | ions in addition to existing legitimate credentials in Azure |
| AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citat | | AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citat |
| ion: Blue Cloud of Death)(Citation: Blue Cloud of Death Vide | | ion: Blue Cloud of Death)(Citation: Blue Cloud of Death Vide |
| o) These credentials include both x509 keys and passwords.(C | | o) These credentials include both x509 keys and passwords.(C |
| itation: Microsoft SolarWinds Customer Guidance) With suffic | | itation: Microsoft SolarWinds Customer Guidance) With suffic |
| ient permissions, there are a variety of ways to add credent | | ient permissions, there are a variety of ways to add credent |
| ials including the Azure Portal, Azure command line interfac | | ials including the Azure Portal, Azure command line interfac |
| e, and Azure or Az PowerShell modules.(Citation: Demystifyin | | e, and Azure or Az PowerShell modules.(Citation: Demystifyin |
| g Azure AD Service Principals) In infrastructure-as-a-servi | | g Azure AD Service Principals) In infrastructure-as-a-servi |
| ce (IaaS) environments, after gaining access through [Cloud | | ce (IaaS) environments, after gaining access through [Cloud |
| Accounts](https://attack.mitre.org/techniques/T1078/004), ad | | Accounts](https://attack.mitre.org/techniques/T1078/004), ad |
| versaries may generate or import their own SSH keys using ei | | versaries may generate or import their own SSH keys using ei |
| ther the <code>CreateKeyPair</code> or <code>ImportKeyPair</ | | ther the <code>CreateKeyPair</code> or <code>ImportKeyPair</ |
| code> API in AWS or the <code>gcloud compute os-login ssh-ke | | code> API in AWS or the <code>gcloud compute os-login ssh-ke |
| ys add</code> command in GCP.(Citation: GCP SSH Key Add) Thi | | ys add</code> command in GCP.(Citation: GCP SSH Key Add) Thi |
| s allows persistent access to instances within the cloud env | | s allows persistent access to instances within the cloud env |
| ironment without further usage of the compromised cloud acco | | ironment without further usage of the compromised cloud acco |
| unts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind | | unts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind |
| the Scenes) Adversaries may also use the <code>CreateAcces | | the Scenes) Adversaries may also use the <code>CreateAcces |
| sKey</code> API in AWS or the <code>gcloud iam service-accou | | sKey</code> API in AWS or the <code>gcloud iam service-accou |
| nts keys create</code> command in GCP to add access keys to | | nts keys create</code> command in GCP to add access keys to |
| an account. If the target account has different permissions | | an account. If the target account has different permissions |
| from the requesting account, the adversary may also be able | | from the requesting account, the adversary may also be able |
| to escalate their privileges in the environment (i.e. [Cloud | | to escalate their privileges in the environment (i.e. [Cloud |
| Accounts](https://attack.mitre.org/techniques/T1078/004)).( | | Accounts](https://attack.mitre.org/techniques/T1078/004)).( |
| Citation: Rhino Security Labs AWS Privilege Escalation) | | Citation: Rhino Security Labs AWS Privilege Escalation) In |
| | | AWS environments, adversaries with the appropriate permissio |
| | | ns may also use the `sts:GetFederationToken` API call to cre |
| | | ate a temporary set of credentials tied to the permissions o |
| | | f the original user account. These credentials may remain va |
| | | lid for the duration of their lifetime even if the original |
| | | account’s API credentials are deactivated. (Citation: Crowds |
| | | trike AWS User Federation Persistence) |
Dropped Detections:
- DS0026: Active Directory (Active Directory Object Modification)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-24 15:20:47.020000+00:00 | 2023-04-12 21:30:31.151000+00:00 |
| description | Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.
For example, adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)
In infrastructure-as-a-service (IaaS) environments, after gaining access through [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries may generate or import their own SSH keys using either the CreateKeyPair or ImportKeyPair API in AWS or the gcloud compute os-login ssh-keys add command in GCP.(Citation: GCP SSH Key Add) This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind the Scenes)
Adversaries may also use the CreateAccessKey API in AWS or the gcloud iam service-accounts keys create command in GCP to add access keys to an account. If the target account has different permissions from the requesting account, the adversary may also be able to escalate their privileges in the environment (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation: Rhino Security Labs AWS Privilege Escalation) | Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.
For example, adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)
In infrastructure-as-a-service (IaaS) environments, after gaining access through [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries may generate or import their own SSH keys using either the CreateKeyPair or ImportKeyPair API in AWS or the gcloud compute os-login ssh-keys add command in GCP.(Citation: GCP SSH Key Add) This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind the Scenes)
Adversaries may also use the CreateAccessKey API in AWS or the gcloud iam service-accounts keys create command in GCP to add access keys to an account. If the target account has different permissions from the requesting account, the adversary may also be able to escalate their privileges in the environment (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation: Rhino Security Labs AWS Privilege Escalation)
In AWS environments, adversaries with the appropriate permissions may also use the `sts:GetFederationToken` API call to create a temporary set of credentials tied to the permissions of the original user account. These credentials may remain valid for the duration of their lifetime even if the original account’s API credentials are deactivated.
(Citation: Crowdstrike AWS User Federation Persistence) |
| external_references[1]['source_name'] | Expel IO Evil in AWS | Crowdstrike AWS User Federation Persistence |
| external_references[1]['description'] | A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding Evil in AWS. Retrieved June 25, 2020. | Vaishnav Murthy and Joel Eng. (2023, January 30). How Adversaries Can Persist with AWS User Federation. Retrieved March 10, 2023. |
| external_references[1]['url'] | https://expel.io/blog/finding-evil-in-aws/ | https://www.crowdstrike.com/blog/how-adversaries-persist-with-aws-user-federation/ |
| external_references[2]['source_name'] | Demystifying Azure AD Service Principals | Expel IO Evil in AWS |
| external_references[2]['description'] | Bellavance, Ned. (2019, July 16). Demystifying Azure AD Service Principals. Retrieved January 19, 2020. | A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding Evil in AWS. Retrieved June 25, 2020. |
| external_references[2]['url'] | https://nedinthecloud.com/2019/07/16/demystifying-azure-ad-service-principals/ | https://expel.io/blog/finding-evil-in-aws/ |
| external_references[3]['source_name'] | GCP SSH Key Add | Demystifying Azure AD Service Principals |
| external_references[3]['description'] | Google. (n.d.). gcloud compute os-login ssh-keys add. Retrieved October 1, 2020. | Bellavance, Ned. (2019, July 16). Demystifying Azure AD Service Principals. Retrieved January 19, 2020. |
| external_references[3]['url'] | https://cloud.google.com/sdk/gcloud/reference/compute/os-login/ssh-keys/add | https://nedinthecloud.com/2019/07/16/demystifying-azure-ad-service-principals/ |
| external_references[4]['source_name'] | Blue Cloud of Death Video | GCP SSH Key Add |
| external_references[4]['description'] | Kunz, Bruce. (2018, October 14). Blue Cloud of Death: Red Teaming Azure. Retrieved November 21, 2019. | Google. (n.d.). gcloud compute os-login ssh-keys add. Retrieved October 1, 2020. |
| external_references[4]['url'] | https://www.youtube.com/watch?v=wQ1CuAPnrLM&feature=youtu.be&t=2815 | https://cloud.google.com/sdk/gcloud/reference/compute/os-login/ssh-keys/add |
| external_references[5]['source_name'] | Blue Cloud of Death | Blue Cloud of Death Video |
| external_references[5]['description'] | Kunz, Bryce. (2018, May 11). Blue Cloud of Death: Red Teaming Azure. Retrieved October 23, 2019. | Kunz, Bruce. (2018, October 14). Blue Cloud of Death: Red Teaming Azure. Retrieved November 21, 2019. |
| external_references[5]['url'] | https://speakerdeck.com/tweekfawkes/blue-cloud-of-death-red-teaming-azure-1 | https://www.youtube.com/watch?v=wQ1CuAPnrLM&feature=youtu.be&t=2815 |
| external_references[6]['source_name'] | Microsoft SolarWinds Customer Guidance | Blue Cloud of Death |
| external_references[6]['description'] | MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 17, 2020. | Kunz, Bryce. (2018, May 11). Blue Cloud of Death: Red Teaming Azure. Retrieved October 23, 2019. |
| external_references[6]['url'] | https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/ | https://speakerdeck.com/tweekfawkes/blue-cloud-of-death-red-teaming-azure-1 |
| external_references[7]['source_name'] | Expel Behind the Scenes | Microsoft SolarWinds Customer Guidance |
| external_references[7]['description'] | S. Lipton, L. Easterly, A. Randazzo and J. Hencinski. (2020, July 28). Behind the scenes in the Expel SOC: Alert-to-fix in AWS. Retrieved October 1, 2020. | MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 17, 2020. |
| external_references[7]['url'] | https://expel.io/blog/behind-the-scenes-expel-soc-alert-aws/ | https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/ |
| external_references[8]['source_name'] | Rhino Security Labs AWS Privilege Escalation | Expel Behind the Scenes |
| external_references[8]['description'] | Spencer Gietzen. (n.d.). AWS IAM Privilege Escalation – Methods and Mitigation. Retrieved May 27, 2022. | S. Lipton, L. Easterly, A. Randazzo and J. Hencinski. (2020, July 28). Behind the scenes in the Expel SOC: Alert-to-fix in AWS. Retrieved October 1, 2020. |
| external_references[8]['url'] | https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/ | https://expel.io/blog/behind-the-scenes-expel-soc-alert-aws/ |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 2.4 | 2.5 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| external_references | | {'source_name': 'Rhino Security Labs AWS Privilege Escalation', 'description': 'Spencer Gietzen. (n.d.). AWS IAM Privilege Escalation – Methods and Mitigation. Retrieved May 27, 2022.', 'url': 'https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/'} |
| x_mitre_contributors | | Dylan |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | Active Directory: Active Directory Object Modification | |
[T1098.003] Account Manipulation: Additional Cloud Roles
Current version: 2.2
Version changed from: 2.1 → 2.2
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-24 15:21:19.955000+00:00 | 2023-04-14 22:48:50.142000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 2.1 | 2.2 |
[T1546.010] Event Triggered Execution: AppInit DLLs
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2020-11-10 18:29:31.076000+00:00 | 2023-04-21 12:33:45.568000+00:00 |
| x_mitre_version | 1.0 | 1.1 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | | Windows Registry: Windows Registry Key Modification |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | Windows Registry: Windows Registry Key Modification | |
[T1550.001] Use Alternate Authentication Material: Application Access Token
Current version: 1.5
Version changed from: 1.4 → 1.5
|
|
|---|
| t | Adversaries may use stolen application access tokens to bypa | t | Adversaries may use stolen application access tokens to bypa |
| ss the typical authentication process and access restricted | | ss the typical authentication process and access restricted |
| accounts, information, or services on remote systems. These | | accounts, information, or services on remote systems. These |
| tokens are typically stolen from users or services and used | | tokens are typically stolen from users or services and used |
| in lieu of login credentials. Application access tokens are | | in lieu of login credentials. Application access tokens are |
| used to make authorized API requests on behalf of a user or | | used to make authorized API requests on behalf of a user or |
| service and are commonly used as a way to access resources | | service and are commonly used to access resources in cloud, |
| in cloud and container-based applications and software-as-a- | | container-based applications, and software-as-a-service (Sa |
| service (SaaS).(Citation: Auth0 - Why You Should Always Use | | aS).(Citation: Auth0 - Why You Should Always Use Access Toke |
| Access Tokens to Secure APIs Sept 2019) In AWS and GCP env | | ns to Secure APIs Sept 2019) OAuth is one commonly impleme |
| ironments, adversaries can trigger a request for a short-liv | | nted framework that issues tokens to users for access to sys |
| ed access token with the privileges of another user account. | | tems. These frameworks are used collaboratively to verify th |
| (Citation: Google Cloud Service Account Credentials)(Citatio | | e user and determine what actions the user is allowed to per |
| n: AWS Temporary Security Credentials) The adversary can the | | form. Once identity is established, the token allows actions |
| n use this token to request data or perform actions the orig | | to be authorized, without passing the actual credentials of |
| inal account could not. If permissions for this feature are | | the user. Therefore, compromise of the token can grant the |
| misconfigured – for example, by allowing all users to reques | | adversary access to resources of other sites through a malic |
| t a token for a particular account - an adversary may be abl | | ious application.(Citation: okta) For example, with a cloud |
| e to gain initial access to a Cloud Account or escalate thei | | -based email service, once an OAuth access token is granted |
| r privileges.(Citation: Rhino Security Labs Enumerating AWS | | to a malicious application, it can potentially gain long-ter |
| Roles) OAuth is one commonly implemented framework that iss | | m access to features of the user account if a "refresh" toke |
| ues tokens to users for access to systems. These frameworks | | n enabling background access is awarded.(Citation: Microsoft |
| are used collaboratively to verify the user and determine wh | | Identity Platform Access 2019) With an OAuth access token a |
| at actions the user is allowed to perform. Once identity is | | n adversary can use the user-granted REST API to perform fun |
| established, the token allows actions to be authorized, with | | ctions such as email searching and contact enumeration.(Cita |
| out passing the actual credentials of the user. Therefore, c | | tion: Staaldraad Phishing with OAuth 2017) Compromised acce |
| ompromise of the token can grant the adversary access to res | | ss tokens may be used as an initial step in compromising oth |
| ources of other sites through a malicious application.(Citat | | er services. For example, if a token grants access to a vict |
| ion: okta) For example, with a cloud-based email service on | | im’s primary email, the adversary may be able to extend acce |
| ce an OAuth access token is granted to a malicious applicati | | ss to all other services which the target subscribes by trig |
| on, it can potentially gain long-term access to features of | | gering forgotten password routines. In AWS and GCP environme |
| the user account if a "refresh" token enabling background ac | | nts, adversaries can trigger a request for a short-lived acc |
| cess is awarded.(Citation: Microsoft Identity Platform Acces | | ess token with the privileges of another user account.(Citat |
| s 2019) With an OAuth access token an adversary can use the | | ion: Google Cloud Service Account Credentials)(Citation: AWS |
| user-granted REST API to perform functions such as email sea | | Temporary Security Credentials) The adversary can then use |
| rching and contact enumeration.(Citation: Staaldraad Phishin | | this token to request data or perform actions the original a |
| g with OAuth 2017) Compromised access tokens may be used as | | ccount could not. If permissions for this feature are miscon |
| an initial step in compromising other services. For example | | figured – for example, by allowing all users to request a to |
| , if a token grants access to a victim’s primary email, the | | ken for a particular account - an adversary may be able to g |
| adversary may be able to extend access to all other services | | ain initial access to a Cloud Account or escalate their priv |
| which the target subscribes by triggering forgotten passwor | | ileges.(Citation: Rhino Security Labs Enumerating AWS Roles) |
| d routines. Direct API access through a token negates the ef | | Direct API access through a token negates the effectivenes |
| fectiveness of a second authentication factor and may be imm | | s of a second authentication factor and may be immune to int |
| une to intuitive countermeasures like changing passwords. Ac | | uitive countermeasures like changing passwords. For example |
| cess abuse over an API channel can be difficult to detect ev | | , in AWS environments, an adversary who compromises a user’s |
| en from the service provider end, as the access can still al | | AWS API credentials may be able to use the `sts:GetFederati |
| ign well with a legitimate workflow. | | onToken` API call to create a federated user session, which |
| | | will have the same permissions as the original user but may |
| | | persist even if the original user credentials are deactivate |
| | | d.(Citation: Crowdstrike AWS User Federation Persistence) Ad |
| | | ditionally, access abuse over an API channel can be difficul |
| | | t to detect even from the service provider end, as the acces |
| | | s can still align well with a legitimate workflow. |
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| external_references | | Stalmans, E.. (2017, August 2). Phishing with OAuth and o365/Azure. Retrieved October 4, 2019. |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | CAPEC-593 | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-21 17:01:05.286000+00:00 | 2023-04-15 00:29:43.297000+00:00 |
| description | Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens are typically stolen from users or services and used in lieu of login credentials.
Application access tokens are used to make authorized API requests on behalf of a user or service and are commonly used as a way to access resources in cloud and container-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019)
In AWS and GCP environments, adversaries can trigger a request for a short-lived access token with the privileges of another user account.(Citation: Google Cloud Service Account Credentials)(Citation: AWS Temporary Security Credentials) The adversary can then use this token to request data or perform actions the original account could not. If permissions for this feature are misconfigured – for example, by allowing all users to request a token for a particular account - an adversary may be able to gain initial access to a Cloud Account or escalate their privileges.(Citation: Rhino Security Labs Enumerating AWS Roles)
OAuth is one commonly implemented framework that issues tokens to users for access to systems. These frameworks are used collaboratively to verify the user and determine what actions the user is allowed to perform. Once identity is established, the token allows actions to be authorized, without passing the actual credentials of the user. Therefore, compromise of the token can grant the adversary access to resources of other sites through a malicious application.(Citation: okta)
For example, with a cloud-based email service once an OAuth access token is granted to a malicious application, it can potentially gain long-term access to features of the user account if a "refresh" token enabling background access is awarded.(Citation: Microsoft Identity Platform Access 2019) With an OAuth access token an adversary can use the user-granted REST API to perform functions such as email searching and contact enumeration.(Citation: Staaldraad Phishing with OAuth 2017)
Compromised access tokens may be used as an initial step in compromising other services. For example, if a token grants access to a victim’s primary email, the adversary may be able to extend access to all other services which the target subscribes by triggering forgotten password routines. Direct API access through a token negates the effectiveness of a second authentication factor and may be immune to intuitive countermeasures like changing passwords. Access abuse over an API channel can be difficult to detect even from the service provider end, as the access can still align well with a legitimate workflow. | Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens are typically stolen from users or services and used in lieu of login credentials.
Application access tokens are used to make authorized API requests on behalf of a user or service and are commonly used to access resources in cloud, container-based applications, and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019)
OAuth is one commonly implemented framework that issues tokens to users for access to systems. These frameworks are used collaboratively to verify the user and determine what actions the user is allowed to perform. Once identity is established, the token allows actions to be authorized, without passing the actual credentials of the user. Therefore, compromise of the token can grant the adversary access to resources of other sites through a malicious application.(Citation: okta)
For example, with a cloud-based email service, once an OAuth access token is granted to a malicious application, it can potentially gain long-term access to features of the user account if a "refresh" token enabling background access is awarded.(Citation: Microsoft Identity Platform Access 2019) With an OAuth access token an adversary can use the user-granted REST API to perform functions such as email searching and contact enumeration.(Citation: Staaldraad Phishing with OAuth 2017)
Compromised access tokens may be used as an initial step in compromising other services. For example, if a token grants access to a victim’s primary email, the adversary may be able to extend access to all other services which the target subscribes by triggering forgotten password routines. In AWS and GCP environments, adversaries can trigger a request for a short-lived access token with the privileges of another user account.(Citation: Google Cloud Service Account Credentials)(Citation: AWS Temporary Security Credentials) The adversary can then use this token to request data or perform actions the original account could not. If permissions for this feature are misconfigured – for example, by allowing all users to request a token for a particular account - an adversary may be able to gain initial access to a Cloud Account or escalate their privileges.(Citation: Rhino Security Labs Enumerating AWS Roles)
Direct API access through a token negates the effectiveness of a second authentication factor and may be immune to intuitive countermeasures like changing passwords. For example, in AWS environments, an adversary who compromises a user’s AWS API credentials may be able to use the `sts:GetFederationToken` API call to create a federated user session, which will have the same permissions as the original user but may persist even if the original user credentials are deactivated.(Citation: Crowdstrike AWS User Federation Persistence) Additionally, access abuse over an API channel can be difficult to detect even from the service provider end, as the access can still align well with a legitimate workflow. |
| external_references[1]['source_name'] | Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019 | Crowdstrike AWS User Federation Persistence |
| external_references[1]['description'] | Auth0. (n.d.). Why You Should Always Use Access Tokens to Secure APIs. Retrieved September 12, 2019. | Vaishnav Murthy and Joel Eng. (2023, January 30). How Adversaries Can Persist with AWS User Federation. Retrieved March 10, 2023. |
| external_references[1]['url'] | https://auth0.com/blog/why-should-use-accesstokens-to-secure-an-api/ | https://www.crowdstrike.com/blog/how-adversaries-persist-with-aws-user-federation/ |
| external_references[2]['source_name'] | AWS Logging IAM Calls | Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019 |
| external_references[2]['description'] | AWS. (n.d.). Logging IAM and AWS STS API calls with AWS CloudTrail. Retrieved April 1, 2022. | Auth0. (n.d.). Why You Should Always Use Access Tokens to Secure APIs. Retrieved September 12, 2019. |
| external_references[2]['url'] | https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html | https://auth0.com/blog/why-should-use-accesstokens-to-secure-an-api/ |
| external_references[3]['source_name'] | AWS Temporary Security Credentials | AWS Logging IAM Calls |
| external_references[3]['description'] | AWS. (n.d.). Requesting temporary security credentials. Retrieved April 1, 2022. | AWS. (n.d.). Logging IAM and AWS STS API calls with AWS CloudTrail. Retrieved April 1, 2022. |
| external_references[3]['url'] | https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html | https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html |
| external_references[4]['source_name'] | Microsoft Identity Platform Access 2019 | AWS Temporary Security Credentials |
| external_references[4]['description'] | Cai, S., Flores, J., de Guzman, C., et. al.. (2019, August 27). Microsoft identity platform access tokens. Retrieved October 4, 2019. | AWS. (n.d.). Requesting temporary security credentials. Retrieved April 1, 2022. |
| external_references[4]['url'] | https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens | https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html |
| external_references[5]['source_name'] | Google Cloud Service Account Credentials | Microsoft Identity Platform Access 2019 |
| external_references[5]['description'] | Google Cloud. (2022, March 31). Creating short-lived service account credentials. Retrieved April 1, 2022. | Cai, S., Flores, J., de Guzman, C., et. al.. (2019, August 27). Microsoft identity platform access tokens. Retrieved October 4, 2019. |
| external_references[5]['url'] | https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials | https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens |
| external_references[6]['source_name'] | GCP Monitoring Service Account Usage | Google Cloud Service Account Credentials |
| external_references[6]['description'] | Google Cloud. (2022, March 31). Monitor usage patterns for service accounts and keys . Retrieved April 1, 2022. | Google Cloud. (2022, March 31). Creating short-lived service account credentials. Retrieved April 1, 2022. |
| external_references[6]['url'] | https://cloud.google.com/iam/docs/service-account-monitoring | https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials |
| external_references[7]['source_name'] | okta | GCP Monitoring Service Account Usage |
| external_references[7]['description'] | okta. (n.d.). What Happens If Your JWT Is Stolen?. Retrieved September 12, 2019. | Google Cloud. (2022, March 31). Monitor usage patterns for service accounts and keys . Retrieved April 1, 2022. |
| external_references[7]['url'] | https://developer.okta.com/blog/2018/06/20/what-happens-if-your-jwt-is-stolen | https://cloud.google.com/iam/docs/service-account-monitoring |
| external_references[8]['source_name'] | Rhino Security Labs Enumerating AWS Roles | okta |
| external_references[8]['description'] | Spencer Gietzen. (2018, August 8). Assume the Worst: Enumerating AWS Roles through ‘AssumeRole’. Retrieved April 1, 2022. | okta. (n.d.). What Happens If Your JWT Is Stolen?. Retrieved September 12, 2019. |
| external_references[8]['url'] | https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration | https://developer.okta.com/blog/2018/06/20/what-happens-if-your-jwt-is-stolen |
| external_references[9]['source_name'] | Staaldraad Phishing with OAuth 2017 | Rhino Security Labs Enumerating AWS Roles |
| external_references[9]['description'] | Stalmans, E.. (2017, August 2). Phishing with OAuth and o365/Azure. Retrieved October 4, 2019. | Spencer Gietzen. (2018, August 8). Assume the Worst: Enumerating AWS Roles through ‘AssumeRole’. Retrieved April 1, 2022. |
| external_references[9]['url'] | https://staaldraad.github.io/2017/08/02/o356-phishing-with-oauth/ | https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration |
| external_references[10]['source_name'] | capec | Staaldraad Phishing with OAuth 2017 |
| external_references[10]['url'] | https://capec.mitre.org/data/definitions/593.html | https://staaldraad.github.io/2017/08/02/o356-phishing-with-oauth/ |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.4 | 1.5 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_contributors | | Dylan |
[T1071] Application Layer Protocol
Current version: 2.1
Version changed from: 2.0 → 2.1
|
|
|---|
| t | Adversaries may communicate using application layer protocol | t | Adversaries may communicate using OSI application layer prot |
| s to avoid detection/network filtering by blending in with e | | ocols to avoid detection/network filtering by blending in wi |
| xisting traffic. Commands to the remote system, and often th | | th existing traffic. Commands to the remote system, and ofte |
| e results of those commands, will be embedded within the pro | | n the results of those commands, will be embedded within the |
| tocol traffic between the client and server. Adversaries m | | protocol traffic between the client and server. Adversari |
| ay utilize many different protocols, including those used fo | | es may utilize many different protocols, including those use |
| r web browsing, transferring files, electronic mail, or DNS. | | d for web browsing, transferring files, electronic mail, or |
| For connections that occur internally within an enclave (su | | DNS. For connections that occur internally within an enclave |
| ch as those between a proxy or pivot node and other nodes), | | (such as those between a proxy or pivot node and other node |
| commonly used protocols are SMB, SSH, or RDP. | | s), commonly used protocols are SMB, SSH, or RDP. |
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_contributors | | ['Duane Michael'] |
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2020-10-21 16:35:45.986000+00:00 | 2023-04-11 14:35:41.468000+00:00 |
| description | Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Adversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP. | Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Adversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP. |
| x_mitre_data_sources[0] | Network Traffic: Network Traffic Flow | Network Traffic: Network Traffic Content |
| x_mitre_data_sources[1] | Network Traffic: Network Traffic Content | Network Traffic: Network Traffic Flow |
| x_mitre_version | 2.0 | 2.1 |
[T1010] Application Window Discovery
Current version: 1.3
Version changed from: 1.2 → 1.3
|
|
|---|
| t | Adversaries may attempt to get a listing of open application | t | Adversaries may attempt to get a listing of open application |
| windows. Window listings could convey information about how | | windows. Window listings could convey information about how |
| the system is used or give context to information collected | | the system is used.(Citation: Prevailion DarkWatchman 2021) |
| by a keylogger.(Citation: Prevailion DarkWatchman 2021) | | For example, information about application windows could be |
| | | used identify potential data to collect as well as identify |
| | | ing security tooling ([Security Software Discovery](https:// |
| | | attack.mitre.org/techniques/T1518/001)) to evade.(Citation: |
| | | ESET Grandoreiro April 2020) Adversaries typically abuse sy |
| | | stem features for this type of enumeration. For example, the |
| | | y may gather information through native system features such |
| | | as [Command and Scripting Interpreter](https://attack.mitre |
| | | .org/techniques/T1059) commands and [Native API](https://att |
| | | ack.mitre.org/techniques/T1106) functions. |
Dropped Mitigations:
- T1010: Application Window Discovery Mitigation
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-19 02:07:41.751000+00:00 | 2023-04-15 16:46:04.776000+00:00 |
| description | Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used or give context to information collected by a keylogger.(Citation: Prevailion DarkWatchman 2021) | Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.(Citation: Prevailion DarkWatchman 2021) For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ([Security Software Discovery](https://attack.mitre.org/techniques/T1518/001)) to evade.(Citation: ESET Grandoreiro April 2020)
Adversaries typically abuse system features for this type of enumeration. For example, they may gather information through native system features such as [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) commands and [Native API](https://attack.mitre.org/techniques/T1106) functions. |
| external_references[1]['source_name'] | Prevailion DarkWatchman 2021 | ESET Grandoreiro April 2020 |
| external_references[1]['description'] | Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022. | ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020. |
| external_references[1]['url'] | https://www.prevailion.com/darkwatchman-new-fileless-techniques/ | https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/ |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.2 | 1.3 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| external_references | | {'source_name': 'Prevailion DarkWatchman 2021', 'description': 'Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.', 'url': 'https://www.prevailion.com/darkwatchman-new-fileless-techniques/'} |
| x_mitre_data_sources | | Command: Command Execution |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | Command: Command Execution | |
[T1560.001] Archive Collected Data: Archive via Utility
Current version: 1.2
Version changed from: 1.1 → 1.2
|
|
|---|
| t | Adversaries may use utilities to compress and/or encrypt col | t | Adversaries may use utilities to compress and/or encrypt col |
| lected data prior to exfiltration. Many utilities include fu | | lected data prior to exfiltration. Many utilities include fu |
| nctionalities to compress, encrypt, or otherwise package dat | | nctionalities to compress, encrypt, or otherwise package dat |
| a into a format that is easier/more secure to transport. Ad | | a into a format that is easier/more secure to transport. Ad |
| versaries may abuse various utilities to compress or encrypt | | versaries may abuse various utilities to compress or encrypt |
| data before exfiltration. Some third party utilities may be | | data before exfiltration. Some third party utilities may be |
| preinstalled, such as <code>tar</code> on Linux and macOS o | | preinstalled, such as <code>tar</code> on Linux and macOS o |
| r <code>zip</code> on Windows systems. On Windows, <code>dia | | r <code>zip</code> on Windows systems. On Windows, <code>d |
| ntz</code> or <code> makecab</code> may be used to package c | | iantz</code> or <code> makecab</code> may be used to package |
| ollected files into a cabinet (.cab) file. <code>diantz</cod | | collected files into a cabinet (.cab) file. <code>diantz</c |
| e> may also be used to download and compress files from remo | | ode> may also be used to download and compress files from re |
| te locations (i.e. [Remote Data Staging](https://attack.mitr | | mote locations (i.e. [Remote Data Staging](https://attack.mi |
| e.org/techniques/T1074/002)).(Citation: diantz.exe_lolbas) A | | tre.org/techniques/T1074/002)).(Citation: diantz.exe_lolbas) |
| dditionally, <code>xcopy</code> on Windows can copy files an | | <code>xcopy</code> on Windows can copy files and directorie |
| d directories with a variety of options. Adversaries may us | | s with a variety of options. Additionally, adversaries may u |
| e also third party utilities, such as 7-Zip, WinRAR, and Win | | se [certutil](https://attack.mitre.org/software/S0160) to Ba |
| Zip, to perform similar activities.(Citation: 7zip Homepage) | | se64 encode collected data before exfiltration. Adversarie |
| (Citation: WinRAR Homepage)(Citation: WinZip Homepage) | | s may use also third party utilities, such as 7-Zip, WinRAR, |
| | | and WinZip, to perform similar activities.(Citation: 7zip H |
| | | omepage)(Citation: WinRAR Homepage)(Citation: WinZip Homepag |
| | | e) |
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-20 17:17:48.612000+00:00 | 2023-04-14 19:28:21.394000+00:00 |
| description | Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport.
Adversaries may abuse various utilities to compress or encrypt data before exfiltration. Some third party utilities may be preinstalled, such as tar on Linux and macOS or zip on Windows systems. On Windows, diantz or makecab may be used to package collected files into a cabinet (.cab) file. diantz may also be used to download and compress files from remote locations (i.e. [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002)).(Citation: diantz.exe_lolbas) Additionally, xcopy on Windows can copy files and directories with a variety of options.
Adversaries may use also third party utilities, such as 7-Zip, WinRAR, and WinZip, to perform similar activities.(Citation: 7zip Homepage)(Citation: WinRAR Homepage)(Citation: WinZip Homepage) | Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport.
Adversaries may abuse various utilities to compress or encrypt data before exfiltration. Some third party utilities may be preinstalled, such as tar on Linux and macOS or zip on Windows systems.
On Windows, diantz or makecab may be used to package collected files into a cabinet (.cab) file. diantz may also be used to download and compress files from remote locations (i.e. [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002)).(Citation: diantz.exe_lolbas) xcopy on Windows can copy files and directories with a variety of options. Additionally, adversaries may use [certutil](https://attack.mitre.org/software/S0160) to Base64 encode collected data before exfiltration.
Adversaries may use also third party utilities, such as 7-Zip, WinRAR, and WinZip, to perform similar activities.(Citation: 7zip Homepage)(Citation: WinRAR Homepage)(Citation: WinZip Homepage) |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_data_sources[0] | Command: Command Execution | File: File Creation |
| x_mitre_data_sources[2] | File: File Creation | Command: Command Execution |
| x_mitre_version | 1.1 | 1.2 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_contributors | | Mark Wee |
[T1197] BITS Jobs
Current version: 1.4
Version changed from: 1.3 → 1.4
Dropped Mitigations:
- T1197: BITS Jobs Mitigation
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-09-14 19:21:26.447000+00:00 | 2023-04-21 12:21:40.927000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.3 | 1.4 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | | Command: Command Execution |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | Command: Command Execution | |
[T1110] Brute Force
Current version: 2.5
Version changed from: 2.4 → 2.5
Dropped Mitigations:
- T1110: Brute Force Mitigation
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-19 21:28:49.481000+00:00 | 2023-04-14 23:03:34.362000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_data_sources[0] | User Account: User Account Authentication | Application Log: Application Log Content |
| x_mitre_data_sources[2] | Application Log: Application Log Content | User Account: User Account Authentication |
| x_mitre_version | 2.4 | 2.5 |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/49.html', 'external_id': 'CAPEC-49'} | |
[T1612] Build Image on Host
Current version: 1.3
Version changed from: 1.2 → 1.3
|
|
|---|
| t | Adversaries may build a container image directly on a host t | t | Adversaries may build a container image directly on a host t |
| o bypass defenses that monitor for the retrieval of maliciou | | o bypass defenses that monitor for the retrieval of maliciou |
| s images from a public registry. A remote <code>build</code> | | s images from a public registry. A remote <code>build</code> |
| request may be sent to the Docker API that includes a Docke | | request may be sent to the Docker API that includes a Docke |
| rfile that pulls a vanilla base image, such as alpine, from | | rfile that pulls a vanilla base image, such as alpine, from |
| a public or local registry and then builds a custom image up | | a public or local registry and then builds a custom image up |
| on it.(Citation: Docker Build Image) An adversary may take | | on it.(Citation: Docker Build Image) An adversary may take |
| advantage of that <code>build</code> API to build a custom i | | advantage of that <code>build</code> API to build a custom i |
| mage on the host that includes malware downloaded from their | | mage on the host that includes malware downloaded from their |
| C2 server, and then they then may utilize [Deploy Container | | C2 server, and then they may utilize [Deploy Container](htt |
| ](https://attack.mitre.org/techniques/T1610) using that cust | | ps://attack.mitre.org/techniques/T1610) using that custom im |
| om image.(Citation: Aqua Build Images on Hosts)(Citation: Aq | | age.(Citation: Aqua Build Images on Hosts)(Citation: Aqua Se |
| ua Security Cloud Native Threat Report June 2021) If the bas | | curity Cloud Native Threat Report June 2021) If the base ima |
| e image is pulled from a public registry, defenses will like | | ge is pulled from a public registry, defenses will likely no |
| ly not detect the image as malicious since it’s a vanilla im | | t detect the image as malicious since it’s a vanilla image. |
| age. If the base image already resides in a local registry, | | If the base image already resides in a local registry, the p |
| the pull may be considered even less suspicious since the im | | ull may be considered even less suspicious since the image i |
| age is already in the environment. | | s already in the environment. |
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_permissions_required | ['User', 'root'] | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-01 13:04:00.946000+00:00 | 2023-04-15 16:22:09.807000+00:00 |
| description | Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. A remote build request may be sent to the Docker API that includes a Dockerfile that pulls a vanilla base image, such as alpine, from a public or local registry and then builds a custom image upon it.(Citation: Docker Build Image)
An adversary may take advantage of that build API to build a custom image on the host that includes malware downloaded from their C2 server, and then they then may utilize [Deploy Container](https://attack.mitre.org/techniques/T1610) using that custom image.(Citation: Aqua Build Images on Hosts)(Citation: Aqua Security Cloud Native Threat Report June 2021) If the base image is pulled from a public registry, defenses will likely not detect the image as malicious since it’s a vanilla image. If the base image already resides in a local registry, the pull may be considered even less suspicious since the image is already in the environment. | Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. A remote build request may be sent to the Docker API that includes a Dockerfile that pulls a vanilla base image, such as alpine, from a public or local registry and then builds a custom image upon it.(Citation: Docker Build Image)
An adversary may take advantage of that build API to build a custom image on the host that includes malware downloaded from their C2 server, and then they may utilize [Deploy Container](https://attack.mitre.org/techniques/T1610) using that custom image.(Citation: Aqua Build Images on Hosts)(Citation: Aqua Security Cloud Native Threat Report June 2021) If the base image is pulled from a public registry, defenses will likely not detect the image as malicious since it’s a vanilla image. If the base image already resides in a local registry, the pull may be considered even less suspicious since the image is already in the environment. |
| external_references[1]['source_name'] | Docker Build Image | Aqua Build Images on Hosts |
| external_references[1]['description'] | Docker. ( null). Docker Engine API v1.41 Reference - Build an Image. Retrieved March 30, 2021. | Assaf Morag. (2020, July 15). Threat Alert: Attackers Building Malicious Images on Your Hosts. Retrieved March 29, 2021. |
| external_references[1]['url'] | https://docs.docker.com/engine/api/v1.41/#operation/ImageBuild | https://blog.aquasec.com/malicious-container-image-docker-container-host |
| external_references[2]['source_name'] | Aqua Build Images on Hosts | Docker Build Image |
| external_references[2]['description'] | Assaf Morag. (2020, July 15). Threat Alert: Attackers Building Malicious Images on Your Hosts. Retrieved March 29, 2021. | Docker. ( null). Docker Engine API v1.41 Reference - Build an Image. Retrieved March 30, 2021. |
| external_references[2]['url'] | https://blog.aquasec.com/malicious-container-image-docker-container-host | https://docs.docker.com/engine/api/v1.41/#operation/ImageBuild |
| x_mitre_data_sources[0] | Network Traffic: Network Traffic Content | Network Traffic: Network Connection Creation |
| x_mitre_data_sources[1] | Image: Image Creation | Network Traffic: Network Traffic Flow |
| x_mitre_data_sources[2] | Network Traffic: Network Traffic Flow | Image: Image Creation |
| x_mitre_data_sources[3] | Network Traffic: Network Connection Creation | Network Traffic: Network Traffic Content |
| x_mitre_version | 1.2 | 1.3 |
[T1548.002] Abuse Elevation Control Mechanism: Bypass User Account Control
Current version: 2.1
Version changed from: 2.0 → 2.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-19 15:11:20.036000+00:00 | 2023-04-21 12:35:39.112000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 2.0 | 2.1 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | | Command: Command Execution |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | Command: Command Execution | |
[T1218.003] System Binary Proxy Execution: CMSTP
Current version: 2.1
Version changed from: 2.0 → 2.1
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_permissions_required | ['User'] | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-03-11 18:38:36.109000+00:00 | 2023-04-21 12:24:13.666000+00:00 |
| external_references[1]['source_name'] | Microsoft Connection Manager Oct 2009 | Twitter CMSTP Usage Jan 2018 |
| external_references[1]['description'] | Microsoft. (2009, October 8). How Connection Manager Works. Retrieved April 11, 2018. | Carr, N. (2018, January 31). Here is some early bad cmstp.exe... Retrieved April 11, 2018. |
| external_references[1]['url'] | https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2003/cc786431(v=ws.10) | https://twitter.com/ItsReallyNick/status/958789644165894146 |
| external_references[2]['source_name'] | Twitter CMSTP Usage Jan 2018 | Microsoft Connection Manager Oct 2009 |
| external_references[2]['description'] | Carr, N. (2018, January 31). Here is some early bad cmstp.exe... Retrieved April 11, 2018. | Microsoft. (2009, October 8). How Connection Manager Works. Retrieved April 11, 2018. |
| external_references[2]['url'] | https://twitter.com/ItsReallyNick/status/958789644165894146 | https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2003/cc786431(v=ws.10) |
| external_references[4]['source_name'] | Twitter CMSTP Jan 2018 | GitHub Ultimate AppLocker Bypass List |
| external_references[4]['description'] | Tyrer, N. (2018, January 30). CMSTP.exe - remote .sct execution applocker bypass. Retrieved April 11, 2018. | Moe, O. (2018, March 1). Ultimate AppLocker Bypass List. Retrieved April 10, 2018. |
| external_references[4]['url'] | https://twitter.com/NickTyrer/status/958450014111633408 | https://github.com/api0cradle/UltimateAppLockerByPassList |
| external_references[5]['source_name'] | GitHub Ultimate AppLocker Bypass List | Endurant CMSTP July 2018 |
| external_references[5]['description'] | Moe, O. (2018, March 1). Ultimate AppLocker Bypass List. Retrieved April 10, 2018. | Seetharaman, N. (2018, July 7). Detecting CMSTP-Enabled Code Execution and UAC Bypass With Sysmon.. Retrieved August 6, 2018. |
| external_references[5]['url'] | https://github.com/api0cradle/UltimateAppLockerByPassList | http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/ |
| external_references[6]['source_name'] | Endurant CMSTP July 2018 | Twitter CMSTP Jan 2018 |
| external_references[6]['description'] | Seetharaman, N. (2018, July 7). Detecting CMSTP-Enabled Code Execution and UAC Bypass With Sysmon.. Retrieved August 6, 2018. | Tyrer, N. (2018, January 30). CMSTP.exe - remote .sct execution applocker bypass. Retrieved April 11, 2018. |
| external_references[6]['url'] | http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/ | https://twitter.com/NickTyrer/status/958450014111633408 |
| x_mitre_version | 2.0 | 2.1 |
[T1070.003] Indicator Removal: Clear Command History
Current version: 1.4
Version changed from: 1.3 → 1.4
Dropped Mitigations:
- T1146: Clear Command History Mitigation
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-09-01 21:58:56.496000+00:00 | 2023-04-07 17:20:44.770000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_data_sources[0] | File: File Modification | User Account: User Account Authentication |
| x_mitre_data_sources[1] | File: File Deletion | Command: Command Execution |
| x_mitre_data_sources[2] | User Account: User Account Authentication | File: File Deletion |
| x_mitre_data_sources[3] | Command: Command Execution | File: File Modification |
| x_mitre_version | 1.3 | 1.4 |
[T1070.008] Indicator Removal: Clear Mailbox Data
Current version: 1.1
Version changed from: 1.0 → 1.1
|
|
|---|
| t | Adversaries may modify mail application data to remove evide | t | Adversaries may modify mail and mail application data to rem |
| nce of their activity. Email applications allow users and ot | | ove evidence of their activity. Email applications allow use |
| her programs to export and delete mailbox data via command l | | rs and other programs to export and delete mailbox data via |
| ine tools or use of APIs. Mail application data can be email | | command line tools or use of APIs. Mail application data can |
| s or logs generated by the application or operating system, | | be emails, email metadata, or logs generated by the applica |
| such as export requests. Adversaries may manipulate email | | tion or operating system, such as export requests. Adversa |
| mailbox data to remove logs and artifacts, such as evidence | | ries may manipulate emails and mailbox data to remove logs, |
| of [Phishing](https://attack.mitre.org/techniques/T1566)/[In | | artifacts, and metadata, such as evidence of [Phishing](http |
| ternal Spearphishing](https://attack.mitre.org/techniques/T1 | | s://attack.mitre.org/techniques/T1566)/[Internal Spearphishi |
| 534), [Email Collection](https://attack.mitre.org/techniques | | ng](https://attack.mitre.org/techniques/T1534), [Email Colle |
| /T1114), [Mail Protocols](https://attack.mitre.org/technique | | ction](https://attack.mitre.org/techniques/T1114), [Mail Pro |
| s/T1071/003) for command and control, or email-based exfiltr | | tocols](https://attack.mitre.org/techniques/T1071/003) for c |
| ation such as [Exfiltration Over Alternative Protocol](https | | ommand and control, or email-based exfiltration such as [Exf |
| ://attack.mitre.org/techniques/T1048). For example, to remov | | iltration Over Alternative Protocol](https://attack.mitre.or |
| e evidence on Exchange servers adversaries have used the <co | | g/techniques/T1048). For example, to remove evidence on Exch |
| de>ExchangePowerShell</code> [PowerShell](https://attack.mit | | ange servers adversaries have used the <code>ExchangePowerSh |
| re.org/techniques/T1059/001) module, including <code>Remove- | | ell</code> [PowerShell](https://attack.mitre.org/techniques/ |
| MailboxExportRequest</code> to remove evidence of mailbox ex | | T1059/001) module, including <code>Remove-MailboxExportReque |
| ports.(Citation: Volexity SolarWinds)(Citation: ExchangePowe | | st</code> to remove evidence of mailbox exports.(Citation: V |
| rShell Module) On Linux and macOS, adversaries may also dele | | olexity SolarWinds)(Citation: ExchangePowerShell Module) On |
| te emails through a command line utility called <code>mail</ | | Linux and macOS, adversaries may also delete emails through |
| code> or use [AppleScript](https://attack.mitre.org/techniq | | a command line utility called <code>mail</code> or use [App |
| ues/T1059/002) to interact with APIs on macOS.(Citation: Cyb | | leScript](https://attack.mitre.org/techniques/T1059/002) to |
| ereason Cobalt Kitty 2017)(Citation: mailx man page) | | interact with APIs on macOS.(Citation: Cybereason Cobalt Kit |
| | | ty 2017)(Citation: mailx man page) Adversaries may also rem |
| | | ove emails and metadata/headers indicative of spam or suspic |
| | | ious activity (for example, through the use of organization- |
| | | wide transport rules) to reduce the likelihood of malicious |
| | | emails being detected by security products.(Citation: Micros |
| | | oft OAuth Spam 2022) |
New Mitigations:
New Detections:
- DS0015: Application Log (Application Log Content)
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_contributors | | ['Liran Ravich, CardinalOps'] |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-17 17:41:43.552000+00:00 | 2023-04-12 20:56:32.743000+00:00 |
| description | Adversaries may modify mail application data to remove evidence of their activity. Email applications allow users and other programs to export and delete mailbox data via command line tools or use of APIs. Mail application data can be emails or logs generated by the application or operating system, such as export requests.
Adversaries may manipulate email mailbox data to remove logs and artifacts, such as evidence of [Phishing](https://attack.mitre.org/techniques/T1566)/[Internal Spearphishing](https://attack.mitre.org/techniques/T1534), [Email Collection](https://attack.mitre.org/techniques/T1114), [Mail Protocols](https://attack.mitre.org/techniques/T1071/003) for command and control, or email-based exfiltration such as [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048). For example, to remove evidence on Exchange servers adversaries have used the ExchangePowerShell [PowerShell](https://attack.mitre.org/techniques/T1059/001) module, including Remove-MailboxExportRequest to remove evidence of mailbox exports.(Citation: Volexity SolarWinds)(Citation: ExchangePowerShell Module) On Linux and macOS, adversaries may also delete emails through a command line utility called mail or use [AppleScript](https://attack.mitre.org/techniques/T1059/002) to interact with APIs on macOS.(Citation: Cybereason Cobalt Kitty 2017)(Citation: mailx man page) | Adversaries may modify mail and mail application data to remove evidence of their activity. Email applications allow users and other programs to export and delete mailbox data via command line tools or use of APIs. Mail application data can be emails, email metadata, or logs generated by the application or operating system, such as export requests.
Adversaries may manipulate emails and mailbox data to remove logs, artifacts, and metadata, such as evidence of [Phishing](https://attack.mitre.org/techniques/T1566)/[Internal Spearphishing](https://attack.mitre.org/techniques/T1534), [Email Collection](https://attack.mitre.org/techniques/T1114), [Mail Protocols](https://attack.mitre.org/techniques/T1071/003) for command and control, or email-based exfiltration such as [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048). For example, to remove evidence on Exchange servers adversaries have used the ExchangePowerShell [PowerShell](https://attack.mitre.org/techniques/T1059/001) module, including Remove-MailboxExportRequest to remove evidence of mailbox exports.(Citation: Volexity SolarWinds)(Citation: ExchangePowerShell Module) On Linux and macOS, adversaries may also delete emails through a command line utility called mail or use [AppleScript](https://attack.mitre.org/techniques/T1059/002) to interact with APIs on macOS.(Citation: Cybereason Cobalt Kitty 2017)(Citation: mailx man page)
Adversaries may also remove emails and metadata/headers indicative of spam or suspicious activity (for example, through the use of organization-wide transport rules) to reduce the likelihood of malicious emails being detected by security products.(Citation: Microsoft OAuth Spam 2022) |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| external_references | | {'source_name': 'Microsoft OAuth Spam 2022', 'description': 'Microsoft. (2023, September 22). Malicious OAuth applications abuse cloud email services to spread spam. Retrieved March 13, 2023.', 'url': 'https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/'} |
| x_mitre_data_sources | | Process: Process Creation |
| x_mitre_data_sources | | Application Log: Application Log Content |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | Process: Process Creation | |
[T1070.009] Indicator Removal: Clear Persistence
Current version: 1.1
Version changed from: 1.0 → 1.1
|
|
|---|
| t | Adversaries may clear artifacts associated with previously e | t | Adversaries may clear artifacts associated with previously e |
| stablished persistence on a host system to remove evidence o | | stablished persistence on a host system to remove evidence o |
| f their activity. This may involve various actions, such as | | f their activity. This may involve various actions, such as |
| removing services, deleting executables, [Modify Registry](h | | removing services, deleting executables, [Modify Registry](h |
| ttps://attack.mitre.org/techniques/T1112), [Plist File Modif | | ttps://attack.mitre.org/techniques/T1112), [Plist File Modif |
| ication](https://attack.mitre.org/techniques/T1647), or othe | | ication](https://attack.mitre.org/techniques/T1647), or othe |
| r methods of cleanup to prevent defenders from collecting ev | | r methods of cleanup to prevent defenders from collecting ev |
| idence of their persistent presence.(Citation: Cylance Dust | | idence of their persistent presence.(Citation: Cylance Dust |
| Storm) In some instances, artifacts of persistence may also | | Storm) Adversaries may also delete accounts previously creat |
| be removed once an adversary’s persistence is executed in o | | ed to maintain persistence (i.e. [Create Account](https://at |
| rder to prevent errors with the new instance of the malware. | | tack.mitre.org/techniques/T1136)).(Citation: Talos - Cisco A |
| (Citation: NCC Group Team9 June 2020) | | ttack 2022) In some instances, artifacts of persistence may |
| | | also be removed once an adversary’s persistence is executed |
| | | in order to prevent errors with the new instance of the mal |
| | | ware.(Citation: NCC Group Team9 June 2020) |
New Detections:
- DS0002: User Account (User Account Deletion)
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_contributors | | ['Gavin Knapp'] |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-18 23:40:32.055000+00:00 | 2023-04-11 22:30:01.227000+00:00 |
| description | Adversaries may clear artifacts associated with previously established persistence on a host system to remove evidence of their activity. This may involve various actions, such as removing services, deleting executables, [Modify Registry](https://attack.mitre.org/techniques/T1112), [Plist File Modification](https://attack.mitre.org/techniques/T1647), or other methods of cleanup to prevent defenders from collecting evidence of their persistent presence.(Citation: Cylance Dust Storm)
In some instances, artifacts of persistence may also be removed once an adversary’s persistence is executed in order to prevent errors with the new instance of the malware.(Citation: NCC Group Team9 June 2020) | Adversaries may clear artifacts associated with previously established persistence on a host system to remove evidence of their activity. This may involve various actions, such as removing services, deleting executables, [Modify Registry](https://attack.mitre.org/techniques/T1112), [Plist File Modification](https://attack.mitre.org/techniques/T1647), or other methods of cleanup to prevent defenders from collecting evidence of their persistent presence.(Citation: Cylance Dust Storm) Adversaries may also delete accounts previously created to maintain persistence (i.e. [Create Account](https://attack.mitre.org/techniques/T1136)).(Citation: Talos - Cisco Attack 2022)
In some instances, artifacts of persistence may also be removed once an adversary’s persistence is executed in order to prevent errors with the new instance of the malware.(Citation: NCC Group Team9 June 2020) |
| external_references[2]['source_name'] | NCC Group Team9 June 2020 | Talos - Cisco Attack 2022 |
| external_references[2]['description'] | Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020. | Nick Biasini. (2022, August 10). Cisco Talos shares insights related to recent cyber attack on Cisco. Retrieved March 9, 2023. |
| external_references[2]['url'] | https://research.nccgroup.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/ | https://blog.talosintelligence.com/recent-cyber-attack/ |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_data_sources[7] | Windows Registry: Windows Registry Key Deletion | User Account: User Account Deletion |
| x_mitre_version | 1.0 | 1.1 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| external_references | | {'source_name': 'NCC Group Team9 June 2020', 'description': 'Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020.', 'url': 'https://research.nccgroup.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/'} |
| x_mitre_data_sources | | Command: Command Execution |
| x_mitre_data_sources | | Windows Registry: Windows Registry Key Deletion |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | Command: Command Execution | |
[T1070.001] Indicator Removal: Clear Windows Event Logs
Current version: 1.2
Version changed from: 1.1 → 1.2
|
|
|---|
| t | Adversaries may clear Windows Event Logs to hide the activit | t | Adversaries may clear Windows Event Logs to hide the activit |
| y of an intrusion. Windows Event Logs are a record of a comp | | y of an intrusion. Windows Event Logs are a record of a comp |
| uter's alerts and notifications. There are three system-defi | | uter's alerts and notifications. There are three system-defi |
| ned sources of events: System, Application, and Security, wi | | ned sources of events: System, Application, and Security, wi |
| th five event types: Error, Warning, Information, Success Au | | th five event types: Error, Warning, Information, Success Au |
| dit, and Failure Audit. The event logs can be cleared with | | dit, and Failure Audit. The event logs can be cleared with |
| the following utility commands: * <code>wevtutil cl system< | | the following utility commands: * <code>wevtutil cl system< |
| /code> * <code>wevtutil cl application</code> * <code>wevtut | | /code> * <code>wevtutil cl application</code> * <code>wevtut |
| il cl security</code> These logs may also be cleared throug | | il cl security</code> These logs may also be cleared throug |
| h other mechanisms, such as the event viewer GUI or [PowerSh | | h other mechanisms, such as the event viewer GUI or [PowerSh |
| ell](https://attack.mitre.org/techniques/T1059/001). | | ell](https://attack.mitre.org/techniques/T1059/001). For exa |
| | | mple, adversaries may use the PowerShell command <code>Remov |
| | | e-EventLog -LogName Security</code> to delete the Security E |
| | | ventLog and after reboot, disable future logging. Note: even |
| | | ts may still be generated and logged in the .evtx file betwe |
| | | en the time the command is run and the reboot.(Citation: dis |
| | | able_win_evt_logging) |
Dropped Mitigations:
- T1070: Indicator Removal on Host Mitigation
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_contributors | | ['Lucas Heiligenstein'] |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-20 13:02:07.168000+00:00 | 2023-04-12 15:32:03.205000+00:00 |
| description | Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.
The event logs can be cleared with the following utility commands:
* wevtutil cl system
* wevtutil cl application
* wevtutil cl security
These logs may also be cleared through other mechanisms, such as the event viewer GUI or [PowerShell](https://attack.mitre.org/techniques/T1059/001). | Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.
The event logs can be cleared with the following utility commands:
* wevtutil cl system
* wevtutil cl application
* wevtutil cl security
These logs may also be cleared through other mechanisms, such as the event viewer GUI or [PowerShell](https://attack.mitre.org/techniques/T1059/001). For example, adversaries may use the PowerShell command Remove-EventLog -LogName Security to delete the Security EventLog and after reboot, disable future logging. Note: events may still be generated and logged in the .evtx file between the time the command is run and the reboot.(Citation: disable_win_evt_logging) |
| external_references[1]['source_name'] | Microsoft Clear-EventLog | disable_win_evt_logging |
| external_references[1]['description'] | Microsoft. (n.d.). Clear-EventLog. Retrieved July 2, 2018. | Heiligenstein, L. (n.d.). REP-25: Disable Windows Event Logging. Retrieved April 7, 2022. |
| external_references[1]['url'] | https://docs.microsoft.com/powershell/module/microsoft.powershell.management/clear-eventlog | https://ptylu.github.io/content/report/report.html?report=25 |
| external_references[2]['source_name'] | Microsoft EventLog.Clear | Microsoft Clear-EventLog |
| external_references[2]['description'] | Microsoft. (n.d.). EventLog.Clear Method (). Retrieved July 2, 2018. | Microsoft. (n.d.). Clear-EventLog. Retrieved July 2, 2018. |
| external_references[2]['url'] | https://msdn.microsoft.com/library/system.diagnostics.eventlog.clear.aspx | https://docs.microsoft.com/powershell/module/microsoft.powershell.management/clear-eventlog |
| external_references[3]['source_name'] | Microsoft wevtutil Oct 2017 | Microsoft EventLog.Clear |
| external_references[3]['description'] | Plett, C. et al.. (2017, October 16). wevtutil. Retrieved July 2, 2018. | Microsoft. (n.d.). EventLog.Clear Method (). Retrieved July 2, 2018. |
| external_references[3]['url'] | https://docs.microsoft.com/windows-server/administration/windows-commands/wevtutil | https://msdn.microsoft.com/library/system.diagnostics.eventlog.clear.aspx |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_data_sources[0] | Process: OS API Execution | Command: Command Execution |
| x_mitre_data_sources[2] | Command: Command Execution | Process: OS API Execution |
| x_mitre_version | 1.1 | 1.2 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| external_references | | {'source_name': 'Microsoft wevtutil Oct 2017', 'description': 'Plett, C. et al.. (2017, October 16). wevtutil. Retrieved July 2, 2018.', 'url': 'https://docs.microsoft.com/windows-server/administration/windows-commands/wevtutil'} |
[T1115] Clipboard Data
Current version: 1.2
Version changed from: 1.1 → 1.2
|
|
|---|
| t | Adversaries may collect data stored in the clipboard from us | t | Adversaries may collect data stored in the clipboard from us |
| ers copying information within or between applications. In | | ers copying information within or between applications. Fo |
| Windows, Applications can access clipboard data by using th | | r example, on Windows adversaries can access clipboard data |
| e Windows API.(Citation: MSDN Clipboard) OSX provides a nati | | by using <code>clip.exe</code> or <code>Get-Clipboard</code> |
| ve command, <code>pbpaste</code>, to grab clipboard contents | | .(Citation: MSDN Clipboard)(Citation: clip_win_server)(Citat |
| .(Citation: Operating with EmPyre) | | ion: CISA_AA21_200B) Additionally, adversaries may monitor t |
| | | hen replace users’ clipboard with their data (e.g., [Transmi |
| | | tted Data Manipulation](https://attack.mitre.org/techniques/ |
| | | T1565/002)).(Citation: mining_ruby_reversinglabs) macOS and |
| | | Linux also have commands, such as <code>pbpaste</code>, to |
| | | grab clipboard contents.(Citation: Operating with EmPyre) |
Dropped Mitigations:
- T1115: Clipboard Data Mitigation
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
| external_references | | CISA. (2021, August 20). Alert (AA21-200B) Chinese State-Sponsored Cyber Operations: Observed TTPs. Retrieved June 21, 2022. |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | CAPEC-637 | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2020-04-23 18:35:58.230000+00:00 | 2023-04-14 21:51:47.277000+00:00 |
| description | Adversaries may collect data stored in the clipboard from users copying information within or between applications.
In Windows, Applications can access clipboard data by using the Windows API.(Citation: MSDN Clipboard) OSX provides a native command, pbpaste, to grab clipboard contents.(Citation: Operating with EmPyre) | Adversaries may collect data stored in the clipboard from users copying information within or between applications.
For example, on Windows adversaries can access clipboard data by using clip.exe or Get-Clipboard.(Citation: MSDN Clipboard)(Citation: clip_win_server)(Citation: CISA_AA21_200B) Additionally, adversaries may monitor then replace users’ clipboard with their data (e.g., [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002)).(Citation: mining_ruby_reversinglabs)
macOS and Linux also have commands, such as pbpaste, to grab clipboard contents.(Citation: Operating with EmPyre) |
| external_references[1]['source_name'] | capec | CISA_AA21_200B |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/637.html | https://www.cisa.gov/uscert/ncas/alerts/aa21-200b |
| external_references[2]['source_name'] | MSDN Clipboard | mining_ruby_reversinglabs |
| external_references[2]['description'] | Microsoft. (n.d.). About the Clipboard. Retrieved March 29, 2016. | Maljic, T. (2020, April 16). Mining for malicious Ruby gems. Retrieved October 15, 2022. |
| external_references[2]['url'] | https://msdn.microsoft.com/en-us/library/ms649012 | https://blog.reversinglabs.com/blog/mining-for-malicious-ruby-gems |
| external_references[3]['source_name'] | Operating with EmPyre | clip_win_server |
| external_references[3]['description'] | rvrsh3ll. (2016, May 18). Operating with EmPyre. Retrieved July 12, 2017. | Microsoft, JasonGerend, et al. (2023, February 3). clip. Retrieved June 21, 2022. |
| external_references[3]['url'] | https://medium.com/rvrsh3ll/operating-with-empyre-ea764eda3363 | https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/clip |
| x_mitre_version | 1.1 | 1.2 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| external_references | | {'source_name': 'MSDN Clipboard', 'description': 'Microsoft. (n.d.). About the Clipboard. Retrieved March 29, 2016.', 'url': 'https://msdn.microsoft.com/en-us/library/ms649012'} |
| external_references | | {'source_name': 'Operating with EmPyre', 'description': 'rvrsh3ll. (2016, May 18). Operating with EmPyre. Retrieved July 12, 2017.', 'url': 'https://medium.com/rvrsh3ll/operating-with-empyre-ea764eda3363'} |
[T1136.003] Create Account: Cloud Account
Current version: 1.3
Version changed from: 1.2 → 1.3
|
|
|---|
| t | Adversaries may create a cloud account to maintain access to | t | Adversaries may create a cloud account to maintain access to |
| victim systems. With a sufficient level of access, such acc | | victim systems. With a sufficient level of access, such acc |
| ounts may be used to establish secondary credentialed access | | ounts may be used to establish secondary credentialed access |
| that does not require persistent remote access tools to be | | that does not require persistent remote access tools to be |
| deployed on the system.(Citation: Microsoft O365 Admin Roles | | deployed on the system.(Citation: Microsoft O365 Admin Roles |
| )(Citation: Microsoft Support O365 Add Another Admin, Octobe | | )(Citation: Microsoft Support O365 Add Another Admin, Octobe |
| r 2019)(Citation: AWS Create IAM User)(Citation: GCP Create | | r 2019)(Citation: AWS Create IAM User)(Citation: GCP Create |
| Cloud Identity Users)(Citation: Microsoft Azure AD Users) A | | Cloud Identity Users)(Citation: Microsoft Azure AD Users) A |
| dversaries may create accounts that only have access to spec | | dversaries may create accounts that only have access to spec |
| ific cloud services, which can reduce the chance of detectio | | ific cloud services, which can reduce the chance of detectio |
| n. | | n. Once an adversary has created a cloud account, they can |
| | | then manipulate that account to ensure persistence and allow |
| | | access to additional resources - for example, by adding [Ad |
| | | ditional Cloud Credentials](https://attack.mitre.org/techniq |
| | | ues/T1098/001) or assigning [Additional Cloud Roles](https:/ |
| | | /attack.mitre.org/techniques/T1098/003). |
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-07 13:09:30.819000+00:00 | 2023-03-06 21:24:56.669000+00:00 |
| description | Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.(Citation: Microsoft O365 Admin Roles)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: AWS Create IAM User)(Citation: GCP Create Cloud Identity Users)(Citation: Microsoft Azure AD Users)
Adversaries may create accounts that only have access to specific cloud services, which can reduce the chance of detection. | Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.(Citation: Microsoft O365 Admin Roles)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: AWS Create IAM User)(Citation: GCP Create Cloud Identity Users)(Citation: Microsoft Azure AD Users)
Adversaries may create accounts that only have access to specific cloud services, which can reduce the chance of detection.
Once an adversary has created a cloud account, they can then manipulate that account to ensure persistence and allow access to additional resources - for example, by adding [Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) or assigning [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003). |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.2 | 1.3 |
[T1078.004] Valid Accounts: Cloud Accounts
Current version: 1.5
Version changed from: 1.4 → 1.5
|
|
|---|
| t | Adversaries may obtain and abuse credentials of a cloud acco | t | Adversaries may obtain and abuse credentials of a cloud acco |
| unt as a means of gaining Initial Access, Persistence, Privi | | unt as a means of gaining Initial Access, Persistence, Privi |
| lege Escalation, or Defense Evasion. Cloud accounts are thos | | lege Escalation, or Defense Evasion. Cloud accounts are thos |
| e created and configured by an organization for use by users | | e created and configured by an organization for use by users |
| , remote support, services, or for administration of resourc | | , remote support, services, or for administration of resourc |
| es within a cloud service provider or SaaS application. In s | | es within a cloud service provider or SaaS application. In s |
| ome cases, cloud accounts may be federated with traditional | | ome cases, cloud accounts may be federated with traditional |
| identity management system, such as Window Active Directory. | | identity management systems, such as Windows Active Director |
| (Citation: AWS Identity Federation)(Citation: Google Federat | | y.(Citation: AWS Identity Federation)(Citation: Google Feder |
| ing GC)(Citation: Microsoft Deploying AD Federation) Compro | | ating GC)(Citation: Microsoft Deploying AD Federation) Comp |
| mised credentials for cloud accounts can be used to harvest | | romised credentials for cloud accounts can be used to harves |
| sensitive data from online storage accounts and databases. A | | t sensitive data from online storage accounts and databases. |
| ccess to cloud accounts can also be abused to gain Initial A | | Access to cloud accounts can also be abused to gain Initial |
| ccess to a network by abusing a [Trusted Relationship](https | | Access to a network by abusing a [Trusted Relationship](htt |
| ://attack.mitre.org/techniques/T1199). Similar to [Domain Ac | | ps://attack.mitre.org/techniques/T1199). Similar to [Domain |
| counts](https://attack.mitre.org/techniques/T1078/002), comp | | Accounts](https://attack.mitre.org/techniques/T1078/002), co |
| romise of federated cloud accounts may allow adversaries to | | mpromise of federated cloud accounts may allow adversaries t |
| more easily move laterally within an environment. Once a cl | | o more easily move laterally within an environment. Once a |
| oud account is compromised, an adversary may perform [Accoun | | cloud account is compromised, an adversary may perform [Acco |
| t Manipulation](https://attack.mitre.org/techniques/T1098) - | | unt Manipulation](https://attack.mitre.org/techniques/T1098) |
| for example, by adding [Additional Cloud Roles](https://att | | - for example, by adding [Additional Cloud Roles](https://a |
| ack.mitre.org/techniques/T1098/003) - to maintain persistenc | | ttack.mitre.org/techniques/T1098/003) - to maintain persiste |
| e and potentially escalate their privileges. | | nce and potentially escalate their privileges. |
New Mitigations:
- M1015: Active Directory Configuration
- M1036: Account Use Policies
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-19 20:23:33.894000+00:00 | 2023-03-21 13:17:14.441000+00:00 |
| description | Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management system, such as Window Active Directory.(Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation)
Compromised credentials for cloud accounts can be used to harvest sensitive data from online storage accounts and databases. Access to cloud accounts can also be abused to gain Initial Access to a network by abusing a [Trusted Relationship](https://attack.mitre.org/techniques/T1199). Similar to [Domain Accounts](https://attack.mitre.org/techniques/T1078/002), compromise of federated cloud accounts may allow adversaries to more easily move laterally within an environment.
Once a cloud account is compromised, an adversary may perform [Account Manipulation](https://attack.mitre.org/techniques/T1098) - for example, by adding [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003) - to maintain persistence and potentially escalate their privileges. | Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management systems, such as Windows Active Directory.(Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation)
Compromised credentials for cloud accounts can be used to harvest sensitive data from online storage accounts and databases. Access to cloud accounts can also be abused to gain Initial Access to a network by abusing a [Trusted Relationship](https://attack.mitre.org/techniques/T1199). Similar to [Domain Accounts](https://attack.mitre.org/techniques/T1078/002), compromise of federated cloud accounts may allow adversaries to more easily move laterally within an environment.
Once a cloud account is compromised, an adversary may perform [Account Manipulation](https://attack.mitre.org/techniques/T1098) - for example, by adding [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003) - to maintain persistence and potentially escalate their privileges. |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_data_sources[1] | User Account: User Account Authentication | Logon Session: Logon Session Creation |
| x_mitre_data_sources[2] | Logon Session: Logon Session Creation | User Account: User Account Authentication |
| x_mitre_version | 1.4 | 1.5 |
[T1069.003] Permission Groups Discovery: Cloud Groups
Current version: 1.4
Version changed from: 1.3 → 1.4
|
|
|---|
| t | Adversaries may attempt to find cloud groups and permission | t | Adversaries may attempt to find cloud groups and permission |
| settings. The knowledge of cloud permission groups can help | | settings. The knowledge of cloud permission groups can help |
| adversaries determine the particular roles of users and grou | | adversaries determine the particular roles of users and grou |
| ps within an environment, as well as which users are associa | | ps within an environment, as well as which users are associa |
| ted with a particular group. With authenticated access ther | | ted with a particular group. With authenticated access ther |
| e are several tools that can be used to find permissions gro | | e are several tools that can be used to find permissions gro |
| ups. The <code>Get-MsolRole</code> PowerShell cmdlet can be | | ups. The <code>Get-MsolRole</code> PowerShell cmdlet can be |
| used to obtain roles and permissions groups for Exchange and | | used to obtain roles and permissions groups for Exchange and |
| Office 365 accounts (Citation: Microsoft Msolrole)(Citation | | Office 365 accounts (Citation: Microsoft Msolrole)(Citation |
| : GitHub Raindance). Azure CLI (AZ CLI) and the Google Clou | | : GitHub Raindance). Azure CLI (AZ CLI) and the Google Clou |
| d Identity Provider API also provide interfaces to obtain pe | | d Identity Provider API also provide interfaces to obtain pe |
| rmissions groups. The command <code>az ad user get-member-gr | | rmissions groups. The command <code>az ad user get-member-gr |
| oups</code> will list groups associated to a user account fo | | oups</code> will list groups associated to a user account fo |
| r Azure while the API endpoint <code>GET https://cloudidenti | | r Azure while the API endpoint <code>GET https://cloudidenti |
| ty.googleapis.com/v1/groups</code> lists group resources ava | | ty.googleapis.com/v1/groups</code> lists group resources ava |
| ilable to a user for Google.(Citation: Microsoft AZ CLI)(Cit | | ilable to a user for Google.(Citation: Microsoft AZ CLI)(Cit |
| ation: Black Hills Red Teaming MS AD Azure, 2018)(Citation: | | ation: Black Hills Red Teaming MS AD Azure, 2018)(Citation: |
| Google Cloud Identity API Documentation) Adversaries may at | | Google Cloud Identity API Documentation) In AWS, the command |
| tempt to list ACLs for objects to determine the owner and ot | | s `ListRolePolicies` and `ListAttachedRolePolicies` allow us |
| her accounts with access to the object, for example, via the | | ers to enumerate the policies attached to a role.(Citation: |
| AWS <code>GetBucketAcl</code> API (Citation: AWS Get Bucket | | Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022 |
| ACL). Using this information an adversary can target accoun | | ) Adversaries may attempt to list ACLs for objects to deter |
| ts with permissions to a given object or leverage accounts t | | mine the owner and other accounts with access to the object, |
| hey have already compromised to access the object. | | for example, via the AWS <code>GetBucketAcl</code> API (Cit |
| | | ation: AWS Get Bucket ACL). Using this information an advers |
| | | ary can target accounts with permissions to a given object o |
| | | r leverage accounts they have already compromised to access |
| | | the object. |
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-19 02:44:58.838000+00:00 | 2023-03-21 13:33:40.625000+00:00 |
| description | Adversaries may attempt to find cloud groups and permission settings. The knowledge of cloud permission groups can help adversaries determine the particular roles of users and groups within an environment, as well as which users are associated with a particular group.
With authenticated access there are several tools that can be used to find permissions groups. The Get-MsolRole PowerShell cmdlet can be used to obtain roles and permissions groups for Exchange and Office 365 accounts (Citation: Microsoft Msolrole)(Citation: GitHub Raindance).
Azure CLI (AZ CLI) and the Google Cloud Identity Provider API also provide interfaces to obtain permissions groups. The command az ad user get-member-groups will list groups associated to a user account for Azure while the API endpoint GET https://cloudidentity.googleapis.com/v1/groups lists group resources available to a user for Google.(Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018)(Citation: Google Cloud Identity API Documentation)
Adversaries may attempt to list ACLs for objects to determine the owner and other accounts with access to the object, for example, via the AWS GetBucketAcl API (Citation: AWS Get Bucket ACL). Using this information an adversary can target accounts with permissions to a given object or leverage accounts they have already compromised to access the object. | Adversaries may attempt to find cloud groups and permission settings. The knowledge of cloud permission groups can help adversaries determine the particular roles of users and groups within an environment, as well as which users are associated with a particular group.
With authenticated access there are several tools that can be used to find permissions groups. The Get-MsolRole PowerShell cmdlet can be used to obtain roles and permissions groups for Exchange and Office 365 accounts (Citation: Microsoft Msolrole)(Citation: GitHub Raindance).
Azure CLI (AZ CLI) and the Google Cloud Identity Provider API also provide interfaces to obtain permissions groups. The command az ad user get-member-groups will list groups associated to a user account for Azure while the API endpoint GET https://cloudidentity.googleapis.com/v1/groups lists group resources available to a user for Google.(Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018)(Citation: Google Cloud Identity API Documentation) In AWS, the commands `ListRolePolicies` and `ListAttachedRolePolicies` allow users to enumerate the policies attached to a role.(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022)
Adversaries may attempt to list ACLs for objects to determine the owner and other accounts with access to the object, for example, via the AWS GetBucketAcl API (Citation: AWS Get Bucket ACL). Using this information an adversary can target accounts with permissions to a given object or leverage accounts they have already compromised to access the object. |
| external_references[2]['source_name'] | Black Hills Red Teaming MS AD Azure, 2018 | Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022 |
| external_references[2]['description'] | Felch, M.. (2018, August 31). Red Teaming Microsoft Part 1 Active Directory Leaks via Azure. Retrieved October 6, 2019. | Dror Alon. (2022, December 8). Compromised Cloud Compute Credentials: Case Studies From the Wild. Retrieved March 9, 2023. |
| external_references[2]['url'] | https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure/ | https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/ |
| external_references[3]['source_name'] | Google Cloud Identity API Documentation | Black Hills Red Teaming MS AD Azure, 2018 |
| external_references[3]['description'] | Google. (n.d.). Retrieved March 16, 2021. | Felch, M.. (2018, August 31). Red Teaming Microsoft Part 1 Active Directory Leaks via Azure. Retrieved October 6, 2019. |
| external_references[3]['url'] | https://cloud.google.com/identity/docs/reference/rest | https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure/ |
| external_references[4]['source_name'] | Microsoft AZ CLI | Google Cloud Identity API Documentation |
| external_references[4]['description'] | Microsoft. (n.d.). az ad user. Retrieved October 6, 2019. | Google. (n.d.). Retrieved March 16, 2021. |
| external_references[4]['url'] | https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest | https://cloud.google.com/identity/docs/reference/rest |
| external_references[5]['source_name'] | Microsoft Msolrole | Microsoft AZ CLI |
| external_references[5]['description'] | Microsoft. (n.d.). Get-MsolRole. Retrieved October 6, 2019. | Microsoft. (n.d.). az ad user. Retrieved October 6, 2019. |
| external_references[5]['url'] | https://docs.microsoft.com/en-us/powershell/module/msonline/get-msolrole?view=azureadps-1.0 | https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest |
| external_references[6]['source_name'] | GitHub Raindance | Microsoft Msolrole |
| external_references[6]['description'] | Stringer, M.. (2018, November 21). RainDance. Retrieved October 6, 2019. | Microsoft. (n.d.). Get-MsolRole. Retrieved October 6, 2019. |
| external_references[6]['url'] | https://github.com/True-Demon/raindance | https://docs.microsoft.com/en-us/powershell/module/msonline/get-msolrole?view=azureadps-1.0 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_data_sources[0] | Group: Group Enumeration | Command: Command Execution |
| x_mitre_data_sources[2] | Command: Command Execution | Application Log: Application Log Content |
| x_mitre_data_sources[4] | Application Log: Application Log Content | Group: Group Enumeration |
| x_mitre_version | 1.3 | 1.4 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| external_references | | {'source_name': 'GitHub Raindance', 'description': 'Stringer, M.. (2018, November 21). RainDance. Retrieved October 6, 2019.', 'url': 'https://github.com/True-Demon/raindance'} |
[T1552.005] Unsecured Credentials: Cloud Instance Metadata API
Current version: 1.4
Version changed from: 1.3 → 1.4
New Mitigations:
- M1035: Limit Access to Resource Over Network
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-03-08 21:37:23.589000+00:00 | 2023-03-21 13:56:27.910000+00:00 |
| external_references[2]['source_name'] | Krebs Capital One August 2019 | RedLock Instance Metadata API 2018 |
| external_references[2]['description'] | Krebs, B.. (2019, August 19). What We Can Learn from the Capital One Hack. Retrieved March 25, 2020. | Higashi, Michael. (2018, May 15). Instance Metadata API: A Modern Day Trojan Horse. Retrieved July 16, 2019. |
| external_references[2]['url'] | https://krebsonsecurity.com/2019/08/what-we-can-learn-from-the-capital-one-hack/ | https://redlock.io/blog/instance-metadata-api-a-modern-day-trojan-horse |
| external_references[3]['source_name'] | RedLock Instance Metadata API 2018 | Krebs Capital One August 2019 |
| external_references[3]['description'] | Higashi, Michael. (2018, May 15). Instance Metadata API: A Modern Day Trojan Horse. Retrieved July 16, 2019. | Krebs, B.. (2019, August 19). What We Can Learn from the Capital One Hack. Retrieved March 25, 2020. |
| external_references[3]['url'] | https://redlock.io/blog/instance-metadata-api-a-modern-day-trojan-horse | https://krebsonsecurity.com/2019/08/what-we-can-learn-from-the-capital-one-hack/ |
| x_mitre_version | 1.3 | 1.4 |
[T1526] Cloud Service Discovery
Current version: 1.3
Version changed from: 1.2 → 1.3
|
|
|---|
| t | An adversary may attempt to enumerate the cloud services run | t | An adversary may attempt to enumerate the cloud services run |
| ning on a system after gaining access. These methods can dif | | ning on a system after gaining access. These methods can dif |
| fer from platform-as-a-service (PaaS), to infrastructure-as- | | fer from platform-as-a-service (PaaS), to infrastructure-as- |
| a-service (IaaS), or software-as-a-service (SaaS). Many serv | | a-service (IaaS), or software-as-a-service (SaaS). Many serv |
| ices exist throughout the various cloud providers and can in | | ices exist throughout the various cloud providers and can in |
| clude Continuous Integration and Continuous Delivery (CI/CD) | | clude Continuous Integration and Continuous Delivery (CI/CD) |
| , Lambda Functions, Azure AD, etc. Adversaries may attempt | | , Lambda Functions, Azure AD, etc. They may also include sec |
| to discover information about the services enabled througho | | urity services, such as AWS GuardDuty and Microsoft Defender |
| ut the environment. Azure tools and APIs, such as the Azure | | for Cloud, and logging services, such as AWS CloudTrail and |
| AD Graph API and Azure Resource Manager API, can enumerate r | | Google Cloud Audit Logs. Adversaries may attempt to discov |
| esources and services, including applications, management gr | | er information about the services enabled throughout the env |
| oups, resources and policy definitions, and their relationsh | | ironment. Azure tools and APIs, such as the Azure AD Graph A |
| ips that are accessible by an identity.(Citation: Azure - Re | | PI and Azure Resource Manager API, can enumerate resources a |
| source Manager API)(Citation: Azure AD Graph API) Stormspot | | nd services, including applications, management groups, reso |
| ter is an open source tool for enumerating and constructing | | urces and policy definitions, and their relationships that a |
| a graph for Azure resources and services, and Pacu is an ope | | re accessible by an identity.(Citation: Azure - Resource Man |
| n source AWS exploitation framework that supports several me | | ager API)(Citation: Azure AD Graph API) For example, Storms |
| thods for discovering cloud services.(Citation: Azure - Stor | | potter is an open source tool for enumerating and constructi |
| mspotter)(Citation: GitHub Pacu) | | ng a graph for Azure resources and services, and Pacu is an |
| | | open source AWS exploitation framework that supports several |
| | | methods for discovering cloud services.(Citation: Azure - S |
| | | tormspotter)(Citation: GitHub Pacu) Adversaries may use the |
| | | information gained to shape follow-on behaviors, such as ta |
| | | rgeting data or credentials from enumerated services or evad |
| | | ing identified defenses through [Disable or Modify Tools](ht |
| | | tps://attack.mitre.org/techniques/T1562/001) or [Disable Clo |
| | | ud Logs](https://attack.mitre.org/techniques/T1562/008). |
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_permissions_required | ['User'] | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-03-16 12:57:03.837000+00:00 | 2023-04-11 20:33:55.356000+00:00 |
| description | An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc.
Adversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Azure AD Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API)
Stormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.(Citation: Azure - Stormspotter)(Citation: GitHub Pacu) | An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.
Adversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Azure AD Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API)
For example, Stormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.(Citation: Azure - Stormspotter)(Citation: GitHub Pacu)
Adversaries may use the information gained to shape follow-on behaviors, such as targeting data or credentials from enumerated services or evading identified defenses through [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001) or [Disable Cloud Logs](https://attack.mitre.org/techniques/T1562/008). |
| external_references[1]['source_name'] | Azure - Resource Manager API | Azure AD Graph API |
| external_references[1]['description'] | Microsoft. (2019, May 20). Azure Resource Manager. Retrieved June 17, 2020. | Microsoft. (2016, March 26). Operations overview | Graph API concepts. Retrieved June 18, 2020. |
| external_references[1]['url'] | https://docs.microsoft.com/en-us/rest/api/resources/ | https://docs.microsoft.com/en-us/previous-versions/azure/ad/graph/howto/azure-ad-graph-api-operations-overview |
| external_references[2]['source_name'] | Azure AD Graph API | Azure - Resource Manager API |
| external_references[2]['description'] | Microsoft. (2016, March 26). Operations overview | Graph API concepts. Retrieved June 18, 2020. | Microsoft. (2019, May 20). Azure Resource Manager. Retrieved June 17, 2020. |
| external_references[2]['url'] | https://docs.microsoft.com/en-us/previous-versions/azure/ad/graph/howto/azure-ad-graph-api-operations-overview | https://docs.microsoft.com/en-us/rest/api/resources/ |
| x_mitre_version | 1.2 | 1.3 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_contributors | | Thanabodi |
[T1059] Command and Scripting Interpreter
Current version: 2.4
Version changed from: 2.3 → 2.4
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-19 18:31:48.827000+00:00 | 2023-03-27 16:43:58.795000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_data_sources[0] | Process: Process Creation | Command: Command Execution |
| x_mitre_data_sources[1] | Module: Module Load | Process: Process Creation |
| x_mitre_data_sources[3] | Script: Script Execution | Module: Module Load |
| x_mitre_data_sources[4] | Command: Command Execution | Script: Script Execution |
| x_mitre_version | 2.3 | 2.4 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_platforms | | Office 365 |
| x_mitre_platforms | | Azure AD |
| x_mitre_platforms | | IaaS |
| x_mitre_platforms | | Google Workspace |
[T1218.001] System Binary Proxy Execution: Compiled HTML File
Current version: 2.1
Version changed from: 2.0 → 2.1
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_permissions_required | ['User'] | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-03-11 18:59:36.836000+00:00 | 2023-04-21 12:23:17.694000+00:00 |
| external_references[1]['source_name'] | Microsoft HTML Help May 2018 | Microsoft CVE-2017-8625 Aug 2017 |
| external_references[1]['description'] | Microsoft. (2018, May 30). Microsoft HTML Help 1.4. Retrieved October 3, 2018. | Microsoft. (2017, August 8). CVE-2017-8625 - Internet Explorer Security Feature Bypass Vulnerability. Retrieved October 3, 2018. |
| external_references[1]['url'] | https://docs.microsoft.com/previous-versions/windows/desktop/htmlhelp/microsoft-html-help-1-4-sdk | https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8625 |
| external_references[2]['source_name'] | Microsoft HTML Help ActiveX | Microsoft HTML Help May 2018 |
| external_references[2]['description'] | Microsoft. (n.d.). HTML Help ActiveX Control Overview. Retrieved October 3, 2018. | Microsoft. (2018, May 30). Microsoft HTML Help 1.4. Retrieved October 3, 2018. |
| external_references[2]['url'] | https://msdn.microsoft.com/windows/desktop/ms644670 | https://docs.microsoft.com/previous-versions/windows/desktop/htmlhelp/microsoft-html-help-1-4-sdk |
| external_references[4]['source_name'] | MsitPros CHM Aug 2017 | Microsoft HTML Help ActiveX |
| external_references[4]['description'] | Moe, O. (2017, August 13). Bypassing Device guard UMCI using CHM – CVE-2017-8625. Retrieved October 3, 2018. | Microsoft. (n.d.). HTML Help ActiveX Control Overview. Retrieved October 3, 2018. |
| external_references[4]['url'] | https://msitpros.com/?p=3909 | https://msdn.microsoft.com/windows/desktop/ms644670 |
| external_references[5]['source_name'] | Microsoft CVE-2017-8625 Aug 2017 | MsitPros CHM Aug 2017 |
| external_references[5]['description'] | Microsoft. (2017, August 8). CVE-2017-8625 - Internet Explorer Security Feature Bypass Vulnerability. Retrieved October 3, 2018. | Moe, O. (2017, August 13). Bypassing Device guard UMCI using CHM – CVE-2017-8625. Retrieved October 3, 2018. |
| external_references[5]['url'] | https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8625 | https://msitpros.com/?p=3909 |
| x_mitre_version | 2.0 | 2.1 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | | Process: Process Creation |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | Process: Process Creation | |
[T1546.015] Event Triggered Execution: Component Object Model Hijacking
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2020-11-10 18:19:44.750000+00:00 | 2023-04-21 12:34:29.402000+00:00 |
| external_references[1]['source_name'] | Microsoft Component Object Model | Elastic COM Hijacking |
| external_references[1]['description'] | Microsoft. (n.d.). The Component Object Model. Retrieved August 18, 2016. | Ewing, P. Strom, B. (2016, September 15). How to Hunt: Detecting Persistence & Evasion with the COM. Retrieved September 15, 2016. |
| external_references[1]['url'] | https://msdn.microsoft.com/library/ms694363.aspx | https://www.elastic.co/blog/how-hunt-detecting-persistence-evasion-com |
| external_references[3]['source_name'] | Elastic COM Hijacking | Microsoft Component Object Model |
| external_references[3]['description'] | Ewing, P. Strom, B. (2016, September 15). How to Hunt: Detecting Persistence & Evasion with the COM. Retrieved September 15, 2016. | Microsoft. (n.d.). The Component Object Model. Retrieved August 18, 2016. |
| external_references[3]['url'] | https://www.elastic.co/blog/how-hunt-detecting-persistence-evasion-com | https://msdn.microsoft.com/library/ms694363.aspx |
| x_mitre_data_sources[0] | Command: Command Execution | Module: Module Load |
| x_mitre_data_sources[1] | Process: Process Creation | Command: Command Execution |
| x_mitre_data_sources[3] | Module: Module Load | Process: Process Creation |
| x_mitre_version | 1.0 | 1.1 |
[T1586] Compromise Accounts
Current version: 1.2
Version changed from: 1.1 → 1.2
|
|
|---|
| t | Adversaries may compromise accounts with services that can b | t | Adversaries may compromise accounts with services that can b |
| e used during targeting. For operations incorporating social | | e used during targeting. For operations incorporating social |
| engineering, the utilization of an online persona may be im | | engineering, the utilization of an online persona may be im |
| portant. Rather than creating and cultivating accounts (i.e. | | portant. Rather than creating and cultivating accounts (i.e. |
| [Establish Accounts](https://attack.mitre.org/techniques/T1 | | [Establish Accounts](https://attack.mitre.org/techniques/T1 |
| 585)), adversaries may compromise existing accounts. Utilizi | | 585)), adversaries may compromise existing accounts. Utilizi |
| ng an existing persona may engender a level of trust in a po | | ng an existing persona may engender a level of trust in a po |
| tential victim if they have a relationship, or knowledge of, | | tential victim if they have a relationship, or knowledge of, |
| the compromised persona. A variety of methods exist for c | | the compromised persona. A variety of methods exist for c |
| ompromising accounts, such as gathering credentials via [Phi | | ompromising accounts, such as gathering credentials via [Phi |
| shing for Information](https://attack.mitre.org/techniques/T | | shing for Information](https://attack.mitre.org/techniques/T |
| 1598), purchasing credentials from third-party sites, or by | | 1598), purchasing credentials from third-party sites, brute |
| brute forcing credentials (ex: password reuse from breach cr | | forcing credentials (ex: password reuse from breach credenti |
| edential dumps).(Citation: AnonHBGary) Prior to compromising | | al dumps), or paying employees, suppliers or business partne |
| accounts, adversaries may conduct Reconnaissance to inform | | rs for access to credentials.(Citation: AnonHBGary)(Citation |
| decisions about which accounts to compromise to further thei | | : Microsoft DEV-0537) Prior to compromising accounts, advers |
| r operation. Personas may exist on a single site or across | | aries may conduct Reconnaissance to inform decisions about w |
| multiple sites (ex: Facebook, LinkedIn, Twitter, Google, etc | | hich accounts to compromise to further their operation. Per |
| .). Compromised accounts may require additional development, | | sonas may exist on a single site or across multiple sites (e |
| this could include filling out or modifying profile informa | | x: Facebook, LinkedIn, Twitter, Google, etc.). Compromised a |
| tion, further developing social networks, or incorporating p | | ccounts may require additional development, this could inclu |
| hotos. Adversaries may directly leverage compromised email | | de filling out or modifying profile information, further dev |
| accounts for [Phishing for Information](https://attack.mitre | | eloping social networks, or incorporating photos. Adversari |
| .org/techniques/T1598) or [Phishing](https://attack.mitre.or | | es may directly leverage compromised email accounts for [Phi |
| g/techniques/T1566). | | shing for Information](https://attack.mitre.org/techniques/T |
| | | 1598) or [Phishing](https://attack.mitre.org/techniques/T156 |
| | | 6). |
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-10-16 17:15:12.428000+00:00 | 2023-04-11 01:08:56.774000+00:00 |
| description | Adversaries may compromise accounts with services that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating accounts (i.e. [Establish Accounts](https://attack.mitre.org/techniques/T1585)), adversaries may compromise existing accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona.
A variety of methods exist for compromising accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, or by brute forcing credentials (ex: password reuse from breach credential dumps).(Citation: AnonHBGary) Prior to compromising accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation.
Personas may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, Google, etc.). Compromised accounts may require additional development, this could include filling out or modifying profile information, further developing social networks, or incorporating photos.
Adversaries may directly leverage compromised email accounts for [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566). | Adversaries may compromise accounts with services that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating accounts (i.e. [Establish Accounts](https://attack.mitre.org/techniques/T1585)), adversaries may compromise existing accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona.
A variety of methods exist for compromising accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, brute forcing credentials (ex: password reuse from breach credential dumps), or paying employees, suppliers or business partners for access to credentials.(Citation: AnonHBGary)(Citation: Microsoft DEV-0537) Prior to compromising accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation.
Personas may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, Google, etc.). Compromised accounts may require additional development, this could include filling out or modifying profile information, further developing social networks, or incorporating photos.
Adversaries may directly leverage compromised email accounts for [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566). |
| x_mitre_data_sources[0] | Persona: Social Media | Network Traffic: Network Traffic Content |
| x_mitre_data_sources[1] | Network Traffic: Network Traffic Content | Persona: Social Media |
| x_mitre_version | 1.1 | 1.2 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| external_references | | {'source_name': 'Microsoft DEV-0537', 'description': 'Microsoft. (2022, March 22). DEV-0537 criminal actor targeting organizations for data exfiltration and destruction. Retrieved March 23, 2022.', 'url': 'https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/'} |
[T1584] Compromise Infrastructure
Current version: 1.3
Version changed from: 1.2 → 1.3
|
|
|---|
| t | Adversaries may compromise third-party infrastructure that c | t | Adversaries may compromise third-party infrastructure that c |
| an be used during targeting. Infrastructure solutions includ | | an be used during targeting. Infrastructure solutions includ |
| e physical or cloud servers, domains, and third-party web an | | e physical or cloud servers, domains, and third-party web an |
| d DNS services. Instead of buying, leasing, or renting infra | | d DNS services. Instead of buying, leasing, or renting infra |
| structure an adversary may compromise infrastructure and use | | structure an adversary may compromise infrastructure and use |
| it during other phases of the adversary lifecycle.(Citation | | it during other phases of the adversary lifecycle.(Citation |
| : Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citatio | | : Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citatio |
| n: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens | | n: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens |
| Part 2) Additionally, adversaries may compromise numerous ma | | Part 2) Additionally, adversaries may compromise numerous ma |
| chines to form a botnet they can leverage. Use of compromis | | chines to form a botnet they can leverage. Use of compromis |
| ed infrastructure allows an adversary to stage, launch, and | | ed infrastructure allows adversaries to stage, launch, and e |
| execute an operation. Compromised infrastructure can help ad | | xecute operations. Compromised infrastructure can help adver |
| versary operations blend in with traffic that is seen as nor | | sary operations blend in with traffic that is seen as normal |
| mal, such as contact with high reputation or trusted sites. | | , such as contact with high reputation or trusted sites. For |
| For example, adversaries may leverage compromised infrastruc | | example, adversaries may leverage compromised infrastructur |
| ture (potentially also in conjunction with [Digital Certific | | e (potentially also in conjunction with [Digital Certificate |
| ates](https://attack.mitre.org/techniques/T1588/004)) to fur | | s](https://attack.mitre.org/techniques/T1588/004)) to furthe |
| ther blend in and support staged information gathering and/o | | r blend in and support staged information gathering and/or [ |
| r [Phishing](https://attack.mitre.org/techniques/T1566) camp | | Phishing](https://attack.mitre.org/techniques/T1566) campaig |
| aigns.(Citation: FireEye DNS Hijack 2019) By using comprom | | ns.(Citation: FireEye DNS Hijack 2019) Additionally, adversa |
| ised infrastructure, adversaries may make it difficult to ti | | ries may also compromise infrastructure to support [Proxy](h |
| e their actions back to them. Prior to targeting, adversarie | | ttps://attack.mitre.org/techniques/T1090).(Citation: amnesty |
| s may compromise the infrastructure of other adversaries.(Ci | | _nso_pegasus) By using compromised infrastructure, adversar |
| tation: NSA NCSC Turla OilRig) | | ies may make it difficult to tie their actions back to them. |
| | | Prior to targeting, adversaries may compromise the infrastr |
| | | ucture of other adversaries.(Citation: NSA NCSC Turla OilRig |
| | | ) |
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-07-26 23:33:26.352000+00:00 | 2023-04-12 13:32:15.704000+00:00 |
| description | Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage.
Use of compromised infrastructure allows an adversary to stage, launch, and execute an operation. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. For example, adversaries may leverage compromised infrastructure (potentially also in conjunction with [Digital Certificates](https://attack.mitre.org/techniques/T1588/004)) to further blend in and support staged information gathering and/or [Phishing](https://attack.mitre.org/techniques/T1566) campaigns.(Citation: FireEye DNS Hijack 2019)
By using compromised infrastructure, adversaries may make it difficult to tie their actions back to them. Prior to targeting, adversaries may compromise the infrastructure of other adversaries.(Citation: NSA NCSC Turla OilRig) | Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage.
Use of compromised infrastructure allows adversaries to stage, launch, and execute operations. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. For example, adversaries may leverage compromised infrastructure (potentially also in conjunction with [Digital Certificates](https://attack.mitre.org/techniques/T1588/004)) to further blend in and support staged information gathering and/or [Phishing](https://attack.mitre.org/techniques/T1566) campaigns.(Citation: FireEye DNS Hijack 2019) Additionally, adversaries may also compromise infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090).(Citation: amnesty_nso_pegasus)
By using compromised infrastructure, adversaries may make it difficult to tie their actions back to them. Prior to targeting, adversaries may compromise the infrastructure of other adversaries.(Citation: NSA NCSC Turla OilRig) |
| external_references[1]['source_name'] | FireEye DNS Hijack 2019 | amnesty_nso_pegasus |
| external_references[1]['description'] | Hirani, M., Jones, S., Read, B. (2019, January 10). Global DNS Hijacking Campaign: DNS Record Manipulation at Scale. Retrieved October 9, 2020. | Amnesty International Security Lab. (2021, July 18). Forensic Methodology Report: How to catch NSO Group’s Pegasus. Retrieved February 22, 2022. |
| external_references[1]['url'] | https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html | https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/ |
| external_references[2]['source_name'] | ICANNDomainNameHijacking | FireEye DNS Hijack 2019 |
| external_references[2]['description'] | ICANN Security and Stability Advisory Committee. (2005, July 12). Domain Name Hijacking: Incidents, Threats, Risks and Remediation. Retrieved March 6, 2017. | Hirani, M., Jones, S., Read, B. (2019, January 10). Global DNS Hijacking Campaign: DNS Record Manipulation at Scale. Retrieved October 9, 2020. |
| external_references[2]['url'] | https://www.icann.org/groups/ssac/documents/sac-007-en | https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html |
| external_references[3]['source_name'] | Koczwara Beacon Hunting Sep 2021 | ICANNDomainNameHijacking |
| external_references[3]['description'] | Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with Shodan. Retrieved October 12, 2021. | ICANN Security and Stability Advisory Committee. (2005, July 12). Domain Name Hijacking: Incidents, Threats, Risks and Remediation. Retrieved March 6, 2017. |
| external_references[3]['url'] | https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2 | https://www.icann.org/groups/ssac/documents/sac-007-en |
| external_references[4]['source_name'] | Mandiant APT1 | Koczwara Beacon Hunting Sep 2021 |
| external_references[4]['description'] | Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016. | Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with Shodan. Retrieved October 12, 2021. |
| external_references[4]['url'] | https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf | https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2 |
| external_references[5]['source_name'] | Talos DNSpionage Nov 2018 | Mandiant APT1 |
| external_references[5]['description'] | Mercer, W., Rascagneres, P. (2018, November 27). DNSpionage Campaign Targets Middle East. Retrieved October 9, 2020. | Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016. |
| external_references[5]['url'] | https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html | https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf |
| external_references[6]['source_name'] | NSA NCSC Turla OilRig | Talos DNSpionage Nov 2018 |
| external_references[6]['description'] | NSA/NCSC. (2019, October 21). Cybersecurity Advisory: Turla Group Exploits Iranian APT To Expand Coverage Of Victims. Retrieved October 16, 2020. | Mercer, W., Rascagneres, P. (2018, November 27). DNSpionage Campaign Targets Middle East. Retrieved October 9, 2020. |
| external_references[6]['url'] | https://media.defense.gov/2019/Oct/18/2002197242/-1/-1/0/NSA_CSA_Turla_20191021%20ver%204%20-%20nsa.gov.pdf | https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html |
| external_references[7]['source_name'] | Mandiant SCANdalous Jul 2020 | NSA NCSC Turla OilRig |
| external_references[7]['description'] | Stephens, A. (2020, July 13). SCANdalous! (External Detection Using Network Scan Data and Automation). Retrieved October 12, 2021. | NSA/NCSC. (2019, October 21). Cybersecurity Advisory: Turla Group Exploits Iranian APT To Expand Coverage Of Victims. Retrieved October 16, 2020. |
| external_references[7]['url'] | https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation | https://media.defense.gov/2019/Oct/18/2002197242/-1/-1/0/NSA_CSA_Turla_20191021%20ver%204%20-%20nsa.gov.pdf |
| external_references[8]['source_name'] | ThreatConnect Infrastructure Dec 2020 | Mandiant SCANdalous Jul 2020 |
| external_references[8]['description'] | ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021. | Stephens, A. (2020, July 13). SCANdalous! (External Detection Using Network Scan Data and Automation). Retrieved October 12, 2021. |
| external_references[8]['url'] | https://threatconnect.com/blog/infrastructure-research-hunting/ | https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation |
| external_references[9]['source_name'] | FireEye EPS Awakens Part 2 | ThreatConnect Infrastructure Dec 2020 |
| external_references[9]['description'] | Winters, R. (2015, December 20). The EPS Awakens - Part 2. Retrieved January 22, 2016. | ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021. |
| external_references[9]['url'] | https://web.archive.org/web/20151226205946/https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html | https://threatconnect.com/blog/infrastructure-research-hunting/ |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_data_sources[0] | Domain Name: Active DNS | Internet Scan: Response Content |
| x_mitre_data_sources[2] | Internet Scan: Response Content | Domain Name: Domain Registration |
| x_mitre_data_sources[4] | Domain Name: Domain Registration | Domain Name: Active DNS |
| x_mitre_version | 1.2 | 1.3 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| external_references | | {'source_name': 'FireEye EPS Awakens Part 2', 'description': 'Winters, R. (2015, December 20). The EPS Awakens - Part 2. Retrieved January 22, 2016.', 'url': 'https://web.archive.org/web/20151226205946/https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html'} |
| x_mitre_contributors | | Shailesh Tiwary (Indian Army) |
[T1552.007] Unsecured Credentials: Container API
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_permissions_required | ['User', 'Administrator'] | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-01 13:11:10.849000+00:00 | 2023-04-15 16:11:25.409000+00:00 |
| external_references[1]['source_name'] | Docker API | Unit 42 Unsecured Docker Daemons |
| external_references[1]['description'] | Docker. (n.d.). Docker Engine API v1.41 Reference. Retrieved March 31, 2021. | Chen, J.. (2020, January 29). Attacker's Tactics and Techniques in Unsecured Docker Daemons Revealed. Retrieved March 31, 2021. |
| external_references[1]['url'] | https://docs.docker.com/engine/api/v1.41/ | https://unit42.paloaltonetworks.com/attackers-tactics-and-techniques-in-unsecured-docker-daemons-revealed/ |
| external_references[2]['source_name'] | Kubernetes API | Docker API |
| external_references[2]['description'] | The Kubernetes Authors. (n.d.). The Kubernetes API. Retrieved March 29, 2021. | Docker. (n.d.). Docker Engine API v1.41 Reference. Retrieved March 31, 2021. |
| external_references[2]['url'] | https://kubernetes.io/docs/concepts/overview/kubernetes-api/ | https://docs.docker.com/engine/api/v1.41/ |
| external_references[3]['source_name'] | Unit 42 Unsecured Docker Daemons | Kubernetes API |
| external_references[3]['description'] | Chen, J.. (2020, January 29). Attacker's Tactics and Techniques in Unsecured Docker Daemons Revealed. Retrieved March 31, 2021. | The Kubernetes Authors. (n.d.). The Kubernetes API. Retrieved March 29, 2021. |
| external_references[3]['url'] | https://unit42.paloaltonetworks.com/attackers-tactics-and-techniques-in-unsecured-docker-daemons-revealed/ | https://kubernetes.io/docs/concepts/overview/kubernetes-api/ |
| x_mitre_version | 1.1 | 1.2 |
[T1609] Container Administration Command
Current version: 1.2
Version changed from: 1.1 → 1.2
New Mitigations:
- M1042: Disable or Remove Feature or Program
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-01 13:16:14.786000+00:00 | 2023-04-15 16:03:19.642000+00:00 |
| external_references[1]['source_name'] | Docker Daemon CLI | Docker Exec |
| external_references[1]['description'] | Docker. (n.d.). DockerD CLI. Retrieved March 29, 2021. | Docker. (n.d.). Docker Exec. Retrieved March 29, 2021. |
| external_references[1]['url'] | https://docs.docker.com/engine/reference/commandline/dockerd/ | https://docs.docker.com/engine/reference/commandline/exec/ |
| external_references[2]['source_name'] | Kubernetes API | Docker Entrypoint |
| external_references[2]['description'] | The Kubernetes Authors. (n.d.). The Kubernetes API. Retrieved March 29, 2021. | Docker. (n.d.). Docker run reference. Retrieved March 29, 2021. |
| external_references[2]['url'] | https://kubernetes.io/docs/concepts/overview/kubernetes-api/ | https://docs.docker.com/engine/reference/run/#entrypoint-default-command-to-execute-at-runtime |
| external_references[3]['source_name'] | Kubernetes Kubelet | Docker Daemon CLI |
| external_references[3]['description'] | The Kubernetes Authors. (n.d.). Kubelet. Retrieved March 29, 2021. | Docker. (n.d.). DockerD CLI. Retrieved March 29, 2021. |
| external_references[3]['url'] | https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/ | https://docs.docker.com/engine/reference/commandline/dockerd/ |
| external_references[4]['source_name'] | Docker Entrypoint | Kubectl Exec Get Shell |
| external_references[4]['description'] | Docker. (n.d.). Docker run reference. Retrieved March 29, 2021. | The Kubernetes Authors. (n.d.). Get a Shell to a Running Container. Retrieved March 29, 2021. |
| external_references[4]['url'] | https://docs.docker.com/engine/reference/run/#entrypoint-default-command-to-execute-at-runtime | https://kubernetes.io/docs/tasks/debug-application-cluster/get-shell-running-container/ |
| external_references[5]['source_name'] | Docker Exec | Kubernetes Kubelet |
| external_references[5]['description'] | Docker. (n.d.). Docker Exec. Retrieved March 29, 2021. | The Kubernetes Authors. (n.d.). Kubelet. Retrieved March 29, 2021. |
| external_references[5]['url'] | https://docs.docker.com/engine/reference/commandline/exec/ | https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/ |
| external_references[6]['source_name'] | Kubectl Exec Get Shell | Kubernetes API |
| external_references[6]['description'] | The Kubernetes Authors. (n.d.). Get a Shell to a Running Container. Retrieved March 29, 2021. | The Kubernetes Authors. (n.d.). The Kubernetes API. Retrieved March 29, 2021. |
| external_references[6]['url'] | https://kubernetes.io/docs/tasks/debug-application-cluster/get-shell-running-container/ | https://kubernetes.io/docs/concepts/overview/kubernetes-api/ |
| x_mitre_version | 1.1 | 1.2 |
[T1053.007] Scheduled Task/Job: Container Orchestration Job
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-01 13:06:58.794000+00:00 | 2023-04-15 16:23:05.392000+00:00 |
| external_references[1]['source_name'] | Kubernetes Jobs | Kubernetes CronJob |
| external_references[1]['description'] | The Kubernetes Authors. (n.d.). Kubernetes Jobs. Retrieved March 30, 2021. | The Kubernetes Authors. (n.d.). Kubernetes CronJob. Retrieved March 29, 2021. |
| external_references[1]['url'] | https://kubernetes.io/docs/concepts/workloads/controllers/job/ | https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/ |
| external_references[2]['source_name'] | Kubernetes CronJob | Kubernetes Jobs |
| external_references[2]['description'] | The Kubernetes Authors. (n.d.). Kubernetes CronJob. Retrieved March 29, 2021. | The Kubernetes Authors. (n.d.). Kubernetes Jobs. Retrieved March 30, 2021. |
| external_references[2]['url'] | https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/ | https://kubernetes.io/docs/concepts/workloads/controllers/job/ |
| x_mitre_data_sources[0] | File: File Creation | Scheduled Job: Scheduled Job Creation |
| x_mitre_data_sources[2] | Scheduled Job: Scheduled Job Creation | File: File Creation |
| x_mitre_version | 1.2 | 1.3 |
[T1613] Container and Resource Discovery
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_permissions_required | ['User'] | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-04-12 18:22:05.737000+00:00 | 2023-04-15 16:08:50.706000+00:00 |
| x_mitre_version | 1.0 | 1.1 |
[T1136] Create Account
Current version: 2.3
Version changed from: 2.2 → 2.3
Dropped Mitigations:
- T1136: Create Account Mitigation
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_permissions_required | ['Administrator'] | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-08-12 13:04:14.534000+00:00 | 2023-04-12 23:24:48.840000+00:00 |
| x_mitre_version | 2.2 | 2.3 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_contributors | | Austin Clark, @c2defense |
| x_mitre_data_sources | | Process: Process Creation |
| x_mitre_platforms | | Network |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | Process: Process Creation | |
[T1134.002] Access Token Manipulation: Create Process with Token
Current version: 1.2
Version changed from: 1.1 → 1.2
|
|
|---|
| t | Adversaries may create a new process with a different token | t | Adversaries may create a new process with an existing token |
| to escalate privileges and bypass access controls. Processes | | to escalate privileges and bypass access controls. Processes |
| can be created with the token and resulting security contex | | can be created with the token and resulting security contex |
| t of another user using features such as <code>CreateProcess | | t of another user using features such as <code>CreateProcess |
| WithTokenW</code> and <code>runas</code>.(Citation: Microsof | | WithTokenW</code> and <code>runas</code>.(Citation: Microsof |
| t RunAs) Creating processes with a different token may requ | | t RunAs) Creating processes with a token not associated wit |
| ire the credentials of the target user, specific privileges | | h the current user may require the credentials of the target |
| to impersonate that user, or access to the token to be used | | user, specific privileges to impersonate that user, or acce |
| (ex: gathered via other means such as [Token Impersonation/T | | ss to the token to be used. For example, the token could be |
| heft](https://attack.mitre.org/techniques/T1134/001) or [Mak | | duplicated via [Token Impersonation/Theft](https://attack.mi |
| e and Impersonate Token](https://attack.mitre.org/techniques | | tre.org/techniques/T1134/001) or created via [Make and Imper |
| /T1134/003)). | | sonate Token](https://attack.mitre.org/techniques/T1134/003) |
| | | before being used to create a process. While this techniqu |
| | | e is distinct from [Token Impersonation/Theft](https://attac |
| | | k.mitre.org/techniques/T1134/001), the techniques can be use |
| | | d in conjunction where a token is duplicated and then used t |
| | | o create a new process. |
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-10-17 14:51:48.978000+00:00 | 2023-04-11 21:14:37.714000+00:00 |
| description | Adversaries may create a new process with a different token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW and runas.(Citation: Microsoft RunAs)
Creating processes with a different token may require the credentials of the target user, specific privileges to impersonate that user, or access to the token to be used (ex: gathered via other means such as [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) or [Make and Impersonate Token](https://attack.mitre.org/techniques/T1134/003)). | Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW and runas.(Citation: Microsoft RunAs)
Creating processes with a token not associated with the current user may require the credentials of the target user, specific privileges to impersonate that user, or access to the token to be used. For example, the token could be duplicated via [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) or created via [Make and Impersonate Token](https://attack.mitre.org/techniques/T1134/003) before being used to create a process.
While this technique is distinct from [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001), the techniques can be used in conjunction where a token is duplicated and then used to create a new process. |
| external_references[1]['source_name'] | Microsoft RunAs | Microsoft Command-line Logging |
| external_references[1]['description'] | Microsoft. (2016, August 31). Runas. Retrieved October 1, 2021. | Mathers, B. (2017, March 7). Command line process auditing. Retrieved April 21, 2017. |
| external_references[1]['url'] | https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771525(v=ws.11) | https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing |
| external_references[2]['source_name'] | Microsoft Command-line Logging | Microsoft RunAs |
| external_references[2]['description'] | Mathers, B. (2017, March 7). Command line process auditing. Retrieved April 21, 2017. | Microsoft. (2016, August 31). Runas. Retrieved October 1, 2021. |
| external_references[2]['url'] | https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing | https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771525(v=ws.11) |
| x_mitre_data_sources[0] | Command: Command Execution | Process: OS API Execution |
| x_mitre_data_sources[1] | Process: OS API Execution | Command: Command Execution |
| x_mitre_version | 1.1 | 1.2 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_contributors | | Jonny Johnson |
[T1110.004] Brute Force: Credential Stuffing
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
| external_references | | US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted by Cyber Actors. Retrieved October 2, 2019. |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_permissions_required | ['User'] | |
| external_references | CAPEC-600 | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-04-06 12:31:06.695000+00:00 | 2023-04-14 23:05:16.857000+00:00 |
| external_references[1]['source_name'] | capec | US-CERT TA18-068A 2018 |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/600.html | https://www.us-cert.gov/ncas/alerts/TA18-086A |
| x_mitre_data_sources[0] | User Account: User Account Authentication | Application Log: Application Log Content |
| x_mitre_data_sources[1] | Application Log: Application Log Content | User Account: User Account Authentication |
| x_mitre_version | 1.2 | 1.3 |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'US-CERT TA18-068A 2018', 'description': 'US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted by Cyber Actors. Retrieved October 2, 2019.', 'url': 'https://www.us-cert.gov/ncas/alerts/TA18-086A'} | |
[T1589.001] Gather Victim Identity Information: Credentials
Current version: 1.1
Version changed from: 1.0 → 1.1
|
|
|---|
| t | Adversaries may gather credentials that can be used during t | t | Adversaries may gather credentials that can be used during t |
| argeting. Account credentials gathered by adversaries may be | | argeting. Account credentials gathered by adversaries may be |
| those directly associated with the target victim organizati | | those directly associated with the target victim organizati |
| on or attempt to take advantage of the tendency for users to | | on or attempt to take advantage of the tendency for users to |
| use the same passwords across personal and business account | | use the same passwords across personal and business account |
| s. Adversaries may gather credentials from potential victim | | s. Adversaries may gather credentials from potential victim |
| s in various ways, such as direct elicitation via [Phishing | | s in various ways, such as direct elicitation via [Phishing |
| for Information](https://attack.mitre.org/techniques/T1598). | | for Information](https://attack.mitre.org/techniques/T1598). |
| Adversaries may also compromise sites then include maliciou | | Adversaries may also compromise sites then add malicious co |
| s content designed to collect website authentication cookies | | ntent designed to collect website authentication cookies fro |
| from visitors.(Citation: ATT ScanBox) Credential informatio | | m visitors.(Citation: ATT ScanBox) Credential information ma |
| n may also be exposed to adversaries via leaks to online or | | y also be exposed to adversaries via leaks to online or othe |
| other accessible data sets (ex: [Search Engines](https://att | | r accessible data sets (ex: [Search Engines](https://attack. |
| ack.mitre.org/techniques/T1593/002), breach dumps, code repo | | mitre.org/techniques/T1593/002), breach dumps, code reposito |
| sitories, etc.).(Citation: Register Deloitte)(Citation: Regi | | ries, etc.).(Citation: Register Deloitte)(Citation: Register |
| ster Uber)(Citation: Detectify Slack Tokens)(Citation: Forbe | | Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes Gi |
| s GitHub Creds)(Citation: GitHub truffleHog)(Citation: GitHu | | tHub Creds)(Citation: GitHub truffleHog)(Citation: GitHub Gi |
| b Gitrob)(Citation: CNET Leaks) Adversaries may also purchas | | trob)(Citation: CNET Leaks) Adversaries may also purchase cr |
| e credentials from dark web or other black-markets. Gatherin | | edentials from dark web or other black-markets. Finally, whe |
| g this information may reveal opportunities for other forms | | re multi-factor authentication (MFA) based on out-of-band co |
| of reconnaissance (ex: [Search Open Websites/Domains](https: | | mmunications is in use, adversaries may compromise a service |
| //attack.mitre.org/techniques/T1593) or [Phishing for Inform | | provider to gain access to MFA codes and one-time passwords |
| ation](https://attack.mitre.org/techniques/T1598)), establis | | (OTP).(Citation: Okta Scatter Swine 2022) Gathering this i |
| hing operational resources (ex: [Compromise Accounts](https: | | nformation may reveal opportunities for other forms of recon |
| //attack.mitre.org/techniques/T1586)), and/or initial access | | naissance (ex: [Search Open Websites/Domains](https://attack |
| (ex: [External Remote Services](https://attack.mitre.org/te | | .mitre.org/techniques/T1593) or [Phishing for Information](h |
| chniques/T1133) or [Valid Accounts](https://attack.mitre.org | | ttps://attack.mitre.org/techniques/T1598)), establishing ope |
| /techniques/T1078)). | | rational resources (ex: [Compromise Accounts](https://attack |
| | | .mitre.org/techniques/T1586)), and/or initial access (ex: [E |
| | | xternal Remote Services](https://attack.mitre.org/techniques |
| | | /T1133) or [Valid Accounts](https://attack.mitre.org/techniq |
| | | ues/T1078)). |
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-04-15 03:26:44.352000+00:00 | 2023-04-14 23:29:10.396000+00:00 |
| description | Adversaries may gather credentials that can be used during targeting. Account credentials gathered by adversaries may be those directly associated with the target victim organization or attempt to take advantage of the tendency for users to use the same passwords across personal and business accounts.
Adversaries may gather credentials from potential victims in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect website authentication cookies from visitors.(Citation: ATT ScanBox) Credential information may also be exposed to adversaries via leaks to online or other accessible data sets (ex: [Search Engines](https://attack.mitre.org/techniques/T1593/002), breach dumps, code repositories, etc.).(Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks) Adversaries may also purchase credentials from dark web or other black-markets. Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)). | Adversaries may gather credentials that can be used during targeting. Account credentials gathered by adversaries may be those directly associated with the target victim organization or attempt to take advantage of the tendency for users to use the same passwords across personal and business accounts.
Adversaries may gather credentials from potential victims in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then add malicious content designed to collect website authentication cookies from visitors.(Citation: ATT ScanBox) Credential information may also be exposed to adversaries via leaks to online or other accessible data sets (ex: [Search Engines](https://attack.mitre.org/techniques/T1593/002), breach dumps, code repositories, etc.).(Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks) Adversaries may also purchase credentials from dark web or other black-markets. Finally, where multi-factor authentication (MFA) based on out-of-band communications is in use, adversaries may compromise a service provider to gain access to MFA codes and one-time passwords (OTP).(Citation: Okta Scatter Swine 2022)
Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)). |
| external_references[2]['source_name'] | Register Deloitte | Detectify Slack Tokens |
| external_references[2]['description'] | Thomson, I. (2017, September 26). Deloitte is a sitting duck: Key systems with RDP open, VPN and proxy 'login details leaked'. Retrieved October 19, 2020. | Detectify. (2016, April 28). Slack bot token leakage exposing business critical information. Retrieved October 19, 2020. |
| external_references[2]['url'] | https://www.theregister.com/2017/09/26/deloitte_leak_github_and_google/ | https://labs.detectify.com/2016/04/28/slack-bot-token-leakage-exposing-business-critical-information/ |
| external_references[3]['source_name'] | Register Uber | GitHub truffleHog |
| external_references[3]['description'] | McCarthy, K. (2015, February 28). FORK ME! Uber hauls GitHub into court to find who hacked database of 50,000 drivers. Retrieved October 19, 2020. | Dylan Ayrey. (2016, December 31). truffleHog. Retrieved October 19, 2020. |
| external_references[3]['url'] | https://www.theregister.com/2015/02/28/uber_subpoenas_github_for_hacker_details/ | https://github.com/dxa4481/truffleHog |
| external_references[4]['source_name'] | Detectify Slack Tokens | Register Uber |
| external_references[4]['description'] | Detectify. (2016, April 28). Slack bot token leakage exposing business critical information. Retrieved October 19, 2020. | McCarthy, K. (2015, February 28). FORK ME! Uber hauls GitHub into court to find who hacked database of 50,000 drivers. Retrieved October 19, 2020. |
| external_references[4]['url'] | https://labs.detectify.com/2016/04/28/slack-bot-token-leakage-exposing-business-critical-information/ | https://www.theregister.com/2015/02/28/uber_subpoenas_github_for_hacker_details/ |
| external_references[5]['source_name'] | Forbes GitHub Creds | GitHub Gitrob |
| external_references[5]['description'] | Sandvik, R. (2014, January 14). Attackers Scrape GitHub For Cloud Service Credentials, Hijack Account To Mine Virtual Currency. Retrieved October 19, 2020. | Michael Henriksen. (2018, June 9). Gitrob: Putting the Open Source in OSINT. Retrieved October 19, 2020. |
| external_references[5]['url'] | https://www.forbes.com/sites/runasandvik/2014/01/14/attackers-scrape-github-for-cloud-service-credentials-hijack-account-to-mine-virtual-currency/#242c479d3196 | https://github.com/michenriksen/gitrob |
| external_references[6]['source_name'] | GitHub truffleHog | CNET Leaks |
| external_references[6]['description'] | Dylan Ayrey. (2016, December 31). truffleHog. Retrieved October 19, 2020. | Ng, A. (2019, January 17). Massive breach leaks 773 million email addresses, 21 million passwords. Retrieved October 20, 2020. |
| external_references[6]['url'] | https://github.com/dxa4481/truffleHog | https://www.cnet.com/news/massive-breach-leaks-773-million-emails-21-million-passwords/ |
| external_references[7]['source_name'] | GitHub Gitrob | Okta Scatter Swine 2022 |
| external_references[7]['description'] | Michael Henriksen. (2018, June 9). Gitrob: Putting the Open Source in OSINT. Retrieved October 19, 2020. | Okta. (2022, August 25). Detecting Scatter Swine: Insights into a Relentless Phishing Campaign. Retrieved February 24, 2023. |
| external_references[7]['url'] | https://github.com/michenriksen/gitrob | https://sec.okta.com/scatterswine |
| external_references[8]['source_name'] | CNET Leaks | Forbes GitHub Creds |
| external_references[8]['description'] | Ng, A. (2019, January 17). Massive breach leaks 773 million email addresses, 21 million passwords. Retrieved October 20, 2020. | Sandvik, R. (2014, January 14). Attackers Scrape GitHub For Cloud Service Credentials, Hijack Account To Mine Virtual Currency. Retrieved October 19, 2020. |
| external_references[8]['url'] | https://www.cnet.com/news/massive-breach-leaks-773-million-emails-21-million-passwords/ | https://www.forbes.com/sites/runasandvik/2014/01/14/attackers-scrape-github-for-cloud-service-credentials-hijack-account-to-mine-virtual-currency/#242c479d3196 |
| x_mitre_version | 1.0 | 1.1 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| external_references | | {'source_name': 'Register Deloitte', 'description': "Thomson, I. (2017, September 26). Deloitte is a sitting duck: Key systems with RDP open, VPN and proxy 'login details leaked'. Retrieved October 19, 2020.", 'url': 'https://www.theregister.com/2017/09/26/deloitte_leak_github_and_google/'} |
[T1132] Data Encoding
Current version: 1.2
Version changed from: 1.1 → 1.2
Dropped Mitigations:
- T1132: Data Encoding Mitigation
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_permissions_required | ['User'] | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2020-03-14 23:39:50.338000+00:00 | 2023-04-21 12:20:20.711000+00:00 |
| external_references[1]['source_name'] | Wikipedia Binary-to-text Encoding | University of Birmingham C2 |
| external_references[1]['description'] | Wikipedia. (2016, December 26). Binary-to-text encoding. Retrieved March 1, 2017. | Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. |
| external_references[1]['url'] | https://en.wikipedia.org/wiki/Binary-to-text_encoding | https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf |
| external_references[2]['source_name'] | Wikipedia Character Encoding | Wikipedia Binary-to-text Encoding |
| external_references[2]['description'] | Wikipedia. (2017, February 19). Character Encoding. Retrieved March 1, 2017. | Wikipedia. (2016, December 26). Binary-to-text encoding. Retrieved March 1, 2017. |
| external_references[2]['url'] | https://en.wikipedia.org/wiki/Character_encoding | https://en.wikipedia.org/wiki/Binary-to-text_encoding |
| external_references[3]['source_name'] | University of Birmingham C2 | Wikipedia Character Encoding |
| external_references[3]['description'] | Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. | Wikipedia. (2017, February 19). Character Encoding. Retrieved March 1, 2017. |
| external_references[3]['url'] | https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf | https://en.wikipedia.org/wiki/Character_encoding |
| x_mitre_version | 1.1 | 1.2 |
[T1005] Data from Local System
Current version: 1.6
Version changed from: 1.5 → 1.6
|
|
|---|
| t | Adversaries may search local system sources, such as file sy | t | Adversaries may search local system sources, such as file sy |
| stems and configuration files or local databases, to find fi | | stems and configuration files or local databases, to find fi |
| les of interest and sensitive data prior to Exfiltration. A | | les of interest and sensitive data prior to Exfiltration. A |
| dversaries may do this using a [Command and Scripting Interp | | dversaries may do this using a [Command and Scripting Interp |
| reter](https://attack.mitre.org/techniques/T1059), such as [ | | reter](https://attack.mitre.org/techniques/T1059), such as [ |
| cmd](https://attack.mitre.org/software/S0106) as well as a [ | | cmd](https://attack.mitre.org/software/S0106) as well as a [ |
| Network Device CLI](https://attack.mitre.org/techniques/T105 | | Network Device CLI](https://attack.mitre.org/techniques/T105 |
| 9/008), which have functionality to interact with the file s | | 9/008), which have functionality to interact with the file s |
| ystem to gather information. Adversaries may also use [Autom | | ystem to gather information.(Citation: show_run_config_cmd_c |
| ated Collection](https://attack.mitre.org/techniques/T1119) | | isco) Adversaries may also use [Automated Collection](https: |
| on the local system. | | //attack.mitre.org/techniques/T1119) on the local system. |
Dropped Mitigations:
- T1005: Data from Local System Mitigation
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-19 21:55:54.866000+00:00 | 2023-04-12 23:54:39.466000+00:00 |
| description | Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Adversaries may do this using a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106) as well as a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008), which have functionality to interact with the file system to gather information. Adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system.
| Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Adversaries may do this using a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106) as well as a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008), which have functionality to interact with the file system to gather information.(Citation: show_run_config_cmd_cisco) Adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system.
|
| external_references[1]['source_name'] | Mandiant APT41 Global Intrusion | show_run_config_cmd_cisco |
| external_references[1]['description'] | Gyler, C.,Perez D.,Jones, S.,Miller, S.. (2021, February 25). This is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved February 17, 2022. | Cisco. (2022, August 16). show running-config - Cisco IOS Configuration Fundamentals Command Reference . Retrieved July 13, 2022. |
| external_references[1]['url'] | https://www.mandiant.com/resources/apt41-initiates-global-intrusion-campaign-using-multiple-exploits | https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fundamentals/command/cf_command_ref/show_protocols_through_showmon.html#wp2760878733 |
| external_references[2]['source_name'] | US-CERT-TA18-106A | Mandiant APT41 Global Intrusion |
| external_references[2]['description'] | US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020. | Gyler, C.,Perez D.,Jones, S.,Miller, S.. (2021, February 25). This is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved February 17, 2022. |
| external_references[2]['url'] | https://www.us-cert.gov/ncas/alerts/TA18-106A | https://www.mandiant.com/resources/apt41-initiates-global-intrusion-campaign-using-multiple-exploits |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_data_sources[0] | Process: OS API Execution | Command: Command Execution |
| x_mitre_data_sources[1] | File: File Access | Process: Process Creation |
| x_mitre_data_sources[2] | Process: Process Creation | File: File Access |
| x_mitre_data_sources[3] | Script: Script Execution | Process: OS API Execution |
| x_mitre_data_sources[4] | Command: Command Execution | Script: Script Execution |
| x_mitre_detection | Monitor processes and command-line arguments for actions that could be taken to collect files from a system. Remote access tools with built-in features may interact directly with the Windows API to gather data. Further, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands may also be used to collect files such as configuration files with built-in features native to the network device platform.(Citation: Mandiant APT41 Global Intrusion )(Citation: US-CERT-TA18-106A) Monitor CLI activity for unexpected or unauthorized use commands being run by non-standard users from non-standard locations. Data may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). | Monitor processes and command-line arguments for actions that could be taken to collect files from a system. Remote access tools with built-in features may interact directly with the Windows API to gather data. Further, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands may also be used to collect files such as configuration files with built-in features native to the network device platform.(Citation: Mandiant APT41 Global Intrusion )(Citation: US-CERT-TA18-106A) Monitor CLI activity for unexpected or unauthorized use commands being run by non-standard users from non-standard locations. Data may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
For network infrastructure devices, collect AAA logging to monitor `show` commands that view configuration files. |
| x_mitre_version | 1.5 | 1.6 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| external_references | | {'source_name': 'US-CERT-TA18-106A', 'description': 'US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.', 'url': 'https://www.us-cert.gov/ncas/alerts/TA18-106A'} |
[T1140] Deobfuscate/Decode Files or Information
Current version: 1.2
Version changed from: 1.1 → 1.2
|
|
|---|
| t | Adversaries may use [Obfuscated Files or Information](https: | t | Adversaries may use [Obfuscated Files or Information](https: |
| //attack.mitre.org/techniques/T1027) to hide artifacts of an | | //attack.mitre.org/techniques/T1027) to hide artifacts of an |
| intrusion from analysis. They may require separate mechanis | | intrusion from analysis. They may require separate mechanis |
| ms to decode or deobfuscate that information depending on ho | | ms to decode or deobfuscate that information depending on ho |
| w they intend to use it. Methods for doing that include buil | | w they intend to use it. Methods for doing that include buil |
| t-in functionality of malware or by using utilities present | | t-in functionality of malware or by using utilities present |
| on the system. One such example is use of [certutil](https: | | on the system. One such example is the use of [certutil](ht |
| //attack.mitre.org/software/S0160) to decode a remote access | | tps://attack.mitre.org/software/S0160) to decode a remote ac |
| tool portable executable file that has been hidden inside a | | cess tool portable executable file that has been hidden insi |
| certificate file. (Citation: Malwarebytes Targeted Attack a | | de a certificate file.(Citation: Malwarebytes Targeted Attac |
| gainst Saudi Arabia) Another example is using the Windows <c | | k against Saudi Arabia) Another example is using the Windows |
| ode>copy /b</code> command to reassemble binary fragments in | | <code>copy /b</code> command to reassemble binary fragments |
| to a malicious payload. (Citation: Carbon Black Obfuscation | | into a malicious payload.(Citation: Carbon Black Obfuscatio |
| Sept 2016) Sometimes a user's action may be required to ope | | n Sept 2016) Sometimes a user's action may be required to o |
| n it for deobfuscation or decryption as part of [User Execut | | pen it for deobfuscation or decryption as part of [User Exec |
| ion](https://attack.mitre.org/techniques/T1204). The user ma | | ution](https://attack.mitre.org/techniques/T1204). The user |
| y also be required to input a password to open a password pr | | may also be required to input a password to open a password |
| otected compressed/encrypted file that was provided by the a | | protected compressed/encrypted file that was provided by the |
| dversary. (Citation: Volexity PowerDuke November 2016) | | adversary. (Citation: Volexity PowerDuke November 2016) |
Dropped Mitigations:
- T1140: Deobfuscate/Decode Files or Information Mitigation
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-05-05 04:05:42.508000+00:00 | 2023-04-21 12:21:06.026000+00:00 |
| description | Adversaries may use [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
One such example is use of [certutil](https://attack.mitre.org/software/S0160) to decode a remote access tool portable executable file that has been hidden inside a certificate file. (Citation: Malwarebytes Targeted Attack against Saudi Arabia) Another example is using the Windows copy /b command to reassemble binary fragments into a malicious payload. (Citation: Carbon Black Obfuscation Sept 2016)
Sometimes a user's action may be required to open it for deobfuscation or decryption as part of [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) | Adversaries may use [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
One such example is the use of [certutil](https://attack.mitre.org/software/S0160) to decode a remote access tool portable executable file that has been hidden inside a certificate file.(Citation: Malwarebytes Targeted Attack against Saudi Arabia) Another example is using the Windows copy /b command to reassemble binary fragments into a malicious payload.(Citation: Carbon Black Obfuscation Sept 2016)
Sometimes a user's action may be required to open it for deobfuscation or decryption as part of [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.1 | 1.2 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | | Process: Process Creation |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | Process: Process Creation | |
[T1610] Deploy Container
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_permissions_required | ['User', 'root'] | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-01 13:14:58.939000+00:00 | 2023-04-15 16:13:40.232000+00:00 |
| external_references[1]['source_name'] | Docker Containers API | Aqua Build Images on Hosts |
| external_references[1]['description'] | Docker. (n.d.). Docker Engine API v1.41 Reference - Container. Retrieved March 29, 2021. | Assaf Morag. (2020, July 15). Threat Alert: Attackers Building Malicious Images on Your Hosts. Retrieved March 29, 2021. |
| external_references[1]['url'] | https://docs.docker.com/engine/api/v1.41/#tag/Container | https://blog.aquasec.com/malicious-container-image-docker-container-host |
| external_references[2]['source_name'] | Kubernetes Dashboard | Docker Containers API |
| external_references[2]['description'] | The Kubernetes Authors. (n.d.). Kubernetes Web UI (Dashboard). Retrieved March 29, 2021. | Docker. (n.d.). Docker Engine API v1.41 Reference - Container. Retrieved March 29, 2021. |
| external_references[2]['url'] | https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/ | https://docs.docker.com/engine/api/v1.41/#tag/Container |
| external_references[4]['source_name'] | Aqua Build Images on Hosts | Kubernetes Dashboard |
| external_references[4]['description'] | Assaf Morag. (2020, July 15). Threat Alert: Attackers Building Malicious Images on Your Hosts. Retrieved March 29, 2021. | The Kubernetes Authors. (n.d.). Kubernetes Web UI (Dashboard). Retrieved March 29, 2021. |
| external_references[4]['url'] | https://blog.aquasec.com/malicious-container-image-docker-container-host | https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/ |
| x_mitre_data_sources[1] | Container: Container Creation | Application Log: Application Log Content |
| x_mitre_data_sources[3] | Application Log: Application Log Content | Container: Container Creation |
| x_mitre_version | 1.1 | 1.2 |
[T1098.005] Account Manipulation: Device Registration
Current version: 1.1
Version changed from: 1.0 → 1.1
|
|
|---|
| t | Adversaries may register a device to an adversary-controlled | t | Adversaries may register a device to an adversary-controlled |
| account. Devices may be registered in a multifactor authent | | account. Devices may be registered in a multifactor authent |
| ication (MFA) system, which handles authentication to the ne | | ication (MFA) system, which handles authentication to the ne |
| twork, or in a device management system, which handles devic | | twork, or in a device management system, which handles devic |
| e access and compliance. MFA systems, such as Duo or Okta, | | e access and compliance. MFA systems, such as Duo or Okta, |
| allow users to associate devices with their accounts in orde | | allow users to associate devices with their accounts in orde |
| r to complete MFA requirements. An adversary that compromise | | r to complete MFA requirements. An adversary that compromise |
| s a user’s credentials may enroll a new device in order to b | | s a user’s credentials may enroll a new device in order to b |
| ypass initial MFA requirements and gain persistent access to | | ypass initial MFA requirements and gain persistent access to |
| a network.(Citation: CISA MFA PrintNightmare)(Citation: Dar | | a network.(Citation: CISA MFA PrintNightmare)(Citation: Dar |
| kReading FireEye SolarWinds) Similarly, an adversary with e | | kReading FireEye SolarWinds) In some cases, the MFA self-enr |
| xisting access to a network may register a device to Azure A | | ollment process may require only a username and password to |
| D and/or its device management system, Microsoft Intune, in | | enroll the account's first device or to enroll a device to a |
| order to access sensitive data or resources while bypassing | | n inactive account. (Citation: Mandiant APT29 Microsoft 365 |
| conditional access policies.(Citation: AADInternals - Device | | 2022) Similarly, an adversary with existing access to a net |
| Registration)(Citation: AADInternals - Conditional Access B | | work may register a device to Azure AD and/or its device man |
| ypass)(Citation: Microsoft DEV-0537) Devices registered in | | agement system, Microsoft Intune, in order to access sensiti |
| Azure AD may be able to conduct [Internal Spearphishing](ht | | ve data or resources while bypassing conditional access poli |
| tps://attack.mitre.org/techniques/T1534) campaigns via intra | | cies.(Citation: AADInternals - Device Registration)(Citation |
| -organizational emails, which are less likely to be treated | | : AADInternals - Conditional Access Bypass)(Citation: Micros |
| as suspicious by the email client.(Citation: Microsoft - Dev | | oft DEV-0537) Devices registered in Azure AD may be able t |
| ice Registration) Additionally, an adversary may be able to | | o conduct [Internal Spearphishing](https://attack.mitre.org/ |
| perform a [Service Exhaustion Flood](https://attack.mitre.or | | techniques/T1534) campaigns via intra-organizational emails, |
| g/techniques/T1499/002) on an Azure AD tenant by registering | | which are less likely to be treated as suspicious by the em |
| a large number of devices.(Citation: AADInternals - BPRT) | | ail client.(Citation: Microsoft - Device Registration) Addit |
| | | ionally, an adversary may be able to perform a [Service Exha |
| | | ustion Flood](https://attack.mitre.org/techniques/T1499/002) |
| | | on an Azure AD tenant by registering a large number of devi |
| | | ces.(Citation: AADInternals - BPRT) |
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-25 16:26:53.204000+00:00 | 2023-04-20 18:14:17.197000+00:00 |
| description | Adversaries may register a device to an adversary-controlled account. Devices may be registered in a multifactor authentication (MFA) system, which handles authentication to the network, or in a device management system, which handles device access and compliance.
MFA systems, such as Duo or Okta, allow users to associate devices with their accounts in order to complete MFA requirements. An adversary that compromises a user’s credentials may enroll a new device in order to bypass initial MFA requirements and gain persistent access to a network.(Citation: CISA MFA PrintNightmare)(Citation: DarkReading FireEye SolarWinds)
Similarly, an adversary with existing access to a network may register a device to Azure AD and/or its device management system, Microsoft Intune, in order to access sensitive data or resources while bypassing conditional access policies.(Citation: AADInternals - Device Registration)(Citation: AADInternals - Conditional Access Bypass)(Citation: Microsoft DEV-0537)
Devices registered in Azure AD may be able to conduct [Internal Spearphishing](https://attack.mitre.org/techniques/T1534) campaigns via intra-organizational emails, which are less likely to be treated as suspicious by the email client.(Citation: Microsoft - Device Registration) Additionally, an adversary may be able to perform a [Service Exhaustion Flood](https://attack.mitre.org/techniques/T1499/002) on an Azure AD tenant by registering a large number of devices.(Citation: AADInternals - BPRT) | Adversaries may register a device to an adversary-controlled account. Devices may be registered in a multifactor authentication (MFA) system, which handles authentication to the network, or in a device management system, which handles device access and compliance.
MFA systems, such as Duo or Okta, allow users to associate devices with their accounts in order to complete MFA requirements. An adversary that compromises a user’s credentials may enroll a new device in order to bypass initial MFA requirements and gain persistent access to a network.(Citation: CISA MFA PrintNightmare)(Citation: DarkReading FireEye SolarWinds) In some cases, the MFA self-enrollment process may require only a username and password to enroll the account's first device or to enroll a device to an inactive account. (Citation: Mandiant APT29 Microsoft 365 2022)
Similarly, an adversary with existing access to a network may register a device to Azure AD and/or its device management system, Microsoft Intune, in order to access sensitive data or resources while bypassing conditional access policies.(Citation: AADInternals - Device Registration)(Citation: AADInternals - Conditional Access Bypass)(Citation: Microsoft DEV-0537)
Devices registered in Azure AD may be able to conduct [Internal Spearphishing](https://attack.mitre.org/techniques/T1534) campaigns via intra-organizational emails, which are less likely to be treated as suspicious by the email client.(Citation: Microsoft - Device Registration) Additionally, an adversary may be able to perform a [Service Exhaustion Flood](https://attack.mitre.org/techniques/T1499/002) on an Azure AD tenant by registering a large number of devices.(Citation: AADInternals - BPRT) |
| external_references[2]['source_name'] | AADInternals - Conditional Access Bypass | Mandiant APT29 Microsoft 365 2022 |
| external_references[2]['description'] | Dr. Nestori Syynimaa. (2020, September 6). Bypassing conditional access by faking device compliance. Retrieved March 4, 2022. | Douglas Bienstock. (2022, August 18). You Can’t Audit Me: APT29 Continues Targeting Microsoft 365. Retrieved February 23, 2023. |
| external_references[2]['url'] | https://o365blog.com/post/mdm | https://www.mandiant.com/resources/blog/apt29-continues-targeting-microsoft |
| external_references[3]['source_name'] | AADInternals - BPRT | AADInternals - Conditional Access Bypass |
| external_references[3]['description'] | Dr. Nestori Syynimaa. (2021, January 31). BPRT unleashed: Joining multiple devices to Azure AD and Intune. Retrieved March 4, 2022. | Dr. Nestori Syynimaa. (2020, September 6). Bypassing conditional access by faking device compliance. Retrieved March 4, 2022. |
| external_references[3]['url'] | https://o365blog.com/post/bprt/ | https://o365blog.com/post/mdm |
| external_references[4]['source_name'] | AADInternals - Device Registration | AADInternals - BPRT |
| external_references[4]['description'] | Dr. Nestori Syynimaa. (2021, March 3). Deep-dive to Azure AD device join. Retrieved March 9, 2022. | Dr. Nestori Syynimaa. (2021, January 31). BPRT unleashed: Joining multiple devices to Azure AD and Intune. Retrieved March 4, 2022. |
| external_references[4]['url'] | https://o365blog.com/post/devices/ | https://o365blog.com/post/bprt/ |
| external_references[5]['source_name'] | DarkReading FireEye SolarWinds | AADInternals - Device Registration |
| external_references[5]['description'] | Kelly Jackson Higgins. (2021, January 7). FireEye's Mandia: 'Severity-Zero Alert' Led to Discovery of SolarWinds Attack. Retrieved April 18, 2022. | Dr. Nestori Syynimaa. (2021, March 3). Deep-dive to Azure AD device join. Retrieved March 9, 2022. |
| external_references[5]['url'] | https://www.darkreading.com/threat-intelligence/fireeye-s-mandia-severity-zero-alert-led-to-discovery-of-solarwinds-attack | https://o365blog.com/post/devices/ |
| external_references[6]['source_name'] | Microsoft - Device Registration | DarkReading FireEye SolarWinds |
| external_references[6]['description'] | Microsoft 365 Defender Threat Intelligence Team. (2022, January 26). Evolved phishing: Device registration trick adds to phishers’ toolbox for victims without MFA. Retrieved March 4, 2022. | Kelly Jackson Higgins. (2021, January 7). FireEye's Mandia: 'Severity-Zero Alert' Led to Discovery of SolarWinds Attack. Retrieved April 18, 2022. |
| external_references[6]['url'] | https://www.microsoft.com/security/blog/2022/01/26/evolved-phishing-device-registration-trick-adds-to-phishers-toolbox-for-victims-without-mfa | https://www.darkreading.com/threat-intelligence/fireeye-s-mandia-severity-zero-alert-led-to-discovery-of-solarwinds-attack |
| external_references[7]['source_name'] | Microsoft DEV-0537 | Microsoft - Device Registration |
| external_references[7]['description'] | Microsoft. (2022, March 22). DEV-0537 criminal actor targeting organizations for data exfiltration and destruction. Retrieved March 23, 2022. | Microsoft 365 Defender Threat Intelligence Team. (2022, January 26). Evolved phishing: Device registration trick adds to phishers’ toolbox for victims without MFA. Retrieved March 4, 2022. |
| external_references[7]['url'] | https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/ | https://www.microsoft.com/security/blog/2022/01/26/evolved-phishing-device-registration-trick-adds-to-phishers-toolbox-for-victims-without-mfa |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_data_sources[0] | User Account: User Account Modification | Active Directory: Active Directory Object Creation |
| x_mitre_data_sources[1] | Active Directory: Active Directory Object Creation | User Account: User Account Modification |
| x_mitre_version | 1.0 | 1.1 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| external_references | | {'source_name': 'Microsoft DEV-0537', 'description': 'Microsoft. (2022, March 22). DEV-0537 criminal actor targeting organizations for data exfiltration and destruction. Retrieved March 23, 2022.', 'url': 'https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/'} |
| x_mitre_contributors | | Joe Gumke, U.S. Bank |
[T1562.008] Impair Defenses: Disable Cloud Logs
Current version: 1.3
Version changed from: 1.2 → 1.3
|
|
|---|
| t | An adversary may disable cloud logging capabilities and inte | t | An adversary may disable cloud logging capabilities and inte |
| grations to limit what data is collected on their activities | | grations to limit what data is collected on their activities |
| and avoid detection. Cloud environments allow for collect | | and avoid detection. Cloud environments allow for collectio |
| ion and analysis of audit and application logs that provide | | n and analysis of audit and application logs that provide in |
| insight into what activities a user does within the environm | | sight into what activities a user does within the environmen |
| ent. If an adversary has sufficient permissions, they can di | | t. If an adversary has sufficient permissions, they can disa |
| sable logging to avoid detection of their activities. For ex | | ble logging to avoid detection of their activities. For exa |
| ample, in AWS an adversary may disable CloudWatch/CloudTrail | | mple, in AWS an adversary may disable CloudWatch/CloudTrail |
| integrations prior to conducting further malicious activity | | integrations prior to conducting further malicious activity. |
| .(Citation: Following the CloudTrail: Generating strong AWS | | (Citation: Following the CloudTrail: Generating strong AWS s |
| security signals with Sumo Logic) | | ecurity signals with Sumo Logic) In Office 365, an adversary |
| | | may disable logging on mail collection activities for speci |
| | | fic users by using the `Set-MailboxAuditBypassAssociation` c |
| | | mdlet, by disabling M365 Advanced Auditing for the user, or |
| | | by downgrading the user’s license from an Enterprise E5 to a |
| | | n Enterprise E3 license.(Citation: Dark Reading Microsoft 36 |
| | | 5 Attacks 2021) |
New Detections:
- DS0002: User Account (User Account Modification)
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_permissions_required | ['User'] | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-03-08 21:55:27.505000+00:00 | 2023-04-20 18:13:50.277000+00:00 |
| description | An adversary may disable cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection.
Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable logging to avoid detection of their activities. For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.(Citation: Following the CloudTrail: Generating strong AWS security signals with Sumo Logic) | An adversary may disable cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable logging to avoid detection of their activities.
For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.(Citation: Following the CloudTrail: Generating strong AWS security signals with Sumo Logic) In Office 365, an adversary may disable logging on mail collection activities for specific users by using the `Set-MailboxAuditBypassAssociation` cmdlet, by disabling M365 Advanced Auditing for the user, or by downgrading the user’s license from an Enterprise E5 to an Enterprise E3 license.(Citation: Dark Reading Microsoft 365 Attacks 2021) |
| external_references[1]['source_name'] | Following the CloudTrail: Generating strong AWS security signals with Sumo Logic | Stopping CloudTrail from Sending Events to CloudWatch Logs |
| external_references[1]['description'] | Dan Whalen. (2019, September 10). Following the CloudTrail: Generating strong AWS security signals with Sumo Logic. Retrieved October 16, 2020. | Amazon Web Services. (n.d.). Stopping CloudTrail from Sending Events to CloudWatch Logs. Retrieved October 16, 2020. |
| external_references[1]['url'] | https://expel.io/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/ | https://docs.aws.amazon.com/awscloudtrail/latest/userguide/stop-cloudtrail-from-sending-events-to-cloudwatch-logs.html |
| external_references[2]['source_name'] | Stopping CloudTrail from Sending Events to CloudWatch Logs | Following the CloudTrail: Generating strong AWS security signals with Sumo Logic |
| external_references[2]['description'] | Amazon Web Services. (n.d.). Stopping CloudTrail from Sending Events to CloudWatch Logs. Retrieved October 16, 2020. | Dan Whalen. (2019, September 10). Following the CloudTrail: Generating strong AWS security signals with Sumo Logic. Retrieved October 16, 2020. |
| external_references[2]['url'] | https://docs.aws.amazon.com/awscloudtrail/latest/userguide/stop-cloudtrail-from-sending-events-to-cloudwatch-logs.html | https://expel.io/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/ |
| external_references[4]['source_name'] | az monitor diagnostic-settings | Dark Reading Microsoft 365 Attacks 2021 |
| external_references[4]['description'] | Microsoft. (n.d.). az monitor diagnostic-settings. Retrieved October 16, 2020. | Kelly Sheridan. (2021, August 5). Incident Responders Explore Microsoft 365 Attacks in the Wild. Retrieved March 17, 2023. |
| external_references[4]['url'] | https://docs.microsoft.com/en-us/cli/azure/monitor/diagnostic-settings?view=azure-cli-latest#az_monitor_diagnostic_settings_delete | https://www.darkreading.com/threat-intelligence/incident-responders-explore-microsoft-365-attacks-in-the-wild/d/d-id/1341591 |
| x_mitre_detection | Monitor logs for API calls to disable logging. In AWS, monitor for: StopLogging and DeleteTrail.(Citation: Stopping CloudTrail from Sending Events to CloudWatch Logs) In GCP, monitor for: google.logging.v2.ConfigServiceV2.UpdateSink.(Citation: Configuring Data Access audit logs) In Azure, monitor for az monitor diagnostic-settings delete.(Citation: az monitor diagnostic-settings) Additionally, a sudden loss of a log source may indicate that it has been disabled. | Monitor logs for API calls to disable logging. In AWS, monitor for: StopLogging and DeleteTrail.(Citation: Stopping CloudTrail from Sending Events to CloudWatch Logs) In GCP, monitor for: google.logging.v2.ConfigServiceV2.UpdateSink.(Citation: Configuring Data Access audit logs) In Azure, monitor for az monitor diagnostic-settings delete.(Citation: az monitor diagnostic-settings) Additionally, a sudden loss of a log source may indicate that it has been disabled. |
| x_mitre_version | 1.2 | 1.3 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| external_references | | {'source_name': 'az monitor diagnostic-settings', 'description': 'Microsoft. (n.d.). az monitor diagnostic-settings. Retrieved October 16, 2020.', 'url': 'https://docs.microsoft.com/en-us/cli/azure/monitor/diagnostic-settings?view=azure-cli-latest#az_monitor_diagnostic_settings_delete'} |
| x_mitre_contributors | | Joe Gumke, U.S. Bank |
| x_mitre_data_sources | | User Account: User Account Modification |
| x_mitre_platforms | | SaaS |
| x_mitre_platforms | | Google Workspace |
| x_mitre_platforms | | Azure AD |
| x_mitre_platforms | | Office 365 |
[T1562.002] Impair Defenses: Disable Windows Event Logging
Current version: 1.2
Version changed from: 1.1 → 1.2
|
|
|---|
| t | Adversaries may disable Windows event logging to limit data | t | Adversaries may disable Windows event logging to limit data |
| that can be leveraged for detections and audits. Windows eve | | that can be leveraged for detections and audits. Windows eve |
| nt logs record user and system activity such as login attemp | | nt logs record user and system activity such as login attemp |
| ts, process creation, and much more.(Citation: Windows Log E | | ts, process creation, and much more.(Citation: Windows Log E |
| vents) This data is used by security tools and analysts to g | | vents) This data is used by security tools and analysts to g |
| enerate detections. The EventLog service maintains event lo | | enerate detections. The EventLog service maintains event lo |
| gs from various system components and applications.(Citation | | gs from various system components and applications.(Citation |
| : EventLog_Core_Technologies) By default, the service automa | | : EventLog_Core_Technologies) By default, the service automa |
| tically starts when a system powers on. An audit policy, mai | | tically starts when a system powers on. An audit policy, mai |
| ntained by the Local Security Policy (secpol.msc), defines w | | ntained by the Local Security Policy (secpol.msc), defines w |
| hich system events the EventLog service logs. Security audit | | hich system events the EventLog service logs. Security audit |
| policy settings can be changed by running secpol.msc, then | | policy settings can be changed by running secpol.msc, then |
| navigating to <code>Security Settings\Local Policies\Audit P | | navigating to <code>Security Settings\Local Policies\Audit P |
| olicy</code> for basic audit policy settings or <code>Securi | | olicy</code> for basic audit policy settings or <code>Securi |
| ty Settings\Advanced Audit Policy Configuration</code> for a | | ty Settings\Advanced Audit Policy Configuration</code> for a |
| dvanced audit policy settings.(Citation: Audit_Policy_Micros | | dvanced audit policy settings.(Citation: Audit_Policy_Micros |
| oft)(Citation: Advanced_sec_audit_policy_settings) <code>aud | | oft)(Citation: Advanced_sec_audit_policy_settings) <code>aud |
| itpol.exe</code> may also be used to set audit policies.(Cit | | itpol.exe</code> may also be used to set audit policies.(Cit |
| ation: auditpol) Adversaries may target system-wide logging | | ation: auditpol) Adversaries may target system-wide logging |
| or just that of a particular application. For example, the | | or just that of a particular application. For example, the |
| EventLog service may be disabled using the following PowerSh | | Windows EventLog service may be disabled using the <code>Set |
| ell line: <code>Stop-Service -Name EventLog</code>.(Citation | | -Service -Name EventLog -Status Stopped</code> or <code>sc c |
| : Disable_Win_Event_Logging) Additionally, adversaries may u | | onfig eventlog start=disabled</code> commands (followed by m |
| se <code>auditpol</code> and its sub-commands in a command p | | anually stopping the service using <code>Stop-Service -Name |
| rompt to disable auditing or clear the audit policy. To enab | | EventLog</code>).(Citation: Disable_Win_Event_Logging)(Cita |
| le or disable a specified setting or audit category, adversa | | tion: disable_win_evt_logging) Additionally, the service may |
| ries may use the <code>/success</code> or <code>/failure</co | | be disabled by modifying the “Start” value in <code>HKEY_LO |
| de> parameters. For example, <code>auditpol /set /category:” | | CAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog</code |
| Account Logon” /success:disable /failure:disable</code> turn | | > then restarting the system for the change to take effect.( |
| s off auditing for the Account Logon category.(Citation: aud | | Citation: disable_win_evt_logging) There are several ways t |
| itpol.exe_STRONTIC)(Citation: T1562.002_redcanaryco) To clea | | o disable the EventLog service via registry key modification |
| r the audit policy, adversaries may run the following lines: | | . First, without Administrator privileges, adversaries may m |
| <code>auditpol /clear /y</code> or <code>auditpol /remove / | | odify the "Start" value in the key <code>HKEY_LOCAL_MACHINE\ |
| allusers</code>.(Citation: T1562.002_redcanaryco) By disabl | | SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Sec |
| ing Windows event logging, adversaries can operate while lea | | urity</code>, then reboot the system to disable the Security |
| ving less evidence of a compromise behind. | | EventLog.(Citation: winser19_file_overwrite_bug_twitter) Se |
| | | cond, with Administrator privilege, adversaries may modify t |
| | | he same values in <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentCon |
| | | trolSet\Control\WMI\Autologger\EventLog-System</code> and <c |
| | | ode>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\ |
| | | Autologger\EventLog-Application</code> to disable the entire |
| | | EventLog.(Citation: disable_win_evt_logging) Additionally, |
| | | adversaries may use <code>auditpol</code> and its sub-comma |
| | | nds in a command prompt to disable auditing or clear the aud |
| | | it policy. To enable or disable a specified setting or audit |
| | | category, adversaries may use the <code>/success</code> or |
| | | <code>/failure</code> parameters. For example, <code>auditpo |
| | | l /set /category:”Account Logon” /success:disable /failure:d |
| | | isable</code> turns off auditing for the Account Logon categ |
| | | ory.(Citation: auditpol.exe_STRONTIC)(Citation: T1562.002_re |
| | | dcanaryco) To clear the audit policy, adversaries may run th |
| | | e following lines: <code>auditpol /clear /y</code> or <code> |
| | | auditpol /remove /allusers</code>.(Citation: T1562.002_redca |
| | | naryco) By disabling Windows event logging, adversaries can |
| | | operate while leaving less evidence of a compromise behind. |
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_permissions_required | ['Administrator'] | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-10-19 13:37:30.534000+00:00 | 2023-03-17 23:24:19.730000+00:00 |
| description | Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. Windows event logs record user and system activity such as login attempts, process creation, and much more.(Citation: Windows Log Events) This data is used by security tools and analysts to generate detections.
The EventLog service maintains event logs from various system components and applications.(Citation: EventLog_Core_Technologies) By default, the service automatically starts when a system powers on. An audit policy, maintained by the Local Security Policy (secpol.msc), defines which system events the EventLog service logs. Security audit policy settings can be changed by running secpol.msc, then navigating to Security Settings\Local Policies\Audit Policy for basic audit policy settings or Security Settings\Advanced Audit Policy Configuration for advanced audit policy settings.(Citation: Audit_Policy_Microsoft)(Citation: Advanced_sec_audit_policy_settings) auditpol.exe may also be used to set audit policies.(Citation: auditpol)
Adversaries may target system-wide logging or just that of a particular application. For example, the EventLog service may be disabled using the following PowerShell line: Stop-Service -Name EventLog.(Citation: Disable_Win_Event_Logging) Additionally, adversaries may use auditpol and its sub-commands in a command prompt to disable auditing or clear the audit policy. To enable or disable a specified setting or audit category, adversaries may use the /success or /failure parameters. For example, auditpol /set /category:”Account Logon” /success:disable /failure:disable turns off auditing for the Account Logon category.(Citation: auditpol.exe_STRONTIC)(Citation: T1562.002_redcanaryco) To clear the audit policy, adversaries may run the following lines: auditpol /clear /y or auditpol /remove /allusers.(Citation: T1562.002_redcanaryco)
By disabling Windows event logging, adversaries can operate while leaving less evidence of a compromise behind. | Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. Windows event logs record user and system activity such as login attempts, process creation, and much more.(Citation: Windows Log Events) This data is used by security tools and analysts to generate detections.
The EventLog service maintains event logs from various system components and applications.(Citation: EventLog_Core_Technologies) By default, the service automatically starts when a system powers on. An audit policy, maintained by the Local Security Policy (secpol.msc), defines which system events the EventLog service logs. Security audit policy settings can be changed by running secpol.msc, then navigating to Security Settings\Local Policies\Audit Policy for basic audit policy settings or Security Settings\Advanced Audit Policy Configuration for advanced audit policy settings.(Citation: Audit_Policy_Microsoft)(Citation: Advanced_sec_audit_policy_settings) auditpol.exe may also be used to set audit policies.(Citation: auditpol)
Adversaries may target system-wide logging or just that of a particular application. For example, the Windows EventLog service may be disabled using the Set-Service -Name EventLog -Status Stopped or sc config eventlog start=disabled commands (followed by manually stopping the service using Stop-Service -Name EventLog).(Citation: Disable_Win_Event_Logging)(Citation: disable_win_evt_logging) Additionally, the service may be disabled by modifying the “Start” value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog then restarting the system for the change to take effect.(Citation: disable_win_evt_logging)
There are several ways to disable the EventLog service via registry key modification. First, without Administrator privileges, adversaries may modify the "Start" value in the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Security, then reboot the system to disable the Security EventLog.(Citation: winser19_file_overwrite_bug_twitter) Second, with Administrator privilege, adversaries may modify the same values in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application to disable the entire EventLog.(Citation: disable_win_evt_logging)
Additionally, adversaries may use auditpol and its sub-commands in a command prompt to disable auditing or clear the audit policy. To enable or disable a specified setting or audit category, adversaries may use the /success or /failure parameters. For example, auditpol /set /category:”Account Logon” /success:disable /failure:disable turns off auditing for the Account Logon category.(Citation: auditpol.exe_STRONTIC)(Citation: T1562.002_redcanaryco) To clear the audit policy, adversaries may run the following lines: auditpol /clear /y or auditpol /remove /allusers.(Citation: T1562.002_redcanaryco)
By disabling Windows event logging, adversaries can operate while leaving less evidence of a compromise behind. |
| external_references[1]['source_name'] | Windows Log Events | Disable_Win_Event_Logging |
| external_references[1]['description'] | Franklin Smith. (n.d.). Windows Security Log Events. Retrieved February 21, 2020. | dmcxblue. (n.d.). Disable Windows Event Logging. Retrieved September 10, 2021. |
| external_references[1]['url'] | https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/ | https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/defense-evasion/t1562-impair-defenses/disable-windows-event-logging |
| external_references[2]['source_name'] | EventLog_Core_Technologies | def_ev_win_event_logging |
| external_references[2]['description'] | Core Technologies. (2021, May 24). Essential Windows Services: EventLog / Windows Event Log. Retrieved September 14, 2021. | Chandel, R. (2021, April 22). Defense Evasion: Windows Event Logging (T1562.002). Retrieved September 14, 2021. |
| external_references[2]['url'] | https://www.coretechnologies.com/blog/windows-services/eventlog/ | https://www.hackingarticles.in/defense-evasion-windows-event-logging-t1562-002/ |
| external_references[3]['source_name'] | Audit_Policy_Microsoft | EventLog_Core_Technologies |
| external_references[3]['description'] | Daniel Simpson. (2017, April 19). Audit Policy. Retrieved September 13, 2021. | Core Technologies. (2021, May 24). Essential Windows Services: EventLog / Windows Event Log. Retrieved September 14, 2021. |
| external_references[3]['url'] | https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/audit-policy | https://www.coretechnologies.com/blog/windows-services/eventlog/ |
| external_references[4]['source_name'] | Advanced_sec_audit_policy_settings | Audit_Policy_Microsoft |
| external_references[4]['description'] | Simpson, D. et al. (2017, April 19). Advanced security audit policy settings. Retrieved September 14, 2021. | Daniel Simpson. (2017, April 19). Audit Policy. Retrieved September 13, 2021. |
| external_references[4]['url'] | https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings | https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/audit-policy |
| external_references[5]['source_name'] | auditpol | Windows Log Events |
| external_references[5]['description'] | Jason Gerend, et al. (2017, October 16). auditpol. Retrieved September 1, 2021. | Franklin Smith. (n.d.). Windows Security Log Events. Retrieved February 21, 2020. |
| external_references[5]['url'] | https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/auditpol | https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/ |
| external_references[6]['source_name'] | Disable_Win_Event_Logging | disable_win_evt_logging |
| external_references[6]['description'] | dmcxblue. (n.d.). Disable Windows Event Logging. Retrieved September 10, 2021. | Heiligenstein, L. (n.d.). REP-25: Disable Windows Event Logging. Retrieved April 7, 2022. |
| external_references[6]['url'] | https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/defense-evasion/t1562-impair-defenses/disable-windows-event-logging | https://ptylu.github.io/content/report/report.html?report=25 |
| external_references[7]['source_name'] | auditpol.exe_STRONTIC | auditpol |
| external_references[7]['description'] | STRONTIC. (n.d.). auditpol.exe. Retrieved September 9, 2021. | Jason Gerend, et al. (2017, October 16). auditpol. Retrieved September 1, 2021. |
| external_references[7]['url'] | https://strontic.github.io/xcyclopedia/library/auditpol.exe-214E0EA1F7F7C27C82D23F183F9D23F1.html | https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/auditpol |
| external_references[8]['source_name'] | T1562.002_redcanaryco | winser19_file_overwrite_bug_twitter |
| external_references[8]['description'] | redcanaryco. (2021, September 3). T1562.002 - Disable Windows Event Logging. Retrieved September 13, 2021. | Naceri, A. (2021, November 7). Windows Server 2019 file overwrite bug. Retrieved April 7, 2022. |
| external_references[8]['url'] | https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md | https://web.archive.org/web/20211107115646/https://twitter.com/klinix5/status/1457316029114327040 |
| external_references[9]['source_name'] | def_ev_win_event_logging | T1562.002_redcanaryco |
| external_references[9]['description'] | Chandel, R. (2021, April 22). Defense Evasion: Windows Event Logging (T1562.002). Retrieved September 14, 2021. | redcanaryco. (2021, September 3). T1562.002 - Disable Windows Event Logging. Retrieved September 13, 2021. |
| external_references[9]['url'] | https://www.hackingarticles.in/defense-evasion-windows-event-logging-t1562-002/ | https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md |
| external_references[10]['source_name'] | evt_log_tampering | Advanced_sec_audit_policy_settings |
| external_references[10]['description'] | svch0st. (2020, September 30). Event Log Tampering Part 1: Disrupting the EventLog Service. Retrieved September 14, 2021. | Simpson, D. et al. (2017, April 19). Advanced security audit policy settings. Retrieved September 14, 2021. |
| external_references[10]['url'] | https://svch0st.medium.com/event-log-tampering-part-1-disrupting-the-eventlog-service-8d4b7d67335c | https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings |
| x_mitre_data_sources[0] | Command: Command Execution | Sensor Health: Host Status |
| x_mitre_data_sources[1] | Sensor Health: Host Status | Script: Script Execution |
| x_mitre_data_sources[3] | Script: Script Execution | Windows Registry: Windows Registry Key Creation |
| x_mitre_data_sources[5] | Windows Registry: Windows Registry Key Creation | Command: Command Execution |
| x_mitre_version | 1.1 | 1.2 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| external_references | | {'source_name': 'auditpol.exe_STRONTIC', 'description': 'STRONTIC. (n.d.). auditpol.exe. Retrieved September 9, 2021.', 'url': 'https://strontic.github.io/xcyclopedia/library/auditpol.exe-214E0EA1F7F7C27C82D23F183F9D23F1.html'} |
| external_references | | {'source_name': 'evt_log_tampering', 'description': 'svch0st. (2020, September 30). Event Log Tampering Part 1: Disrupting the EventLog Service. Retrieved September 14, 2021.', 'url': 'https://svch0st.medium.com/event-log-tampering-part-1-disrupting-the-eventlog-service-8d4b7d67335c'} |
| x_mitre_contributors | | Lucas Heiligenstein |
[T1562.007] Impair Defenses: Disable or Modify Cloud Firewall
Current version: 1.2
Version changed from: 1.1 → 1.2
|
|
|---|
| t | Adversaries may disable or modify a firewall within a cloud | t | Adversaries may disable or modify a firewall within a cloud |
| environment to bypass controls that limit access to cloud re | | environment to bypass controls that limit access to cloud re |
| sources. Cloud firewalls are separate from system firewalls | | sources. Cloud firewalls are separate from system firewalls |
| that are described in [Disable or Modify System Firewall](ht | | that are described in [Disable or Modify System Firewall](ht |
| tps://attack.mitre.org/techniques/T1562/004). Cloud enviro | | tps://attack.mitre.org/techniques/T1562/004). Cloud enviro |
| nments typically utilize restrictive security groups and fir | | nments typically utilize restrictive security groups and fir |
| ewall rules that only allow network activity from trusted IP | | ewall rules that only allow network activity from trusted IP |
| addresses via expected ports and protocols. An adversary ma | | addresses via expected ports and protocols. An adversary ma |
| y introduce new firewall rules or policies to allow access i | | y introduce new firewall rules or policies to allow access i |
| nto a victim cloud environment. For example, an adversary ma | | nto a victim cloud environment. For example, an adversary ma |
| y use a script or utility that creates new ingress rules in | | y use a script or utility that creates new ingress rules in |
| existing security groups to allow any TCP/IP connectivity.(C | | existing security groups to allow any TCP/IP connectivity, o |
| itation: Expel IO Evil in AWS) Modifying or disabling a clo | | r remove networking limitations to support traffic associate |
| ud firewall may enable adversary C2 communications, lateral | | d with malicious activity (such as cryptomining).(Citation: |
| movement, and/or data exfiltration that would otherwise not | | Expel IO Evil in AWS)(Citation: Palo Alto Unit 42 Compromise |
| be allowed. | | d Cloud Compute Credentials 2022) Modifying or disabling a |
| | | cloud firewall may enable adversary C2 communications, later |
| | | al movement, and/or data exfiltration that would otherwise n |
| | | ot be allowed. |
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_permissions_required | ['User'] | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-03-08 10:33:02.146000+00:00 | 2023-04-15 00:25:36.502000+00:00 |
| description | Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources. Cloud firewalls are separate from system firewalls that are described in [Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1562/004).
Cloud environments typically utilize restrictive security groups and firewall rules that only allow network activity from trusted IP addresses via expected ports and protocols. An adversary may introduce new firewall rules or policies to allow access into a victim cloud environment. For example, an adversary may use a script or utility that creates new ingress rules in existing security groups to allow any TCP/IP connectivity.(Citation: Expel IO Evil in AWS)
Modifying or disabling a cloud firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. | Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources. Cloud firewalls are separate from system firewalls that are described in [Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1562/004).
Cloud environments typically utilize restrictive security groups and firewall rules that only allow network activity from trusted IP addresses via expected ports and protocols. An adversary may introduce new firewall rules or policies to allow access into a victim cloud environment. For example, an adversary may use a script or utility that creates new ingress rules in existing security groups to allow any TCP/IP connectivity, or remove networking limitations to support traffic associated with malicious activity (such as cryptomining).(Citation: Expel IO Evil in AWS)(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022)
Modifying or disabling a cloud firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. |
| x_mitre_version | 1.1 | 1.2 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| external_references | | {'source_name': 'Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022', 'description': 'Dror Alon. (2022, December 8). Compromised Cloud Compute Credentials: Case Studies From the Wild. Retrieved March 9, 2023.', 'url': 'https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/'} |
[T1562.004] Impair Defenses: Disable or Modify System Firewall
Current version: 1.1
Version changed from: 1.0 → 1.1
|
|
|---|
| t | Adversaries may disable or modify system firewalls in order | t | Adversaries may disable or modify system firewalls in order |
| to bypass controls limiting network usage. Changes could be | | to bypass controls limiting network usage. Changes could be |
| disabling the entire mechanism as well as adding, deleting, | | disabling the entire mechanism as well as adding, deleting, |
| or modifying particular rules. This can be done numerous way | | or modifying particular rules. This can be done numerous way |
| s depending on the operating system, including via command-l | | s depending on the operating system, including via command-l |
| ine, editing Windows Registry keys, and Windows Control Pane | | ine, editing Windows Registry keys, and Windows Control Pane |
| l. Modifying or disabling a system firewall may enable adve | | l. Modifying or disabling a system firewall may enable adve |
| rsary C2 communications, lateral movement, and/or data exfil | | rsary C2 communications, lateral movement, and/or data exfil |
| tration that would otherwise not be allowed. | | tration that would otherwise not be allowed. For example, ad |
| | | versaries may add a new firewall rule for a well-known proto |
| | | col (such as RDP) using a non-traditional and potentially le |
| | | ss securitized port (i.e. [Non-Standard Port](https://attack |
| | | .mitre.org/techniques/T1571)).(Citation: change_rdp_port_con |
| | | ti) |
New Mitigations:
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2020-03-29 22:18:11.166000+00:00 | 2023-02-28 22:34:38.316000+00:00 |
| description | Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.
Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. | Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.
Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add a new firewall rule for a well-known protocol (such as RDP) using a non-traditional and potentially less securitized port (i.e. [Non-Standard Port](https://attack.mitre.org/techniques/T1571)).(Citation: change_rdp_port_conti) |
| x_mitre_data_sources[1] | Firewall: Firewall Rule Modification | Windows Registry: Windows Registry Key Modification |
| x_mitre_data_sources[3] | Windows Registry: Windows Registry Key Modification | Firewall: Firewall Rule Modification |
| x_mitre_version | 1.0 | 1.1 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| external_references | | {'source_name': 'change_rdp_port_conti', 'description': 'The DFIR Report. (2022, March 1). "Change RDP port" #ContiLeaks. Retrieved March 1, 2022.', 'url': 'https://twitter.com/TheDFIRReport/status/1498657772254240768'} |
[T1562.001] Impair Defenses: Disable or Modify Tools
Current version: 1.4
Version changed from: 1.3 → 1.4
|
|
|---|
| t | Adversaries may modify and/or disable security tools to avoi | t | Adversaries may modify and/or disable security tools to avoi |
| d possible detection of their malware/tools and activities. | | d possible detection of their malware/tools and activities. |
| This may take many forms, such as killing security software | | This may take many forms, such as killing security software |
| processes or services, modifying / deleting Registry keys or | | processes or services, modifying / deleting Registry keys or |
| configuration files so that tools do not operate properly, | | configuration files so that tools do not operate properly, |
| or other methods to interfere with security tools scanning o | | or other methods to interfere with security tools scanning o |
| r reporting information. Adversaries may also disable update | | r reporting information. Adversaries may also disable update |
| s to prevent the latest security patches from reaching tools | | s to prevent the latest security patches from reaching tools |
| on victim systems.(Citation: SCADAfence_ransomware) Advers | | on victim systems.(Citation: SCADAfence_ransomware) Advers |
| aries may also tamper with artifacts deployed and utilized b | | aries may also tamper with artifacts deployed and utilized b |
| y security tools. Security tools may make dynamic changes to | | y security tools. Security tools may make dynamic changes to |
| system components in order to maintain visibility into spec | | system components in order to maintain visibility into spec |
| ific events. For example, security products may load their o | | ific events. For example, security products may load their o |
| wn modules and/or modify those loaded by processes to facili | | wn modules and/or modify those loaded by processes to facili |
| tate data collection. Similar to [Indicator Blocking](https: | | tate data collection. Similar to [Indicator Blocking](https: |
| //attack.mitre.org/techniques/T1562/006), adversaries may un | | //attack.mitre.org/techniques/T1562/006), adversaries may un |
| hook or otherwise modify these features added by tools (espe | | hook or otherwise modify these features added by tools (espe |
| cially those that exist in userland or are otherwise potenti | | cially those that exist in userland or are otherwise potenti |
| ally accessible to adversaries) to avoid detection.(Citation | | ally accessible to adversaries) to avoid detection.(Citation |
| : OutFlank System Calls)(Citation: MDSec System Calls) In c | | : OutFlank System Calls)(Citation: MDSec System Calls) Adv |
| loud environments, tools disabled by adversaries may include | | ersaries may also focus on specific applications such as Sys |
| cloud monitoring agents that report back to services such a | | mon. For example, the “Start” and “Enable” values in <code>H |
| s AWS CloudWatch or Google Cloud Monitor. Furthermore, alth | | KEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autol |
| ough defensive tools may have anti-tampering mechanisms, adv | | ogger\EventLog-Microsoft-Windows-Sysmon-Operational</code> m |
| ersaries may abuse tools such as legitimate rootkit removal | | ay be modified to tamper with and potentially disable Sysmon |
| kits to impair and/or disable these tools.(Citation: chasing | | logging.(Citation: disable_win_evt_logging) In cloud envi |
| _avaddon_ransomware)(Citation: dharma_ransomware)(Citation: | | ronments, tools disabled by adversaries may include cloud mo |
| demystifying_ryuk)(Citation: doppelpaymer_crowdstrike) For e | | nitoring agents that report back to services such as AWS Clo |
| xample, adversaries have used tools such as GMER to find and | | udWatch or Google Cloud Monitor. Furthermore, although defe |
| shut down hidden processes and antivirus software on infect | | nsive tools may have anti-tampering mechanisms, adversaries |
| ed systems.(Citation: demystifying_ryuk) Additionally, adve | | may abuse tools such as legitimate rootkit removal kits to i |
| rsaries may exploit legitimate drivers from anti-virus softw | | mpair and/or disable these tools.(Citation: chasing_avaddon_ |
| are to gain access to kernel space (i.e. [Exploitation for P | | ransomware)(Citation: dharma_ransomware)(Citation: demystify |
| rivilege Escalation](https://attack.mitre.org/techniques/T10 | | ing_ryuk)(Citation: doppelpaymer_crowdstrike) For example, a |
| 68)), which may lead to bypassing anti-tampering features.(C | | dversaries have used tools such as GMER to find and shut dow |
| itation: avoslocker_ransomware) | | n hidden processes and antivirus software on infected system |
| | | s.(Citation: demystifying_ryuk) Additionally, adversaries m |
| | | ay exploit legitimate drivers from anti-virus software to ga |
| | | in access to kernel space (i.e. [Exploitation for Privilege |
| | | Escalation](https://attack.mitre.org/techniques/T1068)), whi |
| | | ch may lead to bypassing anti-tampering features.(Citation: |
| | | avoslocker_ransomware) |
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| external_references | | Tran, T. (2020, November 24). Demystifying Ransomware Attacks Against Microsoft Defender Solution. Retrieved January 26, 2022. |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | CAPEC-578 | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-24 15:23:59.433000+00:00 | 2023-04-12 13:43:42.986000+00:00 |
| description | Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.(Citation: SCADAfence_ransomware)
Adversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to [Indicator Blocking](https://attack.mitre.org/techniques/T1562/006), adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls)
In cloud environments, tools disabled by adversaries may include cloud monitoring agents that report back to services such as AWS CloudWatch or Google Cloud Monitor.
Furthermore, although defensive tools may have anti-tampering mechanisms, adversaries may abuse tools such as legitimate rootkit removal kits to impair and/or disable these tools.(Citation: chasing_avaddon_ransomware)(Citation: dharma_ransomware)(Citation: demystifying_ryuk)(Citation: doppelpaymer_crowdstrike) For example, adversaries have used tools such as GMER to find and shut down hidden processes and antivirus software on infected systems.(Citation: demystifying_ryuk)
Additionally, adversaries may exploit legitimate drivers from anti-virus software to gain access to kernel space (i.e. [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)), which may lead to bypassing anti-tampering features.(Citation: avoslocker_ransomware) | Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.(Citation: SCADAfence_ransomware)
Adversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to [Indicator Blocking](https://attack.mitre.org/techniques/T1562/006), adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls)
Adversaries may also focus on specific applications such as Sysmon. For example, the “Start” and “Enable” values in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Microsoft-Windows-Sysmon-Operational may be modified to tamper with and potentially disable Sysmon logging.(Citation: disable_win_evt_logging)
In cloud environments, tools disabled by adversaries may include cloud monitoring agents that report back to services such as AWS CloudWatch or Google Cloud Monitor.
Furthermore, although defensive tools may have anti-tampering mechanisms, adversaries may abuse tools such as legitimate rootkit removal kits to impair and/or disable these tools.(Citation: chasing_avaddon_ransomware)(Citation: dharma_ransomware)(Citation: demystifying_ryuk)(Citation: doppelpaymer_crowdstrike) For example, adversaries have used tools such as GMER to find and shut down hidden processes and antivirus software on infected systems.(Citation: demystifying_ryuk)
Additionally, adversaries may exploit legitimate drivers from anti-virus software to gain access to kernel space (i.e. [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)), which may lead to bypassing anti-tampering features.(Citation: avoslocker_ransomware) |
| external_references[2]['source_name'] | chasing_avaddon_ransomware | disable_win_evt_logging |
| external_references[2]['description'] | Hernandez, A. S. Tarter, P. Ocamp, E. J. (2022, January 19). One Source to Rule Them All: Chasing AVADDON Ransomware. Retrieved January 26, 2022. | Heiligenstein, L. (n.d.). REP-25: Disable Windows Event Logging. Retrieved April 7, 2022. |
| external_references[2]['url'] | https://www.mandiant.com/resources/chasing-avaddon-ransomware | https://ptylu.github.io/content/report/report.html?report=25 |
| external_references[3]['source_name'] | doppelpaymer_crowdstrike | chasing_avaddon_ransomware |
| external_references[3]['description'] | Hurley, S. (2021, December 7). Critical Hit: How DoppelPaymer Hunts and Kills Windows Processes. Retrieved January 26, 2022. | Hernandez, A. S. Tarter, P. Ocamp, E. J. (2022, January 19). One Source to Rule Them All: Chasing AVADDON Ransomware. Retrieved January 26, 2022. |
| external_references[3]['url'] | https://www.crowdstrike.com/blog/how-doppelpaymer-hunts-and-kills-windows-processes/ | https://www.mandiant.com/resources/chasing-avaddon-ransomware |
| external_references[4]['source_name'] | avoslocker_ransomware | doppelpaymer_crowdstrike |
| external_references[4]['description'] | Lakshmanan, R. (2022, May 2). AvosLocker Ransomware Variant Using New Trick to Disable Antivirus Protection. Retrieved May 17, 2022. | Hurley, S. (2021, December 7). Critical Hit: How DoppelPaymer Hunts and Kills Windows Processes. Retrieved January 26, 2022. |
| external_references[4]['url'] | https://thehackernews.com/2022/05/avoslocker-ransomware-variant-using-new.html | https://www.crowdstrike.com/blog/how-doppelpaymer-hunts-and-kills-windows-processes/ |
| external_references[5]['source_name'] | dharma_ransomware | avoslocker_ransomware |
| external_references[5]['description'] | Loui, E. Scheuerman, K. et al. (2020, April 16). Targeted Dharma Ransomware Intrusions Exhibit Consistent Techniques. Retrieved January 26, 2022. | Lakshmanan, R. (2022, May 2). AvosLocker Ransomware Variant Using New Trick to Disable Antivirus Protection. Retrieved May 17, 2022. |
| external_references[5]['url'] | https://www.crowdstrike.com/blog/targeted-dharma-ransomware-intrusions-exhibit-consistent-techniques/ | https://thehackernews.com/2022/05/avoslocker-ransomware-variant-using-new.html |
| external_references[6]['source_name'] | MDSec System Calls | dharma_ransomware |
| external_references[6]['description'] | MDSec Research. (2020, December). Bypassing User-Mode Hooks and Direct Invocation of System Calls for Red Teams. Retrieved September 29, 2021. | Loui, E. Scheuerman, K. et al. (2020, April 16). Targeted Dharma Ransomware Intrusions Exhibit Consistent Techniques. Retrieved January 26, 2022. |
| external_references[6]['url'] | https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/ | https://www.crowdstrike.com/blog/targeted-dharma-ransomware-intrusions-exhibit-consistent-techniques/ |
| external_references[7]['source_name'] | SCADAfence_ransomware | MDSec System Calls |
| external_references[7]['description'] | Shaked, O. (2020, January 20). Anatomy of a Targeted Ransomware Attack. Retrieved June 18, 2022. | MDSec Research. (2020, December). Bypassing User-Mode Hooks and Direct Invocation of System Calls for Red Teams. Retrieved September 29, 2021. |
| external_references[7]['url'] | https://cdn.logic-control.com/docs/scadafence/Anatomy-Of-A-Targeted-Ransomware-Attack-WP.pdf | https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/ |
| external_references[8]['source_name'] | demystifying_ryuk | SCADAfence_ransomware |
| external_references[8]['description'] | Tran, T. (2020, November 24). Demystifying Ransomware Attacks Against Microsoft Defender Solution. Retrieved January 26, 2022. | Shaked, O. (2020, January 20). Anatomy of a Targeted Ransomware Attack. Retrieved June 18, 2022. |
| external_references[8]['url'] | https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/demystifying-ransomware-attacks-against-microsoft-defender/ba-p/1928947 | https://cdn.logic-control.com/docs/scadafence/Anatomy-Of-A-Targeted-Ransomware-Attack-WP.pdf |
| external_references[9]['source_name'] | capec | demystifying_ryuk |
| external_references[9]['url'] | https://capec.mitre.org/data/definitions/578.html | https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/demystifying-ransomware-attacks-against-microsoft-defender/ba-p/1928947 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_data_sources[1] | Driver: Driver Load | Windows Registry: Windows Registry Key Modification |
| x_mitre_data_sources[2] | Windows Registry: Windows Registry Key Modification | Process: Process Termination |
| x_mitre_data_sources[3] | Service: Service Metadata | Sensor Health: Host Status |
| x_mitre_data_sources[4] | Command: Command Execution | Driver: Driver Load |
| x_mitre_data_sources[5] | Process: Process Termination | Service: Service Metadata |
| x_mitre_data_sources[6] | Sensor Health: Host Status | Command: Command Execution |
| x_mitre_version | 1.3 | 1.4 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_contributors | | Lucas Heiligenstein |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_contributors | Lucas Heiligenstein | |
[T1561.002] Disk Wipe: Disk Structure Wipe
Current version: 1.1
Version changed from: 1.0 → 1.1
|
|
|---|
| t | Adversaries may corrupt or wipe the disk data structures on | t | Adversaries may corrupt or wipe the disk data structures on |
| a hard drive necessary to boot a system; targeting specific | | a hard drive necessary to boot a system; targeting specific |
| critical systems or in large numbers in a network to interru | | critical systems or in large numbers in a network to interru |
| pt availability to system and network resources. Adversari | | pt availability to system and network resources. Adversari |
| es may attempt to render the system unable to boot by overwr | | es may attempt to render the system unable to boot by overwr |
| iting critical data located in structures such as the master | | iting critical data located in structures such as the master |
| boot record (MBR) or partition table.(Citation: Symantec Sh | | boot record (MBR) or partition table.(Citation: Symantec Sh |
| amoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Pa | | amoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Pa |
| lo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 201 | | lo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 201 |
| 7)(Citation: Unit 42 Shamoon3 2018) The data contained in di | | 7)(Citation: Unit 42 Shamoon3 2018) The data contained in di |
| sk structures may include the initial executable code for lo | | sk structures may include the initial executable code for lo |
| ading an operating system or the location of the file system | | ading an operating system or the location of the file system |
| partitions on disk. If this information is not present, the | | partitions on disk. If this information is not present, the |
| computer will not be able to load an operating system durin | | computer will not be able to load an operating system durin |
| g the boot process, leaving the computer unavailable. [Disk | | g the boot process, leaving the computer unavailable. [Disk |
| Structure Wipe](https://attack.mitre.org/techniques/T1561/00 | | Structure Wipe](https://attack.mitre.org/techniques/T1561/00 |
| 2) may be performed in isolation, or along with [Disk Conten | | 2) may be performed in isolation, or along with [Disk Conten |
| t Wipe](https://attack.mitre.org/techniques/T1561/001) if al | | t Wipe](https://attack.mitre.org/techniques/T1561/001) if al |
| l sectors of a disk are wiped. To maximize impact on the ta | | l sectors of a disk are wiped. On a network devices, advers |
| rget organization, malware designed for destroying disk stru | | aries may reformat the file system using [Network Device CLI |
| ctures may have worm-like features to propagate across a net | | ](https://attack.mitre.org/techniques/T1059/008) commands su |
| work by leveraging other techniques like [Valid Accounts](ht | | ch as `format`.(Citation: format_cmd_cisco) To maximize imp |
| tps://attack.mitre.org/techniques/T1078), [OS Credential Dum | | act on the target organization, malware designed for destroy |
| ping](https://attack.mitre.org/techniques/T1003), and [SMB/W | | ing disk structures may have worm-like features to propagate |
| indows Admin Shares](https://attack.mitre.org/techniques/T10 | | across a network by leveraging other techniques like [Valid |
| 21/002).(Citation: Symantec Shamoon 2012)(Citation: FireEye | | Accounts](https://attack.mitre.org/techniques/T1078), [OS C |
| Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Cita | | redential Dumping](https://attack.mitre.org/techniques/T1003 |
| tion: Kaspersky StoneDrill 2017) | | ), and [SMB/Windows Admin Shares](https://attack.mitre.org/t |
| | | echniques/T1021/002).(Citation: Symantec Shamoon 2012)(Citat |
| | | ion: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon N |
| | | ov 2016)(Citation: Kaspersky StoneDrill 2017) |
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_contributors | | ['Austin Clark, @c2defense'] |
| x_mitre_deprecated | | False |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_permissions_required | ['User', 'Administrator', 'root', 'SYSTEM'] | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2020-03-28 23:00:00.367000+00:00 | 2023-04-14 19:38:24.089000+00:00 |
| description | Adversaries may corrupt or wipe the disk data structures on a hard drive necessary to boot a system; targeting specific critical systems or in large numbers in a network to interrupt availability to system and network resources.
Adversaries may attempt to render the system unable to boot by overwriting critical data located in structures such as the master boot record (MBR) or partition table.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018) The data contained in disk structures may include the initial executable code for loading an operating system or the location of the file system partitions on disk. If this information is not present, the computer will not be able to load an operating system during the boot process, leaving the computer unavailable. [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) may be performed in isolation, or along with [Disk Content Wipe](https://attack.mitre.org/techniques/T1561/001) if all sectors of a disk are wiped.
To maximize impact on the target organization, malware designed for destroying disk structures may have worm-like features to propagate across a network by leveraging other techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017) | Adversaries may corrupt or wipe the disk data structures on a hard drive necessary to boot a system; targeting specific critical systems or in large numbers in a network to interrupt availability to system and network resources.
Adversaries may attempt to render the system unable to boot by overwriting critical data located in structures such as the master boot record (MBR) or partition table.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018) The data contained in disk structures may include the initial executable code for loading an operating system or the location of the file system partitions on disk. If this information is not present, the computer will not be able to load an operating system during the boot process, leaving the computer unavailable. [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) may be performed in isolation, or along with [Disk Content Wipe](https://attack.mitre.org/techniques/T1561/001) if all sectors of a disk are wiped.
On a network devices, adversaries may reformat the file system using [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `format`.(Citation: format_cmd_cisco)
To maximize impact on the target organization, malware designed for destroying disk structures may have worm-like features to propagate across a network by leveraging other techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017) |
| external_references[1]['source_name'] | Symantec Shamoon 2012 | format_cmd_cisco |
| external_references[1]['description'] | Symantec. (2012, August 16). The Shamoon Attacks. Retrieved March 14, 2019. | Cisco. (2022, August 16). format - Cisco IOS Configuration Fundamentals Command Reference. Retrieved July 13, 2022. |
| external_references[1]['url'] | https://www.symantec.com/connect/blogs/shamoon-attacks | https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fundamentals/command/cf_command_ref/F_through_K.html#wp2829794668 |
| external_references[2]['source_name'] | FireEye Shamoon Nov 2016 | Unit 42 Shamoon3 2018 |
| external_references[2]['description'] | FireEye. (2016, November 30). FireEye Responds to Wave of Destructive Cyber Attacks in Gulf Region. Retrieved January 11, 2017. | Falcone, R. (2018, December 13). Shamoon 3 Targets Oil and Gas Organization. Retrieved March 14, 2019. |
| external_references[2]['url'] | https://www.fireeye.com/blog/threat-research/2016/11/fireeye_respondsto.html | https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/ |
| external_references[4]['source_name'] | Kaspersky StoneDrill 2017 | FireEye Shamoon Nov 2016 |
| external_references[4]['description'] | Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019. | FireEye. (2016, November 30). FireEye Responds to Wave of Destructive Cyber Attacks in Gulf Region. Retrieved January 11, 2017. |
| external_references[4]['url'] | https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180722/Report_Shamoon_StoneDrill_final.pdf | https://www.fireeye.com/blog/threat-research/2016/11/fireeye_respondsto.html |
| external_references[5]['source_name'] | Unit 42 Shamoon3 2018 | Kaspersky StoneDrill 2017 |
| external_references[5]['description'] | Falcone, R. (2018, December 13). Shamoon 3 Targets Oil and Gas Organization. Retrieved March 14, 2019. | Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019. |
| external_references[5]['url'] | https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/ | https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180722/Report_Shamoon_StoneDrill_final.pdf |
| x_mitre_data_sources[2] | Command: Command Execution | Driver: Driver Load |
| x_mitre_data_sources[3] | Driver: Driver Load | Command: Command Execution |
| x_mitre_detection | Look for attempts to read/write to sensitive locations like the master boot record and the disk partition table. Monitor for direct access read/write attempts using the \\\\.\\ notation.(Citation: Microsoft Sysmon v6 May 2017) Monitor for unusual kernel driver installation activity. | Look for attempts to read/write to sensitive locations like the master boot record and the disk partition table. Monitor for direct access read/write attempts using the \\\\.\\ notation.(Citation: Microsoft Sysmon v6 May 2017) Monitor for unusual kernel driver installation activity.
For network infrastructure devices, collect AAA logging to monitor for `format` commands being run to erase the file structure and prevent recovery of the device. |
| x_mitre_version | 1.0 | 1.1 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| external_references | | {'source_name': 'Symantec Shamoon 2012', 'description': 'Symantec. (2012, August 16). The Shamoon Attacks. Retrieved March 14, 2019.', 'url': 'https://www.symantec.com/connect/blogs/shamoon-attacks'} |
| x_mitre_platforms | | Network |
[T1561] Disk Wipe
Current version: 1.1
Version changed from: 1.0 → 1.1
|
|
|---|
| t | Adversaries may wipe or corrupt raw disk data on specific sy | t | Adversaries may wipe or corrupt raw disk data on specific sy |
| stems or in large numbers in a network to interrupt availabi | | stems or in large numbers in a network to interrupt availabi |
| lity to system and network resources. With direct write acce | | lity to system and network resources. With direct write acce |
| ss to a disk, adversaries may attempt to overwrite portions | | ss to a disk, adversaries may attempt to overwrite portions |
| of disk data. Adversaries may opt to wipe arbitrary portions | | of disk data. Adversaries may opt to wipe arbitrary portions |
| of disk data and/or wipe disk structures like the master bo | | of disk data and/or wipe disk structures like the master bo |
| ot record (MBR). A complete wipe of all disk sectors may be | | ot record (MBR). A complete wipe of all disk sectors may be |
| attempted. To maximize impact on the target organization in | | attempted. To maximize impact on the target organization in |
| operations where network-wide availability interruption is | | operations where network-wide availability interruption is |
| the goal, malware used for wiping disks may have worm-like f | | the goal, malware used for wiping disks may have worm-like f |
| eatures to propagate across a network by leveraging addition | | eatures to propagate across a network by leveraging addition |
| al techniques like [Valid Accounts](https://attack.mitre.org | | al techniques like [Valid Accounts](https://attack.mitre.org |
| /techniques/T1078), [OS Credential Dumping](https://attack.m | | /techniques/T1078), [OS Credential Dumping](https://attack.m |
| itre.org/techniques/T1003), and [SMB/Windows Admin Shares](h | | itre.org/techniques/T1003), and [SMB/Windows Admin Shares](h |
| ttps://attack.mitre.org/techniques/T1021/002).(Citation: Nov | | ttps://attack.mitre.org/techniques/T1021/002).(Citation: Nov |
| etta Blockbuster Destructive Malware) | | etta Blockbuster Destructive Malware) On network devices, a |
| | | dversaries may wipe configuration files and other data from |
| | | the device using [Network Device CLI](https://attack.mitre.o |
| | | rg/techniques/T1059/008) commands such as `erase`.(Citation: |
| | | erase_cmd_cisco) |
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_contributors | | ['Austin Clark, @c2defense'] |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-07-28 18:55:35.987000+00:00 | 2023-04-20 18:16:41.942000+00:00 |
| description | Adversaries may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources. With direct write access to a disk, adversaries may attempt to overwrite portions of disk data. Adversaries may opt to wipe arbitrary portions of disk data and/or wipe disk structures like the master boot record (MBR). A complete wipe of all disk sectors may be attempted.
To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disks may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Novetta Blockbuster Destructive Malware) | Adversaries may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources. With direct write access to a disk, adversaries may attempt to overwrite portions of disk data. Adversaries may opt to wipe arbitrary portions of disk data and/or wipe disk structures like the master boot record (MBR). A complete wipe of all disk sectors may be attempted.
To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disks may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Novetta Blockbuster Destructive Malware)
On network devices, adversaries may wipe configuration files and other data from the device using [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `erase`.(Citation: erase_cmd_cisco) |
| external_references[1]['source_name'] | Novetta Blockbuster Destructive Malware | erase_cmd_cisco |
| external_references[1]['description'] | Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016. | Cisco. (2022, August 16). erase - Cisco IOS Configuration Fundamentals Command Reference . Retrieved July 13, 2022. |
| external_references[1]['url'] | https://web.archive.org/web/20160303200515/https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf | https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fundamentals/command/cf_command_ref/D_through_E.html#wp3557227463 |
| external_references[2]['source_name'] | Microsoft Sysmon v6 May 2017 | Novetta Blockbuster Destructive Malware |
| external_references[2]['description'] | Russinovich, M. & Garnier, T. (2017, May 22). Sysmon v6.20. Retrieved December 13, 2017. | Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016. |
| external_references[2]['url'] | https://docs.microsoft.com/sysinternals/downloads/sysmon | https://web.archive.org/web/20160303200515/https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_data_sources[0] | Drive: Drive Access | Drive: Drive Modification |
| x_mitre_data_sources[1] | Command: Command Execution | Process: Process Creation |
| x_mitre_data_sources[2] | Process: Process Creation | Command: Command Execution |
| x_mitre_data_sources[4] | Drive: Drive Modification | Drive: Drive Access |
| x_mitre_version | 1.0 | 1.1 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| external_references | | {'source_name': 'Microsoft Sysmon v6 May 2017', 'description': 'Russinovich, M. & Garnier, T. (2017, May 22). Sysmon v6.20. Retrieved December 13, 2017.', 'url': 'https://docs.microsoft.com/sysinternals/downloads/sysmon'} |
| x_mitre_platforms | | Network |
[T1021.003] Remote Services: Distributed Component Object Model
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_permissions_required | ['Administrator', 'SYSTEM'] | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-06-23 18:58:32.752000+00:00 | 2023-04-03 18:58:54.034000+00:00 |
| external_references[3]['source_name'] | Microsoft Process Wide Com Keys | Microsoft COM ACL |
| external_references[3]['description'] | Microsoft. (n.d.). Setting Process-Wide Security Through the Registry. Retrieved November 21, 2017. | Microsoft. (n.d.). DCOM Security Enhancements in Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1. Retrieved November 22, 2017. |
| external_references[3]['url'] | https://msdn.microsoft.com/en-us/library/windows/desktop/ms687317(v=vs.85).aspx | https://docs.microsoft.com/en-us/windows/desktop/com/dcom-security-enhancements-in-windows-xp-service-pack-2-and-windows-server-2003-service-pack-1 |
| external_references[4]['source_name'] | Microsoft COM ACL | Microsoft Process Wide Com Keys |
| external_references[4]['description'] | Microsoft. (n.d.). DCOM Security Enhancements in Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1. Retrieved November 22, 2017. | Microsoft. (n.d.). Setting Process-Wide Security Through the Registry. Retrieved November 21, 2017. |
| external_references[4]['url'] | https://docs.microsoft.com/en-us/windows/desktop/com/dcom-security-enhancements-in-windows-xp-service-pack-2-and-windows-server-2003-service-pack-1 | https://msdn.microsoft.com/en-us/library/windows/desktop/ms687317(v=vs.85).aspx |
| external_references[5]['source_name'] | Enigma Outlook DCOM Lateral Movement Nov 2017 | MSDN WMI |
| external_references[5]['description'] | Nelson, M. (2017, November 16). Lateral Movement using Outlook's CreateObject Method and DotNetToJScript. Retrieved November 21, 2017. | Microsoft. (n.d.). Windows Management Instrumentation. Retrieved April 27, 2016. |
| external_references[5]['url'] | https://enigma0x3.net/2017/11/16/lateral-movement-using-outlooks-createobject-method-and-dotnettojscript/ | https://msdn.microsoft.com/en-us/library/aa394582.aspx |
| external_references[6]['source_name'] | Enigma MMC20 COM Jan 2017 | Enigma DCOM Lateral Movement Jan 2017 |
| external_references[6]['description'] | Nelson, M. (2017, January 5). Lateral Movement using the MMC20 Application COM Object. Retrieved November 21, 2017. | Nelson, M. (2017, January 23). Lateral Movement via DCOM: Round 2. Retrieved November 21, 2017. |
| external_references[6]['url'] | https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/ | https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/ |
| external_references[7]['source_name'] | Enigma DCOM Lateral Movement Jan 2017 | Enigma MMC20 COM Jan 2017 |
| external_references[7]['description'] | Nelson, M. (2017, January 23). Lateral Movement via DCOM: Round 2. Retrieved November 21, 2017. | Nelson, M. (2017, January 5). Lateral Movement using the MMC20 Application COM Object. Retrieved November 21, 2017. |
| external_references[7]['url'] | https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/ | https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/ |
| external_references[8]['source_name'] | Enigma Excel DCOM Sept 2017 | Enigma Outlook DCOM Lateral Movement Nov 2017 |
| external_references[8]['description'] | Nelson, M. (2017, September 11). Lateral Movement using Excel.Application and DCOM. Retrieved November 21, 2017. | Nelson, M. (2017, November 16). Lateral Movement using Outlook's CreateObject Method and DotNetToJScript. Retrieved November 21, 2017. |
| external_references[8]['url'] | https://enigma0x3.net/2017/09/11/lateral-movement-using-excel-application-and-dcom/ | https://enigma0x3.net/2017/11/16/lateral-movement-using-outlooks-createobject-method-and-dotnettojscript/ |
| external_references[9]['source_name'] | Cyberreason DCOM DDE Lateral Movement Nov 2017 | Enigma Excel DCOM Sept 2017 |
| external_references[9]['description'] | Tsukerman, P. (2017, November 8). Leveraging Excel DDE for lateral movement via DCOM. Retrieved November 21, 2017. | Nelson, M. (2017, September 11). Lateral Movement using Excel.Application and DCOM. Retrieved November 21, 2017. |
| external_references[9]['url'] | https://www.cybereason.com/blog/leveraging-excel-dde-for-lateral-movement-via-dcom | https://enigma0x3.net/2017/09/11/lateral-movement-using-excel-application-and-dcom/ |
| external_references[10]['source_name'] | MSDN WMI | Cyberreason DCOM DDE Lateral Movement Nov 2017 |
| external_references[10]['description'] | Microsoft. (n.d.). Windows Management Instrumentation. Retrieved April 27, 2016. | Tsukerman, P. (2017, November 8). Leveraging Excel DDE for lateral movement via DCOM. Retrieved November 21, 2017. |
| external_references[10]['url'] | https://msdn.microsoft.com/en-us/library/aa394582.aspx | https://www.cybereason.com/blog/leveraging-excel-dde-for-lateral-movement-via-dcom |
| x_mitre_data_sources[0] | Process: Process Creation | Module: Module Load |
| x_mitre_data_sources[2] | Module: Module Load | Process: Process Creation |
| x_mitre_version | 1.1 | 1.2 |
[T1087.002] Account Discovery: Domain Account
Current version: 1.2
Version changed from: 1.1 → 1.2
|
|
|---|
| t | Adversaries may attempt to get a listing of domain accounts. | t | Adversaries may attempt to get a listing of domain accounts. |
| This information can help adversaries determine which domai | | This information can help adversaries determine which domai |
| n accounts exist to aid in follow-on behavior. Commands suc | | n accounts exist to aid in follow-on behavior such as target |
| h as <code>net user /domain</code> and <code>net group /doma | | ing specific accounts which possess particular privileges. |
| in</code> of the [Net](https://attack.mitre.org/software/S00 | | Commands such as <code>net user /domain</code> and <code>net |
| 39) utility, <code>dscacheutil -q group</code>on macOS, and | | group /domain</code> of the [Net](https://attack.mitre.org/ |
| <code>ldapsearch</code> on Linux can list domain users and g | | software/S0039) utility, <code>dscacheutil -q group</code>on |
| roups. | | macOS, and <code>ldapsearch</code> on Linux can list domain |
| | | users and groups. [PowerShell](https://attack.mitre.org/tec |
| | | hniques/T1059/001) cmdlets including <code>Get-ADUser</code> |
| | | and <code>Get-ADGroupMember</code> may enumerate members of |
| | | Active Directory groups. |
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-08-25 13:04:00.863000+00:00 | 2023-04-15 16:37:59.115000+00:00 |
| description | Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior.
Commands such as net user /domain and net group /domain of the [Net](https://attack.mitre.org/software/S0039) utility, dscacheutil -q groupon macOS, and ldapsearch on Linux can list domain users and groups. | Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting specific accounts which possess particular privileges.
Commands such as net user /domain and net group /domain of the [Net](https://attack.mitre.org/software/S0039) utility, dscacheutil -q groupon macOS, and ldapsearch on Linux can list domain users and groups. [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets including Get-ADUser and Get-ADGroupMember may enumerate members of Active Directory groups. |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_data_sources[0] | Command: Command Execution | Network Traffic: Network Traffic Content |
| x_mitre_data_sources[1] | Process: Process Creation | Process: OS API Execution |
| x_mitre_data_sources[2] | Network Traffic: Network Traffic Content | Process: Process Creation |
| x_mitre_data_sources[4] | Process: OS API Execution | Command: Command Execution |
| x_mitre_version | 1.1 | 1.2 |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/575.html', 'external_id': 'CAPEC-575'} | |
[T1078.002] Valid Accounts: Domain Accounts
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-19 20:14:34.479000+00:00 | 2023-04-13 17:17:03.605000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.2 | 1.3 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | | User Account: User Account Authentication |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/560.html', 'external_id': 'CAPEC-560'} | |
| x_mitre_data_sources | User Account: User Account Authentication | |
[T1069.002] Permission Groups Discovery: Domain Groups
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-21 12:55:51.337000+00:00 | 2023-04-07 17:16:47.754000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.1 | 1.2 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | | Group: Group Enumeration |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | Group: Group Enumeration | |
[T1584.001] Compromise Infrastructure: Domains
Current version: 1.3
Version changed from: 1.2 → 1.3
|
|
|---|
| t | Adversaries may hijack domains and/or subdomains that can be | t | Adversaries may hijack domains and/or subdomains that can be |
| used during targeting. Domain registration hijacking is the | | used during targeting. Domain registration hijacking is the |
| act of changing the registration of a domain name without t | | act of changing the registration of a domain name without t |
| he permission of the original registrant.(Citation: ICANNDom | | he permission of the original registrant.(Citation: ICANNDom |
| ainNameHijacking) Adversaries may gain access to an email ac | | ainNameHijacking) Adversaries may gain access to an email ac |
| count for the person listed as the owner of the domain. The | | count for the person listed as the owner of the domain. The |
| adversary can then claim that they forgot their password in | | adversary can then claim that they forgot their password in |
| order to make changes to the domain registration. Other poss | | order to make changes to the domain registration. Other poss |
| ibilities include social engineering a domain registration h | | ibilities include social engineering a domain registration h |
| elp desk to gain access to an account or taking advantage of | | elp desk to gain access to an account or taking advantage of |
| renewal process gaps.(Citation: Krebs DNS Hijack 2019) Sub | | renewal process gaps.(Citation: Krebs DNS Hijack 2019) Sub |
| domain hijacking can occur when organizations have DNS entri | | domain hijacking can occur when organizations have DNS entri |
| es that point to non-existent or deprovisioned resources. In | | es that point to non-existent or deprovisioned resources. In |
| such cases, an adversary may take control of a subdomain to | | such cases, an adversary may take control of a subdomain to |
| conduct operations with the benefit of the trust associated | | conduct operations with the benefit of the trust associated |
| with that domain.(Citation: Microsoft Sub Takeover 2020) | | with that domain.(Citation: Microsoft Sub Takeover 2020) A |
| | | dversaries who compromise a domain may also engage in domain |
| | | shadowing by creating malicious subdomains under their cont |
| | | rol while keeping any existing DNS records. As service will |
| | | not be disrupted, the malicious subdomains may go unnoticed |
| | | for long periods of time.(Citation: Palo Alto Unit 42 Domain |
| | | Shadowing 2022) |
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-20 14:10:48.814000+00:00 | 2023-03-07 13:05:42.901000+00:00 |
| description | Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant.(Citation: ICANNDomainNameHijacking) Adversaries may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account or taking advantage of renewal process gaps.(Citation: Krebs DNS Hijack 2019)
Subdomain hijacking can occur when organizations have DNS entries that point to non-existent or deprovisioned resources. In such cases, an adversary may take control of a subdomain to conduct operations with the benefit of the trust associated with that domain.(Citation: Microsoft Sub Takeover 2020) | Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant.(Citation: ICANNDomainNameHijacking) Adversaries may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account or taking advantage of renewal process gaps.(Citation: Krebs DNS Hijack 2019)
Subdomain hijacking can occur when organizations have DNS entries that point to non-existent or deprovisioned resources. In such cases, an adversary may take control of a subdomain to conduct operations with the benefit of the trust associated with that domain.(Citation: Microsoft Sub Takeover 2020)
Adversaries who compromise a domain may also engage in domain shadowing by creating malicious subdomains under their control while keeping any existing DNS records. As service will not be disrupted, the malicious subdomains may go unnoticed for long periods of time.(Citation: Palo Alto Unit 42 Domain Shadowing 2022) |
| external_references[3]['source_name'] | Microsoft Sub Takeover 2020 | Palo Alto Unit 42 Domain Shadowing 2022 |
| external_references[3]['description'] | Microsoft. (2020, September 29). Prevent dangling DNS entries and avoid subdomain takeover. Retrieved October 12, 2020. | Janos Szurdi, Rebekah Houser and Daiping Liu. (2022, September 21). Domain Shadowing: A Stealthy Use of DNS Compromise for Cybercrime. Retrieved March 7, 2023. |
| external_references[3]['url'] | https://docs.microsoft.com/en-us/azure/security/fundamentals/subdomain-takeover | https://unit42.paloaltonetworks.com/domain-shadowing/ |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_data_sources[1] | Domain Name: Passive DNS | Domain Name: Domain Registration |
| x_mitre_data_sources[2] | Domain Name: Domain Registration | Domain Name: Passive DNS |
| x_mitre_version | 1.2 | 1.3 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| external_references | | {'source_name': 'Microsoft Sub Takeover 2020', 'description': 'Microsoft. (2020, September 29). Prevent dangling DNS entries and avoid subdomain takeover. Retrieved October 12, 2020.', 'url': 'https://docs.microsoft.com/en-us/azure/security/fundamentals/subdomain-takeover'} |
[T1189] Drive-by Compromise
Current version: 1.5
Version changed from: 1.4 → 1.5
|
|
|---|
| t | Adversaries may gain access to a system through a user visit | t | Adversaries may gain access to a system through a user visit |
| ing a website over the normal course of browsing. With this | | ing a website over the normal course of browsing. With this |
| technique, the user's web browser is typically targeted for | | technique, the user's web browser is typically targeted for |
| exploitation, but adversaries may also use compromised websi | | exploitation, but adversaries may also use compromised websi |
| tes for non-exploitation behavior such as acquiring [Applica | | tes for non-exploitation behavior such as acquiring [Applica |
| tion Access Token](https://attack.mitre.org/techniques/T1550 | | tion Access Token](https://attack.mitre.org/techniques/T1550 |
| /001). Multiple ways of delivering exploit code to a browse | | /001). Multiple ways of delivering exploit code to a browse |
| r exist, including: * A legitimate website is compromised w | | r exist (i.e., [Drive-by Target](https://attack.mitre.org/te |
| here adversaries have injected some form of malicious code s | | chniques/T1608/004)), including: * A legitimate website is |
| uch as JavaScript, iFrames, and cross-site scripting. * Mali | | compromised where adversaries have injected some form of mal |
| cious ads are paid for and served through legitimate ad prov | | icious code such as JavaScript, iFrames, and cross-site scri |
| iders. * Built-in web application interfaces are leveraged f | | pting * Script files served to a legitimate website from a p |
| or the insertion of any other kind of object that can be use | | ublicly writeable cloud storage bucket are modified by an ad |
| d to display web content or contain a script that executes o | | versary * Malicious ads are paid for and served through legi |
| n the visiting client (e.g. forum posts, comments, and other | | timate ad providers (i.e., [Malvertising](https://attack.mit |
| user controllable web content). Often the website used by | | re.org/techniques/T1583/008)) * Built-in web application int |
| an adversary is one visited by a specific community, such as | | erfaces are leveraged for the insertion of any other kind of |
| government, a particular industry, or region, where the goa | | object that can be used to display web content or contain a |
| l is to compromise a specific user or set of users based on | | script that executes on the visiting client (e.g. forum pos |
| a shared interest. This kind of targeted campaign is often r | | ts, comments, and other user controllable web content). Oft |
| eferred to a strategic web compromise or watering hole attac | | en the website used by an adversary is one visited by a spec |
| k. There are several known examples of this occurring.(Citat | | ific community, such as government, a particular industry, o |
| ion: Shadowserver Strategic Web Compromise) Typical drive-b | | r region, where the goal is to compromise a specific user or |
| y compromise process: 1. A user visits a website that is us | | set of users based on a shared interest. This kind of targe |
| ed to host the adversary controlled content. 2. Scripts auto | | ted campaign is often referred to a strategic web compromise |
| matically execute, typically searching versions of the brows | | or watering hole attack. There are several known examples o |
| er and plugins for a potentially vulnerable version. * | | f this occurring.(Citation: Shadowserver Strategic Web Compr |
| The user may be required to assist in this process by enabli | | omise) Typical drive-by compromise process: 1. A user visi |
| ng scripting or active website components and ignoring warni | | ts a website that is used to host the adversary controlled c |
| ng dialog boxes. 3. Upon finding a vulnerable version, explo | | ontent. 2. Scripts automatically execute, typically searchin |
| it code is delivered to the browser. 4. If exploitation is s | | g versions of the browser and plugins for a potentially vuln |
| uccessful, then it will give the adversary code execution on | | erable version. * The user may be required to assist in |
| the user's system unless other protections are in place. | | this process by enabling scripting or active website compon |
| * In some cases a second visit to the website after the in | | ents and ignoring warning dialog boxes. 3. Upon finding a vu |
| itial scan is required before exploit code is delivered. Un | | lnerable version, exploit code is delivered to the browser. |
| like [Exploit Public-Facing Application](https://attack.mitr | | 4. If exploitation is successful, then it will give the adve |
| e.org/techniques/T1190), the focus of this technique is to e | | rsary code execution on the user's system unless other prote |
| xploit software on a client endpoint upon visiting a website | | ctions are in place. * In some cases a second visit to t |
| . This will commonly give an adversary access to systems on | | he website after the initial scan is required before exploit |
| the internal network instead of external systems that may be | | code is delivered. Unlike [Exploit Public-Facing Applicati |
| in a DMZ. Adversaries may also use compromised websites to | | on](https://attack.mitre.org/techniques/T1190), the focus of |
| deliver a user to a malicious application designed to [Stea | | this technique is to exploit software on a client endpoint |
| l Application Access Token](https://attack.mitre.org/techniq | | upon visiting a website. This will commonly give an adversar |
| ues/T1528)s, like OAuth tokens, to gain access to protected | | y access to systems on the internal network instead of exter |
| applications and information. These malicious applications h | | nal systems that may be in a DMZ. Adversaries may also use |
| ave been delivered through popups on legitimate websites.(Ci | | compromised websites to deliver a user to a malicious applic |
| tation: Volexity OceanLotus Nov 2017) | | ation designed to [Steal Application Access Token](https://a |
| | | ttack.mitre.org/techniques/T1528)s, like OAuth tokens, to ga |
| | | in access to protected applications and information. These m |
| | | alicious applications have been delivered through popups on |
| | | legitimate websites.(Citation: Volexity OceanLotus Nov 2017) |
Dropped Mitigations:
- T1189: Drive-by Compromise Mitigation
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_permissions_required | ['User'] | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-03-08 21:11:47.798000+00:00 | 2023-04-14 23:58:45.490000+00:00 |
| description | Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring [Application Access Token](https://attack.mitre.org/techniques/T1550/001).
Multiple ways of delivering exploit code to a browser exist, including:
* A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript, iFrames, and cross-site scripting.
* Malicious ads are paid for and served through legitimate ad providers.
* Built-in web application interfaces are leveraged for the insertion of any other kind of object that can be used to display web content or contain a script that executes on the visiting client (e.g. forum posts, comments, and other user controllable web content).
Often the website used by an adversary is one visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted campaign is often referred to a strategic web compromise or watering hole attack. There are several known examples of this occurring.(Citation: Shadowserver Strategic Web Compromise)
Typical drive-by compromise process:
1. A user visits a website that is used to host the adversary controlled content.
2. Scripts automatically execute, typically searching versions of the browser and plugins for a potentially vulnerable version.
* The user may be required to assist in this process by enabling scripting or active website components and ignoring warning dialog boxes.
3. Upon finding a vulnerable version, exploit code is delivered to the browser.
4. If exploitation is successful, then it will give the adversary code execution on the user's system unless other protections are in place.
* In some cases a second visit to the website after the initial scan is required before exploit code is delivered.
Unlike [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), the focus of this technique is to exploit software on a client endpoint upon visiting a website. This will commonly give an adversary access to systems on the internal network instead of external systems that may be in a DMZ.
Adversaries may also use compromised websites to deliver a user to a malicious application designed to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s, like OAuth tokens, to gain access to protected applications and information. These malicious applications have been delivered through popups on legitimate websites.(Citation: Volexity OceanLotus Nov 2017) | Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring [Application Access Token](https://attack.mitre.org/techniques/T1550/001).
Multiple ways of delivering exploit code to a browser exist (i.e., [Drive-by Target](https://attack.mitre.org/techniques/T1608/004)), including:
* A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript, iFrames, and cross-site scripting
* Script files served to a legitimate website from a publicly writeable cloud storage bucket are modified by an adversary
* Malicious ads are paid for and served through legitimate ad providers (i.e., [Malvertising](https://attack.mitre.org/techniques/T1583/008))
* Built-in web application interfaces are leveraged for the insertion of any other kind of object that can be used to display web content or contain a script that executes on the visiting client (e.g. forum posts, comments, and other user controllable web content).
Often the website used by an adversary is one visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted campaign is often referred to a strategic web compromise or watering hole attack. There are several known examples of this occurring.(Citation: Shadowserver Strategic Web Compromise)
Typical drive-by compromise process:
1. A user visits a website that is used to host the adversary controlled content.
2. Scripts automatically execute, typically searching versions of the browser and plugins for a potentially vulnerable version.
* The user may be required to assist in this process by enabling scripting or active website components and ignoring warning dialog boxes.
3. Upon finding a vulnerable version, exploit code is delivered to the browser.
4. If exploitation is successful, then it will give the adversary code execution on the user's system unless other protections are in place.
* In some cases a second visit to the website after the initial scan is required before exploit code is delivered.
Unlike [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), the focus of this technique is to exploit software on a client endpoint upon visiting a website. This will commonly give an adversary access to systems on the internal network instead of external systems that may be in a DMZ.
Adversaries may also use compromised websites to deliver a user to a malicious application designed to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s, like OAuth tokens, to gain access to protected applications and information. These malicious applications have been delivered through popups on legitimate websites.(Citation: Volexity OceanLotus Nov 2017) |
| x_mitre_data_sources[2] | Network Traffic: Network Traffic Content | Process: Process Creation |
| x_mitre_version | 1.4 | 1.5 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | | Network Traffic: Network Traffic Content |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | Process: Process Creation | |
[T1608.004] Stage Capabilities: Drive-by Target
Current version: 1.3
Version changed from: 1.2 → 1.3
|
|
|---|
| t | Adversaries may prepare an operational environment to infect | t | Adversaries may prepare an operational environment to infect |
| systems that visit a website over the normal course of brow | | systems that visit a website over the normal course of brow |
| sing. Endpoint systems may be compromised through browsing t | | sing. Endpoint systems may be compromised through browsing t |
| o adversary controlled sites, as in [Drive-by Compromise](ht | | o adversary controlled sites, as in [Drive-by Compromise](ht |
| tps://attack.mitre.org/techniques/T1189). In such cases, the | | tps://attack.mitre.org/techniques/T1189). In such cases, the |
| user's web browser is typically targeted for exploitation ( | | user's web browser is typically targeted for exploitation ( |
| often not requiring any extra user interaction once landing | | often not requiring any extra user interaction once landing |
| on the site), but adversaries may also set up websites for n | | on the site), but adversaries may also set up websites for n |
| on-exploitation behavior such as [Application Access Token]( | | on-exploitation behavior such as [Application Access Token]( |
| https://attack.mitre.org/techniques/T1550/001). Prior to [Dr | | https://attack.mitre.org/techniques/T1550/001). Prior to [Dr |
| ive-by Compromise](https://attack.mitre.org/techniques/T1189 | | ive-by Compromise](https://attack.mitre.org/techniques/T1189 |
| ), adversaries must stage resources needed to deliver that e | | ), adversaries must stage resources needed to deliver that e |
| xploit to users who browse to an adversary controlled site. | | xploit to users who browse to an adversary controlled site. |
| Drive-by content can be staged on adversary controlled infra | | Drive-by content can be staged on adversary controlled infra |
| structure that has been acquired ([Acquire Infrastructure](h | | structure that has been acquired ([Acquire Infrastructure](h |
| ttps://attack.mitre.org/techniques/T1583)) or previously com | | ttps://attack.mitre.org/techniques/T1583)) or previously com |
| promised ([Compromise Infrastructure](https://attack.mitre.o | | promised ([Compromise Infrastructure](https://attack.mitre.o |
| rg/techniques/T1584)). Adversaries may upload or inject mal | | rg/techniques/T1584)). Adversaries may upload or inject mal |
| icious web content, such as [JavaScript](https://attack.mitr | | icious web content, such as [JavaScript](https://attack.mitr |
| e.org/techniques/T1059/007), into websites.(Citation: FireEy | | e.org/techniques/T1059/007), into websites.(Citation: FireEy |
| e CFR Watering Hole 2012)(Citation: Gallagher 2015) This may | | e CFR Watering Hole 2012)(Citation: Gallagher 2015) This may |
| be done in a number of ways, including inserting malicious | | be done in a number of ways, including: * Inserting malici |
| script into web pages or other user controllable web content | | ous scripts into web pages or other user controllable web co |
| such as forum posts. Adversaries may also craft malicious w | | ntent such as forum posts * Modifying script files served to |
| eb advertisements and purchase ad space on a website through | | websites from publicly writeable cloud storage buckets * Cr |
| legitimate ad providers. In addition to staging content to | | afting malicious web advertisements and purchasing ad space |
| exploit a user's web browser, adversaries may also stage scr | | on a website through legitimate ad providers (i.e., [Malvert |
| ipting content to profile the user's browser (as in [Gather | | ising](https://attack.mitre.org/techniques/T1583/008)) In a |
| Victim Host Information](https://attack.mitre.org/techniques | | ddition to staging content to exploit a user's web browser, |
| /T1592)) to ensure it is vulnerable prior to attempting expl | | adversaries may also stage scripting content to profile the |
| oitation.(Citation: ATT ScanBox) Websites compromised by an | | user's browser (as in [Gather Victim Host Information](https |
| adversary and used to stage a drive-by may be ones visited | | ://attack.mitre.org/techniques/T1592)) to ensure it is vulne |
| by a specific community, such as government, a particular in | | rable prior to attempting exploitation.(Citation: ATT ScanBo |
| dustry, or region, where the goal is to compromise a specifi | | x) Websites compromised by an adversary and used to stage a |
| c user or set of users based on a shared interest. This kind | | drive-by may be ones visited by a specific community, such |
| of targeted campaign is referred to a strategic web comprom | | as government, a particular industry, or region, where the g |
| ise or watering hole attack. Adversaries may purchase domai | | oal is to compromise a specific user or set of users based o |
| ns similar to legitimate domains (ex: homoglyphs, typosquatt | | n a shared interest. This kind of targeted campaign is refer |
| ing, different top-level domain, etc.) during acquisition of | | red to a strategic web compromise or watering hole attack. |
| infrastructure ([Domains](https://attack.mitre.org/techniqu | | Adversaries may purchase domains similar to legitimate domai |
| es/T1583/001)) to help facilitate [Drive-by Compromise](http | | ns (ex: homoglyphs, typosquatting, different top-level domai |
| s://attack.mitre.org/techniques/T1189). | | n, etc.) during acquisition of infrastructure ([Domains](htt |
| | | ps://attack.mitre.org/techniques/T1583/001)) to help facilit |
| | | ate [Drive-by Compromise](https://attack.mitre.org/technique |
| | | s/T1189). |
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-03-08 21:59:57.082000+00:00 | 2023-04-15 00:21:55.791000+00:00 |
| description | Adversaries may prepare an operational environment to infect systems that visit a website over the normal course of browsing. Endpoint systems may be compromised through browsing to adversary controlled sites, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). In such cases, the user's web browser is typically targeted for exploitation (often not requiring any extra user interaction once landing on the site), but adversaries may also set up websites for non-exploitation behavior such as [Application Access Token](https://attack.mitre.org/techniques/T1550/001). Prior to [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), adversaries must stage resources needed to deliver that exploit to users who browse to an adversary controlled site. Drive-by content can be staged on adversary controlled infrastructure that has been acquired ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or previously compromised ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)).
Adversaries may upload or inject malicious web content, such as [JavaScript](https://attack.mitre.org/techniques/T1059/007), into websites.(Citation: FireEye CFR Watering Hole 2012)(Citation: Gallagher 2015) This may be done in a number of ways, including inserting malicious script into web pages or other user controllable web content such as forum posts. Adversaries may also craft malicious web advertisements and purchase ad space on a website through legitimate ad providers. In addition to staging content to exploit a user's web browser, adversaries may also stage scripting content to profile the user's browser (as in [Gather Victim Host Information](https://attack.mitre.org/techniques/T1592)) to ensure it is vulnerable prior to attempting exploitation.(Citation: ATT ScanBox)
Websites compromised by an adversary and used to stage a drive-by may be ones visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted campaign is referred to a strategic web compromise or watering hole attack.
Adversaries may purchase domains similar to legitimate domains (ex: homoglyphs, typosquatting, different top-level domain, etc.) during acquisition of infrastructure ([Domains](https://attack.mitre.org/techniques/T1583/001)) to help facilitate [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). | Adversaries may prepare an operational environment to infect systems that visit a website over the normal course of browsing. Endpoint systems may be compromised through browsing to adversary controlled sites, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). In such cases, the user's web browser is typically targeted for exploitation (often not requiring any extra user interaction once landing on the site), but adversaries may also set up websites for non-exploitation behavior such as [Application Access Token](https://attack.mitre.org/techniques/T1550/001). Prior to [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), adversaries must stage resources needed to deliver that exploit to users who browse to an adversary controlled site. Drive-by content can be staged on adversary controlled infrastructure that has been acquired ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or previously compromised ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)).
Adversaries may upload or inject malicious web content, such as [JavaScript](https://attack.mitre.org/techniques/T1059/007), into websites.(Citation: FireEye CFR Watering Hole 2012)(Citation: Gallagher 2015) This may be done in a number of ways, including:
* Inserting malicious scripts into web pages or other user controllable web content such as forum posts
* Modifying script files served to websites from publicly writeable cloud storage buckets
* Crafting malicious web advertisements and purchasing ad space on a website through legitimate ad providers (i.e., [Malvertising](https://attack.mitre.org/techniques/T1583/008))
In addition to staging content to exploit a user's web browser, adversaries may also stage scripting content to profile the user's browser (as in [Gather Victim Host Information](https://attack.mitre.org/techniques/T1592)) to ensure it is vulnerable prior to attempting exploitation.(Citation: ATT ScanBox)
Websites compromised by an adversary and used to stage a drive-by may be ones visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted campaign is referred to a strategic web compromise or watering hole attack.
Adversaries may purchase domains similar to legitimate domains (ex: homoglyphs, typosquatting, different top-level domain, etc.) during acquisition of infrastructure ([Domains](https://attack.mitre.org/techniques/T1583/001)) to help facilitate [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). |
| external_references[1]['source_name'] | FireEye CFR Watering Hole 2012 | ATT ScanBox |
| external_references[1]['description'] | Kindlund, D. (2012, December 30). CFR Watering Hole Attack Details. Retrieved December 18, 2020. | Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks. Retrieved October 19, 2020. |
| external_references[1]['url'] | https://www.fireeye.com/blog/threat-research/2012/12/council-foreign-relations-water-hole-attack-details.html | https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks |
| external_references[3]['source_name'] | ATT ScanBox | FireEye CFR Watering Hole 2012 |
| external_references[3]['description'] | Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks. Retrieved October 19, 2020. | Kindlund, D. (2012, December 30). CFR Watering Hole Attack Details. Retrieved December 18, 2020. |
| external_references[3]['url'] | https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks | https://www.fireeye.com/blog/threat-research/2012/12/council-foreign-relations-water-hole-attack-details.html |
| x_mitre_version | 1.2 | 1.3 |
[T1586.002] Compromise Accounts: Email Accounts
Current version: 1.1
Version changed from: 1.0 → 1.1
|
|
|---|
| t | Adversaries may compromise email accounts that can be used d | t | Adversaries may compromise email accounts that can be used d |
| uring targeting. Adversaries can use compromised email accou | | uring targeting. Adversaries can use compromised email accou |
| nts to further their operations, such as leveraging them to | | nts to further their operations, such as leveraging them to |
| conduct [Phishing for Information](https://attack.mitre.org/ | | conduct [Phishing for Information](https://attack.mitre.org/ |
| techniques/T1598) or [Phishing](https://attack.mitre.org/tec | | techniques/T1598), [Phishing](https://attack.mitre.org/techn |
| hniques/T1566). Utilizing an existing persona with a comprom | | iques/T1566), or large-scale spam email campaigns. Utilizing |
| ised email account may engender a level of trust in a potent | | an existing persona with a compromised email account may en |
| ial victim if they have a relationship, or knowledge of, the | | gender a level of trust in a potential victim if they have a |
| compromised persona. Compromised email accounts can also be | | relationship with, or knowledge of, the compromised persona |
| used in the acquisition of infrastructure (ex: [Domains](ht | | . Compromised email accounts can also be used in the acquisi |
| tps://attack.mitre.org/techniques/T1583/001)). A variety of | | tion of infrastructure (ex: [Domains](https://attack.mitre.o |
| methods exist for compromising email accounts, such as gath | | rg/techniques/T1583/001)). A variety of methods exist for c |
| ering credentials via [Phishing for Information](https://att | | ompromising email accounts, such as gathering credentials vi |
| ack.mitre.org/techniques/T1598), purchasing credentials from | | a [Phishing for Information](https://attack.mitre.org/techni |
| third-party sites, or by brute forcing credentials (ex: pas | | ques/T1598), purchasing credentials from third-party sites, |
| sword reuse from breach credential dumps).(Citation: AnonHBG | | brute forcing credentials (ex: password reuse from breach cr |
| ary) Prior to compromising email accounts, adversaries may c | | edential dumps), or paying employees, suppliers or business |
| onduct Reconnaissance to inform decisions about which accoun | | partners for access to credentials.(Citation: AnonHBGary)(Ci |
| ts to compromise to further their operation. Adversaries ca | | tation: Microsoft DEV-0537) Prior to compromising email acco |
| n use a compromised email account to hijack existing email t | | unts, adversaries may conduct Reconnaissance to inform decis |
| hreads with targets of interest. | | ions about which accounts to compromise to further their ope |
| | | ration. Adversaries may target compromising well-known email |
| | | accounts or domains from which malicious spam or [Phishing] |
| | | (https://attack.mitre.org/techniques/T1566) emails may evade |
| | | reputation-based email filtering rules. Adversaries can us |
| | | e a compromised email account to hijack existing email threa |
| | | ds with targets of interest. |
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_contributors | | ['Tristan Bennett, Seamless Intelligence', 'Bryan Onel'] |
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-04-15 02:57:25.544000+00:00 | 2023-04-11 01:07:48.218000+00:00 |
| description | Adversaries may compromise email accounts that can be used during targeting. Adversaries can use compromised email accounts to further their operations, such as leveraging them to conduct [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566). Utilizing an existing persona with a compromised email account may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. Compromised email accounts can also be used in the acquisition of infrastructure (ex: [Domains](https://attack.mitre.org/techniques/T1583/001)).
A variety of methods exist for compromising email accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, or by brute forcing credentials (ex: password reuse from breach credential dumps).(Citation: AnonHBGary) Prior to compromising email accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation.
Adversaries can use a compromised email account to hijack existing email threads with targets of interest. | Adversaries may compromise email accounts that can be used during targeting. Adversaries can use compromised email accounts to further their operations, such as leveraging them to conduct [Phishing for Information](https://attack.mitre.org/techniques/T1598), [Phishing](https://attack.mitre.org/techniques/T1566), or large-scale spam email campaigns. Utilizing an existing persona with a compromised email account may engender a level of trust in a potential victim if they have a relationship with, or knowledge of, the compromised persona. Compromised email accounts can also be used in the acquisition of infrastructure (ex: [Domains](https://attack.mitre.org/techniques/T1583/001)).
A variety of methods exist for compromising email accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, brute forcing credentials (ex: password reuse from breach credential dumps), or paying employees, suppliers or business partners for access to credentials.(Citation: AnonHBGary)(Citation: Microsoft DEV-0537) Prior to compromising email accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation. Adversaries may target compromising well-known email accounts or domains from which malicious spam or [Phishing](https://attack.mitre.org/techniques/T1566) emails may evade reputation-based email filtering rules.
Adversaries can use a compromised email account to hijack existing email threads with targets of interest. |
| x_mitre_version | 1.0 | 1.1 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| external_references | | {'source_name': 'Microsoft DEV-0537', 'description': 'Microsoft. (2022, March 22). DEV-0537 criminal actor targeting organizations for data exfiltration and destruction. Retrieved March 23, 2022.', 'url': 'https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/'} |
[T1114] Email Collection
Current version: 2.4
Version changed from: 2.3 → 2.4
Dropped Mitigations:
- T1114: Email Collection Mitigation
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_permissions_required | ['User'] | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-10-15 20:19:33.750000+00:00 | 2023-04-12 20:46:04.871000+00:00 |
| x_mitre_data_sources[1] | Logon Session: Logon Session Creation | Application Log: Application Log Content |
| x_mitre_data_sources[2] | Application Log: Application Log Content | Logon Session: Logon Session Creation |
| x_mitre_version | 2.3 | 2.4 |
[T1114.003] Email Collection: Email Forwarding Rule
Current version: 1.3
Version changed from: 1.2 → 1.3
|
|
|---|
| t | Adversaries may setup email forwarding rules to collect sens | t | Adversaries may setup email forwarding rules to collect sens |
| itive information. Adversaries may abuse email-forwarding ru | | itive information. Adversaries may abuse email forwarding ru |
| les to monitor the activities of a victim, steal information | | les to monitor the activities of a victim, steal information |
| , and further gain intelligence on the victim or the victim’ | | , and further gain intelligence on the victim or the victim’ |
| s organization to use as part of further exploits or operati | | s organization to use as part of further exploits or operati |
| ons.(Citation: US-CERT TA18-068A 2018) Furthermore, email fo | | ons.(Citation: US-CERT TA18-068A 2018) Furthermore, email fo |
| rwarding rules can allow adversaries to maintain persistent | | rwarding rules can allow adversaries to maintain persistent |
| access to victim's emails even after compromised credentials | | access to victim's emails even after compromised credentials |
| are reset by administrators.(Citation: Pfammatter - Hidden | | are reset by administrators.(Citation: Pfammatter - Hidden |
| Inbox Rules) Most email clients allow users to create inbox | | Inbox Rules) Most email clients allow users to create inbox |
| rules for various email functions, including forwarding to a | | rules for various email functions, including forwarding to a |
| different recipient. These rules may be created through a l | | different recipient. These rules may be created through a l |
| ocal email application, a web interface, or by command-line | | ocal email application, a web interface, or by command-line |
| interface. Messages can be forwarded to internal or external | | interface. Messages can be forwarded to internal or external |
| recipients, and there are no restrictions limiting the exte | | recipients, and there are no restrictions limiting the exte |
| nt of this rule. Administrators may also create forwarding r | | nt of this rule. Administrators may also create forwarding r |
| ules for user accounts with the same considerations and outc | | ules for user accounts with the same considerations and outc |
| omes.(Citation: Microsoft Tim McMichael Exchange Mail Forwar | | omes.(Citation: Microsoft Tim McMichael Exchange Mail Forwar |
| ding 2)(Citation: Mac Forwarding Rules) Any user or adminis | | ding 2)(Citation: Mac Forwarding Rules) Any user or adminis |
| trator within the organization (or adversary with valid cred | | trator within the organization (or adversary with valid cred |
| entials) can create rules to automatically forward all recei | | entials) can create rules to automatically forward all recei |
| ved messages to another recipient, forward emails to differe | | ved messages to another recipient, forward emails to differe |
| nt locations based on the sender, and more. Adversaries may | | nt locations based on the sender, and more. Adversaries may |
| also hide the rule by making use of the Microsoft Messaging | | also hide the rule by making use of the Microsoft Messaging |
| API (MAPI) to modify the rule properties, making it hidden a | | API (MAPI) to modify the rule properties, making it hidden a |
| nd not visible from Outlook, OWA or most Exchange Administra | | nd not visible from Outlook, OWA or most Exchange Administra |
| tion tools.(Citation: Pfammatter - Hidden Inbox Rules) | | tion tools.(Citation: Pfammatter - Hidden Inbox Rules) In s |
| | | ome environments, administrators may be able to enable email |
| | | forwarding rules that operate organization-wide rather than |
| | | on individual inboxes. For example, Microsoft Exchange supp |
| | | orts transport rules that evaluate all mail an organization |
| | | receives against user-specified conditions, then performs a |
| | | user-specified action on mail that adheres to those conditio |
| | | ns.(Citation: Microsoft Mail Flow Rules 2023) Adversaries th |
| | | at abuse such features may be able to enable forwarding on a |
| | | ll or specific mail an organization receives. |
New Detections:
- DS0017: Command (Command Execution)
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_permissions_required | ['User'] | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-10-15 20:19:33.416000+00:00 | 2023-04-12 20:47:47.583000+00:00 |
| description | Adversaries may setup email forwarding rules to collect sensitive information. Adversaries may abuse email-forwarding rules to monitor the activities of a victim, steal information, and further gain intelligence on the victim or the victim’s organization to use as part of further exploits or operations.(Citation: US-CERT TA18-068A 2018) Furthermore, email forwarding rules can allow adversaries to maintain persistent access to victim's emails even after compromised credentials are reset by administrators.(Citation: Pfammatter - Hidden Inbox Rules) Most email clients allow users to create inbox rules for various email functions, including forwarding to a different recipient. These rules may be created through a local email application, a web interface, or by command-line interface. Messages can be forwarded to internal or external recipients, and there are no restrictions limiting the extent of this rule. Administrators may also create forwarding rules for user accounts with the same considerations and outcomes.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2)(Citation: Mac Forwarding Rules)
Any user or administrator within the organization (or adversary with valid credentials) can create rules to automatically forward all received messages to another recipient, forward emails to different locations based on the sender, and more. Adversaries may also hide the rule by making use of the Microsoft Messaging API (MAPI) to modify the rule properties, making it hidden and not visible from Outlook, OWA or most Exchange Administration tools.(Citation: Pfammatter - Hidden Inbox Rules) | Adversaries may setup email forwarding rules to collect sensitive information. Adversaries may abuse email forwarding rules to monitor the activities of a victim, steal information, and further gain intelligence on the victim or the victim’s organization to use as part of further exploits or operations.(Citation: US-CERT TA18-068A 2018) Furthermore, email forwarding rules can allow adversaries to maintain persistent access to victim's emails even after compromised credentials are reset by administrators.(Citation: Pfammatter - Hidden Inbox Rules) Most email clients allow users to create inbox rules for various email functions, including forwarding to a different recipient. These rules may be created through a local email application, a web interface, or by command-line interface. Messages can be forwarded to internal or external recipients, and there are no restrictions limiting the extent of this rule. Administrators may also create forwarding rules for user accounts with the same considerations and outcomes.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2)(Citation: Mac Forwarding Rules)
Any user or administrator within the organization (or adversary with valid credentials) can create rules to automatically forward all received messages to another recipient, forward emails to different locations based on the sender, and more. Adversaries may also hide the rule by making use of the Microsoft Messaging API (MAPI) to modify the rule properties, making it hidden and not visible from Outlook, OWA or most Exchange Administration tools.(Citation: Pfammatter - Hidden Inbox Rules)
In some environments, administrators may be able to enable email forwarding rules that operate organization-wide rather than on individual inboxes. For example, Microsoft Exchange supports transport rules that evaluate all mail an organization receives against user-specified conditions, then performs a user-specified action on mail that adheres to those conditions.(Citation: Microsoft Mail Flow Rules 2023) Adversaries that abuse such features may be able to enable forwarding on all or specific mail an organization receives. |
| external_references[1]['source_name'] | US-CERT TA18-068A 2018 | Mac Forwarding Rules |
| external_references[1]['description'] | US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted by Cyber Actors. Retrieved October 2, 2019. | Apple. (n.d.). Reply to, forward, or redirect emails in Mail on Mac. Retrieved June 22, 2021. |
| external_references[1]['url'] | https://www.us-cert.gov/ncas/alerts/TA18-086A | https://support.apple.com/guide/mail/reply-to-forward-or-redirect-emails-mlhlp1010/mac |
| external_references[4]['source_name'] | Mac Forwarding Rules | Microsoft Mail Flow Rules 2023 |
| external_references[4]['description'] | Apple. (n.d.). Reply to, forward, or redirect emails in Mail on Mac. Retrieved June 22, 2021. | Microsoft. (2023, February 22). Mail flow rules (transport rules) in Exchange Online. Retrieved March 13, 2023. |
| external_references[4]['url'] | https://support.apple.com/guide/mail/reply-to-forward-or-redirect-emails-mlhlp1010/mac | https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules |
| x_mitre_version | 1.2 | 1.3 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| external_references | | {'source_name': 'US-CERT TA18-068A 2018', 'description': 'US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted by Cyber Actors. Retrieved October 2, 2019.', 'url': 'https://www.us-cert.gov/ncas/alerts/TA18-086A'} |
| x_mitre_contributors | | Liran Ravich, CardinalOps |
| x_mitre_data_sources | | Command: Command Execution |
[T1564.008] Hide Artifacts: Email Hiding Rules
Current version: 1.2
Version changed from: 1.1 → 1.2
|
|
|---|
| t | Adversaries may use email rules to hide inbound emails in a | t | Adversaries may use email rules to hide inbound emails in a |
| compromised user's mailbox. Many email clients allow users t | | compromised user's mailbox. Many email clients allow users t |
| o create inbox rules for various email functions, including | | o create inbox rules for various email functions, including |
| moving emails to other folders, marking emails as read, or d | | moving emails to other folders, marking emails as read, or d |
| eleting emails. Rules may be created or modified within emai | | eleting emails. Rules may be created or modified within emai |
| l clients or through external features such as the <code>New | | l clients or through external features such as the <code>New |
| -InboxRule</code> or <code>Set-InboxRule</code> [PowerShell] | | -InboxRule</code> or <code>Set-InboxRule</code> [PowerShell] |
| (https://attack.mitre.org/techniques/T1059/001) cmdlets on W | | (https://attack.mitre.org/techniques/T1059/001) cmdlets on W |
| indows systems.(Citation: Microsoft Inbox Rules)(Citation: M | | indows systems.(Citation: Microsoft Inbox Rules)(Citation: M |
| acOS Email Rules)(Citation: Microsoft New-InboxRule)(Citatio | | acOS Email Rules)(Citation: Microsoft New-InboxRule)(Citatio |
| n: Microsoft Set-InboxRule) Adversaries may utilize email r | | n: Microsoft Set-InboxRule) Adversaries may utilize email r |
| ules within a compromised user's mailbox to delete and/or mo | | ules within a compromised user's mailbox to delete and/or mo |
| ve emails to less noticeable folders. Adversaries may do thi | | ve emails to less noticeable folders. Adversaries may do thi |
| s to hide security alerts, C2 communication, or responses to | | s to hide security alerts, C2 communication, or responses to |
| [Internal Spearphishing](https://attack.mitre.org/technique | | [Internal Spearphishing](https://attack.mitre.org/technique |
| s/T1534) emails sent from the compromised account. Any user | | s/T1534) emails sent from the compromised account. Any user |
| or administrator within the organization (or adversary with | | or administrator within the organization (or adversary with |
| valid credentials) may be able to create rules to automatic | | valid credentials) may be able to create rules to automatic |
| ally move or delete emails. These rules can be abused to imp | | ally move or delete emails. These rules can be abused to imp |
| air/delay detection had the email content been immediately s | | air/delay detection had the email content been immediately s |
| een by a user or defender. Malicious rules commonly filter o | | een by a user or defender. Malicious rules commonly filter o |
| ut emails based on key words (such as <code>malware</code>, | | ut emails based on key words (such as <code>malware</code>, |
| <code>suspicious</code>, <code>phish</code>, and <code>hack< | | <code>suspicious</code>, <code>phish</code>, and <code>hack< |
| /code>) found in message bodies and subject lines. (Citation | | /code>) found in message bodies and subject lines. (Citation |
| : Microsoft Cloud App Security) | | : Microsoft Cloud App Security) In some environments, admin |
| | | istrators may be able to enable email rules that operate org |
| | | anization-wide rather than on individual inboxes. For exampl |
| | | e, Microsoft Exchange supports transport rules that evaluate |
| | | all mail an organization receives against user-specified co |
| | | nditions, then performs a user-specified action on mail that |
| | | adheres to those conditions.(Citation: Microsoft Mail Flow |
| | | Rules 2023) Adversaries that abuse such features may be able |
| | | to automatically modify or delete all emails related to spe |
| | | cific topics (such as internal security incident notificatio |
| | | ns). |
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-12 15:22:29.599000+00:00 | 2023-04-12 20:42:20.079000+00:00 |
| description | Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the New-InboxRule or Set-InboxRule [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets on Windows systems.(Citation: Microsoft Inbox Rules)(Citation: MacOS Email Rules)(Citation: Microsoft New-InboxRule)(Citation: Microsoft Set-InboxRule)
Adversaries may utilize email rules within a compromised user's mailbox to delete and/or move emails to less noticeable folders. Adversaries may do this to hide security alerts, C2 communication, or responses to [Internal Spearphishing](https://attack.mitre.org/techniques/T1534) emails sent from the compromised account.
Any user or administrator within the organization (or adversary with valid credentials) may be able to create rules to automatically move or delete emails. These rules can be abused to impair/delay detection had the email content been immediately seen by a user or defender. Malicious rules commonly filter out emails based on key words (such as malware, suspicious, phish, and hack) found in message bodies and subject lines. (Citation: Microsoft Cloud App Security) | Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the New-InboxRule or Set-InboxRule [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets on Windows systems.(Citation: Microsoft Inbox Rules)(Citation: MacOS Email Rules)(Citation: Microsoft New-InboxRule)(Citation: Microsoft Set-InboxRule)
Adversaries may utilize email rules within a compromised user's mailbox to delete and/or move emails to less noticeable folders. Adversaries may do this to hide security alerts, C2 communication, or responses to [Internal Spearphishing](https://attack.mitre.org/techniques/T1534) emails sent from the compromised account.
Any user or administrator within the organization (or adversary with valid credentials) may be able to create rules to automatically move or delete emails. These rules can be abused to impair/delay detection had the email content been immediately seen by a user or defender. Malicious rules commonly filter out emails based on key words (such as malware, suspicious, phish, and hack) found in message bodies and subject lines. (Citation: Microsoft Cloud App Security)
In some environments, administrators may be able to enable email rules that operate organization-wide rather than on individual inboxes. For example, Microsoft Exchange supports transport rules that evaluate all mail an organization receives against user-specified conditions, then performs a user-specified action on mail that adheres to those conditions.(Citation: Microsoft Mail Flow Rules 2023) Adversaries that abuse such features may be able to automatically modify or delete all emails related to specific topics (such as internal security incident notifications). |
| external_references[3]['source_name'] | Microsoft Inbox Rules | Microsoft Mail Flow Rules 2023 |
| external_references[3]['description'] | Microsoft. (n.d.). Manage email messages by using rules. Retrieved June 11, 2021. | Microsoft. (2023, February 22). Mail flow rules (transport rules) in Exchange Online. Retrieved March 13, 2023. |
| external_references[3]['url'] | https://support.microsoft.com/en-us/office/manage-email-messages-by-using-rules-c24f5dea-9465-4df4-ad17-a50704d66c59 | https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules |
| external_references[4]['source_name'] | Microsoft New-InboxRule | Microsoft Inbox Rules |
| external_references[4]['description'] | Microsoft. (n.d.). New-InboxRule. Retrieved June 7, 2021. | Microsoft. (n.d.). Manage email messages by using rules. Retrieved June 11, 2021. |
| external_references[4]['url'] | https://docs.microsoft.com/en-us/powershell/module/exchange/new-inboxrule?view=exchange-ps | https://support.microsoft.com/en-us/office/manage-email-messages-by-using-rules-c24f5dea-9465-4df4-ad17-a50704d66c59 |
| external_references[5]['source_name'] | Microsoft Set-InboxRule | Microsoft New-InboxRule |
| external_references[5]['description'] | Microsoft. (n.d.). Set-InboxRule. Retrieved June 7, 2021. | Microsoft. (n.d.). New-InboxRule. Retrieved June 7, 2021. |
| external_references[5]['url'] | https://docs.microsoft.com/en-us/powershell/module/exchange/set-inboxrule?view=exchange-ps | https://docs.microsoft.com/en-us/powershell/module/exchange/new-inboxrule?view=exchange-ps |
| external_references[6]['source_name'] | Microsoft Cloud App Security | Microsoft Set-InboxRule |
| external_references[6]['description'] | Niv Goldenberg. (2018, December 12). Rule your inbox with Microsoft Cloud App Security. Retrieved June 7, 2021. | Microsoft. (n.d.). Set-InboxRule. Retrieved June 7, 2021. |
| external_references[6]['url'] | https://techcommunity.microsoft.com/t5/security-compliance-and-identity/rule-your-inbox-with-microsoft-cloud-app-security/ba-p/299154 | https://docs.microsoft.com/en-us/powershell/module/exchange/set-inboxrule?view=exchange-ps |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.1 | 1.2 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| external_references | | {'source_name': 'Microsoft Cloud App Security', 'description': 'Niv Goldenberg. (2018, December 12). Rule your inbox with Microsoft Cloud App Security. Retrieved June 7, 2021.', 'url': 'https://techcommunity.microsoft.com/t5/security-compliance-and-identity/rule-your-inbox-with-microsoft-cloud-app-security/ba-p/299154'} |
| x_mitre_contributors | | Liran Ravich, CardinalOps |
| x_mitre_data_sources | | File: File Modification |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | File: File Modification | |
[T1611] Escape to Host
Current version: 1.4
Version changed from: 1.3 → 1.4
New Mitigations:
- M1042: Disable or Remove Feature or Program
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-21 20:03:06.707000+00:00 | 2023-04-15 16:21:04.265000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.3 | 1.4 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | | Container: Container Creation |
| x_mitre_data_sources | | Process: Process Creation |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | Process: Process Creation | |
| x_mitre_data_sources | Container: Container Creation | |
[T1048] Exfiltration Over Alternative Protocol
Current version: 1.4
Version changed from: 1.3 → 1.4
|
|
|---|
| t | Adversaries may steal data by exfiltrating it over a differe | t | Adversaries may steal data by exfiltrating it over a differe |
| nt protocol than that of the existing command and control ch | | nt protocol than that of the existing command and control ch |
| annel. The data may also be sent to an alternate network loc | | annel. The data may also be sent to an alternate network loc |
| ation from the main command and control server. Alternate | | ation from the main command and control server. Alternate |
| protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other | | protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other |
| network protocol not being used as the main command and con | | network protocol not being used as the main command and con |
| trol channel. Different protocol channels could also include | | trol channel. Adversaries may also opt to encrypt and/or obf |
| Web services such as cloud storage. Adversaries may also op | | uscate these alternate channels. [Exfiltration Over Altern |
| t to encrypt and/or obfuscate these alternate channels. [E | | ative Protocol](https://attack.mitre.org/techniques/T1048) c |
| xfiltration Over Alternative Protocol](https://attack.mitre. | | an be done using various common operating system utilities s |
| org/techniques/T1048) can be done using various common opera | | uch as [Net](https://attack.mitre.org/software/S0039)/SMB or |
| ting system utilities such as [Net](https://attack.mitre.org | | FTP.(Citation: Palo Alto OilRig Oct 2016) On macOS and Linu |
| /software/S0039)/SMB or FTP.(Citation: Palo Alto OilRig Oct | | x <code>curl</code> may be used to invoke protocols such as |
| 2016) On macOS and Linux <code>curl</code> may be used to in | | HTTP/S or FTP/S to exfiltrate data from a system.(Citation: |
| voke protocols such as HTTP/S or FTP/S to exfiltrate data fr | | 20 macOS Common Tools and Techniques) Many IaaS and SaaS pl |
| om a system.(Citation: 20 macOS Common Tools and Techniques) | | atforms (such as Microsoft Exchange, Microsoft SharePoint, G |
| | | itHub, and AWS S3) support the direct download of files, ema |
| | | ils, source code, and other sensitive information via the we |
| | | b console or [Cloud API](https://attack.mitre.org/techniques |
| | | /T1059/009). |
New Mitigations:
- M1018: User Account Management
- M1022: Restrict File and Directory Permissions
New Detections:
- DS0010: Cloud Storage (Cloud Storage Access)
- DS0015: Application Log (Application Log Content)
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
| x_mitre_network_requirements | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-10-15 22:49:28.766000+00:00 | 2023-04-15 00:58:36.287000+00:00 |
| description | Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
Alternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Different protocol channels could also include Web services such as cloud storage. Adversaries may also opt to encrypt and/or obfuscate these alternate channels.
[Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048) can be done using various common operating system utilities such as [Net](https://attack.mitre.org/software/S0039)/SMB or FTP.(Citation: Palo Alto OilRig Oct 2016) On macOS and Linux curl may be used to invoke protocols such as HTTP/S or FTP/S to exfiltrate data from a system.(Citation: 20 macOS Common Tools and Techniques) | Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
Alternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Adversaries may also opt to encrypt and/or obfuscate these alternate channels.
[Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048) can be done using various common operating system utilities such as [Net](https://attack.mitre.org/software/S0039)/SMB or FTP.(Citation: Palo Alto OilRig Oct 2016) On macOS and Linux curl may be used to invoke protocols such as HTTP/S or FTP/S to exfiltrate data from a system.(Citation: 20 macOS Common Tools and Techniques)
Many IaaS and SaaS platforms (such as Microsoft Exchange, Microsoft SharePoint, GitHub, and AWS S3) support the direct download of files, emails, source code, and other sensitive information via the web console or [Cloud API](https://attack.mitre.org/techniques/T1059/009). |
| external_references[1]['source_name'] | Palo Alto OilRig Oct 2016 | University of Birmingham C2 |
| external_references[1]['description'] | Grunzweig, J. and Falcone, R.. (2016, October 4). OilRig Malware Campaign Updates Toolset and Expands Targets. Retrieved May 3, 2017. | Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. |
| external_references[1]['url'] | http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/ | https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf |
| external_references[2]['source_name'] | 20 macOS Common Tools and Techniques | Palo Alto OilRig Oct 2016 |
| external_references[2]['description'] | Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021. | Grunzweig, J. and Falcone, R.. (2016, October 4). OilRig Malware Campaign Updates Toolset and Expands Targets. Retrieved May 3, 2017. |
| external_references[2]['url'] | https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/ | http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/ |
| external_references[3]['source_name'] | University of Birmingham C2 | 20 macOS Common Tools and Techniques |
| external_references[3]['description'] | Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. | Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021. |
| external_references[3]['url'] | https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf | https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/ |
| x_mitre_version | 1.3 | 1.4 |
| x_mitre_data_sources[3] | Command: Command Execution | Cloud Storage: Cloud Storage Access |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | | Application Log: Application Log Content |
| x_mitre_data_sources | | Network Traffic: Network Connection Creation |
| x_mitre_data_sources | | Command: Command Execution |
| x_mitre_platforms | | Office 365 |
| x_mitre_platforms | | SaaS |
| x_mitre_platforms | | IaaS |
| x_mitre_platforms | | Google Workspace |
| x_mitre_platforms | | Network |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | Network Traffic: Network Connection Creation | |
[T1041] Exfiltration Over C2 Channel
Current version: 2.2
Version changed from: 2.1 → 2.2
Dropped Mitigations:
- T1041: Exfiltration Over Command and Control Channel Mitigation
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
| x_mitre_network_requirements | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-10-15 22:45:50.620000+00:00 | 2023-04-07 17:09:14.040000+00:00 |
| x_mitre_data_sources[0] | Network Traffic: Network Traffic Content | File: File Access |
| x_mitre_data_sources[1] | Command: Command Execution | Network Traffic: Network Traffic Content |
| x_mitre_data_sources[3] | Network Traffic: Network Connection Creation | Command: Command Execution |
| x_mitre_data_sources[4] | File: File Access | Network Traffic: Network Connection Creation |
| x_mitre_version | 2.1 | 2.2 |
[T1048.003] Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol
Current version: 2.1
Version changed from: 2.0 → 2.1
|
|
|---|
| t | Adversaries may steal data by exfiltrating it over an un-enc | t | Adversaries may steal data by exfiltrating it over an un-enc |
| rypted network protocol other than that of the existing comm | | rypted network protocol other than that of the existing comm |
| and and control channel. The data may also be sent to an alt | | and and control channel. The data may also be sent to an alt |
| ernate network location from the main command and control se | | ernate network location from the main command and control se |
| rver. Adversaries may opt to obfuscate this data, without | | rver.(Citation: copy_cmd_cisco) Adversaries may opt to obfu |
| the use of encryption, within network protocols that are nat | | scate this data, without the use of encryption, within netwo |
| ively unencrypted (such as HTTP, FTP, or DNS). This may incl | | rk protocols that are natively unencrypted (such as HTTP, FT |
| ude custom or publicly available encoding/compression algori | | P, or DNS). This may include custom or publicly available en |
| thms (such as base64) as well as embedding data within proto | | coding/compression algorithms (such as base64) as well as em |
| col headers and fields. | | bedding data within protocol headers and fields. |
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_network_requirements | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-12 19:57:45.277000+00:00 | 2023-04-12 23:39:25.476000+00:00 |
| description | Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
Adversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). This may include custom or publicly available encoding/compression algorithms (such as base64) as well as embedding data within protocol headers and fields. | Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.(Citation: copy_cmd_cisco)
Adversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). This may include custom or publicly available encoding/compression algorithms (such as base64) as well as embedding data within protocol headers and fields. |
| external_references[1]['source_name'] | University of Birmingham C2 | copy_cmd_cisco |
| external_references[1]['description'] | Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. | Cisco. (2022, August 16). copy - Cisco IOS Configuration Fundamentals Command Reference . Retrieved July 13, 2022. |
| external_references[1]['url'] | https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf | https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fundamentals/command/cf_command_ref/C_commands.html#wp1068167689 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_data_sources[1] | Network Traffic: Network Traffic Content | Command: Command Execution |
| x_mitre_data_sources[2] | Command: Command Execution | Network Traffic: Network Connection Creation |
| x_mitre_data_sources[4] | Network Traffic: Network Connection Creation | Network Traffic: Network Traffic Content |
| x_mitre_detection | Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2) | Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)
For network infrastructure devices, collect AAA logging to monitor for `copy` commands being run to exfiltrate configuration files to non-standard destinations over unencrypted protocols such as TFTP. |
| x_mitre_version | 2.0 | 2.1 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| external_references | | {'source_name': 'University of Birmingham C2', 'description': 'Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.', 'url': 'https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf'} |
| x_mitre_contributors | | Austin Clark, @c2defense |
| x_mitre_platforms | | Network |
[T1190] Exploit Public-Facing Application
Current version: 2.4
Version changed from: 2.3 → 2.4
|
|
|---|
| t | Adversaries may attempt to take advantage of a weakness in a | t | Adversaries may attempt to exploit a weakness in an Internet |
| n Internet-facing computer or program using software, data, | | -facing host or system to initially access a network. The we |
| or commands in order to cause unintended or unanticipated be | | akness in the system can be a software bug, a temporary glit |
| havior. The weakness in the system can be a bug, a glitch, o | | ch, or a misconfiguration. Exploited applications are often |
| r a design vulnerability. These applications are often websi | | websites/web servers, but can also include databases (like |
| tes, but can include databases (like SQL), standard services | | SQL), standard services (like SMB or SSH), network device ad |
| (like SMB or SSH), network device administration and manage | | ministration and management protocols (like SNMP and Smart I |
| ment protocols (like SNMP and Smart Install), and any other | | nstall), and any other system with Internet accessible open |
| applications with Internet accessible open sockets, such as | | sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple |
| web servers and related services.(Citation: NVD CVE-2016-666 | | SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network In |
| 2)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US- | | frastructure Devices 2018)(Citation: Cisco Blog Legacy Devic |
| CERT TA18-106A Network Infrastructure Devices 2018)(Citation | | e Attacks)(Citation: NVD CVE-2014-7169) Depending on the fla |
| : Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7 | | w being exploited this may also involve [Exploitation for De |
| 169) Depending on the flaw being exploited this may include | | fense Evasion](https://attack.mitre.org/techniques/T1211). |
| [Exploitation for Defense Evasion](https://attack.mitre.org/ | | If an application is hosted on cloud-based infrastructure a |
| techniques/T1211). If an application is hosted on cloud-ba | | nd/or is containerized, then exploiting it may lead to compr |
| sed infrastructure and/or is containerized, then exploiting | | omise of the underlying instance or container. This can allo |
| it may lead to compromise of the underlying instance or cont | | w an adversary a path to access the cloud or container APIs, |
| ainer. This can allow an adversary a path to access the clou | | exploit container host access via [Escape to Host](https:// |
| d or container APIs, exploit container host access via [Esca | | attack.mitre.org/techniques/T1611), or take advantage of wea |
| pe to Host](https://attack.mitre.org/techniques/T1611), or t | | k identity and access management policies. Adversaries may |
| ake advantage of weak identity and access management policie | | also exploit edge network infrastructure and related applian |
| s. For websites and databases, the OWASP top 10 and CWE top | | ces, specifically targeting devices that do not support robu |
| 25 highlight the most common web-based vulnerabilities.(Cit | | st host-based defenses.(Citation: Mandiant Fortinet Zero Day |
| ation: OWASP Top 10)(Citation: CWE top 25) | | )(Citation: Wired Russia Cyberwar) For websites and databas |
| | | es, the OWASP top 10 and CWE top 25 highlight the most commo |
| | | n web-based vulnerabilities.(Citation: OWASP Top 10)(Citatio |
| | | n: CWE top 25) |
Dropped Mitigations:
- T1190: Exploit Public-Facing Application Mitigation
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-19 17:06:53.032000+00:00 | 2023-04-14 22:18:39.190000+00:00 |
| description | Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. These applications are often websites, but can include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other applications with Internet accessible open sockets, such as web servers and related services.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may include [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211).
If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs, exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies.
For websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25) | Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.
Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may also involve [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211).
If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs, exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies.
Adversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.(Citation: Mandiant Fortinet Zero Day)(Citation: Wired Russia Cyberwar)
For websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25) |
| external_references[3]['source_name'] | NVD CVE-2016-6662 | Wired Russia Cyberwar |
| external_references[3]['description'] | National Vulnerability Database. (2017, February 2). CVE-2016-6662 Detail. Retrieved April 3, 2018. | Greenberg, A. (2022, November 10). Russia’s New Cyberwarfare in Ukraine Is Fast, Dirty, and Relentless. Retrieved March 22, 2023. |
| external_references[3]['url'] | https://nvd.nist.gov/vuln/detail/CVE-2016-6662 | https://www.wired.com/story/russia-ukraine-cyberattacks-mandiant/ |
| external_references[4]['source_name'] | NVD CVE-2014-7169 | Mandiant Fortinet Zero Day |
| external_references[4]['description'] | National Vulnerability Database. (2017, September 24). CVE-2014-7169 Detail. Retrieved April 3, 2018. | Marvi, A. et al.. (2023, March 16). Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation. Retrieved March 22, 2023. |
| external_references[4]['url'] | https://nvd.nist.gov/vuln/detail/CVE-2014-7169 | https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem |
| external_references[5]['source_name'] | Cisco Blog Legacy Device Attacks | NVD CVE-2016-6662 |
| external_references[5]['description'] | Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020. | National Vulnerability Database. (2017, February 2). CVE-2016-6662 Detail. Retrieved April 3, 2018. |
| external_references[5]['url'] | https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954 | https://nvd.nist.gov/vuln/detail/CVE-2016-6662 |
| external_references[6]['source_name'] | OWASP Top 10 | NVD CVE-2014-7169 |
| external_references[6]['description'] | OWASP. (2018, February 23). OWASP Top Ten Project. Retrieved April 3, 2018. | National Vulnerability Database. (2017, September 24). CVE-2014-7169 Detail. Retrieved April 3, 2018. |
| external_references[6]['url'] | https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project | https://nvd.nist.gov/vuln/detail/CVE-2014-7169 |
| external_references[7]['source_name'] | US-CERT TA18-106A Network Infrastructure Devices 2018 | Cisco Blog Legacy Device Attacks |
| external_references[7]['description'] | US-CERT. (2018, April 20). Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020. | Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020. |
| external_references[7]['url'] | https://us-cert.cisa.gov/ncas/alerts/TA18-106A | https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_data_sources[0] | Application Log: Application Log Content | Network Traffic: Network Traffic Content |
| x_mitre_data_sources[1] | Network Traffic: Network Traffic Content | Application Log: Application Log Content |
| x_mitre_version | 2.3 | 2.4 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| external_references | | {'source_name': 'OWASP Top 10', 'description': 'OWASP. (2018, February 23). OWASP Top Ten Project. Retrieved April 3, 2018.', 'url': 'https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project'} |
| external_references | | {'source_name': 'US-CERT TA18-106A Network Infrastructure Devices 2018', 'description': 'US-CERT. (2018, April 20). Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.', 'url': 'https://us-cert.cisa.gov/ncas/alerts/TA18-106A'} |
[T1068] Exploitation for Privilege Escalation
Current version: 1.5
Version changed from: 1.4 → 1.5
Dropped Mitigations:
- T1068: Exploitation for Privilege Escalation Mitigation
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-06-16 19:25:12.835000+00:00 | 2023-04-07 17:13:54.168000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_data_sources[0] | Driver: Driver Load | Process: Process Creation |
| x_mitre_data_sources[1] | Process: Process Creation | Driver: Driver Load |
| x_mitre_version | 1.4 | 1.5 |
[T1606] Forge Web Credentials
Current version: 1.3
Version changed from: 1.2 → 1.3
|
|
|---|
| t | Adversaries may forge credential materials that can be used | t | Adversaries may forge credential materials that can be used |
| to gain access to web applications or Internet services. Web | | to gain access to web applications or Internet services. Web |
| applications and services (hosted in cloud SaaS environment | | applications and services (hosted in cloud SaaS environment |
| s or on-premise servers) often use session cookies, tokens, | | s or on-premise servers) often use session cookies, tokens, |
| or other materials to authenticate and authorize user access | | or other materials to authenticate and authorize user access |
| . Adversaries may generate these credential materials in or | | . Adversaries may generate these credential materials in or |
| der to gain access to web resources. This differs from [Stea | | der to gain access to web resources. This differs from [Stea |
| l Web Session Cookie](https://attack.mitre.org/techniques/T1 | | l Web Session Cookie](https://attack.mitre.org/techniques/T1 |
| 539), [Steal Application Access Token](https://attack.mitre. | | 539), [Steal Application Access Token](https://attack.mitre. |
| org/techniques/T1528), and other similar behaviors in that t | | org/techniques/T1528), and other similar behaviors in that t |
| he credentials are new and forged by the adversary, rather t | | he credentials are new and forged by the adversary, rather t |
| han stolen or intercepted from legitimate users. The generat | | han stolen or intercepted from legitimate users. The generat |
| ion of web credentials often requires secret values, such as | | ion of web credentials often requires secret values, such as |
| passwords, [Private Keys](https://attack.mitre.org/techniqu | | passwords, [Private Keys](https://attack.mitre.org/techniqu |
| es/T1552/004), or other cryptographic seed values.(Citation: | | es/T1552/004), or other cryptographic seed values.(Citation: |
| GitHub AWS-ADFS-Credential-Generator) Once forged, adversa | | GitHub AWS-ADFS-Credential-Generator) Adversaries may also |
| ries may use these web credentials to access resources (ex: | | forge tokens by taking advantage of features such as the `As |
| [Use Alternate Authentication Material](https://attack.mitre | | sumeRole` and `GetFederationToken` APIs in AWS, which allow |
| .org/techniques/T1550)), which may bypass multi-factor and o | | users to request temporary security credentials.(Citation: A |
| ther authentication protection mechanisms.(Citation: Pass Th | | WS Temporary Security Credentials) Once forged, adversaries |
| e Cookie)(Citation: Unit 42 Mac Crypto Cookies January 2019) | | may use these web credentials to access resources (ex: [Use |
| (Citation: Microsoft SolarWinds Customer Guidance) | | Alternate Authentication Material](https://attack.mitre.org |
| | | /techniques/T1550)), which may bypass multi-factor and other |
| | | authentication protection mechanisms.(Citation: Pass The Co |
| | | okie)(Citation: Unit 42 Mac Crypto Cookies January 2019)(Cit |
| | | ation: Microsoft SolarWinds Customer Guidance) |
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_contributors | | ['Dylan'] |
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-10-12 14:26:52.179000+00:00 | 2023-04-12 21:35:48.084000+00:00 |
| description | Adversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies, tokens, or other materials to authenticate and authorize user access.
Adversaries may generate these credential materials in order to gain access to web resources. This differs from [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539), [Steal Application Access Token](https://attack.mitre.org/techniques/T1528), and other similar behaviors in that the credentials are new and forged by the adversary, rather than stolen or intercepted from legitimate users. The generation of web credentials often requires secret values, such as passwords, [Private Keys](https://attack.mitre.org/techniques/T1552/004), or other cryptographic seed values.(Citation: GitHub AWS-ADFS-Credential-Generator)
Once forged, adversaries may use these web credentials to access resources (ex: [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550)), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Pass The Cookie)(Citation: Unit 42 Mac Crypto Cookies January 2019)(Citation: Microsoft SolarWinds Customer Guidance) | Adversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies, tokens, or other materials to authenticate and authorize user access.
Adversaries may generate these credential materials in order to gain access to web resources. This differs from [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539), [Steal Application Access Token](https://attack.mitre.org/techniques/T1528), and other similar behaviors in that the credentials are new and forged by the adversary, rather than stolen or intercepted from legitimate users. The generation of web credentials often requires secret values, such as passwords, [Private Keys](https://attack.mitre.org/techniques/T1552/004), or other cryptographic seed values.(Citation: GitHub AWS-ADFS-Credential-Generator) Adversaries may also forge tokens by taking advantage of features such as the `AssumeRole` and `GetFederationToken` APIs in AWS, which allow users to request temporary security credentials.(Citation: AWS Temporary Security Credentials)
Once forged, adversaries may use these web credentials to access resources (ex: [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550)), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Pass The Cookie)(Citation: Unit 42 Mac Crypto Cookies January 2019)(Citation: Microsoft SolarWinds Customer Guidance) |
| external_references[1]['source_name'] | GitHub AWS-ADFS-Credential-Generator | AWS Temporary Security Credentials |
| external_references[1]['description'] | Damian Hickey. (2017, January 28). AWS-ADFS-Credential-Generator. Retrieved December 16, 2020. | AWS. (n.d.). Requesting temporary security credentials. Retrieved April 1, 2022. |
| external_references[1]['url'] | https://github.com/damianh/aws-adfs-credential-generator | https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html |
| external_references[2]['source_name'] | Pass The Cookie | Unit 42 Mac Crypto Cookies January 2019 |
| external_references[2]['description'] | Rehberger, J. (2018, December). Pivot to the Cloud using Pass the Cookie. Retrieved April 5, 2019. | Chen, Y., Hu, W., Xu, Z., et. al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved October 14, 2019. |
| external_references[2]['url'] | https://wunderwuzzi23.github.io/blog/passthecookie.html | https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/ |
| external_references[3]['source_name'] | Unit 42 Mac Crypto Cookies January 2019 | GitHub AWS-ADFS-Credential-Generator |
| external_references[3]['description'] | Chen, Y., Hu, W., Xu, Z., et. al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved October 14, 2019. | Damian Hickey. (2017, January 28). AWS-ADFS-Credential-Generator. Retrieved December 16, 2020. |
| external_references[3]['url'] | https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/ | https://github.com/damianh/aws-adfs-credential-generator |
| x_mitre_version | 1.2 | 1.3 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| external_references | | {'source_name': 'Pass The Cookie', 'description': 'Rehberger, J. (2018, December). Pivot to the Cloud using Pass the Cookie. Retrieved April 5, 2019.', 'url': 'https://wunderwuzzi23.github.io/blog/passthecookie.html'} |
| x_mitre_data_sources | | Logon Session: Logon Session Creation |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | Logon Session: Logon Session Creation | |
[T1615] Group Policy Discovery
Current version: 1.1
Version changed from: 1.0 → 1.1
|
|
|---|
| t | Adversaries may gather information on Group Policy settings | t | Adversaries may gather information on Group Policy settings |
| to identify paths for privilege escalation, security measure | | to identify paths for privilege escalation, security measure |
| s applied within a domain, and to discover patterns in domai | | s applied within a domain, and to discover patterns in domai |
| n objects that can be manipulated or used to blend in the en | | n objects that can be manipulated or used to blend in the en |
| vironment. Group Policy allows for centralized management of | | vironment. Group Policy allows for centralized management of |
| user and computer settings in Active Directory (AD). Group | | user and computer settings in Active Directory (AD). Group |
| policy objects (GPOs) are containers for group policy settin | | policy objects (GPOs) are containers for group policy settin |
| gs made up of files stored within a predicable network path | | gs made up of files stored within a predictable network path |
| <code>\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\</code>.(Citation: | | `\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\`.(Citation: TechNet Gr |
| TechNet Group Policy Basics)(Citation: ADSecurity GPO Persis | | oup Policy Basics)(Citation: ADSecurity GPO Persistence 2016 |
| tence 2016) Adversaries may use commands such as <code>gpre | | ) Adversaries may use commands such as <code>gpresult</code |
| sult</code> or various publicly available PowerShell functio | | > or various publicly available PowerShell functions, such a |
| ns, such as <code>Get-DomainGPO</code> and <code>Get-DomainG | | s <code>Get-DomainGPO</code> and <code>Get-DomainGPOLocalGro |
| POLocalGroup</code>, to gather information on Group Policy s | | up</code>, to gather information on Group Policy settings.(C |
| ettings.(Citation: Microsoft gpresult)(Citation: Github Powe | | itation: Microsoft gpresult)(Citation: Github PowerShell Emp |
| rShell Empire) Adversaries may use this information to shape | | ire) Adversaries may use this information to shape follow-on |
| follow-on behaviors, including determining potential attack | | behaviors, including determining potential attack paths wit |
| paths within the target network as well as opportunities to | | hin the target network as well as opportunities to manipulat |
| manipulate Group Policy settings (i.e. [Domain Policy Modif | | e Group Policy settings (i.e. [Domain Policy Modification](h |
| ication](https://attack.mitre.org/techniques/T1484)) for the | | ttps://attack.mitre.org/techniques/T1484)) for their benefit |
| ir benefit. | | . |
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_permissions_required | ['User'] | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-10-15 23:16:28.296000+00:00 | 2023-01-06 12:41:08.579000+00:00 |
| description | Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). Group policy objects (GPOs) are containers for group policy settings made up of files stored within a predicable network path \\SYSVOL\\Policies\.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016)
Adversaries may use commands such as gpresult or various publicly available PowerShell functions, such as Get-DomainGPO and Get-DomainGPOLocalGroup, to gather information on Group Policy settings.(Citation: Microsoft gpresult)(Citation: Github PowerShell Empire) Adversaries may use this information to shape follow-on behaviors, including determining potential attack paths within the target network as well as opportunities to manipulate Group Policy settings (i.e. [Domain Policy Modification](https://attack.mitre.org/techniques/T1484)) for their benefit. | Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). Group policy objects (GPOs) are containers for group policy settings made up of files stored within a predictable network path `\\SYSVOL\\Policies\`.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016)
Adversaries may use commands such as gpresult or various publicly available PowerShell functions, such as Get-DomainGPO and Get-DomainGPOLocalGroup, to gather information on Group Policy settings.(Citation: Microsoft gpresult)(Citation: Github PowerShell Empire) Adversaries may use this information to shape follow-on behaviors, including determining potential attack paths within the target network as well as opportunities to manipulate Group Policy settings (i.e. [Domain Policy Modification](https://attack.mitre.org/techniques/T1484)) for their benefit. |
| external_references[1]['source_name'] | TechNet Group Policy Basics | ADSecurity GPO Persistence 2016 |
| external_references[1]['description'] | srachui. (2012, February 13). Group Policy Basics – Part 1: Understanding the Structure of a Group Policy Object. Retrieved March 5, 2019. | Metcalf, S. (2016, March 14). Sneaky Active Directory Persistence #17: Group Policy. Retrieved March 5, 2019. |
| external_references[1]['url'] | https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/13/group-policy-basics-part-1-understanding-the-structure-of-a-group-policy-object/ | https://adsecurity.org/?p=2716 |
| external_references[2]['source_name'] | ADSecurity GPO Persistence 2016 | Microsoft gpresult |
| external_references[2]['description'] | Metcalf, S. (2016, March 14). Sneaky Active Directory Persistence #17: Group Policy. Retrieved March 5, 2019. | Microsoft. (2017, October 16). gpresult. Retrieved August 6, 2021. |
| external_references[2]['url'] | https://adsecurity.org/?p=2716 | https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult |
| external_references[3]['source_name'] | Microsoft gpresult | Github PowerShell Empire |
| external_references[3]['description'] | Microsoft. (2017, October 16). gpresult. Retrieved August 6, 2021. | Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016. |
| external_references[3]['url'] | https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult | https://github.com/PowerShellEmpire/Empire |
| external_references[4]['source_name'] | Github PowerShell Empire | TechNet Group Policy Basics |
| external_references[4]['description'] | Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016. | srachui. (2012, February 13). Group Policy Basics – Part 1: Understanding the Structure of a Group Policy Object. Retrieved March 5, 2019. |
| external_references[4]['url'] | https://github.com/PowerShellEmpire/Empire | https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/13/group-policy-basics-part-1-understanding-the-structure-of-a-group-policy-object/ |
| x_mitre_data_sources[0] | Network Traffic: Network Traffic Content | Active Directory: Active Directory Object Access |
| x_mitre_data_sources[1] | Command: Command Execution | Script: Script Execution |
| x_mitre_data_sources[2] | Script: Script Execution | Process: Process Creation |
| x_mitre_data_sources[3] | Process: Process Creation | Network Traffic: Network Traffic Content |
| x_mitre_data_sources[4] | Active Directory: Active Directory Object Access | Command: Command Execution |
| x_mitre_version | 1.0 | 1.1 |
[T1562] Impair Defenses
Current version: 1.4
Version changed from: 1.3 → 1.4
|
|
|---|
| t | Adversaries may maliciously modify components of a victim en | t | Adversaries may maliciously modify components of a victim en |
| vironment in order to hinder or disable defensive mechanisms | | vironment in order to hinder or disable defensive mechanisms |
| . This not only involves impairing preventative defenses, su | | . This not only involves impairing preventative defenses, su |
| ch as firewalls and anti-virus, but also detection capabilit | | ch as firewalls and anti-virus, but also detection capabilit |
| ies that defenders can use to audit activity and identify ma | | ies that defenders can use to audit activity and identify ma |
| licious behavior. This may also span both native defenses as | | licious behavior. This may also span both native defenses as |
| well as supplemental capabilities installed by users and ad | | well as supplemental capabilities installed by users and ad |
| ministrators. Adversaries could also target event aggregati | | ministrators. Adversaries may also impair routine operation |
| on and analysis mechanisms, or otherwise disrupt these proce | | s that contribute to defensive hygiene, such as blocking use |
| dures by altering other system components. | | rs from logging out of a computer or stopping it from being |
| | | shut down. These restrictions can further enable malicious o |
| | | perations as well as the continued propagation of incidents. |
| | | (Citation: Emotet shutdown) Adversaries could also target e |
| | | vent aggregation and analysis mechanisms, or otherwise disru |
| | | pt these procedures by altering other system components. |
New Mitigations:
New Detections:
- DS0002: User Account (User Account Modification)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-19 16:32:56.502000+00:00 | 2023-04-15 00:48:46.626000+00:00 |
| description | Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.
Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components. | Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.
Adversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out of a computer or stopping it from being shut down. These restrictions can further enable malicious operations as well as the continued propagation of incidents.(Citation: Emotet shutdown)
Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components. |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_data_sources[0] | Cloud Service: Cloud Service Modification | Firewall: Firewall Rule Modification |
| x_mitre_data_sources[1] | Firewall: Firewall Rule Modification | Cloud Service: Cloud Service Disable |
| x_mitre_data_sources[2] | Process: Process Termination | Command: Command Execution |
| x_mitre_data_sources[3] | Service: Service Metadata | User Account: User Account Modification |
| x_mitre_data_sources[4] | Process: Process Creation | Cloud Service: Cloud Service Modification |
| x_mitre_data_sources[5] | Driver: Driver Load | Firewall: Firewall Disable |
| x_mitre_data_sources[6] | Firewall: Firewall Disable | Script: Script Execution |
| x_mitre_data_sources[7] | Command: Command Execution | Driver: Driver Load |
| x_mitre_data_sources[8] | Cloud Service: Cloud Service Disable | Windows Registry: Windows Registry Key Modification |
| x_mitre_data_sources[9] | Windows Registry: Windows Registry Key Deletion | Sensor Health: Host Status |
| x_mitre_data_sources[10] | Windows Registry: Windows Registry Key Modification | Windows Registry: Windows Registry Key Deletion |
| x_mitre_data_sources[11] | Sensor Health: Host Status | Process: Process Termination |
| x_mitre_data_sources[12] | Script: Script Execution | Process: Process Creation |
| x_mitre_version | 1.3 | 1.4 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| external_references | | {'source_name': 'Emotet shutdown', 'description': 'The DFIR Report. (2022, November 8). Emotet Strikes Again – LNK File Leads to Domain Wide Ransomware. Retrieved March 6, 2023.', 'url': 'https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/#:~:text=Don’t%20Sleep%20has%20the%20capability%20to%20keep%20the%20computer%20from%20being%20shutdown%20and%20the%20user%20from%20being%20signed%20off.%20This%20was%20likely%20done%20to%20ensure%20nothing%20will%20interfere%20with%20the%20propagation%20of%20the%20ransomware%20payload'} |
| x_mitre_data_sources | | Service: Service Metadata |
[T1562.006] Impair Defenses: Indicator Blocking
Current version: 1.2
Version changed from: 1.1 → 1.2
|
|
|---|
| t | An adversary may attempt to block indicators or events typic | t | An adversary may attempt to block indicators or events typic |
| ally captured by sensors from being gathered and analyzed. T | | ally captured by sensors from being gathered and analyzed. T |
| his could include maliciously redirecting (Citation: Microso | | his could include maliciously redirecting(Citation: Microsof |
| ft Lamin Sept 2017) or even disabling host-based sensors, su | | t Lamin Sept 2017) or even disabling host-based sensors, suc |
| ch as Event Tracing for Windows (ETW),(Citation: Microsoft A | | h as Event Tracing for Windows (ETW)(Citation: Microsoft Abo |
| bout Event Tracing 2018) by tampering settings that control | | ut Event Tracing 2018), by tampering settings that control t |
| the collection and flow of event telemetry. (Citation: Mediu | | he collection and flow of event telemetry.(Citation: Medium |
| m Event Tracing Tampering 2018) These settings may be stored | | Event Tracing Tampering 2018) These settings may be stored o |
| on the system in configuration files and/or in the Registry | | n the system in configuration files and/or in the Registry a |
| as well as being accessible via administrative utilities su | | s well as being accessible via administrative utilities such |
| ch as [PowerShell](https://attack.mitre.org/techniques/T1059 | | as [PowerShell](https://attack.mitre.org/techniques/T1059/0 |
| /001) or [Windows Management Instrumentation](https://attack | | 01) or [Windows Management Instrumentation](https://attack.m |
| .mitre.org/techniques/T1047). ETW interruption can be achie | | itre.org/techniques/T1047). For example, adversaries may mo |
| ved multiple ways, however most directly by defining conditi | | dify the `File` value in <code>HKEY_LOCAL_MACHINE\SYSTEM\Cur |
| ons using the [PowerShell](https://attack.mitre.org/techniqu | | rentControlSet\Services\EventLog\Security</code> to hide the |
| es/T1059/001) <code>Set-EtwTraceProvider</code> cmdlet or by | | ir malicious actions in a new or different .evtx log file. T |
| interfacing directly with the Registry to make alterations. | | his action does not require a system reboot and takes effect |
| In the case of network-based reporting of indicators, an a | | immediately.(Citation: disable_win_evt_logging) ETW inter |
| dversary may block traffic associated with reporting to prev | | ruption can be achieved multiple ways, however most directly |
| ent central analysis. This may be accomplished by many means | | by defining conditions using the [PowerShell](https://attac |
| , such as stopping a local process responsible for forwardin | | k.mitre.org/techniques/T1059/001) <code>Set-EtwTraceProvider |
| g telemetry and/or creating a host-based firewall rule to bl | | </code> cmdlet or by interfacing directly with the Registry |
| ock traffic to specific hosts responsible for aggregating ev | | to make alterations. In the case of network-based reporting |
| ents, such as security information and event management (SIE | | of indicators, an adversary may block traffic associated wi |
| M) products. In Linux environments, adversaries may disable | | th reporting to prevent central analysis. This may be accomp |
| or reconfigure log processing tools such as syslog or nxlog | | lished by many means, such as stopping a local process respo |
| to inhibit detection and monitoring capabilities to facilit | | nsible for forwarding telemetry and/or creating a host-based |
| ate follow on behaviors (Citation: LemonDuck). | | firewall rule to block traffic to specific hosts responsibl |
| | | e for aggregating events, such as security information and e |
| | | vent management (SIEM) products. In Linux environments, adv |
| | | ersaries may disable or reconfigure log processing tools suc |
| | | h as syslog or nxlog to inhibit detection and monitoring cap |
| | | abilities to facilitate follow on behaviors (Citation: Lemon |
| | | Duck). |
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| external_references | | Palantir. (2018, December 24). Tampering with Windows Event Tracing: Background, Offense, and Defense. Retrieved June 7, 2019. |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | CAPEC-571 | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-06-30 16:44:16.962000+00:00 | 2023-04-12 15:25:10.496000+00:00 |
| description | An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting (Citation: Microsoft Lamin Sept 2017) or even disabling host-based sensors, such as Event Tracing for Windows (ETW),(Citation: Microsoft About Event Tracing 2018) by tampering settings that control the collection and flow of event telemetry. (Citation: Medium Event Tracing Tampering 2018) These settings may be stored on the system in configuration files and/or in the Registry as well as being accessible via administrative utilities such as [PowerShell](https://attack.mitre.org/techniques/T1059/001) or [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047).
ETW interruption can be achieved multiple ways, however most directly by defining conditions using the [PowerShell](https://attack.mitre.org/techniques/T1059/001) Set-EtwTraceProvider cmdlet or by interfacing directly with the Registry to make alterations.
In the case of network-based reporting of indicators, an adversary may block traffic associated with reporting to prevent central analysis. This may be accomplished by many means, such as stopping a local process responsible for forwarding telemetry and/or creating a host-based firewall rule to block traffic to specific hosts responsible for aggregating events, such as security information and event management (SIEM) products.
In Linux environments, adversaries may disable or reconfigure log processing tools such as syslog or nxlog to inhibit detection and monitoring capabilities to facilitate follow on behaviors (Citation: LemonDuck). | An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting(Citation: Microsoft Lamin Sept 2017) or even disabling host-based sensors, such as Event Tracing for Windows (ETW)(Citation: Microsoft About Event Tracing 2018), by tampering settings that control the collection and flow of event telemetry.(Citation: Medium Event Tracing Tampering 2018) These settings may be stored on the system in configuration files and/or in the Registry as well as being accessible via administrative utilities such as [PowerShell](https://attack.mitre.org/techniques/T1059/001) or [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047).
For example, adversaries may modify the `File` value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security to hide their malicious actions in a new or different .evtx log file. This action does not require a system reboot and takes effect immediately.(Citation: disable_win_evt_logging)
ETW interruption can be achieved multiple ways, however most directly by defining conditions using the [PowerShell](https://attack.mitre.org/techniques/T1059/001) Set-EtwTraceProvider cmdlet or by interfacing directly with the Registry to make alterations.
In the case of network-based reporting of indicators, an adversary may block traffic associated with reporting to prevent central analysis. This may be accomplished by many means, such as stopping a local process responsible for forwarding telemetry and/or creating a host-based firewall rule to block traffic to specific hosts responsible for aggregating events, such as security information and event management (SIEM) products.
In Linux environments, adversaries may disable or reconfigure log processing tools such as syslog or nxlog to inhibit detection and monitoring capabilities to facilitate follow on behaviors (Citation: LemonDuck). |
| external_references[1]['source_name'] | LemonDuck | disable_win_evt_logging |
| external_references[1]['description'] | Manoj Ahuje. (2022, April 21). LemonDuck Targets Docker for Cryptomining Operations. Retrieved June 30, 2022. | Heiligenstein, L. (n.d.). REP-25: Disable Windows Event Logging. Retrieved April 7, 2022. |
| external_references[1]['url'] | https://www.crowdstrike.com/blog/lemonduck-botnet-targets-docker-for-cryptomining-operations/ | https://ptylu.github.io/content/report/report.html?report=25 |
| external_references[2]['source_name'] | Microsoft Lamin Sept 2017 | LemonDuck |
| external_references[2]['description'] | Microsoft. (2009, May 17). Backdoor:Win32/Lamin.A. Retrieved September 6, 2018. | Manoj Ahuje. (2022, April 21). LemonDuck Targets Docker for Cryptomining Operations. Retrieved June 30, 2022. |
| external_references[2]['url'] | https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Backdoor:Win32/Lamin.A | https://www.crowdstrike.com/blog/lemonduck-botnet-targets-docker-for-cryptomining-operations/ |
| external_references[3]['source_name'] | Microsoft About Event Tracing 2018 | Microsoft Lamin Sept 2017 |
| external_references[3]['description'] | Microsoft. (2018, May 30). About Event Tracing. Retrieved June 7, 2019. | Microsoft. (2009, May 17). Backdoor:Win32/Lamin.A. Retrieved September 6, 2018. |
| external_references[3]['url'] | https://docs.microsoft.com/en-us/windows/desktop/etw/consuming-events | https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Backdoor:Win32/Lamin.A |
| external_references[4]['source_name'] | Medium Event Tracing Tampering 2018 | Microsoft About Event Tracing 2018 |
| external_references[4]['description'] | Palantir. (2018, December 24). Tampering with Windows Event Tracing: Background, Offense, and Defense. Retrieved June 7, 2019. | Microsoft. (2018, May 30). About Event Tracing. Retrieved June 7, 2019. |
| external_references[4]['url'] | https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63 | https://docs.microsoft.com/en-us/windows/desktop/etw/consuming-events |
| external_references[5]['source_name'] | capec | Medium Event Tracing Tampering 2018 |
| external_references[5]['url'] | https://capec.mitre.org/data/definitions/571.html | https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.1 | 1.2 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_contributors | | Lucas Heiligenstein |
| x_mitre_data_sources | | Windows Registry: Windows Registry Key Modification |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | Windows Registry: Windows Registry Key Modification | |
[T1070] Indicator Removal
Current version: 2.1
Version changed from: 2.0 → 2.1
Dropped Mitigations:
- T1070: Indicator Removal on Host Mitigation
New Detections:
- DS0002: User Account (User Account Deletion)
- DS0015: Application Log (Application Log Content)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-21 16:12:54.457000+00:00 | 2023-04-11 22:27:54.003000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_data_sources[1] | Network Traffic: Network Traffic Content | File: File Modification |
| x_mitre_data_sources[2] | File: File Modification | Windows Registry: Windows Registry Key Deletion |
| x_mitre_data_sources[3] | File: File Deletion | Windows Registry: Windows Registry Key Modification |
| x_mitre_data_sources[4] | Command: Command Execution | User Account: User Account Deletion |
| x_mitre_data_sources[5] | Windows Registry: Windows Registry Key Modification | File: File Metadata |
| x_mitre_data_sources[6] | File: File Metadata | User Account: User Account Authentication |
| x_mitre_data_sources[8] | Scheduled Job: Scheduled Job Modification | Command: Command Execution |
| x_mitre_data_sources[10] | Windows Registry: Windows Registry Key Deletion | Scheduled Job: Scheduled Job Modification |
| x_mitre_data_sources[11] | User Account: User Account Authentication | Network Traffic: Network Traffic Content |
| x_mitre_version | 2.0 | 2.1 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | | Application Log: Application Log Content |
| x_mitre_data_sources | | File: File Deletion |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/93.html', 'external_id': 'CAPEC-93'} | |
[T1105] Ingress Tool Transfer
Current version: 2.2
Version changed from: 2.1 → 2.2
|
|
|---|
| t | Adversaries may transfer tools or other files from an extern | t | Adversaries may transfer tools or other files from an extern |
| al system into a compromised environment. Tools or files may | | al system into a compromised environment. Tools or files may |
| be copied from an external adversary-controlled system to t | | be copied from an external adversary-controlled system to t |
| he victim network through the command and control channel or | | he victim network through the command and control channel or |
| through alternate protocols such as [ftp](https://attack.mi | | through alternate protocols such as [ftp](https://attack.mi |
| tre.org/software/S0095). Once present, adversaries may also | | tre.org/software/S0095). Once present, adversaries may also |
| transfer/spread tools between victim devices within a compro | | transfer/spread tools between victim devices within a compro |
| mised environment (i.e. [Lateral Tool Transfer](https://atta | | mised environment (i.e. [Lateral Tool Transfer](https://atta |
| ck.mitre.org/techniques/T1570)). Files can also be transfe | | ck.mitre.org/techniques/T1570)). Files can also be transfe |
| rred using various [Web Service](https://attack.mitre.org/te | | rred using various [Web Service](https://attack.mitre.org/te |
| chniques/T1102)s as well as native or otherwise present tool | | chniques/T1102)s as well as native or otherwise present tool |
| s on the victim system.(Citation: PTSecurity Cobalt Dec 2016 | | s on the victim system.(Citation: PTSecurity Cobalt Dec 2016 |
| ) On Windows, adversaries may use various utilities to down | | ) On Windows, adversaries may use various utilities to down |
| load tools, such as `copy`, `finger`, and [PowerShell](https | | load tools, such as `copy`, `finger`, [certutil](https://att |
| ://attack.mitre.org/techniques/T1059/001) commands such as < | | ack.mitre.org/software/S0160), and [PowerShell](https://atta |
| code>IEX(New-Object Net.WebClient).downloadString()</code> a | | ck.mitre.org/techniques/T1059/001) commands such as <code>IE |
| nd <code>Invoke-WebRequest</code>. On Linux and macOS system | | X(New-Object Net.WebClient).downloadString()</code> and <cod |
| s, a variety of utilities also exist, such as `curl`, `scp`, | | e>Invoke-WebRequest</code>. On Linux and macOS systems, a va |
| `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1 | | riety of utilities also exist, such as `curl`, `scp`, `sftp` |
| 105_lolbas) | | , `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lol |
| | | bas) |
Dropped Mitigations:
- T1105: Remote File Copy Mitigation
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-05-20 17:38:35.985000+00:00 | 2023-04-14 19:27:57.370000+00:00 |
| description | Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as [ftp](https://attack.mitre.org/software/S0095). Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)).
Files can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016)
On Windows, adversaries may use various utilities to download tools, such as `copy`, `finger`, and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as IEX(New-Object Net.WebClient).downloadString() and Invoke-WebRequest. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas) | Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as [ftp](https://attack.mitre.org/software/S0095). Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)).
Files can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016)
On Windows, adversaries may use various utilities to download tools, such as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as IEX(New-Object Net.WebClient).downloadString() and Invoke-WebRequest. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas) |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 2.1 | 2.2 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_contributors | | Mark Wee |
| x_mitre_data_sources | | Network Traffic: Network Connection Creation |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | Network Traffic: Network Connection Creation | |
[T1490] Inhibit System Recovery
Current version: 1.2
Version changed from: 1.1 → 1.2
|
|
|---|
| t | Adversaries may delete or remove built-in operating system d | t | Adversaries may delete or remove built-in data and turn off |
| ata and turn off services designed to aid in the recovery of | | services designed to aid in the recovery of a corrupted syst |
| a corrupted system to prevent recovery.(Citation: Talos Oly | | em to prevent recovery.(Citation: Talos Olympic Destroyer 20 |
| mpic Destroyer 2018)(Citation: FireEye WannaCry 2017) This m | | 18)(Citation: FireEye WannaCry 2017) This may deny access to |
| ay deny access to available backups and recovery options. O | | available backups and recovery options. Operating systems |
| perating systems may contain features that can help fix corr | | may contain features that can help fix corrupted systems, su |
| upted systems, such as a backup catalog, volume shadow copie | | ch as a backup catalog, volume shadow copies, and automatic |
| s, and automatic repair features. Adversaries may disable or | | repair features. Adversaries may disable or delete system re |
| delete system recovery features to augment the effects of [ | | covery features to augment the effects of [Data Destruction] |
| Data Destruction](https://attack.mitre.org/techniques/T1485) | | (https://attack.mitre.org/techniques/T1485) and [Data Encryp |
| and [Data Encrypted for Impact](https://attack.mitre.org/te | | ted for Impact](https://attack.mitre.org/techniques/T1486).( |
| chniques/T1486).(Citation: Talos Olympic Destroyer 2018)(Cit | | Citation: Talos Olympic Destroyer 2018)(Citation: FireEye Wa |
| ation: FireEye WannaCry 2017) A number of native Windows ut | | nnaCry 2017) Furthermore, adversaries may disable recovery n |
| ilities have been used by adversaries to disable or delete s | | otifications, then corrupt backups.(Citation: disable_notif_ |
| ystem recovery features: * <code>vssadmin.exe</code> can be | | synology_ransom) A number of native Windows utilities have |
| used to delete all volume shadow copies on a system - <code | | been used by adversaries to disable or delete system recover |
| >vssadmin.exe delete shadows /all /quiet</code> * [Windows M | | y features: * <code>vssadmin.exe</code> can be used to dele |
| anagement Instrumentation](https://attack.mitre.org/techniqu | | te all volume shadow copies on a system - <code>vssadmin.exe |
| es/T1047) can be used to delete volume shadow copies - <code | | delete shadows /all /quiet</code> * [Windows Management Ins |
| >wmic shadowcopy delete</code> * <code>wbadmin.exe</code> ca | | trumentation](https://attack.mitre.org/techniques/T1047) can |
| n be used to delete the Windows Backup Catalog - <code>wbadm | | be used to delete volume shadow copies - <code>wmic shadowc |
| in.exe delete catalog -quiet</code> * <code>bcdedit.exe</cod | | opy delete</code> * <code>wbadmin.exe</code> can be used to |
| e> can be used to disable automatic Windows recovery feature | | delete the Windows Backup Catalog - <code>wbadmin.exe delete |
| s by modifying boot configuration data - <code>bcdedit.exe / | | catalog -quiet</code> * <code>bcdedit.exe</code> can be use |
| set {default} bootstatuspolicy ignoreallfailures & bcdedit / | | d to disable automatic Windows recovery features by modifyin |
| set {default} recoveryenabled no</code> | | g boot configuration data - <code>bcdedit.exe /set {default} |
| | | bootstatuspolicy ignoreallfailures & bcdedit /set {default} |
| | | recoveryenabled no</code> * <code>REAgentC.exe</code> can b |
| | | e used to disable Windows Recovery Environment (WinRE) repai |
| | | r/recovery options of an infected system On network devices |
| | | , adversaries may leverage [Disk Wipe](https://attack.mitre. |
| | | org/techniques/T1561) to delete backup firmware images and r |
| | | eformat the file system, then [System Shutdown/Reboot](https |
| | | ://attack.mitre.org/techniques/T1529) to reload the device. |
| | | Together this activity may leave network devices completely |
| | | inoperable and inhibit recovery operations. Adversaries may |
| | | also delete “online” backups that are connected to their ne |
| | | twork – whether via network storage media or through folders |
| | | that sync to cloud services.(Citation: ZDNet Ransomware Bac |
| | | kups 2020) In cloud environments, adversaries may disable ve |
| | | rsioning and backup policies and delete snapshots, machine i |
| | | mages, and prior versions of objects designed to be used in |
| | | disaster recovery scenarios.(Citation: Dark Reading Code Spa |
| | | ces Cyber Attack)(Citation: Rhino Security Labs AWS S3 Ranso |
| | | mware) |
New Mitigations:
- M1018: User Account Management
Dropped Mitigations:
- T1490: Inhibit System Recovery Mitigation
New Detections:
- DS0010: Cloud Storage (Cloud Storage Deletion)
- DS0020: Snapshot (Snapshot Deletion)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-19 23:26:59.186000+00:00 | 2023-04-14 23:09:55.976000+00:00 |
| description | Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) This may deny access to available backups and recovery options.
Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486).(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017)
A number of native Windows utilities have been used by adversaries to disable or delete system recovery features:
* vssadmin.exe can be used to delete all volume shadow copies on a system - vssadmin.exe delete shadows /all /quiet
* [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) can be used to delete volume shadow copies - wmic shadowcopy delete
* wbadmin.exe can be used to delete the Windows Backup Catalog - wbadmin.exe delete catalog -quiet
* bcdedit.exe can be used to disable automatic Windows recovery features by modifying boot configuration data - bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no | Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) This may deny access to available backups and recovery options.
Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486).(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) Furthermore, adversaries may disable recovery notifications, then corrupt backups.(Citation: disable_notif_synology_ransom)
A number of native Windows utilities have been used by adversaries to disable or delete system recovery features:
* vssadmin.exe can be used to delete all volume shadow copies on a system - vssadmin.exe delete shadows /all /quiet
* [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) can be used to delete volume shadow copies - wmic shadowcopy delete
* wbadmin.exe can be used to delete the Windows Backup Catalog - wbadmin.exe delete catalog -quiet
* bcdedit.exe can be used to disable automatic Windows recovery features by modifying boot configuration data - bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
* REAgentC.exe can be used to disable Windows Recovery Environment (WinRE) repair/recovery options of an infected system
On network devices, adversaries may leverage [Disk Wipe](https://attack.mitre.org/techniques/T1561) to delete backup firmware images and reformat the file system, then [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations.
Adversaries may also delete “online” backups that are connected to their network – whether via network storage media or through folders that sync to cloud services.(Citation: ZDNet Ransomware Backups 2020) In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.(Citation: Dark Reading Code Spaces Cyber Attack)(Citation: Rhino Security Labs AWS S3 Ransomware) |
| external_references[1]['source_name'] | FireEye WannaCry 2017 | Dark Reading Code Spaces Cyber Attack |
| external_references[1]['description'] | Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019. | Brian Prince. (2014, June 20). Code Hosting Service Shuts Down After Cyber Attack. Retrieved March 21, 2023. |
| external_references[1]['url'] | https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html | https://www.darkreading.com/attacks-breaches/code-hosting-service-shuts-down-after-cyber-attack |
| external_references[2]['source_name'] | Talos Olympic Destroyer 2018 | FireEye WannaCry 2017 |
| external_references[2]['description'] | Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019. | Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019. |
| external_references[2]['url'] | https://blog.talosintelligence.com/2018/02/olympic-destroyer.html | https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_data_sources[0] | Service: Service Metadata | Command: Command Execution |
| x_mitre_data_sources[2] | File: File Deletion | Snapshot: Snapshot Deletion |
| x_mitre_data_sources[4] | Command: Command Execution | Cloud Storage: Cloud Storage Deletion |
| x_mitre_detection | Use process monitoring to monitor the execution and command line parameters of binaries involved in inhibiting system recovery, such as vssadmin, wbadmin, and bcdedit. The Windows event logs, ex. Event ID 524 indicating a system catalog was deleted, may contain entries associated with suspicious activity.
Monitor the status of services involved in system recovery. Monitor the registry for changes associated with system recovery features (ex: the creation of HKEY_CURRENT_USER\Software\Policies\Microsoft\PreviousVersions\DisableLocalPage). | Use process monitoring to monitor the execution and command line parameters of binaries involved in inhibiting system recovery, such as vssadmin, wbadmin, bcdedit and REAgentC. The Windows event logs, ex. Event ID 524 indicating a system catalog was deleted, may contain entries associated with suspicious activity.
Monitor the status of services involved in system recovery. Monitor the registry for changes associated with system recovery features (ex: the creation of HKEY_CURRENT_USER\Software\Policies\Microsoft\PreviousVersions\DisableLocalPage).
For network infrastructure devices, collect AAA logging to monitor for `erase`, `format`, and `reload` commands being run in succession. |
| x_mitre_version | 1.1 | 1.2 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| external_references | | {'source_name': 'Talos Olympic Destroyer 2018', 'description': 'Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019.', 'url': 'https://blog.talosintelligence.com/2018/02/olympic-destroyer.html'} |
| external_references | | {'source_name': 'Rhino Security Labs AWS S3 Ransomware', 'description': 'Spencer Gietzen. (n.d.). AWS Simple Storage Service S3 Ransomware Part 2: Prevention and Defense. Retrieved March 21, 2023.', 'url': 'https://rhinosecuritylabs.com/aws/s3-ransomware-part-2-prevention-and-defense/'} |
| external_references | | {'source_name': 'ZDNet Ransomware Backups 2020', 'description': 'Steve Ranger. (2020, February 27). Ransomware victims thought their backups were safe. They were wrong. Retrieved March 21, 2023.', 'url': 'https://www.zdnet.com/article/ransomware-victims-thought-their-backups-were-safe-they-were-wrong/'} |
| external_references | | {'source_name': 'disable_notif_synology_ransom', 'description': 'TheDFIRReport. (2022, March 1). Disabling notifications on Synology servers before ransom. Retrieved October 19, 2022.', 'url': 'https://twitter.com/TheDFIRReport/status/1498657590259109894'} |
| x_mitre_contributors | | Austin Clark, @c2defense |
| x_mitre_contributors | | Pallavi Sivakumaran |
| x_mitre_data_sources | | File: File Deletion |
| x_mitre_data_sources | | Service: Service Metadata |
| x_mitre_platforms | | Network |
| x_mitre_platforms | | IaaS |
[T1003.001] OS Credential Dumping: LSASS Memory
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-06 16:16:53.388000+00:00 | 2023-04-03 18:54:21.492000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.1 | 1.2 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | | Command: Command Execution |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | Command: Command Execution | |
[T1608.005] Stage Capabilities: Link Target
Current version: 1.3
Version changed from: 1.2 → 1.3
|
|
|---|
| t | Adversaries may put in place resources that are referenced b | t | Adversaries may put in place resources that are referenced b |
| y a link that can be used during targeting. An adversary may | | y a link that can be used during targeting. An adversary may |
| rely upon a user clicking a malicious link in order to divu | | rely upon a user clicking a malicious link in order to divu |
| lge information (including credentials) or to gain execution | | lge information (including credentials) or to gain execution |
| , as in [Malicious Link](https://attack.mitre.org/techniques | | , as in [Malicious Link](https://attack.mitre.org/techniques |
| /T1204/001). Links can be used for spearphishing, such as se | | /T1204/001). Links can be used for spearphishing, such as se |
| nding an email accompanied by social engineering text to coa | | nding an email accompanied by social engineering text to coa |
| x the user to actively click or copy and paste a URL into a | | x the user to actively click or copy and paste a URL into a |
| browser. Prior to a phish for information (as in [Spearphish | | browser. Prior to a phish for information (as in [Spearphish |
| ing Link](https://attack.mitre.org/techniques/T1598/003)) or | | ing Link](https://attack.mitre.org/techniques/T1598/003)) or |
| a phish to gain initial access to a system (as in [Spearphi | | a phish to gain initial access to a system (as in [Spearphi |
| shing Link](https://attack.mitre.org/techniques/T1566/002)), | | shing Link](https://attack.mitre.org/techniques/T1566/002)), |
| an adversary must set up the resources for a link target fo | | an adversary must set up the resources for a link target fo |
| r the spearphishing link. Typically, the resources for a l | | r the spearphishing link. Typically, the resources for a l |
| ink target will be an HTML page that may include some client | | ink target will be an HTML page that may include some client |
| -side script such as [JavaScript](https://attack.mitre.org/t | | -side script such as [JavaScript](https://attack.mitre.org/t |
| echniques/T1059/007) to decide what content to serve to the | | echniques/T1059/007) to decide what content to serve to the |
| user. Adversaries may clone legitimate sites to serve as the | | user. Adversaries may clone legitimate sites to serve as the |
| link target, this can include cloning of login pages of leg | | link target, this can include cloning of login pages of leg |
| itimate web services or organization login pages in an effor | | itimate web services or organization login pages in an effor |
| t to harvest credentials during [Spearphishing Link](https:/ | | t to harvest credentials during [Spearphishing Link](https:/ |
| /attack.mitre.org/techniques/T1598/003).(Citation: Malwareby | | /attack.mitre.org/techniques/T1598/003).(Citation: Malwareby |
| tes Silent Librarian October 2020)(Citation: Proofpoint TA40 | | tes Silent Librarian October 2020)(Citation: Proofpoint TA40 |
| 7 September 2019) Adversaries may also [Upload Malware](http | | 7 September 2019) Adversaries may also [Upload Malware](http |
| s://attack.mitre.org/techniques/T1608/001) and have the link | | s://attack.mitre.org/techniques/T1608/001) and have the link |
| target point to malware for download/execution by the user. | | target point to malware for download/execution by the user. |
| Adversaries may purchase domains similar to legitimate dom | | Adversaries may purchase domains similar to legitimate dom |
| ains (ex: homoglyphs, typosquatting, different top-level dom | | ains (ex: homoglyphs, typosquatting, different top-level dom |
| ain, etc.) during acquisition of infrastructure ([Domains](h | | ain, etc.) during acquisition of infrastructure ([Domains](h |
| ttps://attack.mitre.org/techniques/T1583/001)) to help facil | | ttps://attack.mitre.org/techniques/T1583/001)) to help facil |
| itate [Malicious Link](https://attack.mitre.org/techniques/T | | itate [Malicious Link](https://attack.mitre.org/techniques/T |
| 1204/001). Link shortening services can also be employed. Ad | | 1204/001). Link shortening services can also be employed. Ad |
| versaries may also use free or paid accounts on Platform-as- | | versaries may also use free or paid accounts on Platform-as- |
| a-Service providers to host link targets while taking advant | | a-Service providers to host link targets while taking advant |
| age of the widely trusted domains of those providers to avoi | | age of the widely trusted domains of those providers to avoi |
| d being blocked.(Citation: Netskope GCP Redirection)(Citatio | | d being blocked.(Citation: Netskope GCP Redirection)(Citatio |
| n: Netskope Cloud Phishing)(Citation: Intezer App Service Ph | | n: Netskope Cloud Phishing)(Citation: Intezer App Service Ph |
| ishing) | | ishing) Finally, adversaries may take advantage of the decen |
| | | tralized nature of the InterPlanetary File System (IPFS) to |
| | | host link targets that are difficult to remove.(Citation: Ta |
| | | los IPFS 2022) |
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_contributors | | ['Goldstein Menachem'] |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-20 20:15:57.855000+00:00 | 2023-04-11 23:20:48.603000+00:00 |
| description | Adversaries may put in place resources that are referenced by a link that can be used during targeting. An adversary may rely upon a user clicking a malicious link in order to divulge information (including credentials) or to gain execution, as in [Malicious Link](https://attack.mitre.org/techniques/T1204/001). Links can be used for spearphishing, such as sending an email accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser. Prior to a phish for information (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003)) or a phish to gain initial access to a system (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002)), an adversary must set up the resources for a link target for the spearphishing link.
Typically, the resources for a link target will be an HTML page that may include some client-side script such as [JavaScript](https://attack.mitre.org/techniques/T1059/007) to decide what content to serve to the user. Adversaries may clone legitimate sites to serve as the link target, this can include cloning of login pages of legitimate web services or organization login pages in an effort to harvest credentials during [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003).(Citation: Malwarebytes Silent Librarian October 2020)(Citation: Proofpoint TA407 September 2019) Adversaries may also [Upload Malware](https://attack.mitre.org/techniques/T1608/001) and have the link target point to malware for download/execution by the user.
Adversaries may purchase domains similar to legitimate domains (ex: homoglyphs, typosquatting, different top-level domain, etc.) during acquisition of infrastructure ([Domains](https://attack.mitre.org/techniques/T1583/001)) to help facilitate [Malicious Link](https://attack.mitre.org/techniques/T1204/001). Link shortening services can also be employed. Adversaries may also use free or paid accounts on Platform-as-a-Service providers to host link targets while taking advantage of the widely trusted domains of those providers to avoid being blocked.(Citation: Netskope GCP Redirection)(Citation: Netskope Cloud Phishing)(Citation: Intezer App Service Phishing) | Adversaries may put in place resources that are referenced by a link that can be used during targeting. An adversary may rely upon a user clicking a malicious link in order to divulge information (including credentials) or to gain execution, as in [Malicious Link](https://attack.mitre.org/techniques/T1204/001). Links can be used for spearphishing, such as sending an email accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser. Prior to a phish for information (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003)) or a phish to gain initial access to a system (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002)), an adversary must set up the resources for a link target for the spearphishing link.
Typically, the resources for a link target will be an HTML page that may include some client-side script such as [JavaScript](https://attack.mitre.org/techniques/T1059/007) to decide what content to serve to the user. Adversaries may clone legitimate sites to serve as the link target, this can include cloning of login pages of legitimate web services or organization login pages in an effort to harvest credentials during [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003).(Citation: Malwarebytes Silent Librarian October 2020)(Citation: Proofpoint TA407 September 2019) Adversaries may also [Upload Malware](https://attack.mitre.org/techniques/T1608/001) and have the link target point to malware for download/execution by the user.
Adversaries may purchase domains similar to legitimate domains (ex: homoglyphs, typosquatting, different top-level domain, etc.) during acquisition of infrastructure ([Domains](https://attack.mitre.org/techniques/T1583/001)) to help facilitate [Malicious Link](https://attack.mitre.org/techniques/T1204/001). Link shortening services can also be employed. Adversaries may also use free or paid accounts on Platform-as-a-Service providers to host link targets while taking advantage of the widely trusted domains of those providers to avoid being blocked.(Citation: Netskope GCP Redirection)(Citation: Netskope Cloud Phishing)(Citation: Intezer App Service Phishing) Finally, adversaries may take advantage of the decentralized nature of the InterPlanetary File System (IPFS) to host link targets that are difficult to remove.(Citation: Talos IPFS 2022) |
| external_references[3]['source_name'] | Malwarebytes Silent Librarian October 2020 | Talos IPFS 2022 |
| external_references[3]['description'] | Malwarebytes Threat Intelligence Team. (2020, October 14). Silent Librarian APT right on schedule for 20/21 academic year. Retrieved February 3, 2021. | Edmund Brumaghin. (2022, November 9). Threat Spotlight: Cyber Criminal Adoption of IPFS for Phishing, Malware Campaigns. Retrieved March 8, 2023. |
| external_references[3]['url'] | https://blog.malwarebytes.com/malwarebytes-news/2020/10/silent-librarian-apt-phishing-attack/ | https://blog.talosintelligence.com/ipfs-abuse/ |
| external_references[4]['source_name'] | Intezer App Service Phishing | Malwarebytes Silent Librarian October 2020 |
| external_references[4]['description'] | Paul Litvak. (2020, October 8). Kud I Enter Your Server? New Vulnerabilities in Microsoft Azure. Retrieved August 18, 2022. | Malwarebytes Threat Intelligence Team. (2020, October 14). Silent Librarian APT right on schedule for 20/21 academic year. Retrieved February 3, 2021. |
| external_references[4]['url'] | https://www.intezer.com/blog/malware-analysis/kud-i-enter-your-server-new-vulnerabilities-in-microsoft-azure/ | https://blog.malwarebytes.com/malwarebytes-news/2020/10/silent-librarian-apt-phishing-attack/ |
| external_references[5]['source_name'] | Proofpoint TA407 September 2019 | Intezer App Service Phishing |
| external_references[5]['description'] | Proofpoint Threat Insight Team. (2019, September 5). Threat Actor Profile: TA407, the Silent Librarian. Retrieved February 3, 2021. | Paul Litvak. (2020, October 8). Kud I Enter Your Server? New Vulnerabilities in Microsoft Azure. Retrieved August 18, 2022. |
| external_references[5]['url'] | https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta407-silent-librarian | https://www.intezer.com/blog/malware-analysis/kud-i-enter-your-server-new-vulnerabilities-in-microsoft-azure/ |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.2 | 1.3 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| external_references | | {'source_name': 'Proofpoint TA407 September 2019', 'description': 'Proofpoint Threat Insight Team. (2019, September 5). Threat Actor Profile: TA407, the Silent Librarian. Retrieved February 3, 2021.', 'url': 'https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta407-silent-librarian'} |
[T1087.001] Account Discovery: Local Account
Current version: 1.4
Version changed from: 1.3 → 1.4
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-08-25 13:04:39.404000+00:00 | 2023-04-13 17:20:22.867000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_data_sources[0] | Process: Process Creation | Command: Command Execution |
| x_mitre_data_sources[1] | Process: OS API Execution | File: File Access |
| x_mitre_data_sources[2] | File: File Access | Process: OS API Execution |
| x_mitre_data_sources[3] | Command: Command Execution | Process: Process Creation |
| x_mitre_version | 1.3 | 1.4 |
[T1136.001] Create Account: Local Account
Current version: 1.2
Version changed from: 1.1 → 1.2
|
|
|---|
| t | Adversaries may create a local account to maintain access to | t | Adversaries may create a local account to maintain access to |
| victim systems. Local accounts are those configured by an o | | victim systems. Local accounts are those configured by an o |
| rganization for use by users, remote support, services, or f | | rganization for use by users, remote support, services, or f |
| or administration on a single system or service. With a suff | | or administration on a single system or service. With a suff |
| icient level of access, the <code>net user /add</code> comma | | icient level of access, the <code>net user /add</code> comma |
| nd can be used to create a local account. On macOS systems t | | nd can be used to create a local account. On macOS systems t |
| he <code>dscl -create</code> command can be used to create a | | he <code>dscl -create</code> command can be used to create a |
| local account. Such accounts may be used to establish seco | | local account. Local accounts may also be added to network |
| ndary credentialed access that do not require persistent rem | | devices, often via common [Network Device CLI](https://attac |
| ote access tools to be deployed on the system. | | k.mitre.org/techniques/T1059/008) commands such as <code>use |
| | | rname</code>.(Citation: cisco_username_cmd) Such accounts m |
| | | ay be used to establish secondary credentialed access that d |
| | | o not require persistent remote access tools to be deployed |
| | | on the system. |
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_contributors | | ['Austin Clark, @c2defense'] |
| x_mitre_deprecated | | False |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_permissions_required | ['Administrator'] | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-08-12 13:04:14.248000+00:00 | 2023-04-12 23:23:35.209000+00:00 |
| description | Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. With a sufficient level of access, the net user /add command can be used to create a local account. On macOS systems the dscl -create command can be used to create a local account.
Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system. | Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. With a sufficient level of access, the net user /add command can be used to create a local account. On macOS systems the dscl -create command can be used to create a local account. Local accounts may also be added to network devices, often via common [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as username.(Citation: cisco_username_cmd)
Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system. |
| external_references[1]['source_name'] | Microsoft User Creation Event | cisco_username_cmd |
| external_references[1]['description'] | Lich, B., Miroshnikov, A. (2017, April 5). 4720(S): A user account was created. Retrieved June 30, 2017. | Cisco. (2023, March 6). username - Cisco IOS Security Command Reference: Commands S to Z. Retrieved July 13, 2022. |
| external_references[1]['url'] | https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720 | https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-t2.html#wp1047035630 |
| x_mitre_detection | Monitor for processes and command-line parameters associated with local account creation, such as net user /add , useradd , and dscl -create . Collect data on account creation within a network. Event ID 4720 is generated when a user account is created on a Windows system. (Citation: Microsoft User Creation Event) Perform regular audits of local system accounts to detect suspicious accounts that may have been created by an adversary. | Monitor for processes and command-line parameters associated with local account creation, such as net user /add , useradd , and dscl -create . Collect data on account creation within a network. Event ID 4720 is generated when a user account is created on a Windows system. (Citation: Microsoft User Creation Event) Perform regular audits of local system accounts to detect suspicious accounts that may have been created by an adversary. For network infrastructure devices, collect AAA logging to monitor for account creations. |
| x_mitre_version | 1.1 | 1.2 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| external_references | | {'source_name': 'Microsoft User Creation Event', 'description': 'Lich, B., Miroshnikov, A. (2017, April 5). 4720(S): A user account was created. Retrieved June 30, 2017.', 'url': 'https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720'} |
| x_mitre_platforms | | Network |
[T1078.003] Valid Accounts: Local Accounts
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-10-18 17:45:48.323000+00:00 | 2023-04-13 17:17:49.889000+00:00 |
| x_mitre_version | 1.2 | 1.3 |
[T1069.001] Permission Groups Discovery: Local Groups
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-08-25 13:03:08.484000+00:00 | 2023-04-07 17:14:42.184000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.1 | 1.2 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | | Process: Process Creation |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | Process: Process Creation | |
[T1134.003] Access Token Manipulation: Make and Impersonate Token
Current version: 1.1
Version changed from: 1.0 → 1.1
|
|
|---|
| t | Adversaries may make and impersonate tokens to escalate priv | t | Adversaries may make new tokens and impersonate users to esc |
| ileges and bypass access controls. If an adversary has a use | | alate privileges and bypass access controls. For example, if |
| rname and password but the user is not logged onto the syste | | an adversary has a username and password but the user is no |
| m, the adversary can then create a logon session for the use | | t logged onto the system the adversary can then create a log |
| r using the <code>LogonUser</code> function. The function wi | | on session for the user using the `LogonUser` function. The |
| ll return a copy of the new session's access token and the a | | function will return a copy of the new session's access toke |
| dversary can use <code>SetThreadToken</code> to assign the t | | n and the adversary can use `SetThreadToken` to assign the t |
| oken to a thread. | | oken to a thread. This behavior is distinct from [Token Imp |
| | | ersonation/Theft](https://attack.mitre.org/techniques/T1134/ |
| | | 001) in that this refers to creating a new user token instea |
| | | d of stealing or duplicating an existing one. |
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_contributors | | ['Jonny Johnson'] |
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2020-02-18 18:03:37.481000+00:00 | 2023-04-11 21:22:17.257000+00:00 |
| description | Adversaries may make and impersonate tokens to escalate privileges and bypass access controls. If an adversary has a username and password but the user is not logged onto the system, the adversary can then create a logon session for the user using the LogonUser function. The function will return a copy of the new session's access token and the adversary can use SetThreadToken to assign the token to a thread. | Adversaries may make new tokens and impersonate users to escalate privileges and bypass access controls. For example, if an adversary has a username and password but the user is not logged onto the system the adversary can then create a logon session for the user using the `LogonUser` function. The function will return a copy of the new session's access token and the adversary can use `SetThreadToken` to assign the token to a thread.
This behavior is distinct from [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) in that this refers to creating a new user token instead of stealing or duplicating an existing one. |
| x_mitre_data_sources[0] | Process: OS API Execution | Command: Command Execution |
| x_mitre_data_sources[1] | Command: Command Execution | Process: OS API Execution |
| x_mitre_version | 1.0 | 1.1 |
[T1204.002] User Execution: Malicious File
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-05-20 17:19:50.801000+00:00 | 2023-04-21 12:22:19.740000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.2 | 1.3 |
[T1036] Masquerading
Current version: 1.5
Version changed from: 1.4 → 1.5
New Mitigations:
- M1040: Behavior Prevention on Endpoint
- M1049: Antivirus/Antimalware
Dropped Mitigations:
- T1036: Masquerading Mitigation
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-05-05 04:56:08.978000+00:00 | 2023-04-07 17:04:34.648000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_data_sources[0] | Service: Service Creation | File: File Modification |
| x_mitre_data_sources[1] | Scheduled Job: Scheduled Job Metadata | Service: Service Creation |
| x_mitre_data_sources[2] | Scheduled Job: Scheduled Job Modification | Scheduled Job: Scheduled Job Metadata |
| x_mitre_data_sources[3] | Service: Service Metadata | Scheduled Job: Scheduled Job Modification |
| x_mitre_data_sources[4] | File: File Metadata | Process: Process Metadata |
| x_mitre_data_sources[7] | Process: Process Metadata | Service: Service Metadata |
| x_mitre_data_sources[8] | File: File Modification | File: File Metadata |
| x_mitre_version | 1.4 | 1.5 |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/177.html', 'external_id': 'CAPEC-177'} | |
[T1556] Modify Authentication Process
Current version: 2.3
Version changed from: 2.2 → 2.3
New Mitigations:
- M1024: Restrict Registry Permissions
New Detections:
- DS0024: Windows Registry (Windows Registry Key Creation)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-18 16:28:56.126000+00:00 | 2023-04-11 03:17:32.211000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_data_sources[0] | Windows Registry: Windows Registry Key Modification | Active Directory: Active Directory Object Modification |
| x_mitre_data_sources[2] | User Account: User Account Authentication | File: File Modification |
| x_mitre_data_sources[4] | File: File Creation | Application Log: Application Log Content |
| x_mitre_data_sources[5] | Logon Session: Logon Session Creation | Windows Registry: Windows Registry Key Modification |
| x_mitre_data_sources[6] | File: File Modification | Process: OS API Execution |
| x_mitre_data_sources[7] | Application Log: Application Log Content | Process: Process Access |
| x_mitre_data_sources[8] | Process: OS API Execution | Logon Session: Logon Session Creation |
| x_mitre_data_sources[9] | Active Directory: Active Directory Object Modification | Windows Registry: Windows Registry Key Creation |
| x_mitre_data_sources[10] | Process: Process Access | User Account: User Account Authentication |
| x_mitre_version | 2.2 | 2.3 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | | File: File Creation |
[T1112] Modify Registry
Current version: 1.3
Version changed from: 1.2 → 1.3
Dropped Mitigations:
- T1112: Modify Registry Mitigation
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
| external_references | | Microsoft. (2012, April 17). Reg. Retrieved May 1, 2015. |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_permissions_required | ['User', 'Administrator', 'SYSTEM'] | |
| external_references | CAPEC-203 | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2020-08-13 20:02:49.641000+00:00 | 2023-04-21 12:19:38.962000+00:00 |
| external_references[1]['source_name'] | capec | Microsoft Reg |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/203.html | https://technet.microsoft.com/en-us/library/cc732643.aspx |
| external_references[2]['source_name'] | Microsoft Reg | Microsoft Remote |
| external_references[2]['description'] | Microsoft. (2012, April 17). Reg. Retrieved May 1, 2015. | Microsoft. (n.d.). Enable the Remote Registry Service. Retrieved May 1, 2015. |
| external_references[2]['url'] | https://technet.microsoft.com/en-us/library/cc732643.aspx | https://technet.microsoft.com/en-us/library/cc754820.aspx |
| external_references[3]['source_name'] | Microsoft Reghide NOV 2006 | Microsoft 4657 APR 2017 |
| external_references[3]['description'] | Russinovich, M. & Sharkey, K. (2006, January 10). Reghide. Retrieved August 9, 2018. | Miroshnikov, A. & Hall, J. (2017, April 18). 4657(S): A registry value was modified. Retrieved August 9, 2018. |
| external_references[3]['url'] | https://docs.microsoft.com/sysinternals/downloads/reghide | https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4657 |
| external_references[4]['source_name'] | TrendMicro POWELIKS AUG 2014 | SpectorOps Hiding Reg Jul 2017 |
| external_references[4]['description'] | Santos, R. (2014, August 1). POWELIKS: Malware Hides In Windows Registry. Retrieved August 9, 2018. | Reitz, B. (2017, July 14). Hiding Registry keys with PSReflect. Retrieved August 9, 2018. |
| external_references[4]['url'] | https://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-malware-hides-in-windows-registry/ | https://posts.specterops.io/hiding-registry-keys-with-psreflect-b18ec5ac8353 |
| external_references[5]['source_name'] | SpectorOps Hiding Reg Jul 2017 | Microsoft Reghide NOV 2006 |
| external_references[5]['description'] | Reitz, B. (2017, July 14). Hiding Registry keys with PSReflect. Retrieved August 9, 2018. | Russinovich, M. & Sharkey, K. (2006, January 10). Reghide. Retrieved August 9, 2018. |
| external_references[5]['url'] | https://posts.specterops.io/hiding-registry-keys-with-psreflect-b18ec5ac8353 | https://docs.microsoft.com/sysinternals/downloads/reghide |
| external_references[6]['source_name'] | Microsoft Remote | Microsoft RegDelNull July 2016 |
| external_references[6]['description'] | Microsoft. (n.d.). Enable the Remote Registry Service. Retrieved May 1, 2015. | Russinovich, M. & Sharkey, K. (2016, July 4). RegDelNull v1.11. Retrieved August 10, 2018. |
| external_references[6]['url'] | https://technet.microsoft.com/en-us/library/cc754820.aspx | https://docs.microsoft.com/en-us/sysinternals/downloads/regdelnull |
| external_references[7]['source_name'] | Microsoft 4657 APR 2017 | TrendMicro POWELIKS AUG 2014 |
| external_references[7]['description'] | Miroshnikov, A. & Hall, J. (2017, April 18). 4657(S): A registry value was modified. Retrieved August 9, 2018. | Santos, R. (2014, August 1). POWELIKS: Malware Hides In Windows Registry. Retrieved August 9, 2018. |
| external_references[7]['url'] | https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4657 | https://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-malware-hides-in-windows-registry/ |
| x_mitre_data_sources[0] | Process: Process Creation | Windows Registry: Windows Registry Key Deletion |
| x_mitre_data_sources[5] | Process: OS API Execution | Process: Process Creation |
| x_mitre_version | 1.2 | 1.3 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | | Process: OS API Execution |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'Microsoft RegDelNull July 2016', 'description': 'Russinovich, M. & Sharkey, K. (2016, July 4). RegDelNull v1.11. Retrieved August 10, 2018.', 'url': 'https://docs.microsoft.com/en-us/sysinternals/downloads/regdelnull'} | |
| x_mitre_data_sources | Windows Registry: Windows Registry Key Deletion | |
[T1111] Multi-Factor Authentication Interception
Current version: 2.1
Version changed from: 2.0 → 2.1
|
|
|---|
| t | Adversaries may target multi-factor authentication (MFA) mec | t | Adversaries may target multi-factor authentication (MFA) mec |
| hanisms, (I.e., smart cards, token generators, etc.) to gain | | hanisms, (i.e., smart cards, token generators, etc.) to gain |
| access to credentials that can be used to access systems, s | | access to credentials that can be used to access systems, s |
| ervices, and network resources. Use of MFA is recommended an | | ervices, and network resources. Use of MFA is recommended an |
| d provides a higher level of security than user names and pa | | d provides a higher level of security than usernames and pas |
| sswords alone, but organizations should be aware of techniqu | | swords alone, but organizations should be aware of technique |
| es that could be used to intercept and bypass these security | | s that could be used to intercept and bypass these security |
| mechanisms. If a smart card is used for multi-factor auth | | mechanisms. If a smart card is used for multi-factor authe |
| entication, then a keylogger will need to be used to obtain | | ntication, then a keylogger will need to be used to obtain t |
| the password associated with a smart card during normal use. | | he password associated with a smart card during normal use. |
| With both an inserted card and access to the smart card pas | | With both an inserted card and access to the smart card pass |
| sword, an adversary can connect to a network resource using | | word, an adversary can connect to a network resource using t |
| the infected system to proxy the authentication with the ins | | he infected system to proxy the authentication with the inse |
| erted hardware token. (Citation: Mandiant M Trends 2011) Ad | | rted hardware token. (Citation: Mandiant M Trends 2011) Adv |
| versaries may also employ a keylogger to similarly target ot | | ersaries may also employ a keylogger to similarly target oth |
| her hardware tokens, such as RSA SecurID. Capturing token in | | er hardware tokens, such as RSA SecurID. Capturing token inp |
| put (including a user's personal identification code) may pr | | ut (including a user's personal identification code) may pro |
| ovide temporary access (i.e. replay the one-time passcode un | | vide temporary access (i.e. replay the one-time passcode unt |
| til the next value rollover) as well as possibly enabling ad | | il the next value rollover) as well as possibly enabling adv |
| versaries to reliably predict future authentication values ( | | ersaries to reliably predict future authentication values (g |
| given access to both the algorithm and any seed values used | | iven access to both the algorithm and any seed values used t |
| to generate appended temporary codes). (Citation: GCN RSA Ju | | o generate appended temporary codes). (Citation: GCN RSA Jun |
| ne 2011) Other methods of MFA may be intercepted and used b | | e 2011) Other methods of MFA may be intercepted and used by |
| y an adversary to authenticate. It is common for one-time co | | an adversary to authenticate. It is common for one-time cod |
| des to be sent via out-of-band communications (email, SMS). | | es to be sent via out-of-band communications (email, SMS). I |
| If the device and/or service is not secured, then it may be | | f the device and/or service is not secured, then it may be v |
| vulnerable to interception. Although primarily focused on by | | ulnerable to interception. Service providers can also be tar |
| cyber criminals, these authentication mechanisms have been | | geted: for example, an adversary may compromise an SMS messa |
| targeted by advanced actors. (Citation: Operation Emmental) | | ging service in order to steal MFA codes sent to users’ phon |
| | | es.(Citation: Okta Scatter Swine 2022) |
Dropped Mitigations:
- T1111: Two-Factor Authentication Interception Mitigation
Details
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_system_requirements | ['Smart card Proxy: Use of smart cards for single or multifactor authentication to access to network resources. Attached smart card reader with card inserted.\n\nOut-of-band one-time code: Access to the device, service, or communications to intercept the one-time code.\n\nHardware token: Access to the seed and algorithm of generating one-time codes.'] | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-31 19:47:26.104000+00:00 | 2023-04-14 23:26:24.262000+00:00 |
| description | Adversaries may target multi-factor authentication (MFA) mechanisms, (I.e., smart cards, token generators, etc.) to gain access to credentials that can be used to access systems, services, and network resources. Use of MFA is recommended and provides a higher level of security than user names and passwords alone, but organizations should be aware of techniques that could be used to intercept and bypass these security mechanisms.
If a smart card is used for multi-factor authentication, then a keylogger will need to be used to obtain the password associated with a smart card during normal use. With both an inserted card and access to the smart card password, an adversary can connect to a network resource using the infected system to proxy the authentication with the inserted hardware token. (Citation: Mandiant M Trends 2011)
Adversaries may also employ a keylogger to similarly target other hardware tokens, such as RSA SecurID. Capturing token input (including a user's personal identification code) may provide temporary access (i.e. replay the one-time passcode until the next value rollover) as well as possibly enabling adversaries to reliably predict future authentication values (given access to both the algorithm and any seed values used to generate appended temporary codes). (Citation: GCN RSA June 2011)
Other methods of MFA may be intercepted and used by an adversary to authenticate. It is common for one-time codes to be sent via out-of-band communications (email, SMS). If the device and/or service is not secured, then it may be vulnerable to interception. Although primarily focused on by cyber criminals, these authentication mechanisms have been targeted by advanced actors. (Citation: Operation Emmental) | Adversaries may target multi-factor authentication (MFA) mechanisms, (i.e., smart cards, token generators, etc.) to gain access to credentials that can be used to access systems, services, and network resources. Use of MFA is recommended and provides a higher level of security than usernames and passwords alone, but organizations should be aware of techniques that could be used to intercept and bypass these security mechanisms.
If a smart card is used for multi-factor authentication, then a keylogger will need to be used to obtain the password associated with a smart card during normal use. With both an inserted card and access to the smart card password, an adversary can connect to a network resource using the infected system to proxy the authentication with the inserted hardware token. (Citation: Mandiant M Trends 2011)
Adversaries may also employ a keylogger to similarly target other hardware tokens, such as RSA SecurID. Capturing token input (including a user's personal identification code) may provide temporary access (i.e. replay the one-time passcode until the next value rollover) as well as possibly enabling adversaries to reliably predict future authentication values (given access to both the algorithm and any seed values used to generate appended temporary codes). (Citation: GCN RSA June 2011)
Other methods of MFA may be intercepted and used by an adversary to authenticate. It is common for one-time codes to be sent via out-of-band communications (email, SMS). If the device and/or service is not secured, then it may be vulnerable to interception. Service providers can also be targeted: for example, an adversary may compromise an SMS messaging service in order to steal MFA codes sent to users’ phones.(Citation: Okta Scatter Swine 2022) |
| external_references[3]['source_name'] | Operation Emmental | Okta Scatter Swine 2022 |
| external_references[3]['description'] | Sancho, D., Hacquebord, F., Link, R. (2014, July 22). Finding Holes Operation Emmental. Retrieved February 9, 2016. | Okta. (2022, August 25). Detecting Scatter Swine: Insights into a Relentless Phishing Campaign. Retrieved February 24, 2023. |
| external_references[3]['url'] | http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-finding-holes-operation-emmental.pdf | https://sec.okta.com/scatterswine |
| x_mitre_attack_spec_version | 3.0.0 | 3.1.0 |
| x_mitre_data_sources[0] | Process: OS API Execution | Windows Registry: Windows Registry Key Modification |
| x_mitre_data_sources[2] | Windows Registry: Windows Registry Key Modification | Process: OS API Execution |
| x_mitre_version | 2.0 | 2.1 |
[T1070.005] Indicator Removal: Network Share Connection Removal
Current version: 1.1
Version changed from: 1.0 → 1.1
Dropped Mitigations:
- T1126: Network Share Connection Removal Mitigation
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_permissions_required | ['Administrator', 'User'] | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-02-09 13:31:01.970000+00:00 | 2023-04-13 17:15:56.948000+00:00 |
| x_mitre_data_sources[0] | Process: Process Creation | User Account: User Account Authentication |
| x_mitre_data_sources[1] | Command: Command Execution | Process: Process Creation |
| x_mitre_data_sources[3] | User Account: User Account Authentication | Command: Command Execution |
| x_mitre_version | 1.0 | 1.1 |
[T1040] Network Sniffing
Current version: 1.4
Version changed from: 1.3 → 1.4
|
|
|---|
| t | Adversaries may sniff network traffic to capture information | t | Adversaries may sniff network traffic to capture information |
| about an environment, including authentication material pas | | about an environment, including authentication material pas |
| sed over the network. Network sniffing refers to using the n | | sed over the network. Network sniffing refers to using the n |
| etwork interface on a system to monitor or capture informati | | etwork interface on a system to monitor or capture informati |
| on sent over a wired or wireless connection. An adversary ma | | on sent over a wired or wireless connection. An adversary ma |
| y place a network interface into promiscuous mode to passive | | y place a network interface into promiscuous mode to passive |
| ly access data in transit over the network, or use span port | | ly access data in transit over the network, or use span port |
| s to capture a larger amount of data. Data captured via thi | | s to capture a larger amount of data. Data captured via thi |
| s technique may include user credentials, especially those s | | s technique may include user credentials, especially those s |
| ent over an insecure, unencrypted protocol. Techniques for n | | ent over an insecure, unencrypted protocol. Techniques for n |
| ame service resolution poisoning, such as [LLMNR/NBT-NS Pois | | ame service resolution poisoning, such as [LLMNR/NBT-NS Pois |
| oning and SMB Relay](https://attack.mitre.org/techniques/T15 | | oning and SMB Relay](https://attack.mitre.org/techniques/T15 |
| 57/001), can also be used to capture credentials to websites | | 57/001), can also be used to capture credentials to websites |
| , proxies, and internal systems by redirecting traffic to an | | , proxies, and internal systems by redirecting traffic to an |
| adversary. Network sniffing may also reveal configuration | | adversary. Network sniffing may also reveal configuration |
| details, such as running services, version numbers, and othe | | details, such as running services, version numbers, and othe |
| r network characteristics (e.g. IP addresses, hostnames, VLA | | r network characteristics (e.g. IP addresses, hostnames, VLA |
| N IDs) necessary for subsequent Lateral Movement and/or Defe | | N IDs) necessary for subsequent Lateral Movement and/or Defe |
| nse Evasion activities. In cloud-based environments, advers | | nse Evasion activities. In cloud-based environments, advers |
| aries may still be able to use traffic mirroring services to | | aries may still be able to use traffic mirroring services to |
| sniff network traffic from virtual machines. For example, A | | sniff network traffic from virtual machines. For example, A |
| WS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap a | | WS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap a |
| llow users to define specified instances to collect traffic | | llow users to define specified instances to collect traffic |
| from and specified targets to send collected traffic to.(Cit | | from and specified targets to send collected traffic to.(Cit |
| ation: AWS Traffic Mirroring) (Citation: GCP Packet Mirrorin | | ation: AWS Traffic Mirroring)(Citation: GCP Packet Mirroring |
| g) (Citation: Azure Virtual Network TAP) Often, much of this | | )(Citation: Azure Virtual Network TAP) Often, much of this t |
| traffic will be in cleartext due to the use of TLS terminat | | raffic will be in cleartext due to the use of TLS terminatio |
| ion at the load balancer level to reduce the strain of encry | | n at the load balancer level to reduce the strain of encrypt |
| pting and decrypting traffic.(Citation: Rhino Security Labs | | ing and decrypting traffic.(Citation: Rhino Security Labs AW |
| AWS VPC Traffic Mirroring) (Citation: SpecterOps AWS Traffic | | S VPC Traffic Mirroring)(Citation: SpecterOps AWS Traffic Mi |
| Mirroring) The adversary can then use exfiltration techniqu | | rroring) The adversary can then use exfiltration techniques |
| es such as Transfer Data to Cloud Account in order to access | | such as Transfer Data to Cloud Account in order to access th |
| the sniffed traffic. (Citation: Rhino Security Labs AWS VPC | | e sniffed traffic.(Citation: Rhino Security Labs AWS VPC Tra |
| Traffic Mirroring) | | ffic Mirroring) On network devices, adversaries may perform |
| | | network captures using [Network Device CLI](https://attack. |
| | | mitre.org/techniques/T1059/008) commands such as `monitor ca |
| | | pture`.(Citation: US-CERT-TA18-106A)(Citation: capture_embed |
| | | ded_packet_on_software) |
Dropped Mitigations:
- T1040: Network Sniffing Mitigation
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| external_references | | Spencer Gietzen. (2019, September 17). Abusing VPC Traffic Mirroring in AWS. Retrieved March 17, 2022. |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | CAPEC-158 | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-05-20 17:32:27.146000+00:00 | 2023-04-12 23:31:49.085000+00:00 |
| description | Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.
Network sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities.
In cloud-based environments, adversaries may still be able to use traffic mirroring services to sniff network traffic from virtual machines. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.(Citation: AWS Traffic Mirroring) (Citation: GCP Packet Mirroring) (Citation: Azure Virtual Network TAP) Often, much of this traffic will be in cleartext due to the use of TLS termination at the load balancer level to reduce the strain of encrypting and decrypting traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring) (Citation: SpecterOps AWS Traffic Mirroring) The adversary can then use exfiltration techniques such as Transfer Data to Cloud Account in order to access the sniffed traffic. (Citation: Rhino Security Labs AWS VPC Traffic Mirroring) | Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.
Network sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities.
In cloud-based environments, adversaries may still be able to use traffic mirroring services to sniff network traffic from virtual machines. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.(Citation: AWS Traffic Mirroring)(Citation: GCP Packet Mirroring)(Citation: Azure Virtual Network TAP) Often, much of this traffic will be in cleartext due to the use of TLS termination at the load balancer level to reduce the strain of encrypting and decrypting traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)(Citation: SpecterOps AWS Traffic Mirroring) The adversary can then use exfiltration techniques such as Transfer Data to Cloud Account in order to access the sniffed traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)
On network devices, adversaries may perform network captures using [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `monitor capture`.(Citation: US-CERT-TA18-106A)(Citation: capture_embedded_packet_on_software) |
| external_references[2]['source_name'] | GCP Packet Mirroring | capture_embedded_packet_on_software |
| external_references[2]['description'] | Google Cloud. (n.d.). Packet Mirroring overview. Retrieved March 17, 2022. | Cisco. (2022, August 17). Configure and Capture Embedded Packet on Software. Retrieved July 13, 2022. |
| external_references[2]['url'] | https://cloud.google.com/vpc/docs/packet-mirroring | https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-embedded-packet-capture/116045-productconfig-epc-00.html |
| external_references[3]['source_name'] | SpecterOps AWS Traffic Mirroring | GCP Packet Mirroring |
| external_references[3]['description'] | Luke Paine. (2020, March 11). Through the Looking Glass — Part 1. Retrieved March 17, 2022. | Google Cloud. (n.d.). Packet Mirroring overview. Retrieved March 17, 2022. |
| external_references[3]['url'] | https://posts.specterops.io/through-the-looking-glass-part-1-f539ae308512 | https://cloud.google.com/vpc/docs/packet-mirroring |
| external_references[4]['source_name'] | Azure Virtual Network TAP | SpecterOps AWS Traffic Mirroring |
| external_references[4]['description'] | Microsoft. (2022, February 9). Virtual network TAP. Retrieved March 17, 2022. | Luke Paine. (2020, March 11). Through the Looking Glass — Part 1. Retrieved March 17, 2022. |
| external_references[4]['url'] | https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-tap-overview | https://posts.specterops.io/through-the-looking-glass-part-1-f539ae308512 |
| external_references[5]['source_name'] | Rhino Security Labs AWS VPC Traffic Mirroring | Azure Virtual Network TAP |
| external_references[5]['description'] | Spencer Gietzen. (2019, September 17). Abusing VPC Traffic Mirroring in AWS. Retrieved March 17, 2022. | Microsoft. (2022, February 9). Virtual network TAP. Retrieved March 17, 2022. |
| external_references[5]['url'] | https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/ | https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-tap-overview |
| external_references[6]['source_name'] | capec | Rhino Security Labs AWS VPC Traffic Mirroring |
| external_references[6]['url'] | https://capec.mitre.org/data/definitions/158.html | https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/ |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_detection | Detecting the events leading up to sniffing network traffic may be the best method of detection. From the host level, an adversary would likely need to perform a [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) attack against other devices on a wired network in order to capture traffic that was not to or from the current compromised system. This change in the flow of information is detectable at the enclave network level. Monitor for ARP spoofing and gratuitous ARP broadcasts. Detecting compromised network devices is a bit more challenging. Auditing administrator logins, configuration changes, and device images is required to detect malicious changes.
In cloud-based environments, monitor for the creation of new traffic mirrors or modification of existing traffic mirrors. | Detecting the events leading up to sniffing network traffic may be the best method of detection. From the host level, an adversary would likely need to perform a [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) attack against other devices on a wired network in order to capture traffic that was not to or from the current compromised system. This change in the flow of information is detectable at the enclave network level. Monitor for ARP spoofing and gratuitous ARP broadcasts. Detecting compromised network devices is a bit more challenging. Auditing administrator logins, configuration changes, and device images is required to detect malicious changes.
In cloud-based environments, monitor for the creation of new traffic mirrors or modification of existing traffic mirrors. For network infrastructure devices, collect AAA logging to monitor for the capture of network traffic. |
| x_mitre_version | 1.3 | 1.4 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| external_references | | {'source_name': 'US-CERT-TA18-106A', 'description': 'US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.', 'url': 'https://www.us-cert.gov/ncas/alerts/TA18-106A'} |
| x_mitre_contributors | | Austin Clark, @c2defense |
[T1095] Non-Application Layer Protocol
Current version: 2.2
Version changed from: 2.1 → 2.2
|
|
|---|
| t | Adversaries may use a non-application layer protocol for com | t | Adversaries may use an OSI non-application layer protocol fo |
| munication between host and C2 server or among infected host | | r communication between host and C2 server or among infected |
| s within a network. The list of possible protocols is extens | | hosts within a network. The list of possible protocols is e |
| ive.(Citation: Wikipedia OSI) Specific examples include use | | xtensive.(Citation: Wikipedia OSI) Specific examples include |
| of network layer protocols, such as the Internet Control Mes | | use of network layer protocols, such as the Internet Contro |
| sage Protocol (ICMP), transport layer protocols, such as the | | l Message Protocol (ICMP), transport layer protocols, such a |
| User Datagram Protocol (UDP), session layer protocols, such | | s the User Datagram Protocol (UDP), session layer protocols, |
| as Socket Secure (SOCKS), as well as redirected/tunneled pr | | such as Socket Secure (SOCKS), as well as redirected/tunnel |
| otocols, such as Serial over LAN (SOL). ICMP communication | | ed protocols, such as Serial over LAN (SOL). ICMP communica |
| between hosts is one example.(Citation: Cisco Synful Knock E | | tion between hosts is one example.(Citation: Cisco Synful Kn |
| volution) Because ICMP is part of the Internet Protocol Suit | | ock Evolution) Because ICMP is part of the Internet Protocol |
| e, it is required to be implemented by all IP-compatible hos | | Suite, it is required to be implemented by all IP-compatibl |
| ts.(Citation: Microsoft ICMP) However, it is not as commonly | | e hosts.(Citation: Microsoft ICMP) However, it is not as com |
| monitored as other Internet Protocols such as TCP or UDP an | | monly monitored as other Internet Protocols such as TCP or U |
| d may be used by adversaries to hide communications. | | DP and may be used by adversaries to hide communications. |
Dropped Mitigations:
- T1095: Standard Non-Application Layer Protocol Mitigation
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-02-17 15:38:54.578000+00:00 | 2023-04-20 19:11:53.499000+00:00 |
| description | Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
ICMP communication between hosts is one example.(Citation: Cisco Synful Knock Evolution) Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts.(Citation: Microsoft ICMP) However, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications. | Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
ICMP communication between hosts is one example.(Citation: Cisco Synful Knock Evolution) Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts.(Citation: Microsoft ICMP) However, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications. |
| external_references[1]['source_name'] | Wikipedia OSI | University of Birmingham C2 |
| external_references[1]['description'] | Wikipedia. (n.d.). List of network protocols (OSI model). Retrieved December 4, 2014. | Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. |
| external_references[1]['url'] | http://en.wikipedia.org/wiki/List_of_network_protocols_%28OSI_model%29 | https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf |
| external_references[5]['source_name'] | University of Birmingham C2 | Wikipedia OSI |
| external_references[5]['description'] | Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. | Wikipedia. (n.d.). List of network protocols (OSI model). Retrieved December 4, 2014. |
| external_references[5]['url'] | https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf | http://en.wikipedia.org/wiki/List_of_network_protocols_%28OSI_model%29 |
| x_mitre_version | 2.1 | 2.2 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_contributors | | Duane Michael |
[T1571] Non-Standard Port
Current version: 1.1
Version changed from: 1.0 → 1.1
|
|
|---|
| t | Adversaries may communicate using a protocol and port paring | t | Adversaries may communicate using a protocol and port pairin |
| that are typically not associated. For example, HTTPS over | | g that are typically not associated. For example, HTTPS over |
| port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Cit | | port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Ci |
| ation: Fortinet Agent Tesla April 2018) as opposed to the tr | | tation: Fortinet Agent Tesla April 2018) as opposed to the t |
| aditional port 443. Adversaries may make changes to the stan | | raditional port 443. Adversaries may make changes to the sta |
| dard port used by a protocol to bypass filtering or muddle a | | ndard port used by a protocol to bypass filtering or muddle |
| nalysis/parsing of network data. | | analysis/parsing of network data. Adversaries may also make |
| | | changes to victim systems to abuse non-standard ports. For |
| | | example, Registry keys and other configuration settings can |
| | | be used to modify protocol and port pairings.(Citation: chan |
| | | ge_rdp_port_conti) |
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2020-03-26 22:02:25.221000+00:00 | 2023-02-28 22:28:35.202000+00:00 |
| description | Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data. | Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Adversaries may also make changes to victim systems to abuse non-standard ports. For example, Registry keys and other configuration settings can be used to modify protocol and port pairings.(Citation: change_rdp_port_conti) |
| external_references[1]['source_name'] | Symantec Elfin Mar 2019 | University of Birmingham C2 |
| external_references[1]['description'] | Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019. | Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. |
| external_references[1]['url'] | https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage | https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf |
| external_references[2]['source_name'] | Fortinet Agent Tesla April 2018 | Symantec Elfin Mar 2019 |
| external_references[2]['description'] | Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware Variant. Retrieved November 5, 2018. | Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019. |
| external_references[2]['url'] | https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html | https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage |
| external_references[3]['source_name'] | University of Birmingham C2 | change_rdp_port_conti |
| external_references[3]['description'] | Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. | The DFIR Report. (2022, March 1). "Change RDP port" #ContiLeaks. Retrieved March 1, 2022. |
| external_references[3]['url'] | https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf | https://twitter.com/TheDFIRReport/status/1498657772254240768 |
| x_mitre_version | 1.0 | 1.1 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| external_references | | {'source_name': 'Fortinet Agent Tesla April 2018', 'description': 'Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware Variant. Retrieved November 5, 2018.', 'url': 'https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html'} |
[T1027] Obfuscated Files or Information
Current version: 1.4
Version changed from: 1.3 → 1.4
|
|
|---|
| t | Adversaries may attempt to make an executable or file diffic | t | Adversaries may attempt to make an executable or file diffic |
| ult to discover or analyze by encrypting, encoding, or other | | ult to discover or analyze by encrypting, encoding, or other |
| wise obfuscating its contents on the system or in transit. T | | wise obfuscating its contents on the system or in transit. T |
| his is common behavior that can be used across different pla | | his is common behavior that can be used across different pla |
| tforms and the network to evade defenses. Payloads may be | | tforms and the network to evade defenses. Payloads may be |
| compressed, archived, or encrypted in order to avoid detecti | | compressed, archived, or encrypted in order to avoid detecti |
| on. These payloads may be used during Initial Access or late | | on. These payloads may be used during Initial Access or late |
| r to mitigate detection. Sometimes a user's action may be re | | r to mitigate detection. Sometimes a user's action may be re |
| quired to open and [Deobfuscate/Decode Files or Information] | | quired to open and [Deobfuscate/Decode Files or Information] |
| (https://attack.mitre.org/techniques/T1140) for [User Execut | | (https://attack.mitre.org/techniques/T1140) for [User Execut |
| ion](https://attack.mitre.org/techniques/T1204). The user ma | | ion](https://attack.mitre.org/techniques/T1204). The user ma |
| y also be required to input a password to open a password pr | | y also be required to input a password to open a password pr |
| otected compressed/encrypted file that was provided by the a | | otected compressed/encrypted file that was provided by the a |
| dversary. (Citation: Volexity PowerDuke November 2016) Adver | | dversary. (Citation: Volexity PowerDuke November 2016) Adver |
| saries may also use compressed or archived scripts, such as | | saries may also use compressed or archived scripts, such as |
| JavaScript. Portions of files can also be encoded to hide | | JavaScript. Portions of files can also be encoded to hide |
| the plain-text strings that would otherwise help defenders w | | the plain-text strings that would otherwise help defenders w |
| ith discovery. (Citation: Linux/Cdorked.A We Live Security A | | ith discovery. (Citation: Linux/Cdorked.A We Live Security A |
| nalysis) Payloads may also be split into separate, seemingly | | nalysis) Payloads may also be split into separate, seemingly |
| benign files that only reveal malicious functionality when | | benign files that only reveal malicious functionality when |
| reassembled. (Citation: Carbon Black Obfuscation Sept 2016) | | reassembled. (Citation: Carbon Black Obfuscation Sept 2016) |
| Adversaries may also obfuscate commands executed from paylo | | Adversaries may also abuse [Command Obfuscation](https://at |
| ads or directly via a [Command and Scripting Interpreter](ht | | tack.mitre.org/techniques/T1027/010) to obscure commands exe |
| tps://attack.mitre.org/techniques/T1059). Environment variab | | cuted from payloads or directly via [Command and Scripting I |
| les, aliases, characters, and other platform/language specif | | nterpreter](https://attack.mitre.org/techniques/T1059). Envi |
| ic semantics can be used to evade signature based detections | | ronment variables, aliases, characters, and other platform/l |
| and application control mechanisms. (Citation: FireEye Obfu | | anguage specific semantics can be used to evade signature ba |
| scation June 2017) (Citation: FireEye Revoke-Obfuscation Jul | | sed detections and application control mechanisms. (Citation |
| y 2017)(Citation: PaloAlto EncodedCommand March 2017) | | : FireEye Obfuscation June 2017) (Citation: FireEye Revoke-O |
| | | bfuscation July 2017)(Citation: PaloAlto EncodedCommand Marc |
| | | h 2017) |
New Mitigations:
New Detections:
- DS0005: WMI (WMI Creation)
- DS0012: Script (Script Execution)
- DS0024: Windows Registry (Windows Registry Key Creation)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-09-30 18:06:32.808000+00:00 | 2023-03-30 21:01:43.857000+00:00 |
| description | Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) for [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also use compressed or archived scripts, such as JavaScript.
Portions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. (Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016)
Adversaries may also obfuscate commands executed from payloads or directly via a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017)(Citation: PaloAlto EncodedCommand March 2017) | Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) for [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also use compressed or archived scripts, such as JavaScript.
Portions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. (Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016)
Adversaries may also abuse [Command Obfuscation](https://attack.mitre.org/techniques/T1027/010) to obscure commands executed from payloads or directly via [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017)(Citation: PaloAlto EncodedCommand March 2017) |
| external_references[3]['url'] | https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html | https://web.archive.org/web/20170923102302/https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_data_sources[0] | Process: OS API Execution | Windows Registry: Windows Registry Key Creation |
| x_mitre_data_sources[1] | Command: Command Execution | Module: Module Load |
| x_mitre_data_sources[2] | File: File Creation | Script: Script Execution |
| x_mitre_data_sources[3] | Module: Module Load | Command: Command Execution |
| x_mitre_version | 1.3 | 1.4 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | | Process: OS API Execution |
| x_mitre_data_sources | | WMI: WMI Creation |
| x_mitre_data_sources | | File: File Creation |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/267.html', 'external_id': 'CAPEC-267'} | |
[T1110.001] Brute Force: Password Guessing
Current version: 1.4
Version changed from: 1.3 → 1.4
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-07-22 18:37:22.173000+00:00 | 2023-04-14 23:04:08.394000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_data_sources[0] | User Account: User Account Authentication | Application Log: Application Log Content |
| x_mitre_data_sources[1] | Application Log: Application Log Content | User Account: User Account Authentication |
| x_mitre_version | 1.3 | 1.4 |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/49.html', 'external_id': 'CAPEC-49'} | |
[T1110.003] Brute Force: Password Spraying
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
| external_references | | Metcalf, S. (2018, May 6). Trimarc Research: Detecting Password Spraying with Security Event Auditing. Retrieved January 16, 2019. |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_permissions_required | ['User'] | |
| external_references | CAPEC-565 | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-04-06 12:32:47.678000+00:00 | 2023-04-14 23:04:38.816000+00:00 |
| external_references[1]['source_name'] | capec | Trimarc Detecting Password Spraying |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/565.html | https://www.trimarcsecurity.com/single-post/2018/05/06/Trimarc-Research-Detecting-Password-Spraying-with-Security-Event-Auditing |
| x_mitre_version | 1.2 | 1.3 |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'Trimarc Detecting Password Spraying', 'description': 'Metcalf, S. (2018, May 6). Trimarc Research: Detecting Password Spraying with Security Event Auditing. Retrieved January 16, 2019.', 'url': 'https://www.trimarcsecurity.com/single-post/2018/05/06/Trimarc-Research-Detecting-Password-Spraying-with-Security-Event-Auditing'} | |
[T1069] Permission Groups Discovery
Current version: 2.5
Version changed from: 2.4 → 2.5
|
|
|---|
| t | Adversaries may attempt to find group and permission setting | t | Adversaries may attempt to discover group and permission set |
| s. This information can help adversaries determine which use | | tings. This information can help adversaries determine which |
| r accounts and groups are available, the membership of users | | user accounts and groups are available, the membership of u |
| in particular groups, and which users and groups have eleva | | sers in particular groups, and which users and groups have e |
| ted permissions. | | levated permissions. Adversaries may attempt to discover gr |
| | | oup permission settings in many different ways. This data ma |
| | | y provide the adversary with information about the compromis |
| | | ed environment that can be used in follow-on activity and ta |
| | | rgeting.(Citation: CrowdStrike BloodHound April 2018) |
Dropped Mitigations:
- T1069: Permission Groups Discovery Mitigation
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
| external_references | | Kubernetes. (n.d.). Authorization Overview. Retrieved June 24, 2021. |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_permissions_required | ['User'] | |
| external_references | CAPEC-576 | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-10-15 18:10:53.423000+00:00 | 2023-04-15 17:26:53.365000+00:00 |
| description | Adversaries may attempt to find group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions. | Adversaries may attempt to discover group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions.
Adversaries may attempt to discover group permission settings in many different ways. This data may provide the adversary with information about the compromised environment that can be used in follow-on activity and targeting.(Citation: CrowdStrike BloodHound April 2018) |
| external_references[1]['source_name'] | capec | K8s Authorization Overview |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/576.html | https://kubernetes.io/docs/reference/access-authn-authz/authorization/ |
| external_references[2]['source_name'] | K8s Authorization Overview | CrowdStrike BloodHound April 2018 |
| external_references[2]['description'] | Kubernetes. (n.d.). Authorization Overview. Retrieved June 24, 2021. | Red Team Labs. (2018, April 24). Hidden Administrative Accounts: BloodHound to the Rescue. Retrieved October 28, 2020. |
| external_references[2]['url'] | https://kubernetes.io/docs/reference/access-authn-authz/authorization/ | https://www.crowdstrike.com/blog/hidden-administrative-accounts-bloodhound-to-the-rescue/ |
| x_mitre_data_sources[0] | Group: Group Enumeration | Command: Command Execution |
| x_mitre_data_sources[1] | Application Log: Application Log Content | Group: Group Enumeration |
| x_mitre_data_sources[3] | Group: Group Metadata | Application Log: Application Log Content |
| x_mitre_data_sources[4] | Command: Command Execution | Group: Group Metadata |
| x_mitre_version | 2.4 | 2.5 |
[T1566] Phishing
Current version: 2.3
Version changed from: 2.2 → 2.3
|
|
|---|
| t | Adversaries may send phishing messages to gain access to vic | t | Adversaries may send phishing messages to gain access to vic |
| tim systems. All forms of phishing are electronically delive | | tim systems. All forms of phishing are electronically delive |
| red social engineering. Phishing can be targeted, known as s | | red social engineering. Phishing can be targeted, known as s |
| pearphishing. In spearphishing, a specific individual, compa | | pearphishing. In spearphishing, a specific individual, compa |
| ny, or industry will be targeted by the adversary. More gene | | ny, or industry will be targeted by the adversary. More gene |
| rally, adversaries can conduct non-targeted phishing, such a | | rally, adversaries can conduct non-targeted phishing, such a |
| s in mass malware spam campaigns. Adversaries may send vict | | s in mass malware spam campaigns. Adversaries may send vict |
| ims emails containing malicious attachments or links, typica | | ims emails containing malicious attachments or links, typica |
| lly to execute malicious code on victim systems. Phishing ma | | lly to execute malicious code on victim systems. Phishing ma |
| y also be conducted via third-party services, like social me | | y also be conducted via third-party services, like social me |
| dia platforms. Phishing may also involve social engineering | | dia platforms. Phishing may also involve social engineering |
| techniques, such as posing as a trusted source. | | techniques, such as posing as a trusted source, as well as e |
| | | vasive techniques such as removing or manipulating emails or |
| | | metadata/headers from compromised accounts being abused to |
| | | send messages (e.g., [Email Hiding Rules](https://attack.mit |
| | | re.org/techniques/T1564/008)).(Citation: Microsoft OAuth Spa |
| | | m 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014) An |
| | | other way to accomplish this is by forging or spoofing(Citat |
| | | ion: Proofpoint-spoof) the identity of the sender which can |
| | | be used to fool both the human recipient as well as automate |
| | | d security tools.(Citation: cyberproof-double-bounce) Vict |
| | | ims may also receive phishing messages that instruct them to |
| | | call a phone number where they are directed to visit a mali |
| | | cious URL, download malware,(Citation: sygnia Luna Month)(Ci |
| | | tation: CISA Remote Monitoring and Management Software) or i |
| | | nstall adversary-accessible remote management tools onto the |
| | | ir computer (i.e., [User Execution](https://attack.mitre.org |
| | | /techniques/T1204)).(Citation: Unit42 Luna Moth) |
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
| external_references | | Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020. |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | CAPEC-98 | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-01-04 13:57:16.959000+00:00 | 2023-04-14 17:42:15.871000+00:00 |
| description | Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.
Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source. | Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.
Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source, as well as evasive techniques such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation: Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014) Another way to accomplish this is by forging or spoofing(Citation: Proofpoint-spoof) the identity of the sender which can be used to fool both the human recipient as well as automated security tools.(Citation: cyberproof-double-bounce)
Victims may also receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware,(Citation: sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software) or install adversary-accessible remote management tools onto their computer (i.e., [User Execution](https://attack.mitre.org/techniques/T1204)).(Citation: Unit42 Luna Moth) |
| external_references[1]['source_name'] | capec | ACSC Email Spoofing |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/98.html | https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf |
| external_references[2]['source_name'] | Microsoft Anti Spoofing | CISA Remote Monitoring and Management Software |
| external_references[2]['description'] | Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020. | CISA. (n.d.). Protecting Against Malicious Use of Remote Monitoring and Management Software. Retrieved February 2, 2023. |
| external_references[2]['url'] | https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide | https://www.cisa.gov/uscert/ncas/alerts/aa23-025a |
| external_references[3]['source_name'] | ACSC Email Spoofing | cyberproof-double-bounce |
| external_references[3]['description'] | Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020. | Itkin, Liora. (2022, September 1). Double-bounced attacks with email spoofing . Retrieved February 24, 2023. |
| external_references[3]['url'] | https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf | https://blog.cyberproof.com/blog/double-bounced-attacks-with-email-spoofing-2022-trends |
| x_mitre_version | 2.2 | 2.3 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| external_references | | {'source_name': 'Unit42 Luna Moth', 'description': 'Kristopher Russo. (n.d.). Luna Moth Callback Phishing Campaign. Retrieved February 2, 2023.', 'url': 'https://unit42.paloaltonetworks.com/luna-moth-callback-phishing/'} |
| external_references | | {'source_name': 'Microsoft Anti Spoofing', 'description': 'Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020.', 'url': 'https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide'} |
| external_references | | {'source_name': 'Microsoft OAuth Spam 2022', 'description': 'Microsoft. (2023, September 22). Malicious OAuth applications abuse cloud email services to spread spam. Retrieved March 13, 2023.', 'url': 'https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/'} |
| external_references | | {'source_name': 'sygnia Luna Month', 'description': 'Oren Biderman, Tomer Lahiyani, Noam Lifshitz, Ori Porag. (n.d.). LUNA MOTH: THE THREAT ACTORS BEHIND RECENT FALSE SUBSCRIPTION SCAMS. Retrieved February 2, 2023.', 'url': 'https://blog.sygnia.co/luna-moth-false-subscription-scams'} |
| external_references | | {'source_name': 'Proofpoint-spoof', 'description': 'Proofpoint. (n.d.). What Is Email Spoofing?. Retrieved February 24, 2023.', 'url': 'https://www.proofpoint.com/us/threat-reference/email-spoofing'} |
| external_references | | {'source_name': 'Palo Alto Unit 42 VBA Infostealer 2014', 'description': 'Vicky Ray and Rob Downs. (2014, October 29). Examining a VBA-Initiated Infostealer Campaign. Retrieved March 13, 2023.', 'url': 'https://unit42.paloaltonetworks.com/examining-vba-initiated-infostealer-campaign/'} |
| x_mitre_contributors | | Ohad Zaidenberg, @ohad_mz |
| x_mitre_contributors | | Liora Itkin |
| x_mitre_contributors | | Liran Ravich, CardinalOps |
| x_mitre_contributors | | Scott Cook, Capital One |
| x_mitre_data_sources | | Application Log: Application Log Content |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | Application Log: Application Log Content | |
[T1598] Phishing for Information
Current version: 1.2
Version changed from: 1.1 → 1.2
|
|
|---|
| t | Adversaries may send phishing messages to elicit sensitive i | t | Adversaries may send phishing messages to elicit sensitive i |
| nformation that can be used during targeting. Phishing for i | | nformation that can be used during targeting. Phishing for i |
| nformation is an attempt to trick targets into divulging inf | | nformation is an attempt to trick targets into divulging inf |
| ormation, frequently credentials or other actionable informa | | ormation, frequently credentials or other actionable informa |
| tion. Phishing for information is different from [Phishing]( | | tion. Phishing for information is different from [Phishing]( |
| https://attack.mitre.org/techniques/T1566) in that the objec | | https://attack.mitre.org/techniques/T1566) in that the objec |
| tive is gathering data from the victim rather than executing | | tive is gathering data from the victim rather than executing |
| malicious code. All forms of phishing are electronically d | | malicious code. All forms of phishing are electronically d |
| elivered social engineering. Phishing can be targeted, known | | elivered social engineering. Phishing can be targeted, known |
| as spearphishing. In spearphishing, a specific individual, | | as spearphishing. In spearphishing, a specific individual, |
| company, or industry will be targeted by the adversary. More | | company, or industry will be targeted by the adversary. More |
| generally, adversaries can conduct non-targeted phishing, s | | generally, adversaries can conduct non-targeted phishing, s |
| uch as in mass credential harvesting campaigns. Adversaries | | uch as in mass credential harvesting campaigns. Adversaries |
| may also try to obtain information directly through the exc | | may also try to obtain information directly through the exc |
| hange of emails, instant messages, or other electronic conve | | hange of emails, instant messages, or other electronic conve |
| rsation means.(Citation: ThreatPost Social Media Phishing)(C | | rsation means.(Citation: ThreatPost Social Media Phishing)(C |
| itation: TrendMictro Phishing)(Citation: PCMag FakeLogin)(Ci | | itation: TrendMictro Phishing)(Citation: PCMag FakeLogin)(Ci |
| tation: Sophos Attachment)(Citation: GitHub Phishery) Phishi | | tation: Sophos Attachment)(Citation: GitHub Phishery) Victim |
| ng for information frequently involves social engineering te | | s may also receive phishing messages that direct them to cal |
| chniques, such as posing as a source with a reason to collec | | l a phone number where the adversary attempts to collect con |
| t information (ex: [Establish Accounts](https://attack.mitre | | fidential information.(Citation: Avertium callback phishing) |
| .org/techniques/T1585) or [Compromise Accounts](https://atta | | Phishing for information frequently involves social engine |
| ck.mitre.org/techniques/T1586)) and/or sending multiple, see | | ering techniques, such as posing as a source with a reason t |
| mingly urgent messages. | | o collect information (ex: [Establish Accounts](https://atta |
| | | ck.mitre.org/techniques/T1585) or [Compromise Accounts](http |
| | | s://attack.mitre.org/techniques/T1586)) and/or sending multi |
| | | ple, seemingly urgent messages. Another way to accomplish th |
| | | is is by forging or spoofing(Citation: Proofpoint-spoof) the |
| | | identity of the sender which can be used to fool both the h |
| | | uman recipient as well as automated security tools.(Citation |
| | | : cyberproof-double-bounce) Phishing for information may a |
| | | lso involve evasive techniques, such as removing or manipula |
| | | ting emails or metadata/headers from compromised accounts be |
| | | ing abused to send messages (e.g., [Email Hiding Rules](http |
| | | s://attack.mitre.org/techniques/T1564/008)).(Citation: Micro |
| | | soft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infost |
| | | ealer 2014) |
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-03-08 21:57:56.078000+00:00 | 2023-04-14 17:42:38.063000+00:00 |
| description | Adversaries may send phishing messages to elicit sensitive information that can be used during targeting. Phishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Phishing for information is different from [Phishing](https://attack.mitre.org/techniques/T1566) in that the objective is gathering data from the victim rather than executing malicious code.
All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass credential harvesting campaigns.
Adversaries may also try to obtain information directly through the exchange of emails, instant messages, or other electronic conversation means.(Citation: ThreatPost Social Media Phishing)(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin)(Citation: Sophos Attachment)(Citation: GitHub Phishery) Phishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages. | Adversaries may send phishing messages to elicit sensitive information that can be used during targeting. Phishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Phishing for information is different from [Phishing](https://attack.mitre.org/techniques/T1566) in that the objective is gathering data from the victim rather than executing malicious code.
All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass credential harvesting campaigns.
Adversaries may also try to obtain information directly through the exchange of emails, instant messages, or other electronic conversation means.(Citation: ThreatPost Social Media Phishing)(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin)(Citation: Sophos Attachment)(Citation: GitHub Phishery) Victims may also receive phishing messages that direct them to call a phone number where the adversary attempts to collect confidential information.(Citation: Avertium callback phishing)
Phishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages. Another way to accomplish this is by forging or spoofing(Citation: Proofpoint-spoof) the identity of the sender which can be used to fool both the human recipient as well as automated security tools.(Citation: cyberproof-double-bounce)
Phishing for information may also involve evasive techniques, such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation: Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014) |
| external_references[1]['source_name'] | ThreatPost Social Media Phishing | ACSC Email Spoofing |
| external_references[1]['description'] | O'Donnell, L. (2020, October 20). Facebook: A Top Launching Pad For Phishing Attacks. Retrieved October 20, 2020. | Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020. |
| external_references[1]['url'] | https://threatpost.com/facebook-launching-pad-phishing-attacks/160351/ | https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf |
| external_references[2]['source_name'] | TrendMictro Phishing | Avertium callback phishing |
| external_references[2]['description'] | Babon, P. (2020, September 3). Tricky 'Forms' of Phishing. Retrieved October 20, 2020. | Avertium. (n.d.). EVERYTHING YOU NEED TO KNOW ABOUT CALLBACK PHISHING. Retrieved February 2, 2023. |
| external_references[2]['url'] | https://www.trendmicro.com/en_us/research/20/i/tricky-forms-of-phishing.html | https://www.avertium.com/resources/threat-reports/everything-you-need-to-know-about-callback-phishing |
| external_references[3]['source_name'] | PCMag FakeLogin | TrendMictro Phishing |
| external_references[3]['description'] | Kan, M. (2019, October 24). Hackers Try to Phish United Nations Staffers With Fake Login Pages. Retrieved October 20, 2020. | Babon, P. (2020, September 3). Tricky 'Forms' of Phishing. Retrieved October 20, 2020. |
| external_references[3]['url'] | https://www.pcmag.com/news/hackers-try-to-phish-united-nations-staffers-with-fake-login-pages | https://www.trendmicro.com/en_us/research/20/i/tricky-forms-of-phishing.html |
| external_references[5]['source_name'] | GitHub Phishery | cyberproof-double-bounce |
| external_references[5]['description'] | Ryan Hanson. (2016, September 24). phishery. Retrieved October 23, 2020. | Itkin, Liora. (2022, September 1). Double-bounced attacks with email spoofing . Retrieved February 24, 2023. |
| external_references[5]['url'] | https://github.com/ryhanson/phishery | https://blog.cyberproof.com/blog/double-bounced-attacks-with-email-spoofing-2022-trends |
| external_references[6]['source_name'] | Microsoft Anti Spoofing | PCMag FakeLogin |
| external_references[6]['description'] | Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020. | Kan, M. (2019, October 24). Hackers Try to Phish United Nations Staffers With Fake Login Pages. Retrieved October 20, 2020. |
| external_references[6]['url'] | https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide | https://www.pcmag.com/news/hackers-try-to-phish-united-nations-staffers-with-fake-login-pages |
| external_references[7]['source_name'] | ACSC Email Spoofing | Microsoft Anti Spoofing |
| external_references[7]['description'] | Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020. | Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020. |
| external_references[7]['url'] | https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf | https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide |
| x_mitre_version | 1.1 | 1.2 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| external_references | | {'source_name': 'Microsoft OAuth Spam 2022', 'description': 'Microsoft. (2023, September 22). Malicious OAuth applications abuse cloud email services to spread spam. Retrieved March 13, 2023.', 'url': 'https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/'} |
| external_references | | {'source_name': 'ThreatPost Social Media Phishing', 'description': "O'Donnell, L. (2020, October 20). Facebook: A Top Launching Pad For Phishing Attacks. Retrieved October 20, 2020.", 'url': 'https://threatpost.com/facebook-launching-pad-phishing-attacks/160351/'} |
| external_references | | {'source_name': 'Proofpoint-spoof', 'description': 'Proofpoint. (n.d.). What Is Email Spoofing?. Retrieved February 24, 2023.', 'url': 'https://www.proofpoint.com/us/threat-reference/email-spoofing'} |
| external_references | | {'source_name': 'GitHub Phishery', 'description': 'Ryan Hanson. (2016, September 24). phishery. Retrieved October 23, 2020.', 'url': 'https://github.com/ryhanson/phishery'} |
| external_references | | {'source_name': 'Palo Alto Unit 42 VBA Infostealer 2014', 'description': 'Vicky Ray and Rob Downs. (2014, October 29). Examining a VBA-Initiated Infostealer Campaign. Retrieved March 13, 2023.', 'url': 'https://unit42.paloaltonetworks.com/examining-vba-initiated-infostealer-campaign/'} |
| x_mitre_contributors | | Ohad Zaidenberg, @ohad_mz |
| x_mitre_contributors | | Liora Itkin |
| x_mitre_contributors | | Liran Ravich, CardinalOps |
| x_mitre_contributors | | Scott Cook, Capital One |
| x_mitre_data_sources | | Network Traffic: Network Traffic Flow |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | Network Traffic: Network Traffic Flow | |
[T1059.001] Command and Scripting Interpreter: PowerShell
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-19 20:25:48.646000+00:00 | 2023-03-27 17:19:48.136000+00:00 |
| external_references[2]['url'] | https://silentbreaksecurity.com/powershell-jobs-without-powershell-exe/ | https://web.archive.org/web/20190508170150/https://silentbreaksecurity.com/powershell-jobs-without-powershell-exe/ |
| external_references[8]['url'] | http://www.sixdub.net/?p=367 | https://web.archive.org/web/20160327101330/http://www.sixdub.net/?p=367 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_data_sources[0] | Script: Script Execution | Process: Process Creation |
| x_mitre_data_sources[2] | Process: Process Metadata | Module: Module Load |
| x_mitre_data_sources[3] | Process: Process Creation | Script: Script Execution |
| x_mitre_data_sources[4] | Module: Module Load | Process: Process Metadata |
| x_mitre_version | 1.2 | 1.3 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_contributors | | Ross Brittain |
[T1552.004] Unsecured Credentials: Private Keys
Current version: 1.1
Version changed from: 1.0 → 1.1
|
|
|---|
| t | Adversaries may search for private key certificate files on | t | Adversaries may search for private key certificate files on |
| compromised systems for insecurely stored credentials. Priva | | compromised systems for insecurely stored credentials. Priva |
| te cryptographic keys and certificates are used for authenti | | te cryptographic keys and certificates are used for authenti |
| cation, encryption/decryption, and digital signatures.(Citat | | cation, encryption/decryption, and digital signatures.(Citat |
| ion: Wikipedia Public Key Crypto) Common key and certificate | | ion: Wikipedia Public Key Crypto) Common key and certificate |
| file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pe | | file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pe |
| m, .pfx, .cer, .p7b, .asc. Adversaries may also look in co | | m, .pfx, .cer, .p7b, .asc. Adversaries may also look in co |
| mmon key directories, such as <code>~/.ssh</code> for SSH ke | | mmon key directories, such as <code>~/.ssh</code> for SSH ke |
| ys on * nix-based systems or <code>C:\Users\(usernam | | ys on * nix-based systems or <code>C:\Users\(usernam |
| e)\.ssh\</code> on Windows. These private keys can b | | e)\.ssh\</code> on Windows. Adversary tools may also |
| e used to authenticate to [Remote Services](https://attack.m | | search compromised systems for file extensions relating to |
| itre.org/techniques/T1021) like SSH or for use in decrypting | | cryptographic keys and certificates.(Citation: Kaspersky Car |
| other collected files such as email. Adversary tools have | | eto)(Citation: Palo Alto Prince of Persia) When a device is |
| been discovered that search compromised systems for file ext | | registered to Azure AD, a device key and a transport key ar |
| ensions relating to cryptographic keys and certificates.(Cit | | e generated and used to verify the device’s identity.(Citati |
| ation: Kaspersky Careto)(Citation: Palo Alto Prince of Persi | | on: Microsoft Primary Refresh Token) An adversary with acces |
| a) Some private keys require a password or passphrase for o | | s to the device may be able to export the keys in order to i |
| peration, so an adversary may also use [Input Capture](https | | mpersonate the device.(Citation: AADInternals Azure AD Devic |
| ://attack.mitre.org/techniques/T1056) for keylogging or atte | | e Identities) On network devices, private keys may be expor |
| mpt to [Brute Force](https://attack.mitre.org/techniques/T11 | | ted via [Network Device CLI](https://attack.mitre.org/techni |
| 10) the passphrase off-line. | | ques/T1059/008) commands such as `crypto pki export`.(Citati |
| | | on: cisco_deploy_rsa_keys) Some private keys require a pas |
| | | sword or passphrase for operation, so an adversary may also |
| | | use [Input Capture](https://attack.mitre.org/techniques/T105 |
| | | 6) for keylogging or attempt to [Brute Force](https://attack |
| | | .mitre.org/techniques/T1110) the passphrase off-line. These |
| | | private keys can be used to authenticate to [Remote Services |
| | | ](https://attack.mitre.org/techniques/T1021) like SSH or for |
| | | use in decrypting other collected files such as email. |
Dropped Mitigations:
- T1145: Private Keys Mitigation
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_permissions_required | ['User'] | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2020-03-29 21:36:36.613000+00:00 | 2023-04-12 23:52:08.194000+00:00 |
| description | Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures.(Citation: Wikipedia Public Key Crypto) Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, .pfx, .cer, .p7b, .asc.
Adversaries may also look in common key directories, such as ~/.ssh for SSH keys on * nix-based systems or C:\Users\(username)\.ssh\ on Windows. These private keys can be used to authenticate to [Remote Services](https://attack.mitre.org/techniques/T1021) like SSH or for use in decrypting other collected files such as email.
Adversary tools have been discovered that search compromised systems for file extensions relating to cryptographic keys and certificates.(Citation: Kaspersky Careto)(Citation: Palo Alto Prince of Persia)
Some private keys require a password or passphrase for operation, so an adversary may also use [Input Capture](https://attack.mitre.org/techniques/T1056) for keylogging or attempt to [Brute Force](https://attack.mitre.org/techniques/T1110) the passphrase off-line. | Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures.(Citation: Wikipedia Public Key Crypto) Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, .pfx, .cer, .p7b, .asc.
Adversaries may also look in common key directories, such as ~/.ssh for SSH keys on * nix-based systems or C:\Users\(username)\.ssh\ on Windows. Adversary tools may also search compromised systems for file extensions relating to cryptographic keys and certificates.(Citation: Kaspersky Careto)(Citation: Palo Alto Prince of Persia)
When a device is registered to Azure AD, a device key and a transport key are generated and used to verify the device’s identity.(Citation: Microsoft Primary Refresh Token) An adversary with access to the device may be able to export the keys in order to impersonate the device.(Citation: AADInternals Azure AD Device Identities)
On network devices, private keys may be exported via [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `crypto pki export`.(Citation: cisco_deploy_rsa_keys)
Some private keys require a password or passphrase for operation, so an adversary may also use [Input Capture](https://attack.mitre.org/techniques/T1056) for keylogging or attempt to [Brute Force](https://attack.mitre.org/techniques/T1110) the passphrase off-line. These private keys can be used to authenticate to [Remote Services](https://attack.mitre.org/techniques/T1021) like SSH or for use in decrypting other collected files such as email. |
| external_references[1]['source_name'] | Wikipedia Public Key Crypto | Palo Alto Prince of Persia |
| external_references[1]['description'] | Wikipedia. (2017, June 29). Public-key cryptography. Retrieved July 5, 2017. | Bar, T., Conant, S., Efraim, L. (2016, June 28). Prince of Persia – Game Over. Retrieved July 5, 2017. |
| external_references[1]['url'] | https://en.wikipedia.org/wiki/Public-key_cryptography | https://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-over/ |
| external_references[2]['source_name'] | Kaspersky Careto | cisco_deploy_rsa_keys |
| external_references[2]['description'] | Kaspersky Labs. (2014, February 11). Unveiling “Careto” - The Masked APT. Retrieved July 5, 2017. | Cisco. (2023, February 17). Chapter: Deploying RSA Keys Within a PKI . Retrieved March 27, 2023. |
| external_references[2]['url'] | https://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/unveilingthemask_v1.0.pdf | https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_pki/configuration/xe-17/sec-pki-xe-17-book/sec-deploy-rsa-pki.html#GUID-1CB802D8-9DE3-447F-BECE-CF22F5E11436 |
| external_references[3]['source_name'] | Palo Alto Prince of Persia | AADInternals Azure AD Device Identities |
| external_references[3]['description'] | Bar, T., Conant, S., Efraim, L. (2016, June 28). Prince of Persia – Game Over. Retrieved July 5, 2017. | Dr. Nestori Syynimaa. (2022, February 15). Stealing and faking Azure AD device identities. Retrieved February 21, 2023. |
| external_references[3]['url'] | https://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-over/ | https://aadinternals.com/post/deviceidentity/ |
| x_mitre_data_sources[0] | File: File Access | Command: Command Execution |
| x_mitre_data_sources[1] | Command: Command Execution | File: File Access |
| x_mitre_detection | Monitor access to files and directories related to cryptographic keys and certificates as a means for potentially detecting access patterns that may indicate collection and exfiltration activity. Collect authentication logs and look for potentially abnormal activity that may indicate improper use of keys or certificates for remote authentication. | Monitor access to files and directories related to cryptographic keys and certificates as a means for potentially detecting access patterns that may indicate collection and exfiltration activity. Collect authentication logs and look for potentially abnormal activity that may indicate improper use of keys or certificates for remote authentication. For network infrastructure devices, collect AAA logging to monitor for private keys being exported. |
| x_mitre_version | 1.0 | 1.1 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| external_references | | {'source_name': 'Kaspersky Careto', 'description': 'Kaspersky Labs. (2014, February 11). Unveiling “Careto” - The Masked APT. Retrieved July 5, 2017.', 'url': 'https://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/unveilingthemask_v1.0.pdf'} |
| external_references | | {'source_name': 'Microsoft Primary Refresh Token', 'description': 'Microsoft. (2022, September 9). What is a Primary Refresh Token?. Retrieved February 21, 2023.', 'url': 'https://learn.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token'} |
| external_references | | {'source_name': 'Wikipedia Public Key Crypto', 'description': 'Wikipedia. (2017, June 29). Public-key cryptography. Retrieved July 5, 2017.', 'url': 'https://en.wikipedia.org/wiki/Public-key_cryptography'} |
| x_mitre_contributors | | Austin Clark, @c2defense |
| x_mitre_platforms | | Network |
[T1003.007] OS Credential Dumping: Proc Filesystem
Current version: 1.1
Version changed from: 1.0 → 1.1
|
|
|---|
| t | Adversaries may gather credentials from information stored i | t | Adversaries may gather credentials from the proc filesystem |
| n the Proc filesystem or <code>/proc</code>. The Proc filesy | | or `/proc`. The proc filesystem is a pseudo-filesystem used |
| stem on Linux contains a great deal of information regarding | | as an interface to kernel data structures for Linux based sy |
| the state of the running operating system. Processes runnin | | stems managing virtual memory. For each process, the `/proc/ |
| g with root privileges can use this facility to scrape live | | <PID>/maps` file shows how memory is mapped within the proce |
| memory of other running programs. If any of these programs s | | ss’s virtual address space. And `/proc/<PID>/mem`, exposed f |
| tore passwords in clear text or password hashes in memory, t | | or debugging purposes, provides access to the process’s virt |
| hese values can then be harvested for either usage or brute | | ual address space.(Citation: Picus Labs Proc cump 2022)(Cita |
| force attacks, respectively. This functionality has been im | | tion: baeldung Linux proc map 2022) When executing with roo |
| plemented in the MimiPenguin(Citation: MimiPenguin GitHub Ma | | t privileges, adversaries can search these memory locations |
| y 2017), an open source tool inspired by Mimikatz. The tool | | for all processes on a system that contain patterns that are |
| dumps process memory, then harvests passwords and hashes by | | indicative of credentials, such as looking for fixed string |
| looking for text strings and regex patterns for how given ap | | s in memory structures or cached hashes. When running withou |
| plications such as Gnome Keyring, sshd, and Apache use memor | | t privileged access, processes can still view their own virt |
| y to store such authentication artifacts. | | ual memory locations. Some services or programs may save cre |
| | | dentials in clear text inside the process’s memory.(Citation |
| | | : MimiPenguin GitHub May 2017)(Citation: Polop Linux PrivEsc |
| | | Gitbook) If running as or with the permissions of a web br |
| | | owser, a process can search the `/maps` & `/mem` locations f |
| | | or common website credential patterns (that can also be used |
| | | to find adjacent memory within the same structure) in which |
| | | hashes or cleartext credentials may be located. |
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_contributors | | ['Tim (Wadhwa-)Brown'] |
| x_mitre_deprecated | | False |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_permissions_required | ['root'] | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2020-03-19 15:32:18.098000+00:00 | 2023-04-15 01:16:25.566000+00:00 |
| description | Adversaries may gather credentials from information stored in the Proc filesystem or /proc. The Proc filesystem on Linux contains a great deal of information regarding the state of the running operating system. Processes running with root privileges can use this facility to scrape live memory of other running programs. If any of these programs store passwords in clear text or password hashes in memory, these values can then be harvested for either usage or brute force attacks, respectively.
This functionality has been implemented in the MimiPenguin(Citation: MimiPenguin GitHub May 2017), an open source tool inspired by Mimikatz. The tool dumps process memory, then harvests passwords and hashes by looking for text strings and regex patterns for how given applications such as Gnome Keyring, sshd, and Apache use memory to store such authentication artifacts. | Adversaries may gather credentials from the proc filesystem or `/proc`. The proc filesystem is a pseudo-filesystem used as an interface to kernel data structures for Linux based systems managing virtual memory. For each process, the `/proc//maps` file shows how memory is mapped within the process’s virtual address space. And `/proc//mem`, exposed for debugging purposes, provides access to the process’s virtual address space.(Citation: Picus Labs Proc cump 2022)(Citation: baeldung Linux proc map 2022)
When executing with root privileges, adversaries can search these memory locations for all processes on a system that contain patterns that are indicative of credentials, such as looking for fixed strings in memory structures or cached hashes. When running without privileged access, processes can still view their own virtual memory locations. Some services or programs may save credentials in clear text inside the process’s memory.(Citation: MimiPenguin GitHub May 2017)(Citation: Polop Linux PrivEsc Gitbook)
If running as or with the permissions of a web browser, a process can search the `/maps` & `/mem` locations for common website credential patterns (that can also be used to find adjacent memory within the same structure) in which hashes or cleartext credentials may be located. |
| external_references[1]['source_name'] | MimiPenguin GitHub May 2017 | baeldung Linux proc map 2022 |
| external_references[1]['description'] | Gregal, H. (2017, May 12). MimiPenguin. Retrieved December 5, 2017. | baeldung. (2022, April 8). Understanding the Linux /proc/id/maps File. Retrieved March 31, 2023. |
| external_references[1]['url'] | https://github.com/huntergregal/mimipenguin | https://www.baeldung.com/linux/proc-id-maps |
| x_mitre_data_sources[0] | File: File Access | Command: Command Execution |
| x_mitre_data_sources[1] | Command: Command Execution | File: File Access |
| x_mitre_version | 1.0 | 1.1 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| external_references | | {'source_name': 'Polop Linux PrivEsc Gitbook', 'description': 'Carlos Polop. (2023, March 5). Linux Privilege Escalation. Retrieved March 31, 2023.', 'url': 'https://book.hacktricks.xyz/linux-hardening/privilege-escalation#proc-usdpid-maps-and-proc-usdpid-mem'} |
| external_references | | {'source_name': 'MimiPenguin GitHub May 2017', 'description': 'Gregal, H. (2017, May 12). MimiPenguin. Retrieved December 5, 2017.', 'url': 'https://github.com/huntergregal/mimipenguin'} |
| external_references | | {'source_name': 'Picus Labs Proc cump 2022', 'description': 'Huseyin Can YUCEEL & Picus Labs. (2022, March 22). Retrieved March 31, 2023.', 'url': 'https://www.picussecurity.com/resource/the-mitre-attck-t1003-os-credential-dumping-technique-and-its-adversary-use'} |
[T1057] Process Discovery
Current version: 1.3
Version changed from: 1.2 → 1.3
|
|
|---|
| t | Adversaries may attempt to get information about running pro | t | Adversaries may attempt to get information about running pro |
| cesses on a system. Information obtained could be used to ga | | cesses on a system. Information obtained could be used to ga |
| in an understanding of common software/applications running | | in an understanding of common software/applications running |
| on systems within the network. Adversaries may use the infor | | on systems within the network. Adversaries may use the infor |
| mation from [Process Discovery](https://attack.mitre.org/tec | | mation from [Process Discovery](https://attack.mitre.org/tec |
| hniques/T1057) during automated discovery to shape follow-on | | hniques/T1057) during automated discovery to shape follow-on |
| behaviors, including whether or not the adversary fully inf | | behaviors, including whether or not the adversary fully inf |
| ects the target and/or attempts specific actions. In Window | | ects the target and/or attempts specific actions. In Window |
| s environments, adversaries could obtain details on running | | s environments, adversaries could obtain details on running |
| processes using the [Tasklist](https://attack.mitre.org/soft | | processes using the [Tasklist](https://attack.mitre.org/soft |
| ware/S0057) utility via [cmd](https://attack.mitre.org/softw | | ware/S0057) utility via [cmd](https://attack.mitre.org/softw |
| are/S0106) or <code>Get-Process</code> via [PowerShell](http | | are/S0106) or <code>Get-Process</code> via [PowerShell](http |
| s://attack.mitre.org/techniques/T1059/001). Information abou | | s://attack.mitre.org/techniques/T1059/001). Information abou |
| t processes can also be extracted from the output of [Native | | t processes can also be extracted from the output of [Native |
| API](https://attack.mitre.org/techniques/T1106) calls such | | API](https://attack.mitre.org/techniques/T1106) calls such |
| as <code>CreateToolhelp32Snapshot</code>. In Mac and Linux, | | as <code>CreateToolhelp32Snapshot</code>. In Mac and Linux, |
| this is accomplished with the <code>ps</code> command. Adver | | this is accomplished with the <code>ps</code> command. Adver |
| saries may also opt to enumerate processes via /proc. | | saries may also opt to enumerate processes via /proc. On ne |
| | | twork devices, [Network Device CLI](https://attack.mitre.org |
| | | /techniques/T1059/008) commands such as `show processes` can |
| | | be used to display current running processes.(Citation: US- |
| | | CERT-TA18-106A)(Citation: show_processes_cisco_cmd) |
Dropped Mitigations:
- T1057: Process Discovery Mitigation
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_contributors | | ['Austin Clark, @c2defense'] |
| x_mitre_deprecated | | False |
| external_references | | Cisco. (2022, August 16). show processes - . Retrieved July 13, 2022. |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_permissions_required | ['User', 'Administrator', 'SYSTEM'] | |
| external_references | CAPEC-573 | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2020-03-26 18:05:53.130000+00:00 | 2023-04-12 23:34:02.125000+00:00 |
| description | Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
In Windows environments, adversaries could obtain details on running processes using the [Tasklist](https://attack.mitre.org/software/S0057) utility via [cmd](https://attack.mitre.org/software/S0106) or Get-Process via [PowerShell](https://attack.mitre.org/techniques/T1059/001). Information about processes can also be extracted from the output of [Native API](https://attack.mitre.org/techniques/T1106) calls such as CreateToolhelp32Snapshot. In Mac and Linux, this is accomplished with the ps command. Adversaries may also opt to enumerate processes via /proc. | Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
In Windows environments, adversaries could obtain details on running processes using the [Tasklist](https://attack.mitre.org/software/S0057) utility via [cmd](https://attack.mitre.org/software/S0106) or Get-Process via [PowerShell](https://attack.mitre.org/techniques/T1059/001). Information about processes can also be extracted from the output of [Native API](https://attack.mitre.org/techniques/T1106) calls such as CreateToolhelp32Snapshot. In Mac and Linux, this is accomplished with the ps command. Adversaries may also opt to enumerate processes via /proc.
On network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show processes` can be used to display current running processes.(Citation: US-CERT-TA18-106A)(Citation: show_processes_cisco_cmd) |
| external_references[1]['source_name'] | capec | show_processes_cisco_cmd |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/573.html | https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fundamentals/command/cf_command_ref/show_monitor_permit_list_through_show_process_memory.html#wp3599497760 |
| x_mitre_detection | System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
Normal, benign system and network events that look like process discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). | System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
Normal, benign system and network events that look like process discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
For network infrastructure devices, collect AAA logging to monitor for `show` commands being run by non-standard users from non-standard locations. |
| x_mitre_version | 1.2 | 1.3 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| external_references | | {'source_name': 'US-CERT-TA18-106A', 'description': 'US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.', 'url': 'https://www.us-cert.gov/ncas/alerts/TA18-106A'} |
| x_mitre_platforms | | Network |
[T1012] Query Registry
Current version: 1.3
Version changed from: 1.2 → 1.3
Dropped Mitigations:
- T1012: Query Registry Mitigation
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
| external_references | | Wikipedia. (n.d.). Windows Registry. Retrieved February 2, 2015. |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_permissions_required | ['User', 'Administrator', 'SYSTEM'] | |
| external_references | CAPEC-647 | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2020-03-26 18:08:20.049000+00:00 | 2023-04-03 18:56:37.011000+00:00 |
| external_references[1]['source_name'] | capec | Wikipedia Windows Registry |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/647.html | https://en.wikipedia.org/wiki/Windows_Registry |
| x_mitre_version | 1.2 | 1.3 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | | Process: Process Creation |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'Wikipedia Windows Registry', 'description': 'Wikipedia. (n.d.). Windows Registry. Retrieved February 2, 2015.', 'url': 'https://en.wikipedia.org/wiki/Windows_Registry'} | |
| x_mitre_data_sources | Process: Process Creation | |
[T1218.010] System Binary Proxy Execution: Regsvr32
Current version: 2.1
Version changed from: 2.0 → 2.1
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_permissions_required | ['Administrator', 'User'] | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-03-11 20:41:41.503000+00:00 | 2023-04-21 12:24:56.148000+00:00 |
| external_references[1]['source_name'] | Microsoft Regsvr32 | FireEye Regsvr32 Targeting Mongolian Gov |
| external_references[1]['description'] | Microsoft. (2015, August 14). How to use the Regsvr32 tool and troubleshoot Regsvr32 error messages. Retrieved June 22, 2016. | Anubhav, A., Kizhakkinan, D. (2017, February 22). Spear Phishing Techniques Used in Attacks Targeting the Mongolian Government. Retrieved February 24, 2017. |
| external_references[1]['url'] | https://support.microsoft.com/en-us/kb/249873 | https://www.fireeye.com/blog/threat-research/2017/02/spear_phishing_techn.html |
| external_references[3]['source_name'] | Carbon Black Squiblydoo Apr 2016 | Microsoft Regsvr32 |
| external_references[3]['description'] | Nolen, R. et al.. (2016, April 28). Threat Advisory: “Squiblydoo” Continues Trend of Attackers Using Native OS Tools to “Live off the Land”. Retrieved April 9, 2018. | Microsoft. (2015, August 14). How to use the Regsvr32 tool and troubleshoot Regsvr32 error messages. Retrieved June 22, 2016. |
| external_references[3]['url'] | https://www.carbonblack.com/2016/04/28/threat-advisory-squiblydoo-continues-trend-of-attackers-using-native-os-tools-to-live-off-the-land/ | https://support.microsoft.com/en-us/kb/249873 |
| external_references[4]['source_name'] | FireEye Regsvr32 Targeting Mongolian Gov | Carbon Black Squiblydoo Apr 2016 |
| external_references[4]['description'] | Anubhav, A., Kizhakkinan, D. (2017, February 22). Spear Phishing Techniques Used in Attacks Targeting the Mongolian Government. Retrieved February 24, 2017. | Nolen, R. et al.. (2016, April 28). Threat Advisory: “Squiblydoo” Continues Trend of Attackers Using Native OS Tools to “Live off the Land”. Retrieved April 9, 2018. |
| external_references[4]['url'] | https://www.fireeye.com/blog/threat-research/2017/02/spear_phishing_techn.html | https://www.carbonblack.com/2016/04/28/threat-advisory-squiblydoo-continues-trend-of-attackers-using-native-os-tools-to-live-off-the-land/ |
| x_mitre_version | 2.0 | 2.1 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | | Network Traffic: Network Connection Creation |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | Network Traffic: Network Connection Creation | |
[T1021] Remote Services
Current version: 1.3
Version changed from: 1.2 → 1.3
|
|
|---|
| t | Adversaries may use [Valid Accounts](https://attack.mitre.or | t | Adversaries may use [Valid Accounts](https://attack.mitre.or |
| g/techniques/T1078) to log into a service specifically desig | | g/techniques/T1078) to log into a service that accepts remot |
| ned to accept remote connections, such as telnet, SSH, and V | | e connections, such as telnet, SSH, and VNC. The adversary m |
| NC. The adversary may then perform actions as the logged-on | | ay then perform actions as the logged-on user. In an enterp |
| user. In an enterprise environment, servers and workstation | | rise environment, servers and workstations can be organized |
| s can be organized into domains. Domains provide centralized | | into domains. Domains provide centralized identity managemen |
| identity management, allowing users to login using one set | | t, allowing users to login using one set of credentials acro |
| of credentials across the entire network. If an adversary is | | ss the entire network. If an adversary is able to obtain a s |
| able to obtain a set of valid domain credentials, they coul | | et of valid domain credentials, they could login to many dif |
| d login to many different machines using remote access proto | | ferent machines using remote access protocols such as secure |
| cols such as secure shell (SSH) or remote desktop protocol ( | | shell (SSH) or remote desktop protocol (RDP).(Citation: SSH |
| RDP).(Citation: SSH Secure Shell)(Citation: TechNet Remote D | | Secure Shell)(Citation: TechNet Remote Desktop Services) Th |
| esktop Services) Legitimate applications (such as [Software | | ey could also login to accessible SaaS or IaaS services, suc |
| Deployment Tools](https://attack.mitre.org/techniques/T1072 | | h as those that federate their identities to the domain. L |
| ) and other administrative programs) may utilize [Remote Ser | | egitimate applications (such as [Software Deployment Tools]( |
| vices](https://attack.mitre.org/techniques/T1021) to access | | https://attack.mitre.org/techniques/T1072) and other adminis |
| remote hosts. For example, Apple Remote Desktop (ARD) on mac | | trative programs) may utilize [Remote Services](https://atta |
| OS is native software used for remote management. ARD levera | | ck.mitre.org/techniques/T1021) to access remote hosts. For e |
| ges a blend of protocols, including [VNC](https://attack.mit | | xample, Apple Remote Desktop (ARD) on macOS is native softwa |
| re.org/techniques/T1021/005) to send the screen and control | | re used for remote management. ARD leverages a blend of prot |
| buffers and [SSH](https://attack.mitre.org/techniques/T1021/ | | ocols, including [VNC](https://attack.mitre.org/techniques/T |
| 004) for secure file transfer.(Citation: Remote Management M | | 1021/005) to send the screen and control buffers and [SSH](h |
| DM macOS)(Citation: Kickstart Apple Remote Desktop commands) | | ttps://attack.mitre.org/techniques/T1021/004) for secure fil |
| (Citation: Apple Remote Desktop Admin Guide 3.3) Adversaries | | e transfer.(Citation: Remote Management MDM macOS)(Citation: |
| can abuse applications such as ARD to gain remote code exec | | Kickstart Apple Remote Desktop commands)(Citation: Apple Re |
| ution and perform lateral movement. In versions of macOS pri | | mote Desktop Admin Guide 3.3) Adversaries can abuse applicat |
| or to 10.14, an adversary can escalate an SSH session to an | | ions such as ARD to gain remote code execution and perform l |
| ARD session which enables an adversary to accept TCC (Transp | | ateral movement. In versions of macOS prior to 10.14, an adv |
| arency, Consent, and Control) prompts without user interacti | | ersary can escalate an SSH session to an ARD session which e |
| on and gain access to data.(Citation: FireEye 2019 Apple Rem | | nables an adversary to accept TCC (Transparency, Consent, an |
| ote Desktop)(Citation: Lockboxx ARD 2019)(Citation: Kickstar | | d Control) prompts without user interaction and gain access |
| t Apple Remote Desktop commands) | | to data.(Citation: FireEye 2019 Apple Remote Desktop)(Citati |
| | | on: Lockboxx ARD 2019)(Citation: Kickstart Apple Remote Desk |
| | | top commands) |
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
| external_references | | Apple. (n.d.). Apple Remote Desktop Administrator Guide Version 3.3. Retrieved October 5, 2021. |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | CAPEC-555 | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-03-28 16:07:45.017000+00:00 | 2023-03-30 21:01:42.821000+00:00 |
| description | Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.
In an enterprise environment, servers and workstations can be organized into domains. Domains provide centralized identity management, allowing users to login using one set of credentials across the entire network. If an adversary is able to obtain a set of valid domain credentials, they could login to many different machines using remote access protocols such as secure shell (SSH) or remote desktop protocol (RDP).(Citation: SSH Secure Shell)(Citation: TechNet Remote Desktop Services)
Legitimate applications (such as [Software Deployment Tools](https://attack.mitre.org/techniques/T1072) and other administrative programs) may utilize [Remote Services](https://attack.mitre.org/techniques/T1021) to access remote hosts. For example, Apple Remote Desktop (ARD) on macOS is native software used for remote management. ARD leverages a blend of protocols, including [VNC](https://attack.mitre.org/techniques/T1021/005) to send the screen and control buffers and [SSH](https://attack.mitre.org/techniques/T1021/004) for secure file transfer.(Citation: Remote Management MDM macOS)(Citation: Kickstart Apple Remote Desktop commands)(Citation: Apple Remote Desktop Admin Guide 3.3) Adversaries can abuse applications such as ARD to gain remote code execution and perform lateral movement. In versions of macOS prior to 10.14, an adversary can escalate an SSH session to an ARD session which enables an adversary to accept TCC (Transparency, Consent, and Control) prompts without user interaction and gain access to data.(Citation: FireEye 2019 Apple Remote Desktop)(Citation: Lockboxx ARD 2019)(Citation: Kickstart Apple Remote Desktop commands) | Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a service that accepts remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.
In an enterprise environment, servers and workstations can be organized into domains. Domains provide centralized identity management, allowing users to login using one set of credentials across the entire network. If an adversary is able to obtain a set of valid domain credentials, they could login to many different machines using remote access protocols such as secure shell (SSH) or remote desktop protocol (RDP).(Citation: SSH Secure Shell)(Citation: TechNet Remote Desktop Services) They could also login to accessible SaaS or IaaS services, such as those that federate their identities to the domain.
Legitimate applications (such as [Software Deployment Tools](https://attack.mitre.org/techniques/T1072) and other administrative programs) may utilize [Remote Services](https://attack.mitre.org/techniques/T1021) to access remote hosts. For example, Apple Remote Desktop (ARD) on macOS is native software used for remote management. ARD leverages a blend of protocols, including [VNC](https://attack.mitre.org/techniques/T1021/005) to send the screen and control buffers and [SSH](https://attack.mitre.org/techniques/T1021/004) for secure file transfer.(Citation: Remote Management MDM macOS)(Citation: Kickstart Apple Remote Desktop commands)(Citation: Apple Remote Desktop Admin Guide 3.3) Adversaries can abuse applications such as ARD to gain remote code execution and perform lateral movement. In versions of macOS prior to 10.14, an adversary can escalate an SSH session to an ARD session which enables an adversary to accept TCC (Transparency, Consent, and Control) prompts without user interaction and gain access to data.(Citation: FireEye 2019 Apple Remote Desktop)(Citation: Lockboxx ARD 2019)(Citation: Kickstart Apple Remote Desktop commands) |
| external_references[1]['source_name'] | capec | Apple Remote Desktop Admin Guide 3.3 |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/555.html | https://images.apple.com/remotedesktop/pdf/ARD_Admin_Guide_v3.3.pdf |
| external_references[2]['source_name'] | SSH Secure Shell | Remote Management MDM macOS |
| external_references[2]['description'] | SSH.COM. (n.d.). SSH (Secure Shell). Retrieved March 23, 2020. | Apple. (n.d.). Use MDM to enable Remote Management in macOS. Retrieved September 23, 2021. |
| external_references[2]['url'] | https://www.ssh.com/ssh | https://support.apple.com/en-us/HT209161 |
| external_references[3]['source_name'] | TechNet Remote Desktop Services | Kickstart Apple Remote Desktop commands |
| external_references[3]['description'] | Microsoft. (n.d.). Remote Desktop Services. Retrieved June 1, 2016. | Apple. (n.d.). Use the kickstart command-line utility in Apple Remote Desktop. Retrieved September 23, 2021. |
| external_references[3]['url'] | https://technet.microsoft.com/en-us/windowsserver/ee236407.aspx | https://support.apple.com/en-us/HT201710 |
| external_references[4]['source_name'] | Remote Management MDM macOS | Lockboxx ARD 2019 |
| external_references[4]['description'] | Apple. (n.d.). Use MDM to enable Remote Management in macOS. Retrieved September 23, 2021. | Dan Borges. (2019, July 21). MacOS Red Teaming 206: ARD (Apple Remote Desktop Protocol). Retrieved September 10, 2021. |
| external_references[4]['url'] | https://support.apple.com/en-us/HT209161 | http://lockboxx.blogspot.com/2019/07/macos-red-teaming-206-ard-apple-remote.html |
| external_references[5]['source_name'] | Kickstart Apple Remote Desktop commands | FireEye 2019 Apple Remote Desktop |
| external_references[5]['description'] | Apple. (n.d.). Use the kickstart command-line utility in Apple Remote Desktop. Retrieved September 23, 2021. | Jake Nicastro, Willi Ballenthin. (2019, October 9). Living off the Orchard: Leveraging Apple Remote Desktop for Good and Evil. Retrieved August 16, 2021. |
| external_references[5]['url'] | https://support.apple.com/en-us/HT201710 | https://www.fireeye.com/blog/threat-research/2019/10/leveraging-apple-remote-desktop-for-good-and-evil.html |
| external_references[6]['source_name'] | Apple Remote Desktop Admin Guide 3.3 | TechNet Remote Desktop Services |
| external_references[6]['description'] | Apple. (n.d.). Apple Remote Desktop Administrator Guide Version 3.3. Retrieved October 5, 2021. | Microsoft. (n.d.). Remote Desktop Services. Retrieved June 1, 2016. |
| external_references[6]['url'] | https://images.apple.com/remotedesktop/pdf/ARD_Admin_Guide_v3.3.pdf | https://technet.microsoft.com/en-us/windowsserver/ee236407.aspx |
| external_references[7]['source_name'] | FireEye 2019 Apple Remote Desktop | Apple Unified Log Analysis Remote Login and Screen Sharing |
| external_references[7]['description'] | Jake Nicastro, Willi Ballenthin. (2019, October 9). Living off the Orchard: Leveraging Apple Remote Desktop for Good and Evil. Retrieved August 16, 2021. | Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs: Quarantine Edition [Entry 6] – Working From Home? Remote Logins. Retrieved August 19, 2021. |
| external_references[7]['url'] | https://www.fireeye.com/blog/threat-research/2019/10/leveraging-apple-remote-desktop-for-good-and-evil.html | https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins |
| external_references[8]['source_name'] | Lockboxx ARD 2019 | SSH Secure Shell |
| external_references[8]['description'] | Dan Borges. (2019, July 21). MacOS Red Teaming 206: ARD (Apple Remote Desktop Protocol). Retrieved September 10, 2021. | SSH.COM. (n.d.). SSH (Secure Shell). Retrieved March 23, 2020. |
| external_references[8]['url'] | http://lockboxx.blogspot.com/2019/07/macos-red-teaming-206-ard-apple-remote.html | https://www.ssh.com/ssh |
| x_mitre_data_sources[1] | Module: Module Load | Logon Session: Logon Session Creation |
| x_mitre_data_sources[2] | Network Traffic: Network Connection Creation | Network Share: Network Share Access |
| x_mitre_data_sources[3] | Network Traffic: Network Traffic Flow | Command: Command Execution |
| x_mitre_data_sources[4] | Command: Command Execution | Module: Module Load |
| x_mitre_data_sources[5] | Logon Session: Logon Session Creation | Network Traffic: Network Connection Creation |
| x_mitre_data_sources[6] | Network Share: Network Share Access | Network Traffic: Network Traffic Flow |
| x_mitre_version | 1.2 | 1.3 |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'Apple Unified Log Analysis Remote Login and Screen Sharing', 'description': 'Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs: Quarantine Edition [Entry 6] – Working From Home? Remote Logins. Retrieved August 19, 2021.', 'url': 'https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins'} | |
[T1036.003] Masquerading: Rename System Utilities
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2020-11-23 17:03:38.941000+00:00 | 2023-04-07 17:07:20.038000+00:00 |
| external_references[1]['source_name'] | LOLBAS Main Site | Twitter ItsReallyNick Masquerading Update |
| external_references[1]['description'] | LOLBAS. (n.d.). Living Off The Land Binaries and Scripts (and also Libraries). Retrieved February 10, 2020. | Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading. Retrieved April 22, 2019. |
| external_references[1]['url'] | https://lolbas-project.github.io/ | https://twitter.com/ItsReallyNick/status/1055321652777619457 |
| external_references[4]['source_name'] | Twitter ItsReallyNick Masquerading Update | LOLBAS Main Site |
| external_references[4]['description'] | Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading. Retrieved April 22, 2019. | LOLBAS. (n.d.). Living Off The Land Binaries and Scripts (and also Libraries). Retrieved February 10, 2020. |
| external_references[4]['url'] | https://twitter.com/ItsReallyNick/status/1055321652777619457 | https://lolbas-project.github.io/ |
| x_mitre_data_sources[0] | Process: Process Metadata | File: File Metadata |
| x_mitre_data_sources[1] | File: File Modification | Command: Command Execution |
| x_mitre_data_sources[2] | Command: Command Execution | Process: Process Metadata |
| x_mitre_data_sources[3] | File: File Metadata | File: File Modification |
| x_mitre_version | 1.0 | 1.1 |
[T1218.011] System Binary Proxy Execution: Rundll32
Current version: 2.1
Version changed from: 2.0 → 2.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-19 18:12:39.357000+00:00 | 2023-04-21 12:25:32.096000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_data_sources[0] | Process: Process Creation | Module: Module Load |
| x_mitre_data_sources[1] | File: File Metadata | Command: Command Execution |
| x_mitre_data_sources[2] | Command: Command Execution | File: File Metadata |
| x_mitre_data_sources[3] | Module: Module Load | Process: Process Creation |
| x_mitre_version | 2.0 | 2.1 |
[T1021.002] Remote Services: SMB/Windows Admin Shares
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
| external_references | | French, D. (2018, October 9). Detecting & Removing an Attacker’s WMI Persistence. Retrieved October 11, 2019. |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_permissions_required | ['User', 'Administrator'] | |
| external_references | CAPEC-561 | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2020-03-23 21:16:02.812000+00:00 | 2023-04-03 18:57:59.554000+00:00 |
| external_references[1]['source_name'] | capec | Medium Detecting WMI Persistence |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/561.html | https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96 |
| external_references[2]['source_name'] | Wikipedia Server Message Block | TechNet RPC |
| external_references[2]['description'] | Wikipedia. (2017, December 16). Server Message Block. Retrieved December 21, 2017. | Microsoft. (2003, March 28). What Is RPC?. Retrieved June 12, 2016. |
| external_references[2]['url'] | https://en.wikipedia.org/wiki/Server_Message_Block | https://technet.microsoft.com/en-us/library/cc787851.aspx |
| external_references[3]['source_name'] | TechNet RPC | Microsoft Admin Shares |
| external_references[3]['description'] | Microsoft. (2003, March 28). What Is RPC?. Retrieved June 12, 2016. | Microsoft. (n.d.). How to create and delete hidden or administrative shares on client computers. Retrieved November 20, 2014. |
| external_references[3]['url'] | https://technet.microsoft.com/en-us/library/cc787851.aspx | http://support.microsoft.com/kb/314984 |
| external_references[4]['source_name'] | Microsoft Admin Shares | Windows Event Forwarding Payne |
| external_references[4]['description'] | Microsoft. (n.d.). How to create and delete hidden or administrative shares on client computers. Retrieved November 20, 2014. | Payne, J. (2015, November 23). Monitoring what matters - Windows Event Forwarding for everyone (even if you already have a SIEM.). Retrieved February 1, 2016. |
| external_references[4]['url'] | http://support.microsoft.com/kb/314984 | https://docs.microsoft.com/en-us/archive/blogs/jepayne/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem |
| external_references[6]['source_name'] | Windows Event Forwarding Payne | Wikipedia Server Message Block |
| external_references[6]['description'] | Payne, J. (2015, November 23). Monitoring what matters - Windows Event Forwarding for everyone (even if you already have a SIEM.). Retrieved February 1, 2016. | Wikipedia. (2017, December 16). Server Message Block. Retrieved December 21, 2017. |
| external_references[6]['url'] | https://docs.microsoft.com/en-us/archive/blogs/jepayne/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem | https://en.wikipedia.org/wiki/Server_Message_Block |
| x_mitre_data_sources[1] | Network Traffic: Network Traffic Flow | Logon Session: Logon Session Creation |
| x_mitre_data_sources[2] | Logon Session: Logon Session Creation | Network Share: Network Share Access |
| x_mitre_data_sources[4] | Network Share: Network Share Access | Network Traffic: Network Traffic Flow |
| x_mitre_version | 1.0 | 1.1 |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'Medium Detecting WMI Persistence', 'description': 'French, D. (2018, October 9). Detecting & Removing an Attacker’s WMI Persistence. Retrieved October 11, 2019.', 'url': 'https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96'} | |
[T1098.004] Account Manipulation: SSH Authorized Keys
Current version: 1.2
Version changed from: 1.1 → 1.2
|
|
|---|
| t | Adversaries may modify the SSH <code>authorized_keys</code> | t | Adversaries may modify the SSH <code>authorized_keys</code> |
| file to maintain persistence on a victim host. Linux distrib | | file to maintain persistence on a victim host. Linux distrib |
| utions and macOS commonly use key-based authentication to se | | utions and macOS commonly use key-based authentication to se |
| cure the authentication process of SSH sessions for remote m | | cure the authentication process of SSH sessions for remote m |
| anagement. The <code>authorized_keys</code> file in SSH spec | | anagement. The <code>authorized_keys</code> file in SSH spec |
| ifies the SSH keys that can be used for logging into the use | | ifies the SSH keys that can be used for logging into the use |
| r account for which the file is configured. This file is usu | | r account for which the file is configured. This file is usu |
| ally found in the user's home directory under <code><user | | ally found in the user's home directory under <code><user |
| -home>/.ssh/authorized_keys</code>.(Citation: SSH Authori | | -home>/.ssh/authorized_keys</code>.(Citation: SSH Authori |
| zed Keys) Users may edit the system’s SSH config file to mod | | zed Keys) Users may edit the system’s SSH config file to mod |
| ify the directives PubkeyAuthentication and RSAAuthenticatio | | ify the directives PubkeyAuthentication and RSAAuthenticatio |
| n to the value “yes” to ensure public key and RSA authentica | | n to the value “yes” to ensure public key and RSA authentica |
| tion are enabled. The SSH config file is usually located und | | tion are enabled. The SSH config file is usually located und |
| er <code>/etc/ssh/sshd_config</code>. Adversaries may modif | | er <code>/etc/ssh/sshd_config</code>. Adversaries may modif |
| y SSH <code>authorized_keys</code> files directly with scrip | | y SSH <code>authorized_keys</code> files directly with scrip |
| ts or shell commands to add their own adversary-supplied pub | | ts or shell commands to add their own adversary-supplied pub |
| lic keys. In cloud environments, adversaries may be able to | | lic keys. In cloud environments, adversaries may be able to |
| modify the SSH authorized_keys file of a particular virtual | | modify the SSH authorized_keys file of a particular virtual |
| machine via the command line interface or rest API. For exam | | machine via the command line interface or rest API. For exam |
| ple, by using the Google Cloud CLI’s “add-metadata” command | | ple, by using the Google Cloud CLI’s “add-metadata” command |
| an adversary may add SSH keys to a user account.(Citation: G | | an adversary may add SSH keys to a user account.(Citation: G |
| oogle Cloud Add Metadata)(Citation: Google Cloud Privilege E | | oogle Cloud Add Metadata)(Citation: Google Cloud Privilege E |
| scalation) Similarly, in Azure, an adversary may update the | | scalation) Similarly, in Azure, an adversary may update the |
| authorized_keys file of a virtual machine via a PATCH reques | | authorized_keys file of a virtual machine via a PATCH reques |
| t to the API.(Citation: Azure Update Virtual Machines) This | | t to the API.(Citation: Azure Update Virtual Machines) This |
| ensures that an adversary possessing the corresponding priva | | ensures that an adversary possessing the corresponding priva |
| te key may log in as an existing user via SSH.(Citation: Ven | | te key may log in as an existing user via SSH.(Citation: Ven |
| afi SSH Key Abuse)(Citation: Cybereason Linux Exim Worm) Wh | | afi SSH Key Abuse)(Citation: Cybereason Linux Exim Worm) W |
| ere authorized_keys files are modified via cloud APIs or com | | here authorized_keys files are modified via cloud APIs or co |
| mand line interfaces, an adversary may achieve privilege esc | | mmand line interfaces, an adversary may achieve privilege es |
| alation on the target virtual machine if they add a key to a | | calation on the target virtual machine if they add a key to |
| higher-privileged user. | | a higher-privileged user. SSH keys can also be added to ac |
| | | counts on network devices, such as with the `ip ssh pubkey-c |
| | | hain` [Network Device CLI](https://attack.mitre.org/techniqu |
| | | es/T1059/008) command.(Citation: cisco_ip_ssh_pubkey_ch_cmd) |
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-20 16:26:57.982000+00:00 | 2023-04-12 23:28:34.599000+00:00 |
| description | Adversaries may modify the SSH authorized_keys file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The authorized_keys file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under <user-home>/.ssh/authorized_keys.(Citation: SSH Authorized Keys) Users may edit the system’s SSH config file to modify the directives PubkeyAuthentication and RSAAuthentication to the value “yes” to ensure public key and RSA authentication are enabled. The SSH config file is usually located under /etc/ssh/sshd_config.
Adversaries may modify SSH authorized_keys files directly with scripts or shell commands to add their own adversary-supplied public keys. In cloud environments, adversaries may be able to modify the SSH authorized_keys file of a particular virtual machine via the command line interface or rest API. For example, by using the Google Cloud CLI’s “add-metadata” command an adversary may add SSH keys to a user account.(Citation: Google Cloud Add Metadata)(Citation: Google Cloud Privilege Escalation) Similarly, in Azure, an adversary may update the authorized_keys file of a virtual machine via a PATCH request to the API.(Citation: Azure Update Virtual Machines) This ensures that an adversary possessing the corresponding private key may log in as an existing user via SSH.(Citation: Venafi SSH Key Abuse)(Citation: Cybereason Linux Exim Worm)
Where authorized_keys files are modified via cloud APIs or command line interfaces, an adversary may achieve privilege escalation on the target virtual machine if they add a key to a higher-privileged user. | Adversaries may modify the SSH authorized_keys file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The authorized_keys file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under <user-home>/.ssh/authorized_keys.(Citation: SSH Authorized Keys) Users may edit the system’s SSH config file to modify the directives PubkeyAuthentication and RSAAuthentication to the value “yes” to ensure public key and RSA authentication are enabled. The SSH config file is usually located under /etc/ssh/sshd_config.
Adversaries may modify SSH authorized_keys files directly with scripts or shell commands to add their own adversary-supplied public keys. In cloud environments, adversaries may be able to modify the SSH authorized_keys file of a particular virtual machine via the command line interface or rest API. For example, by using the Google Cloud CLI’s “add-metadata” command an adversary may add SSH keys to a user account.(Citation: Google Cloud Add Metadata)(Citation: Google Cloud Privilege Escalation) Similarly, in Azure, an adversary may update the authorized_keys file of a virtual machine via a PATCH request to the API.(Citation: Azure Update Virtual Machines) This ensures that an adversary possessing the corresponding private key may log in as an existing user via SSH.(Citation: Venafi SSH Key Abuse)(Citation: Cybereason Linux Exim Worm)
Where authorized_keys files are modified via cloud APIs or command line interfaces, an adversary may achieve privilege escalation on the target virtual machine if they add a key to a higher-privileged user.
SSH keys can also be added to accounts on network devices, such as with the `ip ssh pubkey-chain` [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) command.(Citation: cisco_ip_ssh_pubkey_ch_cmd) |
| external_references[3]['source_name'] | Cybereason Linux Exim Worm | cisco_ip_ssh_pubkey_ch_cmd |
| external_references[3]['description'] | Cybereason Nocturnus. (2019, June 13). New Pervasive Worm Exploiting Linux Exim Server Vulnerability. Retrieved June 24, 2020. | Cisco. (2021, August 23). ip ssh pubkey-chain. Retrieved July 13, 2022. |
| external_references[3]['url'] | https://www.cybereason.com/blog/new-pervasive-worm-exploiting-linux-exim-server-vulnerability | https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html#wp1254331478 |
| external_references[4]['source_name'] | Google Cloud Add Metadata | Cybereason Linux Exim Worm |
| external_references[4]['description'] | Google Cloud. (2022, March 31). gcloud compute instances add-metadata. Retrieved April 1, 2022. | Cybereason Nocturnus. (2019, June 13). New Pervasive Worm Exploiting Linux Exim Server Vulnerability. Retrieved June 24, 2020. |
| external_references[4]['url'] | https://cloud.google.com/sdk/gcloud/reference/compute/instances/add-metadata | https://www.cybereason.com/blog/new-pervasive-worm-exploiting-linux-exim-server-vulnerability |
| external_references[5]['source_name'] | Azure Update Virtual Machines | Google Cloud Add Metadata |
| external_references[5]['description'] | Microsoft. (n.d.). Virtual Machines - Update. Retrieved April 1, 2022. | Google Cloud. (2022, March 31). gcloud compute instances add-metadata. Retrieved April 1, 2022. |
| external_references[5]['url'] | https://docs.microsoft.com/en-us/rest/api/compute/virtual-machines/update | https://cloud.google.com/sdk/gcloud/reference/compute/instances/add-metadata |
| external_references[6]['source_name'] | SSH Authorized Keys | Azure Update Virtual Machines |
| external_references[6]['description'] | ssh.com. (n.d.). Authorized_keys File in SSH. Retrieved June 24, 2020. | Microsoft. (n.d.). Virtual Machines - Update. Retrieved April 1, 2022. |
| external_references[6]['url'] | https://www.ssh.com/ssh/authorized_keys/ | https://docs.microsoft.com/en-us/rest/api/compute/virtual-machines/update |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_detection | Use file integrity monitoring to detect changes made to the authorized_keys file for each user on a system. Monitor for suspicious processes modifying the authorized_keys file. In cloud environments, monitor instances for modification of metadata and configurations.
Monitor for changes to and suspicious processes modifiying /etc/ssh/sshd_config. | Use file integrity monitoring to detect changes made to the authorized_keys file for each user on a system. Monitor for suspicious processes modifying the authorized_keys file. In cloud environments, monitor instances for modification of metadata and configurations.
Monitor for changes to and suspicious processes modifiying /etc/ssh/sshd_config.
For network infrastructure devices, collect AAA logging to monitor for rogue SSH keys being added to accounts. |
| x_mitre_version | 1.1 | 1.2 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| external_references | | {'source_name': 'SSH Authorized Keys', 'description': 'ssh.com. (n.d.). Authorized_keys File in SSH. Retrieved June 24, 2020.', 'url': 'https://www.ssh.com/ssh/authorized_keys/'} |
| x_mitre_contributors | | Austin Clark, @c2defense |
| x_mitre_data_sources | | File: File Modification |
| x_mitre_platforms | | Network |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | File: File Modification | |
[T1053.005] Scheduled Task/Job: Scheduled Task
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-07-06 20:20:13.871000+00:00 | 2023-04-07 17:11:17.807000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_data_sources[0] | Scheduled Job: Scheduled Job Creation | File: File Modification |
| x_mitre_data_sources[1] | Windows Registry: Windows Registry Key Creation | Scheduled Job: Scheduled Job Creation |
| x_mitre_data_sources[2] | Command: Command Execution | Process: Process Creation |
| x_mitre_data_sources[3] | Process: Process Creation | Command: Command Execution |
| x_mitre_data_sources[4] | File: File Modification | Windows Registry: Windows Registry Key Creation |
| x_mitre_version | 1.2 | 1.3 |
[T1546.002] Event Triggered Execution: Screensaver
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-20 16:58:48.140000+00:00 | 2023-04-21 12:31:54.177000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_data_sources[1] | File: File Modification | Command: Command Execution |
| x_mitre_data_sources[2] | File: File Creation | Process: Process Creation |
| x_mitre_data_sources[3] | Command: Command Execution | File: File Modification |
| x_mitre_data_sources[4] | Process: Process Creation | File: File Creation |
| x_mitre_version | 1.0 | 1.1 |
[T1518.001] Software Discovery: Security Software Discovery
Current version: 1.4
Version changed from: 1.3 → 1.4
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-11 22:26:34.327000+00:00 | 2023-04-21 12:30:00.939000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_data_sources[2] | Process: Process Creation | Firewall: Firewall Metadata |
| x_mitre_data_sources[4] | Firewall: Firewall Metadata | Process: Process Creation |
| x_mitre_version | 1.3 | 1.4 |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/581.html', 'external_id': 'CAPEC-581'} | |
[T1584.004] Compromise Infrastructure: Server
Current version: 1.2
Version changed from: 1.1 → 1.2
|
|
|---|
| t | Adversaries may compromise third-party servers that can be u | t | Adversaries may compromise third-party servers that can be u |
| sed during targeting. Use of servers allows an adversary to | | sed during targeting. Use of servers allows an adversary to |
| stage, launch, and execute an operation. During post-comprom | | stage, launch, and execute an operation. During post-comprom |
| ise activity, adversaries may utilize servers for various ta | | ise activity, adversaries may utilize servers for various ta |
| sks, including for Command and Control. Instead of purchasin | | sks, including for Command and Control. Instead of purchasin |
| g a [Server](https://attack.mitre.org/techniques/T1583/004) | | g a [Server](https://attack.mitre.org/techniques/T1583/004) |
| or [Virtual Private Server](https://attack.mitre.org/techniq | | or [Virtual Private Server](https://attack.mitre.org/techniq |
| ues/T1583/003), adversaries may compromise third-party serve | | ues/T1583/003), adversaries may compromise third-party serve |
| rs in support of operations. Adversaries may also compromis | | rs in support of operations. Adversaries may also compromis |
| e web servers to support watering hole operations, as in [Dr | | e web servers to support watering hole operations, as in [Dr |
| ive-by Compromise](https://attack.mitre.org/techniques/T1189 | | ive-by Compromise](https://attack.mitre.org/techniques/T1189 |
| ). | | ), or email servers to support [Phishing](https://attack.mit |
| | | re.org/techniques/T1566) operations. |
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_contributors | | ['Dor Edry, Microsoft'] |
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-10-17 16:00:16.273000+00:00 | 2023-04-13 00:00:25.676000+00:00 |
| description | Adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of purchasing a [Server](https://attack.mitre.org/techniques/T1583/004) or [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may compromise third-party servers in support of operations.
Adversaries may also compromise web servers to support watering hole operations, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). | Adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of purchasing a [Server](https://attack.mitre.org/techniques/T1583/004) or [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may compromise third-party servers in support of operations.
Adversaries may also compromise web servers to support watering hole operations, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), or email servers to support [Phishing](https://attack.mitre.org/techniques/T1566) operations. |
| external_references[1]['source_name'] | ThreatConnect Infrastructure Dec 2020 | Koczwara Beacon Hunting Sep 2021 |
| external_references[1]['description'] | ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021. | Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with Shodan. Retrieved October 12, 2021. |
| external_references[1]['url'] | https://threatconnect.com/blog/infrastructure-research-hunting/ | https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2 |
| external_references[3]['source_name'] | Koczwara Beacon Hunting Sep 2021 | ThreatConnect Infrastructure Dec 2020 |
| external_references[3]['description'] | Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with Shodan. Retrieved October 12, 2021. | ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021. |
| external_references[3]['url'] | https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2 | https://threatconnect.com/blog/infrastructure-research-hunting/ |
| x_mitre_data_sources[0] | Internet Scan: Response Metadata | Internet Scan: Response Content |
| x_mitre_data_sources[1] | Internet Scan: Response Content | Internet Scan: Response Metadata |
| x_mitre_version | 1.1 | 1.2 |
[T1583.004] Acquire Infrastructure: Server
Current version: 1.2
Version changed from: 1.1 → 1.2
|
|
|---|
| t | Adversaries may buy, lease, or rent physical servers that ca | t | Adversaries may buy, lease, or rent physical servers that ca |
| n be used during targeting. Use of servers allows an adversa | | n be used during targeting. Use of servers allows an adversa |
| ry to stage, launch, and execute an operation. During post-c | | ry to stage, launch, and execute an operation. During post-c |
| ompromise activity, adversaries may utilize servers for vari | | ompromise activity, adversaries may utilize servers for vari |
| ous tasks, including for Command and Control. Instead of com | | ous tasks, including for Command and Control. Adversaries ma |
| promising a third-party [Server](https://attack.mitre.org/te | | y use web servers to support support watering hole operation |
| chniques/T1584/004) or renting a [Virtual Private Server](ht | | s, as in [Drive-by Compromise](https://attack.mitre.org/tech |
| tps://attack.mitre.org/techniques/T1583/003), adversaries ma | | niques/T1189), or email servers to support [Phishing](https: |
| y opt to configure and run their own servers in support of o | | //attack.mitre.org/techniques/T1566) operations. Instead of |
| perations. Adversaries may only need a lightweight setup if | | compromising a third-party [Server](https://attack.mitre.org |
| most of their activities will take place using online infra | | /techniques/T1584/004) or renting a [Virtual Private Server] |
| structure. Or, they may need to build extensive infrastructu | | (https://attack.mitre.org/techniques/T1583/003), adversaries |
| re if they want to test, communicate, and control other aspe | | may opt to configure and run their own servers in support o |
| cts of their activities on their own systems.(Citation: NYTS | | f operations. Adversaries may only need a lightweight setup |
| tuxnet) | | if most of their activities will take place using online in |
| | | frastructure. Or, they may need to build extensive infrastru |
| | | cture if they want to test, communicate, and control other a |
| | | spects of their activities on their own systems.(Citation: N |
| | | YTStuxnet) |
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_contributors | | ['Dor Edry, Microsoft'] |
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-10-17 15:39:45.736000+00:00 | 2023-04-12 20:18:42.003000+00:00 |
| description | Adversaries may buy, lease, or rent physical servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of compromising a third-party [Server](https://attack.mitre.org/techniques/T1584/004) or renting a [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may opt to configure and run their own servers in support of operations.
Adversaries may only need a lightweight setup if most of their activities will take place using online infrastructure. Or, they may need to build extensive infrastructure if they want to test, communicate, and control other aspects of their activities on their own systems.(Citation: NYTStuxnet) | Adversaries may buy, lease, or rent physical servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Adversaries may use web servers to support support watering hole operations, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), or email servers to support [Phishing](https://attack.mitre.org/techniques/T1566) operations. Instead of compromising a third-party [Server](https://attack.mitre.org/techniques/T1584/004) or renting a [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may opt to configure and run their own servers in support of operations.
Adversaries may only need a lightweight setup if most of their activities will take place using online infrastructure. Or, they may need to build extensive infrastructure if they want to test, communicate, and control other aspects of their activities on their own systems.(Citation: NYTStuxnet) |
| external_references[1]['source_name'] | NYTStuxnet | Koczwara Beacon Hunting Sep 2021 |
| external_references[1]['description'] | William J. Broad, John Markoff, and David E. Sanger. (2011, January 15). Israeli Test on Worm Called Crucial in Iran Nuclear Delay. Retrieved March 1, 2017. | Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with Shodan. Retrieved October 12, 2021. |
| external_references[1]['url'] | https://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html | https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2 |
| external_references[2]['source_name'] | ThreatConnect Infrastructure Dec 2020 | Mandiant SCANdalous Jul 2020 |
| external_references[2]['description'] | ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021. | Stephens, A. (2020, July 13). SCANdalous! (External Detection Using Network Scan Data and Automation). Retrieved October 12, 2021. |
| external_references[2]['url'] | https://threatconnect.com/blog/infrastructure-research-hunting/ | https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation |
| external_references[3]['source_name'] | Mandiant SCANdalous Jul 2020 | ThreatConnect Infrastructure Dec 2020 |
| external_references[3]['description'] | Stephens, A. (2020, July 13). SCANdalous! (External Detection Using Network Scan Data and Automation). Retrieved October 12, 2021. | ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021. |
| external_references[3]['url'] | https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation | https://threatconnect.com/blog/infrastructure-research-hunting/ |
| external_references[4]['source_name'] | Koczwara Beacon Hunting Sep 2021 | NYTStuxnet |
| external_references[4]['description'] | Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with Shodan. Retrieved October 12, 2021. | William J. Broad, John Markoff, and David E. Sanger. (2011, January 15). Israeli Test on Worm Called Crucial in Iran Nuclear Delay. Retrieved March 1, 2017. |
| external_references[4]['url'] | https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2 | https://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html |
| x_mitre_data_sources[0] | Internet Scan: Response Metadata | Internet Scan: Response Content |
| x_mitre_data_sources[1] | Internet Scan: Response Content | Internet Scan: Response Metadata |
| x_mitre_version | 1.1 | 1.2 |
[T1598.003] Phishing for Information: Spearphishing Link
Current version: 1.4
Version changed from: 1.3 → 1.4
|
|
|---|
| t | Adversaries may send spearphishing messages with a malicious | t | Adversaries may send spearphishing messages with a malicious |
| link to elicit sensitive information that can be used durin | | link to elicit sensitive information that can be used durin |
| g targeting. Spearphishing for information is an attempt to | | g targeting. Spearphishing for information is an attempt to |
| trick targets into divulging information, frequently credent | | trick targets into divulging information, frequently credent |
| ials or other actionable information. Spearphishing for info | | ials or other actionable information. Spearphishing for info |
| rmation frequently involves social engineering techniques, s | | rmation frequently involves social engineering techniques, s |
| uch as posing as a source with a reason to collect informati | | uch as posing as a source with a reason to collect informati |
| on (ex: [Establish Accounts](https://attack.mitre.org/techni | | on (ex: [Establish Accounts](https://attack.mitre.org/techni |
| ques/T1585) or [Compromise Accounts](https://attack.mitre.or | | ques/T1585) or [Compromise Accounts](https://attack.mitre.or |
| g/techniques/T1586)) and/or sending multiple, seemingly urge | | g/techniques/T1586)) and/or sending multiple, seemingly urge |
| nt messages. All forms of spearphishing are electronically | | nt messages. All forms of spearphishing are electronically |
| delivered social engineering targeted at a specific individu | | delivered social engineering targeted at a specific individu |
| al, company, or industry. In this scenario, the malicious em | | al, company, or industry. In this scenario, the malicious em |
| ails contain links generally accompanied by social engineeri | | ails contain links generally accompanied by social engineeri |
| ng text to coax the user to actively click or copy and paste | | ng text to coax the user to actively click or copy and paste |
| a URL into a browser.(Citation: TrendMictro Phishing)(Citat | | a URL into a browser.(Citation: TrendMictro Phishing)(Citat |
| ion: PCMag FakeLogin) The given website may be a clone of a | | ion: PCMag FakeLogin) The given website may be a clone of a |
| legitimate site (such as an online or corporate login portal | | legitimate site (such as an online or corporate login portal |
| ) or may closely resemble a legitimate site in appearance an | | ) or may closely resemble a legitimate site in appearance an |
| d have a URL containing elements from the real site. From | | d have a URL containing elements from the real site. Advers |
| the fake website, information is gathered in web forms and s | | aries may also link to "web bugs" or "web beacons" within ph |
| ent to the adversary. Adversaries may also use information f | | ishing messages to verify the receipt of an email, while als |
| rom previous reconnaissance efforts (ex: [Search Open Websit | | o potentially profiling and tracking victim information such |
| es/Domains](https://attack.mitre.org/techniques/T1593) or [S | | as IP address.(Citation: NIST Web Bug) Adversaries may als |
| earch Victim-Owned Websites](https://attack.mitre.org/techni | | o be able to spoof a complete website using what is known as |
| ques/T1594)) to craft persuasive and believable lures. | | a "browser-in-the-browser" (BitB) attack. By generating a f |
| | | ake browser popup window with an HTML-based address bar that |
| | | appears to contain a legitimate URL (such as an authenticat |
| | | ion portal), they may be able to prompt users to enter their |
| | | credentials while bypassing typical URL verification method |
| | | s.(Citation: ZScaler BitB 2020)(Citation: Mr. D0x BitB 2022) |
| | | From the fake website, information is gathered in web form |
| | | s and sent to the adversary. Adversaries may also use inform |
| | | ation from previous reconnaissance efforts (ex: [Search Open |
| | | Websites/Domains](https://attack.mitre.org/techniques/T1593 |
| | | ) or [Search Victim-Owned Websites](https://attack.mitre.org |
| | | /techniques/T1594)) to craft persuasive and believable lures |
| | | . |
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-21 16:01:47.611000+00:00 | 2023-04-15 17:38:48.406000+00:00 |
| description | Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.
All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, the malicious emails contain links generally accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser.(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin) The given website may be a clone of a legitimate site (such as an online or corporate login portal) or may closely resemble a legitimate site in appearance and have a URL containing elements from the real site.
From the fake website, information is gathered in web forms and sent to the adversary. Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures. | Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.
All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, the malicious emails contain links generally accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser.(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin) The given website may be a clone of a legitimate site (such as an online or corporate login portal) or may closely resemble a legitimate site in appearance and have a URL containing elements from the real site.
Adversaries may also link to "web bugs" or "web beacons" within phishing messages to verify the receipt of an email, while also potentially profiling and tracking victim information such as IP address.(Citation: NIST Web Bug)
Adversaries may also be able to spoof a complete website using what is known as a "browser-in-the-browser" (BitB) attack. By generating a fake browser popup window with an HTML-based address bar that appears to contain a legitimate URL (such as an authentication portal), they may be able to prompt users to enter their credentials while bypassing typical URL verification methods.(Citation: ZScaler BitB 2020)(Citation: Mr. D0x BitB 2022)
From the fake website, information is gathered in web forms and sent to the adversary. Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures. |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_contributors[4] | Menachem Goldstein | Elpidoforos Maragkos, @emaragkos |
| x_mitre_data_sources[1] | Application Log: Application Log Content | Network Traffic: Network Traffic Flow |
| x_mitre_data_sources[2] | Network Traffic: Network Traffic Flow | Application Log: Application Log Content |
| x_mitre_version | 1.3 | 1.4 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| external_references | | {'source_name': 'Mr. D0x BitB 2022', 'description': 'mr.d0x. (2022, March 15). Browser In The Browser (BITB) Attack. Retrieved March 8, 2023.', 'url': 'https://mrd0x.com/browser-in-the-browser-phishing-attack/'} |
| external_references | | {'source_name': 'NIST Web Bug', 'description': 'NIST Information Technology Laboratory. (n.d.). web bug. Retrieved March 22, 2023.', 'url': 'https://csrc.nist.gov/glossary/term/web_bug'} |
| external_references | | {'source_name': 'ZScaler BitB 2020', 'description': 'ZScaler. (2020, February 11). Fake Sites Stealing Steam Credentials. Retrieved March 8, 2023.', 'url': 'https://www.zscaler.com/blogs/security-research/fake-sites-stealing-steam-credentials'} |
| x_mitre_contributors | | Menachem Goldstein |
| x_mitre_contributors | | Joas Antonio dos Santos, @C0d3Cr4zy |
[T1566.002] Phishing: Spearphishing Link
Current version: 2.4
Version changed from: 2.3 → 2.4
|
|
|---|
| t | Adversaries may send spearphishing emails with a malicious l | t | Adversaries may send spearphishing emails with a malicious l |
| ink in an attempt to gain access to victim systems. Spearphi | | ink in an attempt to gain access to victim systems. Spearphi |
| shing with a link is a specific variant of spearphishing. It | | shing with a link is a specific variant of spearphishing. It |
| is different from other forms of spearphishing in that it e | | is different from other forms of spearphishing in that it e |
| mploys the use of links to download malware contained in ema | | mploys the use of links to download malware contained in ema |
| il, instead of attaching malicious files to the email itself | | il, instead of attaching malicious files to the email itself |
| , to avoid defenses that may inspect email attachments. Spea | | , to avoid defenses that may inspect email attachments. Spea |
| rphishing may also involve social engineering techniques, su | | rphishing may also involve social engineering techniques, su |
| ch as posing as a trusted source. All forms of spearphishin | | ch as posing as a trusted source. All forms of spearphishin |
| g are electronically delivered social engineering targeted a | | g are electronically delivered social engineering targeted a |
| t a specific individual, company, or industry. In this case, | | t a specific individual, company, or industry. In this case, |
| the malicious emails contain links. Generally, the links wi | | the malicious emails contain links. Generally, the links wi |
| ll be accompanied by social engineering text and require the | | ll be accompanied by social engineering text and require the |
| user to actively click or copy and paste a URL into a brows | | user to actively click or copy and paste a URL into a brows |
| er, leveraging [User Execution](https://attack.mitre.org/tec | | er, leveraging [User Execution](https://attack.mitre.org/tec |
| hniques/T1204). The visited website may compromise the web b | | hniques/T1204). The visited website may compromise the web b |
| rowser using an exploit, or the user will be prompted to dow | | rowser using an exploit, or the user will be prompted to dow |
| nload applications, documents, zip files, or even executable | | nload applications, documents, zip files, or even executable |
| s depending on the pretext for the email in the first place. | | s depending on the pretext for the email in the first place. |
| Adversaries may also include links that are intended to int | | Adversaries may also include links that are intended to int |
| eract directly with an email reader, including embedded imag | | eract directly with an email reader, including embedded imag |
| es intended to exploit the end system directly or verify the | | es intended to exploit the end system directly. Additionally |
| receipt of an email (i.e. web bugs/web beacons). Additional | | , adversaries may use seemingly benign links that abuse spec |
| ly, adversaries may use seemingly benign links that abuse sp | | ial characters to mimic legitimate websites (known as an "ID |
| ecial characters to mimic legitimate websites (known as an " | | N homograph attack").(Citation: CISA IDN ST05-016) Adversar |
| IDN homograph attack").(Citation: CISA IDN ST05-016) Advers | | ies may also utilize links to perform consent phishing, typi |
| aries may also utilize links to perform consent phishing, ty | | cally with OAuth 2.0 request URLs that when accepted by the |
| pically with OAuth 2.0 request URLs that when accepted by th | | user provide permissions/access for malicious applications, |
| e user provide permissions/access for malicious applications | | allowing adversaries to [Steal Application Access Token](ht |
| , allowing adversaries to [Steal Application Access Token]( | | tps://attack.mitre.org/techniques/T1528)s.(Citation: Trend M |
| https://attack.mitre.org/techniques/T1528)s.(Citation: Trend | | icro Pawn Storm OAuth 2017) These stolen access tokens allow |
| Micro Pawn Storm OAuth 2017) These stolen access tokens all | | the adversary to perform various actions on behalf of the u |
| ow the adversary to perform various actions on behalf of the | | ser via API calls. (Citation: Microsoft OAuth 2.0 Consent Ph |
| user via API calls. (Citation: Microsoft OAuth 2.0 Consent | | ishing 2021) |
| Phishing 2021) | | |
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-21 16:01:45.500000+00:00 | 2023-04-11 00:44:21.193000+00:00 |
| description | Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.
All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place. Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly or verify the receipt of an email (i.e. web bugs/web beacons). Additionally, adversaries may use seemingly benign links that abuse special characters to mimic legitimate websites (known as an "IDN homograph attack").(Citation: CISA IDN ST05-016)
Adversaries may also utilize links to perform consent phishing, typically with OAuth 2.0 request URLs that when accepted by the user provide permissions/access for malicious applications, allowing adversaries to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s.(Citation: Trend Micro Pawn Storm OAuth 2017) These stolen access tokens allow the adversary to perform various actions on behalf of the user via API calls. (Citation: Microsoft OAuth 2.0 Consent Phishing 2021) | Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.
All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place. Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly. Additionally, adversaries may use seemingly benign links that abuse special characters to mimic legitimate websites (known as an "IDN homograph attack").(Citation: CISA IDN ST05-016)
Adversaries may also utilize links to perform consent phishing, typically with OAuth 2.0 request URLs that when accepted by the user provide permissions/access for malicious applications, allowing adversaries to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s.(Citation: Trend Micro Pawn Storm OAuth 2017) These stolen access tokens allow the adversary to perform various actions on behalf of the user via API calls. (Citation: Microsoft OAuth 2.0 Consent Phishing 2021) |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 2.3 | 2.4 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | | Application Log: Application Log Content |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/163.html', 'external_id': 'CAPEC-163'} | |
| x_mitre_data_sources | Application Log: Application Log Content | |
[T1649] Steal or Forge Authentication Certificates
Current version: 1.1
Version changed from: 1.0 → 1.1
|
|
|---|
| t | Adversaries may steal or forge certificates used for authent | t | Adversaries may steal or forge certificates used for authent |
| ication to access remote systems or resources. Digital certi | | ication to access remote systems or resources. Digital certi |
| ficates are often used to sign and encrypt messages and/or f | | ficates are often used to sign and encrypt messages and/or f |
| iles. Certificates are also used as authentication material. | | iles. Certificates are also used as authentication material. |
| For example, Azure AD device certificates and Active Direct | | For example, Azure AD device certificates and Active Direct |
| ory Certificate Services (AD CS) certificates bind to an ide | | ory Certificate Services (AD CS) certificates bind to an ide |
| ntity and can be used as credentials for domain accounts.(Ci | | ntity and can be used as credentials for domain accounts.(Ci |
| tation: O365 Blog Azure AD Device IDs)(Citation: Microsoft A | | tation: O365 Blog Azure AD Device IDs)(Citation: Microsoft A |
| D CS Overview) Authentication certificates can be both stol | | D CS Overview) Authentication certificates can be both stol |
| en and forged. For example, AD CS certificates can be stolen | | en and forged. For example, AD CS certificates can be stolen |
| from encrypted storage (in the Registry or files), misplace | | from encrypted storage (in the Registry or files)(Citation: |
| d certificate files (i.e. [Unsecured Credentials](https://at | | APT29 Deep Look at Credential Roaming), misplaced certifica |
| tack.mitre.org/techniques/T1552)), or directly from the Wind | | te files (i.e. [Unsecured Credentials](https://attack.mitre. |
| ows certificate store via various crypto APIs.(Citation: Spe | | org/techniques/T1552)), or directly from the Windows certifi |
| cterOps Certified Pre Owned)(Citation: GitHub CertStealer)(C | | cate store via various crypto APIs.(Citation: SpecterOps Cer |
| itation: GitHub GhostPack Certificates) With appropriate enr | | tified Pre Owned)(Citation: GitHub CertStealer)(Citation: Gi |
| ollment rights, users and/or machines within a domain can al | | tHub GhostPack Certificates) With appropriate enrollment rig |
| so request and/or manually renew certificates from enterpris | | hts, users and/or machines within a domain can also request |
| e certificate authorities (CA). This enrollment process defi | | and/or manually renew certificates from enterprise certifica |
| nes various settings and permissions associated with the cer | | te authorities (CA). This enrollment process defines various |
| tificate. Of note, the certificate’s extended key usage (EKU | | settings and permissions associated with the certificate. O |
| ) values define signing, encryption, and authentication use | | f note, the certificate’s extended key usage (EKU) values de |
| cases, while the certificate’s subject alternative name (SAN | | fine signing, encryption, and authentication use cases, whil |
| ) values define the certificate owner’s alternate names.(Cit | | e the certificate’s subject alternative name (SAN) values de |
| ation: Medium Certified Pre Owned) Abusing certificates for | | fine the certificate owner’s alternate names.(Citation: Medi |
| authentication credentials may enable other behaviors such | | um Certified Pre Owned) Abusing certificates for authentica |
| as [Lateral Movement](https://attack.mitre.org/tactics/TA000 | | tion credentials may enable other behaviors such as [Lateral |
| 8). Certificate-related misconfigurations may also enable op | | Movement](https://attack.mitre.org/tactics/TA0008). Certifi |
| portunities for [Privilege Escalation](https://attack.mitre. | | cate-related misconfigurations may also enable opportunities |
| org/tactics/TA0004), by way of allowing users to impersonate | | for [Privilege Escalation](https://attack.mitre.org/tactics |
| or assume privileged accounts or permissions via the identi | | /TA0004), by way of allowing users to impersonate or assume |
| ties (SANs) associated with a certificate. These abuses may | | privileged accounts or permissions via the identities (SANs) |
| also enable [Persistence](https://attack.mitre.org/tactics/T | | associated with a certificate. These abuses may also enable |
| A0003) via stealing or forging certificates that can be used | | [Persistence](https://attack.mitre.org/tactics/TA0003) via |
| as [Valid Accounts](https://attack.mitre.org/techniques/T10 | | stealing or forging certificates that can be used as [Valid |
| 78) for the duration of the certificate's validity, despite | | Accounts](https://attack.mitre.org/techniques/T1078) for the |
| user password resets. Authentication certificates can also b | | duration of the certificate's validity, despite user passwo |
| e stolen and forged for machine accounts. Adversaries who h | | rd resets. Authentication certificates can also be stolen an |
| ave access to root (or subordinate) CA certificate private k | | d forged for machine accounts. Adversaries who have access |
| eys (or mechanisms protecting/managing these keys) may also | | to root (or subordinate) CA certificate private keys (or mec |
| establish [Persistence](https://attack.mitre.org/tactics/TA0 | | hanisms protecting/managing these keys) may also establish [ |
| 003) by forging arbitrary authentication certificates for th | | Persistence](https://attack.mitre.org/tactics/TA0003) by for |
| e victim domain (known as “golden” certificates).(Citation: | | ging arbitrary authentication certificates for the victim do |
| Medium Certified Pre Owned) Adversaries may also target cert | | main (known as “golden” certificates).(Citation: Medium Cert |
| ificates and related services in order to access other forms | | ified Pre Owned) Adversaries may also target certificates an |
| of credentials, such as [Golden Ticket](https://attack.mitr | | d related services in order to access other forms of credent |
| e.org/techniques/T1558/001) ticket-granting tickets (TGT) or | | ials, such as [Golden Ticket](https://attack.mitre.org/techn |
| NTLM plaintext.(Citation: Medium Certified Pre Owned) | | iques/T1558/001) ticket-granting tickets (TGT) or NTLM plain |
| | | text.(Citation: Medium Certified Pre Owned) |
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-21 21:02:00.546000+00:00 | 2023-03-02 19:06:41.828000+00:00 |
| description | Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. For example, Azure AD device certificates and Active Directory Certificate Services (AD CS) certificates bind to an identity and can be used as credentials for domain accounts.(Citation: O365 Blog Azure AD Device IDs)(Citation: Microsoft AD CS Overview)
Authentication certificates can be both stolen and forged. For example, AD CS certificates can be stolen from encrypted storage (in the Registry or files), misplaced certificate files (i.e. [Unsecured Credentials](https://attack.mitre.org/techniques/T1552)), or directly from the Windows certificate store via various crypto APIs.(Citation: SpecterOps Certified Pre Owned)(Citation: GitHub CertStealer)(Citation: GitHub GhostPack Certificates) With appropriate enrollment rights, users and/or machines within a domain can also request and/or manually renew certificates from enterprise certificate authorities (CA). This enrollment process defines various settings and permissions associated with the certificate. Of note, the certificate’s extended key usage (EKU) values define signing, encryption, and authentication use cases, while the certificate’s subject alternative name (SAN) values define the certificate owner’s alternate names.(Citation: Medium Certified Pre Owned)
Abusing certificates for authentication credentials may enable other behaviors such as [Lateral Movement](https://attack.mitre.org/tactics/TA0008). Certificate-related misconfigurations may also enable opportunities for [Privilege Escalation](https://attack.mitre.org/tactics/TA0004), by way of allowing users to impersonate or assume privileged accounts or permissions via the identities (SANs) associated with a certificate. These abuses may also enable [Persistence](https://attack.mitre.org/tactics/TA0003) via stealing or forging certificates that can be used as [Valid Accounts](https://attack.mitre.org/techniques/T1078) for the duration of the certificate's validity, despite user password resets. Authentication certificates can also be stolen and forged for machine accounts.
Adversaries who have access to root (or subordinate) CA certificate private keys (or mechanisms protecting/managing these keys) may also establish [Persistence](https://attack.mitre.org/tactics/TA0003) by forging arbitrary authentication certificates for the victim domain (known as “golden” certificates).(Citation: Medium Certified Pre Owned) Adversaries may also target certificates and related services in order to access other forms of credentials, such as [Golden Ticket](https://attack.mitre.org/techniques/T1558/001) ticket-granting tickets (TGT) or NTLM plaintext.(Citation: Medium Certified Pre Owned) | Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. For example, Azure AD device certificates and Active Directory Certificate Services (AD CS) certificates bind to an identity and can be used as credentials for domain accounts.(Citation: O365 Blog Azure AD Device IDs)(Citation: Microsoft AD CS Overview)
Authentication certificates can be both stolen and forged. For example, AD CS certificates can be stolen from encrypted storage (in the Registry or files)(Citation: APT29 Deep Look at Credential Roaming), misplaced certificate files (i.e. [Unsecured Credentials](https://attack.mitre.org/techniques/T1552)), or directly from the Windows certificate store via various crypto APIs.(Citation: SpecterOps Certified Pre Owned)(Citation: GitHub CertStealer)(Citation: GitHub GhostPack Certificates) With appropriate enrollment rights, users and/or machines within a domain can also request and/or manually renew certificates from enterprise certificate authorities (CA). This enrollment process defines various settings and permissions associated with the certificate. Of note, the certificate’s extended key usage (EKU) values define signing, encryption, and authentication use cases, while the certificate’s subject alternative name (SAN) values define the certificate owner’s alternate names.(Citation: Medium Certified Pre Owned)
Abusing certificates for authentication credentials may enable other behaviors such as [Lateral Movement](https://attack.mitre.org/tactics/TA0008). Certificate-related misconfigurations may also enable opportunities for [Privilege Escalation](https://attack.mitre.org/tactics/TA0004), by way of allowing users to impersonate or assume privileged accounts or permissions via the identities (SANs) associated with a certificate. These abuses may also enable [Persistence](https://attack.mitre.org/tactics/TA0003) via stealing or forging certificates that can be used as [Valid Accounts](https://attack.mitre.org/techniques/T1078) for the duration of the certificate's validity, despite user password resets. Authentication certificates can also be stolen and forged for machine accounts.
Adversaries who have access to root (or subordinate) CA certificate private keys (or mechanisms protecting/managing these keys) may also establish [Persistence](https://attack.mitre.org/tactics/TA0003) by forging arbitrary authentication certificates for the victim domain (known as “golden” certificates).(Citation: Medium Certified Pre Owned) Adversaries may also target certificates and related services in order to access other forms of credentials, such as [Golden Ticket](https://attack.mitre.org/techniques/T1558/001) ticket-granting tickets (TGT) or NTLM plaintext.(Citation: Medium Certified Pre Owned) |
| external_references[1]['description'] | HarmJ0y & subat0mik. (2018, August 22). SharpDPAPI - Certificates. Retrieved August 2, 2022. | HarmJ0y. (2018, August 22). SharpDPAPI - Certificates. Retrieved August 2, 2022. |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_data_sources[1] | Command: Command Execution | Active Directory: Active Directory Object Modification |
| x_mitre_version | 1.0 | 1.1 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| external_references | | {'source_name': 'APT29 Deep Look at Credential Roaming', 'description': 'Thibault Van Geluwe De Berlaere. (2022, November 8). They See Me Roaming: Following APT29 by Taking a Deeper Look at Windows Credential Roaming. Retrieved November 9, 2022.', 'url': 'https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming'} |
| x_mitre_data_sources | | Application Log: Application Log Content |
| x_mitre_data_sources | | Command: Command Execution |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | Application Log: Application Log Content | |
| x_mitre_data_sources | Active Directory: Active Directory Object Modification | |
[T1033] System Owner/User Discovery
Current version: 1.4
Version changed from: 1.3 → 1.4
|
|
|---|
| t | Adversaries may attempt to identify the primary user, curren | t | Adversaries may attempt to identify the primary user, curren |
| tly logged in user, set of users that commonly uses a system | | tly logged in user, set of users that commonly uses a system |
| , or whether a user is actively using the system. They may d | | , or whether a user is actively using the system. They may d |
| o this, for example, by retrieving account usernames or by u | | o this, for example, by retrieving account usernames or by u |
| sing [OS Credential Dumping](https://attack.mitre.org/techni | | sing [OS Credential Dumping](https://attack.mitre.org/techni |
| ques/T1003). The information may be collected in a number of | | ques/T1003). The information may be collected in a number of |
| different ways using other Discovery techniques, because us | | different ways using other Discovery techniques, because us |
| er and username details are prevalent throughout a system an | | er and username details are prevalent throughout a system an |
| d include running process ownership, file/directory ownershi | | d include running process ownership, file/directory ownershi |
| p, session information, and system logs. Adversaries may use | | p, session information, and system logs. Adversaries may use |
| the information from [System Owner/User Discovery](https:// | | the information from [System Owner/User Discovery](https:// |
| attack.mitre.org/techniques/T1033) during automated discover | | attack.mitre.org/techniques/T1033) during automated discover |
| y to shape follow-on behaviors, including whether or not the | | y to shape follow-on behaviors, including whether or not the |
| adversary fully infects the target and/or attempts specific | | adversary fully infects the target and/or attempts specific |
| actions. Various utilities and commands may acquire this i | | actions. Various utilities and commands may acquire this i |
| nformation, including <code>whoami</code>. In macOS and Linu | | nformation, including <code>whoami</code>. In macOS and Linu |
| x, the currently logged in user can be identified with <code | | x, the currently logged in user can be identified with <code |
| >w</code> and <code>who</code>. On macOS the <code>dscl . li | | >w</code> and <code>who</code>. On macOS the <code>dscl . li |
| st /Users | grep -v '_'</code> command can also be used to e | | st /Users | grep -v '_'</code> command can also be used to e |
| numerate user accounts. Environment variables, such as <code | | numerate user accounts. Environment variables, such as <code |
| >%USERNAME%</code> and <code>$USER</code>, may also be used | | >%USERNAME%</code> and <code>$USER</code>, may also be used |
| to access this information. | | to access this information. On network devices, [Network De |
| | | vice CLI](https://attack.mitre.org/techniques/T1059/008) com |
| | | mands such as `show users` and `show ssh` can be used to dis |
| | | play users currently logged into the device.(Citation: show_ |
| | | ssh_users_cmd_cisco)(Citation: US-CERT TA18-106A Network Inf |
| | | rastructure Devices 2018) |
Dropped Mitigations:
- T1033: System Owner/User Discovery Mitigation
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_contributors | | ['Austin Clark, @c2defense'] |
| external_references | | Cisco. (2023, March 7). Cisco IOS Security Command Reference: Commands S to Z . Retrieved July 13, 2022. |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | CAPEC-577 | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-20 19:04:03.271000+00:00 | 2023-04-12 23:35:40.261000+00:00 |
| description | Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Various utilities and commands may acquire this information, including whoami. In macOS and Linux, the currently logged in user can be identified with w and who. On macOS the dscl . list /Users | grep -v '_' command can also be used to enumerate user accounts. Environment variables, such as %USERNAME% and $USER, may also be used to access this information. | Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Various utilities and commands may acquire this information, including whoami. In macOS and Linux, the currently logged in user can be identified with w and who. On macOS the dscl . list /Users | grep -v '_' command can also be used to enumerate user accounts. Environment variables, such as %USERNAME% and $USER, may also be used to access this information.
On network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show users` and `show ssh` can be used to display users currently logged into the device.(Citation: show_ssh_users_cmd_cisco)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018) |
| external_references[1]['source_name'] | capec | show_ssh_users_cmd_cisco |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/577.html | https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-s5.html |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_data_sources[0] | Windows Registry: Windows Registry Key Access | Process: OS API Execution |
| x_mitre_data_sources[7] | Process: OS API Execution | Windows Registry: Windows Registry Key Access |
| x_mitre_data_sources[8] | Active Directory: Active Directory Object Access | Command: Command Execution |
| x_mitre_detection | System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.
Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). | `System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.
Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
For network infrastructure devices, collect AAA logging to monitor `show` commands being run by non-standard users from non-standard locations. |
| x_mitre_version | 1.3 | 1.4 |
| x_mitre_data_sources[3] | Command: Command Execution | Active Directory: Active Directory Object Access |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| external_references | | {'source_name': 'US-CERT TA18-106A Network Infrastructure Devices 2018', 'description': 'US-CERT. (2018, April 20). Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.', 'url': 'https://us-cert.cisa.gov/ncas/alerts/TA18-106A'} |
| x_mitre_data_sources | | Network Traffic: Network Traffic Content |
| x_mitre_platforms | | Network |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | Network Traffic: Network Traffic Content | |
[T1007] System Service Discovery
Current version: 1.5
Version changed from: 1.4 → 1.5
Dropped Mitigations:
- T1007: System Service Discovery Mitigation
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-07-15 13:35:54.740000+00:00 | 2023-04-03 18:55:18.326000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.4 | 1.5 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | | Command: Command Execution |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/574.html', 'external_id': 'CAPEC-574'} | |
| x_mitre_data_sources | Command: Command Execution | |
[T1529] System Shutdown/Reboot
Current version: 1.3
Version changed from: 1.2 → 1.3
|
|
|---|
| t | Adversaries may shutdown/reboot systems to interrupt access | t | Adversaries may shutdown/reboot systems to interrupt access |
| to, or aid in the destruction of, those systems. Operating s | | to, or aid in the destruction of, those systems. Operating s |
| ystems may contain commands to initiate a shutdown/reboot of | | ystems may contain commands to initiate a shutdown/reboot of |
| a machine or network device. In some cases, these commands | | a machine or network device. In some cases, these commands |
| may also be used to initiate a shutdown/reboot of a remote c | | may also be used to initiate a shutdown/reboot of a remote c |
| omputer or network device via [Network Device CLI](https://a | | omputer or network device via [Network Device CLI](https://a |
| ttack.mitre.org/techniques/T1059/008) (e.g. <code>reload</co | | ttack.mitre.org/techniques/T1059/008) (e.g. <code>reload</co |
| de>).(Citation: Microsoft Shutdown Oct 2017)(Citation: alert | | de>).(Citation: Microsoft Shutdown Oct 2017)(Citation: alert |
| _TA18_106A) Shutting down or rebooting systems may disrupt a | | _TA18_106A) Shutting down or rebooting systems may disrupt |
| ccess to computer resources for legitimate users. Adversari | | access to computer resources for legitimate users while also |
| es may attempt to shutdown/reboot a system after impacting i | | impeding incident response/recovery. Adversaries may attem |
| t in other ways, such as [Disk Structure Wipe](https://attac | | pt to shutdown/reboot a system after impacting it in other w |
| k.mitre.org/techniques/T1561/002) or [Inhibit System Recover | | ays, such as [Disk Structure Wipe](https://attack.mitre.org/ |
| y](https://attack.mitre.org/techniques/T1490), to hasten the | | techniques/T1561/002) or [Inhibit System Recovery](https://a |
| intended effects on system availability.(Citation: Talos Ny | | ttack.mitre.org/techniques/T1490), to hasten the intended ef |
| etya June 2017)(Citation: Talos Olympic Destroyer 2018) | | fects on system availability.(Citation: Talos Nyetya June 20 |
| | | 17)(Citation: Talos Olympic Destroyer 2018) |
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-20 18:27:57.587000+00:00 | 2023-03-22 20:45:22.531000+00:00 |
| description | Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) (e.g. reload).(Citation: Microsoft Shutdown Oct 2017)(Citation: alert_TA18_106A) Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Adversaries may attempt to shutdown/reboot a system after impacting it in other ways, such as [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) or [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490), to hasten the intended effects on system availability.(Citation: Talos Nyetya June 2017)(Citation: Talos Olympic Destroyer 2018) | Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) (e.g. reload).(Citation: Microsoft Shutdown Oct 2017)(Citation: alert_TA18_106A)
Shutting down or rebooting systems may disrupt access to computer resources for legitimate users while also impeding incident response/recovery.
Adversaries may attempt to shutdown/reboot a system after impacting it in other ways, such as [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) or [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490), to hasten the intended effects on system availability.(Citation: Talos Nyetya June 2017)(Citation: Talos Olympic Destroyer 2018) |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_data_sources[0] | Process: Process Creation | Command: Command Execution |
| x_mitre_data_sources[2] | Command: Command Execution | Process: Process Creation |
| x_mitre_version | 1.2 | 1.3 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_contributors | | Hubert Mank |
[T1124] System Time Discovery
Current version: 1.3
Version changed from: 1.2 → 1.3
|
|
|---|
| t | An adversary may gather the system time and/or time zone fro | t | An adversary may gather the system time and/or time zone fro |
| m a local or remote system. The system time is set and store | | m a local or remote system. The system time is set and store |
| d by the Windows Time Service within a domain to maintain ti | | d by the Windows Time Service within a domain to maintain ti |
| me synchronization between systems and services in an enterp | | me synchronization between systems and services in an enterp |
| rise network. (Citation: MSDN System Time) (Citation: Techne | | rise network. (Citation: MSDN System Time)(Citation: Technet |
| t Windows Time Service) System time information may be gath | | Windows Time Service) System time information may be gathe |
| ered in a number of ways, such as with [Net](https://attack. | | red in a number of ways, such as with [Net](https://attack.m |
| mitre.org/software/S0039) on Windows by performing <code>net | | itre.org/software/S0039) on Windows by performing <code>net |
| time \\hostname</code> to gather the system time on a remot | | time \\hostname</code> to gather the system time on a remote |
| e system. The victim's time zone may also be inferred from t | | system. The victim's time zone may also be inferred from th |
| he current system time or gathered by using <code>w32tm /tz< | | e current system time or gathered by using <code>w32tm /tz</ |
| /code>. (Citation: Technet Windows Time Service) This infor | | code>.(Citation: Technet Windows Time Service) On network d |
| mation could be useful for performing other techniques, such | | evices, [Network Device CLI](https://attack.mitre.org/techni |
| as executing a file with a [Scheduled Task/Job](https://att | | ques/T1059/008) commands such as `show clock detail` can be |
| ack.mitre.org/techniques/T1053) (Citation: RSA EU12 They're | | used to see the current time configuration.(Citation: show_c |
| Inside), or to discover locality information based on time z | | lock_detail_cisco_cmd) This information could be useful for |
| one to assist in victim targeting (i.e. [System Location Dis | | performing other techniques, such as executing a file with |
| covery](https://attack.mitre.org/techniques/T1614)). Adversa | | a [Scheduled Task/Job](https://attack.mitre.org/techniques/T |
| ries may also use knowledge of system time as part of a time | | 1053)(Citation: RSA EU12 They're Inside), or to discover loc |
| bomb, or delaying execution until a specified date/time.(Ci | | ality information based on time zone to assist in victim tar |
| tation: AnyRun TimeBomb) | | geting (i.e. [System Location Discovery](https://attack.mitr |
| | | e.org/techniques/T1614)). Adversaries may also use knowledge |
| | | of system time as part of a time bomb, or delaying executio |
| | | n until a specified date/time.(Citation: AnyRun TimeBomb) |
Dropped Mitigations:
- T1124: System Time Discovery Mitigation
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
| external_references | | Cisco. (2023, March 6). show clock detail - Cisco IOS Security Command Reference: Commands S to Z . Retrieved July 13, 2022. |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_permissions_required | ['User'] | |
| external_references | CAPEC-295 | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-04-22 23:09:24.799000+00:00 | 2023-04-12 23:37:22.508000+00:00 |
| description | An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network. (Citation: MSDN System Time) (Citation: Technet Windows Time Service)
System time information may be gathered in a number of ways, such as with [Net](https://attack.mitre.org/software/S0039) on Windows by performing net time \\hostname to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using w32tm /tz. (Citation: Technet Windows Time Service)
This information could be useful for performing other techniques, such as executing a file with a [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053) (Citation: RSA EU12 They're Inside), or to discover locality information based on time zone to assist in victim targeting (i.e. [System Location Discovery](https://attack.mitre.org/techniques/T1614)). Adversaries may also use knowledge of system time as part of a time bomb, or delaying execution until a specified date/time.(Citation: AnyRun TimeBomb) | An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network. (Citation: MSDN System Time)(Citation: Technet Windows Time Service)
System time information may be gathered in a number of ways, such as with [Net](https://attack.mitre.org/software/S0039) on Windows by performing net time \\hostname to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using w32tm /tz.(Citation: Technet Windows Time Service)
On network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show clock detail` can be used to see the current time configuration.(Citation: show_clock_detail_cisco_cmd)
This information could be useful for performing other techniques, such as executing a file with a [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053)(Citation: RSA EU12 They're Inside), or to discover locality information based on time zone to assist in victim targeting (i.e. [System Location Discovery](https://attack.mitre.org/techniques/T1614)). Adversaries may also use knowledge of system time as part of a time bomb, or delaying execution until a specified date/time.(Citation: AnyRun TimeBomb) |
| external_references[1]['source_name'] | capec | show_clock_detail_cisco_cmd |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/295.html | https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-s2.html#wp1896741674 |
| external_references[2]['source_name'] | MSDN System Time | AnyRun TimeBomb |
| external_references[2]['description'] | Microsoft. (n.d.). System Time. Retrieved November 25, 2016. | Malicious History. (2020, September 17). Time Bombs: Malware With Delayed Execution. Retrieved April 22, 2021. |
| external_references[2]['url'] | https://msdn.microsoft.com/ms724961.aspx | https://any.run/cybersecurity-blog/time-bombs-malware-with-delayed-execution/ |
| external_references[4]['source_name'] | RSA EU12 They're Inside | MSDN System Time |
| external_references[4]['description'] | Rivner, U., Schwartz, E. (2012). They’re Inside… Now What?. Retrieved November 25, 2016. | Microsoft. (n.d.). System Time. Retrieved November 25, 2016. |
| external_references[4]['url'] | https://www.rsaconference.com/writable/presentations/file_upload/ht-209_rivner_schwartz.pdf | https://msdn.microsoft.com/ms724961.aspx |
| external_references[5]['source_name'] | AnyRun TimeBomb | RSA EU12 They're Inside |
| external_references[5]['description'] | Malicious History. (2020, September 17). Time Bombs: Malware With Delayed Execution. Retrieved April 22, 2021. | Rivner, U., Schwartz, E. (2012). They’re Inside… Now What?. Retrieved November 25, 2016. |
| external_references[5]['url'] | https://any.run/cybersecurity-blog/time-bombs-malware-with-delayed-execution/ | https://www.rsaconference.com/writable/presentations/file_upload/ht-209_rivner_schwartz.pdf |
| x_mitre_data_sources[1] | Process: Process Creation | Process: OS API Execution |
| x_mitre_data_sources[2] | Process: OS API Execution | Process: Process Creation |
| x_mitre_detection | Command-line interface monitoring may be useful to detect instances of net.exe or other command-line utilities being used to gather system time or time zone. Methods of detecting API use for gathering this information are likely less useful due to how often they may be used by legitimate software. | Command-line interface monitoring may be useful to detect instances of net.exe or other command-line utilities being used to gather system time or time zone. Methods of detecting API use for gathering this information are likely less useful due to how often they may be used by legitimate software.
For network infrastructure devices, collect AAA logging to monitor `show` commands being run by non-standard users from non-standard locations. |
| x_mitre_version | 1.2 | 1.3 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_contributors | | Austin Clark, @c2defense |
| x_mitre_platforms | | Network |
[T1543.002] Create or Modify System Process: Systemd Service
Current version: 1.3
Version changed from: 1.2 → 1.3
|
|
|---|
| t | Adversaries may create or modify systemd services to repeate | t | Adversaries may create or modify systemd services to repeate |
| dly execute malicious payloads as part of persistence. The s | | dly execute malicious payloads as part of persistence. Syste |
| ystemd service manager is commonly used for managing backgro | | md is a system and service manager commonly used for managin |
| und daemon processes (also known as services) and other syst | | g background daemon processes (also known as services) and o |
| em resources.(Citation: Linux man-pages: systemd January 201 | | ther system resources.(Citation: Linux man-pages: systemd Ja |
| 4)(Citation: Freedesktop.org Linux systemd 29SEP2018) System | | nuary 2014) Systemd is the default initialization (init) sys |
| d is the default initialization (init) system on many Linux | | tem on many Linux distributions replacing legacy init system |
| distributions starting with Debian 8, Ubuntu 15.04, CentOS 7 | | s, including SysVinit and Upstart, while remaining backwards |
| , RHEL 7, Fedora 15, and replaces legacy init systems includ | | compatible. Systemd utilizes unit configuration files wi |
| ing SysVinit and Upstart while remaining backwards compatibl | | th the `.service` file extension to encode information about |
| e with the aforementioned init systems. Systemd utilizes co | | a service's process. By default, system level unit files ar |
| nfiguration files known as service units to control how serv | | e stored in the `/systemd/system` directory of the root owne |
| ices boot and under what conditions. By default, these unit | | d directories (`/`). User level unit files are stored in the |
| files are stored in the <code>/etc/systemd/system</code> and | | `/systemd/user` directories of the user owned directories ( |
| <code>/usr/lib/systemd/system</code> directories and have t | | `$HOME`). (Citation: lambert systemd 2022) Service unit fi |
| he file extension <code>.service</code>. Each service unit f | | les use the following directives to execute system commands: |
| ile may contain numerous directives that can execute system | | (Citation: freedesktop systemd.service) * `ExecStart`, `E |
| commands: * ExecStart, ExecStartPre, and ExecStartPost dire | | xecStartPre`, and `ExecStartPost` directives cover execution |
| ctives cover execution of commands when a services is starte | | of commands when a service is started manually by `systemct |
| d manually by 'systemctl' or on system start if the service | | l`, or on system start if the service is set to automaticall |
| is set to automatically start. * ExecReload directive cover | | y start. * `ExecReload` directive covers when a service rest |
| s when a service restarts. * ExecStop and ExecStopPost dire | | arts. * `ExecStop`, `ExecStopPre`, and `ExecStopPost` direc |
| ctives cover when a service is stopped or manually by 'syste | | tives cover when a service is stopped. Adversaries may ab |
| mctl'. Adversaries have used systemd functionality to estab | | use systemd functionality to establish persistent access to |
| lish persistent access to victim systems by creating and/or | | victim systems by creating and/or modifying service unit fil |
| modifying service unit files that cause systemd to execute m | | es systemd uses upon reboot or starting a service.(Citation: |
| alicious commands at system boot.(Citation: Anomali Rocke Ma | | Anomali Rocke March 2019) Adversaries may also place symbol |
| rch 2019) While adversaries typically require root privileg | | ic links in these directories, enabling systemd to find thes |
| es to create/modify service unit files in the <code>/etc/sys | | e payloads regardless of where they reside on the filesystem |
| temd/system</code> and <code>/usr/lib/systemd/system</code> | | . The `.service` file’s `User` directive can be used to run |
| directories, low privilege users can create/modify service u | | service as a specific user, which could result in privilege |
| nit files in directories such as <code>~/.config/systemd/use | | escalation based on specific user/group permissions.(Citati |
| r/</code> to achieve user-level persistence.(Citation: Rapid | | on: Rapid7 Service Persistence 22JUNE2016) |
| 7 Service Persistence 22JUNE2016) | | |
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
| external_references | | Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019. |
| external_references | | Free Desktop. (n.d.). systemd.service — Service unit configuration. Retrieved March 20, 2023. |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | CAPEC-550 | |
| external_references | CAPEC-551 | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2020-10-09 13:46:29.701000+00:00 | 2023-04-12 20:13:07.604000+00:00 |
| description | Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. The systemd service manager is commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014)(Citation: Freedesktop.org Linux systemd 29SEP2018) Systemd is the default initialization (init) system on many Linux distributions starting with Debian 8, Ubuntu 15.04, CentOS 7, RHEL 7, Fedora 15, and replaces legacy init systems including SysVinit and Upstart while remaining backwards compatible with the aforementioned init systems.
Systemd utilizes configuration files known as service units to control how services boot and under what conditions. By default, these unit files are stored in the /etc/systemd/system and /usr/lib/systemd/system directories and have the file extension .service. Each service unit file may contain numerous directives that can execute system commands:
* ExecStart, ExecStartPre, and ExecStartPost directives cover execution of commands when a services is started manually by 'systemctl' or on system start if the service is set to automatically start.
* ExecReload directive covers when a service restarts.
* ExecStop and ExecStopPost directives cover when a service is stopped or manually by 'systemctl'.
Adversaries have used systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files that cause systemd to execute malicious commands at system boot.(Citation: Anomali Rocke March 2019)
While adversaries typically require root privileges to create/modify service unit files in the /etc/systemd/system and /usr/lib/systemd/system directories, low privilege users can create/modify service unit files in directories such as ~/.config/systemd/user/ to achieve user-level persistence.(Citation: Rapid7 Service Persistence 22JUNE2016) | Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014) Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.
Systemd utilizes unit configuration files with the `.service` file extension to encode information about a service's process. By default, system level unit files are stored in the `/systemd/system` directory of the root owned directories (`/`). User level unit files are stored in the `/systemd/user` directories of the user owned directories (`$HOME`). (Citation: lambert systemd 2022)
Service unit files use the following directives to execute system commands:(Citation: freedesktop systemd.service)
* `ExecStart`, `ExecStartPre`, and `ExecStartPost` directives cover execution of commands when a service is started manually by `systemctl`, or on system start if the service is set to automatically start.
* `ExecReload` directive covers when a service restarts.
* `ExecStop`, `ExecStopPre`, and `ExecStopPost` directives cover when a service is stopped.
Adversaries may abuse systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files systemd uses upon reboot or starting a service.(Citation: Anomali Rocke March 2019) Adversaries may also place symbolic links in these directories, enabling systemd to find these payloads regardless of where they reside on the filesystem.
The `.service` file’s `User` directive can be used to run service as a specific user, which could result in privilege escalation based on specific user/group permissions.(Citation: Rapid7 Service Persistence 22JUNE2016) |
| external_references[1]['source_name'] | capec | Anomali Rocke March 2019 |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/550.html | https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang |
| external_references[2]['source_name'] | capec | freedesktop systemd.service |
| external_references[2]['url'] | https://capec.mitre.org/data/definitions/551.html | https://www.freedesktop.org/software/systemd/man/systemd.service.html |
| external_references[4]['source_name'] | Freedesktop.org Linux systemd 29SEP2018 | Berba hunting linux systemd |
| external_references[4]['description'] | Freedesktop.org. (2018, September 29). systemd System and Service Manager. Retrieved April 23, 2019. | Pepe Berba. (2022, January 30). Hunting for Persistence in Linux (Part 3): Systemd, Timers, and Cron. Retrieved March 20, 2023. |
| external_references[4]['url'] | https://www.freedesktop.org/wiki/Software/systemd/ | https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/ |
| external_references[5]['source_name'] | Anomali Rocke March 2019 | Rapid7 Service Persistence 22JUNE2016 |
| external_references[5]['description'] | Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019. | Rapid7. (2016, June 22). Service Persistence. Retrieved April 23, 2019. |
| external_references[5]['url'] | https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang | https://www.rapid7.com/db/modules/exploit/linux/local/service_persistence |
| external_references[6]['source_name'] | Rapid7 Service Persistence 22JUNE2016 | lambert systemd 2022 |
| external_references[6]['description'] | Rapid7. (2016, June 22). Service Persistence. Retrieved April 23, 2019. | Tony Lambert. (2022, November 13). ATT&CK T1501: Understanding systemd service persistence. Retrieved March 20, 2023. |
| external_references[6]['url'] | https://www.rapid7.com/db/modules/exploit/linux/local/service_persistence | https://redcanary.com/blog/attck-t1501-understanding-systemd-service-persistence/ |
| x_mitre_data_sources[0] | Process: Process Creation | Service: Service Modification |
| x_mitre_data_sources[2] | Service: Service Creation | File: File Creation |
| x_mitre_data_sources[3] | File: File Creation | Service: Service Creation |
| x_mitre_data_sources[4] | File: File Modification | Process: Process Creation |
| x_mitre_data_sources[5] | Service: Service Modification | File: File Modification |
| x_mitre_detection | Systemd service unit files may be detected by auditing file creation and modification events within the /etc/systemd/system, /usr/lib/systemd/system/, and /home//.config/systemd/user/ directories, as well as associated symbolic links. Suspicious processes or scripts spawned in this manner will have a parent process of ‘systemd’, a parent process ID of 1, and will usually execute as the ‘root’ user.
Suspicious systemd services can also be identified by comparing results against a trusted system baseline. Malicious systemd services may be detected by using the systemctl utility to examine system wide services: systemctl list-units -–type=service –all. Analyze the contents of .service files present on the file system and ensure that they refer to legitimate, expected executables.
Auditing the execution and command-line arguments of the 'systemctl' utility, as well related utilities such as /usr/sbin/service may reveal malicious systemd service execution. | Monitor file creation and modification events of Systemd service unit configuration files in the default directory locations for `root` & `user` level permissions. Suspicious processes or scripts spawned in this manner will have a parent process of ‘systemd’, a parent process ID of 1, and will usually execute as the `root` user.(Citation: lambert systemd 2022)
Suspicious systemd services can also be identified by comparing results against a trusted system baseline. Malicious systemd services may be detected by using the systemctl utility to examine system wide services: `systemctl list-units -–type=service –all`. Analyze the contents of `.service` files present on the file system and ensure that they refer to legitimate, expected executables, and symbolic links.(Citation: Berba hunting linux systemd)
Auditing the execution and command-line arguments of the `systemctl` utility, as well related utilities such as `/usr/sbin/service` may reveal malicious systemd service execution. |
| x_mitre_version | 1.2 | 1.3 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_contributors | | Emad Al-Mousa, Saudi Aramco |
[T1134.001] Access Token Manipulation: Token Impersonation/Theft
Current version: 1.1
Version changed from: 1.0 → 1.1
|
|
|---|
| t | Adversaries may duplicate then impersonate another user's to | t | Adversaries may duplicate then impersonate another user's ex |
| ken to escalate privileges and bypass access controls. An ad | | isting token to escalate privileges and bypass access contro |
| versary can create a new access token that duplicates an exi | | ls. For example, an adversary can duplicate an existing toke |
| sting token using <code>DuplicateToken(Ex)</code>. The token | | n using `DuplicateToken` or `DuplicateTokenEx`. The token ca |
| can then be used with <code>ImpersonateLoggedOnUser</code> | | n then be used with `ImpersonateLoggedOnUser` to allow the c |
| to allow the calling thread to impersonate a logged on user' | | alling thread to impersonate a logged on user's security con |
| s security context, or with <code>SetThreadToken</code> to a | | text, or with `SetThreadToken` to assign the impersonated to |
| ssign the impersonated token to a thread. An adversary may | | ken to a thread. An adversary may perform [Token Impersonat |
| do this when they have a specific, existing process they wan | | ion/Theft](https://attack.mitre.org/techniques/T1134/001) wh |
| t to assign the new token to. For example, this may be usefu | | en they have a specific, existing process they want to assig |
| l for when the target user has a non-network logon session o | | n the duplicated token to. For example, this may be useful f |
| n the system. | | or when the target user has a non-network logon session on t |
| | | he system. When an adversary would instead use a duplicated |
| | | token to create a new process rather than attaching to an e |
| | | xisting process, they can additionally [Create Process with |
| | | Token](https://attack.mitre.org/techniques/T1134/002) using |
| | | `CreateProcessWithTokenW` or `CreateProcessAsUserW`. [Token |
| | | Impersonation/Theft](https://attack.mitre.org/techniques/T11 |
| | | 34/001) is also distinct from [Make and Impersonate Token](h |
| | | ttps://attack.mitre.org/techniques/T1134/003) in that it ref |
| | | ers to duplicating an existing token, rather than creating a |
| | | new one. |
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_contributors | | ['Jonny Johnson'] |
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2020-03-26 21:29:18.608000+00:00 | 2023-04-11 21:19:05.544000+00:00 |
| description | Adversaries may duplicate then impersonate another user's token to escalate privileges and bypass access controls. An adversary can create a new access token that duplicates an existing token using DuplicateToken(Ex). The token can then be used with ImpersonateLoggedOnUser to allow the calling thread to impersonate a logged on user's security context, or with SetThreadToken to assign the impersonated token to a thread.
An adversary may do this when they have a specific, existing process they want to assign the new token to. For example, this may be useful for when the target user has a non-network logon session on the system. | Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access controls. For example, an adversary can duplicate an existing token using `DuplicateToken` or `DuplicateTokenEx`. The token can then be used with `ImpersonateLoggedOnUser` to allow the calling thread to impersonate a logged on user's security context, or with `SetThreadToken` to assign the impersonated token to a thread.
An adversary may perform [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) when they have a specific, existing process they want to assign the duplicated token to. For example, this may be useful for when the target user has a non-network logon session on the system.
When an adversary would instead use a duplicated token to create a new process rather than attaching to an existing process, they can additionally [Create Process with Token](https://attack.mitre.org/techniques/T1134/002) using `CreateProcessWithTokenW` or `CreateProcessAsUserW`. [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) is also distinct from [Make and Impersonate Token](https://attack.mitre.org/techniques/T1134/003) in that it refers to duplicating an existing token, rather than creating a new one. |
| x_mitre_version | 1.0 | 1.1 |
[T1020.001] Automated Exfiltration: Traffic Duplication
Current version: 1.2
Version changed from: 1.1 → 1.2
|
|
|---|
| t | Adversaries may leverage traffic mirroring in order to autom | t | Adversaries may leverage traffic mirroring in order to autom |
| ate data exfiltration over compromised network infrastructur | | ate data exfiltration over compromised infrastructure. Traff |
| e. Traffic mirroring is a native feature for some network d | | ic mirroring is a native feature for some devices, often use |
| evices and used for network analysis and may be configured t | | d for network analysis. For example, devices may be configur |
| o duplicate traffic and forward to one or more destinations | | ed to forward network traffic to one or more destinations fo |
| for analysis by a network analyzer or other monitoring devic | | r analysis by a network analyzer or other monitoring device. |
| e. (Citation: Cisco Traffic Mirroring)(Citation: Juniper Tra | | (Citation: Cisco Traffic Mirroring)(Citation: Juniper Traff |
| ffic Mirroring) Adversaries may abuse traffic mirroring to | | ic Mirroring) Adversaries may abuse traffic mirroring to mi |
| mirror or redirect network traffic through other network inf | | rror or redirect network traffic through other infrastructur |
| rastructure they control. Malicious modifications to network | | e they control. Malicious modifications to network devices t |
| devices to enable traffic redirection may be possible throu | | o enable traffic redirection may be possible through [ROMMON |
| gh [ROMMONkit](https://attack.mitre.org/techniques/T1542/004 | | kit](https://attack.mitre.org/techniques/T1542/004) or [Patc |
| ) or [Patch System Image](https://attack.mitre.org/technique | | h System Image](https://attack.mitre.org/techniques/T1601/00 |
| s/T1601/001).(Citation: US-CERT-TA18-106A)(Citation: Cisco B | | 1).(Citation: US-CERT-TA18-106A)(Citation: Cisco Blog Legacy |
| log Legacy Device Attacks) Adversaries may use traffic dupli | | Device Attacks) Many cloud-based environments also support |
| cation in conjunction with [Network Sniffing](https://attack | | traffic mirroring. For example, AWS Traffic Mirroring, GCP |
| .mitre.org/techniques/T1040), [Input Capture](https://attack | | Packet Mirroring, and Azure vTap allow users to define speci |
| .mitre.org/techniques/T1056), or [Adversary-in-the-Middle](h | | fied instances to collect traffic from and specified targets |
| ttps://attack.mitre.org/techniques/T1557) depending on the g | | to send collected traffic to.(Citation: AWS Traffic Mirrori |
| oals and objectives of the adversary. | | ng)(Citation: GCP Packet Mirroring)(Citation: Azure Virtual |
| | | Network TAP) Adversaries may use traffic duplication in con |
| | | junction with [Network Sniffing](https://attack.mitre.org/te |
| | | chniques/T1040), [Input Capture](https://attack.mitre.org/te |
| | | chniques/T1056), or [Adversary-in-the-Middle](https://attack |
| | | .mitre.org/techniques/T1557) depending on the goals and obje |
| | | ctives of the adversary. |
New Mitigations:
- M1018: User Account Management
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_network_requirements | | False |
| external_references | | Microsoft. (2022, February 9). Virtual network TAP. Retrieved March 17, 2022. |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | CAPEC-117 | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-18 22:16:51.359000+00:00 | 2023-04-14 23:23:30.327000+00:00 |
| description | Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised network infrastructure. Traffic mirroring is a native feature for some network devices and used for network analysis and may be configured to duplicate traffic and forward to one or more destinations for analysis by a network analyzer or other monitoring device. (Citation: Cisco Traffic Mirroring)(Citation: Juniper Traffic Mirroring)
Adversaries may abuse traffic mirroring to mirror or redirect network traffic through other network infrastructure they control. Malicious modifications to network devices to enable traffic redirection may be possible through [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) or [Patch System Image](https://attack.mitre.org/techniques/T1601/001).(Citation: US-CERT-TA18-106A)(Citation: Cisco Blog Legacy Device Attacks) Adversaries may use traffic duplication in conjunction with [Network Sniffing](https://attack.mitre.org/techniques/T1040), [Input Capture](https://attack.mitre.org/techniques/T1056), or [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) depending on the goals and objectives of the adversary. | Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised infrastructure. Traffic mirroring is a native feature for some devices, often used for network analysis. For example, devices may be configured to forward network traffic to one or more destinations for analysis by a network analyzer or other monitoring device. (Citation: Cisco Traffic Mirroring)(Citation: Juniper Traffic Mirroring)
Adversaries may abuse traffic mirroring to mirror or redirect network traffic through other infrastructure they control. Malicious modifications to network devices to enable traffic redirection may be possible through [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) or [Patch System Image](https://attack.mitre.org/techniques/T1601/001).(Citation: US-CERT-TA18-106A)(Citation: Cisco Blog Legacy Device Attacks)
Many cloud-based environments also support traffic mirroring. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.(Citation: AWS Traffic Mirroring)(Citation: GCP Packet Mirroring)(Citation: Azure Virtual Network TAP)
Adversaries may use traffic duplication in conjunction with [Network Sniffing](https://attack.mitre.org/techniques/T1040), [Input Capture](https://attack.mitre.org/techniques/T1056), or [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) depending on the goals and objectives of the adversary. |
| external_references[1]['source_name'] | Cisco Traffic Mirroring | AWS Traffic Mirroring |
| external_references[1]['description'] | Cisco. (n.d.). Cisco IOS XR Interface and Hardware Component Configuration Guide for the Cisco CRS Router, Release 5.1.x. Retrieved October 19, 2020. | Amazon Web Services. (n.d.). How Traffic Mirroring works. Retrieved March 17, 2022. |
| external_references[1]['url'] | https://www.cisco.com/c/en/us/td/docs/routers/crs/software/crs_r5-1/interfaces/configuration/guide/hc51xcrsbook/hc51span.html | https://docs.aws.amazon.com/vpc/latest/mirroring/traffic-mirroring-how-it-works.html |
| external_references[2]['source_name'] | Juniper Traffic Mirroring | Cisco Traffic Mirroring |
| external_references[2]['description'] | Juniper. (n.d.). Understanding Port Mirroring on EX2200, EX3200, EX3300, EX4200, EX4500, EX4550, EX6200, and EX8200 Series Switches. Retrieved October 19, 2020. | Cisco. (n.d.). Cisco IOS XR Interface and Hardware Component Configuration Guide for the Cisco CRS Router, Release 5.1.x. Retrieved October 19, 2020. |
| external_references[2]['url'] | https://www.juniper.net/documentation/en_US/junos/topics/concept/port-mirroring-ex-series.html | https://www.cisco.com/c/en/us/td/docs/routers/crs/software/crs_r5-1/interfaces/configuration/guide/hc51xcrsbook/hc51span.html |
| external_references[3]['source_name'] | Cisco Blog Legacy Device Attacks | GCP Packet Mirroring |
| external_references[3]['description'] | Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020. | Google Cloud. (n.d.). Packet Mirroring overview. Retrieved March 17, 2022. |
| external_references[3]['url'] | https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954 | https://cloud.google.com/vpc/docs/packet-mirroring |
| external_references[4]['source_name'] | US-CERT-TA18-106A | Juniper Traffic Mirroring |
| external_references[4]['description'] | US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020. | Juniper. (n.d.). Understanding Port Mirroring on EX2200, EX3200, EX3300, EX4200, EX4500, EX4550, EX6200, and EX8200 Series Switches. Retrieved October 19, 2020. |
| external_references[4]['url'] | https://www.us-cert.gov/ncas/alerts/TA18-106A | https://www.juniper.net/documentation/en_US/junos/topics/concept/port-mirroring-ex-series.html |
| external_references[5]['source_name'] | capec | Azure Virtual Network TAP |
| external_references[5]['url'] | https://capec.mitre.org/data/definitions/117.html | https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-tap-overview |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_data_sources[0] | Network Traffic: Network Traffic Flow | Network Traffic: Network Connection Creation |
| x_mitre_data_sources[1] | Network Traffic: Network Connection Creation | Network Traffic: Network Traffic Flow |
| x_mitre_version | 1.1 | 1.2 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| external_references | | {'source_name': 'Cisco Blog Legacy Device Attacks', 'description': 'Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.', 'url': 'https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954'} |
| external_references | | {'source_name': 'US-CERT-TA18-106A', 'description': 'US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.', 'url': 'https://www.us-cert.gov/ncas/alerts/TA18-106A'} |
| x_mitre_platforms | | IaaS |
[T1552] Unsecured Credentials
Current version: 1.3
Version changed from: 1.2 → 1.3
New Mitigations:
- M1035: Limit Access to Resource Over Network
New Detections:
- DS0015: Application Log (Application Log Content)
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_contributors | | ['Austin Clark, @c2defense'] |
| x_mitre_deprecated | | False |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_permissions_required | ['User', 'Administrator', 'SYSTEM'] | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-01 13:11:11.386000+00:00 | 2023-04-13 00:29:53.605000+00:00 |
| x_mitre_data_sources[2] | User Account: User Account Authentication | File: File Access |
| x_mitre_data_sources[4] | File: File Access | Application Log: Application Log Content |
| x_mitre_version | 1.2 | 1.3 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | | User Account: User Account Authentication |
| x_mitre_platforms | | Network |
[T1608.001] Stage Capabilities: Upload Malware
Current version: 1.2
Version changed from: 1.1 → 1.2
|
|
|---|
| t | Adversaries may upload malware to third-party or adversary c | t | Adversaries may upload malware to third-party or adversary c |
| ontrolled infrastructure to make it accessible during target | | ontrolled infrastructure to make it accessible during target |
| ing. Malicious software can include payloads, droppers, post | | ing. Malicious software can include payloads, droppers, post |
| -compromise tools, backdoors, and a variety of other malicio | | -compromise tools, backdoors, and a variety of other malicio |
| us content. Adversaries may upload malware to support their | | us content. Adversaries may upload malware to support their |
| operations, such as making a payload available to a victim n | | operations, such as making a payload available to a victim n |
| etwork to enable [Ingress Tool Transfer](https://attack.mitr | | etwork to enable [Ingress Tool Transfer](https://attack.mitr |
| e.org/techniques/T1105) by placing it on an Internet accessi | | e.org/techniques/T1105) by placing it on an Internet accessi |
| ble web server. Malware may be placed on infrastructure tha | | ble web server. Malware may be placed on infrastructure tha |
| t was previously purchased/rented by the adversary ([Acquire | | t was previously purchased/rented by the adversary ([Acquire |
| Infrastructure](https://attack.mitre.org/techniques/T1583)) | | Infrastructure](https://attack.mitre.org/techniques/T1583)) |
| or was otherwise compromised by them ([Compromise Infrastru | | or was otherwise compromised by them ([Compromise Infrastru |
| cture](https://attack.mitre.org/techniques/T1584)). Malware | | cture](https://attack.mitre.org/techniques/T1584)). Malware |
| can also be staged on web services, such as GitHub or Pasteb | | can also be staged on web services, such as GitHub or Pasteb |
| in.(Citation: Volexity Ocean Lotus November 2020) Adversari | | in, or hosted on the InterPlanetary File System (IPFS), wher |
| es may upload backdoored files, such as application binaries | | e decentralized content storage makes the removal of malicio |
| , virtual machine images, or container images, to third-part | | us files difficult.(Citation: Volexity Ocean Lotus November |
| y software stores or repositories (ex: GitHub, CNET, AWS Com | | 2020)(Citation: Talos IPFS 2022) Adversaries may upload bac |
| munity AMIs, Docker Hub). By chance encounter, victims may d | | kdoored files, such as application binaries, virtual machine |
| irectly download/install these backdoored files via [User Ex | | images, or container images, to third-party software stores |
| ecution](https://attack.mitre.org/techniques/T1204). [Masque | | or repositories (ex: GitHub, CNET, AWS Community AMIs, Dock |
| rading](https://attack.mitre.org/techniques/T1036) may incre | | er Hub). By chance encounter, victims may directly download/ |
| ase the chance of users mistakenly executing these files. | | install these backdoored files via [User Execution](https:// |
| | | attack.mitre.org/techniques/T1204). [Masquerading](https://a |
| | | ttack.mitre.org/techniques/T1036) may increase the chance of |
| | | users mistakenly executing these files. |
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-10-17 16:24:48.949000+00:00 | 2023-04-11 23:22:49.534000+00:00 |
| description | Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, and a variety of other malicious content. Adversaries may upload malware to support their operations, such as making a payload available to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) by placing it on an Internet accessible web server.
Malware may be placed on infrastructure that was previously purchased/rented by the adversary ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or was otherwise compromised by them ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)). Malware can also be staged on web services, such as GitHub or Pastebin.(Citation: Volexity Ocean Lotus November 2020)
Adversaries may upload backdoored files, such as application binaries, virtual machine images, or container images, to third-party software stores or repositories (ex: GitHub, CNET, AWS Community AMIs, Docker Hub). By chance encounter, victims may directly download/install these backdoored files via [User Execution](https://attack.mitre.org/techniques/T1204). [Masquerading](https://attack.mitre.org/techniques/T1036) may increase the chance of users mistakenly executing these files. | Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, and a variety of other malicious content. Adversaries may upload malware to support their operations, such as making a payload available to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) by placing it on an Internet accessible web server.
Malware may be placed on infrastructure that was previously purchased/rented by the adversary ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or was otherwise compromised by them ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)). Malware can also be staged on web services, such as GitHub or Pastebin, or hosted on the InterPlanetary File System (IPFS), where decentralized content storage makes the removal of malicious files difficult.(Citation: Volexity Ocean Lotus November 2020)(Citation: Talos IPFS 2022)
Adversaries may upload backdoored files, such as application binaries, virtual machine images, or container images, to third-party software stores or repositories (ex: GitHub, CNET, AWS Community AMIs, Docker Hub). By chance encounter, victims may directly download/install these backdoored files via [User Execution](https://attack.mitre.org/techniques/T1204). [Masquerading](https://attack.mitre.org/techniques/T1036) may increase the chance of users mistakenly executing these files. |
| x_mitre_version | 1.1 | 1.2 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| external_references | | {'source_name': 'Talos IPFS 2022', 'description': 'Edmund Brumaghin. (2022, November 9). Threat Spotlight: Cyber Criminal Adoption of IPFS for Phishing, Malware Campaigns. Retrieved March 8, 2023.', 'url': 'https://blog.talosintelligence.com/ipfs-abuse/'} |
| x_mitre_contributors | | Goldstein Menachem |
[T1078] Valid Accounts
Current version: 2.6
Version changed from: 2.5 → 2.6
New Mitigations:
- M1015: Active Directory Configuration
- M1036: Account Use Policies
Dropped Mitigations:
- T1078: Valid Accounts Mitigation
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-19 19:57:39.849000+00:00 | 2023-03-30 21:01:51.631000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 2.5 | 2.6 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_contributors | | Goldstein Menachem |
| x_mitre_data_sources | | User Account: User Account Authentication |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/560.html', 'external_id': 'CAPEC-560'} | |
| x_mitre_data_sources | User Account: User Account Authentication | |
[T1059.005] Command and Scripting Interpreter: Visual Basic
Current version: 1.4
Version changed from: 1.3 → 1.4
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
| x_mitre_remote_support | | False |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_permissions_required | ['User', 'Administrator', 'SYSTEM'] | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-03-07 19:43:49.315000+00:00 | 2023-04-07 17:13:03.738000+00:00 |
| external_references[2]['source_name'] | VB Microsoft | Default VBS macros Blocking |
| external_references[2]['description'] | Microsoft. (n.d.). Visual Basic documentation. Retrieved June 23, 2020. | Kellie Eickmeyer. (2022, February 7). Helping users stay safe: Blocking internet macros by default in Office. Retrieved February 7, 2022. |
| external_references[2]['url'] | https://docs.microsoft.com/dotnet/visual-basic/ | https://techcommunity.microsoft.com/t5/microsoft-365-blog/helping-users-stay-safe-blocking-internet-macros-by-default-in/ba-p/3071805 |
| external_references[3]['source_name'] | Microsoft VBA | Microsoft VBScript |
| external_references[3]['description'] | Microsoft. (2019, June 11). Office VBA Reference. Retrieved June 23, 2020. | Microsoft. (2011, April 19). What Is VBScript?. Retrieved March 28, 2020. |
| external_references[3]['url'] | https://docs.microsoft.com/office/vba/api/overview/ | https://docs.microsoft.com/previous-versions//1kw29xwf(v=vs.85) |
| external_references[4]['source_name'] | Wikipedia VBA | Microsoft VBA |
| external_references[4]['description'] | Wikipedia. (n.d.). Visual Basic for Applications. Retrieved August 13, 2020. | Microsoft. (2019, June 11). Office VBA Reference. Retrieved June 23, 2020. |
| external_references[4]['url'] | https://en.wikipedia.org/wiki/Visual_Basic_for_Applications | https://docs.microsoft.com/office/vba/api/overview/ |
| external_references[5]['source_name'] | Microsoft VBScript | VB Microsoft |
| external_references[5]['description'] | Microsoft. (2011, April 19). What Is VBScript?. Retrieved March 28, 2020. | Microsoft. (n.d.). Visual Basic documentation. Retrieved June 23, 2020. |
| external_references[5]['url'] | https://docs.microsoft.com/previous-versions//1kw29xwf(v=vs.85) | https://docs.microsoft.com/dotnet/visual-basic/ |
| external_references[6]['source_name'] | Default VBS macros Blocking | Wikipedia VBA |
| external_references[6]['description'] | Kellie Eickmeyer. (2022, February 7). Helping users stay safe: Blocking internet macros by default in Office. Retrieved February 7, 2022. | Wikipedia. (n.d.). Visual Basic for Applications. Retrieved August 13, 2020. |
| external_references[6]['url'] | https://techcommunity.microsoft.com/t5/microsoft-365-blog/helping-users-stay-safe-blocking-internet-macros-by-default-in/ba-p/3071805 | https://en.wikipedia.org/wiki/Visual_Basic_for_Applications |
| x_mitre_data_sources[0] | Process: Process Creation | Module: Module Load |
| x_mitre_data_sources[1] | Module: Module Load | Command: Command Execution |
| x_mitre_data_sources[2] | Script: Script Execution | Process: Process Creation |
| x_mitre_data_sources[3] | Command: Command Execution | Script: Script Execution |
| x_mitre_version | 1.3 | 1.4 |
[T1071.001] Application Layer Protocol: Web Protocols
Current version: 1.1
Version changed from: 1.0 → 1.1
|
|
|---|
| t | Adversaries may communicate using application layer protocol | t | Adversaries may communicate using application layer protocol |
| s associated with web traffic to avoid detection/network fil | | s associated with web traffic to avoid detection/network fil |
| tering by blending in with existing traffic. Commands to the | | tering by blending in with existing traffic. Commands to the |
| remote system, and often the results of those commands, wil | | remote system, and often the results of those commands, wil |
| l be embedded within the protocol traffic between the client | | l be embedded within the protocol traffic between the client |
| and server. Protocols such as HTTP and HTTPS that carry w | | and server. Protocols such as HTTP/S(Citation: CrowdStrik |
| eb traffic may be very common in environments. HTTP/S packet | | e Putter Panda) and WebSocket(Citation: Brazking-Websockets) |
| s have many fields and headers in which data can be conceale | | that carry web traffic may be very common in environments. |
| d. An adversary may abuse these protocols to communicate wit | | HTTP/S packets have many fields and headers in which data ca |
| h systems under their control within a victim network while | | n be concealed. An adversary may abuse these protocols to co |
| also mimicking normal, expected traffic. | | mmunicate with systems under their control within a victim n |
| | | etwork while also mimicking normal, expected traffic. |
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_contributors | | ['TruKno'] |
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2020-03-26 20:15:35.821000+00:00 | 2023-04-11 15:21:27.965000+00:00 |
| description | Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Protocols such as HTTP and HTTPS that carry web traffic may be very common in environments. HTTP/S packets have many fields and headers in which data can be concealed. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. | Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Protocols such as HTTP/S(Citation: CrowdStrike Putter Panda) and WebSocket(Citation: Brazking-Websockets) that carry web traffic may be very common in environments. HTTP/S packets have many fields and headers in which data can be concealed. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. |
| external_references[1]['source_name'] | University of Birmingham C2 | CrowdStrike Putter Panda |
| external_references[1]['description'] | Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. | Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016. |
| external_references[1]['url'] | https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf | http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf |
| x_mitre_data_sources[0] | Network Traffic: Network Traffic Flow | Network Traffic: Network Traffic Content |
| x_mitre_data_sources[1] | Network Traffic: Network Traffic Content | Network Traffic: Network Traffic Flow |
| x_mitre_version | 1.0 | 1.1 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| external_references | | {'source_name': 'University of Birmingham C2', 'description': 'Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.', 'url': 'https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf'} |
| external_references | | {'source_name': 'Brazking-Websockets', 'description': 'Shahar Tavor. (n.d.). BrazKing Android Malware Upgraded and Targeting Brazilian Banks. Retrieved March 24, 2023.', 'url': 'https://securityintelligence.com/posts/brazking-android-malware-upgraded-targeting-brazilian-banks/'} |
[T1584.006] Compromise Infrastructure: Web Services
Current version: 1.2
Version changed from: 1.1 → 1.2
|
|
|---|
| t | Adversaries may compromise access to third-party web service | t | Adversaries may compromise access to third-party web service |
| s that can be used during targeting. A variety of popular we | | s that can be used during targeting. A variety of popular we |
| bsites exist for legitimate users to register for web-based | | bsites exist for legitimate users to register for web-based |
| services, such as GitHub, Twitter, Dropbox, Google, etc. Adv | | services, such as GitHub, Twitter, Dropbox, Google, SendGrid |
| ersaries may try to take ownership of a legitimate user's ac | | , etc. Adversaries may try to take ownership of a legitimate |
| cess to a web service and use that web service as infrastruc | | user's access to a web service and use that web service as |
| ture in support of cyber operations. Such web services can b | | infrastructure in support of cyber operations. Such web serv |
| e abused during later stages of the adversary lifecycle, suc | | ices can be abused during later stages of the adversary life |
| h as during Command and Control ([Web Service](https://attac | | cycle, such as during Command and Control ([Web Service](htt |
| k.mitre.org/techniques/T1102)) or [Exfiltration Over Web Ser | | ps://attack.mitre.org/techniques/T1102)), [Exfiltration Over |
| vice](https://attack.mitre.org/techniques/T1567).(Citation: | | Web Service](https://attack.mitre.org/techniques/T1567), or |
| Recorded Future Turla Infra 2020) Using common services, suc | | [Phishing](https://attack.mitre.org/techniques/T1566).(Cita |
| h as those offered by Google or Twitter, makes it easier for | | tion: Recorded Future Turla Infra 2020) Using common service |
| adversaries to hide in expected noise. By utilizing a web s | | s, such as those offered by Google or Twitter, makes it easi |
| ervice, particularly when access is stolen from legitimate u | | er for adversaries to hide in expected noise. By utilizing a |
| sers, adversaries can make it difficult to physically tie ba | | web service, particularly when access is stolen from legiti |
| ck operations to them. | | mate users, adversaries can make it difficult to physically |
| | | tie back operations to them. Additionally, leveraging compro |
| | | mised web-based email services may allow adversaries to leve |
| | | rage the trust associated with legitimate domains. |
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_contributors | | ['Dor Edry, Microsoft'] |
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-10-17 16:01:48.047000+00:00 | 2023-04-12 20:19:21.620000+00:00 |
| description | Adversaries may compromise access to third-party web services that can be used during targeting. A variety of popular websites exist for legitimate users to register for web-based services, such as GitHub, Twitter, Dropbox, Google, etc. Adversaries may try to take ownership of a legitimate user's access to a web service and use that web service as infrastructure in support of cyber operations. Such web services can be abused during later stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)) or [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567).(Citation: Recorded Future Turla Infra 2020) Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, particularly when access is stolen from legitimate users, adversaries can make it difficult to physically tie back operations to them. | Adversaries may compromise access to third-party web services that can be used during targeting. A variety of popular websites exist for legitimate users to register for web-based services, such as GitHub, Twitter, Dropbox, Google, SendGrid, etc. Adversaries may try to take ownership of a legitimate user's access to a web service and use that web service as infrastructure in support of cyber operations. Such web services can be abused during later stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)), [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567), or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Recorded Future Turla Infra 2020) Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, particularly when access is stolen from legitimate users, adversaries can make it difficult to physically tie back operations to them. Additionally, leveraging compromised web-based email services may allow adversaries to leverage the trust associated with legitimate domains. |
| x_mitre_version | 1.1 | 1.2 |
[T1583.006] Acquire Infrastructure: Web Services
Current version: 1.2
Version changed from: 1.1 → 1.2
|
|
|---|
| t | Adversaries may register for web services that can be used d | t | Adversaries may register for web services that can be used d |
| uring targeting. A variety of popular websites exist for adv | | uring targeting. A variety of popular websites exist for adv |
| ersaries to register for a web-based service that can be abu | | ersaries to register for a web-based service that can be abu |
| sed during later stages of the adversary lifecycle, such as | | sed during later stages of the adversary lifecycle, such as |
| during Command and Control ([Web Service](https://attack.mit | | during Command and Control ([Web Service](https://attack.mit |
| re.org/techniques/T1102)) or [Exfiltration Over Web Service] | | re.org/techniques/T1102)), [Exfiltration Over Web Service](h |
| (https://attack.mitre.org/techniques/T1567). Using common se | | ttps://attack.mitre.org/techniques/T1567), or [Phishing](htt |
| rvices, such as those offered by Google or Twitter, makes it | | ps://attack.mitre.org/techniques/T1566). Using common servic |
| easier for adversaries to hide in expected noise. By utiliz | | es, such as those offered by Google or Twitter, makes it eas |
| ing a web service, adversaries can make it difficult to phys | | ier for adversaries to hide in expected noise. By utilizing |
| ically tie back operations to them. | | a web service, adversaries can make it difficult to physical |
| | | ly tie back operations to them. |
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_contributors | | ['Dor Edry, Microsoft'] |
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-10-17 15:45:01.956000+00:00 | 2023-04-12 20:19:07.916000+00:00 |
| description | Adversaries may register for web services that can be used during targeting. A variety of popular websites exist for adversaries to register for a web-based service that can be abused during later stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)) or [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567). Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, adversaries can make it difficult to physically tie back operations to them. | Adversaries may register for web services that can be used during targeting. A variety of popular websites exist for adversaries to register for a web-based service that can be abused during later stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)), [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567), or [Phishing](https://attack.mitre.org/techniques/T1566). Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, adversaries can make it difficult to physically tie back operations to them. |
| x_mitre_version | 1.1 | 1.2 |
[T1222.001] File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_permissions_required | ['User', 'Administrator', 'SYSTEM'] | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2020-09-01 20:05:05.268000+00:00 | 2023-04-21 12:27:04.900000+00:00 |
| external_references[3]['source_name'] | Microsoft DACL May 2018 | Microsoft Access Control Lists May 2018 |
| external_references[3]['description'] | Microsoft. (2018, May 30). DACLs and ACEs. Retrieved August 19, 2018. | M. Satran, M. Jacobs. (2018, May 30). Access Control Lists. Retrieved February 4, 2020. |
| external_references[3]['url'] | https://docs.microsoft.com/windows/desktop/secauthz/dacls-and-aces | https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists |
| external_references[4]['source_name'] | Microsoft Access Control Lists May 2018 | Microsoft DACL May 2018 |
| external_references[4]['description'] | M. Satran, M. Jacobs. (2018, May 30). Access Control Lists. Retrieved February 4, 2020. | Microsoft. (2018, May 30). DACLs and ACEs. Retrieved August 19, 2018. |
| external_references[4]['url'] | https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists | https://docs.microsoft.com/windows/desktop/secauthz/dacls-and-aces |
| x_mitre_data_sources[2] | Process: Process Creation | Command: Command Execution |
| x_mitre_data_sources[3] | Command: Command Execution | Process: Process Creation |
| x_mitre_version | 1.1 | 1.2 |
[T1047] Windows Management Instrumentation
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-20 16:25:21.348000+00:00 | 2023-04-07 17:10:13.696000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_data_sources[0] | Process: Process Creation | Command: Command Execution |
| x_mitre_data_sources[2] | Command: Command Execution | Process: Process Creation |
| x_mitre_version | 1.2 | 1.3 |
[T1546.003] Event Triggered Execution: Windows Management Instrumentation Event Subscription
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-20 17:01:37.760000+00:00 | 2023-04-21 12:32:38.796000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.2 | 1.3 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | | Process: Process Creation |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | Process: Process Creation | |
[T1543.003] Create or Modify System Process: Windows Service
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-06-30 20:17:33.824000+00:00 | 2023-04-21 12:30:35.872000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_data_sources[0] | Windows Registry: Windows Registry Key Modification | Windows Registry: Windows Registry Key Creation |
| x_mitre_data_sources[1] | Driver: Driver Load | Process: Process Creation |
| x_mitre_data_sources[2] | Service: Service Modification | Service: Service Creation |
| x_mitre_data_sources[3] | Windows Registry: Windows Registry Key Creation | Command: Command Execution |
| x_mitre_data_sources[5] | Command: Command Execution | Windows Registry: Windows Registry Key Modification |
| x_mitre_data_sources[6] | Process: Process Creation | Service: Service Modification |
| x_mitre_data_sources[7] | Service: Service Creation | Driver: Driver Load |
| x_mitre_version | 1.2 | 1.3 |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/478.html', 'external_id': 'CAPEC-478'} | |
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/550.html', 'external_id': 'CAPEC-550'} | |
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/551.html', 'external_id': 'CAPEC-551'} | |
Patches
[T1134] Access Token Manipulation
Current version: 2.0
Dropped Mitigations:
- T1134: Access Token Manipulation Mitigation
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-05-03 02:14:43.557000+00:00 | 2023-03-30 21:01:47.762000+00:00 |
| x_mitre_data_sources[3] | Process: Process Creation | Active Directory: Active Directory Object Modification |
| x_mitre_data_sources[5] | Active Directory: Active Directory Object Modification | Process: Process Creation |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/633.html', 'external_id': 'CAPEC-633'} | |
[T1547.014] Boot or Logon Autostart Execution: Active Setup
Current version: 1.0
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-03-05 22:36:37.414000+00:00 | 2023-03-22 14:17:17.353000+00:00 |
| external_references[1]['source_name'] | Klein Active Setup 2010 | SECURELIST Bright Star 2015 |
| external_references[1]['description'] | Klein, H. (2010, April 22). Active Setup Explained. Retrieved December 18, 2020. | Baumgartner, K., Guerrero-Saade, J. (2015, March 4). Who’s Really Spreading through the Bright Star?. Retrieved December 18, 2020. |
| external_references[1]['url'] | https://helgeklein.com/blog/2010/04/active-setup-explained/ | https://securelist.com/whos-really-spreading-through-the-bright-star/68978/ |
| external_references[2]['description'] | Glyer, C. (2010). Examples of Recent APT Persitence Mechanism. Retrieved December 18, 2020. | Glyer, C. (2010). Examples of Recent APT Persistence Mechanism. Retrieved December 18, 2020. |
| external_references[3]['source_name'] | Citizenlab Packrat 2015 | FireEye CFR Watering Hole 2012 |
| external_references[3]['description'] | Scott-Railton, J., et al. (2015, December 8). Packrat. Retrieved December 18, 2020. | Kindlund, D. (2012, December 30). CFR Watering Hole Attack Details. Retrieved December 18, 2020. |
| external_references[3]['url'] | https://citizenlab.ca/2015/12/packrat-report/ | https://www.fireeye.com/blog/threat-research/2012/12/council-foreign-relations-water-hole-attack-details.html |
| external_references[4]['source_name'] | FireEye CFR Watering Hole 2012 | Klein Active Setup 2010 |
| external_references[4]['description'] | Kindlund, D. (2012, December 30). CFR Watering Hole Attack Details. Retrieved December 18, 2020. | Klein, H. (2010, April 22). Active Setup Explained. Retrieved December 18, 2020. |
| external_references[4]['url'] | https://www.fireeye.com/blog/threat-research/2012/12/council-foreign-relations-water-hole-attack-details.html | https://helgeklein.com/blog/2010/04/active-setup-explained/ |
| external_references[5]['source_name'] | SECURELIST Bright Star 2015 | paloalto Tropic Trooper 2016 |
| external_references[5]['description'] | Baumgartner, K., Guerrero-Saade, J. (2015, March 4). Who’s Really Spreading through the Bright Star?. Retrieved December 18, 2020. | Ray, V., et al. (2016, November 22). Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy. Retrieved December 18, 2020. |
| external_references[5]['url'] | https://securelist.com/whos-really-spreading-through-the-bright-star/68978/ | https://unit42.paloaltonetworks.com/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/ |
| external_references[6]['source_name'] | paloalto Tropic Trooper 2016 | TechNet Autoruns |
| external_references[6]['description'] | Ray, V., et al. (2016, November 22). Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy. Retrieved December 18, 2020. | Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016. |
| external_references[6]['url'] | https://unit42.paloaltonetworks.com/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/ | https://technet.microsoft.com/en-us/sysinternals/bb963902 |
| external_references[7]['source_name'] | TechNet Autoruns | Citizenlab Packrat 2015 |
| external_references[7]['description'] | Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016. | Scott-Railton, J., et al. (2015, December 8). Packrat. Retrieved December 18, 2020. |
| external_references[7]['url'] | https://technet.microsoft.com/en-us/sysinternals/bb963902 | https://citizenlab.ca/2015/12/packrat-report/ |
| x_mitre_data_sources[0] | Windows Registry: Windows Registry Key Modification | Process: Process Creation |
| x_mitre_data_sources[1] | Process: Process Creation | Windows Registry: Windows Registry Key Creation |
| x_mitre_data_sources[3] | Windows Registry: Windows Registry Key Creation | Windows Registry: Windows Registry Key Modification |
[T1557] Adversary-in-the-Middle
Current version: 2.2
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-19 19:51:41.858000+00:00 | 2023-03-30 21:01:37.568000+00:00 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | | Application Log: Application Log Content |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/94.html', 'external_id': 'CAPEC-94'} | |
| x_mitre_data_sources | Application Log: Application Log Content | |
[T1123] Audio Capture
Current version: 1.0
Dropped Mitigations:
- T1123: Audio Capture Mitigation
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2020-07-14 19:42:10.235000+00:00 | 2023-03-30 21:01:36.503000+00:00 |
| x_mitre_data_sources[0] | Process: OS API Execution | Command: Command Execution |
| x_mitre_data_sources[1] | Command: Command Execution | Process: OS API Execution |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/634.html', 'external_id': 'CAPEC-634'} | |
[T1027.001] Obfuscated Files or Information: Binary Padding
Current version: 1.2
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| external_references | | Foltýn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018. |
| external_references | | Ishimaru, S.. (2017, April 13). Old Malware Tricks To Bypass Detection in the Age of Big Data. Retrieved May 30, 2019. |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | CAPEC-572 | |
| external_references | CAPEC-655 | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-10-15 13:53:02.135000+00:00 | 2023-03-30 21:01:53.857000+00:00 |
| external_references[1]['source_name'] | capec | ESET OceanLotus |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/572.html | https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/ |
| external_references[2]['source_name'] | capec | Securelist Malware Tricks April 2017 |
| external_references[2]['url'] | https://capec.mitre.org/data/definitions/655.html | https://securelist.com/old-malware-tricks-to-bypass-detection-in-the-age-of-big-data/78010/ |
| external_references[3]['source_name'] | ESET OceanLotus | VirusTotal FAQ |
| external_references[3]['description'] | Foltýn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018. | VirusTotal. (n.d.). VirusTotal FAQ. Retrieved May 23, 2019. |
| external_references[3]['url'] | https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/ | https://www.virustotal.com/en/faq/ |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'Securelist Malware Tricks April 2017', 'description': 'Ishimaru, S.. (2017, April 13). Old Malware Tricks To Bypass Detection in the Age of Big Data. Retrieved May 30, 2019.', 'url': 'https://securelist.com/old-malware-tricks-to-bypass-detection-in-the-age-of-big-data/78010/'} | |
| external_references | {'source_name': 'VirusTotal FAQ', 'description': 'VirusTotal. (n.d.). VirusTotal FAQ. Retrieved May 23, 2019.', 'url': 'https://www.virustotal.com/en/faq/'} | |
[T1547] Boot or Logon Autostart Execution
Current version: 1.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-18 22:21:27.840000+00:00 | 2023-03-30 21:01:42.099000+00:00 |
| x_mitre_data_sources[0] | Process: Process Creation | Windows Registry: Windows Registry Key Modification |
| x_mitre_data_sources[1] | Driver: Driver Load | File: File Creation |
| x_mitre_data_sources[2] | Windows Registry: Windows Registry Key Creation | Process: OS API Execution |
| x_mitre_data_sources[4] | Module: Module Load | File: File Modification |
| x_mitre_data_sources[5] | Windows Registry: Windows Registry Key Modification | Process: Process Creation |
| x_mitre_data_sources[6] | Command: Command Execution | Driver: Driver Load |
| x_mitre_data_sources[7] | File: File Creation | Command: Command Execution |
| x_mitre_data_sources[8] | File: File Modification | Windows Registry: Windows Registry Key Creation |
| x_mitre_data_sources[9] | Process: OS API Execution | Module: Module Load |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/564.html', 'external_id': 'CAPEC-564'} | |
[T1037] Boot or Logon Initialization Scripts
Current version: 2.1
Dropped Mitigations:
- T1037: Logon Scripts Mitigation
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-01 19:04:02.610000+00:00 | 2023-03-30 21:01:38.295000+00:00 |
| x_mitre_data_sources[0] | Active Directory: Active Directory Object Modification | Process: Process Creation |
| x_mitre_data_sources[1] | Process: Process Creation | File: File Modification |
| x_mitre_data_sources[2] | File: File Creation | Windows Registry: Windows Registry Key Creation |
| x_mitre_data_sources[3] | Command: Command Execution | Active Directory: Active Directory Object Modification |
| x_mitre_data_sources[4] | File: File Modification | File: File Creation |
| x_mitre_data_sources[5] | Windows Registry: Windows Registry Key Creation | Command: Command Execution |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/564.html', 'external_id': 'CAPEC-564'} | |
[T1542.003] Pre-OS Boot: Bootkit
Current version: 1.1
Dropped Mitigations:
- T1067: Bootkit Mitigation
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| external_references | | Mandiant. (2016, February 25). Mandiant M-Trends 2016. Retrieved March 5, 2019. |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | CAPEC-552 | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2020-09-17 19:47:14.338000+00:00 | 2023-03-30 21:01:47.417000+00:00 |
| external_references[1]['source_name'] | capec | Mandiant M Trends 2016 |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/552.html | https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-mtrends-2016.pdf |
| external_references[2]['source_name'] | Mandiant M Trends 2016 | Lau 2011 |
| external_references[2]['description'] | Mandiant. (2016, February 25). Mandiant M-Trends 2016. Retrieved March 5, 2019. | Lau, H. (2011, August 8). Are MBR Infections Back in Fashion? (Infographic). Retrieved November 13, 2014. |
| external_references[2]['url'] | https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-mtrends-2016.pdf | http://www.symantec.com/connect/blogs/are-mbr-infections-back-fashion |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'Lau 2011', 'description': 'Lau, H. (2011, August 8). Are MBR Infections Back in Fashion? (Infographic). Retrieved November 13, 2014.', 'url': 'http://www.symantec.com/connect/blogs/are-mbr-infections-back-fashion'} | |
[T1546.001] Event Triggered Execution: Change Default File Association
Current version: 1.0
Dropped Mitigations:
- T1042: Change Default File Association Mitigation
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-20 16:55:49.219000+00:00 | 2023-03-30 21:01:40.699000+00:00 |
| x_mitre_data_sources[1] | Process: Process Creation | Windows Registry: Windows Registry Key Modification |
| x_mitre_data_sources[2] | Windows Registry: Windows Registry Key Modification | Process: Process Creation |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/556.html', 'external_id': 'CAPEC-556'} | |
[T1552.001] Unsecured Credentials: Credentials In Files
Current version: 1.1
Dropped Mitigations:
- T1081: Credentials in Files Mitigation
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| external_references | | CG. (2014, May 20). Mimikatz Against Virtual Machine Memory Part 1. Retrieved November 12, 2014. |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | CAPEC-639 | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-04-12 18:32:32.803000+00:00 | 2023-03-30 21:01:44.951000+00:00 |
| external_references[1]['source_name'] | capec | CG 2014 |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/639.html | http://carnal0wnage.attackresearch.com/2014/05/mimikatz-against-virtual-machine-memory.html |
| external_references[2]['source_name'] | CG 2014 | SRD GPP |
| external_references[2]['description'] | CG. (2014, May 20). Mimikatz Against Virtual Machine Memory Part 1. Retrieved November 12, 2014. | Security Research and Defense. (2014, May 13). MS14-025: An Update for Group Policy Preferences. Retrieved January 28, 2015. |
| external_references[2]['url'] | http://carnal0wnage.attackresearch.com/2014/05/mimikatz-against-virtual-machine-memory.html | http://blogs.technet.com/b/srd/archive/2014/05/13/ms14-025-an-update-for-group-policy-preferences.aspx |
| external_references[3]['source_name'] | SRD GPP | Unit 42 Hildegard Malware |
| external_references[3]['description'] | Security Research and Defense. (2014, May 13). MS14-025: An Update for Group Policy Preferences. Retrieved January 28, 2015. | Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021. |
| external_references[3]['url'] | http://blogs.technet.com/b/srd/archive/2014/05/13/ms14-025-an-update-for-group-policy-preferences.aspx | https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/ |
| external_references[4]['source_name'] | Unit 42 Hildegard Malware | Unit 42 Unsecured Docker Daemons |
| external_references[4]['description'] | Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021. | Chen, J.. (2020, January 29). Attacker's Tactics and Techniques in Unsecured Docker Daemons Revealed. Retrieved March 31, 2021. |
| external_references[4]['url'] | https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/ | https://unit42.paloaltonetworks.com/attackers-tactics-and-techniques-in-unsecured-docker-daemons-revealed/ |
| external_references[5]['source_name'] | Unit 42 Unsecured Docker Daemons | Specter Ops - Cloud Credential Storage |
| external_references[5]['description'] | Chen, J.. (2020, January 29). Attacker's Tactics and Techniques in Unsecured Docker Daemons Revealed. Retrieved March 31, 2021. | Maddalena, C.. (2018, September 12). Head in the Clouds. Retrieved October 4, 2019. |
| external_references[5]['url'] | https://unit42.paloaltonetworks.com/attackers-tactics-and-techniques-in-unsecured-docker-daemons-revealed/ | https://posts.specterops.io/head-in-the-clouds-bd038bb69e48 |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'Specter Ops - Cloud Credential Storage', 'description': 'Maddalena, C.. (2018, September 12). Head in the Clouds. Retrieved October 4, 2019.', 'url': 'https://posts.specterops.io/head-in-the-clouds-bd038bb69e48'} | |
[T1574.001] Hijack Execution Flow: DLL Search Order Hijacking
Current version: 1.1
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| external_references | | Microsoft. (2018, May 31). Dynamic-Link Library Search Order. Retrieved November 30, 2014. |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | CAPEC-471 | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-04-26 18:37:03.748000+00:00 | 2023-03-30 21:01:51.098000+00:00 |
| external_references[1]['source_name'] | capec | Microsoft Dynamic Link Library Search Order |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/471.html | https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order?redirectedfrom=MSDN |
| external_references[2]['source_name'] | Microsoft Dynamic Link Library Search Order | FireEye Hijacking July 2010 |
| external_references[2]['description'] | Microsoft. (2018, May 31). Dynamic-Link Library Search Order. Retrieved November 30, 2014. | Harbour, N. (2010, July 15). Malware Persistence without the Windows Registry. Retrieved November 17, 2020. |
| external_references[2]['url'] | https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order?redirectedfrom=MSDN | https://www.fireeye.com/blog/threat-research/2010/07/malware-persistence-windows-registry.html |
| external_references[3]['source_name'] | FireEye Hijacking July 2010 | OWASP Binary Planting |
| external_references[3]['description'] | Harbour, N. (2010, July 15). Malware Persistence without the Windows Registry. Retrieved November 17, 2020. | OWASP. (2013, January 30). Binary planting. Retrieved June 7, 2016. |
| external_references[3]['url'] | https://www.fireeye.com/blog/threat-research/2010/07/malware-persistence-windows-registry.html | https://www.owasp.org/index.php/Binary_planting |
| external_references[4]['source_name'] | OWASP Binary Planting | FireEye fxsst June 2011 |
| external_references[4]['description'] | OWASP. (2013, January 30). Binary planting. Retrieved June 7, 2016. | Harbour, N. (2011, June 3). What the fxsst?. Retrieved November 17, 2020. |
| external_references[4]['url'] | https://www.owasp.org/index.php/Binary_planting | https://www.fireeye.com/blog/threat-research/2011/06/fxsst.html |
| external_references[5]['source_name'] | FireEye fxsst June 2011 | Microsoft Security Advisory 2269637 |
| external_references[5]['description'] | Harbour, N. (2011, June 3). What the fxsst?. Retrieved November 17, 2020. | Microsoft. (, May 23). Microsoft Security Advisory 2269637. Retrieved March 13, 2020. |
| external_references[5]['url'] | https://www.fireeye.com/blog/threat-research/2011/06/fxsst.html | https://docs.microsoft.com/en-us/security-updates/securityadvisories/2010/2269637 |
| external_references[6]['source_name'] | Microsoft Security Advisory 2269637 | Microsoft Dynamic-Link Library Redirection |
| external_references[6]['description'] | Microsoft. (, May 23). Microsoft Security Advisory 2269637. Retrieved March 13, 2020. | Microsoft. (2018, May 31). Dynamic-Link Library Redirection. Retrieved March 13, 2020. |
| external_references[6]['url'] | https://docs.microsoft.com/en-us/security-updates/securityadvisories/2010/2269637 | https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection?redirectedfrom=MSDN |
| external_references[7]['source_name'] | Microsoft Dynamic-Link Library Redirection | Microsoft Manifests |
| external_references[7]['description'] | Microsoft. (2018, May 31). Dynamic-Link Library Redirection. Retrieved March 13, 2020. | Microsoft. (n.d.). Manifests. Retrieved December 5, 2014. |
| external_references[7]['url'] | https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection?redirectedfrom=MSDN | https://msdn.microsoft.com/en-US/library/aa375365 |
| external_references[8]['source_name'] | Microsoft Manifests | FireEye DLL Search Order Hijacking |
| external_references[8]['description'] | Microsoft. (n.d.). Manifests. Retrieved December 5, 2014. | Nick Harbour. (2010, September 1). DLL Search Order Hijacking Revisited. Retrieved March 13, 2020. |
| external_references[8]['url'] | https://msdn.microsoft.com/en-US/library/aa375365 | https://www.fireeye.com/blog/threat-research/2010/08/dll-search-order-hijacking-revisited.html |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | | Module: Module Load |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'FireEye DLL Search Order Hijacking', 'description': 'Nick Harbour. (2010, September 1). DLL Search Order Hijacking Revisited. Retrieved March 13, 2020.', 'url': 'https://www.fireeye.com/blog/threat-research/2010/08/dll-search-order-hijacking-revisited.html'} | |
| x_mitre_data_sources | Module: Module Load | |
[T1574.002] Hijack Execution Flow: DLL Side-Loading
Current version: 2.0
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-05-05 04:07:48.912000+00:00 | 2023-03-30 21:01:47.241000+00:00 |
| x_mitre_data_sources[0] | File: File Modification | File: File Creation |
| x_mitre_data_sources[1] | File: File Creation | Process: Process Creation |
| x_mitre_data_sources[3] | Process: Process Creation | File: File Modification |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/641.html', 'external_id': 'CAPEC-641'} | |
[T1039] Data from Network Shared Drive
Current version: 1.3
Dropped Mitigations:
- T1039: Data from Network Shared Drive Mitigation
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-06-16 13:08:03.209000+00:00 | 2023-03-30 21:01:35.611000+00:00 |
| x_mitre_data_sources[0] | Network Share: Network Share Access | Command: Command Execution |
| x_mitre_data_sources[1] | Network Traffic: Network Connection Creation | Network Share: Network Share Access |
| x_mitre_data_sources[2] | Command: Command Execution | Network Traffic: Network Traffic Content |
| x_mitre_data_sources[4] | Network Traffic: Network Traffic Content | Network Traffic: Network Connection Creation |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/639.html', 'external_id': 'CAPEC-639'} | |
[T1078.001] Valid Accounts: Default Accounts
Current version: 1.2
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| external_references | | Microsoft. (2018, December 9). Local Accounts. Retrieved February 11, 2019. |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | CAPEC-70 | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-04-05 20:14:26.846000+00:00 | 2023-03-30 21:01:44.382000+00:00 |
| external_references[1]['source_name'] | capec | Microsoft Local Accounts Feb 2019 |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/70.html | https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts |
| external_references[2]['source_name'] | Microsoft Local Accounts Feb 2019 | AWS Root User |
| external_references[2]['description'] | Microsoft. (2018, December 9). Local Accounts. Retrieved February 11, 2019. | Amazon. (n.d.). AWS Account Root User. Retrieved April 5, 2021. |
| external_references[2]['url'] | https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts | https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html |
| external_references[3]['source_name'] | AWS Root User | Threat Matrix for Kubernetes |
| external_references[3]['description'] | Amazon. (n.d.). AWS Account Root User. Retrieved April 5, 2021. | Weizman, Y. (2020, April 2). Threat Matrix for Kubernetes. Retrieved March 30, 2021. |
| external_references[3]['url'] | https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html | https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ |
| external_references[4]['source_name'] | Threat Matrix for Kubernetes | Metasploit SSH Module |
| external_references[4]['description'] | Weizman, Y. (2020, April 2). Threat Matrix for Kubernetes. Retrieved March 30, 2021. | undefined. (n.d.). Retrieved April 12, 2019. |
| external_references[4]['url'] | https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ | https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/linux/ssh |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'Metasploit SSH Module', 'description': 'undefined. (n.d.). Retrieved April 12, 2019.', 'url': 'https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/linux/ssh'} | |
[T1498.001] Network Denial of Service: Direct Network Flood
Current version: 1.3
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-19 23:28:52.908000+00:00 | 2023-03-30 21:01:53.685000+00:00 |
| x_mitre_data_sources[0] | Network Traffic: Network Traffic Flow | Sensor Health: Host Status |
| x_mitre_data_sources[1] | Sensor Health: Host Status | Network Traffic: Network Traffic Flow |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/125.html', 'external_id': 'CAPEC-125'} | |
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/486.html', 'external_id': 'CAPEC-486'} | |
[T1561.001] Disk Wipe: Disk Content Wipe
Current version: 1.0
|
|
|---|
| t | Adversaries may erase the contents of storage devices on spe | t | Adversaries may erase the contents of storage devices on spe |
| cific systems or in large numbers in a network to interrupt | | cific systems or in large numbers in a network to interrupt |
| availability to system and network resources. Adversaries m | | availability to system and network resources. Adversaries m |
| ay partially or completely overwrite the contents of a stora | | ay partially or completely overwrite the contents of a stora |
| ge device rendering the data irrecoverable through the stora | | ge device rendering the data irrecoverable through the stora |
| ge interface.(Citation: Novetta Blockbuster)(Citation: Novet | | ge interface.(Citation: Novetta Blockbuster)(Citation: Novet |
| ta Blockbuster Destructive Malware)(Citation: DOJ Lazarus So | | ta Blockbuster Destructive Malware)(Citation: DOJ Lazarus So |
| ny 2018) Instead of wiping specific disk structures or files | | ny 2018) Instead of wiping specific disk structures or files |
| , adversaries with destructive intent may wipe arbitrary por | | , adversaries with destructive intent may wipe arbitrary por |
| tions of disk content. To wipe disk content, adversaries may | | tions of disk content. To wipe disk content, adversaries may |
| acquire direct access to the hard drive in order to overwri | | acquire direct access to the hard drive in order to overwri |
| te arbitrarily sized portions of disk with random data.(Cita | | te arbitrarily sized portions of disk with random data.(Cita |
| tion: Novetta Blockbuster Destructive Malware) Adversaries h | | tion: Novetta Blockbuster Destructive Malware) Adversaries h |
| ave been observed leveraging third-party drivers like [RawDi | | ave also been observed leveraging third-party drivers like [ |
| sk](https://attack.mitre.org/software/S0364) to directly acc | | RawDisk](https://attack.mitre.org/software/S0364) to directl |
| ess disk content.(Citation: Novetta Blockbuster)(Citation: N | | y access disk content.(Citation: Novetta Blockbuster)(Citati |
| ovetta Blockbuster Destructive Malware) This behavior is dis | | on: Novetta Blockbuster Destructive Malware) This behavior i |
| tinct from [Data Destruction](https://attack.mitre.org/techn | | s distinct from [Data Destruction](https://attack.mitre.org/ |
| iques/T1485) because sections of the disk are erased instead | | techniques/T1485) because sections of the disk are erased in |
| of individual files. To maximize impact on the target orga | | stead of individual files. To maximize impact on the target |
| nization in operations where network-wide availability inter | | organization in operations where network-wide availability |
| ruption is the goal, malware used for wiping disk content ma | | interruption is the goal, malware used for wiping disk conte |
| y have worm-like features to propagate across a network by l | | nt may have worm-like features to propagate across a network |
| everaging additional techniques like [Valid Accounts](https: | | by leveraging additional techniques like [Valid Accounts](h |
| //attack.mitre.org/techniques/T1078), [OS Credential Dumping | | ttps://attack.mitre.org/techniques/T1078), [OS Credential Du |
| ](https://attack.mitre.org/techniques/T1003), and [SMB/Windo | | mping](https://attack.mitre.org/techniques/T1003), and [SMB/ |
| ws Admin Shares](https://attack.mitre.org/techniques/T1021/0 | | Windows Admin Shares](https://attack.mitre.org/techniques/T1 |
| 02).(Citation: Novetta Blockbuster Destructive Malware) | | 021/002).(Citation: Novetta Blockbuster Destructive Malware) |
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-07-28 18:55:35.989000+00:00 | 2023-04-12 23:42:59.868000+00:00 |
| description | Adversaries may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources.
Adversaries may partially or completely overwrite the contents of a storage device rendering the data irrecoverable through the storage interface.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: DOJ Lazarus Sony 2018) Instead of wiping specific disk structures or files, adversaries with destructive intent may wipe arbitrary portions of disk content. To wipe disk content, adversaries may acquire direct access to the hard drive in order to overwrite arbitrarily sized portions of disk with random data.(Citation: Novetta Blockbuster Destructive Malware) Adversaries have been observed leveraging third-party drivers like [RawDisk](https://attack.mitre.org/software/S0364) to directly access disk content.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware) This behavior is distinct from [Data Destruction](https://attack.mitre.org/techniques/T1485) because sections of the disk are erased instead of individual files.
To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disk content may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Novetta Blockbuster Destructive Malware) | Adversaries may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources.
Adversaries may partially or completely overwrite the contents of a storage device rendering the data irrecoverable through the storage interface.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: DOJ Lazarus Sony 2018) Instead of wiping specific disk structures or files, adversaries with destructive intent may wipe arbitrary portions of disk content. To wipe disk content, adversaries may acquire direct access to the hard drive in order to overwrite arbitrarily sized portions of disk with random data.(Citation: Novetta Blockbuster Destructive Malware) Adversaries have also been observed leveraging third-party drivers like [RawDisk](https://attack.mitre.org/software/S0364) to directly access disk content.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware) This behavior is distinct from [Data Destruction](https://attack.mitre.org/techniques/T1485) because sections of the disk are erased instead of individual files.
To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disk content may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Novetta Blockbuster Destructive Malware) |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_data_sources[0] | Driver: Driver Load | Drive: Drive Modification |
| x_mitre_data_sources[1] | Drive: Drive Modification | Command: Command Execution |
| x_mitre_data_sources[2] | Drive: Drive Access | Driver: Driver Load |
| x_mitre_data_sources[4] | Command: Command Execution | Drive: Drive Access |
| x_mitre_detection | Look for attempts to read/write to sensitive locations like the partition boot sector or BIOS parameter block/superblock. Monitor for direct access read/write attempts using the \\\\.\\ notation.(Citation: Microsoft Sysmon v6 May 2017) Monitor for unusual kernel driver installation activity. | Look for attempts to read/write to sensitive locations like the partition boot sector or BIOS parameter block/superblock. Monitor for direct access read/write attempts using the \\\\.\\ notation.(Citation: Microsoft Sysmon v6 May 2017) Monitor for unusual kernel driver installation activity.
For network infrastructure devices, collect AAA logging to monitor for `erase` commands that delete critical configuration files. |
[T1090.004] Proxy: Domain Fronting
Current version: 1.1
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| external_references | | David Fifield, Chang Lan, Rod Hynes, Percy Wegmann, and Vern Paxson. (2015). Blocking-resistant communication through domain fronting. Retrieved November 20, 2017. |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | CAPEC-481 | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2020-09-16 19:30:54.226000+00:00 | 2023-03-30 21:01:52.356000+00:00 |
| external_references[1]['source_name'] | capec | Fifield Blocking Resistent Communication through domain fronting 2015 |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/481.html | http://www.icir.org/vern/papers/meek-PETS-2015.pdf |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'Fifield Blocking Resistent Communication through domain fronting 2015', 'description': 'David Fifield, Chang Lan, Rod Hynes, Percy Wegmann, and Vern Paxson. (2015). Blocking-resistant communication through domain fronting. Retrieved November 20, 2017.', 'url': 'http://www.icir.org/vern/papers/meek-PETS-2015.pdf'} | |
[T1583.001] Acquire Infrastructure: Domains
Current version: 1.2
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-18 19:21:38.441000+00:00 | 2023-03-30 21:01:37.379000+00:00 |
| external_references[5]['url'] | https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf | https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf |
| external_references[12]['url'] | https://www.riskiq.com/blog/labs/lazarus-group-cryptocurrency/ | https://web.archive.org/web/20171223000420/https://www.riskiq.com/blog/labs/lazarus-group-cryptocurrency/ |
| external_references[13]['url'] | https://www.riskiq.com/blog/labs/ukraine-malware-infrastructure/ | https://web.archive.org/web/20220527112908/https://www.riskiq.com/blog/labs/ukraine-malware-infrastructure/ |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | | Domain Name: Domain Registration |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/630.html', 'external_id': 'CAPEC-630'} | |
| x_mitre_data_sources | Domain Name: Domain Registration | |
[T1574.004] Hijack Execution Flow: Dylib Hijacking
Current version: 2.0
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-05-05 04:08:30.203000+00:00 | 2023-03-30 21:01:39.601000+00:00 |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/471.html', 'external_id': 'CAPEC-471'} | |
[T1574.006] Hijack Execution Flow: Dynamic Linker Hijacking
Current version: 2.0
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| external_references | | Kerrisk, M. (2020, June 13). Linux Programmer's Manual. Retrieved June 15, 2020. |
| external_references | | The Linux Documentation Project. (n.d.). Shared Libraries. Retrieved January 31, 2020. |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | CAPEC-13 | |
| external_references | CAPEC-640 | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-04-27 19:55:18.453000+00:00 | 2023-03-30 21:01:40.146000+00:00 |
| external_references[1]['source_name'] | capec | Man LD.SO |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/13.html | https://www.man7.org/linux/man-pages/man8/ld.so.8.html |
| external_references[2]['source_name'] | capec | TLDP Shared Libraries |
| external_references[2]['url'] | https://capec.mitre.org/data/definitions/640.html | https://www.tldp.org/HOWTO/Program-Library-HOWTO/shared-libraries.html |
| external_references[3]['source_name'] | Man LD.SO | Apple Doco Archive Dynamic Libraries |
| external_references[3]['description'] | Kerrisk, M. (2020, June 13). Linux Programmer's Manual. Retrieved June 15, 2020. | Apple Inc.. (2012, July 23). Overview of Dynamic Libraries. Retrieved March 24, 2021. |
| external_references[3]['url'] | https://www.man7.org/linux/man-pages/man8/ld.so.8.html | https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/OverviewOfDynamicLibraries.html |
| external_references[4]['source_name'] | TLDP Shared Libraries | Baeldung LD_PRELOAD |
| external_references[4]['description'] | The Linux Documentation Project. (n.d.). Shared Libraries. Retrieved January 31, 2020. | baeldung. (2020, August 9). What Is the LD_PRELOAD Trick?. Retrieved March 24, 2021. |
| external_references[4]['url'] | https://www.tldp.org/HOWTO/Program-Library-HOWTO/shared-libraries.html | https://www.baeldung.com/linux/ld_preload-trick-what-is |
| external_references[5]['source_name'] | Apple Doco Archive Dynamic Libraries | Code Injection on Linux and macOS |
| external_references[5]['description'] | Apple Inc.. (2012, July 23). Overview of Dynamic Libraries. Retrieved March 24, 2021. | Itamar Turner-Trauring. (2017, April 18). “This will only hurt for a moment”: code injection on Linux and macOS with LD_PRELOAD. Retrieved December 20, 2017. |
| external_references[5]['url'] | https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/OverviewOfDynamicLibraries.html | https://www.datawire.io/code-injection-on-linux-and-macos/ |
| external_references[6]['source_name'] | Baeldung LD_PRELOAD | Uninformed Needle |
| external_references[6]['description'] | baeldung. (2020, August 9). What Is the LD_PRELOAD Trick?. Retrieved March 24, 2021. | skape. (2003, January 19). Linux x86 run-time process manipulation. Retrieved December 20, 2017. |
| external_references[6]['url'] | https://www.baeldung.com/linux/ld_preload-trick-what-is | http://hick.org/code/skape/papers/needle.txt |
| external_references[7]['source_name'] | Code Injection on Linux and macOS | Phrack halfdead 1997 |
| external_references[7]['description'] | Itamar Turner-Trauring. (2017, April 18). “This will only hurt for a moment”: code injection on Linux and macOS with LD_PRELOAD. Retrieved December 20, 2017. | halflife. (1997, September 1). Shared Library Redirection Techniques. Retrieved December 20, 2017. |
| external_references[7]['url'] | https://www.datawire.io/code-injection-on-linux-and-macos/ | http://phrack.org/issues/51/8.html |
| external_references[8]['source_name'] | Uninformed Needle | Brown Exploiting Linkers |
| external_references[8]['description'] | skape. (2003, January 19). Linux x86 run-time process manipulation. Retrieved December 20, 2017. | Tim Brown. (2011, June 29). Breaking the links: Exploiting the linker. Retrieved March 29, 2021. |
| external_references[8]['url'] | http://hick.org/code/skape/papers/needle.txt | http://www.nth-dimension.org.uk/pub/BTL.pdf |
| external_references[9]['source_name'] | Phrack halfdead 1997 | TheEvilBit DYLD_INSERT_LIBRARIES |
| external_references[9]['description'] | halflife. (1997, September 1). Shared Library Redirection Techniques. Retrieved December 20, 2017. | Fitzl, C. (2019, July 9). DYLD_INSERT_LIBRARIES DYLIB injection in macOS / OSX. Retrieved March 26, 2020. |
| external_references[9]['url'] | http://phrack.org/issues/51/8.html | https://theevilbit.github.io/posts/dyld_insert_libraries_dylib_injection_in_macos_osx_deep_dive/ |
| external_references[10]['source_name'] | Brown Exploiting Linkers | Timac DYLD_INSERT_LIBRARIES |
| external_references[10]['description'] | Tim Brown. (2011, June 29). Breaking the links: Exploiting the linker. Retrieved March 29, 2021. | Timac. (2012, December 18). Simple code injection using DYLD_INSERT_LIBRARIES. Retrieved March 26, 2020. |
| external_references[10]['url'] | http://www.nth-dimension.org.uk/pub/BTL.pdf | https://blog.timac.org/2012/1218-simple-code-injection-using-dyld_insert_libraries/ |
| external_references[11]['source_name'] | TheEvilBit DYLD_INSERT_LIBRARIES | Gabilondo DYLD_INSERT_LIBRARIES Catalina Bypass |
| external_references[11]['description'] | Fitzl, C. (2019, July 9). DYLD_INSERT_LIBRARIES DYLIB injection in macOS / OSX. Retrieved March 26, 2020. | Jon Gabilondo. (2019, September 22). How to Inject Code into Mach-O Apps. Part II.. Retrieved March 24, 2021. |
| external_references[11]['url'] | https://theevilbit.github.io/posts/dyld_insert_libraries_dylib_injection_in_macos_osx_deep_dive/ | https://jon-gabilondo-angulo-7635.medium.com/how-to-inject-code-into-mach-o-apps-part-ii-ddb13ebc8191 |
| x_mitre_data_sources[0] | Module: Module Load | Command: Command Execution |
| x_mitre_data_sources[1] | Command: Command Execution | File: File Modification |
| x_mitre_data_sources[2] | Process: Process Creation | File: File Creation |
| x_mitre_data_sources[3] | File: File Creation | Module: Module Load |
| x_mitre_data_sources[4] | File: File Modification | Process: Process Creation |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'Timac DYLD_INSERT_LIBRARIES', 'description': 'Timac. (2012, December 18). Simple code injection using DYLD_INSERT_LIBRARIES. Retrieved March 26, 2020.', 'url': 'https://blog.timac.org/2012/1218-simple-code-injection-using-dyld_insert_libraries/'} | |
| external_references | {'source_name': 'Gabilondo DYLD_INSERT_LIBRARIES Catalina Bypass', 'description': 'Jon Gabilondo. (2019, September 22). How to Inject Code into Mach-O Apps. Part II.. Retrieved March 24, 2021.', 'url': 'https://jon-gabilondo-angulo-7635.medium.com/how-to-inject-code-into-mach-o-apps-part-ii-ddb13ebc8191'} | |
[T1499] Endpoint Denial of Service
Current version: 1.1
Dropped Mitigations:
- T1499: Endpoint Denial of Service Mitigation
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-12 14:48:40.313000+00:00 | 2023-03-30 21:01:44.038000+00:00 |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/227.html', 'external_id': 'CAPEC-227'} | |
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/131.html', 'external_id': 'CAPEC-131'} | |
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/130.html', 'external_id': 'CAPEC-130'} | |
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/125.html', 'external_id': 'CAPEC-125'} | |
[T1133] External Remote Services
Current version: 2.4
Dropped Mitigations:
- T1133: External Remote Services Mitigation
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-06-16 19:15:22.221000+00:00 | 2023-03-30 21:01:36.318000+00:00 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | | Network Traffic: Network Traffic Content |
| x_mitre_data_sources | | Network Traffic: Network Connection Creation |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/555.html', 'external_id': 'CAPEC-555'} | |
| x_mitre_data_sources | Network Traffic: Network Connection Creation | |
| x_mitre_data_sources | Network Traffic: Network Traffic Content | |
[T1083] File and Directory Discovery
Current version: 1.5
Dropped Mitigations:
- T1083: File and Directory Discovery Mitigation
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-09-06 21:55:41.262000+00:00 | 2023-03-30 21:01:42.631000+00:00 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | | Process: OS API Execution |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/127.html', 'external_id': 'CAPEC-127'} | |
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/497.html', 'external_id': 'CAPEC-497'} | |
| x_mitre_data_sources | Process: OS API Execution | |
[T1056.002] Input Capture: GUI Input Capture
Current version: 1.2
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| external_references | | Sergei Shevchenko. (2015, June 4). New Mac OS Malware Exploits Mackeeper. Retrieved July 3, 2017. |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | CAPEC-659 | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-03-08 21:05:20.136000+00:00 | 2023-03-30 21:01:48.279000+00:00 |
| external_references[1]['source_name'] | capec | OSX Malware Exploits MacKeeper |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/659.html | https://baesystemsai.blogspot.com/2015/06/new-mac-os-malware-exploits-mackeeper.html |
| external_references[2]['source_name'] | OSX Malware Exploits MacKeeper | LogRhythm Do You Trust Oct 2014 |
| external_references[2]['description'] | Sergei Shevchenko. (2015, June 4). New Mac OS Malware Exploits Mackeeper. Retrieved July 3, 2017. | Foss, G. (2014, October 3). Do You Trust Your Computer?. Retrieved December 17, 2018. |
| external_references[2]['url'] | https://baesystemsai.blogspot.com/2015/06/new-mac-os-malware-exploits-mackeeper.html | https://logrhythm.com/blog/do-you-trust-your-computer/ |
| external_references[3]['source_name'] | LogRhythm Do You Trust Oct 2014 | OSX Keydnap malware |
| external_references[3]['description'] | Foss, G. (2014, October 3). Do You Trust Your Computer?. Retrieved December 17, 2018. | Marc-Etienne M.Leveille. (2016, July 6). New OSX/Keydnap malware is hungry for credentials. Retrieved July 3, 2017. |
| external_references[3]['url'] | https://logrhythm.com/blog/do-you-trust-your-computer/ | https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/ |
| external_references[4]['source_name'] | OSX Keydnap malware | Spoofing credential dialogs |
| external_references[4]['description'] | Marc-Etienne M.Leveille. (2016, July 6). New OSX/Keydnap malware is hungry for credentials. Retrieved July 3, 2017. | Johann Rehberger. (2021, April 18). Spoofing credential dialogs on macOS Linux and Windows. Retrieved August 19, 2021. |
| external_references[4]['url'] | https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/ | https://embracethered.com/blog/posts/2021/spoofing-credential-dialogs/ |
| external_references[5]['source_name'] | Spoofing credential dialogs | Enigma Phishing for Credentials Jan 2015 |
| external_references[5]['description'] | Johann Rehberger. (2021, April 18). Spoofing credential dialogs on macOS Linux and Windows. Retrieved August 19, 2021. | Nelson, M. (2015, January 21). Phishing for Credentials: If you want it, just ask!. Retrieved December 17, 2018. |
| external_references[5]['url'] | https://embracethered.com/blog/posts/2021/spoofing-credential-dialogs/ | https://enigma0x3.net/2015/01/21/phishing-for-credentials-if-you-want-it-just-ask/ |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | | Script: Script Execution |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'Enigma Phishing for Credentials Jan 2015', 'description': 'Nelson, M. (2015, January 21). Phishing for Credentials: If you want it, just ask!. Retrieved December 17, 2018.', 'url': 'https://enigma0x3.net/2015/01/21/phishing-for-credentials-if-you-want-it-just-ask/'} | |
| x_mitre_data_sources | Script: Script Execution | |
[T1484.001] Domain Policy Modification: Group Policy Modification
Current version: 1.0
|
|
|---|
| t | Adversaries may modify Group Policy Objects (GPOs) to subver | t | Adversaries may modify Group Policy Objects (GPOs) to subver |
| t the intended discretionary access controls for a domain, u | | t the intended discretionary access controls for a domain, u |
| sually with the intention of escalating privileges on the do | | sually with the intention of escalating privileges on the do |
| main. Group policy allows for centralized management of user | | main. Group policy allows for centralized management of user |
| and computer settings in Active Directory (AD). GPOs are co | | and computer settings in Active Directory (AD). GPOs are co |
| ntainers for group policy settings made up of files stored w | | ntainers for group policy settings made up of files stored w |
| ithin a predicable network path <code>\\<DOMAIN>\SYSVO | | ithin a predictable network path `\<DOMAIN>\SYSVOL\<DOMAIN>\ |
| L\<DOMAIN>\Policies\</code>.(Citation: TechNet Group P | | Policies\`.(Citation: TechNet Group Policy Basics)(Citation: |
| olicy Basics)(Citation: ADSecurity GPO Persistence 2016) L | | ADSecurity GPO Persistence 2016) Like other objects in AD |
| ike other objects in AD, GPOs have access controls associate | | , GPOs have access controls associated with them. By default |
| d with them. By default all user accounts in the domain have | | all user accounts in the domain have permission to read GPO |
| permission to read GPOs. It is possible to delegate GPO acc | | s. It is possible to delegate GPO access control permissions |
| ess control permissions, e.g. write access, to specific user | | , e.g. write access, to specific users or groups in the doma |
| s or groups in the domain. Malicious GPO modifications can | | in. Malicious GPO modifications can be used to implement ma |
| be used to implement many other malicious behaviors such as | | ny other malicious behaviors such as [Scheduled Task/Job](ht |
| [Scheduled Task/Job](https://attack.mitre.org/techniques/T10 | | tps://attack.mitre.org/techniques/T1053), [Disable or Modify |
| 53), [Disable or Modify Tools](https://attack.mitre.org/tech | | Tools](https://attack.mitre.org/techniques/T1562/001), [Ing |
| niques/T1562/001), [Ingress Tool Transfer](https://attack.mi | | ress Tool Transfer](https://attack.mitre.org/techniques/T110 |
| tre.org/techniques/T1105), [Create Account](https://attack.m | | 5), [Create Account](https://attack.mitre.org/techniques/T11 |
| itre.org/techniques/T1136), [Service Execution](https://atta | | 36), [Service Execution](https://attack.mitre.org/techniques |
| ck.mitre.org/techniques/T1569/002), and more.(Citation: ADS | | /T1569/002), and more.(Citation: ADSecurity GPO Persistence |
| ecurity GPO Persistence 2016)(Citation: Wald0 Guide to GPOs) | | 2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abus |
| (Citation: Harmj0y Abusing GPO Permissions)(Citation: Mandia | | ing GPO Permissions)(Citation: Mandiant M Trends 2016)(Citat |
| nt M Trends 2016)(Citation: Microsoft Hacking Team Breach) S | | ion: Microsoft Hacking Team Breach) Since GPOs can control s |
| ince GPOs can control so many user and machine settings in t | | o many user and machine settings in the AD environment, ther |
| he AD environment, there are a great number of potential att | | e are a great number of potential attacks that can stem from |
| acks that can stem from this GPO abuse.(Citation: Wald0 Guid | | this GPO abuse.(Citation: Wald0 Guide to GPOs) For example |
| e to GPOs) For example, publicly available scripts such as | | , publicly available scripts such as <code>New-GPOImmediateT |
| <code>New-GPOImmediateTask</code> can be leveraged to automa | | ask</code> can be leveraged to automate the creation of a ma |
| te the creation of a malicious [Scheduled Task/Job](https:// | | licious [Scheduled Task/Job](https://attack.mitre.org/techni |
| attack.mitre.org/techniques/T1053) by modifying GPO settings | | ques/T1053) by modifying GPO settings, in this case modifyin |
| , in this case modifying <code><GPO_PATH>\Machine\Pref | | g <code><GPO_PATH>\Machine\Preferences\ScheduledTasks\ |
| erences\ScheduledTasks\ScheduledTasks.xml</code>.(Citation: | | ScheduledTasks.xml</code>.(Citation: Wald0 Guide to GPOs)(Ci |
| Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissio | | tation: Harmj0y Abusing GPO Permissions) In some cases an ad |
| ns) In some cases an adversary might modify specific user ri | | versary might modify specific user rights like SeEnableDeleg |
| ghts like SeEnableDelegationPrivilege, set in <code><GPO_ | | ationPrivilege, set in <code><GPO_PATH>\MACHINE\Micros |
| PATH>\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf</c | | oft\Windows NT\SecEdit\GptTmpl.inf</code>, to achieve a subt |
| ode>, to achieve a subtle AD backdoor with complete control | | le AD backdoor with complete control of the domain because t |
| of the domain because the user account under the adversary's | | he user account under the adversary's control would then be |
| control would then be able to modify GPOs.(Citation: Harmj0 | | able to modify GPOs.(Citation: Harmj0y SeEnableDelegationPri |
| y SeEnableDelegationPrivilege Right) | | vilege Right) |
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-02-09 15:52:24.315000+00:00 | 2023-01-06 12:44:15.707000+00:00 |
| description | Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain. Group policy allows for centralized management of user and computer settings in Active Directory (AD). GPOs are containers for group policy settings made up of files stored within a predicable network path \\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016)
Like other objects in AD, GPOs have access controls associated with them. By default all user accounts in the domain have permission to read GPOs. It is possible to delegate GPO access control permissions, e.g. write access, to specific users or groups in the domain.
Malicious GPO modifications can be used to implement many other malicious behaviors such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001), [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105), [Create Account](https://attack.mitre.org/techniques/T1136), [Service Execution](https://attack.mitre.org/techniques/T1569/002), and more.(Citation: ADSecurity GPO Persistence 2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions)(Citation: Mandiant M Trends 2016)(Citation: Microsoft Hacking Team Breach) Since GPOs can control so many user and machine settings in the AD environment, there are a great number of potential attacks that can stem from this GPO abuse.(Citation: Wald0 Guide to GPOs)
For example, publicly available scripts such as New-GPOImmediateTask can be leveraged to automate the creation of a malicious [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053) by modifying GPO settings, in this case modifying <GPO_PATH>\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml.(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions) In some cases an adversary might modify specific user rights like SeEnableDelegationPrivilege, set in <GPO_PATH>\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf, to achieve a subtle AD backdoor with complete control of the domain because the user account under the adversary's control would then be able to modify GPOs.(Citation: Harmj0y SeEnableDelegationPrivilege Right) | Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain. Group policy allows for centralized management of user and computer settings in Active Directory (AD). GPOs are containers for group policy settings made up of files stored within a predictable network path `\\SYSVOL\\Policies\`.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016)
Like other objects in AD, GPOs have access controls associated with them. By default all user accounts in the domain have permission to read GPOs. It is possible to delegate GPO access control permissions, e.g. write access, to specific users or groups in the domain.
Malicious GPO modifications can be used to implement many other malicious behaviors such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001), [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105), [Create Account](https://attack.mitre.org/techniques/T1136), [Service Execution](https://attack.mitre.org/techniques/T1569/002), and more.(Citation: ADSecurity GPO Persistence 2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions)(Citation: Mandiant M Trends 2016)(Citation: Microsoft Hacking Team Breach) Since GPOs can control so many user and machine settings in the AD environment, there are a great number of potential attacks that can stem from this GPO abuse.(Citation: Wald0 Guide to GPOs)
For example, publicly available scripts such as New-GPOImmediateTask can be leveraged to automate the creation of a malicious [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053) by modifying GPO settings, in this case modifying <GPO_PATH>\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml.(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions) In some cases an adversary might modify specific user rights like SeEnableDelegationPrivilege, set in <GPO_PATH>\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf, to achieve a subtle AD backdoor with complete control of the domain because the user account under the adversary's control would then be able to modify GPOs.(Citation: Harmj0y SeEnableDelegationPrivilege Right) |
| external_references[1]['source_name'] | TechNet Group Policy Basics | Mandiant M Trends 2016 |
| external_references[1]['description'] | srachui. (2012, February 13). Group Policy Basics – Part 1: Understanding the Structure of a Group Policy Object. Retrieved March 5, 2019. | Mandiant. (2016, February 25). Mandiant M-Trends 2016. Retrieved March 5, 2019. |
| external_references[1]['url'] | https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/13/group-policy-basics-part-1-understanding-the-structure-of-a-group-policy-object/ | https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-mtrends-2016.pdf |
| external_references[3]['source_name'] | Wald0 Guide to GPOs | Microsoft Hacking Team Breach |
| external_references[3]['description'] | Robbins, A. (2018, April 2). A Red Teamer’s Guide to GPOs and OUs. Retrieved March 5, 2019. | Microsoft Secure Team. (2016, June 1). Hacking Team Breach: A Cyber Jurassic Park. Retrieved March 5, 2019. |
| external_references[3]['url'] | https://wald0.com/?p=179 | https://www.microsoft.com/security/blog/2016/06/01/hacking-team-breach-a-cyber-jurassic-park/ |
| external_references[4]['source_name'] | Harmj0y Abusing GPO Permissions | Wald0 Guide to GPOs |
| external_references[4]['description'] | Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved March 5, 2019. | Robbins, A. (2018, April 2). A Red Teamer’s Guide to GPOs and OUs. Retrieved March 5, 2019. |
| external_references[4]['url'] | http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/ | https://wald0.com/?p=179 |
| external_references[5]['source_name'] | Mandiant M Trends 2016 | Harmj0y Abusing GPO Permissions |
| external_references[5]['description'] | Mandiant. (2016, February 25). Mandiant M-Trends 2016. Retrieved March 5, 2019. | Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved March 5, 2019. |
| external_references[5]['url'] | https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-mtrends-2016.pdf | http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/ |
| external_references[6]['source_name'] | Microsoft Hacking Team Breach | Harmj0y SeEnableDelegationPrivilege Right |
| external_references[6]['description'] | Microsoft Secure Team. (2016, June 1). Hacking Team Breach: A Cyber Jurassic Park. Retrieved March 5, 2019. | Schroeder, W. (2017, January 10). The Most Dangerous User Right You (Probably) Have Never Heard Of. Retrieved March 5, 2019. |
| external_references[6]['url'] | https://www.microsoft.com/security/blog/2016/06/01/hacking-team-breach-a-cyber-jurassic-park/ | http://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/ |
| external_references[7]['source_name'] | Harmj0y SeEnableDelegationPrivilege Right | TechNet Group Policy Basics |
| external_references[7]['description'] | Schroeder, W. (2017, January 10). The Most Dangerous User Right You (Probably) Have Never Heard Of. Retrieved March 5, 2019. | srachui. (2012, February 13). Group Policy Basics – Part 1: Understanding the Structure of a Group Policy Object. Retrieved March 5, 2019. |
| external_references[7]['url'] | http://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/ | https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/13/group-policy-basics-part-1-understanding-the-structure-of-a-group-policy-object/ |
| x_mitre_data_sources[0] | Active Directory: Active Directory Object Creation | Active Directory: Active Directory Object Modification |
| x_mitre_data_sources[1] | Command: Command Execution | Active Directory: Active Directory Object Deletion |
| x_mitre_data_sources[2] | Active Directory: Active Directory Object Deletion | Active Directory: Active Directory Object Creation |
| x_mitre_data_sources[3] | Active Directory: Active Directory Object Modification | Command: Command Execution |
[T1200] Hardware Additions
Current version: 1.6
Dropped Mitigations:
- T1200: Hardware Additions Mitigation
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-28 16:09:12.782000+00:00 | 2023-03-30 21:01:40.332000+00:00 |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/440.html', 'external_id': 'CAPEC-440'} | |
[T1562.003] Impair Defenses: Impair Command History Logging
Current version: 2.2
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-09-01 20:48:29.785000+00:00 | 2023-03-30 21:01:47.940000+00:00 |
| x_mitre_data_sources[0] | Sensor Health: Host Status | Command: Command Execution |
| x_mitre_data_sources[1] | Command: Command Execution | Sensor Health: Host Status |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/13.html', 'external_id': 'CAPEC-13'} | |
[T1056] Input Capture
Current version: 1.2
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| external_references | | Tinaztepe, E. (n.d.). The Adventures of a Keystroke: An in-depth look into keyloggers on Windows. Retrieved April 27, 2016. |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | CAPEC-569 | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-03-08 21:05:20.658000+00:00 | 2023-03-30 21:01:41.752000+00:00 |
| external_references[1]['source_name'] | capec | Adventures of a Keystroke |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/569.html | http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf |
| x_mitre_data_sources[1] | Process: Process Creation | Driver: Driver Load |
| x_mitre_data_sources[5] | Process: Process Metadata | Process: Process Creation |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | | Process: Process Metadata |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'Adventures of a Keystroke', 'description': 'Tinaztepe, E. (n.d.). The Adventures of a Keystroke: An in-depth look into keyloggers on Windows. Retrieved April 27, 2016.', 'url': 'http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf'} | |
| x_mitre_data_sources | Driver: Driver Load | |
[T1553.004] Subvert Trust Controls: Install Root Certificate
Current version: 1.1
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| external_references | | Wikipedia. (2016, December 6). Root certificate. Retrieved February 20, 2017. |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | CAPEC-479 | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-08-25 19:39:07.001000+00:00 | 2023-03-30 21:01:45.661000+00:00 |
| external_references[1]['source_name'] | capec | Wikipedia Root Certificate |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/479.html | https://en.wikipedia.org/wiki/Root_certificate |
| external_references[2]['source_name'] | Wikipedia Root Certificate | Operation Emmental |
| external_references[2]['description'] | Wikipedia. (2016, December 6). Root certificate. Retrieved February 20, 2017. | Sancho, D., Hacquebord, F., Link, R. (2014, July 22). Finding Holes Operation Emmental. Retrieved February 9, 2016. |
| external_references[2]['url'] | https://en.wikipedia.org/wiki/Root_certificate | http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-finding-holes-operation-emmental.pdf |
| external_references[3]['source_name'] | Operation Emmental | Kaspersky Superfish |
| external_references[3]['description'] | Sancho, D., Hacquebord, F., Link, R. (2014, July 22). Finding Holes Operation Emmental. Retrieved February 9, 2016. | Onuma. (2015, February 24). Superfish: Adware Preinstalled on Lenovo Laptops. Retrieved February 20, 2017. |
| external_references[3]['url'] | http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-finding-holes-operation-emmental.pdf | https://www.kaspersky.com/blog/lenovo-pc-with-adware-superfish-preinstalled/7712/ |
| external_references[4]['source_name'] | Kaspersky Superfish | SpectorOps Code Signing Dec 2017 |
| external_references[4]['description'] | Onuma. (2015, February 24). Superfish: Adware Preinstalled on Lenovo Laptops. Retrieved February 20, 2017. | Graeber, M. (2017, December 22). Code Signing Certificate Cloning Attacks and Defenses. Retrieved April 3, 2018. |
| external_references[4]['url'] | https://www.kaspersky.com/blog/lenovo-pc-with-adware-superfish-preinstalled/7712/ | https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec |
| external_references[5]['source_name'] | SpectorOps Code Signing Dec 2017 | objective-see ay mami 2018 |
| external_references[5]['description'] | Graeber, M. (2017, December 22). Code Signing Certificate Cloning Attacks and Defenses. Retrieved April 3, 2018. | Patrick Wardle. (2018, January 11). Ay MaMi. Retrieved March 19, 2018. |
| external_references[5]['url'] | https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec | https://objective-see.com/blog/blog_0x26.html |
| external_references[6]['source_name'] | objective-see ay mami 2018 | Microsoft Sigcheck May 2017 |
| external_references[6]['description'] | Patrick Wardle. (2018, January 11). Ay MaMi. Retrieved March 19, 2018. | Russinovich, M. et al.. (2017, May 22). Sigcheck. Retrieved April 3, 2018. |
| external_references[6]['url'] | https://objective-see.com/blog/blog_0x26.html | https://docs.microsoft.com/sysinternals/downloads/sigcheck |
| external_references[7]['source_name'] | Microsoft Sigcheck May 2017 | Tripwire AppUNBlocker |
| external_references[7]['description'] | Russinovich, M. et al.. (2017, May 22). Sigcheck. Retrieved April 3, 2018. | Smith, T. (2016, October 27). AppUNBlocker: Bypassing AppLocker. Retrieved December 19, 2017. |
| external_references[7]['url'] | https://docs.microsoft.com/sysinternals/downloads/sigcheck | https://www.tripwire.com/state-of-security/off-topic/appunblocker-bypassing-applocker/ |
| x_mitre_data_sources[0] | Process: Process Creation | Windows Registry: Windows Registry Key Modification |
| x_mitre_data_sources[3] | Windows Registry: Windows Registry Key Modification | Process: Process Creation |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'Tripwire AppUNBlocker', 'description': 'Smith, T. (2016, October 27). AppUNBlocker: Bypassing AppLocker. Retrieved December 19, 2017.', 'url': 'https://www.tripwire.com/state-of-security/off-topic/appunblocker-bypassing-applocker/'} | |
[T1558.003] Steal or Forge Kerberos Tickets: Kerberoasting
Current version: 1.2
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| external_references | | EmpireProject. (2016, October 31). Invoke-Kerberoast.ps1. Retrieved March 22, 2018. |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | CAPEC-509 | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-03-08 21:52:42.405000+00:00 | 2023-03-30 21:01:46.538000+00:00 |
| external_references[1]['source_name'] | capec | Empire InvokeKerberoast Oct 2016 |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/509.html | https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1 |
| external_references[2]['source_name'] | Empire InvokeKerberoast Oct 2016 | AdSecurity Cracking Kerberos Dec 2015 |
| external_references[2]['description'] | EmpireProject. (2016, October 31). Invoke-Kerberoast.ps1. Retrieved March 22, 2018. | Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory Domain. Retrieved March 22, 2018. |
| external_references[2]['url'] | https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1 | https://adsecurity.org/?p=2293 |
| external_references[3]['source_name'] | AdSecurity Cracking Kerberos Dec 2015 | Microsoft Detecting Kerberoasting Feb 2018 |
| external_references[3]['description'] | Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory Domain. Retrieved March 22, 2018. | Bani, M. (2018, February 23). Detecting Kerberoasting activity using Azure Security Center. Retrieved March 23, 2018. |
| external_references[3]['url'] | https://adsecurity.org/?p=2293 | https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/ |
| external_references[4]['source_name'] | Microsoft Detecting Kerberoasting Feb 2018 | Microsoft SPN |
| external_references[4]['description'] | Bani, M. (2018, February 23). Detecting Kerberoasting activity using Azure Security Center. Retrieved March 23, 2018. | Microsoft. (n.d.). Service Principal Names. Retrieved March 22, 2018. |
| external_references[4]['url'] | https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/ | https://msdn.microsoft.com/library/ms677949.aspx |
| external_references[5]['source_name'] | Microsoft SPN | Microsoft SetSPN |
| external_references[5]['description'] | Microsoft. (n.d.). Service Principal Names. Retrieved March 22, 2018. | Microsoft. (2010, April 13). Service Principal Names (SPNs) SetSPN Syntax (Setspn.exe). Retrieved March 22, 2018. |
| external_references[5]['url'] | https://msdn.microsoft.com/library/ms677949.aspx | https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx |
| external_references[6]['source_name'] | Microsoft SetSPN | SANS Attacking Kerberos Nov 2014 |
| external_references[6]['description'] | Microsoft. (2010, April 13). Service Principal Names (SPNs) SetSPN Syntax (Setspn.exe). Retrieved March 22, 2018. | Medin, T. (2014, November). Attacking Kerberos - Kicking the Guard Dog of Hades. Retrieved March 22, 2018. |
| external_references[6]['url'] | https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx | https://redsiege.com/kerberoast-slides |
| external_references[7]['source_name'] | SANS Attacking Kerberos Nov 2014 | Harmj0y Kerberoast Nov 2016 |
| external_references[7]['description'] | Medin, T. (2014, November). Attacking Kerberos - Kicking the Guard Dog of Hades. Retrieved March 22, 2018. | Schroeder, W. (2016, November 1). Kerberoasting Without Mimikatz. Retrieved March 23, 2018. |
| external_references[7]['url'] | https://redsiege.com/kerberoast-slides | https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/ |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'Harmj0y Kerberoast Nov 2016', 'description': 'Schroeder, W. (2016, November 1). Kerberoasting Without Mimikatz. Retrieved March 23, 2018.', 'url': 'https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/'} | |
[T1056.001] Input Capture: Keylogging
Current version: 1.1
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| external_references | | Tinaztepe, E. (n.d.). The Adventures of a Keystroke: An in-depth look into keyloggers on Windows. Retrieved April 27, 2016. |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | CAPEC-568 | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2020-10-21 01:30:56.227000+00:00 | 2023-03-30 21:01:37.930000+00:00 |
| external_references[1]['source_name'] | capec | Adventures of a Keystroke |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/568.html | http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf |
| external_references[2]['source_name'] | Adventures of a Keystroke | Cisco Blog Legacy Device Attacks |
| external_references[2]['description'] | Tinaztepe, E. (n.d.). The Adventures of a Keystroke: An in-depth look into keyloggers on Windows. Retrieved April 27, 2016. | Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020. |
| external_references[2]['url'] | http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf | https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | | Windows Registry: Windows Registry Key Modification |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'Cisco Blog Legacy Device Attacks', 'description': 'Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.', 'url': 'https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954'} | |
| x_mitre_data_sources | Windows Registry: Windows Registry Key Modification | |
[T1543.004] Create or Modify System Process: Launch Daemon
Current version: 1.2
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| external_references | | Apple. (n.d.). Creating Launch Daemons and Agents. Retrieved July 10, 2017. |
| external_references | | Patrick Wardle. (2014, September). Methods of Malware Persistence on Mac OS X. Retrieved July 5, 2017. |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | CAPEC-550 | |
| external_references | CAPEC-551 | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-10-07 22:10:55.653000+00:00 | 2023-03-30 21:01:48.453000+00:00 |
| external_references[1]['source_name'] | capec | AppleDocs Launch Agent Daemons |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/550.html | https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html |
| external_references[2]['source_name'] | capec | Methods of Mac Malware Persistence |
| external_references[2]['url'] | https://capec.mitre.org/data/definitions/551.html | https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf |
| external_references[3]['source_name'] | AppleDocs Launch Agent Daemons | launchd Keywords for plists |
| external_references[3]['description'] | Apple. (n.d.). Creating Launch Daemons and Agents. Retrieved July 10, 2017. | Dennis German. (2020, November 20). launchd Keywords for plists. Retrieved October 7, 2021. |
| external_references[3]['url'] | https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html | https://www.real-world-systems.com/docs/launchdPlist.1.html |
| external_references[4]['source_name'] | Methods of Mac Malware Persistence | WireLurker |
| external_references[4]['description'] | Patrick Wardle. (2014, September). Methods of Malware Persistence on Mac OS X. Retrieved July 5, 2017. | Claud Xiao. (n.d.). WireLurker: A New Era in iOS and OS X Malware. Retrieved July 10, 2017. |
| external_references[4]['url'] | https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf | https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf |
| external_references[5]['source_name'] | launchd Keywords for plists | OSX Malware Detection |
| external_references[5]['description'] | Dennis German. (2020, November 20). launchd Keywords for plists. Retrieved October 7, 2021. | Patrick Wardle. (2016, February 29). Let's Play Doctor: Practical OS X Malware Detection & Analysis. Retrieved July 10, 2017. |
| external_references[5]['url'] | https://www.real-world-systems.com/docs/launchdPlist.1.html | https://www.synack.com/wp-content/uploads/2016/03/RSA_OSX_Malware.pdf |
| external_references[6]['source_name'] | WireLurker | LaunchDaemon Hijacking |
| external_references[6]['description'] | Claud Xiao. (n.d.). WireLurker: A New Era in iOS and OS X Malware. Retrieved July 10, 2017. | Bradley Kemp. (2021, May 10). LaunchDaemon Hijacking: privilege escalation and persistence via insecure folder permissions. Retrieved July 26, 2021. |
| external_references[6]['url'] | https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf | https://bradleyjkemp.dev/post/launchdaemon-hijacking/ |
| external_references[7]['source_name'] | OSX Malware Detection | sentinelone macos persist Jun 2019 |
| external_references[7]['description'] | Patrick Wardle. (2016, February 29). Let's Play Doctor: Practical OS X Malware Detection & Analysis. Retrieved July 10, 2017. | Stokes, Phil. (2019, June 17). HOW MALWARE PERSISTS ON MACOS. Retrieved September 10, 2019. |
| external_references[7]['url'] | https://www.synack.com/wp-content/uploads/2016/03/RSA_OSX_Malware.pdf | https://www.sentinelone.com/blog/how-malware-persists-on-macos/ |
| x_mitre_data_sources[1] | File: File Modification | Service: Service Creation |
| x_mitre_data_sources[2] | Service: Service Modification | File: File Creation |
| x_mitre_data_sources[4] | File: File Creation | Service: Service Modification |
| x_mitre_data_sources[5] | Service: Service Creation | File: File Modification |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'LaunchDaemon Hijacking', 'description': 'Bradley Kemp. (2021, May 10). LaunchDaemon Hijacking: privilege escalation and persistence via insecure folder permissions. Retrieved July 26, 2021.', 'url': 'https://bradleyjkemp.dev/post/launchdaemon-hijacking/'} | |
| external_references | {'source_name': 'sentinelone macos persist Jun 2019', 'description': 'Stokes, Phil. (2019, June 17). HOW MALWARE PERSISTS ON MACOS. Retrieved September 10, 2019.', 'url': 'https://www.sentinelone.com/blog/how-malware-persists-on-macos/'} | |
[T1553.005] Subvert Trust Controls: Mark-of-the-Web Bypass
Current version: 1.1
|
|
|---|
| t | Adversaries may abuse specific file formats to subvert Mark- | t | Adversaries may abuse specific file formats to subvert Mark- |
| of-the-Web (MOTW) controls. In Windows, when files are downl | | of-the-Web (MOTW) controls. In Windows, when files are downl |
| oaded from the Internet, they are tagged with a hidden NTFS | | oaded from the Internet, they are tagged with a hidden NTFS |
| Alternate Data Stream (ADS) named <code>Zone.Identifier</cod | | Alternate Data Stream (ADS) named <code>Zone.Identifier</cod |
| e> with a specific value known as the MOTW.(Citation: Micros | | e> with a specific value known as the MOTW.(Citation: Micros |
| oft Zone.Identifier 2020) Files that are tagged with MOTW ar | | oft Zone.Identifier 2020) Files that are tagged with MOTW ar |
| e protected and cannot perform certain actions. For example, | | e protected and cannot perform certain actions. For example, |
| starting in MS Office 10, if a MS Office file has the MOTW, | | starting in MS Office 10, if a MS Office file has the MOTW, |
| it will open in Protected View. Executables tagged with the | | it will open in Protected View. Executables tagged with the |
| MOTW will be processed by Windows Defender SmartScreen that | | MOTW will be processed by Windows Defender SmartScreen that |
| compares files with an allowlist of well-known executables. | | compares files with an allowlist of well-known executables. |
| If the file in not known/trusted, SmartScreen will prevent | | If the file is not known/trusted, SmartScreen will prevent |
| the execution and warn the user not to run it.(Citation: Bee | | the execution and warn the user not to run it.(Citation: Bee |
| k Use of VHD Dec 2020)(Citation: Outflank MotW 2020)(Citatio | | k Use of VHD Dec 2020)(Citation: Outflank MotW 2020)(Citatio |
| n: Intezer Russian APT Dec 2020) Adversaries may abuse cont | | n: Intezer Russian APT Dec 2020) Adversaries may abuse cont |
| ainer files such as compressed/archive (.arj, .gzip) and/or | | ainer files such as compressed/archive (.arj, .gzip) and/or |
| disk image (.iso, .vhd) file formats to deliver malicious pa | | disk image (.iso, .vhd) file formats to deliver malicious pa |
| yloads that may not be tagged with MOTW. Container files dow | | yloads that may not be tagged with MOTW. Container files dow |
| nloaded from the Internet will be marked with MOTW but the f | | nloaded from the Internet will be marked with MOTW but the f |
| iles within may not inherit the MOTW after the container fil | | iles within may not inherit the MOTW after the container fil |
| es are extracted and/or mounted. MOTW is a NTFS feature and | | es are extracted and/or mounted. MOTW is a NTFS feature and |
| many container files do not support NTFS alternative data st | | many container files do not support NTFS alternative data st |
| reams. After a container file is extracted and/or mounted, t | | reams. After a container file is extracted and/or mounted, t |
| he files contained within them may be treated as local files | | he files contained within them may be treated as local files |
| on disk and run without protections.(Citation: Beek Use of | | on disk and run without protections.(Citation: Beek Use of |
| VHD Dec 2020)(Citation: Outflank MotW 2020) | | VHD Dec 2020)(Citation: Outflank MotW 2020) |
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-05-05 04:59:32.535000+00:00 | 2023-03-22 14:19:50.768000+00:00 |
| description | Adversaries may abuse specific file formats to subvert Mark-of-the-Web (MOTW) controls. In Windows, when files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.(Citation: Microsoft Zone.Identifier 2020) Files that are tagged with MOTW are protected and cannot perform certain actions. For example, starting in MS Office 10, if a MS Office file has the MOTW, it will open in Protected View. Executables tagged with the MOTW will be processed by Windows Defender SmartScreen that compares files with an allowlist of well-known executables. If the file in not known/trusted, SmartScreen will prevent the execution and warn the user not to run it.(Citation: Beek Use of VHD Dec 2020)(Citation: Outflank MotW 2020)(Citation: Intezer Russian APT Dec 2020)
Adversaries may abuse container files such as compressed/archive (.arj, .gzip) and/or disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW. Container files downloaded from the Internet will be marked with MOTW but the files within may not inherit the MOTW after the container files are extracted and/or mounted. MOTW is a NTFS feature and many container files do not support NTFS alternative data streams. After a container file is extracted and/or mounted, the files contained within them may be treated as local files on disk and run without protections.(Citation: Beek Use of VHD Dec 2020)(Citation: Outflank MotW 2020) | Adversaries may abuse specific file formats to subvert Mark-of-the-Web (MOTW) controls. In Windows, when files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.(Citation: Microsoft Zone.Identifier 2020) Files that are tagged with MOTW are protected and cannot perform certain actions. For example, starting in MS Office 10, if a MS Office file has the MOTW, it will open in Protected View. Executables tagged with the MOTW will be processed by Windows Defender SmartScreen that compares files with an allowlist of well-known executables. If the file is not known/trusted, SmartScreen will prevent the execution and warn the user not to run it.(Citation: Beek Use of VHD Dec 2020)(Citation: Outflank MotW 2020)(Citation: Intezer Russian APT Dec 2020)
Adversaries may abuse container files such as compressed/archive (.arj, .gzip) and/or disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW. Container files downloaded from the Internet will be marked with MOTW but the files within may not inherit the MOTW after the container files are extracted and/or mounted. MOTW is a NTFS feature and many container files do not support NTFS alternative data streams. After a container file is extracted and/or mounted, the files contained within them may be treated as local files on disk and run without protections.(Citation: Beek Use of VHD Dec 2020)(Citation: Outflank MotW 2020) |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_data_sources[0] | File: File Creation | File: File Metadata |
| x_mitre_data_sources[1] | File: File Metadata | File: File Creation |
[T1036.005] Masquerading: Match Legitimate Name or Location
Current version: 1.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-05-05 04:56:50.197000+00:00 | 2023-03-30 21:01:42.277000+00:00 |
| x_mitre_data_sources[1] | Image: Image Metadata | Process: Process Metadata |
| x_mitre_data_sources[2] | Process: Process Metadata | Image: Image Metadata |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/177.html', 'external_id': 'CAPEC-177'} | |
[T1556.006] Modify Authentication Process: Multi-Factor Authentication
Current version: 1.0
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-21 19:19:07.519000+00:00 | 2023-02-09 14:18:59.080000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_data_sources[0] | User Account: User Account Modification | User Account: User Account Authentication |
| x_mitre_data_sources[1] | User Account: User Account Authentication | User Account: User Account Modification |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_contributors | | Muhammad Moiz Arshad, @5T34L7H |
[T1621] Multi-Factor Authentication Request Generation
Current version: 1.0
|
|
|---|
| t | Adversaries may attempt to bypass multi-factor authenticatio | t | Adversaries may attempt to bypass multi-factor authenticatio |
| n (MFA) mechanisms and gain access to accounts by generating | | n (MFA) mechanisms and gain access to accounts by generating |
| MFA requests sent to users. Adversaries in possession cred | | MFA requests sent to users. Adversaries in possession of c |
| entials to [Valid Accounts](https://attack.mitre.org/techniq | | redentials to [Valid Accounts](https://attack.mitre.org/tech |
| ues/T1078) may be unable to complete the login process if th | | niques/T1078) may be unable to complete the login process if |
| ey lack access to the 2FA or MFA mechanisms required as an a | | they lack access to the 2FA or MFA mechanisms required as a |
| dditional credential and security control. To circumvent thi | | n additional credential and security control. To circumvent |
| s, adversaries may abuse the automatic generation of push no | | this, adversaries may abuse the automatic generation of push |
| tifications to MFA services such as Duo Push, Microsoft Auth | | notifications to MFA services such as Duo Push, Microsoft A |
| enticator, Okta, or similar services to have the user grant | | uthenticator, Okta, or similar services to have the user gra |
| access to their account. In some cases, adversaries may con | | nt access to their account. In some cases, adversaries may |
| tinuously repeat login attempts in order to bombard users wi | | continuously repeat login attempts in order to bombard users |
| th MFA push notifications, SMS messages, and phone calls, po | | with MFA push notifications, SMS messages, and phone calls, |
| tentially resulting in the user finally accepting the authen | | potentially resulting in the user finally accepting the aut |
| tication request in response to “MFA fatigue.”(Citation: Rus | | hentication request in response to “MFA fatigue.”(Citation: |
| sian 2FA Push Annoyance - Cimpanu)(Citation: MFA Fatigue Att | | Russian 2FA Push Annoyance - Cimpanu)(Citation: MFA Fatigue |
| acks - PortSwigger)(Citation: Suspected Russian Activity Tar | | Attacks - PortSwigger)(Citation: Suspected Russian Activity |
| geting Government and Business Entities Around the Globe) | | Targeting Government and Business Entities Around the Globe) |
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-08-05 13:55:20.002000+00:00 | 2023-04-04 03:06:34.448000+00:00 |
| description | Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to users.
Adversaries in possession credentials to [Valid Accounts](https://attack.mitre.org/techniques/T1078) may be unable to complete the login process if they lack access to the 2FA or MFA mechanisms required as an additional credential and security control. To circumvent this, adversaries may abuse the automatic generation of push notifications to MFA services such as Duo Push, Microsoft Authenticator, Okta, or similar services to have the user grant access to their account.
In some cases, adversaries may continuously repeat login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls, potentially resulting in the user finally accepting the authentication request in response to “MFA fatigue.”(Citation: Russian 2FA Push Annoyance - Cimpanu)(Citation: MFA Fatigue Attacks - PortSwigger)(Citation: Suspected Russian Activity Targeting Government and Business Entities Around the Globe) | Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to users.
Adversaries in possession of credentials to [Valid Accounts](https://attack.mitre.org/techniques/T1078) may be unable to complete the login process if they lack access to the 2FA or MFA mechanisms required as an additional credential and security control. To circumvent this, adversaries may abuse the automatic generation of push notifications to MFA services such as Duo Push, Microsoft Authenticator, Okta, or similar services to have the user grant access to their account.
In some cases, adversaries may continuously repeat login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls, potentially resulting in the user finally accepting the authentication request in response to “MFA fatigue.”(Citation: Russian 2FA Push Annoyance - Cimpanu)(Citation: MFA Fatigue Attacks - PortSwigger)(Citation: Suspected Russian Activity Targeting Government and Business Entities Around the Globe) |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_data_sources[0] | Logon Session: Logon Session Metadata | User Account: User Account Authentication |
| x_mitre_data_sources[1] | Logon Session: Logon Session Creation | Application Log: Application Log Content |
| x_mitre_data_sources[2] | Application Log: Application Log Content | Logon Session: Logon Session Metadata |
| x_mitre_data_sources[3] | User Account: User Account Authentication | Logon Session: Logon Session Creation |
[T1046] Network Service Discovery
Current version: 3.0
Dropped Mitigations:
- T1046: Network Service Scanning Mitigation
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-20 16:05:30.960000+00:00 | 2023-03-30 21:01:43.682000+00:00 |
| x_mitre_data_sources[0] | Cloud Service: Cloud Service Enumeration | Command: Command Execution |
| x_mitre_data_sources[2] | Command: Command Execution | Cloud Service: Cloud Service Enumeration |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/300.html', 'external_id': 'CAPEC-300'} | |
[T1135] Network Share Discovery
Current version: 3.1
Dropped Mitigations:
- T1135: Network Share Discovery Mitigation
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| external_references | | Wikipedia. (2017, April 15). Shared resource. Retrieved June 30, 2017. |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | CAPEC-643 | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-10-13 18:10:57.185000+00:00 | 2023-03-30 21:01:46.370000+00:00 |
| external_references[1]['source_name'] | capec | Wikipedia Shared Resource |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/643.html | https://en.wikipedia.org/wiki/Shared_resource |
| external_references[2]['source_name'] | Wikipedia Shared Resource | TechNet Shared Folder |
| external_references[2]['description'] | Wikipedia. (2017, April 15). Shared resource. Retrieved June 30, 2017. | Microsoft. (n.d.). Share a Folder or Drive. Retrieved June 30, 2017. |
| external_references[2]['url'] | https://en.wikipedia.org/wiki/Shared_resource | https://technet.microsoft.com/library/cc770880.aspx |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | | Process: OS API Execution |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'TechNet Shared Folder', 'description': 'Microsoft. (n.d.). Share a Folder or Drive. Retrieved June 30, 2017.', 'url': 'https://technet.microsoft.com/library/cc770880.aspx'} | |
| x_mitre_data_sources | Process: OS API Execution | |
[T1499.001] Endpoint Denial of Service: OS Exhaustion Flood
Current version: 1.2
Dropped Mitigations:
- T1499: Endpoint Denial of Service Mitigation
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-19 23:12:31.329000+00:00 | 2023-03-30 21:01:51.289000+00:00 |
| x_mitre_data_sources[0] | Network Traffic: Network Traffic Content | Sensor Health: Host Status |
| x_mitre_data_sources[2] | Sensor Health: Host Status | Network Traffic: Network Traffic Content |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/469.html', 'external_id': 'CAPEC-469'} | |
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/482.html', 'external_id': 'CAPEC-482'} | |
[T1550.002] Use Alternate Authentication Material: Pass the Hash
Current version: 1.1
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| external_references | | Warren, J. (2019, February 26). How to Detect Overpass-the-Hash Attacks. Retrieved February 4, 2021. |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | CAPEC-644 | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-08-31 19:55:02.702000+00:00 | 2023-03-30 21:01:45.141000+00:00 |
| external_references[1]['source_name'] | capec | Stealthbits Overpass-the-Hash |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/644.html | https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/ |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | | User Account: User Account Authentication |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'Stealthbits Overpass-the-Hash', 'description': 'Warren, J. (2019, February 26). How to Detect Overpass-the-Hash Attacks. Retrieved February 4, 2021.', 'url': 'https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/'} | |
| x_mitre_data_sources | User Account: User Account Authentication | |
[T1550.003] Use Alternate Authentication Material: Pass the Ticket
Current version: 1.1
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| external_references | | Metcalf, S. (2014, November 22). Mimikatz and Active Directory Kerberos Attacks. Retrieved June 2, 2016. |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | CAPEC-645 | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-08-31 19:56:31.341000+00:00 | 2023-03-30 21:01:38.108000+00:00 |
| external_references[1]['source_name'] | capec | ADSecurity AD Kerberos Attacks |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/645.html | https://adsecurity.org/?p=556 |
| external_references[2]['source_name'] | ADSecurity AD Kerberos Attacks | GentilKiwi Pass the Ticket |
| external_references[2]['description'] | Metcalf, S. (2014, November 22). Mimikatz and Active Directory Kerberos Attacks. Retrieved June 2, 2016. | Deply, B. (2014, January 13). Pass the ticket. Retrieved June 2, 2016. |
| external_references[2]['url'] | https://adsecurity.org/?p=556 | http://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos |
| external_references[3]['source_name'] | GentilKiwi Pass the Ticket | Campbell 2014 |
| external_references[3]['description'] | Deply, B. (2014, January 13). Pass the ticket. Retrieved June 2, 2016. | Campbell, C. (2014). The Secret Life of Krbtgt. Retrieved December 4, 2014. |
| external_references[3]['url'] | http://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos | http://defcon.org/images/defcon-22/dc-22-presentations/Campbell/DEFCON-22-Christopher-Campbell-The-Secret-Life-of-Krbtgt.pdf |
| external_references[4]['source_name'] | Campbell 2014 | Stealthbits Overpass-the-Hash |
| external_references[4]['description'] | Campbell, C. (2014). The Secret Life of Krbtgt. Retrieved December 4, 2014. | Warren, J. (2019, February 26). How to Detect Overpass-the-Hash Attacks. Retrieved February 4, 2021. |
| external_references[4]['url'] | http://defcon.org/images/defcon-22/dc-22-presentations/Campbell/DEFCON-22-Christopher-Campbell-The-Secret-Life-of-Krbtgt.pdf | https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/ |
| external_references[5]['source_name'] | Stealthbits Overpass-the-Hash | CERT-EU Golden Ticket Protection |
| external_references[5]['description'] | Warren, J. (2019, February 26). How to Detect Overpass-the-Hash Attacks. Retrieved February 4, 2021. | Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016, April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017. |
| external_references[5]['url'] | https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/ | https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | | Logon Session: Logon Session Creation |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'CERT-EU Golden Ticket Protection', 'description': 'Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016, April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.', 'url': 'https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf'} | |
| x_mitre_data_sources | Logon Session: Logon Session Creation | |
[T1110.002] Brute Force: Password Cracking
Current version: 1.2
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-19 21:33:46.023000+00:00 | 2023-03-30 21:01:48.643000+00:00 |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/55.html', 'external_id': 'CAPEC-55'} | |
[T1574.007] Hijack Execution Flow: Path Interception by PATH Environment Variable
Current version: 1.0
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-05-05 04:08:56.402000+00:00 | 2023-03-30 21:01:39.426000+00:00 |
| x_mitre_data_sources[0] | File: File Creation | Windows Registry: Windows Registry Key Modification |
| x_mitre_data_sources[2] | Windows Registry: Windows Registry Key Modification | File: File Creation |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/13.html', 'external_id': 'CAPEC-13'} | |
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/38.html', 'external_id': 'CAPEC-38'} | |
[T1574.008] Hijack Execution Flow: Path Interception by Search Order Hijacking
Current version: 1.0
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| external_references | | Microsoft. (n.d.). CreateProcess function. Retrieved December 5, 2014. |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | CAPEC-159 | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2020-09-17 19:03:35.217000+00:00 | 2023-03-30 21:01:44.781000+00:00 |
| external_references[1]['source_name'] | capec | Microsoft CreateProcess |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/159.html | http://msdn.microsoft.com/en-us/library/ms682425 |
| external_references[2]['source_name'] | Microsoft CreateProcess | Windows NT Command Shell |
| external_references[2]['description'] | Microsoft. (n.d.). CreateProcess function. Retrieved December 5, 2014. | Tim Hill. (2014, February 2). The Windows NT Command Shell. Retrieved December 5, 2014. |
| external_references[2]['url'] | http://msdn.microsoft.com/en-us/library/ms682425 | https://docs.microsoft.com/en-us/previous-versions//cc723564(v=technet.10)?redirectedfrom=MSDN#XSLTsection127121120120 |
| external_references[3]['source_name'] | Windows NT Command Shell | Microsoft WinExec |
| external_references[3]['description'] | Tim Hill. (2014, February 2). The Windows NT Command Shell. Retrieved December 5, 2014. | Microsoft. (n.d.). WinExec function. Retrieved December 5, 2014. |
| external_references[3]['url'] | https://docs.microsoft.com/en-us/previous-versions//cc723564(v=technet.10)?redirectedfrom=MSDN#XSLTsection127121120120 | http://msdn.microsoft.com/en-us/library/ms687393 |
| external_references[4]['source_name'] | Microsoft WinExec | Microsoft Environment Property |
| external_references[4]['description'] | Microsoft. (n.d.). WinExec function. Retrieved December 5, 2014. | Microsoft. (2011, October 24). Environment Property. Retrieved July 27, 2016. |
| external_references[4]['url'] | http://msdn.microsoft.com/en-us/library/ms687393 | https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'Microsoft Environment Property', 'description': 'Microsoft. (2011, October 24). Environment Property. Retrieved July 27, 2016.', 'url': 'https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN'} | |
[T1574.009] Hijack Execution Flow: Path Interception by Unquoted Path
Current version: 1.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-18 20:51:38.118000+00:00 | 2023-03-30 21:01:35.788000+00:00 |
| x_mitre_data_sources[0] | File: File Creation | Process: Process Creation |
| x_mitre_data_sources[2] | Process: Process Creation | File: File Creation |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/38.html', 'external_id': 'CAPEC-38'} | |
[T1120] Peripheral Device Discovery
Current version: 1.3
Dropped Mitigations:
- T1120: Peripheral Device Discovery Mitigation
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| external_references | | Shahriar Shovon. (2018, March). List USB Devices Linux. Retrieved March 11, 2022. |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | CAPEC-646 | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-03-11 18:39:11.763000+00:00 | 2023-03-30 21:01:41.575000+00:00 |
| external_references[1]['source_name'] | capec | Peripheral Discovery Linux |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/646.html | https://linuxhint.com/list-usb-devices-linux/ |
| external_references[2]['source_name'] | Peripheral Discovery Linux | Peripheral Discovery macOS |
| external_references[2]['description'] | Shahriar Shovon. (2018, March). List USB Devices Linux. Retrieved March 11, 2022. | SS64. (n.d.). system_profiler. Retrieved March 11, 2022. |
| external_references[2]['url'] | https://linuxhint.com/list-usb-devices-linux/ | https://ss64.com/osx/system_profiler.html |
| x_mitre_data_sources[0] | Command: Command Execution | Process: Process Creation |
| x_mitre_data_sources[2] | Process: Process Creation | Command: Command Execution |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'Peripheral Discovery macOS', 'description': 'SS64. (n.d.). system_profiler. Retrieved March 11, 2022.', 'url': 'https://ss64.com/osx/system_profiler.html'} | |
[T1055] Process Injection
Current version: 1.3
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-18 20:58:50.105000+00:00 | 2023-03-30 21:01:45.488000+00:00 |
| x_mitre_data_sources[0] | Process: Process Modification | Module: Module Load |
| x_mitre_data_sources[6] | Module: Module Load | File: File Modification |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | | Process: Process Modification |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/640.html', 'external_id': 'CAPEC-640'} | |
| x_mitre_data_sources | File: File Modification | |
[T1498.002] Network Denial of Service: Reflection Amplification
Current version: 1.3
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| external_references | | Marek Majkowsk, Cloudflare. (2017, May 24). Reflections on reflection (attacks). Retrieved April 23, 2019. |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | CAPEC-490 | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-03-25 20:05:38.883000+00:00 | 2023-03-30 21:01:41.052000+00:00 |
| external_references[1]['source_name'] | capec | Cloudflare ReflectionDoS May 2017 |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/490.html | https://blog.cloudflare.com/reflections-on-reflections/ |
| external_references[2]['source_name'] | Cloudflare ReflectionDoS May 2017 | Cloudflare DNSamplficationDoS |
| external_references[2]['description'] | Marek Majkowsk, Cloudflare. (2017, May 24). Reflections on reflection (attacks). Retrieved April 23, 2019. | Cloudflare. (n.d.). What is a DNS amplification attack?. Retrieved April 23, 2019. |
| external_references[2]['url'] | https://blog.cloudflare.com/reflections-on-reflections/ | https://www.cloudflare.com/learning/ddos/dns-amplification-ddos-attack/ |
| external_references[3]['source_name'] | Cloudflare DNSamplficationDoS | Cloudflare NTPamplifciationDoS |
| external_references[3]['description'] | Cloudflare. (n.d.). What is a DNS amplification attack?. Retrieved April 23, 2019. | Cloudflare. (n.d.). What is a NTP amplificaiton attack?. Retrieved April 23, 2019. |
| external_references[3]['url'] | https://www.cloudflare.com/learning/ddos/dns-amplification-ddos-attack/ | https://www.cloudflare.com/learning/ddos/ntp-amplification-ddos-attack/ |
| external_references[4]['source_name'] | Cloudflare NTPamplifciationDoS | Arbor AnnualDoSreport Jan 2018 |
| external_references[4]['description'] | Cloudflare. (n.d.). What is a NTP amplificaiton attack?. Retrieved April 23, 2019. | Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill Kasavchnko, and Gary Sockrider of Netscout Arbor. (2018, January). Insight into the Global Threat Landscape - Netscout Arbor's 13th Annual Worldwide Infrastructure Security Report. Retrieved April 22, 2019. |
| external_references[4]['url'] | https://www.cloudflare.com/learning/ddos/ntp-amplification-ddos-attack/ | https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf |
| external_references[5]['source_name'] | Arbor AnnualDoSreport Jan 2018 | Cloudflare Memcrashed Feb 2018 |
| external_references[5]['description'] | Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill Kasavchnko, and Gary Sockrider of Netscout Arbor. (2018, January). Insight into the Global Threat Landscape - Netscout Arbor's 13th Annual Worldwide Infrastructure Security Report. Retrieved April 22, 2019. | Marek Majkowski of Cloudflare. (2018, February 27). Memcrashed - Major amplification attacks from UDP port 11211. Retrieved April 18, 2019. |
| external_references[5]['url'] | https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf | https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/ |
| external_references[6]['source_name'] | Cloudflare Memcrashed Feb 2018 | Cisco DoSdetectNetflow |
| external_references[6]['description'] | Marek Majkowski of Cloudflare. (2018, February 27). Memcrashed - Major amplification attacks from UDP port 11211. Retrieved April 18, 2019. | Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow. Retrieved April 25, 2019. |
| external_references[6]['url'] | https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/ | https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'Cisco DoSdetectNetflow', 'description': 'Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow. Retrieved April 25, 2019.', 'url': 'https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf'} | |
[T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Current version: 1.2
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-06-16 13:06:00.638000+00:00 | 2023-03-30 21:01:52.183000+00:00 |
| x_mitre_data_sources[2] | Command: Command Execution | Windows Registry: Windows Registry Key Creation |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | | Command: Command Execution |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/270.html', 'external_id': 'CAPEC-270'} | |
| x_mitre_data_sources | Windows Registry: Windows Registry Key Creation | |
[T1021.001] Remote Services: Remote Desktop Protocol
Current version: 1.1
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| external_references | | Microsoft. (n.d.). Remote Desktop Services. Retrieved June 1, 2016. |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | CAPEC-555 | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-03-28 16:07:44.605000+00:00 | 2023-03-30 21:01:41.927000+00:00 |
| external_references[1]['source_name'] | capec | TechNet Remote Desktop Services |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/555.html | https://technet.microsoft.com/en-us/windowsserver/ee236407.aspx |
| external_references[2]['source_name'] | TechNet Remote Desktop Services | Alperovitch Malware |
| external_references[2]['description'] | Microsoft. (n.d.). Remote Desktop Services. Retrieved June 1, 2016. | Alperovitch, D. (2014, October 31). Malware-Free Intrusions. Retrieved November 4, 2014. |
| external_references[2]['url'] | https://technet.microsoft.com/en-us/windowsserver/ee236407.aspx | http://blog.crowdstrike.com/adversary-tricks-crowdstrike-treats/ |
| x_mitre_data_sources[0] | Network Traffic: Network Connection Creation | Logon Session: Logon Session Creation |
| x_mitre_data_sources[1] | Logon Session: Logon Session Creation | Network Traffic: Network Traffic Flow |
| x_mitre_data_sources[2] | Process: Process Creation | Network Traffic: Network Connection Creation |
| x_mitre_data_sources[3] | Network Traffic: Network Traffic Flow | Process: Process Creation |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'Alperovitch Malware', 'description': 'Alperovitch, D. (2014, October 31). Malware-Free Intrusions. Retrieved November 4, 2014.', 'url': 'http://blog.crowdstrike.com/adversary-tricks-crowdstrike-treats/'} | |
[T1018] Remote System Discovery
Current version: 3.4
Dropped Mitigations:
- T1018: Remote System Discovery Mitigation
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-09-06 22:04:59.486000+00:00 | 2023-03-30 21:01:50.033000+00:00 |
| x_mitre_data_sources[0] | Command: Command Execution | Process: Process Creation |
| x_mitre_data_sources[2] | Process: Process Creation | Command: Command Execution |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/292.html', 'external_id': 'CAPEC-292'} | |
[T1014] Rootkit
Current version: 1.1
Dropped Mitigations:
- T1014: Rootkit Mitigation
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-05-05 05:09:39.723000+00:00 | 2023-03-30 21:01:50.568000+00:00 |
| x_mitre_data_sources[0] | Drive: Drive Modification | File: File Modification |
| x_mitre_data_sources[2] | File: File Modification | Drive: Drive Modification |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/552.html', 'external_id': 'CAPEC-552'} | |
[T1608.006] Stage Capabilities: SEO Poisoning
Current version: 1.0
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-27 14:16:24.490000+00:00 | 2023-03-13 20:35:52.302000+00:00 |
| x_mitre_attack_spec_version | 3.0.0 | 3.1.0 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_contributors | | Hiroki Nagahama, NEC Corporation |
| x_mitre_contributors | | Manikantan Srinivasan, NEC Corporation India |
| x_mitre_contributors | | Pooja Natarajan, NEC Corporation India |
[T1021.004] Remote Services: SSH
Current version: 1.1
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| external_references | | Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs: Quarantine Edition [Entry 6] – Working From Home? Remote Logins. Retrieved August 19, 2021. |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | CAPEC-555 | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-10-15 14:15:06.853000+00:00 | 2023-03-30 21:01:49.323000+00:00 |
| external_references[1]['source_name'] | capec | Apple Unified Log Analysis Remote Login and Screen Sharing |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/555.html | https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins |
| x_mitre_data_sources[1] | Logon Session: Logon Session Creation | Process: Process Creation |
| x_mitre_data_sources[2] | Process: Process Creation | Logon Session: Logon Session Creation |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'Apple Unified Log Analysis Remote Login and Screen Sharing', 'description': 'Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs: Quarantine Edition [Entry 6] – Working From Home? Remote Logins. Retrieved August 19, 2021.', 'url': 'https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins'} | |
[T1053] Scheduled Task/Job
Current version: 2.2
Dropped Mitigations:
- T1053: Scheduled Task Mitigation
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-14 20:59:52.686000+00:00 | 2023-03-30 21:01:52.697000+00:00 |
| x_mitre_data_sources[0] | Scheduled Job: Scheduled Job Creation | Process: Process Creation |
| x_mitre_data_sources[1] | Container: Container Creation | Scheduled Job: Scheduled Job Creation |
| x_mitre_data_sources[2] | Process: Process Creation | Command: Command Execution |
| x_mitre_data_sources[5] | Command: Command Execution | Container: Container Creation |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/557.html', 'external_id': 'CAPEC-557'} | |
[T1113] Screen Capture
Current version: 1.1
Dropped Mitigations:
- T1113: Screen Capture Mitigation
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| external_references | | Microsoft. (n.d.). Graphics.CopyFromScreen Method. Retrieved March 24, 2020. |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | CAPEC-648 | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2020-03-24 19:56:37.627000+00:00 | 2023-03-30 21:01:39.967000+00:00 |
| external_references[1]['source_name'] | capec | CopyFromScreen .NET |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/648.html | https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen?view=netframework-4.8 |
| external_references[2]['source_name'] | CopyFromScreen .NET | Antiquated Mac Malware |
| external_references[2]['description'] | Microsoft. (n.d.). Graphics.CopyFromScreen Method. Retrieved March 24, 2020. | Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. Retrieved July 5, 2017. |
| external_references[2]['url'] | https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen?view=netframework-4.8 | https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/ |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'Antiquated Mac Malware', 'description': 'Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. Retrieved July 5, 2017.', 'url': 'https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/'} | |
[T1499.002] Endpoint Denial of Service: Service Exhaustion Flood
Current version: 1.3
Dropped Mitigations:
- T1499: Endpoint Denial of Service Mitigation
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-19 23:20:50.470000+00:00 | 2023-03-30 21:01:43.164000+00:00 |
| x_mitre_data_sources[1] | Application Log: Application Log Content | Sensor Health: Host Status |
| x_mitre_data_sources[3] | Sensor Health: Host Status | Application Log: Application Log Content |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/488.html', 'external_id': 'CAPEC-488'} | |
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/489.html', 'external_id': 'CAPEC-489'} | |
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/528.html', 'external_id': 'CAPEC-528'} | |
[T1574.010] Hijack Execution Flow: Services File Permissions Weakness
Current version: 1.0
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2020-09-16 19:10:04.262000+00:00 | 2023-03-30 21:01:37.026000+00:00 |
| x_mitre_data_sources[0] | Service: Service Metadata | File: File Creation |
| x_mitre_data_sources[2] | File: File Creation | Service: Service Metadata |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/17.html', 'external_id': 'CAPEC-17'} | |
[T1574.011] Hijack Execution Flow: Services Registry Permissions Weakness
Current version: 1.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-05-05 04:53:45.640000+00:00 | 2023-03-30 21:01:38.651000+00:00 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | | Command: Command Execution |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/478.html', 'external_id': 'CAPEC-478'} | |
| x_mitre_data_sources | Command: Command Execution | |
[T1548.001] Abuse Elevation Control Mechanism: Setuid and Setgid
Current version: 1.1
|
|
|---|
| t | An adversary may abuse configurations where an application h | t | An adversary may abuse configurations where an application h |
| as the setuid or setgid bits set in order to get code runnin | | as the setuid or setgid bits set in order to get code runnin |
| g in a different (and possibly more privileged) user’s conte | | g in a different (and possibly more privileged) user’s conte |
| xt. On Linux or macOS, when the setuid or setgid bits are se | | xt. On Linux or macOS, when the setuid or setgid bits are se |
| t for an application binary, the application will run with t | | t for an application binary, the application will run with t |
| he privileges of the owning user or group respectively.(Cita | | he privileges of the owning user or group respectively.(Cita |
| tion: setuid man page) Normally an application is run in the | | tion: setuid man page) Normally an application is run in the |
| current user’s context, regardless of which user or group o | | current user’s context, regardless of which user or group o |
| wns the application. However, there are instances where prog | | wns the application. However, there are instances where prog |
| rams need to be executed in an elevated context to function | | rams need to be executed in an elevated context to function |
| properly, but the user running them may not have the specifi | | properly, but the user running them may not have the specifi |
| c required privileges. Instead of creating an entry in the | | c required privileges. Instead of creating an entry in the |
| sudoers file, which must be done by root, any user can speci | | sudoers file, which must be done by root, any user can speci |
| fy the setuid or setgid flag to be set for their own applica | | fy the setuid or setgid flag to be set for their own applica |
| tions (i.e. [Linux and Mac File and Directory Permissions Mo | | tions (i.e. [Linux and Mac File and Directory Permissions Mo |
| dification](https://attack.mitre.org/techniques/T1222/002)). | | dification](https://attack.mitre.org/techniques/T1222/002)). |
| The <code>chmod</code> command can set these bits with bitm | | The <code>chmod</code> command can set these bits with bitm |
| asking, <code>chmod 4777 [file]</code> or via shorthand nami | | asking, <code>chmod 4777 [file]</code> or via shorthand nami |
| ng, <code>chmod u+s [file]</code>. This will enable the setu | | ng, <code>chmod u+s [file]</code>. This will enable the setu |
| id bit. To enable the setgit bit, <code>chmod 2775</code> an | | id bit. To enable the setgid bit, <code>chmod 2775</code> an |
| d <code>chmod g+s</code> can be used. Adversaries can use t | | d <code>chmod g+s</code> can be used. Adversaries can use t |
| his mechanism on their own malware to make sure they're able | | his mechanism on their own malware to make sure they're able |
| to execute in elevated contexts in the future.(Citation: OS | | to execute in elevated contexts in the future.(Citation: OS |
| X Keydnap malware) This abuse is often part of a "shell esca | | X Keydnap malware) This abuse is often part of a "shell esca |
| pe" or other actions to bypass an execution environment with | | pe" or other actions to bypass an execution environment with |
| restricted permissions. Alternatively, adversaries may cho | | restricted permissions. Alternatively, adversaries may cho |
| ose to find and target vulnerable binaries with the setuid o | | ose to find and target vulnerable binaries with the setuid o |
| r setgid bits already enabled (i.e. [File and Directory Disc | | r setgid bits already enabled (i.e. [File and Directory Disc |
| overy](https://attack.mitre.org/techniques/T1083)). The setu | | overy](https://attack.mitre.org/techniques/T1083)). The setu |
| id and setguid bits are indicated with an "s" instead of an | | id and setguid bits are indicated with an "s" instead of an |
| "x" when viewing a file's attributes via <code>ls -l</code>. | | "x" when viewing a file's attributes via <code>ls -l</code>. |
| The <code>find</code> command can also be used to search fo | | The <code>find</code> command can also be used to search fo |
| r such files. For example, <code>find / -perm +4000 2>/dev/n | | r such files. For example, <code>find / -perm +4000 2>/dev/n |
| ull</code> can be used to find files with setuid set and <co | | ull</code> can be used to find files with setuid set and <co |
| de>find / -perm +2000 2>/dev/null</code> may be used for set | | de>find / -perm +2000 2>/dev/null</code> may be used for set |
| gid. Binaries that have these bits set may then be abused by | | gid. Binaries that have these bits set may then be abused by |
| adversaries.(Citation: GTFOBins Suid) | | adversaries.(Citation: GTFOBins Suid) |
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-19 15:07:53.060000+00:00 | 2023-03-15 18:43:20.995000+00:00 |
| description | An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively.(Citation: setuid man page) Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them may not have the specific required privileges.
Instead of creating an entry in the sudoers file, which must be done by root, any user can specify the setuid or setgid flag to be set for their own applications (i.e. [Linux and Mac File and Directory Permissions Modification](https://attack.mitre.org/techniques/T1222/002)). The chmod command can set these bits with bitmasking, chmod 4777 [file] or via shorthand naming, chmod u+s [file]. This will enable the setuid bit. To enable the setgit bit, chmod 2775 and chmod g+s can be used.
Adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.(Citation: OSX Keydnap malware) This abuse is often part of a "shell escape" or other actions to bypass an execution environment with restricted permissions.
Alternatively, adversaries may choose to find and target vulnerable binaries with the setuid or setgid bits already enabled (i.e. [File and Directory Discovery](https://attack.mitre.org/techniques/T1083)). The setuid and setguid bits are indicated with an "s" instead of an "x" when viewing a file's attributes via ls -l. The find command can also be used to search for such files. For example, find / -perm +4000 2>/dev/null can be used to find files with setuid set and find / -perm +2000 2>/dev/null may be used for setgid. Binaries that have these bits set may then be abused by adversaries.(Citation: GTFOBins Suid) | An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively.(Citation: setuid man page) Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them may not have the specific required privileges.
Instead of creating an entry in the sudoers file, which must be done by root, any user can specify the setuid or setgid flag to be set for their own applications (i.e. [Linux and Mac File and Directory Permissions Modification](https://attack.mitre.org/techniques/T1222/002)). The chmod command can set these bits with bitmasking, chmod 4777 [file] or via shorthand naming, chmod u+s [file]. This will enable the setuid bit. To enable the setgid bit, chmod 2775 and chmod g+s can be used.
Adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.(Citation: OSX Keydnap malware) This abuse is often part of a "shell escape" or other actions to bypass an execution environment with restricted permissions.
Alternatively, adversaries may choose to find and target vulnerable binaries with the setuid or setgid bits already enabled (i.e. [File and Directory Discovery](https://attack.mitre.org/techniques/T1083)). The setuid and setguid bits are indicated with an "s" instead of an "x" when viewing a file's attributes via ls -l. The find command can also be used to search for such files. For example, find / -perm +4000 2>/dev/null can be used to find files with setuid set and find / -perm +2000 2>/dev/null may be used for setgid. Binaries that have these bits set may then be abused by adversaries.(Citation: GTFOBins Suid) |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_data_sources[0] | File: File Modification | File: File Metadata |
| x_mitre_data_sources[1] | File: File Metadata | File: File Modification |
[T1547.009] Boot or Logon Autostart Execution: Shortcut Modification
Current version: 1.2
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-19 22:29:46.175000+00:00 | 2023-03-30 21:01:49.848000+00:00 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | | Process: Process Creation |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/132.html', 'external_id': 'CAPEC-132'} | |
| x_mitre_data_sources | Process: Process Creation | |
[T1072] Software Deployment Tools
Current version: 2.1
Dropped Mitigations:
- T1072: Third-party Software Mitigation
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2020-12-11 17:00:00.938000+00:00 | 2023-03-30 21:01:36.669000+00:00 |
| x_mitre_data_sources[0] | Process: Process Creation | Application Log: Application Log Content |
| x_mitre_data_sources[1] | Application Log: Application Log Content | Process: Process Creation |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/187.html', 'external_id': 'CAPEC-187'} | |
[T1518] Software Discovery
Current version: 1.3
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-01-29 00:02:24.150000+00:00 | 2023-03-30 21:01:50.920000+00:00 |
| x_mitre_data_sources[1] | Firewall: Firewall Enumeration | Firewall: Firewall Metadata |
| x_mitre_data_sources[3] | Firewall: Firewall Metadata | Process: Process Creation |
| x_mitre_data_sources[4] | Process: Process Creation | Firewall: Firewall Enumeration |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/580.html', 'external_id': 'CAPEC-580'} | |
[T1027.002] Obfuscated Files or Information: Software Packing
Current version: 1.2
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-19 02:09:27.046000+00:00 | 2023-03-30 21:01:48.113000+00:00 |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/570.html', 'external_id': 'CAPEC-570'} | |
[T1036.006] Masquerading: Space after Filename
Current version: 1.0
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| external_references | | Dan Goodin. (2016, July 6). After hiatus, in-the-wild Mac backdoors are suddenly back. Retrieved July 8, 2017. |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | CAPEC-649 | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2020-03-29 20:26:01.690000+00:00 | 2023-03-30 21:01:52.873000+00:00 |
| external_references[1]['source_name'] | capec | Mac Backdoors are back |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/649.html | https://arstechnica.com/security/2016/07/after-hiatus-in-the-wild-mac-backdoors-are-suddenly-back/ |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'Mac Backdoors are back', 'description': 'Dan Goodin. (2016, July 6). After hiatus, in-the-wild Mac backdoors are suddenly back. Retrieved July 8, 2017.', 'url': 'https://arstechnica.com/security/2016/07/after-hiatus-in-the-wild-mac-backdoors-are-suddenly-back/'} | |
[T1566.001] Phishing: Spearphishing Attachment
Current version: 2.2
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| external_references | | Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020. |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | CAPEC-163 | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-10-18 17:39:12.452000+00:00 | 2023-03-30 21:01:42.995000+00:00 |
| external_references[1]['source_name'] | capec | Microsoft Anti Spoofing |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/163.html | https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide |
| external_references[2]['source_name'] | Microsoft Anti Spoofing | ACSC Email Spoofing |
| external_references[2]['description'] | Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020. | Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020. |
| external_references[2]['url'] | https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide | https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf |
| external_references[3]['source_name'] | ACSC Email Spoofing | Elastic - Koadiac Detection with EQL |
| external_references[3]['description'] | Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020. | Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 30, 2020. |
| external_references[3]['url'] | https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf | https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql |
| x_mitre_data_sources[0] | Application Log: Application Log Content | Network Traffic: Network Traffic Content |
| x_mitre_data_sources[2] | Network Traffic: Network Traffic Content | Application Log: Application Log Content |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'Elastic - Koadiac Detection with EQL', 'description': 'Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 30, 2020.', 'url': 'https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql'} | |
[T1566.003] Phishing: Spearphishing via Service
Current version: 2.0
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2020-10-18 01:55:02.988000+00:00 | 2023-03-30 21:01:50.401000+00:00 |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/163.html', 'external_id': 'CAPEC-163'} | |
[T1132.001] Data Encoding: Standard Encoding
Current version: 1.0
|
|
|---|
| t | Adversaries may encode data with a standard data encoding sy | t | Adversaries may encode data with a standard data encoding sy |
| stem to make the content of command and control traffic more | | stem to make the content of command and control traffic more |
| difficult to detect. Command and control (C2) information c | | difficult to detect. Command and control (C2) information c |
| an be encoded using a standard data encoding system that adh | | an be encoded using a standard data encoding system that adh |
| eres to existing protocol specifications. Common data encodi | | eres to existing protocol specifications. Common data encodi |
| ng schemes include ASCII, Unicode, hexadecimal, Base64, and | | ng schemes include ASCII, Unicode, hexadecimal, Base64, and |
| MIME.(Citation: Wikipedia Binary-to-text Encoding) (Citation | | MIME.(Citation: Wikipedia Binary-to-text Encoding)(Citation: |
| : Wikipedia Character Encoding) Some data encoding systems m | | Wikipedia Character Encoding) Some data encoding systems ma |
| ay also result in data compression, such as gzip. | | y also result in data compression, such as gzip. |
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_permissions_required | ['User'] | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2020-03-14 23:36:52.095000+00:00 | 2023-03-03 00:31:33.071000+00:00 |
| description | Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system that adheres to existing protocol specifications. Common data encoding schemes include ASCII, Unicode, hexadecimal, Base64, and MIME.(Citation: Wikipedia Binary-to-text Encoding) (Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip. | Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system that adheres to existing protocol specifications. Common data encoding schemes include ASCII, Unicode, hexadecimal, Base64, and MIME.(Citation: Wikipedia Binary-to-text Encoding)(Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip. |
| external_references[1]['source_name'] | Wikipedia Binary-to-text Encoding | University of Birmingham C2 |
| external_references[1]['description'] | Wikipedia. (2016, December 26). Binary-to-text encoding. Retrieved March 1, 2017. | Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. |
| external_references[1]['url'] | https://en.wikipedia.org/wiki/Binary-to-text_encoding | https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf |
| external_references[2]['source_name'] | Wikipedia Character Encoding | Wikipedia Binary-to-text Encoding |
| external_references[2]['description'] | Wikipedia. (2017, February 19). Character Encoding. Retrieved March 1, 2017. | Wikipedia. (2016, December 26). Binary-to-text encoding. Retrieved March 1, 2017. |
| external_references[2]['url'] | https://en.wikipedia.org/wiki/Character_encoding | https://en.wikipedia.org/wiki/Binary-to-text_encoding |
| external_references[3]['source_name'] | University of Birmingham C2 | Wikipedia Character Encoding |
| external_references[3]['description'] | Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. | Wikipedia. (2017, February 19). Character Encoding. Retrieved March 1, 2017. |
| external_references[3]['url'] | https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf | https://en.wikipedia.org/wiki/Character_encoding |
[T1558] Steal or Forge Kerberos Tickets
Current version: 1.4
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| external_references | | Sean Metcalf. (2014, September 12). Kerberos, Active Directory’s Secret Decoder Ring. Retrieved February 27, 2020. |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | CAPEC-652 | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-03-08 21:45:01.934000+00:00 | 2023-03-30 21:01:50.214000+00:00 |
| external_references[1]['source_name'] | capec | ADSecurity Kerberos Ring Decoder |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/652.html | https://adsecurity.org/?p=227 |
| external_references[2]['source_name'] | ADSecurity Kerberos Ring Decoder | Microsoft Klist |
| external_references[2]['description'] | Sean Metcalf. (2014, September 12). Kerberos, Active Directory’s Secret Decoder Ring. Retrieved February 27, 2020. | Microsoft. (2021, March 3). klist. Retrieved October 14, 2021. |
| external_references[2]['url'] | https://adsecurity.org/?p=227 | https://docs.microsoft.com/windows-server/administration/windows-commands/klist |
| external_references[3]['source_name'] | Microsoft Klist | MIT ccache |
| external_references[3]['description'] | Microsoft. (2021, March 3). klist. Retrieved October 14, 2021. | Massachusetts Institute of Technology. (n.d.). MIT Kerberos Documentation: Credential Cache. Retrieved October 4, 2021. |
| external_references[3]['url'] | https://docs.microsoft.com/windows-server/administration/windows-commands/klist | https://web.mit.edu/kerberos/krb5-1.12/doc/basic/ccache_def.html |
| external_references[4]['source_name'] | MIT ccache | Linux Kerberos Tickets |
| external_references[4]['description'] | Massachusetts Institute of Technology. (n.d.). MIT Kerberos Documentation: Credential Cache. Retrieved October 4, 2021. | Trevor Haskell. (2020, April 1). Kerberos Tickets on Linux Red Teams. Retrieved October 4, 2021. |
| external_references[4]['url'] | https://web.mit.edu/kerberos/krb5-1.12/doc/basic/ccache_def.html | https://www.fireeye.com/blog/threat-research/2020/04/kerberos-tickets-on-linux-red-teams.html |
| external_references[5]['source_name'] | Linux Kerberos Tickets | Brining MimiKatz to Unix |
| external_references[5]['description'] | Trevor Haskell. (2020, April 1). Kerberos Tickets on Linux Red Teams. Retrieved October 4, 2021. | Tim Wadhwa-Brown. (2018, November). Where 2 worlds collide Bringing Mimikatz et al to UNIX. Retrieved October 13, 2021. |
| external_references[5]['url'] | https://www.fireeye.com/blog/threat-research/2020/04/kerberos-tickets-on-linux-red-teams.html | https://labs.portcullis.co.uk/download/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf |
| external_references[6]['source_name'] | Brining MimiKatz to Unix | Kekeo |
| external_references[6]['description'] | Tim Wadhwa-Brown. (2018, November). Where 2 worlds collide Bringing Mimikatz et al to UNIX. Retrieved October 13, 2021. | Benjamin Delpy. (n.d.). Kekeo. Retrieved October 4, 2021. |
| external_references[6]['url'] | https://labs.portcullis.co.uk/download/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf | https://github.com/gentilkiwi/kekeo |
| external_references[7]['source_name'] | Kekeo | SpectorOps Bifrost Kerberos macOS 2019 |
| external_references[7]['description'] | Benjamin Delpy. (n.d.). Kekeo. Retrieved October 4, 2021. | Cody Thomas. (2019, November 14). When Kirbi walks the Bifrost. Retrieved October 6, 2021. |
| external_references[7]['url'] | https://github.com/gentilkiwi/kekeo | https://posts.specterops.io/when-kirbi-walks-the-bifrost-4c727807744f |
| external_references[8]['source_name'] | SpectorOps Bifrost Kerberos macOS 2019 | macOS kerberos framework MIT |
| external_references[8]['description'] | Cody Thomas. (2019, November 14). When Kirbi walks the Bifrost. Retrieved October 6, 2021. | Massachusetts Institute of Technology. (2007, October 27). Kerberos for Macintosh Preferences Documentation. Retrieved October 6, 2021. |
| external_references[8]['url'] | https://posts.specterops.io/when-kirbi-walks-the-bifrost-4c727807744f | http://web.mit.edu/macdev/KfM/Common/Documentation/preferences.html |
| external_references[9]['source_name'] | macOS kerberos framework MIT | ADSecurity Detecting Forged Tickets |
| external_references[9]['description'] | Massachusetts Institute of Technology. (2007, October 27). Kerberos for Macintosh Preferences Documentation. Retrieved October 6, 2021. | Metcalf, S. (2015, May 03). Detecting Forged Kerberos Ticket (Golden Ticket & Silver Ticket) Use in Active Directory. Retrieved December 23, 2015. |
| external_references[9]['url'] | http://web.mit.edu/macdev/KfM/Common/Documentation/preferences.html | https://adsecurity.org/?p=1515 |
| external_references[10]['source_name'] | ADSecurity Detecting Forged Tickets | Stealthbits Detect PtT 2019 |
| external_references[10]['description'] | Metcalf, S. (2015, May 03). Detecting Forged Kerberos Ticket (Golden Ticket & Silver Ticket) Use in Active Directory. Retrieved December 23, 2015. | Jeff Warren. (2019, February 19). How to Detect Pass-the-Ticket Attacks. Retrieved February 27, 2020. |
| external_references[10]['url'] | https://adsecurity.org/?p=1515 | https://blog.stealthbits.com/detect-pass-the-ticket-attacks |
| external_references[11]['source_name'] | Stealthbits Detect PtT 2019 | CERT-EU Golden Ticket Protection |
| external_references[11]['description'] | Jeff Warren. (2019, February 19). How to Detect Pass-the-Ticket Attacks. Retrieved February 27, 2020. | Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016, April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017. |
| external_references[11]['url'] | https://blog.stealthbits.com/detect-pass-the-ticket-attacks | https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf |
| external_references[12]['source_name'] | CERT-EU Golden Ticket Protection | Microsoft Kerberos Golden Ticket |
| external_references[12]['description'] | Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016, April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017. | Microsoft. (2015, March 24). Kerberos Golden Ticket Check (Updated). Retrieved February 27, 2020. |
| external_references[12]['url'] | https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf | https://gallery.technet.microsoft.com/scriptcenter/Kerberos-Golden-Ticket-b4814285 |
| external_references[13]['source_name'] | Microsoft Kerberos Golden Ticket | Microsoft Detecting Kerberoasting Feb 2018 |
| external_references[13]['description'] | Microsoft. (2015, March 24). Kerberos Golden Ticket Check (Updated). Retrieved February 27, 2020. | Bani, M. (2018, February 23). Detecting Kerberoasting activity using Azure Security Center. Retrieved March 23, 2018. |
| external_references[13]['url'] | https://gallery.technet.microsoft.com/scriptcenter/Kerberos-Golden-Ticket-b4814285 | https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/ |
| external_references[14]['source_name'] | Microsoft Detecting Kerberoasting Feb 2018 | AdSecurity Cracking Kerberos Dec 2015 |
| external_references[14]['description'] | Bani, M. (2018, February 23). Detecting Kerberoasting activity using Azure Security Center. Retrieved March 23, 2018. | Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory Domain. Retrieved March 22, 2018. |
| external_references[14]['url'] | https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/ | https://adsecurity.org/?p=2293 |
| external_references[15]['source_name'] | AdSecurity Cracking Kerberos Dec 2015 | Medium Detecting Attempts to Steal Passwords from Memory |
| external_references[15]['description'] | Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory Domain. Retrieved March 22, 2018. | French, D. (2018, October 2). Detecting Attempts to Steal Passwords from Memory. Retrieved October 11, 2019. |
| external_references[15]['url'] | https://adsecurity.org/?p=2293 | https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea |
| x_mitre_data_sources[0] | Command: Command Execution | Active Directory: Active Directory Credential Request |
| x_mitre_data_sources[1] | Logon Session: Logon Session Metadata | File: File Access |
| x_mitre_data_sources[2] | Active Directory: Active Directory Credential Request | Command: Command Execution |
| x_mitre_data_sources[3] | File: File Access | Logon Session: Logon Session Metadata |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'Medium Detecting Attempts to Steal Passwords from Memory', 'description': 'French, D. (2018, October 2). Detecting Attempts to Steal Passwords from Memory. Retrieved October 11, 2019.', 'url': 'https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea'} | |
[T1027.003] Obfuscated Files or Information: Steganography
Current version: 1.2
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| external_references | | Wikipedia. (2017, December 29). Duqu. Retrieved April 10, 2018. |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | CAPEC-636 | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-10-15 16:46:56.760000+00:00 | 2023-03-30 21:01:48.815000+00:00 |
| external_references[1]['source_name'] | capec | Wikipedia Duqu |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/636.html | https://en.wikipedia.org/wiki/Duqu |
| external_references[2]['source_name'] | Wikipedia Duqu | McAfee Malicious Doc Targets Pyeongchang Olympics |
| external_references[2]['description'] | Wikipedia. (2017, December 29). Duqu. Retrieved April 10, 2018. | Saavedra-Morales, J., Sherstobitoff, R. (2018, January 6). Malicious Document Targets Pyeongchang Olympics. Retrieved April 10, 2018. |
| external_references[2]['url'] | https://en.wikipedia.org/wiki/Duqu | https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/ |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'McAfee Malicious Doc Targets Pyeongchang Olympics', 'description': 'Saavedra-Morales, J., Sherstobitoff, R. (2018, January 6). Malicious Document Targets Pyeongchang Olympics. Retrieved April 10, 2018.', 'url': 'https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/'} | |
[T1195] Supply Chain Compromise
Current version: 1.5
Dropped Mitigations:
- T1195: Supply Chain Compromise Mitigation
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-28 16:03:22.870000+00:00 | 2023-03-30 21:01:42.446000+00:00 |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/437.html', 'external_id': 'CAPEC-437'} | |
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/438.html', 'external_id': 'CAPEC-438'} | |
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/439.html', 'external_id': 'CAPEC-439'} | |
[T1542.001] Pre-OS Boot: System Firmware
Current version: 1.0
Dropped Mitigations:
- T1019: System Firmware Mitigation
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| external_references | | Wikipedia. (n.d.). BIOS. Retrieved January 5, 2016. |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | CAPEC-532 | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2020-05-19 21:22:37.865000+00:00 | 2023-03-30 21:01:49.493000+00:00 |
| external_references[1]['source_name'] | capec | Wikipedia BIOS |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/532.html | https://en.wikipedia.org/wiki/BIOS |
| external_references[2]['source_name'] | Wikipedia BIOS | Wikipedia UEFI |
| external_references[2]['description'] | Wikipedia. (n.d.). BIOS. Retrieved January 5, 2016. | Wikipedia. (2017, July 10). Unified Extensible Firmware Interface. Retrieved July 11, 2017. |
| external_references[2]['url'] | https://en.wikipedia.org/wiki/BIOS | https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface |
| external_references[3]['source_name'] | Wikipedia UEFI | About UEFI |
| external_references[3]['description'] | Wikipedia. (2017, July 10). Unified Extensible Firmware Interface. Retrieved July 11, 2017. | UEFI Forum. (n.d.). About UEFI Forum. Retrieved January 5, 2016. |
| external_references[3]['url'] | https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface | http://www.uefi.org/about |
| external_references[4]['source_name'] | About UEFI | MITRE Trustworthy Firmware Measurement |
| external_references[4]['description'] | UEFI Forum. (n.d.). About UEFI Forum. Retrieved January 5, 2016. | Upham, K. (2014, March). Going Deep into the BIOS with MITRE Firmware Security Research. Retrieved January 5, 2016. |
| external_references[4]['url'] | http://www.uefi.org/about | http://www.mitre.org/publications/project-stories/going-deep-into-the-bios-with-mitre-firmware-security-research |
| external_references[5]['source_name'] | MITRE Trustworthy Firmware Measurement | MITRE Copernicus |
| external_references[5]['description'] | Upham, K. (2014, March). Going Deep into the BIOS with MITRE Firmware Security Research. Retrieved January 5, 2016. | Butterworth, J. (2013, July 30). Copernicus: Question Your Assumptions about BIOS Security. Retrieved December 11, 2015. |
| external_references[5]['url'] | http://www.mitre.org/publications/project-stories/going-deep-into-the-bios-with-mitre-firmware-security-research | http://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/copernicus-question-your-assumptions-about |
| external_references[6]['source_name'] | MITRE Copernicus | McAfee CHIPSEC Blog |
| external_references[6]['description'] | Butterworth, J. (2013, July 30). Copernicus: Question Your Assumptions about BIOS Security. Retrieved December 11, 2015. | Beek, C., Samani, R. (2017, March 8). CHIPSEC Support Against Vault 7 Disclosure Scanning. Retrieved March 13, 2017. |
| external_references[6]['url'] | http://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/copernicus-question-your-assumptions-about | https://securingtomorrow.mcafee.com/business/chipsec-support-vault-7-disclosure-scanning/ |
| external_references[7]['source_name'] | McAfee CHIPSEC Blog | Github CHIPSEC |
| external_references[7]['description'] | Beek, C., Samani, R. (2017, March 8). CHIPSEC Support Against Vault 7 Disclosure Scanning. Retrieved March 13, 2017. | Intel. (2017, March 18). CHIPSEC Platform Security Assessment Framework. Retrieved March 20, 2017. |
| external_references[7]['url'] | https://securingtomorrow.mcafee.com/business/chipsec-support-vault-7-disclosure-scanning/ | https://github.com/chipsec/chipsec |
| external_references[8]['source_name'] | Github CHIPSEC | Intel HackingTeam UEFI Rootkit |
| external_references[8]['description'] | Intel. (2017, March 18). CHIPSEC Platform Security Assessment Framework. Retrieved March 20, 2017. | Intel Security. (2005, July 16). HackingTeam's UEFI Rootkit Details. Retrieved March 20, 2017. |
| external_references[8]['url'] | https://github.com/chipsec/chipsec | http://www.intelsecurity.com/advanced-threat-research/content/data/HT-UEFI-rootkit.html |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'Intel HackingTeam UEFI Rootkit', 'description': "Intel Security. (2005, July 16). HackingTeam's UEFI Rootkit Details. Retrieved March 20, 2017.", 'url': 'http://www.intelsecurity.com/advanced-threat-research/content/data/HT-UEFI-rootkit.html'} | |
[T1082] System Information Discovery
Current version: 2.5
Dropped Mitigations:
- T1082: System Information Discovery Mitigation
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-09-06 22:11:56.413000+00:00 | 2023-03-30 21:01:40.871000+00:00 |
| x_mitre_data_sources[0] | Process: OS API Execution | Command: Command Execution |
| x_mitre_data_sources[2] | Command: Command Execution | Process: OS API Execution |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/312.html', 'external_id': 'CAPEC-312'} | |
[T1016] System Network Configuration Discovery
Current version: 1.5
Dropped Mitigations:
- T1016: System Network Configuration Discovery Mitigation
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-09-06 22:32:35.833000+00:00 | 2023-03-30 21:01:38.842000+00:00 |
| x_mitre_data_sources[0] | Command: Command Execution | Process: Process Creation |
| x_mitre_data_sources[1] | Script: Script Execution | Command: Command Execution |
| x_mitre_data_sources[2] | Process: Process Creation | Process: OS API Execution |
| x_mitre_data_sources[3] | Process: OS API Execution | Script: Script Execution |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/309.html', 'external_id': 'CAPEC-309'} | |
[T1080] Taint Shared Content
Current version: 1.3
Dropped Mitigations:
- T1080: Taint Shared Content Mitigation
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| external_references | | Routin, D. (2017, November 13). Abusing network shares for efficient lateral movements and privesc (DirSharePivot). Retrieved April 12, 2018. |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | CAPEC-562 | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-10-17 14:12:33.188000+00:00 | 2023-03-30 21:01:36.145000+00:00 |
| external_references[1]['source_name'] | capec | Retwin Directory Share Pivot |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/562.html | https://rewtin.blogspot.ch/2017/11/abusing-user-shares-for-efficient.html |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | | Process: Process Creation |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'Retwin Directory Share Pivot', 'description': 'Routin, D. (2017, November 13). Abusing network shares for efficient lateral movements and privesc (DirSharePivot). Retrieved April 12, 2018.', 'url': 'https://rewtin.blogspot.ch/2017/11/abusing-user-shares-for-efficient.html'} | |
| x_mitre_data_sources | Process: Process Creation | |
[T1021.005] Remote Services: VNC
Current version: 1.1
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| external_references | | T. Richardson, J. Levine, RealVNC Ltd.. (2011, March). The Remote Framebuffer Protocol. Retrieved September 20, 2021. |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | CAPEC-555 | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-10-07 22:14:25.528000+00:00 | 2023-03-30 21:01:46.879000+00:00 |
| external_references[1]['source_name'] | capec | The Remote Framebuffer Protocol |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/555.html | https://datatracker.ietf.org/doc/html/rfc6143#section-7.2.2 |
| external_references[2]['source_name'] | The Remote Framebuffer Protocol | MacOS VNC software for Remote Desktop |
| external_references[2]['description'] | T. Richardson, J. Levine, RealVNC Ltd.. (2011, March). The Remote Framebuffer Protocol. Retrieved September 20, 2021. | Apple Support. (n.d.). Set up a computer running VNC software for Remote Desktop. Retrieved August 18, 2021. |
| external_references[2]['url'] | https://datatracker.ietf.org/doc/html/rfc6143#section-7.2.2 | https://support.apple.com/guide/remote-desktop/set-up-a-computer-running-vnc-software-apdbed09830/mac |
| external_references[3]['source_name'] | MacOS VNC software for Remote Desktop | VNC Authentication |
| external_references[3]['description'] | Apple Support. (n.d.). Set up a computer running VNC software for Remote Desktop. Retrieved August 18, 2021. | Tegan. (2019, August 15). Setting up System Authentication. Retrieved September 20, 2021. |
| external_references[3]['url'] | https://support.apple.com/guide/remote-desktop/set-up-a-computer-running-vnc-software-apdbed09830/mac | https://help.realvnc.com/hc/en-us/articles/360002250097-Setting-up-System-Authentication |
| external_references[4]['source_name'] | VNC Authentication | Hijacking VNC |
| external_references[4]['description'] | Tegan. (2019, August 15). Setting up System Authentication. Retrieved September 20, 2021. | Z3RO. (2019, March 10). Day 70: Hijacking VNC (Enum, Brute, Access and Crack). Retrieved September 20, 2021. |
| external_references[4]['url'] | https://help.realvnc.com/hc/en-us/articles/360002250097-Setting-up-System-Authentication | https://int0x33.medium.com/day-70-hijacking-vnc-enum-brute-access-and-crack-d3d18a4601cc |
| external_references[5]['source_name'] | Hijacking VNC | macOS root VNC login without authentication |
| external_references[5]['description'] | Z3RO. (2019, March 10). Day 70: Hijacking VNC (Enum, Brute, Access and Crack). Retrieved September 20, 2021. | Nick Miles. (2017, November 30). Detecting macOS High Sierra root account without authentication. Retrieved September 20, 2021. |
| external_references[5]['url'] | https://int0x33.medium.com/day-70-hijacking-vnc-enum-brute-access-and-crack-d3d18a4601cc | https://www.tenable.com/blog/detecting-macos-high-sierra-root-account-without-authentication |
| external_references[6]['source_name'] | macOS root VNC login without authentication | VNC Vulnerabilities |
| external_references[6]['description'] | Nick Miles. (2017, November 30). Detecting macOS High Sierra root account without authentication. Retrieved September 20, 2021. | Sergiu Gatlan. (2019, November 22). Dozens of VNC Vulnerabilities Found in Linux, Windows Solutions. Retrieved September 20, 2021. |
| external_references[6]['url'] | https://www.tenable.com/blog/detecting-macos-high-sierra-root-account-without-authentication | https://www.bleepingcomputer.com/news/security/dozens-of-vnc-vulnerabilities-found-in-linux-windows-solutions/ |
| external_references[7]['source_name'] | VNC Vulnerabilities | Offensive Security VNC Authentication Check |
| external_references[7]['description'] | Sergiu Gatlan. (2019, November 22). Dozens of VNC Vulnerabilities Found in Linux, Windows Solutions. Retrieved September 20, 2021. | Offensive Security. (n.d.). VNC Authentication. Retrieved October 6, 2021. |
| external_references[7]['url'] | https://www.bleepingcomputer.com/news/security/dozens-of-vnc-vulnerabilities-found-in-linux-windows-solutions/ | https://www.offensive-security.com/metasploit-unleashed/vnc-authentication/ |
| external_references[8]['source_name'] | Offensive Security VNC Authentication Check | Attacking VNC Servers PentestLab |
| external_references[8]['description'] | Offensive Security. (n.d.). VNC Authentication. Retrieved October 6, 2021. | Administrator, Penetration Testing Lab. (2012, October 30). Attacking VNC Servers. Retrieved October 6, 2021. |
| external_references[8]['url'] | https://www.offensive-security.com/metasploit-unleashed/vnc-authentication/ | https://pentestlab.blog/2012/10/30/attacking-vnc-servers/ |
| external_references[9]['source_name'] | Attacking VNC Servers PentestLab | Havana authentication bug |
| external_references[9]['description'] | Administrator, Penetration Testing Lab. (2012, October 30). Attacking VNC Servers. Retrieved October 6, 2021. | Jay Pipes. (2013, December 23). Security Breach! Tenant A is seeing the VNC Consoles of Tenant B!. Retrieved October 6, 2021. |
| external_references[9]['url'] | https://pentestlab.blog/2012/10/30/attacking-vnc-servers/ | http://lists.openstack.org/pipermail/openstack/2013-December/004138.html |
| external_references[10]['source_name'] | Havana authentication bug | Apple Unified Log Analysis Remote Login and Screen Sharing |
| external_references[10]['description'] | Jay Pipes. (2013, December 23). Security Breach! Tenant A is seeing the VNC Consoles of Tenant B!. Retrieved October 6, 2021. | Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs: Quarantine Edition [Entry 6] – Working From Home? Remote Logins. Retrieved August 19, 2021. |
| external_references[10]['url'] | http://lists.openstack.org/pipermail/openstack/2013-December/004138.html | https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins |
| external_references[11]['source_name'] | Apple Unified Log Analysis Remote Login and Screen Sharing | Gnome Remote Desktop grd-settings |
| external_references[11]['description'] | Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs: Quarantine Edition [Entry 6] – Working From Home? Remote Logins. Retrieved August 19, 2021. | Pascal Nowack. (n.d.). Retrieved September 21, 2021. |
| external_references[11]['url'] | https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins | https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/blob/9aa9181e/src/grd-settings.c#L207 |
| external_references[12]['source_name'] | Gnome Remote Desktop grd-settings | Gnome Remote Desktop gschema |
| external_references[12]['url'] | https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/blob/9aa9181e/src/grd-settings.c#L207 | https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/blob/9aa9181e/src/org.gnome.desktop.remote-desktop.gschema.xml.in |
| x_mitre_data_sources[1] | Logon Session: Logon Session Creation | Network Traffic: Network Connection Creation |
| x_mitre_data_sources[2] | Network Traffic: Network Connection Creation | Logon Session: Logon Session Creation |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'Gnome Remote Desktop gschema', 'description': 'Pascal Nowack. (n.d.). Retrieved September 21, 2021.', 'url': 'https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/blob/9aa9181e/src/org.gnome.desktop.remote-desktop.gschema.xml.in'} | |
[T1125] Video Capture
Current version: 1.1
Dropped Mitigations:
- T1125: Video Capture Mitigation
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| external_references | | Patrick Wardle. (n.d.). Retrieved March 20, 2018. |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | CAPEC-634 | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-03-15 20:06:04.793000+00:00 | 2023-03-30 21:01:37.205000+00:00 |
| external_references[1]['source_name'] | capec | objective-see 2017 review |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/634.html | https://objective-see.com/blog/blog_0x25.html |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'objective-see 2017 review', 'description': 'Patrick Wardle. (n.d.). Retrieved March 20, 2018.', 'url': 'https://objective-see.com/blog/blog_0x25.html'} | |
[T1595.002] Active Scanning: Vulnerability Scanning
Current version: 1.0
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-04-15 03:20:09.446000+00:00 | 2023-03-13 20:46:31.907000+00:00 |
| external_references[1]['description'] | OWASP Wiki. (2018, February 16). OAT-014 Vulnerability Scanning. Retrieved October 20, 2020. | OWASP. (n.d.). OAT-014 Vulnerability Scanning. Retrieved October 20, 2020. |
| external_references[1]['url'] | https://wiki.owasp.org/index.php/OAT-014_Vulnerability_Scanning | https://owasp.org/www-project-automated-threats-to-web-applications/assets/oats/EN/OAT-014_Vulnerability_Scanning |
| x_mitre_data_sources[0] | Network Traffic: Network Traffic Content | Network Traffic: Network Traffic Flow |
| x_mitre_data_sources[1] | Network Traffic: Network Traffic Flow | Network Traffic: Network Traffic Content |
[T1056.003] Input Capture: Web Portal Capture
Current version: 1.0
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| external_references | | Adair, S. (2015, October 7). Virtual Private Keylogging: Cisco Web VPNs Leveraged for Access and Persistence. Retrieved March 20, 2017. |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | CAPEC-569 | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2020-03-24 21:16:16.580000+00:00 | 2023-03-30 21:01:46.711000+00:00 |
| external_references[1]['source_name'] | capec | Volexity Virtual Private Keylogging |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/569.html | https://www.volexity.com/blog/2015/10/07/virtual-private-keylogging-cisco-web-vpns-leveraged-for-access-and-persistence/ |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'Volexity Virtual Private Keylogging', 'description': 'Adair, S. (2015, October 7). Virtual Private Keylogging: Cisco Web VPNs Leveraged for Access and Persistence. Retrieved March 20, 2017.', 'url': 'https://www.volexity.com/blog/2015/10/07/virtual-private-keylogging-cisco-web-vpns-leveraged-for-access-and-persistence/'} | |
[T1550.004] Use Alternate Authentication Material: Web Session Cookie
Current version: 1.3
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| external_references | | Rehberger, J. (2018, December). Pivot to the Cloud using Pass the Cookie. Retrieved April 5, 2019. |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | CAPEC-60 | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-10-12 14:22:09.650000+00:00 | 2023-03-30 21:01:51.836000+00:00 |
| external_references[1]['source_name'] | capec | Pass The Cookie |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/60.html | https://wunderwuzzi23.github.io/blog/passthecookie.html |
| external_references[2]['source_name'] | Pass The Cookie | Unit 42 Mac Crypto Cookies January 2019 |
| external_references[2]['description'] | Rehberger, J. (2018, December). Pivot to the Cloud using Pass the Cookie. Retrieved April 5, 2019. | Chen, Y., Hu, W., Xu, Z., et. al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved October 14, 2019. |
| external_references[2]['url'] | https://wunderwuzzi23.github.io/blog/passthecookie.html | https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/ |
| x_mitre_data_sources[0] | Web Credential: Web Credential Usage | Application Log: Application Log Content |
| x_mitre_data_sources[1] | Application Log: Application Log Content | Web Credential: Web Credential Usage |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'Unit 42 Mac Crypto Cookies January 2019', 'description': 'Chen, Y., Hu, W., Xu, Z., et. al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved October 14, 2019.', 'url': 'https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/'} | |
[T1505.003] Server Software Component: Web Shell
Current version: 1.3
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-19 20:11:07.800000+00:00 | 2023-03-30 21:01:53.223000+00:00 |
| x_mitre_data_sources[0] | Network Traffic: Network Traffic Content | Process: Process Creation |
| x_mitre_data_sources[1] | File: File Modification | Network Traffic: Network Traffic Content |
| x_mitre_data_sources[2] | Network Traffic: Network Traffic Flow | Application Log: Application Log Content |
| x_mitre_data_sources[3] | Application Log: Application Log Content | Network Traffic: Network Traffic Flow |
| x_mitre_data_sources[5] | Process: Process Creation | File: File Modification |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/650.html', 'external_id': 'CAPEC-650'} | |
[T1547.004] Boot or Logon Autostart Execution: Winlogon Helper DLL
Current version: 1.0
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-20 16:32:14.691000+00:00 | 2023-03-30 21:01:47.069000+00:00 |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/579.html', 'external_id': 'CAPEC-579'} | |
mobile-attack
Minor Version Changes
[T1626] Abuse Elevation Control Mechanism
Current version: 1.1
Version changed from: 1.0 → 1.1
New Detections:
- DS0041: Application Vetting (Permissions Requests)
- DS0042: User Interface (Permissions Request)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-05 16:53:29.994000+00:00 | 2023-03-15 16:23:59.281000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[T1517] Access Notifications
Current version: 1.2
Version changed from: 1.1 → 1.2
New Detections:
- DS0041: Application Vetting (Permissions Requests)
- DS0042: User Interface (System Settings)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-11 15:54:08.965000+00:00 | 2023-03-15 16:26:05.050000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.1 | 1.2 |
[T1640] Account Access Removal
Current version: 1.1
Version changed from: 1.0 → 1.1
New Detections:
- DS0041: Application Vetting (Permissions Requests)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-06 13:29:47.590000+00:00 | 2023-03-15 16:34:51.917000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[T1638] Adversary-in-the-Middle
Current version: 2.1
Version changed from: 2.0 → 2.1
New Detections:
- DS0029: Network Traffic (Network Connection Creation)
- DS0041: Application Vetting (Protected Configuration)
- DS0042: User Interface (Permissions Request)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-11 19:27:44.048000+00:00 | 2023-03-15 16:39:32.207000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 2.0 | 2.1 |
[T1429] Audio Capture
Current version: 3.1
Version changed from: 3.0 → 3.1
New Detections:
- DS0041: Application Vetting (Permissions Requests)
- DS0042: User Interface (System Settings)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-29 17:29:49.023000+00:00 | 2023-03-16 13:31:29.924000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 3.0 | 3.1 |
[T1481.002] Web Service: Bidirectional Communication
Current version: 1.1
Version changed from: 1.0 → 1.1
New Detections:
- DS0029: Network Traffic (Network Connection Creation)
- DS0041: Application Vetting (Network Communication)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-06 15:47:06.071000+00:00 | 2023-03-16 13:32:55.266000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[T1398] Boot or Logon Initialization Scripts
Current version: 2.1
Version changed from: 2.0 → 2.1
New Detections:
- DS0013: Sensor Health (Host Status)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-11 14:33:11.096000+00:00 | 2023-03-16 18:26:46.043000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 2.0 | 2.1 |
[T1624.001] Event Triggered Execution: Broadcast Receivers
Current version: 1.1
Version changed from: 1.0 → 1.1
New Detections:
- DS0041: Application Vetting (Permissions Requests)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-19 16:49:10.650000+00:00 | 2023-03-16 18:27:42.752000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[T1636.001] Protected User Data: Calendar Entries
Current version: 1.1
Version changed from: 1.0 → 1.1
New Detections:
- DS0041: Application Vetting (Permissions Requests)
- DS0042: User Interface (System Settings)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-11 19:33:41.984000+00:00 | 2023-03-16 18:28:28.234000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[T1616] Call Control
Current version: 1.1
Version changed from: 1.0 → 1.1
New Detections:
- DS0041: Application Vetting (Permissions Requests)
- DS0042: User Interface (System Settings)
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_deprecated | | False |
| external_references | | Google. (2021, August 11). Manifest.permission. Retrieved September 22, 2021. |
| external_references | | CEL-18 |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | APP-41 | |
| external_references | Google. (2021, August 11). Manifest.permission. Retrieved September 22, 2021. | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-16 18:31:37.189000+00:00 |
| external_references[1]['source_name'] | NIST Mobile Threat Catalogue | Android Permissions |
| external_references[1]['url'] | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-41.html | https://developer.android.com/reference/android/Manifest.permission |
| external_references[2]['url'] | https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-42.html | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-41.html |
| external_references[2]['external_id'] | CEL-42 | APP-41 |
| external_references[3]['url'] | https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-36.html | https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-42.html |
| external_references[3]['external_id'] | CEL-36 | CEL-42 |
| external_references[4]['url'] | https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-18.html | https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-36.html |
| external_references[4]['external_id'] | CEL-18 | CEL-36 |
| external_references[5]['source_name'] | Android Permissions | NIST Mobile Threat Catalogue |
| external_references[5]['url'] | https://developer.android.com/reference/android/Manifest.permission | https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-18.html |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[T1636.002] Protected User Data: Call Log
Current version: 1.1
Version changed from: 1.0 → 1.1
New Detections:
- DS0041: Application Vetting (Permissions Requests)
- DS0042: User Interface (System Settings)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-29 17:29:34.081000+00:00 | 2023-03-16 18:32:30.150000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[T1414] Clipboard Data
Current version: 3.1
Version changed from: 3.0 → 3.1
New Detections:
- DS0041: Application Vetting (API Calls)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-19 19:29:45.323000+00:00 | 2023-03-16 18:33:20.042000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 3.0 | 3.1 |
[T1632.001] Subvert Trust Controls: Code Signing Policy Modification
Current version: 1.1
Version changed from: 1.0 → 1.1
New Detections:
- DS0042: User Interface (System Settings)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-21 17:31:50.071000+00:00 | 2023-03-16 18:37:55.822000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[T1623] Command and Scripting Interpreter
Current version: 1.1
Version changed from: 1.0 → 1.1
New Detections:
- DS0009: Process (Process Creation)
- DS0009: Process (Process Metadata)
- DS0041: Application Vetting (API Calls)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-06 12:14:24.393000+00:00 | 2023-03-20 15:16:19.547000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[T1645] Compromise Client Software Binary
Current version: 1.1
Version changed from: 1.0 → 1.1
New Detections:
- DS0013: Sensor Health (Host Status)
- DS0041: Application Vetting (API Calls)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-08 15:38:38.744000+00:00 | 2023-03-20 15:20:11.752000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[T1474.002] Supply Chain Compromise: Compromise Hardware Supply Chain
Current version: 1.1
Version changed from: 1.0 → 1.1
New Detections:
- DS0013: Sensor Health (Host Status)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-05 16:40:45.961000+00:00 | 2023-03-20 15:21:12.603000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[T1474.001] Supply Chain Compromise: Compromise Software Dependencies and Development Tools
Current version: 1.1
Version changed from: 1.0 → 1.1
New Detections:
- DS0041: Application Vetting (API Calls)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-05 16:39:08.984000+00:00 | 2023-03-20 15:28:54.940000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[T1474.003] Supply Chain Compromise: Compromise Software Supply Chain
Current version: 1.1
Version changed from: 1.0 → 1.1
New Detections:
- DS0013: Sensor Health (Host Status)
- DS0041: Application Vetting (API Calls)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-05 16:43:41.342000+00:00 | 2023-03-20 15:32:37.109000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[T1636.003] Protected User Data: Contact List
Current version: 1.1
Version changed from: 1.0 → 1.1
New Detections:
- DS0041: Application Vetting (Permissions Requests)
- DS0042: User Interface (System Settings)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-11 19:38:50.942000+00:00 | 2023-03-20 15:40:11.937000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[T1634] Credentials from Password Store
Current version: 1.1
Version changed from: 1.0 → 1.1
New Detections:
- DS0013: Sensor Health (Host Status)
- DS0041: Application Vetting (API Calls)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-05 17:08:36.315000+00:00 | 2023-03-20 15:45:44.103000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[T1471] Data Encrypted for Impact
Current version: 3.2
Version changed from: 3.1 → 3.2
New Detections:
- DS0041: Application Vetting (API Calls)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-06 13:31:22.485000+00:00 | 2023-03-20 15:55:09.397000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 3.1 | 3.2 |
[T1641] Data Manipulation
Current version: 1.1
Version changed from: 1.0 → 1.1
New Detections:
- DS0041: Application Vetting (API Calls)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-06 13:35:57.044000+00:00 | 2023-03-20 15:55:32.497000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[T1481.001] Web Service: Dead Drop Resolver
Current version: 1.1
Version changed from: 1.0 → 1.1
New Detections:
- DS0041: Application Vetting (Network Communication)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-06 15:41:03.914000+00:00 | 2023-03-20 15:56:04.790000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[T1626.001] Abuse Elevation Control Mechanism: Device Administrator Permissions
Current version: 1.1
Version changed from: 1.0 → 1.1
New Detections:
- DS0041: Application Vetting (Permissions Requests)
- DS0042: User Interface (Permissions Request)
- DS0042: User Interface (System Settings)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-06 14:19:17.679000+00:00 | 2023-03-20 15:56:34.537000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[T1629.002] Impair Defenses: Device Lockout
Current version: 1.1
Version changed from: 1.0 → 1.1
New Detections:
- DS0042: User Interface (System Settings)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-05 16:59:33.363000+00:00 | 2023-03-20 18:39:10.201000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[T1629.003] Impair Defenses: Disable or Modify Tools
Current version: 1.1
Version changed from: 1.0 → 1.1
New Detections:
- DS0042: User Interface (System Settings)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-05 16:59:57.851000+00:00 | 2023-03-20 18:40:12.912000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[T1630.003] Indicator Removal on Host: Disguise Root/Jailbreak Indicators
Current version: 1.1
Version changed from: 1.0 → 1.1
New Detections:
- DS0013: Sensor Health (Host Status)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-11 15:46:23.223000+00:00 | 2023-03-20 18:18:29.556000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[T1407] Download New Code at Runtime
Current version: 1.4
Version changed from: 1.3 → 1.4
New Detections:
- DS0029: Network Traffic (Network Traffic Content)
- DS0041: Application Vetting (API Calls)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-06 12:26:31.735000+00:00 | 2023-03-20 18:21:59.494000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.3 | 1.4 |
[T1456] Drive-By Compromise
Current version: 2.1
Version changed from: 2.0 → 2.1
New Detections:
- DS0013: Sensor Health (Host Status)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-19 15:32:30.837000+00:00 | 2023-03-20 18:24:56.530000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 2.0 | 2.1 |
[T1642] Endpoint Denial of Service
Current version: 1.1
Version changed from: 1.0 → 1.1
New Detections:
- DS0041: Application Vetting (Permissions Requests)
- DS0042: User Interface (System Settings)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-19 21:17:48.281000+00:00 | 2023-03-20 18:41:56.376000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[T1624] Event Triggered Execution
Current version: 1.1
Version changed from: 1.0 → 1.1
New Detections:
- DS0041: Application Vetting (Permissions Requests)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-29 17:28:39.379000+00:00 | 2023-03-20 18:43:46.177000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[T1627] Execution Guardrails
Current version: 1.1
Version changed from: 1.0 → 1.1
New Detections:
- DS0041: Application Vetting (API Calls)
- DS0041: Application Vetting (Permissions Requests)
- DS0042: User Interface (System Settings)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-11 15:08:20.821000+00:00 | 2023-03-20 18:44:26.317000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[T1404] Exploitation for Privilege Escalation
Current version: 2.1
Version changed from: 2.0 → 2.1
New Detections:
- DS0013: Sensor Health (Host Status)
- DS0041: Application Vetting (API Calls)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-03-30 15:51:08.258000+00:00 | 2023-03-20 18:49:53.301000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 2.0 | 2.1 |
[T1428] Exploitation of Remote Services
Current version: 1.2
Version changed from: 1.1 → 1.2
New Detections:
- DS0029: Network Traffic (Network Traffic Content)
- DS0041: Application Vetting (Network Communication)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-06 12:45:44.023000+00:00 | 2023-03-20 18:51:07.651000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.1 | 1.2 |
[T1630.002] Indicator Removal on Host: File Deletion
Current version: 1.1
Version changed from: 1.0 → 1.1
New Detections:
- DS0041: Application Vetting (Permissions Requests)
- DS0042: User Interface (System Settings)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-21 17:32:45.989000+00:00 | 2023-03-20 18:52:24.758000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[T1420] File and Directory Discovery
Current version: 1.2
Version changed from: 1.1 → 1.2
New Detections:
- DS0042: User Interface (Permissions Request)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-19 19:52:12.345000+00:00 | 2023-03-20 18:53:35.087000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.1 | 1.2 |
[T1541] Foreground Persistence
Current version: 2.1
Version changed from: 2.0 → 2.1
New Detections:
- DS0041: Application Vetting (API Calls)
- DS0042: User Interface (System Notifications)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-08 15:38:03.160000+00:00 | 2023-03-20 18:54:25.564000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 2.0 | 2.1 |
[T1417.002] Input Capture: GUI Input Capture
Current version: 1.1
Version changed from: 1.0 → 1.1
New Detections:
- DS0041: Application Vetting (Permissions Requests)
- DS0042: User Interface (System Settings)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-05 19:48:31.195000+00:00 | 2023-03-20 18:55:51.676000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[T1643] Generate Traffic from Victim
Current version: 1.1
Version changed from: 1.0 → 1.1
New Detections:
- DS0041: Application Vetting (Permissions Requests)
- DS0042: User Interface (System Settings)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-06 13:55:14.390000+00:00 | 2023-03-20 18:57:17.144000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[T1627.001] Execution Guardrails: Geofencing
Current version: 1.1
Version changed from: 1.0 → 1.1
New Detections:
- DS0041: Application Vetting (API Calls)
- DS0041: Application Vetting (Permissions Requests)
- DS0042: User Interface (System Notifications)
- DS0042: User Interface (System Settings)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-21 17:30:57.081000+00:00 | 2023-03-20 18:58:14.240000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[T1628] Hide Artifacts
Current version: 1.1
Version changed from: 1.0 → 1.1
New Detections:
- DS0041: Application Vetting (API Calls)
- DS0042: User Interface (System Settings)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-08 15:44:24.536000+00:00 | 2023-03-20 18:59:57.485000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[T1625] Hijack Execution Flow
Current version: 1.1
Version changed from: 1.0 → 1.1
New Detections:
- DS0013: Sensor Health (Host Status)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-05 16:52:19.152000+00:00 | 2023-03-20 18:59:46.686000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[T1629] Impair Defenses
Current version: 1.1
Version changed from: 1.0 → 1.1
New Detections:
- DS0009: Process (Process Termination)
- DS0041: Application Vetting (API Calls)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-05 16:57:50.075000+00:00 | 2023-03-20 18:59:55.849000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[T1430.002] Location Tracking: Impersonate SS7 Nodes
Current version: 1.1
Version changed from: 1.0 → 1.1
New Detections:
- DS0029: Network Traffic (Network Traffic Flow)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-21 13:44:56.301000+00:00 | 2023-03-20 18:41:45.256000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[T1630] Indicator Removal on Host
Current version: 1.1
Version changed from: 1.0 → 1.1
New Detections:
- DS0041: Application Vetting (Permissions Requests)
- DS0042: User Interface (System Settings)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-08 15:44:56.484000+00:00 | 2023-03-20 18:42:18.121000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[T1544] Ingress Tool Transfer
Current version: 2.1
Version changed from: 2.0 → 2.1
New Detections:
- DS0041: Application Vetting (Network Communication)
- DS0041: Application Vetting (Permissions Requests)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-06 14:46:25.107000+00:00 | 2023-03-20 18:43:44.687000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 2.0 | 2.1 |
[T1417] Input Capture
Current version: 2.3
Version changed from: 2.2 → 2.3
New Detections:
- DS0041: Application Vetting (Permissions Requests)
- DS0042: User Interface (System Settings)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-11 18:48:26.111000+00:00 | 2023-03-20 18:44:36.145000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 2.2 | 2.3 |
[T1634.001] Credentials from Password Store: Keychain
Current version: 1.1
Version changed from: 1.0 → 1.1
New Detections:
- DS0013: Sensor Health (Host Status)
- DS0041: Application Vetting (API Calls)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-05 17:09:03.861000+00:00 | 2023-03-20 18:45:39.362000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[T1417.001] Input Capture: Keylogging
Current version: 1.1
Version changed from: 1.0 → 1.1
New Detections:
- DS0041: Application Vetting (Permissions Requests)
- DS0042: User Interface (System Settings)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-19 19:37:19.862000+00:00 | 2023-03-20 18:48:39.936000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[T1430] Location Tracking
Current version: 1.2
Version changed from: 1.1 → 1.2
New Detections:
- DS0041: Application Vetting (Permissions Requests)
- DS0042: User Interface (System Settings)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-01 17:05:16.493000+00:00 | 2023-03-20 18:50:21.363000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.1 | 1.2 |
[T1464] Network Denial of Service
Current version: 1.3
Version changed from: 1.2 → 1.3
New Detections:
- DS0042: User Interface (System Notifications)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-06 13:26:42.303000+00:00 | 2023-03-20 18:51:23.109000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.2 | 1.3 |
[T1509] Non-Standard Port
Current version: 2.1
Version changed from: 2.0 → 2.1
New Detections:
- DS0029: Network Traffic (Network Traffic Flow)
- DS0041: Application Vetting (Network Communication)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-06 14:50:16.409000+00:00 | 2023-03-20 18:51:58.228000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 2.0 | 2.1 |
[T1481.003] Web Service: One-Way Communication
Current version: 1.1
Version changed from: 1.0 → 1.1
New Detections:
- DS0041: Application Vetting (Network Communication)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-06 15:52:07.711000+00:00 | 2023-03-20 18:53:34.118000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[T1644] Out of Band Data
Current version: 2.1
Version changed from: 2.0 → 2.1
New Detections:
- DS0042: User Interface (System Notifications)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-29 17:29:15.978000+00:00 | 2023-03-20 18:53:59.025000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 2.0 | 2.1 |
[T1629.001] Impair Defenses: Prevent Application Removal
Current version: 1.1
Version changed from: 1.0 → 1.1
New Detections:
- DS0042: User Interface (System Settings)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-05 16:59:01.549000+00:00 | 2023-03-20 18:54:36.502000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[T1424] Process Discovery
Current version: 2.1
Version changed from: 2.0 → 2.1
New Detections:
- DS0041: Application Vetting (API Calls)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-03-30 20:32:19.942000+00:00 | 2023-03-20 18:55:23.702000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 2.0 | 2.1 |
[T1631] Process Injection
Current version: 1.1
Version changed from: 1.0 → 1.1
New Detections:
- DS0041: Application Vetting (API Calls)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-05 17:05:09.653000+00:00 | 2023-03-20 18:55:54.442000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[T1636] Protected User Data
Current version: 1.1
Version changed from: 1.0 → 1.1
New Detections:
- DS0041: Application Vetting (Permissions Requests)
- DS0042: User Interface (System Settings)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-11 19:31:34.018000+00:00 | 2023-03-20 18:56:20.270000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[T1604] Proxy Through Victim
Current version: 1.1
Version changed from: 1.0 → 1.1
New Detections:
- DS0029: Network Traffic (Network Traffic Flow)
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-20 18:57:14.285000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[T1631.001] Process Injection: Ptrace System Calls
Current version: 1.1
Version changed from: 1.0 → 1.1
New Detections:
- DS0041: Application Vetting (API Calls)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-05 17:05:37.431000+00:00 | 2023-03-20 18:57:40.571000+00:00 |
| external_references[1]['source_name'] | PTRACE man | BH Linux Inject |
| external_references[1]['description'] | Kerrisk, M. (2020, February 9). PTRACE(2) - Linux Programmer's Manual. Retrieved February 21, 2020. | Colgan, T. (2015, August 15). Linux-Inject. Retrieved February 21, 2020. |
| external_references[1]['url'] | http://man7.org/linux/man-pages/man2/ptrace.2.html | https://github.com/gaffe23/linux-inject/blob/master/slides_BHArsenal2015.pdf |
| external_references[3]['source_name'] | BH Linux Inject | PTRACE man |
| external_references[3]['description'] | Colgan, T. (2015, August 15). Linux-Inject. Retrieved February 21, 2020. | Kerrisk, M. (2020, February 9). PTRACE(2) - Linux Programmer's Manual. Retrieved February 21, 2020. |
| external_references[3]['url'] | https://github.com/gaffe23/linux-inject/blob/master/slides_BHArsenal2015.pdf | http://man7.org/linux/man-pages/man2/ptrace.2.html |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[T1430.001] Location Tracking: Remote Device Management Services
Current version: 1.1
Version changed from: 1.0 → 1.1
New Detections:
- DS0042: User Interface (System Notifications)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-21 13:44:31.305000+00:00 | 2023-03-20 18:58:20.113000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[T1582] SMS Control
Current version: 1.1
Version changed from: 1.0 → 1.1
New Detections:
- DS0042: User Interface (System Settings)
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_deprecated | | False |
| external_references | | Google. (n.d.). SmsProvider.java. Retrieved September 11, 2020. |
| external_references | | S.Main, D. Braun. (2013, October 14). Getting Your SMS Apps Ready for KitKat. Retrieved September 11, 2020. |
| external_references | | APP-16 |
| external_references | | CEL-41 |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | APP-16 | |
| external_references | CEL-41 | |
| external_references | S.Main, D. Braun. (2013, October 14). Getting Your SMS Apps Ready for KitKat. Retrieved September 11, 2020. | |
| external_references | Google. (n.d.). SmsProvider.java. Retrieved September 11, 2020. | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-20 18:58:57.001000+00:00 |
| external_references[1]['source_name'] | NIST Mobile Threat Catalogue | Android SmsProvider |
| external_references[1]['url'] | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-16.html | https://android.googlesource.com/platform/packages/providers/TelephonyProvider/+/7e7c274/src/com/android/providers/telephony/SmsProvider.java |
| external_references[2]['source_name'] | NIST Mobile Threat Catalogue | SMS KitKat |
| external_references[2]['url'] | https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-41.html | https://android-developers.googleblog.com/2013/10/getting-your-sms-apps-ready-for-kitkat.html |
| external_references[3]['source_name'] | SMS KitKat | NIST Mobile Threat Catalogue |
| external_references[3]['url'] | https://android-developers.googleblog.com/2013/10/getting-your-sms-apps-ready-for-kitkat.html | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-16.html |
| external_references[4]['source_name'] | Android SmsProvider | NIST Mobile Threat Catalogue |
| external_references[4]['url'] | https://android.googlesource.com/platform/packages/providers/TelephonyProvider/+/7e7c274/src/com/android/providers/telephony/SmsProvider.java | https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-41.html |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[T1636.004] Protected User Data: SMS Messages
Current version: 1.1
Version changed from: 1.0 → 1.1
New Detections:
- DS0041: Application Vetting (Permissions Requests)
- DS0042: User Interface (System Settings)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-11 19:40:28.979000+00:00 | 2023-03-20 18:58:33.873000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[T1513] Screen Capture
Current version: 1.3
Version changed from: 1.2 → 1.3
New Detections:
- DS0041: Application Vetting (API Calls)
- DS0042: User Interface (System Settings)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-01 13:31:00.559000+00:00 | 2023-03-20 18:57:43.022000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.2 | 1.3 |
[T1418.001] Software Discovery: Security Software Discovery
Current version: 1.1
Version changed from: 1.0 → 1.1
New Detections:
- DS0041: Application Vetting (API Calls)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-11 19:17:09.165000+00:00 | 2023-03-20 18:55:33.642000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[T1418] Software Discovery
Current version: 2.1
Version changed from: 2.0 → 2.1
New Detections:
- DS0041: Application Vetting (API Calls)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-03-30 20:41:40.719000+00:00 | 2023-03-20 18:55:03.477000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 2.0 | 2.1 |
[T1406.002] Obfuscated Files or Information: Software Packing
Current version: 1.1
Version changed from: 1.0 → 1.1
New Detections:
- DS0041: Application Vetting (API Calls)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-21 17:32:15.993000+00:00 | 2023-03-20 18:54:40.501000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[T1635] Steal Application Access Token
Current version: 1.1
Version changed from: 1.0 → 1.1
New Detections:
- DS0041: Application Vetting (API Calls)
- DS0042: User Interface (System Notifications)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-05 17:11:24.641000+00:00 | 2023-03-20 18:53:52.292000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[T1409] Stored Application Data
Current version: 3.1
Version changed from: 3.0 → 3.1
New Detections:
- DS0041: Application Vetting (API Calls)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-11 19:41:54.022000+00:00 | 2023-03-20 18:53:16.029000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 3.0 | 3.1 |
[T1632] Subvert Trust Controls
Current version: 1.1
Version changed from: 1.0 → 1.1
New Detections:
- DS0042: User Interface (System Settings)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-08 15:47:12.903000+00:00 | 2023-03-20 18:52:52.097000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[T1474] Supply Chain Compromise
Current version: 2.1
Version changed from: 2.0 → 2.1
New Detections:
- DS0041: Application Vetting (API Calls)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-03-28 19:41:56.018000+00:00 | 2023-03-20 18:52:29.947000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 2.0 | 2.1 |
[T1628.001] Hide Artifacts: Suppress Application Icon
Current version: 1.1
Version changed from: 1.0 → 1.1
New Detections:
- DS0041: Application Vetting (API Calls)
- DS0042: User Interface (System Settings)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-05-20 17:16:08.997000+00:00 | 2023-03-20 18:51:29.931000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[T1633.001] Virtualization/Sandbox Evasion: System Checks
Current version: 1.1
Version changed from: 1.0 → 1.1
New Detections:
- DS0041: Application Vetting (API Calls)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-21 17:34:12.113000+00:00 | 2023-03-20 18:51:04.432000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[T1422] System Network Configuration Discovery
Current version: 2.3
Version changed from: 2.2 → 2.3
New Detections:
- DS0041: Application Vetting (Permissions Requests)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-03-30 21:04:12.723000+00:00 | 2023-03-20 18:50:32.697000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 2.2 | 2.3 |
[T1625.001] Hijack Execution Flow: System Runtime API Hijacking
Current version: 1.1
Version changed from: 1.0 → 1.1
New Detections:
- DS0013: Sensor Health (Host Status)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-05 16:52:49.037000+00:00 | 2023-03-20 18:46:08.412000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[T1641.001] Data Manipulation: Transmitted Data Manipulation
Current version: 1.1
Version changed from: 1.0 → 1.1
New Detections:
- DS0041: Application Vetting (API Calls)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-21 17:34:52.311000+00:00 | 2023-03-20 18:44:26.748000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[T1635.001] Steal Application Access Token: URI Hijacking
Current version: 1.1
Version changed from: 1.0 → 1.1
New Detections:
- DS0041: Application Vetting (API Calls)
- DS0042: User Interface (System Notifications)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-06 12:44:03.799000+00:00 | 2023-03-20 18:43:49.443000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[T1630.001] Indicator Removal on Host: Uninstall Malicious Application
Current version: 1.1
Version changed from: 1.0 → 1.1
New Detections:
- DS0041: Application Vetting (API Calls)
- DS0042: User Interface (System Settings)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-21 17:33:44.504000+00:00 | 2023-03-20 18:43:03.218000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[T1623.001] Command and Scripting Interpreter: Unix Shell
Current version: 1.1
Version changed from: 1.0 → 1.1
New Detections:
- DS0009: Process (Process Metadata)
- DS0017: Command (Command Execution)
- DS0041: Application Vetting (API Calls)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-05 16:45:47.619000+00:00 | 2023-03-20 18:41:18.389000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[T1512] Video Capture
Current version: 2.1
Version changed from: 2.0 → 2.1
New Detections:
- DS0041: Application Vetting (Permissions Requests)
- DS0042: User Interface (System Settings)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-08 15:58:43.813000+00:00 | 2023-03-20 18:38:27.848000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 2.0 | 2.1 |
[T1633] Virtualization/Sandbox Evasion
Current version: 1.1
Version changed from: 1.0 → 1.1
New Detections:
- DS0041: Application Vetting (API Calls)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-08 15:47:37.920000+00:00 | 2023-03-20 18:37:57.884000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[T1481] Web Service
Current version: 1.2
Version changed from: 1.1 → 1.2
New Detections:
- DS0041: Application Vetting (Network Communication)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-06 15:35:05.775000+00:00 | 2023-03-20 18:37:13.730000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.1 | 1.2 |
ics-attack
New Techniques
[T0892] Change Credential
Current version: 1.0
Description: Adversaries may modify software and device credentials to prevent operator and responder access. Depending on the device, the modification or addition of this password could prevent any device configuration actions from being accomplished and may require a factory reset or replacement of hardware. These credentials are often built-in features provided by the device vendors as a means to restrict access to management interfaces.
An adversary with access to valid or hardcoded credentials could change the credential to prevent future authorized device access. Change Credential may be especially damaging when paired with other techniques such as Modify Program, Data Destruction, or Modify Controller Tasking. In these cases, a device’s configuration may be destroyed or include malicious actions for the process environment, which cannot not be removed through normal device configuration actions.
Additionally, recovery of the device and original configuration may be difficult depending on the features provided by the device. In some cases, these passwords cannot be removed onsite and may require that the device be sent back to the vendor for additional recovery steps.
A chain of incidents occurred in Germany, where adversaries locked operators out of their building automation system (BAS) controllers by enabling a previously unset BCU key. (Citation: German BAS Lockout Dec 2021)
[T0893] Data from Local System
Current version: 1.0
Description: Adversaries may target and collect data from local system sources, such as file systems, configuration files, or local databases. This can include sensitive data such as specifications, schematics, or diagrams of control system layouts, devices, and processes.
Adversaries may do this using [Command-Line Interface](https://attack.mitre.org/techniques/T0807) or [Scripting](https://attack.mitre.org/techniques/T0853) techniques to interact with the file system to gather information. Adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T0802) on the local system.
Minor Version Changes
[T0878] Alarm Suppression
Current version: 1.2
Version changed from: 1.1 → 1.2
|
|
|---|
| t | Adversaries may target protection function alarms to prevent | t | Adversaries may target protection function alarms to prevent |
| them from notifying operators of critical conditions. Alarm | | them from notifying operators of critical conditions. Alarm |
| messages may be a part of an overall reporting system and o | | messages may be a part of an overall reporting system and o |
| f particular interest for adversaries. Disruption of the ala | | f particular interest for adversaries. Disruption of the ala |
| rm system does not imply the disruption of the reporting sys | | rm system does not imply the disruption of the reporting sys |
| tem as a whole. A Secura presentation on targeting OT notes | | tem as a whole. A Secura presentation on targeting OT notes |
| a dual fold goal for adversaries attempting alarm suppressi | | a dual fold goal for adversaries attempting alarm suppressi |
| on: prevent outgoing alarms from being raised and prevent in | | on: prevent outgoing alarms from being raised and prevent in |
| coming alarms from being responded to. (Citation: Jos Wetzel | | coming alarms from being responded to. (Citation: Jos Wetzel |
| s, Marina Krotofil 2019) The method of suppression may great | | s, Marina Krotofil 2019) The method of suppression may great |
| ly depend on the type of alarm in question: * An alarm ra | | ly depend on the type of alarm in question: * An alarm ra |
| ised by a protocol message * An alarm signaled with I/O * | | ised by a protocol message * An alarm signaled with I/O * |
| An alarm bit set in a flag (and read) In ICS environments, | | An alarm bit set in a flag (and read) In ICS environments, |
| the adversary may have to suppress or contend with multiple | | the adversary may have to suppress or contend with multiple |
| alarms and/or alarm propagation to achieve a specific goal | | alarms and/or alarm propagation to achieve a specific goal |
| to evade detection or prevent intended responses from occurr | | to evade detection or prevent intended responses from occurr |
| ing. (Citation: Jos Wetzels, Marina Krotofil 2019) Methods | | ing. (Citation: Jos Wetzels, Marina Krotofil 2019) Methods |
| of suppression may involve tampering or altering device disp | | of suppression may involve tampering or altering device disp |
| lays and logs, modifying in memory code to fixed values, or | | lays and logs, modifying in memory code to fixed values, or |
| even tampering with assembly level instruction code. In the | | even tampering with assembly level instruction code. |
| Maroochy Shire attack, the adversary suppressed alarm repor | | |
| ting to the central computer.(Citation: Marshall Abrams July | | |
| 2008) | | |
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-20 18:15:39.012000+00:00 | 2023-03-30 20:13:55.599000+00:00 |
| description | Adversaries may target protection function alarms to prevent them from notifying operators of critical conditions. Alarm messages may be a part of an overall reporting system and of particular interest for adversaries. Disruption of the alarm system does not imply the disruption of the reporting system as a whole.
A Secura presentation on targeting OT notes a dual fold goal for adversaries attempting alarm suppression: prevent outgoing alarms from being raised and prevent incoming alarms from being responded to. (Citation: Jos Wetzels, Marina Krotofil 2019) The method of suppression may greatly depend on the type of alarm in question:
* An alarm raised by a protocol message
* An alarm signaled with I/O
* An alarm bit set in a flag (and read)
In ICS environments, the adversary may have to suppress or contend with multiple alarms and/or alarm propagation to achieve a specific goal to evade detection or prevent intended responses from occurring. (Citation: Jos Wetzels, Marina Krotofil 2019) Methods of suppression may involve tampering or altering device displays and logs, modifying in memory code to fixed values, or even tampering with assembly level instruction code.
In the Maroochy Shire attack, the adversary suppressed alarm reporting to the central computer.(Citation: Marshall Abrams July 2008) | Adversaries may target protection function alarms to prevent them from notifying operators of critical conditions. Alarm messages may be a part of an overall reporting system and of particular interest for adversaries. Disruption of the alarm system does not imply the disruption of the reporting system as a whole.
A Secura presentation on targeting OT notes a dual fold goal for adversaries attempting alarm suppression: prevent outgoing alarms from being raised and prevent incoming alarms from being responded to. (Citation: Jos Wetzels, Marina Krotofil 2019) The method of suppression may greatly depend on the type of alarm in question:
* An alarm raised by a protocol message
* An alarm signaled with I/O
* An alarm bit set in a flag (and read)
In ICS environments, the adversary may have to suppress or contend with multiple alarms and/or alarm propagation to achieve a specific goal to evade detection or prevent intended responses from occurring. (Citation: Jos Wetzels, Marina Krotofil 2019) Methods of suppression may involve tampering or altering device displays and logs, modifying in memory code to fixed values, or even tampering with assembly level instruction code. |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_data_sources[2] | Operational Databases: Process/Event Alarm | Operational Databases: Process History/Live Data |
| x_mitre_version | 1.1 | 1.2 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | | Operational Databases: Process/Event Alarm |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'Marshall Abrams July 2008', 'description': 'Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 ', 'url': 'https://web.archive.org/web/20200802103218/https://www.mitre.org/sites/default/files/pdf/08_1145.pdf'} | |
| x_mitre_data_sources | Operational Databases: Process History/Live Data | |
[T0806] Brute Force I/O
Current version: 1.1
Version changed from: 1.0 → 1.1
|
|
|---|
| t | Adversaries may repetitively or successively change I/O poin | t | Adversaries may repetitively or successively change I/O poin |
| t values to perform an action. Brute Force I/O may be achiev | | t values to perform an action. Brute Force I/O may be achiev |
| ed by changing either a range of I/O point values or a singl | | ed by changing either a range of I/O point values or a singl |
| e point value repeatedly to manipulate a process function. T | | e point value repeatedly to manipulate a process function. T |
| he adversarys goal and the information they have about the t | | he adversary's goal and the information they have about the |
| arget environment will influence which of the options they c | | target environment will influence which of the options they |
| hoose. In the case of brute forcing a range of point values, | | choose. In the case of brute forcing a range of point values |
| the adversary may be able to achieve an impact without targ | | , the adversary may be able to achieve an impact without tar |
| eting a specific point. In the case where a single point is | | geting a specific point. In the case where a single point is |
| targeted, the adversary may be able to generate instability | | targeted, the adversary may be able to generate instability |
| on the process function associated with that particular poin | | on the process function associated with that particular poi |
| t. Adversaries may use Brute Force I/O to cause failures w | | nt. Adversaries may use Brute Force I/O to cause failures |
| ithin various industrial processes. These failures could be | | within various industrial processes. These failures could be |
| the result of wear on equipment or damage to downstream equi | | the result of wear on equipment or damage to downstream equ |
| pment. | | ipment. |
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-09-20 19:28:07.225000+00:00 | 2023-03-29 16:17:27.903000+00:00 |
| description | Adversaries may repetitively or successively change I/O point values to perform an action. Brute Force I/O may be achieved by changing either a range of I/O point values or a single point value repeatedly to manipulate a process function. The adversarys goal and the information they have about the target environment will influence which of the options they choose. In the case of brute forcing a range of point values, the adversary may be able to achieve an impact without targeting a specific point. In the case where a single point is targeted, the adversary may be able to generate instability on the process function associated with that particular point.
Adversaries may use Brute Force I/O to cause failures within various industrial processes. These failures could be the result of wear on equipment or damage to downstream equipment. | Adversaries may repetitively or successively change I/O point values to perform an action. Brute Force I/O may be achieved by changing either a range of I/O point values or a single point value repeatedly to manipulate a process function. The adversary's goal and the information they have about the target environment will influence which of the options they choose. In the case of brute forcing a range of point values, the adversary may be able to achieve an impact without targeting a specific point. In the case where a single point is targeted, the adversary may be able to generate instability on the process function associated with that particular point.
Adversaries may use Brute Force I/O to cause failures within various industrial processes. These failures could be the result of wear on equipment or damage to downstream equipment. |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_data_sources[0] | Operational Databases: Process History/Live Data | Application Log: Application Log Content |
| x_mitre_data_sources[2] | Application Log: Application Log Content | Operational Databases: Process History/Live Data |
| x_mitre_version | 1.0 | 1.1 |
[T0879] Damage to Property
Current version: 1.1
Version changed from: 1.0 → 1.1
|
|
|---|
| t | Adversaries may cause damage and destruction of property to | t | Adversaries may cause damage and destruction of property to |
| infrastructure, equipment, and the surrounding environment w | | infrastructure, equipment, and the surrounding environment w |
| hen attacking control systems. This technique may result in | | hen attacking control systems. This technique may result in |
| device and operational equipment breakdown, or represent tan | | device and operational equipment breakdown, or represent tan |
| gential damage from other techniques used in an attack. Depe | | gential damage from other techniques used in an attack. Depe |
| nding on the severity of physical damage and disruption caus | | nding on the severity of physical damage and disruption caus |
| ed to control processes and systems, this technique may resu | | ed to control processes and systems, this technique may resu |
| lt in [Loss of Safety](https://attack.mitre.org/techniques/T | | lt in [Loss of Safety](https://attack.mitre.org/techniques/T |
| 0880). Operations that result in [Loss of Control](https://a | | 0880). Operations that result in [Loss of Control](https://a |
| ttack.mitre.org/techniques/T0827) may also cause damage to p | | ttack.mitre.org/techniques/T0827) may also cause damage to p |
| roperty, which may be directly or indirectly motivated by an | | roperty, which may be directly or indirectly motivated by an |
| adversary seeking to cause impact in the form of [Loss of P | | adversary seeking to cause impact in the form of [Loss of P |
| roductivity and Revenue](https://attack.mitre.org/techniques | | roductivity and Revenue](https://attack.mitre.org/techniques |
| /T0828). In the Maroochy Shire attack, the adversary gaine | | /T0828). The German Federal Office for Information Securi |
| d remote computer access to the control system and altered d | | ty (BSI) reported a targeted attack on a steel mill under an |
| ata so that whatever function should have occurred at affect | | incidents affecting business section of its 2014 IT Securit |
| ed pumping stations did not occur or occurred in a different | | y Report. (Citation: BSI State of IT Security 2014) These t |
| way. This ultimately led to 800,000 liters of raw sewage be | | argeted attacks affected industrial operations and resulted |
| ing spilled out into the community. The raw sewage affected | | in breakdowns of control system components and even entire i |
| local parks, rivers, and even a local hotel. This resulted i | | nstallations. As a result of these breakdowns, massive impac |
| n harm to marine life and produced a sickening stench from t | | t and damage resulted from the uncontrolled shutdown of a bl |
| he community's now blackened rivers.(Citation: Marshall Abra | | ast furnace. A Polish student used a remote controller dev |
| ms July 2008) The German Federal Office for Information Sec | | ice to interface with the Lodz city tram system in Poland. ( |
| urity (BSI) reported a targeted attack on a steel mill under | | Citation: John Bill May 2017) (Citation: Shelley Smith Febru |
| an incidents affecting business section of its 2014 IT Secu | | ary 2008) (Citation: Bruce Schneier January 2008) Using this |
| rity Report. (Citation: BSI State of IT Security 2014) Thes | | remote, the student was able to capture and replay legitima |
| e targeted attacks affected industrial operations and result | | te tram signals. This resulted in damage to impacted trams, |
| ed in breakdowns of control system components and even entir | | people, and the surrounding property. Reportedly, four trams |
| e installations. As a result of these breakdowns, massive im | | were derailed and were forced to make emergency stops. (Cit |
| pact and damage resulted from the uncontrolled shutdown of a | | ation: Shelley Smith February 2008) Commands issued by the s |
| blast furnace. A Polish student used a remote controller | | tudent may have also resulted in tram collisions, causing ha |
| device to interface with the Lodz city tram system in Poland | | rm to those on board and the environment outside. (Citation: |
| . (Citation: John Bill May 2017) (Citation: Shelley Smith Fe | | Bruce Schneier January 2008) |
| bruary 2008) (Citation: Bruce Schneier January 2008) Using t | | |
| his remote, the student was able to capture and replay legit | | |
| imate tram signals. This resulted in damage to impacted tram | | |
| s, people, and the surrounding property. Reportedly, four tr | | |
| ams were derailed and were forced to make emergency stops. ( | | |
| Citation: Shelley Smith February 2008) Commands issued by th | | |
| e student may have also resulted in tram collisions, causing | | |
| harm to those on board and the environment outside. (Citati | | |
| on: Bruce Schneier January 2008) | | |
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-20 18:12:38.570000+00:00 | 2023-03-30 20:14:42.829000+00:00 |
| description | Adversaries may cause damage and destruction of property to infrastructure, equipment, and the surrounding environment when attacking control systems. This technique may result in device and operational equipment breakdown, or represent tangential damage from other techniques used in an attack. Depending on the severity of physical damage and disruption caused to control processes and systems, this technique may result in [Loss of Safety](https://attack.mitre.org/techniques/T0880). Operations that result in [Loss of Control](https://attack.mitre.org/techniques/T0827) may also cause damage to property, which may be directly or indirectly motivated by an adversary seeking to cause impact in the form of [Loss of Productivity and Revenue](https://attack.mitre.org/techniques/T0828).
In the Maroochy Shire attack, the adversary gained remote computer access to the control system and altered data so that whatever function should have occurred at affected pumping stations did not occur or occurred in a different way. This ultimately led to 800,000 liters of raw sewage being spilled out into the community. The raw sewage affected local parks, rivers, and even a local hotel. This resulted in harm to marine life and produced a sickening stench from the community's now blackened rivers.(Citation: Marshall Abrams July 2008)
The German Federal Office for Information Security (BSI) reported a targeted attack on a steel mill under an incidents affecting business section of its 2014 IT Security Report. (Citation: BSI State of IT Security 2014) These targeted attacks affected industrial operations and resulted in breakdowns of control system components and even entire installations. As a result of these breakdowns, massive impact and damage resulted from the uncontrolled shutdown of a blast furnace.
A Polish student used a remote controller device to interface with the Lodz city tram system in Poland. (Citation: John Bill May 2017) (Citation: Shelley Smith February 2008) (Citation: Bruce Schneier January 2008) Using this remote, the student was able to capture and replay legitimate tram signals. This resulted in damage to impacted trams, people, and the surrounding property. Reportedly, four trams were derailed and were forced to make emergency stops. (Citation: Shelley Smith February 2008) Commands issued by the student may have also resulted in tram collisions, causing harm to those on board and the environment outside. (Citation: Bruce Schneier January 2008) | Adversaries may cause damage and destruction of property to infrastructure, equipment, and the surrounding environment when attacking control systems. This technique may result in device and operational equipment breakdown, or represent tangential damage from other techniques used in an attack. Depending on the severity of physical damage and disruption caused to control processes and systems, this technique may result in [Loss of Safety](https://attack.mitre.org/techniques/T0880). Operations that result in [Loss of Control](https://attack.mitre.org/techniques/T0827) may also cause damage to property, which may be directly or indirectly motivated by an adversary seeking to cause impact in the form of [Loss of Productivity and Revenue](https://attack.mitre.org/techniques/T0828).
The German Federal Office for Information Security (BSI) reported a targeted attack on a steel mill under an incidents affecting business section of its 2014 IT Security Report. (Citation: BSI State of IT Security 2014) These targeted attacks affected industrial operations and resulted in breakdowns of control system components and even entire installations. As a result of these breakdowns, massive impact and damage resulted from the uncontrolled shutdown of a blast furnace.
A Polish student used a remote controller device to interface with the Lodz city tram system in Poland. (Citation: John Bill May 2017) (Citation: Shelley Smith February 2008) (Citation: Bruce Schneier January 2008) Using this remote, the student was able to capture and replay legitimate tram signals. This resulted in damage to impacted trams, people, and the surrounding property. Reportedly, four trams were derailed and were forced to make emergency stops. (Citation: Shelley Smith February 2008) Commands issued by the student may have also resulted in tram collisions, causing harm to those on board and the environment outside. (Citation: Bruce Schneier January 2008) |
| kill_chain_phases[0]['phase_name'] | impact-ics | impact |
| external_references[4]['source_name'] | Marshall Abrams July 2008 | Shelley Smith February 2008 |
| external_references[4]['description'] | Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 | Shelley Smith 2008, February 12 Teen Hacker in Poland Plays Trains and Derails City Tram System Retrieved. 2019/10/17 |
| external_references[4]['url'] | https://web.archive.org/web/20200802103218/https://www.mitre.org/sites/default/files/pdf/08_1145.pdf | https://inhomelandsecurity.com/teen_hacker_in_poland_plays_tr/ |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'Shelley Smith February 2008', 'description': 'Shelley Smith 2008, February 12 Teen Hacker in Poland Plays Trains and Derails City Tram System Retrieved. 2019/10/17 ', 'url': 'https://inhomelandsecurity.com/teen_hacker_in_poland_plays_tr/'} | |
[T0811] Data from Information Repositories
Current version: 1.2
Version changed from: 1.1 → 1.2
|
|
|---|
| t | Adversaries may target and collect data from information rep | t | Adversaries may target and collect data from information rep |
| ositories. This can include sensitive data such as specifica | | ositories. This can include sensitive data such as specifica |
| tions, schematics, or diagrams of control system layouts, de | | tions, schematics, or diagrams of control system layouts, de |
| vices, and processes. Examples of information repositories i | | vices, and processes. Examples of information repositories i |
| nclude reference databases or local machines in the process | | nclude reference databases in the process environment, as we |
| environment, as well as workstations and databases in the co | | ll as databases in the corporate network that might contain |
| rporate network that might contain information about the ICS | | information about the ICS.(Citation: Cybersecurity & Infrast |
| .(Citation: Cybersecurity & Infrastructure Security Agency M | | ructure Security Agency March 2018) Information collected f |
| arch 2018) Information collected from these systems may pro | | rom these systems may provide the adversary with a better un |
| vide the adversary with a better understanding of the operat | | derstanding of the operational environment, vendors used, pr |
| ional environment, vendors used, processes, or procedures of | | ocesses, or procedures of the ICS. In a campaign between 20 |
| the ICS. In a campaign between 2011 and 2013 against ONG o | | 11 and 2013 against ONG organizations, Chinese state-sponsor |
| rganizations, Chinese state-sponsored actors searched docume | | ed actors searched document repositories for specific inform |
| nt repositories for specific information such as, system man | | ation such as, system manuals, remote terminal unit (RTU) si |
| uals, remote terminal unit (RTU) sites, personnel lists, doc | | tes, personnel lists, documents that included the string SCA |
| uments that included the string SCAD*, user credentials, and | | D*, user credentials, and remote dial-up access information. |
| remote dial-up access information. (Citation: CISA AA21-201 | | (Citation: CISA AA21-201A Pipeline Intrusion July 2021) |
| A Pipeline Intrusion July 2021) | | |
Dropped Detections:
- DS0009: Process (OS API Execution)
- DS0009: Process (Process Creation)
- DS0012: Script (Script Execution)
- DS0017: Command (Command Execution)
- DS0022: File (File Access)
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-09-27 18:05:21.731000+00:00 | 2023-03-30 19:09:43.744000+00:00 |
| description | Adversaries may target and collect data from information repositories. This can include sensitive data such as specifications, schematics, or diagrams of control system layouts, devices, and processes. Examples of information repositories include reference databases or local machines in the process environment, as well as workstations and databases in the corporate network that might contain information about the ICS.(Citation: Cybersecurity & Infrastructure Security Agency March 2018)
Information collected from these systems may provide the adversary with a better understanding of the operational environment, vendors used, processes, or procedures of the ICS.
In a campaign between 2011 and 2013 against ONG organizations, Chinese state-sponsored actors searched document repositories for specific information such as, system manuals, remote terminal unit (RTU) sites, personnel lists, documents that included the string SCAD*, user credentials, and remote dial-up access information. (Citation: CISA AA21-201A Pipeline Intrusion July 2021) | Adversaries may target and collect data from information repositories. This can include sensitive data such as specifications, schematics, or diagrams of control system layouts, devices, and processes. Examples of information repositories include reference databases in the process environment, as well as databases in the corporate network that might contain information about the ICS.(Citation: Cybersecurity & Infrastructure Security Agency March 2018)
Information collected from these systems may provide the adversary with a better understanding of the operational environment, vendors used, processes, or procedures of the ICS.
In a campaign between 2011 and 2013 against ONG organizations, Chinese state-sponsored actors searched document repositories for specific information such as, system manuals, remote terminal unit (RTU) sites, personnel lists, documents that included the string SCAD*, user credentials, and remote dial-up access information. (Citation: CISA AA21-201A Pipeline Intrusion July 2021) |
| kill_chain_phases[0]['phase_name'] | collection-ics | collection |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_data_sources[1] | Process: OS API Execution | Application Log: Application Log Content |
| x_mitre_version | 1.1 | 1.2 |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | Command: Command Execution | |
| x_mitre_data_sources | Process: Process Creation | |
| x_mitre_data_sources | Script: Script Execution | |
| x_mitre_data_sources | File: File Access | |
| x_mitre_data_sources | Application Log: Application Log Content | |
| x_mitre_platforms | Control Server | |
| x_mitre_platforms | Engineering Workstation | |
| x_mitre_platforms | Human-Machine Interface | |
[T0813] Denial of Control
Current version: 1.1
Version changed from: 1.0 → 1.1
|
|
|---|
| t | Adversaries may cause a denial of control to temporarily pre | t | Adversaries may cause a denial of control to temporarily pre |
| vent operators and engineers from interacting with process c | | vent operators and engineers from interacting with process c |
| ontrols. An adversary may attempt to deny process control ac | | ontrols. An adversary may attempt to deny process control ac |
| cess to cause a temporary loss of communication with the con | | cess to cause a temporary loss of communication with the con |
| trol device or to prevent operator adjustment of process con | | trol device or to prevent operator adjustment of process con |
| trols. An affected process may still be operating during the | | trols. An affected process may still be operating during the |
| period of control loss, but not necessarily in a desired st | | period of control loss, but not necessarily in a desired st |
| ate. (Citation: Corero) (Citation: Michael J. Assante and Ro | | ate. (Citation: Corero) (Citation: Michael J. Assante and Ro |
| bert M. Lee) (Citation: Tyson Macaulay) In the Maroochy Shi | | bert M. Lee) (Citation: Tyson Macaulay) In the 2017 Dallas |
| re attack, the adversary temporarily shut an investigator ou | | Siren incident operators were unable to disable the false al |
| t of the network preventing them from issuing any controls.( | | arms from the Office of Emergency Management headquarters. ( |
| Citation: Marshall Abrams July 2008) In the 2017 Dallas Sir | | Citation: Mark Loveless April 2017) |
| en incident operators were unable to disable the false alarm | | |
| s from the Office of Emergency Management headquarters. (Cit | | |
| ation: Mark Loveless April 2017) | | |
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-20 18:09:55.792000+00:00 | 2023-03-30 20:15:14.260000+00:00 |
| description | Adversaries may cause a denial of control to temporarily prevent operators and engineers from interacting with process controls. An adversary may attempt to deny process control access to cause a temporary loss of communication with the control device or to prevent operator adjustment of process controls. An affected process may still be operating during the period of control loss, but not necessarily in a desired state. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay)
In the Maroochy Shire attack, the adversary temporarily shut an investigator out of the network preventing them from issuing any controls.(Citation: Marshall Abrams July 2008)
In the 2017 Dallas Siren incident operators were unable to disable the false alarms from the Office of Emergency Management headquarters. (Citation: Mark Loveless April 2017) | Adversaries may cause a denial of control to temporarily prevent operators and engineers from interacting with process controls. An adversary may attempt to deny process control access to cause a temporary loss of communication with the control device or to prevent operator adjustment of process controls. An affected process may still be operating during the period of control loss, but not necessarily in a desired state. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay)
In the 2017 Dallas Siren incident operators were unable to disable the false alarms from the Office of Emergency Management headquarters. (Citation: Mark Loveless April 2017) |
| kill_chain_phases[0]['phase_name'] | impact-ics | impact |
| external_references[3]['source_name'] | Marshall Abrams July 2008 | Michael J. Assante and Robert M. Lee |
| external_references[3]['description'] | Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 | Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 |
| external_references[3]['url'] | https://web.archive.org/web/20200802103218/https://www.mitre.org/sites/default/files/pdf/08_1145.pdf | https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297 |
| external_references[4]['source_name'] | Michael J. Assante and Robert M. Lee | Tyson Macaulay |
| external_references[4]['description'] | Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 | Tyson Macaulay Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 RIoT Control: Understanding and Managing Risks and the Internet of Things Retrieved. 2019/11/04 |
| external_references[4]['url'] | https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297 | https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'Tyson Macaulay', 'description': 'Tyson Macaulay Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 RIoT Control: Understanding and Managing Risks and the Internet of Things Retrieved. 2019/11/04 ', 'url': 'https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false'} | |
[T0814] Denial of Service
Current version: 1.1
Version changed from: 1.0 → 1.1
|
|
|---|
| t | Adversaries may perform Denial-of-Service (DoS) attacks to d | t | Adversaries may perform Denial-of-Service (DoS) attacks to d |
| isrupt expected device functionality. Examples of DoS attack | | isrupt expected device functionality. Examples of DoS attack |
| s include overwhelming the target device with a high volume | | s include overwhelming the target device with a high volume |
| of requests in a short time period and sending the target de | | of requests in a short time period and sending the target de |
| vice a request it does not know how to handle. Disrupting de | | vice a request it does not know how to handle. Disrupting de |
| vice state may temporarily render it unresponsive, possibly | | vice state may temporarily render it unresponsive, possibly |
| lasting until a reboot can occur. When placed in this state, | | lasting until a reboot can occur. When placed in this state, |
| devices may be unable to send and receive requests, and may | | devices may be unable to send and receive requests, and may |
| not perform expected response functions in reaction to othe | | not perform expected response functions in reaction to othe |
| r events in the environment. Some ICS devices are particul | | r events in the environment. Some ICS devices are particul |
| arly sensitive to DoS events, and may become unresponsive in | | arly sensitive to DoS events, and may become unresponsive in |
| reaction to even a simple ping sweep. Adversaries may also | | reaction to even a simple ping sweep. Adversaries may also |
| attempt to execute a Permanent Denial-of-Service (PDoS) agai | | attempt to execute a Permanent Denial-of-Service (PDoS) agai |
| nst certain devices, such as in the case of the BrickerBot m | | nst certain devices, such as in the case of the BrickerBot m |
| alware. (Citation: ICS-CERT April 2017) Adversaries may ex | | alware. (Citation: ICS-CERT April 2017) Adversaries may ex |
| ploit a software vulnerability to cause a denial of service | | ploit a software vulnerability to cause a denial of service |
| by taking advantage of a programming error in a program, ser | | by taking advantage of a programming error in a program, ser |
| vice, or within the operating system software or kernel itse | | vice, or within the operating system software or kernel itse |
| lf to execute adversary-controlled code. Vulnerabilities may | | lf to execute adversary-controlled code. Vulnerabilities may |
| exist in software that can be used to cause a denial of ser | | exist in software that can be used to cause a denial of ser |
| vice condition. Adversaries may have prior knowledge about | | vice condition. Adversaries may have prior knowledge about |
| industrial protocols or control devices used in the environ | | industrial protocols or control devices used in the environ |
| ment through [Remote System Information Discovery](https://a | | ment through [Remote System Information Discovery](https://a |
| ttack.mitre.org/techniques/T0888). There are examples of adv | | ttack.mitre.org/techniques/T0888). There are examples of adv |
| ersaries remotely causing a [Device Restart/Shutdown](https: | | ersaries remotely causing a [Device Restart/Shutdown](https: |
| //attack.mitre.org/techniques/T0816) by exploiting a vulnera | | //attack.mitre.org/techniques/T0816) by exploiting a vulnera |
| bility that induces uncontrolled resource consumption. (Cita | | bility that induces uncontrolled resource consumption. (Cita |
| tion: ICS-CERT August 2018) (Citation: Common Weakness Enume | | tion: ICS-CERT August 2018) (Citation: Common Weakness Enume |
| ration January 2019) (Citation: MITRE March 2018) In the M | | ration January 2019) (Citation: MITRE March 2018) |
| aroochy Shire attack, the adversary shut an investigator out | | |
| of the network.(Citation: Marshall Abrams July 2008) | | |
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-20 18:17:08.160000+00:00 | 2023-03-30 20:16:01.922000+00:00 |
| description | Adversaries may perform Denial-of-Service (DoS) attacks to disrupt expected device functionality. Examples of DoS attacks include overwhelming the target device with a high volume of requests in a short time period and sending the target device a request it does not know how to handle. Disrupting device state may temporarily render it unresponsive, possibly lasting until a reboot can occur. When placed in this state, devices may be unable to send and receive requests, and may not perform expected response functions in reaction to other events in the environment.
Some ICS devices are particularly sensitive to DoS events, and may become unresponsive in reaction to even a simple ping sweep. Adversaries may also attempt to execute a Permanent Denial-of-Service (PDoS) against certain devices, such as in the case of the BrickerBot malware. (Citation: ICS-CERT April 2017)
Adversaries may exploit a software vulnerability to cause a denial of service by taking advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in software that can be used to cause a denial of service condition.
Adversaries may have prior knowledge about industrial protocols or control devices used in the environment through [Remote System Information Discovery](https://attack.mitre.org/techniques/T0888). There are examples of adversaries remotely causing a [Device Restart/Shutdown](https://attack.mitre.org/techniques/T0816) by exploiting a vulnerability that induces uncontrolled resource consumption. (Citation: ICS-CERT August 2018) (Citation: Common Weakness Enumeration January 2019) (Citation: MITRE March 2018)
In the Maroochy Shire attack, the adversary shut an investigator out of the network.(Citation: Marshall Abrams July 2008) | Adversaries may perform Denial-of-Service (DoS) attacks to disrupt expected device functionality. Examples of DoS attacks include overwhelming the target device with a high volume of requests in a short time period and sending the target device a request it does not know how to handle. Disrupting device state may temporarily render it unresponsive, possibly lasting until a reboot can occur. When placed in this state, devices may be unable to send and receive requests, and may not perform expected response functions in reaction to other events in the environment.
Some ICS devices are particularly sensitive to DoS events, and may become unresponsive in reaction to even a simple ping sweep. Adversaries may also attempt to execute a Permanent Denial-of-Service (PDoS) against certain devices, such as in the case of the BrickerBot malware. (Citation: ICS-CERT April 2017)
Adversaries may exploit a software vulnerability to cause a denial of service by taking advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in software that can be used to cause a denial of service condition.
Adversaries may have prior knowledge about industrial protocols or control devices used in the environment through [Remote System Information Discovery](https://attack.mitre.org/techniques/T0888). There are examples of adversaries remotely causing a [Device Restart/Shutdown](https://attack.mitre.org/techniques/T0816) by exploiting a vulnerability that induces uncontrolled resource consumption. (Citation: ICS-CERT August 2018) (Citation: Common Weakness Enumeration January 2019) (Citation: MITRE March 2018) |
| external_references[4]['source_name'] | Marshall Abrams July 2008 | MITRE March 2018 |
| external_references[4]['description'] | Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 | MITRE 2018, March 22 CVE-2015-5374 Retrieved. 2019/03/14 |
| external_references[4]['url'] | https://web.archive.org/web/20200802103218/https://www.mitre.org/sites/default/files/pdf/08_1145.pdf | https://nvd.nist.gov/vuln/detail/CVE-2015-5374 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | | Network Traffic: Network Traffic Flow |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'MITRE March 2018', 'description': 'MITRE 2018, March 22 CVE-2015-5374 Retrieved. 2019/03/14 ', 'url': 'https://nvd.nist.gov/vuln/detail/CVE-2015-5374'} | |
| x_mitre_data_sources | Network Traffic: Network Traffic Flow | |
[T0815] Denial of View
Current version: 1.1
Version changed from: 1.0 → 1.1
|
|
|---|
| t | Adversaries may cause a denial of view in attempt to disrupt | t | Adversaries may cause a denial of view in attempt to disrupt |
| and prevent operator oversight on the status of an ICS envi | | and prevent operator oversight on the status of an ICS envi |
| ronment. This may manifest itself as a temporary communicati | | ronment. This may manifest itself as a temporary communicati |
| on failure between a device and its control source, where th | | on failure between a device and its control source, where th |
| e interface recovers and becomes available once the interfer | | e interface recovers and becomes available once the interfer |
| ence ceases. (Citation: Corero) (Citation: Michael J. Assant | | ence ceases. (Citation: Corero) (Citation: Michael J. Assant |
| e and Robert M. Lee) (Citation: Tyson Macaulay) An adversa | | e and Robert M. Lee) (Citation: Tyson Macaulay) An adversa |
| ry may attempt to deny operator visibility by preventing the | | ry may attempt to deny operator visibility by preventing the |
| m from receiving status and reporting messages. Denying this | | m from receiving status and reporting messages. Denying this |
| view may temporarily block and prevent operators from notic | | view may temporarily block and prevent operators from notic |
| ing a change in state or anomalous behavior. The environment | | ing a change in state or anomalous behavior. The environment |
| 's data and processes may still be operational, but function | | 's data and processes may still be operational, but function |
| ing in an unintended or adversarial manner. In the Marooch | | ing in an unintended or adversarial manner. |
| y Shire attack, the adversary temporarily shut an investigat | | |
| or out of the network, preventing them from viewing the stat | | |
| e of the system.(Citation: Marshall Abrams July 2008) | | |
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-20 18:08:38.480000+00:00 | 2023-03-30 20:16:25.031000+00:00 |
| description | Adversaries may cause a denial of view in attempt to disrupt and prevent operator oversight on the status of an ICS environment. This may manifest itself as a temporary communication failure between a device and its control source, where the interface recovers and becomes available once the interference ceases. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay)
An adversary may attempt to deny operator visibility by preventing them from receiving status and reporting messages. Denying this view may temporarily block and prevent operators from noticing a change in state or anomalous behavior. The environment's data and processes may still be operational, but functioning in an unintended or adversarial manner.
In the Maroochy Shire attack, the adversary temporarily shut an investigator out of the network, preventing them from viewing the state of the system.(Citation: Marshall Abrams July 2008) | Adversaries may cause a denial of view in attempt to disrupt and prevent operator oversight on the status of an ICS environment. This may manifest itself as a temporary communication failure between a device and its control source, where the interface recovers and becomes available once the interference ceases. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay)
An adversary may attempt to deny operator visibility by preventing them from receiving status and reporting messages. Denying this view may temporarily block and prevent operators from noticing a change in state or anomalous behavior. The environment's data and processes may still be operational, but functioning in an unintended or adversarial manner. |
| kill_chain_phases[0]['phase_name'] | impact-ics | impact |
| external_references[2]['source_name'] | Marshall Abrams July 2008 | Michael J. Assante and Robert M. Lee |
| external_references[2]['description'] | Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 | Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 |
| external_references[2]['url'] | https://web.archive.org/web/20200802103218/https://www.mitre.org/sites/default/files/pdf/08_1145.pdf | https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297 |
| external_references[3]['source_name'] | Michael J. Assante and Robert M. Lee | Tyson Macaulay |
| external_references[3]['description'] | Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 | Tyson Macaulay Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 RIoT Control: Understanding and Managing Risks and the Internet of Things Retrieved. 2019/11/04 |
| external_references[3]['url'] | https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297 | https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'Tyson Macaulay', 'description': 'Tyson Macaulay Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 RIoT Control: Understanding and Managing Risks and the Internet of Things Retrieved. 2019/11/04 ', 'url': 'https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false'} | |
[T0822] External Remote Services
Current version: 1.1
Version changed from: 1.0 → 1.1
|
|
|---|
| t | Adversaries may leverage external remote services as a point | t | Adversaries may leverage external remote services as a point |
| of initial access into your network. These services allow u | | of initial access into your network. These services allow u |
| sers to connect to internal network resources from external | | sers to connect to internal network resources from external |
| locations. Examples are VPNs, Citrix, and other access mecha | | locations. Examples are VPNs, Citrix, and other access mecha |
| nisms. Remote service gateways often manage connections and | | nisms. Remote service gateways often manage connections and |
| credential authentication for these services. (Citation: Dan | | credential authentication for these services. (Citation: Dan |
| iel Oakley, Travis Smith, Tripwire) External remote service | | iel Oakley, Travis Smith, Tripwire) External remote service |
| s allow administration of a control system from outside the | | s allow administration of a control system from outside the |
| system. Often, vendors and internal engineering groups have | | system. Often, vendors and internal engineering groups have |
| access to external remote services to control system network | | access to external remote services to control system network |
| s via the corporate network. In some cases, this access is e | | s via the corporate network. In some cases, this access is e |
| nabled directly from the internet. While remote access enabl | | nabled directly from the internet. While remote access enabl |
| es ease of maintenance when a control system is in a remote | | es ease of maintenance when a control system is in a remote |
| area, compromise of remote access solutions is a liability. | | area, compromise of remote access solutions is a liability. |
| The adversary may use these services to gain access to and e | | The adversary may use these services to gain access to and e |
| xecute attacks against a control system network. Access to v | | xecute attacks against a control system network. Access to v |
| alid accounts is often a requirement. As they look for an | | alid accounts is often a requirement. As they look for an |
| entry point into the control system network, adversaries may | | entry point into the control system network, adversaries may |
| begin searching for existing point-to-point VPN implementat | | begin searching for existing point-to-point VPN implementat |
| ions at trusted third party networks or through remote suppo | | ions at trusted third party networks or through remote suppo |
| rt employee connections where split tunneling is enabled. (C | | rt employee connections where split tunneling is enabled. (C |
| itation: Electricity Information Sharing and Analysis Center | | itation: Electricity Information Sharing and Analysis Center |
| ; SANS Industrial Control Systems March 2016) In the Marooc | | ; SANS Industrial Control Systems March 2016) |
| hy Shire attack, the adversary gained remote computer access | | |
| to the system over radio.(Citation: Marshall Abrams July 20 | | |
| 08) | | |
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-20 18:07:53.764000+00:00 | 2023-03-30 20:16:55.602000+00:00 |
| description | Adversaries may leverage external remote services as a point of initial access into your network. These services allow users to connect to internal network resources from external locations. Examples are VPNs, Citrix, and other access mechanisms. Remote service gateways often manage connections and credential authentication for these services. (Citation: Daniel Oakley, Travis Smith, Tripwire)
External remote services allow administration of a control system from outside the system. Often, vendors and internal engineering groups have access to external remote services to control system networks via the corporate network. In some cases, this access is enabled directly from the internet. While remote access enables ease of maintenance when a control system is in a remote area, compromise of remote access solutions is a liability. The adversary may use these services to gain access to and execute attacks against a control system network. Access to valid accounts is often a requirement.
As they look for an entry point into the control system network, adversaries may begin searching for existing point-to-point VPN implementations at trusted third party networks or through remote support employee connections where split tunneling is enabled. (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)
In the Maroochy Shire attack, the adversary gained remote computer access to the system over radio.(Citation: Marshall Abrams July 2008) | Adversaries may leverage external remote services as a point of initial access into your network. These services allow users to connect to internal network resources from external locations. Examples are VPNs, Citrix, and other access mechanisms. Remote service gateways often manage connections and credential authentication for these services. (Citation: Daniel Oakley, Travis Smith, Tripwire)
External remote services allow administration of a control system from outside the system. Often, vendors and internal engineering groups have access to external remote services to control system networks via the corporate network. In some cases, this access is enabled directly from the internet. While remote access enables ease of maintenance when a control system is in a remote area, compromise of remote access solutions is a liability. The adversary may use these services to gain access to and execute attacks against a control system network. Access to valid accounts is often a requirement.
As they look for an entry point into the control system network, adversaries may begin searching for existing point-to-point VPN implementations at trusted third party networks or through remote support employee connections where split tunneling is enabled. (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)
|
| kill_chain_phases[0]['phase_name'] | initial-access-ics | initial-access |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_data_sources[0] | Network Traffic: Network Traffic Flow | Application Log: Application Log Content |
| x_mitre_data_sources[1] | Application Log: Application Log Content | Network Traffic: Network Traffic Flow |
| x_mitre_version | 1.0 | 1.1 |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'Marshall Abrams July 2008', 'description': 'Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 ', 'url': 'https://web.archive.org/web/20200802103218/https://www.mitre.org/sites/default/files/pdf/08_1145.pdf'} | |
[T0874] Hooking
Current version: 1.2
Version changed from: 1.1 → 1.2
|
|
|---|
| t | Adversaries may hook into application programming interface | t | Adversaries may hook into application programming interface |
| (API) functions used by processes to redirect calls for exec | | (API) functions used by processes to redirect calls for exec |
| ution and privilege escalation means. Windows processes ofte | | ution and privilege escalation means. Windows processes ofte |
| n leverage these API functions to perform tasks that require | | n leverage these API functions to perform tasks that require |
| reusable system resources. Windows API functions are typica | | reusable system resources. Windows API functions are typica |
| lly stored in dynamic-link libraries (DLLs) as exported func | | lly stored in dynamic-link libraries (DLLs) as exported func |
| tions. (Citation: Enterprise ATT&CK) One type of hooking se | | tions. (Citation: Enterprise ATT&CK) One type of hooking se |
| en in ICS involves redirecting calls to these functions via | | en in ICS involves redirecting calls to these functions via |
| import address table (IAT) hooking. IAT hooking uses modific | | import address table (IAT) hooking. IAT hooking uses modific |
| ations to a processs IAT, where pointers to imported API fun | | ations to a process IAT, where pointers to imported API func |
| ctions are stored. (Citation: Nicolas Falliere, Liam O Murch | | tions are stored. (Citation: Nicolas Falliere, Liam O Murchu |
| u, Eric Chien February 2011) | | , Eric Chien February 2011) |
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-09-27 15:40:42.017000+00:00 | 2023-03-13 13:32:08.619000+00:00 |
| description | Adversaries may hook into application programming interface (API) functions used by processes to redirect calls for execution and privilege escalation means. Windows processes often leverage these API functions to perform tasks that require reusable system resources. Windows API functions are typically stored in dynamic-link libraries (DLLs) as exported functions. (Citation: Enterprise ATT&CK)
One type of hooking seen in ICS involves redirecting calls to these functions via import address table (IAT) hooking. IAT hooking uses modifications to a processs IAT, where pointers to imported API functions are stored. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) | Adversaries may hook into application programming interface (API) functions used by processes to redirect calls for execution and privilege escalation means. Windows processes often leverage these API functions to perform tasks that require reusable system resources. Windows API functions are typically stored in dynamic-link libraries (DLLs) as exported functions. (Citation: Enterprise ATT&CK)
One type of hooking seen in ICS involves redirecting calls to these functions via import address table (IAT) hooking. IAT hooking uses modifications to a process IAT, where pointers to imported API functions are stored. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) |
| kill_chain_phases[0]['phase_name'] | execution-ics | execution |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_data_sources[0] | Process: OS API Execution | Process: Process Metadata |
| x_mitre_data_sources[1] | Process: Process Metadata | Process: OS API Execution |
| x_mitre_version | 1.1 | 1.2 |
[T0838] Modify Alarm Settings
Current version: 1.2
Version changed from: 1.1 → 1.2
|
|
|---|
| t | Adversaries may modify alarm settings to prevent alerts that | t | Adversaries may modify alarm settings to prevent alerts that |
| may inform operators of their presence or to prevent respon | | may inform operators of their presence or to prevent respon |
| ses to dangerous and unintended scenarios. Reporting message | | ses to dangerous and unintended scenarios. Reporting message |
| s are a standard part of data acquisition in control systems | | s are a standard part of data acquisition in control systems |
| . Reporting messages are used as a way to transmit system st | | . Reporting messages are used as a way to transmit system st |
| ate information and acknowledgements that specific actions h | | ate information and acknowledgements that specific actions h |
| ave occurred. These messages provide vital information for t | | ave occurred. These messages provide vital information for t |
| he management of a physical process, and keep operators, eng | | he management of a physical process, and keep operators, eng |
| ineers, and administrators aware of the state of system devi | | ineers, and administrators aware of the state of system devi |
| ces and physical processes. If an adversary is able to cha | | ces and physical processes. If an adversary is able to cha |
| nge the reporting settings, certain events could be prevente | | nge the reporting settings, certain events could be prevente |
| d from being reported. This type of modification can also pr | | d from being reported. This type of modification can also pr |
| event operators or devices from performing actions to keep t | | event operators or devices from performing actions to keep t |
| he system in a safe state. If critical reporting messages ca | | he system in a safe state. If critical reporting messages ca |
| nnot trigger these actions then a [Impact](http://attacksite | | nnot trigger these actions then a [Impact](https://attack.mi |
| .mitre.org/tactics/TA0105/) could occur. In ICS environmen | | tre.org/tactics/TA0105) could occur. In ICS environments, |
| ts, the adversary may have to use [Alarm Suppression](https: | | the adversary may have to use [Alarm Suppression](https://at |
| //attack.mitre.org/techniques/T0878) or contend with multipl | | tack.mitre.org/techniques/T0878) or contend with multiple al |
| e alarms and/or alarm propagation to achieve a specific goal | | arms and/or alarm propagation to achieve a specific goal to |
| to evade detection or prevent intended responses from occur | | evade detection or prevent intended responses from occurring |
| ring. (Citation: Jos Wetzels, Marina Krotofil 2019) Methods | | . (Citation: Jos Wetzels, Marina Krotofil 2019) Methods of |
| of suppression often rely on modification of alarm settings | | suppression often rely on modification of alarm settings, su |
| , such as modifying in memory code to fixed values or tamper | | ch as modifying in memory code to fixed values or tampering |
| ing with assembly level instruction code. In the Maroochy | | with assembly level instruction code. |
| Shire attack, the adversary disabled alarms at four pumping | | |
| stations. This caused alarms to not be reported to the centr | | |
| al computer.(Citation: Marshall Abrams July 2008) | | |
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-20 18:14:48.212000+00:00 | 2023-03-30 20:17:43.803000+00:00 |
| description | Adversaries may modify alarm settings to prevent alerts that may inform operators of their presence or to prevent responses to dangerous and unintended scenarios. Reporting messages are a standard part of data acquisition in control systems. Reporting messages are used as a way to transmit system state information and acknowledgements that specific actions have occurred. These messages provide vital information for the management of a physical process, and keep operators, engineers, and administrators aware of the state of system devices and physical processes.
If an adversary is able to change the reporting settings, certain events could be prevented from being reported. This type of modification can also prevent operators or devices from performing actions to keep the system in a safe state. If critical reporting messages cannot trigger these actions then a [Impact](http://attacksite.mitre.org/tactics/TA0105/) could occur.
In ICS environments, the adversary may have to use [Alarm Suppression](https://attack.mitre.org/techniques/T0878) or contend with multiple alarms and/or alarm propagation to achieve a specific goal to evade detection or prevent intended responses from occurring. (Citation: Jos Wetzels, Marina Krotofil 2019) Methods of suppression often rely on modification of alarm settings, such as modifying in memory code to fixed values or tampering with assembly level instruction code.
In the Maroochy Shire attack, the adversary disabled alarms at four pumping stations. This caused alarms to not be reported to the central computer.(Citation: Marshall Abrams July 2008) | Adversaries may modify alarm settings to prevent alerts that may inform operators of their presence or to prevent responses to dangerous and unintended scenarios. Reporting messages are a standard part of data acquisition in control systems. Reporting messages are used as a way to transmit system state information and acknowledgements that specific actions have occurred. These messages provide vital information for the management of a physical process, and keep operators, engineers, and administrators aware of the state of system devices and physical processes.
If an adversary is able to change the reporting settings, certain events could be prevented from being reported. This type of modification can also prevent operators or devices from performing actions to keep the system in a safe state. If critical reporting messages cannot trigger these actions then a [Impact](https://attack.mitre.org/tactics/TA0105) could occur.
In ICS environments, the adversary may have to use [Alarm Suppression](https://attack.mitre.org/techniques/T0878) or contend with multiple alarms and/or alarm propagation to achieve a specific goal to evade detection or prevent intended responses from occurring. (Citation: Jos Wetzels, Marina Krotofil 2019) Methods of suppression often rely on modification of alarm settings, such as modifying in memory code to fixed values or tampering with assembly level instruction code. |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_data_sources[2] | Network Traffic: Network Traffic Content | Asset: Asset Inventory |
| x_mitre_data_sources[3] | Asset: Asset Inventory | Network Traffic: Network Traffic Content |
| x_mitre_version | 1.1 | 1.2 |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'Marshall Abrams July 2008', 'description': 'Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 ', 'url': 'https://web.archive.org/web/20200802103218/https://www.mitre.org/sites/default/files/pdf/08_1145.pdf'} | |
[T0836] Modify Parameter
Current version: 1.2
Version changed from: 1.1 → 1.2
|
|
|---|
| t | Adversaries may modify parameters used to instruct industria | t | Adversaries may modify parameters used to instruct industria |
| l control system devices. These devices operate via programs | | l control system devices. These devices operate via programs |
| that dictate how and when to perform actions based on such | | that dictate how and when to perform actions based on such |
| parameters. Such parameters can determine the extent to whic | | parameters. Such parameters can determine the extent to whic |
| h an action is performed and may specify additional options. | | h an action is performed and may specify additional options. |
| For example, a program on a control system device dictating | | For example, a program on a control system device dictating |
| motor processes may take a parameter defining the total num | | motor processes may take a parameter defining the total num |
| ber of seconds to run that motor. An adversary can po | | ber of seconds to run that motor. An adversary can po |
| tentially modify these parameters to produce an outcome outs | | tentially modify these parameters to produce an outcome outs |
| ide of what was intended by the operators. By modifying syst | | ide of what was intended by the operators. By modifying syst |
| em and process critical parameters, the adversary may cause | | em and process critical parameters, the adversary may cause |
| [Impact](https://attack.mitre.org/tactics/TA0105) to equipme | | [Impact](https://attack.mitre.org/tactics/TA0105) to equipme |
| nt and/or control processes. Modified parameters may be turn | | nt and/or control processes. Modified parameters may be turn |
| ed into dangerous, out-of-bounds, or unexpected values from | | ed into dangerous, out-of-bounds, or unexpected values from |
| typical operations. For example, specifying that a process r | | typical operations. For example, specifying that a process r |
| un for more or less time than it should, or dictating an unu | | un for more or less time than it should, or dictating an unu |
| sually high, low, or invalid value as a parameter. In the M | | sually high, low, or invalid value as a parameter. |
| aroochy Shire attack, the adversary gained remote computer a | | |
| ccess to the control system and altered data so that whateve | | |
| r function should have occurred at affected pumping stations | | |
| did not occur or occurred in a different way. The software | | |
| program installed in the laptop was one developed for changi | | |
| ng configurations in the PDS computers. This ultimately led | | |
| to 800,000 liters of raw sewage being spilled out into the c | | |
| ommunity.(Citation: Marshall Abrams July 2008) | | |
New Mitigations:
- M0818: Validate Program Inputs
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-20 18:13:48.146000+00:00 | 2023-04-05 14:15:29.756000+00:00 |
| description | Adversaries may modify parameters used to instruct industrial control system devices. These devices operate via programs that dictate how and when to perform actions based on such parameters. Such parameters can determine the extent to which an action is performed and may specify additional options. For example, a program on a control system device dictating motor processes may take a parameter defining the total number of seconds to run that motor.
An adversary can potentially modify these parameters to produce an outcome outside of what was intended by the operators. By modifying system and process critical parameters, the adversary may cause [Impact](https://attack.mitre.org/tactics/TA0105) to equipment and/or control processes. Modified parameters may be turned into dangerous, out-of-bounds, or unexpected values from typical operations. For example, specifying that a process run for more or less time than it should, or dictating an unusually high, low, or invalid value as a parameter.
In the Maroochy Shire attack, the adversary gained remote computer access to the control system and altered data so that whatever function should have occurred at affected pumping stations did not occur or occurred in a different way. The software program installed in the laptop was one developed for changing configurations in the PDS computers. This ultimately led to 800,000 liters of raw sewage being spilled out into the community.(Citation: Marshall Abrams July 2008) | Adversaries may modify parameters used to instruct industrial control system devices. These devices operate via programs that dictate how and when to perform actions based on such parameters. Such parameters can determine the extent to which an action is performed and may specify additional options. For example, a program on a control system device dictating motor processes may take a parameter defining the total number of seconds to run that motor.
An adversary can potentially modify these parameters to produce an outcome outside of what was intended by the operators. By modifying system and process critical parameters, the adversary may cause [Impact](https://attack.mitre.org/tactics/TA0105) to equipment and/or control processes. Modified parameters may be turned into dangerous, out-of-bounds, or unexpected values from typical operations. For example, specifying that a process run for more or less time than it should, or dictating an unusually high, low, or invalid value as a parameter. |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_data_sources[1] | Network Traffic: Network Traffic Content | Operational Databases: Device Alarm |
| x_mitre_data_sources[3] | Operational Databases: Device Alarm | Network Traffic: Network Traffic Content |
| x_mitre_version | 1.1 | 1.2 |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'Marshall Abrams July 2008', 'description': 'Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 ', 'url': 'https://web.archive.org/web/20200802103218/https://www.mitre.org/sites/default/files/pdf/08_1145.pdf'} | |
[T0848] Rogue Master
Current version: 1.2
Version changed from: 1.1 → 1.2
|
|
|---|
| t | Adversaries may setup a rogue master to leverage control ser | t | Adversaries may setup a rogue master to leverage control ser |
| ver functions to communicate with outstations. A rogue maste | | ver functions to communicate with outstations. A rogue maste |
| r can be used to send legitimate control messages to other c | | r can be used to send legitimate control messages to other c |
| ontrol system devices, affecting processes in unintended way | | ontrol system devices, affecting processes in unintended way |
| s. It may also be used to disrupt network communications by | | s. It may also be used to disrupt network communications by |
| capturing and receiving the network traffic meant for the ac | | capturing and receiving the network traffic meant for the ac |
| tual master. Impersonating a master may also allow an advers | | tual master. Impersonating a master may also allow an advers |
| ary to avoid detection. In the Maroochy Shire attack, the | | ary to avoid detection. In the case of the 2017 Dallas Sir |
| adversary falsified network addresses in order to send false | | en incident, adversaries used a rogue master to send command |
| data and instructions to pumping stations.(Citation: Marsha | | messages to the 156 distributed sirens across the city, eit |
| ll Abrams July 2008) In the case of the 2017 Dallas Siren i | | her through a single rogue transmitter with a strong signal, |
| ncident, adversaries used a rogue master to send command mes | | or using many distributed repeaters. (Citation: Bastille Ap |
| sages to the 156 distributed sirens across the city, either | | ril 2017) (Citation: Zack Whittaker April 2017) |
| through a single rogue transmitter with a strong signal, or | | |
| using many distributed repeaters. (Citation: Bastille April | | |
| 2017) (Citation: Zack Whittaker April 2017) | | |
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-20 18:11:21.376000+00:00 | 2023-03-30 20:18:41.277000+00:00 |
| description | Adversaries may setup a rogue master to leverage control server functions to communicate with outstations. A rogue master can be used to send legitimate control messages to other control system devices, affecting processes in unintended ways. It may also be used to disrupt network communications by capturing and receiving the network traffic meant for the actual master. Impersonating a master may also allow an adversary to avoid detection.
In the Maroochy Shire attack, the adversary falsified network addresses in order to send false data and instructions to pumping stations.(Citation: Marshall Abrams July 2008)
In the case of the 2017 Dallas Siren incident, adversaries used a rogue master to send command messages to the 156 distributed sirens across the city, either through a single rogue transmitter with a strong signal, or using many distributed repeaters. (Citation: Bastille April 2017) (Citation: Zack Whittaker April 2017) | Adversaries may setup a rogue master to leverage control server functions to communicate with outstations. A rogue master can be used to send legitimate control messages to other control system devices, affecting processes in unintended ways. It may also be used to disrupt network communications by capturing and receiving the network traffic meant for the actual master. Impersonating a master may also allow an adversary to avoid detection.
In the case of the 2017 Dallas Siren incident, adversaries used a rogue master to send command messages to the 156 distributed sirens across the city, either through a single rogue transmitter with a strong signal, or using many distributed repeaters. (Citation: Bastille April 2017) (Citation: Zack Whittaker April 2017) |
| kill_chain_phases[0]['phase_name'] | initial-access-ics | initial-access |
| external_references[2]['source_name'] | Marshall Abrams July 2008 | Zack Whittaker April 2017 |
| external_references[2]['description'] | Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 | Zack Whittaker 2017, April 12 Dallas' emergency sirens were hacked with a rogue radio signal Retrieved. 2020/11/06 |
| external_references[2]['url'] | https://web.archive.org/web/20200802103218/https://www.mitre.org/sites/default/files/pdf/08_1145.pdf | https://www.zdnet.com/article/experts-think-they-know-how-dallas-emergency-sirens-were-hacked/ |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_data_sources[0] | Application Log: Application Log Content | Network Traffic: Network Traffic Content |
| x_mitre_data_sources[1] | Asset: Asset Inventory | Operational Databases: Device Alarm |
| x_mitre_data_sources[2] | Operational Databases: Device Alarm | Asset: Asset Inventory |
| x_mitre_data_sources[3] | Network Traffic: Network Traffic Content | Network Traffic: Network Traffic Flow |
| x_mitre_data_sources[4] | Network Traffic: Network Traffic Flow | Application Log: Application Log Content |
| x_mitre_version | 1.1 | 1.2 |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'Zack Whittaker April 2017', 'description': "Zack Whittaker 2017, April 12 Dallas' emergency sirens were hacked with a rogue radio signal Retrieved. 2020/11/06 ", 'url': 'https://www.zdnet.com/article/experts-think-they-know-how-dallas-emergency-sirens-were-hacked/'} | |
[T0856] Spoof Reporting Message
Current version: 1.2
Version changed from: 1.1 → 1.2
|
|
|---|
| t | Adversaries may spoof reporting messages in control system e | t | Adversaries may spoof reporting messages in control system e |
| nvironments for evasion and to impair process control. In co | | nvironments for evasion and to impair process control. In co |
| ntrol systems, reporting messages contain telemetry data (e. | | ntrol systems, reporting messages contain telemetry data (e. |
| g., I/O values) pertaining to the current state of equipment | | g., I/O values) pertaining to the current state of equipment |
| and the industrial process. Reporting messages are importan | | and the industrial process. Reporting messages are importan |
| t for monitoring the normal operation of a system or identif | | t for monitoring the normal operation of a system or identif |
| ying important events such as deviations from expected value | | ying important events such as deviations from expected value |
| s. If an adversary has the ability to Spoof Reporting Mess | | s. If an adversary has the ability to Spoof Reporting Mess |
| ages, they can impact the control system in many ways. The a | | ages, they can impact the control system in many ways. The a |
| dversary can Spoof Reporting Messages that state that the pr | | dversary can Spoof Reporting Messages that state that the pr |
| ocess is operating normally, as a form of evasion. The adver | | ocess is operating normally, as a form of evasion. The adver |
| sary could also Spoof Reporting Messages to make the defende | | sary could also Spoof Reporting Messages to make the defende |
| rs and operators think that other errors are occurring in or | | rs and operators think that other errors are occurring in or |
| der to distract them from the actual source of a problem. (C | | der to distract them from the actual source of a problem. (C |
| itation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) | | itation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) |
| In the Maroochy Shire attack, the adversary used a dedicated | | |
| analog two-way radio system to send false data and instruct | | |
| ions to pumping stations and the central computer.(Citation: | | |
| Marshall Abrams July 2008) | | |
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-20 18:16:21.548000+00:00 | 2023-03-30 20:19:14.351000+00:00 |
| description | Adversaries may spoof reporting messages in control system environments for evasion and to impair process control. In control systems, reporting messages contain telemetry data (e.g., I/O values) pertaining to the current state of equipment and the industrial process. Reporting messages are important for monitoring the normal operation of a system or identifying important events such as deviations from expected values.
If an adversary has the ability to Spoof Reporting Messages, they can impact the control system in many ways. The adversary can Spoof Reporting Messages that state that the process is operating normally, as a form of evasion. The adversary could also Spoof Reporting Messages to make the defenders and operators think that other errors are occurring in order to distract them from the actual source of a problem. (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)
In the Maroochy Shire attack, the adversary used a dedicated analog two-way radio system to send false data and instructions to pumping stations and the central computer.(Citation: Marshall Abrams July 2008) | Adversaries may spoof reporting messages in control system environments for evasion and to impair process control. In control systems, reporting messages contain telemetry data (e.g., I/O values) pertaining to the current state of equipment and the industrial process. Reporting messages are important for monitoring the normal operation of a system or identifying important events such as deviations from expected values.
If an adversary has the ability to Spoof Reporting Messages, they can impact the control system in many ways. The adversary can Spoof Reporting Messages that state that the process is operating normally, as a form of evasion. The adversary could also Spoof Reporting Messages to make the defenders and operators think that other errors are occurring in order to distract them from the actual source of a problem. (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) |
| kill_chain_phases[0]['phase_name'] | evasion-ics | evasion |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_data_sources[0] | Network Traffic: Network Traffic Flow | Network Traffic: Network Traffic Content |
| x_mitre_data_sources[1] | Operational Databases: Device Alarm | Windows Registry: Windows Registry Key Modification |
| x_mitre_data_sources[2] | Windows Registry: Windows Registry Key Modification | Operational Databases: Device Alarm |
| x_mitre_data_sources[3] | Network Traffic: Network Traffic Content | Network Traffic: Network Traffic Flow |
| x_mitre_version | 1.1 | 1.2 |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'Marshall Abrams July 2008', 'description': 'Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 ', 'url': 'https://web.archive.org/web/20200802103218/https://www.mitre.org/sites/default/files/pdf/08_1145.pdf'} | |
[T0864] Transient Cyber Asset
Current version: 1.2
Version changed from: 1.1 → 1.2
|
|
|---|
| t | Adversaries may target devices that are transient across ICS | t | Adversaries may target devices that are transient across ICS |
| networks and external networks. Normally, transient assets | | networks and external networks. Normally, transient assets |
| are brought into an environment by authorized personnel and | | are brought into an environment by authorized personnel and |
| do not remain in that environment on a permanent basis. (Cit | | do not remain in that environment on a permanent basis. (Cit |
| ation: North American Electric Reliability Corporation June | | ation: North American Electric Reliability Corporation June |
| 2021) Transient assets are commonly needed to support manage | | 2021) Transient assets are commonly needed to support manage |
| ment functions and may be more common in systems where a rem | | ment functions and may be more common in systems where a rem |
| otely managed asset is not feasible, external connections fo | | otely managed asset is not feasible, external connections fo |
| r remote access do not exist, or 3rd party contractor/vendor | | r remote access do not exist, or 3rd party contractor/vendor |
| access is required. Adversaries may take advantage of tra | | access is required. Adversaries may take advantage of tra |
| nsient assets in different ways. For instance, adversaries m | | nsient assets in different ways. For instance, adversaries m |
| ay target a transient asset when it is connected to an exter | | ay target a transient asset when it is connected to an exter |
| nal network and then leverage its trusted access in another | | nal network and then leverage its trusted access in another |
| environment to launch an attack. They may also take advantag | | environment to launch an attack. They may also take advantag |
| e of installed applications and libraries that are used by l | | e of installed applications and libraries that are used by l |
| egitimate end-users to interact with control system devices. | | egitimate end-users to interact with control system devices. |
| Transient assets, in some cases, may not be deployed with | | Transient assets, in some cases, may not be deployed with |
| a secure configuration leading to weaknesses that could all | | a secure configuration leading to weaknesses that could all |
| ow an adversary to propagate malicious executable code, e.g. | | ow an adversary to propagate malicious executable code, e.g. |
| , the transient asset may be infected by malware and when co | | , the transient asset may be infected by malware and when co |
| nnected to an ICS environment the malware propagates onto ot | | nnected to an ICS environment the malware propagates onto ot |
| her systems. In the Maroochy Shire attack, the adversary u | | her systems. |
| tilized a computer, possibly stolen, with proprietary engine | | |
| ering software to communicate with a wastewater system.(Cita | | |
| tion: Marshall Abrams July 2008) | | |
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-20 18:13:19.252000+00:00 | 2023-03-30 20:19:41.272000+00:00 |
| description | Adversaries may target devices that are transient across ICS networks and external networks. Normally, transient assets are brought into an environment by authorized personnel and do not remain in that environment on a permanent basis. (Citation: North American Electric Reliability Corporation June 2021) Transient assets are commonly needed to support management functions and may be more common in systems where a remotely managed asset is not feasible, external connections for remote access do not exist, or 3rd party contractor/vendor access is required.
Adversaries may take advantage of transient assets in different ways. For instance, adversaries may target a transient asset when it is connected to an external network and then leverage its trusted access in another environment to launch an attack. They may also take advantage of installed applications and libraries that are used by legitimate end-users to interact with control system devices.
Transient assets, in some cases, may not be deployed with a secure configuration leading to weaknesses that could allow an adversary to propagate malicious executable code, e.g., the transient asset may be infected by malware and when connected to an ICS environment the malware propagates onto other systems.
In the Maroochy Shire attack, the adversary utilized a computer, possibly stolen, with proprietary engineering software to communicate with a wastewater system.(Citation: Marshall Abrams July 2008) | Adversaries may target devices that are transient across ICS networks and external networks. Normally, transient assets are brought into an environment by authorized personnel and do not remain in that environment on a permanent basis. (Citation: North American Electric Reliability Corporation June 2021) Transient assets are commonly needed to support management functions and may be more common in systems where a remotely managed asset is not feasible, external connections for remote access do not exist, or 3rd party contractor/vendor access is required.
Adversaries may take advantage of transient assets in different ways. For instance, adversaries may target a transient asset when it is connected to an external network and then leverage its trusted access in another environment to launch an attack. They may also take advantage of installed applications and libraries that are used by legitimate end-users to interact with control system devices.
Transient assets, in some cases, may not be deployed with a secure configuration leading to weaknesses that could allow an adversary to propagate malicious executable code, e.g., the transient asset may be infected by malware and when connected to an ICS environment the malware propagates onto other systems. |
| kill_chain_phases[0]['phase_name'] | initial-access-ics | initial-access |
| external_references[1]['source_name'] | Marshall Abrams July 2008 | North American Electric Reliability Corporation June 2021 |
| external_references[1]['description'] | Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 | North American Electric Reliability Corporation 2021, June 28 Glossary of Terms Used in NERC Reliability Standards Retrieved. 2021/10/11 |
| external_references[1]['url'] | https://web.archive.org/web/20200802103218/https://www.mitre.org/sites/default/files/pdf/08_1145.pdf | https://www.nerc.com/files/glossary_of_terms.pdf |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_data_sources[0] | Application Log: Application Log Content | Network Traffic: Network Traffic Flow |
| x_mitre_data_sources[1] | Network Traffic: Network Traffic Flow | Application Log: Application Log Content |
| x_mitre_version | 1.1 | 1.2 |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'North American Electric Reliability Corporation June 2021', 'description': 'North American Electric Reliability Corporation 2021, June 28 Glossary of Terms Used in NERC Reliability Standards Retrieved. 2021/10/11 ', 'url': 'https://www.nerc.com/files/glossary_of_terms.pdf'} | |
[T0855] Unauthorized Command Message
Current version: 1.2
Version changed from: 1.1 → 1.2
|
|
|---|
| t | Adversaries may send unauthorized command messages to instru | t | Adversaries may send unauthorized command messages to instru |
| ct control system assets to perform actions outside of their | | ct control system assets to perform actions outside of their |
| intended functionality, or without the logical precondition | | intended functionality, or without the logical precondition |
| s to trigger their expected function. Command messages are u | | s to trigger their expected function. Command messages are u |
| sed in ICS networks to give direct instructions to control s | | sed in ICS networks to give direct instructions to control s |
| ystems devices. If an adversary can send an unauthorized com | | ystems devices. If an adversary can send an unauthorized com |
| mand message to a control system, then it can instruct the c | | mand message to a control system, then it can instruct the c |
| ontrol systems device to perform an action outside the norma | | ontrol systems device to perform an action outside the norma |
| l bounds of the device's actions. An adversary could potenti | | l bounds of the device's actions. An adversary could potenti |
| ally instruct a control systems device to perform an action | | ally instruct a control systems device to perform an action |
| that will cause an [Impact](https://attack.mitre.org/tactics | | that will cause an [Impact](https://attack.mitre.org/tactics |
| /TA0105). (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sas | | /TA0105). (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sas |
| try 2011) In the Maroochy Shire attack, the adversary used | | try 2011) In the Dallas Siren incident, adversaries were ab |
| a dedicated analog two-way radio system to send false data a | | le to send command messages to activate tornado alarm system |
| nd instructions to pumping stations and the central computer | | s across the city without an impending tornado or other disa |
| .(Citation: Marshall Abrams July 2008) In the Dallas Siren | | ster. (Citation: Zack Whittaker April 2017) (Citation: Benja |
| incident, adversaries were able to send command messages to | | min Freed March 2019) |
| activate tornado alarm systems across the city without an im | | |
| pending tornado or other disaster. (Citation: Zack Whittaker | | |
| April 2017) (Citation: Benjamin Freed March 2019) | | |
New Mitigations:
- M0818: Validate Program Inputs
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-20 18:10:48.892000+00:00 | 2023-04-05 14:16:02.811000+00:00 |
| description | Adversaries may send unauthorized command messages to instruct control system assets to perform actions outside of their intended functionality, or without the logical preconditions to trigger their expected function. Command messages are used in ICS networks to give direct instructions to control systems devices. If an adversary can send an unauthorized command message to a control system, then it can instruct the control systems device to perform an action outside the normal bounds of the device's actions. An adversary could potentially instruct a control systems device to perform an action that will cause an [Impact](https://attack.mitre.org/tactics/TA0105). (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)
In the Maroochy Shire attack, the adversary used a dedicated analog two-way radio system to send false data and instructions to pumping stations and the central computer.(Citation: Marshall Abrams July 2008)
In the Dallas Siren incident, adversaries were able to send command messages to activate tornado alarm systems across the city without an impending tornado or other disaster. (Citation: Zack Whittaker April 2017) (Citation: Benjamin Freed March 2019) | Adversaries may send unauthorized command messages to instruct control system assets to perform actions outside of their intended functionality, or without the logical preconditions to trigger their expected function. Command messages are used in ICS networks to give direct instructions to control systems devices. If an adversary can send an unauthorized command message to a control system, then it can instruct the control systems device to perform an action outside the normal bounds of the device's actions. An adversary could potentially instruct a control systems device to perform an action that will cause an [Impact](https://attack.mitre.org/tactics/TA0105). (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)
In the Dallas Siren incident, adversaries were able to send command messages to activate tornado alarm systems across the city without an impending tornado or other disaster. (Citation: Zack Whittaker April 2017) (Citation: Benjamin Freed March 2019) |
| external_references[3]['source_name'] | Marshall Abrams July 2008 | Zack Whittaker April 2017 |
| external_references[3]['description'] | Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 | Zack Whittaker 2017, April 12 Dallas' emergency sirens were hacked with a rogue radio signal Retrieved. 2020/11/06 |
| external_references[3]['url'] | https://web.archive.org/web/20200802103218/https://www.mitre.org/sites/default/files/pdf/08_1145.pdf | https://www.zdnet.com/article/experts-think-they-know-how-dallas-emergency-sirens-were-hacked/ |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_data_sources[0] | Application Log: Application Log Content | Network Traffic: Network Traffic Content |
| x_mitre_data_sources[1] | Operational Databases: Process/Event Alarm | Application Log: Application Log Content |
| x_mitre_data_sources[2] | Operational Databases: Process History/Live Data | Operational Databases: Process/Event Alarm |
| x_mitre_data_sources[4] | Network Traffic: Network Traffic Content | Operational Databases: Process History/Live Data |
| x_mitre_version | 1.1 | 1.2 |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'Zack Whittaker April 2017', 'description': "Zack Whittaker 2017, April 12 Dallas' emergency sirens were hacked with a rogue radio signal Retrieved. 2020/11/06 ", 'url': 'https://www.zdnet.com/article/experts-think-they-know-how-dallas-emergency-sirens-were-hacked/'} | |
[T0860] Wireless Compromise
Current version: 1.2
Version changed from: 1.1 → 1.2
|
|
|---|
| t | Adversaries may perform wireless compromise as a method of g | t | Adversaries may perform wireless compromise as a method of g |
| aining communications and unauthorized access to a wireless | | aining communications and unauthorized access to a wireless |
| network. Access to a wireless network may be gained through | | network. Access to a wireless network may be gained through |
| the compromise of a wireless device. (Citation: Alexander Bo | | the compromise of a wireless device. (Citation: Alexander Bo |
| lshev, Gleb Cherbov July 2014) (Citation: Alexander Bolshev | | lshev, Gleb Cherbov July 2014) (Citation: Alexander Bolshev |
| March 2014) Adversaries may also utilize radios and other wi | | March 2014) Adversaries may also utilize radios and other wi |
| reless communication devices on the same frequency as the wi | | reless communication devices on the same frequency as the wi |
| reless network. Wireless compromise can be done as an initia | | reless network. Wireless compromise can be done as an initia |
| l access vector from a remote distance. In the Maroochy Sh | | l access vector from a remote distance. A Polish student u |
| ire attack, the adversary used a two-way radio to communicat | | sed a modified TV remote controller to gain access to and co |
| e with and set the frequencies of Maroochy Shire's repeater | | ntrol over the Lodz city tram system in Poland. (Citation: J |
| stations.(Citation: Marshall Abrams July 2008) A Polish stu | | ohn Bill May 2017) (Citation: Shelley Smith February 2008) T |
| dent used a modified TV remote controller to gain access to | | he remote controller device allowed the student to interface |
| and control over the Lodz city tram system in Poland. (Citat | | with the trams network to modify track settings and overrid |
| ion: John Bill May 2017) (Citation: Shelley Smith February 2 | | e operator control. The adversary may have accomplished this |
| 008) The remote controller device allowed the student to int | | by aligning the controller to the frequency and amplitude o |
| erface with the trams network to modify track settings and o | | f IR control protocol signals. (Citation: Bruce Schneier Jan |
| verride operator control. The adversary may have accomplishe | | uary 2008) The controller then enabled initial access to the |
| d this by aligning the controller to the frequency and ampli | | network, allowing the capture and replay of tram signals. ( |
| tude of IR control protocol signals. (Citation: Bruce Schnei | | Citation: John Bill May 2017) |
| er January 2008) The controller then enabled initial access | | |
| to the network, allowing the capture and replay of tram sign | | |
| als. (Citation: John Bill May 2017) | | |
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-20 20:40:16.860000+00:00 | 2023-03-30 20:20:38.285000+00:00 |
| description | Adversaries may perform wireless compromise as a method of gaining communications and unauthorized access to a wireless network. Access to a wireless network may be gained through the compromise of a wireless device. (Citation: Alexander Bolshev, Gleb Cherbov July 2014) (Citation: Alexander Bolshev March 2014) Adversaries may also utilize radios and other wireless communication devices on the same frequency as the wireless network. Wireless compromise can be done as an initial access vector from a remote distance.
In the Maroochy Shire attack, the adversary used a two-way radio to communicate with and set the frequencies of Maroochy Shire's repeater stations.(Citation: Marshall Abrams July 2008)
A Polish student used a modified TV remote controller to gain access to and control over the Lodz city tram system in Poland. (Citation: John Bill May 2017) (Citation: Shelley Smith February 2008) The remote controller device allowed the student to interface with the trams network to modify track settings and override operator control. The adversary may have accomplished this by aligning the controller to the frequency and amplitude of IR control protocol signals. (Citation: Bruce Schneier January 2008) The controller then enabled initial access to the network, allowing the capture and replay of tram signals. (Citation: John Bill May 2017) | Adversaries may perform wireless compromise as a method of gaining communications and unauthorized access to a wireless network. Access to a wireless network may be gained through the compromise of a wireless device. (Citation: Alexander Bolshev, Gleb Cherbov July 2014) (Citation: Alexander Bolshev March 2014) Adversaries may also utilize radios and other wireless communication devices on the same frequency as the wireless network. Wireless compromise can be done as an initial access vector from a remote distance.
A Polish student used a modified TV remote controller to gain access to and control over the Lodz city tram system in Poland. (Citation: John Bill May 2017) (Citation: Shelley Smith February 2008) The remote controller device allowed the student to interface with the trams network to modify track settings and override operator control. The adversary may have accomplished this by aligning the controller to the frequency and amplitude of IR control protocol signals. (Citation: Bruce Schneier January 2008) The controller then enabled initial access to the network, allowing the capture and replay of tram signals. (Citation: John Bill May 2017) |
| kill_chain_phases[0]['phase_name'] | initial-access-ics | initial-access |
| external_references[5]['source_name'] | Marshall Abrams July 2008 | Shelley Smith February 2008 |
| external_references[5]['description'] | Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 | Shelley Smith 2008, February 12 Teen Hacker in Poland Plays Trains and Derails City Tram System Retrieved. 2019/10/17 |
| external_references[5]['url'] | https://web.archive.org/web/20200802103218/https://www.mitre.org/sites/default/files/pdf/08_1145.pdf | https://inhomelandsecurity.com/teen_hacker_in_poland_plays_tr/ |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.1 | 1.2 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | | Application Log: Application Log Content |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'Shelley Smith February 2008', 'description': 'Shelley Smith 2008, February 12 Teen Hacker in Poland Plays Trains and Derails City Tram System Retrieved. 2019/10/17 ', 'url': 'https://inhomelandsecurity.com/teen_hacker_in_poland_plays_tr/'} | |
| x_mitre_data_sources | Application Log: Application Log Content | |
Patches
[T0830] Adversary-in-the-Middle
Current version: 2.0
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-09-26 20:38:32.749000+00:00 | 2023-03-09 18:38:51.471000+00:00 |
| kill_chain_phases[0]['phase_name'] | collection-ics | collection |
| x_mitre_data_sources[2] | Service: Service Creation | Process: Process Creation |
| x_mitre_data_sources[5] | Process: Process Creation | Service: Service Creation |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | | Windows Registry: Windows Registry Key Modification |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | Windows Registry: Windows Registry Key Modification | |
[T0802] Automated Collection
Current version: 1.0
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-09 18:38:51.471000+00:00 |
| kill_chain_phases[0]['phase_name'] | collection-ics | collection |
| x_mitre_data_sources[0] | Network Traffic: Network Traffic Content | Command: Command Execution |
| x_mitre_data_sources[1] | File: File Access | Network Traffic: Network Traffic Content |
| x_mitre_data_sources[3] | Command: Command Execution | File: File Access |
[T0858] Change Operating Mode
Current version: 1.0
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-05-24 11:42:52.057000+00:00 | 2023-03-09 18:38:51.471000+00:00 |
| kill_chain_phases[0]['phase_name'] | execution-ics | execution |
| kill_chain_phases[1]['phase_name'] | evasion-ics | evasion |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_data_sources[0] | Application Log: Application Log Content | Network Traffic: Network Traffic Content |
| x_mitre_data_sources[1] | Network Traffic: Network Traffic Content | Application Log: Application Log Content |
[T0807] Command-Line Interface
Current version: 1.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-09-27 15:30:18.702000+00:00 | 2023-03-09 18:38:51.471000+00:00 |
| kill_chain_phases[0]['phase_name'] | execution-ics | execution |
[T0885] Commonly Used Port
Current version: 1.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-09-27 18:49:25.201000+00:00 | 2023-03-09 18:38:51.471000+00:00 |
| kill_chain_phases[0]['phase_name'] | command-and-control-ics | command-and-control |
| x_mitre_data_sources[0] | Network Traffic: Network Traffic Flow | Network Traffic: Network Traffic Content |
| x_mitre_data_sources[1] | Network Traffic: Network Traffic Content | Network Traffic: Network Traffic Flow |
[T0884] Connection Proxy
Current version: 1.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-20 21:01:00.402000+00:00 | 2023-03-09 18:38:51.471000+00:00 |
| kill_chain_phases[0]['phase_name'] | command-and-control-ics | command-and-control |
| x_mitre_data_sources[0] | Network Traffic: Network Traffic Content | Network Traffic: Network Traffic Flow |
| x_mitre_data_sources[1] | Network Traffic: Network Traffic Flow | Network Traffic: Network Traffic Content |
[T0812] Default Credentials
Current version: 1.0
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-09-19 14:07:23.199000+00:00 | 2023-03-09 18:38:51.471000+00:00 |
| kill_chain_phases[0]['phase_name'] | lateral-movement-ics | lateral-movement |
[T0868] Detect Operating Mode
Current version: 1.0
|
|
|---|
| t | Adversaries may gather information about a PLCs or controlle | t | Adversaries may gather information about a PLCs or controlle |
| rs current operating mode. Operating modes dictate what chan | | rs current operating mode. Operating modes dictate what chan |
| ge or maintenance functions can be manipulated and are often | | ge or maintenance functions can be manipulated and are often |
| controlled by a key switch on the PLC (e.g., run, prog [pr | | controlled by a key switch on the PLC (e.g., run, prog [pr |
| ogram], and remote). Knowledge of these states may be valuab | | ogram], and remote). Knowledge of these states may be valuab |
| le to an adversary to determine if they are able to reprogra | | le to an adversary to determine if they are able to reprogra |
| m the PLC. Operating modes and the mechanisms by which they | | m the PLC. Operating modes and the mechanisms by which they |
| are selected often vary by vendor and product line. Some com | | are selected often vary by vendor and product line. Some com |
| monly implemented operating modes are described below: * | | monly implemented operating modes are described below: * |
| Program - This mode must be enabled before changes can be ma | | Program - This mode must be enabled before changes can be ma |
| de to a devices program. This allows program uploads and dow | | de to a devices program. This allows program uploads and dow |
| nloads between the device and an engineering workstation. Of | | nloads between the device and an engineering workstation. Of |
| ten the PLCs logic Is halted, and all outputs may be forced | | ten the PLCs logic Is halted, and all outputs may be forced |
| off. (Citation: N.A. October 2017) * Run - Execution of th | | off. (Citation: N.A. October 2017) * Run - Execution of th |
| e devices program occurs in this mode. Input and output (val | | e devices program occurs in this mode. Input and output (val |
| ues, points, tags, elements, etc.) are monitored and used ac | | ues, points, tags, elements, etc.) are monitored and used ac |
| cording to the programs logic. [Program Upload](https://atta | | cording to the programs logic.[Program Upload](https://attac |
| ck.mitre.org/techniques/T0845) and [Program Download](https: | | k.mitre.org/techniques/T0845) and [Program Download](https:/ |
| //attack.mitre.org/techniques/T0843) are disabled while in t | | /attack.mitre.org/techniques/T0843) are disabled while in th |
| his mode. (Citation: Omron) (Citation: Machine Information S | | is mode. (Citation: Omron) (Citation: Machine Information Sy |
| ystems 2007) (Citation: N.A. October 2017) (Citation: PLCgu | | stems 2007) (Citation: N.A. October 2017) (Citation: PLCgur |
| rus 2021) * Remote - Allows for remote changes to a PLCs | | us 2021) * Remote - Allows for remote changes to a PLCs o |
| operation mode. (Citation: PLCgurus 2021) * Stop - The P | | peration mode. (Citation: PLCgurus 2021) * Stop - The PL |
| LC and program is stopped, while in this mode, outputs are f | | C and program is stopped, while in this mode, outputs are fo |
| orced off. (Citation: Machine Information Systems 2007) * | | rced off. (Citation: Machine Information Systems 2007) * |
| Reset - Conditions on the PLC are reset to their original s | | Reset - Conditions on the PLC are reset to their original st |
| tates. Warm resets may retain some memory while cold resets | | ates. Warm resets may retain some memory while cold resets w |
| will reset all I/O and data registers. (Citation: Machine In | | ill reset all I/O and data registers. (Citation: Machine Inf |
| formation Systems 2007) * Test / Monitor mode - Similar t | | ormation Systems 2007) * Test / Monitor mode - Similar to |
| o run mode, I/O is processed, although this mode allows for | | run mode, I/O is processed, although this mode allows for m |
| monitoring, force set, resets, and more generally tuning or | | onitoring, force set, resets, and more generally tuning or d |
| debugging of the system. Often monitor mode may be used as a | | ebugging of the system. Often monitor mode may be used as a |
| trial for initialization. (Citation: Omron) | | trial for initialization. (Citation: Omron) |
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-05-24 11:48:05.134000+00:00 | 2023-03-09 18:38:51.471000+00:00 |
| description | Adversaries may gather information about a PLCs or controllers current operating mode. Operating modes dictate what change or maintenance functions can be manipulated and are often controlled by a key switch on the PLC (e.g., run, prog [program], and remote). Knowledge of these states may be valuable to an adversary to determine if they are able to reprogram the PLC. Operating modes and the mechanisms by which they are selected often vary by vendor and product line. Some commonly implemented operating modes are described below:
* Program - This mode must be enabled before changes can be made to a devices program. This allows program uploads and downloads between the device and an engineering workstation. Often the PLCs logic Is halted, and all outputs may be forced off. (Citation: N.A. October 2017)
* Run - Execution of the devices program occurs in this mode. Input and output (values, points, tags, elements, etc.) are monitored and used according to the programs logic. [Program Upload](https://attack.mitre.org/techniques/T0845) and [Program Download](https://attack.mitre.org/techniques/T0843) are disabled while in this mode. (Citation: Omron) (Citation: Machine Information Systems 2007) (Citation: N.A. October 2017) (Citation: PLCgurus 2021)
* Remote - Allows for remote changes to a PLCs operation mode. (Citation: PLCgurus 2021)
* Stop - The PLC and program is stopped, while in this mode, outputs are forced off. (Citation: Machine Information Systems 2007)
* Reset - Conditions on the PLC are reset to their original states. Warm resets may retain some memory while cold resets will reset all I/O and data registers. (Citation: Machine Information Systems 2007)
* Test / Monitor mode - Similar to run mode, I/O is processed, although this mode allows for monitoring, force set, resets, and more generally tuning or debugging of the system. Often monitor mode may be used as a trial for initialization. (Citation: Omron) | Adversaries may gather information about a PLCs or controllers current operating mode. Operating modes dictate what change or maintenance functions can be manipulated and are often controlled by a key switch on the PLC (e.g., run, prog [program], and remote). Knowledge of these states may be valuable to an adversary to determine if they are able to reprogram the PLC. Operating modes and the mechanisms by which they are selected often vary by vendor and product line. Some commonly implemented operating modes are described below:
* Program - This mode must be enabled before changes can be made to a devices program. This allows program uploads and downloads between the device and an engineering workstation. Often the PLCs logic Is halted, and all outputs may be forced off. (Citation: N.A. October 2017)
* Run - Execution of the devices program occurs in this mode. Input and output (values, points, tags, elements, etc.) are monitored and used according to the programs logic.[Program Upload](https://attack.mitre.org/techniques/T0845) and [Program Download](https://attack.mitre.org/techniques/T0843) are disabled while in this mode. (Citation: Omron) (Citation: Machine Information Systems 2007) (Citation: N.A. October 2017) (Citation: PLCgurus 2021)
* Remote - Allows for remote changes to a PLCs operation mode. (Citation: PLCgurus 2021)
* Stop - The PLC and program is stopped, while in this mode, outputs are forced off. (Citation: Machine Information Systems 2007)
* Reset - Conditions on the PLC are reset to their original states. Warm resets may retain some memory while cold resets will reset all I/O and data registers. (Citation: Machine Information Systems 2007)
* Test / Monitor mode - Similar to run mode, I/O is processed, although this mode allows for monitoring, force set, resets, and more generally tuning or debugging of the system. Often monitor mode may be used as a trial for initialization. (Citation: Omron) |
| kill_chain_phases[0]['phase_name'] | collection-ics | collection |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
[T0817] Drive-by Compromise
Current version: 1.0
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-09-20 18:27:54.818000+00:00 | 2023-03-09 18:38:51.471000+00:00 |
| kill_chain_phases[0]['phase_name'] | initial-access-ics | initial-access |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | | File: File Creation |
| x_mitre_data_sources | | Network Traffic: Network Traffic Content |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | Network Traffic: Network Traffic Content | |
| x_mitre_data_sources | File: File Creation | |
[T0871] Execution through API
Current version: 1.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-09-27 15:32:03.427000+00:00 | 2023-03-09 18:38:51.471000+00:00 |
| kill_chain_phases[0]['phase_name'] | execution-ics | execution |
[T0819] Exploit Public-Facing Application
Current version: 1.0
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-09-19 14:21:18.045000+00:00 | 2023-03-09 18:38:51.471000+00:00 |
| kill_chain_phases[0]['phase_name'] | initial-access-ics | initial-access |
[T0820] Exploitation for Evasion
Current version: 1.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-09-30 15:28:37.716000+00:00 | 2023-03-09 18:38:51.471000+00:00 |
| kill_chain_phases[0]['phase_name'] | evasion-ics | evasion |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
[T0866] Exploitation of Remote Services
Current version: 1.0
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-09-20 19:23:07.842000+00:00 | 2023-03-09 18:38:51.471000+00:00 |
| kill_chain_phases[0]['phase_name'] | initial-access-ics | initial-access |
| kill_chain_phases[1]['phase_name'] | lateral-movement-ics | lateral-movement |
| x_mitre_data_sources[0] | Network Traffic: Network Traffic Content | Application Log: Application Log Content |
| x_mitre_data_sources[1] | Application Log: Application Log Content | Network Traffic: Network Traffic Content |
[T0823] Graphical User Interface
Current version: 1.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-09-30 15:02:29.881000+00:00 | 2023-03-09 18:38:51.471000+00:00 |
| kill_chain_phases[0]['phase_name'] | execution-ics | execution |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | | Process: Process Creation |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | Process: Process Creation | |
[T0891] Hardcoded Credentials
Current version: 1.0
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-09-29 20:54:56.812000+00:00 | 2023-03-09 18:38:51.471000+00:00 |
| kill_chain_phases[0]['phase_name'] | lateral-movement-ics | lateral-movement |
| kill_chain_phases[1]['phase_name'] | persistence-ics | persistence |
| x_mitre_data_sources[0] | Network Traffic: Network Traffic Content | Logon Session: Logon Session Creation |
| x_mitre_data_sources[1] | Logon Session: Logon Session Creation | Network Traffic: Network Traffic Content |
[T0877] I/O Image
Current version: 1.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-09-27 18:41:43.724000+00:00 | 2023-03-09 18:38:51.471000+00:00 |
| kill_chain_phases[0]['phase_name'] | collection-ics | collection |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
[T0872] Indicator Removal on Host
Current version: 1.0
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-09 18:38:51.471000+00:00 |
| kill_chain_phases[0]['phase_name'] | evasion-ics | evasion |
| x_mitre_data_sources[0] | File: File Metadata | File: File Modification |
| x_mitre_data_sources[1] | Process: Process Creation | Windows Registry: Windows Registry Key Deletion |
| x_mitre_data_sources[2] | File: File Modification | File: File Metadata |
| x_mitre_data_sources[3] | Windows Registry: Windows Registry Key Modification | Process: OS API Execution |
| x_mitre_data_sources[5] | Command: Command Execution | Process: Process Creation |
| x_mitre_data_sources[6] | Windows Registry: Windows Registry Key Deletion | Command: Command Execution |
| x_mitre_data_sources[7] | Process: OS API Execution | Windows Registry: Windows Registry Key Modification |
[T0883] Internet Accessible Device
Current version: 1.0
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-09-19 14:34:43.060000+00:00 | 2023-03-09 18:38:51.471000+00:00 |
| kill_chain_phases[0]['phase_name'] | initial-access-ics | initial-access |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
[T0867] Lateral Tool Transfer
Current version: 1.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-09-27 17:39:15.755000+00:00 | 2023-03-09 18:38:51.471000+00:00 |
| kill_chain_phases[0]['phase_name'] | lateral-movement-ics | lateral-movement |
| x_mitre_data_sources[0] | Network Traffic: Network Traffic Content | File: File Metadata |
| x_mitre_data_sources[1] | Network Share: Network Share Access | Network Traffic: Network Traffic Flow |
| x_mitre_data_sources[2] | Network Traffic: Network Traffic Flow | File: File Creation |
| x_mitre_data_sources[3] | Command: Command Execution | Network Traffic: Network Traffic Content |
| x_mitre_data_sources[4] | File: File Creation | Process: Process Creation |
| x_mitre_data_sources[5] | File: File Metadata | Command: Command Execution |
| x_mitre_data_sources[6] | Process: Process Creation | Network Share: Network Share Access |
[T0826] Loss of Availability
Current version: 1.0
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-09-19 14:36:34.715000+00:00 | 2023-03-09 18:38:51.471000+00:00 |
| kill_chain_phases[0]['phase_name'] | impact-ics | impact |
[T0827] Loss of Control
Current version: 1.0
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-09-19 14:38:06.130000+00:00 | 2023-03-09 18:38:51.471000+00:00 |
| kill_chain_phases[0]['phase_name'] | impact-ics | impact |
[T0828] Loss of Productivity and Revenue
Current version: 1.0
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-09-20 19:31:11.106000+00:00 | 2023-03-09 18:38:51.471000+00:00 |
| kill_chain_phases[0]['phase_name'] | impact-ics | impact |
[T0837] Loss of Protection
Current version: 1.0
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-09-19 14:40:19.570000+00:00 | 2023-03-09 18:38:51.471000+00:00 |
| kill_chain_phases[0]['phase_name'] | impact-ics | impact |
[T0880] Loss of Safety
Current version: 1.0
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-09-19 14:41:41.466000+00:00 | 2023-03-09 18:38:51.471000+00:00 |
| kill_chain_phases[0]['phase_name'] | impact-ics | impact |
[T0829] Loss of View
Current version: 1.0
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-09 18:38:51.471000+00:00 |
| kill_chain_phases[0]['phase_name'] | impact-ics | impact |
[T0831] Manipulation of Control
Current version: 1.0
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-05-24 14:57:44.326000+00:00 | 2023-03-09 18:38:51.471000+00:00 |
| kill_chain_phases[0]['phase_name'] | impact-ics | impact |
[T0832] Manipulation of View
Current version: 1.0
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-09-20 19:30:22.792000+00:00 | 2023-03-09 18:38:51.471000+00:00 |
| kill_chain_phases[0]['phase_name'] | impact-ics | impact |
[T0849] Masquerading
Current version: 1.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-09-27 16:56:31.022000+00:00 | 2023-03-09 18:38:51.471000+00:00 |
| kill_chain_phases[0]['phase_name'] | evasion-ics | evasion |
| x_mitre_data_sources[1] | Command: Command Execution | Scheduled Job: Scheduled Job Modification |
| x_mitre_data_sources[2] | Service: Service Modification | File: File Metadata |
| x_mitre_data_sources[3] | Service: Service Creation | Process: Process Metadata |
| x_mitre_data_sources[4] | File: File Modification | Service: Service Modification |
| x_mitre_data_sources[5] | Process: Process Metadata | File: File Modification |
| x_mitre_data_sources[6] | File: File Metadata | Command: Command Execution |
| x_mitre_data_sources[7] | Scheduled Job: Scheduled Job Modification | Service: Service Creation |
[T0821] Modify Controller Tasking
Current version: 1.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-09-27 15:49:27.003000+00:00 | 2023-03-09 18:38:51.471000+00:00 |
| kill_chain_phases[0]['phase_name'] | execution-ics | execution |
| x_mitre_data_sources[1] | Operational Databases: Device Alarm | Application Log: Application Log Content |
| x_mitre_data_sources[2] | Application Log: Application Log Content | Operational Databases: Device Alarm |
[T0889] Modify Program
Current version: 1.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-09-27 16:08:15.574000+00:00 | 2023-03-09 18:38:51.471000+00:00 |
| kill_chain_phases[0]['phase_name'] | persistence-ics | persistence |
| x_mitre_data_sources[2] | Asset: Software | Operational Databases: Device Alarm |
| x_mitre_data_sources[3] | Operational Databases: Device Alarm | Asset: Software |
[T0839] Module Firmware
Current version: 1.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-09-26 18:41:49.037000+00:00 | 2023-03-09 18:38:51.471000+00:00 |
| kill_chain_phases[0]['phase_name'] | persistence-ics | persistence |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_data_sources[2] | Application Log: Application Log Content | Firmware: Firmware Modification |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | | Application Log: Application Log Content |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | Firmware: Firmware Modification | |
[T0801] Monitor Process State
Current version: 1.0
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-09 18:38:51.471000+00:00 |
| kill_chain_phases[0]['phase_name'] | collection-ics | collection |
| x_mitre_data_sources[0] | Application Log: Application Log Content | Network Traffic: Network Traffic Content |
| x_mitre_data_sources[1] | Network Traffic: Network Traffic Content | Application Log: Application Log Content |
[T0834] Native API
Current version: 1.0
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-09-19 14:52:28.584000+00:00 | 2023-03-09 18:38:51.471000+00:00 |
| kill_chain_phases[0]['phase_name'] | execution-ics | execution |
[T0840] Network Connection Enumeration
Current version: 1.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-09-27 17:22:27.357000+00:00 | 2023-03-09 18:38:51.471000+00:00 |
| kill_chain_phases[0]['phase_name'] | discovery-ics | discovery |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_data_sources[1] | Script: Script Execution | Command: Command Execution |
| x_mitre_data_sources[3] | Command: Command Execution | Script: Script Execution |
[T0842] Network Sniffing
Current version: 1.0
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-09-20 19:22:11.937000+00:00 | 2023-03-09 18:38:51.471000+00:00 |
| kill_chain_phases[0]['phase_name'] | discovery-ics | discovery |
| x_mitre_data_sources[0] | Command: Command Execution | Process: Process Creation |
| x_mitre_data_sources[1] | Process: Process Creation | Command: Command Execution |
[T0861] Point & Tag Identification
Current version: 1.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-09-26 15:24:07.480000+00:00 | 2023-03-09 18:38:51.471000+00:00 |
| kill_chain_phases[0]['phase_name'] | collection-ics | collection |
| x_mitre_data_sources[0] | Network Traffic: Network Traffic Content | Application Log: Application Log Content |
| x_mitre_data_sources[1] | Application Log: Application Log Content | Network Traffic: Network Traffic Content |
[T0843] Program Download
Current version: 1.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-09-26 16:25:38.670000+00:00 | 2023-03-09 18:38:51.471000+00:00 |
| kill_chain_phases[0]['phase_name'] | lateral-movement-ics | lateral-movement |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_data_sources[1] | Operational Databases: Device Alarm | Asset: Asset Inventory |
| x_mitre_data_sources[3] | Asset: Asset Inventory | Operational Databases: Device Alarm |
[T0845] Program Upload
Current version: 1.0
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-09 18:38:51.471000+00:00 |
| kill_chain_phases[0]['phase_name'] | collection-ics | collection |
| x_mitre_data_sources[1] | Network Traffic: Network Traffic Flow | Network Traffic: Network Traffic Content |
| x_mitre_data_sources[2] | Network Traffic: Network Traffic Content | Network Traffic: Network Traffic Flow |
[T0873] Project File Infection
Current version: 1.0
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-09-20 18:37:59.276000+00:00 | 2023-03-09 18:38:51.471000+00:00 |
| kill_chain_phases[0]['phase_name'] | persistence-ics | persistence |
[T0886] Remote Services
Current version: 1.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-09-30 15:01:43.553000+00:00 | 2023-03-09 18:38:51.471000+00:00 |
| kill_chain_phases[0]['phase_name'] | initial-access-ics | initial-access |
| kill_chain_phases[1]['phase_name'] | lateral-movement-ics | lateral-movement |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_data_sources[0] | Process: Process Creation | Module: Module Load |
| x_mitre_data_sources[1] | Network Traffic: Network Connection Creation | Process: Process Creation |
| x_mitre_data_sources[2] | Module: Module Load | Network Share: Network Share Access |
| x_mitre_data_sources[3] | Network Share: Network Share Access | Network Traffic: Network Traffic Flow |
| x_mitre_data_sources[6] | Network Traffic: Network Traffic Flow | Network Traffic: Network Connection Creation |
[T0846] Remote System Discovery
Current version: 1.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-09-30 15:34:29.457000+00:00 | 2023-03-09 18:38:51.471000+00:00 |
| kill_chain_phases[0]['phase_name'] | discovery-ics | discovery |
| x_mitre_data_sources[0] | Network Traffic: Network Traffic Content | Network Traffic: Network Traffic Flow |
| x_mitre_data_sources[1] | File: File Access | Network Traffic: Network Traffic Content |
| x_mitre_data_sources[3] | Network Traffic: Network Traffic Flow | File: File Access |
[T0888] Remote System Information Discovery
Current version: 1.1
|
|
|---|
| t | An adversary may attempt to get detailed information about r | t | An adversary may attempt to get detailed information about r |
| emote systems and their peripherals, such as make/model, rol | | emote systems and their peripherals, such as make/model, rol |
| e, and configuration. Adversaries may use information from R | | e, and configuration. Adversaries may use information from R |
| emote System Information Discovery to aid in targeting and s | | emote System Information Discovery to aid in targeting and s |
| haping follow-on behaviors. For example, the systems operati | | haping follow-on behaviors. For example, the system's operat |
| onal role and model information can dictate whether it is a | | ional role and model information can dictate whether it is a |
| relevant target for the adversary's operational objectives. | | relevant target for the adversary's operational objectives. |
| In addition, the systems configuration may be used to scope | | In addition, the system's configuration may be used to scop |
| subsequent technique usage. Requests for system informatio | | e subsequent technique usage. Requests for system informat |
| n are typically implemented using automation and management | | ion are typically implemented using automation and managemen |
| protocols and are often automatically requested by vendor so | | t protocols and are often automatically requested by vendor |
| ftware during normal operation. This information may be used | | software during normal operation. This information may be us |
| to tailor management actions, such as program download and | | ed to tailor management actions, such as program download an |
| system or module firmware. An adversary may leverage this sa | | d system or module firmware. An adversary may leverage this |
| me information by issuing calls directly to the systems API. | | same information by issuing calls directly to the system's A |
| | | PI. |
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-09-26 14:40:01.435000+00:00 | 2023-03-17 15:14:31.276000+00:00 |
| description | An adversary may attempt to get detailed information about remote systems and their peripherals, such as make/model, role, and configuration. Adversaries may use information from Remote System Information Discovery to aid in targeting and shaping follow-on behaviors. For example, the systems operational role and model information can dictate whether it is a relevant target for the adversary's operational objectives. In addition, the systems configuration may be used to scope subsequent technique usage.
Requests for system information are typically implemented using automation and management protocols and are often automatically requested by vendor software during normal operation. This information may be used to tailor management actions, such as program download and system or module firmware. An adversary may leverage this same information by issuing calls directly to the systems API. | An adversary may attempt to get detailed information about remote systems and their peripherals, such as make/model, role, and configuration. Adversaries may use information from Remote System Information Discovery to aid in targeting and shaping follow-on behaviors. For example, the system's operational role and model information can dictate whether it is a relevant target for the adversary's operational objectives. In addition, the system's configuration may be used to scope subsequent technique usage.
Requests for system information are typically implemented using automation and management protocols and are often automatically requested by vendor software during normal operation. This information may be used to tailor management actions, such as program download and system or module firmware. An adversary may leverage this same information by issuing calls directly to the system's API. |
| kill_chain_phases[0]['phase_name'] | discovery-ics | discovery |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_data_sources[0] | Network Traffic: Network Traffic Content | File: File Access |
| x_mitre_data_sources[3] | File: File Access | Network Traffic: Network Traffic Content |
[T0847] Replication Through Removable Media
Current version: 1.0
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-09-20 19:18:25.490000+00:00 | 2023-03-09 18:38:51.471000+00:00 |
| kill_chain_phases[0]['phase_name'] | initial-access-ics | initial-access |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | | Process: Process Creation |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | Process: Process Creation | |
[T0851] Rootkit
Current version: 1.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-20 20:44:34.980000+00:00 | 2023-03-09 18:38:51.471000+00:00 |
| kill_chain_phases[0]['phase_name'] | evasion-ics | evasion |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
[T0852] Screen Capture
Current version: 1.0
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-09 18:38:51.471000+00:00 |
| kill_chain_phases[0]['phase_name'] | collection-ics | collection |
[T0853] Scripting
Current version: 1.0
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-09-20 18:18:34.807000+00:00 | 2023-03-09 18:38:51.471000+00:00 |
| kill_chain_phases[0]['phase_name'] | execution-ics | execution |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | | Script: Script Execution |
| x_mitre_data_sources | | Process: Process Creation |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | Process: Process Creation | |
| x_mitre_data_sources | Script: Script Execution | |
[T0865] Spearphishing Attachment
Current version: 1.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-09-27 15:22:37.964000+00:00 | 2023-03-09 18:38:51.471000+00:00 |
| kill_chain_phases[0]['phase_name'] | initial-access-ics | initial-access |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | | Network Traffic: Network Traffic Content |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | Network Traffic: Network Traffic Content | |
[T0869] Standard Application Layer Protocol
Current version: 1.0
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-09 18:38:51.471000+00:00 |
| kill_chain_phases[0]['phase_name'] | command-and-control-ics | command-and-control |
| x_mitre_data_sources[0] | Network Traffic: Network Traffic Content | Network Traffic: Network Traffic Flow |
| x_mitre_data_sources[1] | Network Traffic: Network Traffic Flow | Network Traffic: Network Traffic Content |
[T0862] Supply Chain Compromise
Current version: 1.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-09-27 15:25:50.699000+00:00 | 2023-03-09 18:38:51.471000+00:00 |
| kill_chain_phases[0]['phase_name'] | initial-access-ics | initial-access |
[T0857] System Firmware
Current version: 1.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-09-26 17:14:52.590000+00:00 | 2023-03-09 18:38:51.471000+00:00 |
| kill_chain_phases[0]['phase_name'] | persistence-ics | persistence |
| x_mitre_data_sources[0] | Network Traffic: Network Traffic Content | Application Log: Application Log Content |
| x_mitre_data_sources[1] | Firmware: Firmware Modification | Operational Databases: Device Alarm |
| x_mitre_data_sources[2] | Application Log: Application Log Content | Network Traffic: Network Traffic Content |
| x_mitre_data_sources[3] | Operational Databases: Device Alarm | Firmware: Firmware Modification |
[T0882] Theft of Operational Information
Current version: 1.0
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-09 18:38:51.471000+00:00 |
| kill_chain_phases[0]['phase_name'] | impact-ics | impact |
[T0863] User Execution
Current version: 1.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-09-27 16:03:41.333000+00:00 | 2023-03-09 18:38:51.471000+00:00 |
| kill_chain_phases[0]['phase_name'] | execution-ics | execution |
| x_mitre_data_sources[0] | Network Traffic: Network Traffic Content | Application Log: Application Log Content |
| x_mitre_data_sources[1] | Command: Command Execution | File: File Access |
| x_mitre_data_sources[2] | Application Log: Application Log Content | Process: Process Creation |
| x_mitre_data_sources[4] | Process: Process Creation | Command: Command Execution |
| x_mitre_data_sources[5] | File: File Access | Network Traffic: Network Traffic Content |
[T0859] Valid Accounts
Current version: 1.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-09-27 16:35:12.478000+00:00 | 2023-03-09 18:38:51.471000+00:00 |
| kill_chain_phases[0]['phase_name'] | persistence-ics | persistence |
| kill_chain_phases[1]['phase_name'] | lateral-movement-ics | lateral-movement |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | | Logon Session: Logon Session Metadata |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| x_mitre_data_sources | Logon Session: Logon Session Metadata | |
[T0887] Wireless Sniffing
Current version: 1.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-09-27 17:37:02.773000+00:00 | 2023-03-09 18:38:51.471000+00:00 |
| kill_chain_phases[0]['phase_name'] | discovery-ics | discovery |
| kill_chain_phases[1]['phase_name'] | collection-ics | collection |
Software
enterprise-attack
New Software
[S1053] AvosLocker
Current version: 1.0
Description: [AvosLocker](https://attack.mitre.org/software/S1053) is ransomware written in C++ that has been offered via the Ransomware-as-a-Service (RaaS) model. It was first observed in June 2021 and has been used against financial services, critical manufacturing, government facilities, and other critical infrastructure sectors in the United States. As of March 2022, [AvosLocker](https://attack.mitre.org/software/S1053) had also been used against organizations in Belgium, Canada, China, Germany, Saudi Arabia, Spain, Syria, Taiwan, Turkey, the United Arab Emirates, and the United Kingdom.(Citation: Malwarebytes AvosLocker Jul 2021)(Citation: Trend Micro AvosLocker Apr 2022)(Citation: Joint CSA AvosLocker Mar 2022)
[S1070] Black Basta
Current version: 1.0
Description: [Black Basta](https://attack.mitre.org/software/S1070) is ransomware written in C++ that has been offered within the ransomware-as-a-service (RaaS) model since at least April 2022; there are variants that target Windows and VMWare ESXi servers. [Black Basta](https://attack.mitre.org/software/S1070) operations have included the double extortion technique where in addition to demanding ransom for decrypting the files of targeted organizations the cyber actors also threaten to post sensitive information to a leak site if the ransom is not paid. [Black Basta](https://attack.mitre.org/software/S1070) affiliates have targeted multiple high-value organizations, with the largest number of victims based in the U.S. Based on similarities in TTPs, leak sites, payment sites, and negotiation tactics, security researchers assess the [Black Basta](https://attack.mitre.org/software/S1070) RaaS operators could include current or former members of the [Conti](https://attack.mitre.org/software/S0575) group.(Citation: Palo Alto Networks Black Basta August 2022)(Citation: Deep Instinct Black Basta August 2022)(Citation: Minerva Labs Black Basta May 2022)(Citation: Avertium Black Basta June 2022)(Citation: NCC Group Black Basta June 2022)(Citation: Cyble Black Basta May 2022)
[S1068] BlackCat
Current version: 1.0
Description: [BlackCat](https://attack.mitre.org/software/S1068) is ransomware written in Rust that has been offered via the Ransomware-as-a-Service (RaaS) model. First observed November 2021, [BlackCat](https://attack.mitre.org/software/S1068) has been used to target multiple sectors and organizations in various countries and regions in Africa, the Americas, Asia, Australia, and Europe.(Citation: Microsoft BlackCat Jun 2022)(Citation: Sophos BlackCat Jul 2022)(Citation: ACSC BlackCat Apr 2022)
[S1063] Brute Ratel C4
Current version: 1.0
Description: [Brute Ratel C4](https://attack.mitre.org/software/S1063) is a commercial red-teaming and adversarial attack simulation tool that first appeared in December 2020. [Brute Ratel C4](https://attack.mitre.org/software/S1063) was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities, and deploys agents called badgers to enable arbitrary command execution for lateral movement, privilege escalation, and persistence. In September 2022, a cracked version of [Brute Ratel C4](https://attack.mitre.org/software/S1063) was leaked in the cybercriminal underground, leading to its use by threat actors.(Citation: Dark Vortex Brute Ratel C4)(Citation: Palo Alto Brute Ratel July 2022)(Citation: MDSec Brute Ratel August 2022)(Citation: SANS Brute Ratel October 2022)(Citation: Trend Micro Black Basta October 2022)
[S1052] DEADEYE
Current version: 1.0
Description: [DEADEYE](https://attack.mitre.org/software/S1052) is a malware launcher that has been used by [APT41](https://attack.mitre.org/groups/G0096) since at least May 2021. [DEADEYE](https://attack.mitre.org/software/S1052) has variants that can either embed a payload inside a compiled binary (DEADEYE.EMBED) or append it to the end of a file (DEADEYE.APPEND).(Citation: Mandiant APT41)
[S1066] DarkTortilla
Current version: 1.0
Description: [DarkTortilla](https://attack.mitre.org/software/S1066) is a highly configurable .NET-based crypter that has been possibly active since at least August 2015. [DarkTortilla](https://attack.mitre.org/software/S1066) has been used to deliver popular information stealers, RATs, and payloads such as [Agent Tesla](https://attack.mitre.org/software/S0331), AsyncRat, [NanoCore](https://attack.mitre.org/software/S0336), RedLine, [Cobalt Strike](https://attack.mitre.org/software/S0154), and Metasploit.(Citation: Secureworks DarkTortilla Aug 2022)
[S1072] Industroyer2
Current version: 1.0
Description: [Industroyer2](https://attack.mitre.org/software/S1072) is a compiled and static piece of malware that has the ability to communicate over the IEC-104 protocol. It is similar to the IEC-104 module found in [Industroyer](https://attack.mitre.org/software/S0604). Security researchers assess that [Industroyer2](https://attack.mitre.org/software/S1072) was designed to cause impact to high-voltage electrical substations. The initial [Industroyer2](https://attack.mitre.org/software/S1072) sample was compiled on 03/23/2022 and scheduled to execute on 04/08/2022, however it was discovered before deploying, resulting in no impact.(Citation: Industroyer2 Blackhat ESET)
[S1051] KEYPLUG
Current version: 1.0
Description: [KEYPLUG](https://attack.mitre.org/software/S1051) is a modular backdoor written in C++, with Windows and Linux variants, that has been used by [APT41](https://attack.mitre.org/groups/G0096) since at least June 2021.(Citation: Mandiant APT41)
[S1060] Mafalda
Current version: 1.0
Description: [Mafalda](https://attack.mitre.org/software/S1060) is a flexible interactive implant that has been used by [Metador](https://attack.mitre.org/groups/G1013). Security researchers assess the [Mafalda](https://attack.mitre.org/software/S1060) name may be inspired by an Argentinian cartoon character that has been popular as a means of political commentary since the 1960s. (Citation: SentinelLabs Metador Sept 2022)
[S1058] Prestige
Current version: 1.0
Description: [Prestige](https://attack.mitre.org/software/S1058) ransomware has been used by [Sandworm Team](https://attack.mitre.org/groups/G0034) since at least March 2022, including against transportation and related logistics industries in Ukraine and Poland in October 2022.(Citation: Microsoft Prestige ransomware October 2022)
[S1073] Royal
Current version: 1.0
Description: [Royal](https://attack.mitre.org/software/S1073) is ransomware that first appeared in early 2022; a version that also targets ESXi servers was later observed in February 2023. [Royal](https://attack.mitre.org/software/S1073) employs partial encryption and multiple threads to evade detection and speed encryption. [Royal](https://attack.mitre.org/software/S1073) has been used in attacks against multiple industries worldwide--including critical infrastructure. Security researchers have identified similarities in the encryption routines and TTPs used in [Royal](https://attack.mitre.org/software/S1073) and [Conti](https://attack.mitre.org/software/S0575) attacks and noted a possible connection between their operators.(Citation: Microsoft Royal ransomware November 2022)(Citation: Cybereason Royal December 2022)(Citation: Kroll Royal Deep Dive February 2023)(Citation: Trend Micro Royal Linux ESXi February 2023)(Citation: CISA Royal AA23-061A March 2023)
[S1071] Rubeus
Current version: 1.0
Description: [Rubeus](https://attack.mitre.org/software/S1071) is a C# toolset designed for raw Kerberos interaction that has been used since at least 2020, including in ransomware operations.(Citation: GitHub Rubeus March 2023)(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: DFIR Ryuk's Return October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)
[S1064] SVCReady
Current version: 1.0
Description: [SVCReady](https://attack.mitre.org/software/S1064) is a loader that has been used since at least April 2022 in malicious spam campaigns. Security researchers have noted overlaps between [TA551](https://attack.mitre.org/groups/G0127) activity and [SVCReady](https://attack.mitre.org/software/S1064) distribution, including similarities in file names, lure images, and identical grammatical errors.(Citation: HP SVCReady Jun 2022)
[S1065] Woody RAT
Current version: 1.0
Description: [Woody RAT](https://attack.mitre.org/software/S1065) is a remote access trojan (RAT) that has been used since at least August 2021 against Russian organizations.(Citation: MalwareBytes WoodyRAT Aug 2022)
[S1059] metaMain
Current version: 1.0
Description: [metaMain](https://attack.mitre.org/software/S1059) is a backdoor used by [Metador](https://attack.mitre.org/groups/G1013) to maintain long-term access to compromised machines; it has also been used to decrypt [Mafalda](https://attack.mitre.org/software/S1060) into memory.(Citation: SentinelLabs Metador Sept 2022)(Citation: SentinelLabs Metador Technical Appendix Sept 2022)
Minor Version Changes
[S0677] AADInternals
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-08-03 15:01:46.965000+00:00 | 2023-04-15 00:59:18.335000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.1 | 1.2 |
[S0552] AdFind
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-09-29 20:40:24.739000+00:00 | 2023-03-02 20:44:17.690000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.1 | 1.2 |
[S0373] Astaroth
Current version: 2.1
Version changed from: 2.0 → 2.1
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2020-12-08 21:14:48.861000+00:00 | 2023-03-21 21:20:23.717000+00:00 |
| external_references[2]['source_name'] | Cybereason Astaroth Feb 2019 | Cofense Astaroth Sept 2018 |
| external_references[2]['description'] | Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019. | Doaty, J., Garrett, P.. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved April 17, 2019. |
| external_references[2]['url'] | https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research | https://cofense.com/seeing-resurgence-demonic-astaroth-wmic-trojan/ |
| external_references[3]['source_name'] | Cofense Astaroth Sept 2018 | Securelist Brazilian Banking Malware July 2020 |
| external_references[3]['description'] | Doaty, J., Garrett, P.. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved April 17, 2019. | GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020. |
| external_references[3]['url'] | https://cofense.com/seeing-resurgence-demonic-astaroth-wmic-trojan/ | https://securelist.com/the-tetrade-brazilian-banking-malware/97779/ |
| external_references[4]['source_name'] | Securelist Brazilian Banking Malware July 2020 | Cybereason Astaroth Feb 2019 |
| external_references[4]['description'] | GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020. | Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019. |
| external_references[4]['url'] | https://securelist.com/the-tetrade-brazilian-banking-malware/97779/ | https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 2.0 | 2.1 |
[S0475] BackConfig
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2020-06-29 15:59:07.478000+00:00 | 2023-03-22 00:10:02.140000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[S0521] BloodHound
Current version: 1.4
Version changed from: 1.3 → 1.4
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-09-27 18:19:01.118000+00:00 | 2023-02-16 18:51:10.090000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.3 | 1.4 |
[S0462] CARROTBAT
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2020-06-15 15:13:27.660000+00:00 | 2023-03-22 03:24:06.264000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[S0023] CHOPSTICK
Current version: 2.3
Version changed from: 2.2 → 2.3
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-14 17:21:52.879000+00:00 | 2023-03-26 17:51:20.403000+00:00 |
| external_references[9]['url'] | https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf | https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 2.2 | 2.3 |
[S0631] Chaes
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-10-12 21:51:39.986000+00:00 | 2023-03-24 21:17:54.342000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[S0020] China Chopper
Current version: 2.4
Version changed from: 2.3 → 2.4
|
|
|---|
| t | [China Chopper](https://attack.mitre.org/software/S0020) is | t | [China Chopper](https://attack.mitre.org/software/S0020) is |
| a [Web Shell](https://attack.mitre.org/techniques/T1505/003) | | a [Web Shell](https://attack.mitre.org/techniques/T1505/003) |
| hosted on Web servers to provide access back into an enterp | | hosted on Web servers to provide access back into an enterp |
| rise network that does not rely on an infected system callin | | rise network that does not rely on an infected system callin |
| g back to a remote command and control server. (Citation: Le | | g back to a remote command and control server.(Citation: Lee |
| e 2013) It has been used by several threat groups. (Citation | | 2013) It has been used by several threat groups.(Citation: |
| : Dell TG-3390) (Citation: FireEye Periscope March 2018)(Cit | | Dell TG-3390)(Citation: FireEye Periscope March 2018)(Citati |
| ation: CISA AA21-200A APT40 July 2021) | | on: CISA AA21-200A APT40 July 2021)(Citation: Rapid7 HAFNIUM |
| | | Mar 2021) |
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-15 15:15:51.199000+00:00 | 2023-04-10 21:53:43.748000+00:00 |
| description | [China Chopper](https://attack.mitre.org/software/S0020) is a [Web Shell](https://attack.mitre.org/techniques/T1505/003) hosted on Web servers to provide access back into an enterprise network that does not rely on an infected system calling back to a remote command and control server. (Citation: Lee 2013) It has been used by several threat groups. (Citation: Dell TG-3390) (Citation: FireEye Periscope March 2018)(Citation: CISA AA21-200A APT40 July 2021) | [China Chopper](https://attack.mitre.org/software/S0020) is a [Web Shell](https://attack.mitre.org/techniques/T1505/003) hosted on Web servers to provide access back into an enterprise network that does not rely on an infected system calling back to a remote command and control server.(Citation: Lee 2013) It has been used by several threat groups.(Citation: Dell TG-3390)(Citation: FireEye Periscope March 2018)(Citation: CISA AA21-200A APT40 July 2021)(Citation: Rapid7 HAFNIUM Mar 2021) |
| external_references[4]['source_name'] | FireEye Periscope March 2018 | Rapid7 HAFNIUM Mar 2021 |
| external_references[4]['description'] | FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018. | Eoin Miller. (2021, March 23). Defending Against the Zero Day: Analyzing Attacker Behavior Post-Exploitation of Microsoft Exchange. Retrieved October 27, 2022. |
| external_references[4]['url'] | https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html | https://www.rapid7.com/blog/post/2021/03/23/defending-against-the-zero-day-analyzing-attacker-behavior-post-exploitation-of-microsoft-exchange/ |
| external_references[5]['source_name'] | Lee 2013 | FireEye Periscope March 2018 |
| external_references[5]['description'] | Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015. | FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018. |
| external_references[5]['url'] | https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html | https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 2.3 | 2.4 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| external_references | | {'source_name': 'Lee 2013', 'description': 'Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015.', 'url': 'https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html'} |
[S0154] Cobalt Strike
Current version: 1.10
Version changed from: 1.9 → 1.10
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-12 23:24:12.980000+00:00 | 2023-03-07 13:05:11.028000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.9 | 1.10 |
[S0126] ComRAT
Current version: 1.4
Version changed from: 1.3 → 1.4
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-18 21:58:12.936000+00:00 | 2023-03-22 03:30:00.985000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.3 | 1.4 |
[S0492] CookieMiner
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2020-10-22 01:50:12.660000+00:00 | 2023-03-22 03:33:29.192000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[S0694] DRATzarus
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-12 20:41:58.960000+00:00 | 2023-03-17 13:52:45.671000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[S0673] DarkWatchman
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-18 23:16:37.724000+00:00 | 2023-03-22 03:34:53.944000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[S0354] Denis
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2020-06-30 15:06:42.569000+00:00 | 2023-03-22 03:36:59.569000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.1 | 1.2 |
[S0367] Emotet
Current version: 1.4
Version changed from: 1.3 → 1.4
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2020-11-24 20:15:54.954000+00:00 | 2023-01-17 22:19:58.856000+00:00 |
| external_references[3]['source_name'] | Trend Micro Banking Malware Jan 2019 | Talos Emotet Jan 2019 |
| external_references[3]['description'] | Salvio, J.. (2014, June 27). New Banking Malware Uses Network Sniffing for Data Theft. Retrieved March 25, 2019. | Brumaghin, E.. (2019, January 15). Emotet re-emerges after the holidays. Retrieved March 25, 2019. |
| external_references[3]['url'] | https://blog.trendmicro.com/trendlabs-security-intelligence/new-banking-malware-uses-network-sniffing-for-data-theft/ | https://blog.talosintelligence.com/2019/01/return-of-emotet.html |
| external_references[4]['source_name'] | Kaspersky Emotet Jan 2019 | CIS Emotet Apr 2017 |
| external_references[4]['description'] | Shulmin, A. . (2015, April 9). The Banking Trojan Emotet: Detailed Analysis. Retrieved March 25, 2019. | CIS. (2017, April 28). Emotet Changes TTPs and Arrives in United States. Retrieved January 17, 2019. |
| external_references[4]['url'] | https://securelist.com/the-banking-trojan-emotet-detailed-analysis/69560/ | https://www.cisecurity.org/blog/emotet-changes-ttp-and-arrives-in-united-states/ |
| external_references[5]['source_name'] | CIS Emotet Apr 2017 | CIS Emotet Dec 2018 |
| external_references[5]['description'] | CIS. (2017, April 28). Emotet Changes TTPs and Arrives in United States. Retrieved January 17, 2019. | CIS. (2018, December 12). MS-ISAC Security Primer- Emotet. Retrieved March 25, 2019. |
| external_references[5]['url'] | https://www.cisecurity.org/blog/emotet-changes-ttp-and-arrives-in-united-states/ | https://www.cisecurity.org/white-papers/ms-isac-security-primer-emotet/ |
| external_references[6]['source_name'] | Malwarebytes Emotet Dec 2017 | Red Canary Emotet Feb 2019 |
| external_references[6]['description'] | Smith, A.. (2017, December 22). Protect your network from Emotet Trojan with Malwarebytes Endpoint Security. Retrieved January 17, 2019. | Donohue, B.. (2019, February 13). https://redcanary.com/blog/stopping-emotet-before-it-moves-laterally/. Retrieved March 25, 2019. |
| external_references[6]['url'] | https://support.malwarebytes.com/docs/DOC-2295 | https://redcanary.com/blog/stopping-emotet-before-it-moves-laterally/ |
| external_references[7]['source_name'] | Symantec Emotet Jul 2018 | ESET Emotet Nov 2018 |
| external_references[7]['description'] | Symantec. (2018, July 18). The Evolution of Emotet: From Banking Trojan to Threat Distributor. Retrieved March 25, 2019. | ESET . (2018, November 9). Emotet launches major new spam campaign. Retrieved March 25, 2019. |
| external_references[7]['url'] | https://www.symantec.com/blogs/threat-intelligence/evolution-emotet-trojan-distributor | https://www.welivesecurity.com/2018/11/09/emotet-launches-major-new-spam-campaign/ |
| external_references[8]['source_name'] | US-CERT Emotet Jul 2018 | Secureworks Emotet Nov 2018 |
| external_references[8]['description'] | US-CERT. (2018, July 20). Alert (TA18-201A) Emotet Malware. Retrieved March 25, 2019. | Mclellan, M.. (2018, November 19). Lazy Passwords Become Rocket Fuel for Emotet SMB Spreader. Retrieved March 25, 2019. |
| external_references[8]['url'] | https://www.us-cert.gov/ncas/alerts/TA18-201A | https://www.secureworks.com/blog/lazy-passwords-become-rocket-fuel-for-emotet-smb-spreader |
| external_references[9]['source_name'] | ESET Emotet Nov 2018 | Picus Emotet Dec 2018 |
| external_references[9]['description'] | ESET . (2018, November 9). Emotet launches major new spam campaign. Retrieved March 25, 2019. | Özarslan, S. (2018, December 21). The Christmas Card you never wanted - A new wave of Emotet is back to wreak havoc. Retrieved March 25, 2019. |
| external_references[9]['url'] | https://www.welivesecurity.com/2018/11/09/emotet-launches-major-new-spam-campaign/ | https://www.picussecurity.com/blog/the-christmas-card-you-never-wanted-a-new-wave-of-emotet-is-back-to-wreak-havoc.html |
| external_references[10]['source_name'] | Secureworks Emotet Nov 2018 | Trend Micro Banking Malware Jan 2019 |
| external_references[10]['description'] | Mclellan, M.. (2018, November 19). Lazy Passwords Become Rocket Fuel for Emotet SMB Spreader. Retrieved March 25, 2019. | Salvio, J.. (2014, June 27). New Banking Malware Uses Network Sniffing for Data Theft. Retrieved March 25, 2019. |
| external_references[10]['url'] | https://www.secureworks.com/blog/lazy-passwords-become-rocket-fuel-for-emotet-smb-spreader | https://blog.trendmicro.com/trendlabs-security-intelligence/new-banking-malware-uses-network-sniffing-for-data-theft/ |
| external_references[11]['source_name'] | Talos Emotet Jan 2019 | Kaspersky Emotet Jan 2019 |
| external_references[11]['description'] | Brumaghin, E.. (2019, January 15). Emotet re-emerges after the holidays. Retrieved March 25, 2019. | Shulmin, A. . (2015, April 9). The Banking Trojan Emotet: Detailed Analysis. Retrieved March 25, 2019. |
| external_references[11]['url'] | https://blog.talosintelligence.com/2019/01/return-of-emotet.html | https://securelist.com/the-banking-trojan-emotet-detailed-analysis/69560/ |
| external_references[12]['source_name'] | Trend Micro Emotet Jan 2019 | Malwarebytes Emotet Dec 2017 |
| external_references[12]['description'] | Trend Micro. (2019, January 16). Exploring Emotet's Activities . Retrieved March 25, 2019. | Smith, A.. (2017, December 22). Protect your network from Emotet Trojan with Malwarebytes Endpoint Security. Retrieved January 17, 2019. |
| external_references[12]['url'] | https://documents.trendmicro.com/assets/white_papers/ExploringEmotetsActivities_Final.pdf | https://support.malwarebytes.com/docs/DOC-2295 |
| external_references[13]['source_name'] | CIS Emotet Dec 2018 | Symantec Emotet Jul 2018 |
| external_references[13]['description'] | CIS. (2018, December 12). MS-ISAC Security Primer- Emotet. Retrieved March 25, 2019. | Symantec. (2018, July 18). The Evolution of Emotet: From Banking Trojan to Threat Distributor. Retrieved March 25, 2019. |
| external_references[13]['url'] | https://www.cisecurity.org/white-papers/ms-isac-security-primer-emotet/ | https://www.symantec.com/blogs/threat-intelligence/evolution-emotet-trojan-distributor |
| external_references[14]['source_name'] | Picus Emotet Dec 2018 | Trend Micro Emotet Jan 2019 |
| external_references[14]['description'] | Özarslan, S. (2018, December 21). The Christmas Card you never wanted - A new wave of Emotet is back to wreak havoc. Retrieved March 25, 2019. | Trend Micro. (2019, January 16). Exploring Emotet's Activities . Retrieved March 25, 2019. |
| external_references[14]['url'] | https://www.picussecurity.com/blog/the-christmas-card-you-never-wanted-a-new-wave-of-emotet-is-back-to-wreak-havoc.html | https://documents.trendmicro.com/assets/white_papers/ExploringEmotetsActivities_Final.pdf |
| external_references[15]['source_name'] | Red Canary Emotet Feb 2019 | US-CERT Emotet Jul 2018 |
| external_references[15]['description'] | Donohue, B.. (2019, February 13). https://redcanary.com/blog/stopping-emotet-before-it-moves-laterally/. Retrieved March 25, 2019. | US-CERT. (2018, July 20). Alert (TA18-201A) Emotet Malware. Retrieved March 25, 2019. |
| external_references[15]['url'] | https://redcanary.com/blog/stopping-emotet-before-it-moves-laterally/ | https://www.us-cert.gov/ncas/alerts/TA18-201A |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.3 | 1.4 |
[S0363] Empire
Current version: 1.6
Version changed from: 1.5 → 1.6
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-06-03 17:55:43.889000+00:00 | 2023-03-22 03:43:09.336000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.5 | 1.6 |
[S0343] Exaramel for Windows
Current version: 2.2
Version changed from: 2.1 → 2.2
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2020-06-17 23:21:44.445000+00:00 | 2023-03-26 18:59:38.457000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 2.1 | 2.2 |
[S0277] FruitFly
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2020-03-30 16:42:09.499000+00:00 | 2023-03-22 03:55:46.184000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.1 | 1.2 |
[S0666] Gelsemium
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-05-06 19:37:01.617000+00:00 | 2023-03-26 19:02:24.792000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[S0597] GoldFinder
Current version: 1.1
Version changed from: 1.0 → 1.1
|
|
|---|
| t | [GoldFinder](https://attack.mitre.org/software/S0597) is a c | t | [GoldFinder](https://attack.mitre.org/software/S0597) is a c |
| ustom HTTP tracer tool written in Go that logs the route a p | | ustom HTTP tracer tool written in Go that logs the route a p |
| acket takes between a compromised network and a C2 server. I | | acket takes between a compromised network and a C2 server. I |
| t can be used to inform threat actors of potential points o | | t can be used to inform threat actors of potential points o |
| f discovery or logging of their actions, including C2 relate | | f discovery or logging of their actions, including C2 relate |
| d to other malware. [GoldFinder](https://attack.mitre.org/so | | d to other malware. [GoldFinder](https://attack.mitre.org/so |
| ftware/S0597) was discovered in early 2021 during an investi | | ftware/S0597) was discovered in early 2021 during an investi |
| gation into the SolarWinds cyber intrusion by [APT29](https: | | gation into the [SolarWinds Compromise](https://attack.mitre |
| //attack.mitre.org/groups/G0016).(Citation: MSTIC NOBELIUM M | | .org/campaigns/C0024) by [APT29](https://attack.mitre.org/gr |
| ar 2021) | | oups/G0016).(Citation: MSTIC NOBELIUM Mar 2021) |
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-04-24 22:32:23.654000+00:00 | 2023-03-27 19:50:35.143000+00:00 |
| description | [GoldFinder](https://attack.mitre.org/software/S0597) is a custom HTTP tracer tool written in Go that logs the route a packet takes between a compromised network and a C2 server. It can be used to inform threat actors of potential points of discovery or logging of their actions, including C2 related to other malware. [GoldFinder](https://attack.mitre.org/software/S0597) was discovered in early 2021 during an investigation into the SolarWinds cyber intrusion by [APT29](https://attack.mitre.org/groups/G0016).(Citation: MSTIC NOBELIUM Mar 2021) | [GoldFinder](https://attack.mitre.org/software/S0597) is a custom HTTP tracer tool written in Go that logs the route a packet takes between a compromised network and a C2 server. It can be used to inform threat actors of potential points of discovery or logging of their actions, including C2 related to other malware. [GoldFinder](https://attack.mitre.org/software/S0597) was discovered in early 2021 during an investigation into the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024) by [APT29](https://attack.mitre.org/groups/G0016).(Citation: MSTIC NOBELIUM Mar 2021) |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[S0588] GoldMax
Current version: 2.1
Version changed from: 2.0 → 2.1
|
|
|---|
| t | [GoldMax](https://attack.mitre.org/software/S0588) is a seco | t | [GoldMax](https://attack.mitre.org/software/S0588) is a seco |
| nd-stage C2 backdoor written in Go with Windows and Linux va | | nd-stage C2 backdoor written in Go with Windows and Linux va |
| riants that are nearly identical in functionality. [GoldMax] | | riants that are nearly identical in functionality. [GoldMax] |
| (https://attack.mitre.org/software/S0588) was discovered in | | (https://attack.mitre.org/software/S0588) was discovered in |
| early 2021 during the investigation into the SolarWinds intr | | early 2021 during the investigation into the [SolarWinds Com |
| usion, and has likely been used by [APT29](https://attack.mi | | promise](https://attack.mitre.org/campaigns/C0024), and has |
| tre.org/groups/G0016) since at least mid-2019. [GoldMax](htt | | likely been used by [APT29](https://attack.mitre.org/groups/ |
| ps://attack.mitre.org/software/S0588) uses multiple defense | | G0016) since at least mid-2019. [GoldMax](https://attack.mit |
| evasion techniques, including avoiding virtualization execut | | re.org/software/S0588) uses multiple defense evasion techniq |
| ion and masking malicious traffic.(Citation: MSTIC NOBELIUM | | ues, including avoiding virtualization execution and masking |
| Mar 2021)(Citation: FireEye SUNSHUTTLE Mar 2021)(Citation: C | | malicious traffic.(Citation: MSTIC NOBELIUM Mar 2021)(Citat |
| rowdStrike StellarParticle January 2022) | | ion: FireEye SUNSHUTTLE Mar 2021)(Citation: CrowdStrike Stel |
| | | larParticle January 2022) |
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-15 22:23:36.883000+00:00 | 2023-03-27 19:46:46.532000+00:00 |
| description | [GoldMax](https://attack.mitre.org/software/S0588) is a second-stage C2 backdoor written in Go with Windows and Linux variants that are nearly identical in functionality. [GoldMax](https://attack.mitre.org/software/S0588) was discovered in early 2021 during the investigation into the SolarWinds intrusion, and has likely been used by [APT29](https://attack.mitre.org/groups/G0016) since at least mid-2019. [GoldMax](https://attack.mitre.org/software/S0588) uses multiple defense evasion techniques, including avoiding virtualization execution and masking malicious traffic.(Citation: MSTIC NOBELIUM Mar 2021)(Citation: FireEye SUNSHUTTLE Mar 2021)(Citation: CrowdStrike StellarParticle January 2022) | [GoldMax](https://attack.mitre.org/software/S0588) is a second-stage C2 backdoor written in Go with Windows and Linux variants that are nearly identical in functionality. [GoldMax](https://attack.mitre.org/software/S0588) was discovered in early 2021 during the investigation into the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), and has likely been used by [APT29](https://attack.mitre.org/groups/G0016) since at least mid-2019. [GoldMax](https://attack.mitre.org/software/S0588) uses multiple defense evasion techniques, including avoiding virtualization execution and masking malicious traffic.(Citation: MSTIC NOBELIUM Mar 2021)(Citation: FireEye SUNSHUTTLE Mar 2021)(Citation: CrowdStrike StellarParticle January 2022) |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 2.0 | 2.1 |
[S0531] Grandoreiro
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-19 22:11:10.040000+00:00 | 2023-03-26 19:05:29.235000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[S0376] HOPLIGHT
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2020-03-30 19:47:21.986000+00:00 | 2023-03-28 20:24:33.471000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.1 | 1.2 |
[S1022] IceApple
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-07-25 16:03:40.451000+00:00 | 2023-03-22 04:45:42.926000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[S0357] Impacket
Current version: 1.4
Version changed from: 1.3 → 1.4
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-09-27 18:20:48.473000+00:00 | 2023-01-23 20:52:37.112000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.3 | 1.4 |
[S0669] KOCTOPUS
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-07-29 19:46:14.547000+00:00 | 2023-03-22 04:47:58.740000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.1 | 1.2 |
[S0349] LaZagne
Current version: 1.4
Version changed from: 1.3 → 1.4
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-10-15 16:56:52.156000+00:00 | 2023-03-02 20:48:02.590000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.3 | 1.4 |
[S0451] LoudMiner
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-10-12 16:31:13.272000+00:00 | 2023-03-22 04:51:42.922000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.2 | 1.3 |
[S0409] Machete
Current version: 2.1
Version changed from: 2.0 → 2.1
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-04-12 03:16:03.258000+00:00 | 2023-03-22 04:52:58.843000+00:00 |
| external_references[1]['source_name'] | Machete | Pyark |
| external_references[1]['description'] | (Citation: Securelist Machete Aug 2014) | (Citation: 360 Machete Sep 2020) |
| external_references[2]['source_name'] | Pyark | Machete |
| external_references[2]['description'] | (Citation: 360 Machete Sep 2020) | (Citation: Securelist Machete Aug 2014) |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 2.0 | 2.1 |
[S0002] Mimikatz
Current version: 1.7
Version changed from: 1.6 → 1.7
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-08-03 15:07:11.534000+00:00 | 2023-03-07 13:04:10.731000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.6 | 1.7 |
[S0256] Mosquito
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2020-03-30 17:06:45.586000+00:00 | 2023-03-26 19:19:33.603000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.1 | 1.2 |
[S0198] NETWIRE
Current version: 1.5
Version changed from: 1.4 → 1.5
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-10-12 11:21:09.567000+00:00 | 2023-03-26 19:24:00.073000+00:00 |
| external_references[2]['source_name'] | FireEye APT33 Sept 2017 | FireEye APT33 Webinar Sept 2017 |
| external_references[2]['description'] | O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018. | Davis, S. and Carr, N. (2017, September 21). APT33: New Insights into Iranian Cyber Espionage Group. Retrieved February 15, 2018. |
| external_references[2]['url'] | https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html | https://www.brighttalk.com/webcast/10703/275683 |
| external_references[4]['source_name'] | FireEye APT33 Webinar Sept 2017 | FireEye APT33 Sept 2017 |
| external_references[4]['description'] | Davis, S. and Carr, N. (2017, September 21). APT33: New Insights into Iranian Cyber Espionage Group. Retrieved February 15, 2018. | O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018. |
| external_references[4]['url'] | https://www.brighttalk.com/webcast/10703/275683 | https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.4 | 1.5 |
[S0039] Net
Current version: 2.4
Version changed from: 2.3 → 2.4
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-10-15 20:33:54.392000+00:00 | 2023-03-03 16:49:41.059000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 2.3 | 2.4 |
[S0457] Netwalker
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2020-06-16 16:14:19.924000+00:00 | 2023-03-22 05:03:29.436000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[S0223] POWERSTATS
Current version: 2.3
Version changed from: 2.2 → 2.3
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-12 19:06:51.405000+00:00 | 2023-03-22 05:13:46.664000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 2.2 | 2.3 |
[S0517] Pillowmint
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-07-29 19:50:27.063000+00:00 | 2023-03-26 19:34:38.763000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.1 | 1.2 |
[S0097] Ping
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-13 18:56:52.195000+00:00 | 2023-01-04 21:59:04.229000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.2 | 1.3 |
[S0501] PipeMon
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2020-10-16 21:01:16.880000+00:00 | 2023-03-26 19:38:46.705000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[S0013] PlugX
Current version: 3.1
Version changed from: 3.0 → 3.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-15 16:30:28.192000+00:00 | 2023-04-10 17:14:55.086000+00:00 |
| external_references[11]['url'] | http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf | https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 3.0 | 3.1 |
[S0428] PoetRAT
Current version: 2.2
Version changed from: 2.1 → 2.2
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-19 01:41:29.396000+00:00 | 2023-03-22 05:09:38.370000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 2.1 | 2.2 |
[S0518] PolyglotDuke
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2020-10-09 16:07:59.493000+00:00 | 2023-03-26 19:42:34.359000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[S1012] PowerLess
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_aliases | | ['PowerLess'] |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-06-02 19:48:39.830000+00:00 | 2023-03-28 17:21:55.473000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[S0685] PowerPunch
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-15 12:11:41.617000+00:00 | 2023-03-22 05:12:04.169000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[S0194] PowerSploit
Current version: 1.6
Version changed from: 1.5 → 1.6
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-09-27 18:18:15.392000+00:00 | 2023-03-22 05:12:48.213000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.5 | 1.6 |
[S0029] PsExec
Current version: 1.4
Version changed from: 1.3 → 1.4
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-11-01 18:29:13.666000+00:00 | 2023-03-02 20:43:41.287000+00:00 |
| x_mitre_attack_spec_version | 3.0.0 | 3.1.0 |
| x_mitre_version | 1.3 | 1.4 |
[S0269] QUADAGENT
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2020-03-28 21:38:43.793000+00:00 | 2023-03-22 05:20:12.492000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.1 | 1.2 |
[S0650] QakBot
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-10-15 21:47:13.084000+00:00 | 2023-04-14 14:37:59.896000+00:00 |
| external_references[1]['source_name'] | Pinkslipbot | QuackBot |
| external_references[1]['description'] | (Citation: Kaspersky QakBot September 2021)(Citation: ATT QakBot April 2021) | (Citation: Kaspersky QakBot September 2021) |
| external_references[2]['source_name'] | QuackBot | Pinkslipbot |
| external_references[2]['description'] | (Citation: Kaspersky QakBot September 2021) | (Citation: Kaspersky QakBot September 2021)(Citation: ATT QakBot April 2021) |
| external_references[4]['source_name'] | Trend Micro Qakbot December 2020 | Kaspersky QakBot September 2021 |
| external_references[4]['description'] | Trend Micro. (2020, December 17). QAKBOT: A decade-old malware still with new tricks. Retrieved September 27, 2021. | Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021. |
| external_references[4]['url'] | https://success.trendmicro.com/solution/000283381 | https://securelist.com/qakbot-technical-analysis/103931/ |
| external_references[5]['source_name'] | Red Canary Qbot | ATT QakBot April 2021 |
| external_references[5]['description'] | Rainey, K. (n.d.). Qbot. Retrieved September 27, 2021. | Morrow, D. (2021, April 15). The rise of QakBot. Retrieved September 27, 2021. |
| external_references[5]['url'] | https://redcanary.com/threat-detection-report/threats/qbot/ | https://cybersecurity.att.com/blogs/labs-research/the-rise-of-qakbot |
| external_references[6]['source_name'] | Kaspersky QakBot September 2021 | Red Canary Qbot |
| external_references[6]['description'] | Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021. | Rainey, K. (n.d.). Qbot. Retrieved September 27, 2021. |
| external_references[6]['url'] | https://securelist.com/qakbot-technical-analysis/103931/ | https://redcanary.com/threat-detection-report/threats/qbot/ |
| external_references[7]['source_name'] | ATT QakBot April 2021 | Trend Micro Qakbot December 2020 |
| external_references[7]['description'] | Morrow, D. (2021, April 15). The rise of QakBot. Retrieved September 27, 2021. | Trend Micro. (2020, December 17). QAKBOT: A decade-old malware still with new tricks. Retrieved September 27, 2021. |
| external_references[7]['url'] | https://cybersecurity.att.com/blogs/labs-research/the-rise-of-qakbot | https://success.trendmicro.com/solution/000283381 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_contributors | | Inna Danilevich, U.S Bank |
[S0662] RCSession
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-15 14:57:26.308000+00:00 | 2023-03-26 19:54:58.293000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[S0496] REvil
Current version: 2.1
Version changed from: 2.0 → 2.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-05-24 21:09:01.019000+00:00 | 2023-03-26 20:06:33.317000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 2.0 | 2.1 |
[S0565] Raindrop
Current version: 1.2
Version changed from: 1.1 → 1.2
|
|
|---|
| t | [Raindrop](https://attack.mitre.org/software/S0565) is a loa | t | [Raindrop](https://attack.mitre.org/software/S0565) is a loa |
| der used by [APT29](https://attack.mitre.org/groups/G0016) t | | der used by [APT29](https://attack.mitre.org/groups/G0016) t |
| hat was discovered on some victim machines during investigat | | hat was discovered on some victim machines during investigat |
| ions related to the 2020 SolarWinds cyber intrusion. It was | | ions related to the [SolarWinds Compromise](https://attack.m |
| discovered in January 2021 and was likely used since at leas | | itre.org/campaigns/C0024). It was discovered in January 2021 |
| t May 2020.(Citation: Symantec RAINDROP January 2021)(Citati | | and was likely used since at least May 2020.(Citation: Syma |
| on: Microsoft Deep Dive Solorigate January 2021) | | ntec RAINDROP January 2021)(Citation: Microsoft Deep Dive So |
| | | lorigate January 2021) |
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-04-26 12:16:26.590000+00:00 | 2023-03-27 19:53:24.461000+00:00 |
| description | [Raindrop](https://attack.mitre.org/software/S0565) is a loader used by [APT29](https://attack.mitre.org/groups/G0016) that was discovered on some victim machines during investigations related to the 2020 SolarWinds cyber intrusion. It was discovered in January 2021 and was likely used since at least May 2020.(Citation: Symantec RAINDROP January 2021)(Citation: Microsoft Deep Dive Solorigate January 2021) | [Raindrop](https://attack.mitre.org/software/S0565) is a loader used by [APT29](https://attack.mitre.org/groups/G0016) that was discovered on some victim machines during investigations related to the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024). It was discovered in January 2021 and was likely used since at least May 2020.(Citation: Symantec RAINDROP January 2021)(Citation: Microsoft Deep Dive Solorigate January 2021) |
| external_references[2]['source_name'] | Symantec RAINDROP January 2021 | Microsoft Deep Dive Solorigate January 2021 |
| external_references[2]['description'] | Symantec Threat Hunter Team. (2021, January 18). Raindrop: New Malware Discovered in SolarWinds Investigation. Retrieved January 19, 2021. | MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021. |
| external_references[2]['url'] | https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware | https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/ |
| external_references[3]['source_name'] | Microsoft Deep Dive Solorigate January 2021 | Symantec RAINDROP January 2021 |
| external_references[3]['description'] | MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021. | Symantec Threat Hunter Team. (2021, January 18). Raindrop: New Malware Discovered in SolarWinds Investigation. Retrieved January 19, 2021. |
| external_references[3]['url'] | https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/ | https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.1 | 1.2 |
[S0511] RegDuke
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2020-10-09 16:07:59.731000+00:00 | 2023-03-24 21:24:58.468000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[S0125] Remsec
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_deprecated | | False |
| external_references | | https://securelist.com/faq-the-projectsauron-apt/75533/ |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2020-03-28 21:41:25.889000+00:00 | 2023-03-28 20:28:28.088000+00:00 |
| external_references[1]['source_name'] | ProjectSauron | Kaspersky ProjectSauron Blog |
| external_references[1]['description'] | ProjectSauron is used to refer both to the threat group also known as G0041 as well as the malware platform also known as S0125. (Citation: Kaspersky ProjectSauron Blog) | Kaspersky Lab's Global Research & Analysis Team. (2016, August 8). ProjectSauron: top level cyber-espionage platform covertly extracts encrypted government comms. Retrieved August 17, 2016. |
| external_references[2]['source_name'] | Symantec Strider Blog | ProjectSauron |
| external_references[2]['description'] | Symantec Security Response. (2016, August 7). Strider: Cyberespionage group turns eye of Sauron on targets. Retrieved August 17, 2016. | ProjectSauron is used to refer both to the threat group also known as G0041 as well as the malware platform also known as S0125. (Citation: Kaspersky ProjectSauron Blog) |
| external_references[3]['source_name'] | Kaspersky ProjectSauron Blog | Symantec Strider Blog |
| external_references[3]['description'] | Kaspersky Lab's Global Research & Analysis Team. (2016, August 8). ProjectSauron: top level cyber-espionage platform covertly extracts encrypted government comms. Retrieved August 17, 2016. | Symantec Security Response. (2016, August 7). Strider: Cyberespionage group turns eye of Sauron on targets. Retrieved August 17, 2016. |
| external_references[3]['url'] | https://securelist.com/faq-the-projectsauron-apt/75533/ | http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.1 | 1.2 |
[S0174] Responder
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_aliases | | ['Responder'] |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-06 14:42:53.334000+00:00 | 2023-03-17 14:01:57.617000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.1 | 1.2 |
[S0270] RogueRobin
Current version: 2.2
Version changed from: 2.1 → 2.2
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2020-03-30 18:06:39.526000+00:00 | 2023-03-22 05:24:35.812000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 2.1 | 2.2 |
[S0085] S-Type
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-09-30 20:10:08.347000+00:00 | 2023-03-10 16:02:05.568000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.2 | 1.3 |
[S0450] SHARPSTATS
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2020-05-21 13:12:36.865000+00:00 | 2023-03-22 05:29:42.303000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[S0649] SMOKEDHAM
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-18 22:07:23.251000+00:00 | 2023-04-14 23:43:40.206000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.1 | 1.2 |
[S0390] SQLRat
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2020-03-30 18:12:51.198000+00:00 | 2023-03-22 05:36:07.371000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.1 | 1.2 |
[S0559] SUNBURST
Current version: 2.4
Version changed from: 2.3 → 2.4
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-07-29 19:52:40.476000+00:00 | 2023-03-27 20:01:39.552000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 2.3 | 2.4 |
[S0562] SUNSPOT
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-04-26 12:11:19.301000+00:00 | 2023-03-27 20:02:20.344000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.1 | 1.2 |
[S0382] ServHelper
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2020-05-29 19:31:03.708000+00:00 | 2023-04-14 23:44:24.382000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.1 | 1.2 |
[S0596] ShadowPad
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-17 19:31:36.083000+00:00 | 2023-03-26 20:09:03.093000+00:00 |
| external_references[2]['url'] | https://content.fireeye.com/apt-41/rpt-apt41 | https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.1 | 1.2 |
[S0589] Sibot
Current version: 1.1
Version changed from: 1.0 → 1.1
|
|
|---|
| t | [Sibot](https://attack.mitre.org/software/S0589) is dual-pur | t | [Sibot](https://attack.mitre.org/software/S0589) is dual-pur |
| pose malware written in VBScript designed to achieve persist | | pose malware written in VBScript designed to achieve persist |
| ence on a compromised system as well as download and execute | | ence on a compromised system as well as download and execute |
| additional payloads. Microsoft discovered three [Sibot](htt | | additional payloads. Microsoft discovered three [Sibot](htt |
| ps://attack.mitre.org/software/S0589) variants in early 2021 | | ps://attack.mitre.org/software/S0589) variants in early 2021 |
| during its investigation of [APT29](https://attack.mitre.or | | during its investigation of [APT29](https://attack.mitre.or |
| g/groups/G0016) and the SolarWinds cyber intrusion campaign. | | g/groups/G0016) and the [SolarWinds Compromise](https://atta |
| (Citation: MSTIC NOBELIUM Mar 2021) | | ck.mitre.org/campaigns/C0024).(Citation: MSTIC NOBELIUM Mar |
| | | 2021) |
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-18 23:33:55.403000+00:00 | 2023-03-27 19:54:34.154000+00:00 |
| description | [Sibot](https://attack.mitre.org/software/S0589) is dual-purpose malware written in VBScript designed to achieve persistence on a compromised system as well as download and execute additional payloads. Microsoft discovered three [Sibot](https://attack.mitre.org/software/S0589) variants in early 2021 during its investigation of [APT29](https://attack.mitre.org/groups/G0016) and the SolarWinds cyber intrusion campaign.(Citation: MSTIC NOBELIUM Mar 2021) | [Sibot](https://attack.mitre.org/software/S0589) is dual-purpose malware written in VBScript designed to achieve persistence on a compromised system as well as download and execute additional payloads. Microsoft discovered three [Sibot](https://attack.mitre.org/software/S0589) variants in early 2021 during its investigation of [APT29](https://attack.mitre.org/groups/G0016) and the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024).(Citation: MSTIC NOBELIUM Mar 2021) |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[S0633] Sliver
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-10-15 15:49:25.284000+00:00 | 2023-01-17 22:14:02.852000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[S0603] Stuxnet
Current version: 1.3
Version changed from: 1.2 → 1.3
|
|
|---|
| t | [Stuxnet](https://attack.mitre.org/software/S0603) was the f | t | [Stuxnet](https://attack.mitre.org/software/S0603) was the f |
| irst publicly reported piece of malware to specifically targ | | irst publicly reported piece of malware to specifically targ |
| et industrial control systems devices. [Stuxnet](https://att | | et industrial control systems devices. [Stuxnet](https://att |
| ack.mitre.org/software/S0603) is a large and complex piece o | | ack.mitre.org/software/S0603) is a large and complex piece o |
| f malware that utilized multiple different behaviors includi | | f malware that utilized multiple different behaviors includi |
| ng multiple zero-day vulnerabilities, a sophisticated Window | | ng multiple zero-day vulnerabilities, a sophisticated Window |
| s rootkit, and network infection routines.(Citation: Symante | | s rootkit, and network infection routines.(Citation: Nicolas |
| c W.32 Stuxnet Dossier)(Citation: CISA ICS Advisory ICSA-10- | | Falliere, Liam O Murchu, Eric Chien February 2011)(Citation |
| 272-01)(Citation: ESET Stuxnet Under the Microscope)(Citatio | | : CISA ICS Advisory ICSA-10-272-01)(Citation: ESET Stuxnet U |
| n: Langer Stuxnet) [Stuxnet](https://attack.mitre.org/softwa | | nder the Microscope)(Citation: Langer Stuxnet) [Stuxnet](htt |
| re/S0603) was discovered in 2010, with some components being | | ps://attack.mitre.org/software/S0603) was discovered in 2010 |
| used as early as November 2008.(Citation: Symantec W.32 Stu | | , with some components being used as early as November 2008. |
| xnet Dossier) | | (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien Febru |
| | | ary 2011) |
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-20 20:31:32.664000+00:00 | 2023-03-20 13:50:55.168000+00:00 |
| description | [Stuxnet](https://attack.mitre.org/software/S0603) was the first publicly reported piece of malware to specifically target industrial control systems devices. [Stuxnet](https://attack.mitre.org/software/S0603) is a large and complex piece of malware that utilized multiple different behaviors including multiple zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines.(Citation: Symantec W.32 Stuxnet Dossier)(Citation: CISA ICS Advisory ICSA-10-272-01)(Citation: ESET Stuxnet Under the Microscope)(Citation: Langer Stuxnet) [Stuxnet](https://attack.mitre.org/software/S0603) was discovered in 2010, with some components being used as early as November 2008.(Citation: Symantec W.32 Stuxnet Dossier) | [Stuxnet](https://attack.mitre.org/software/S0603) was the first publicly reported piece of malware to specifically target industrial control systems devices. [Stuxnet](https://attack.mitre.org/software/S0603) is a large and complex piece of malware that utilized multiple different behaviors including multiple zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)(Citation: CISA ICS Advisory ICSA-10-272-01)(Citation: ESET Stuxnet Under the Microscope)(Citation: Langer Stuxnet) [Stuxnet](https://attack.mitre.org/software/S0603) was discovered in 2010, with some components being used as early as November 2008.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) |
| external_references[1]['description'] | (Citation: Symantec W.32 Stuxnet Dossier) | (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) |
| external_references[4]['source_name'] | Symantec W.32 Stuxnet Dossier | Nicolas Falliere, Liam O Murchu, Eric Chien February 2011 |
| external_references[4]['description'] | Nicolas Falliere, Liam O. Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier. Retrieved December 7, 2020. | Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 |
| external_references[4]['url'] | https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf | https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf |
| external_references[5]['description'] | Ralph Langner. (2013, November). Ralph Langner. (2013, November). To Kill a Centrifuge: A Technical Analysis of What Stuxnet's Creators Tried to Achieve. Retrieved December 7, 2020. | Ralph Langner. (2013, November). To Kill a Centrifuge: A Technical Analysis of What Stuxnet's Creators Tried to Achieve. Retrieved December 7, 2020. |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.2 | 1.3 |
[S0663] SysUpdate
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-15 15:03:47.435000+00:00 | 2023-03-20 16:32:21.733000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_platforms | | Linux |
[S0096] Systeminfo
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-12 21:29:48.567000+00:00 | 2023-03-07 13:03:30.781000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.1 | 1.2 |
[S0560] TEARDROP
Current version: 1.2
Version changed from: 1.1 → 1.2
|
|
|---|
| t | [TEARDROP](https://attack.mitre.org/software/S0560) is a mem | t | [TEARDROP](https://attack.mitre.org/software/S0560) is a mem |
| ory-only dropper that was discovered on some victim machines | | ory-only dropper that was discovered on some victim machines |
| during investigations related to the 2020 SolarWinds cyber | | during investigations related to the [SolarWinds Compromise |
| intrusion. It was likely used by [APT29](https://attack.mitr | | ](https://attack.mitre.org/campaigns/C0024). It was likely u |
| e.org/groups/G0016) since at least May 2020.(Citation: FireE | | sed by [APT29](https://attack.mitre.org/groups/G0016) since |
| ye SUNBURST Backdoor December 2020)(Citation: Microsoft Deep | | at least May 2020.(Citation: FireEye SUNBURST Backdoor Decem |
| Dive Solorigate January 2021) | | ber 2020)(Citation: Microsoft Deep Dive Solorigate January 2 |
| | | 021) |
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-04-26 12:13:17.872000+00:00 | 2023-03-27 19:55:35.688000+00:00 |
| description | [TEARDROP](https://attack.mitre.org/software/S0560) is a memory-only dropper that was discovered on some victim machines during investigations related to the 2020 SolarWinds cyber intrusion. It was likely used by [APT29](https://attack.mitre.org/groups/G0016) since at least May 2020.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: Microsoft Deep Dive Solorigate January 2021) | [TEARDROP](https://attack.mitre.org/software/S0560) is a memory-only dropper that was discovered on some victim machines during investigations related to the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024). It was likely used by [APT29](https://attack.mitre.org/groups/G0016) since at least May 2020.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: Microsoft Deep Dive Solorigate January 2021) |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.1 | 1.2 |
[S0263] TYPEFRAME
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2020-06-23 20:40:40.755000+00:00 | 2023-03-26 20:22:31.288000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.1 | 1.2 |
[S0665] ThreatNeedle
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-13 19:50:38.792000+00:00 | 2023-03-26 20:18:23.760000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[S0668] TinyTurla
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-21 16:08:09.275000+00:00 | 2023-03-26 20:20:44.580000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[S0678] Torisma
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-13 21:11:36.982000+00:00 | 2023-03-21 11:45:38.621000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[S0682] TrailBlazer
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-02-08 16:20:46.242000+00:00 | 2023-03-27 19:56:40.741000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[S0386] Ursnif
Current version: 1.4
Version changed from: 1.3 → 1.4
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-04-23 20:38:14.681000+00:00 | 2023-03-22 05:42:32.541000+00:00 |
| external_references[1]['source_name'] | Ursnif | Gozi-ISFB |
| external_references[1]['description'] | (Citation: NJCCIC Ursnif Sept 2016) | (Citation: FireEye Ursnif Nov 2017)(Citation: ProofPoint Ursnif Aug 2016) |
| external_references[2]['source_name'] | Gozi-ISFB | Ursnif |
| external_references[2]['description'] | (Citation: FireEye Ursnif Nov 2017)(Citation: ProofPoint Ursnif Aug 2016) | (Citation: NJCCIC Ursnif Sept 2016) |
| external_references[3]['source_name'] | PE_URSNIF | Dreambot |
| external_references[3]['description'] | (Citation: TrendMicro Ursnif Mar 2015) | (Citation: NJCCIC Ursnif Sept 2016)(Citation: ProofPoint Ursnif Aug 2016) |
| external_references[4]['source_name'] | Dreambot | PE_URSNIF |
| external_references[4]['description'] | (Citation: NJCCIC Ursnif Sept 2016)(Citation: ProofPoint Ursnif Aug 2016) | (Citation: TrendMicro Ursnif Mar 2015) |
| external_references[5]['source_name'] | NJCCIC Ursnif Sept 2016 | TrendMicro Ursnif Mar 2015 |
| external_references[5]['description'] | NJCCIC. (2016, September 27). Ursnif. Retrieved June 4, 2019. | Caragay, R. (2015, March 26). URSNIF: The Multifaceted Malware. Retrieved June 5, 2019. |
| external_references[5]['url'] | https://www.cyber.nj.gov/threat-profiles/trojan-variants/ursnif | https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-the-multifaceted-malware/?_ga=2.165628854.808042651.1508120821-744063452.1505819992 |
| external_references[6]['source_name'] | ProofPoint Ursnif Aug 2016 | NJCCIC Ursnif Sept 2016 |
| external_references[6]['description'] | Proofpoint Staff. (2016, August 25). Nightmare on Tor Street: Ursnif variant Dreambot adds Tor functionality. Retrieved June 5, 2019. | NJCCIC. (2016, September 27). Ursnif. Retrieved June 4, 2019. |
| external_references[6]['url'] | https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality | https://www.cyber.nj.gov/threat-profiles/trojan-variants/ursnif |
| external_references[7]['source_name'] | TrendMicro Ursnif Mar 2015 | ProofPoint Ursnif Aug 2016 |
| external_references[7]['description'] | Caragay, R. (2015, March 26). URSNIF: The Multifaceted Malware. Retrieved June 5, 2019. | Proofpoint Staff. (2016, August 25). Nightmare on Tor Street: Ursnif variant Dreambot adds Tor functionality. Retrieved June 5, 2019. |
| external_references[7]['url'] | https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-the-multifaceted-malware/?_ga=2.165628854.808042651.1508120821-744063452.1505819992 | https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.3 | 1.4 |
[S0476] Valak
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2020-11-23 19:00:25.745000+00:00 | 2023-03-24 21:42:31.959000+00:00 |
| external_references[1]['source_name'] | Cybereason Valak May 2020 | Unit 42 Valak July 2020 |
| external_references[1]['description'] | Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020. | Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020. |
| external_references[1]['url'] | https://www.cybereason.com/blog/valak-more-than-meets-the-eye | https://unit42.paloaltonetworks.com/valak-evolution/ |
| external_references[2]['source_name'] | Unit 42 Valak July 2020 | Cybereason Valak May 2020 |
| external_references[2]['description'] | Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020. | Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020. |
| external_references[2]['url'] | https://unit42.paloaltonetworks.com/valak-evolution/ | https://www.cybereason.com/blog/valak-more-than-meets-the-eye |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.2 | 1.3 |
[S0180] Volgmer
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2020-03-25 13:57:35.783000+00:00 | 2023-03-26 20:40:35.183000+00:00 |
| external_references[2]['source_name'] | US-CERT Volgmer Nov 2017 | US-CERT Volgmer 2 Nov 2017 |
| external_references[2]['description'] | US-CERT. (2017, November 22). Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer. Retrieved December 7, 2017. | US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018. |
| external_references[2]['url'] | https://www.us-cert.gov/ncas/alerts/TA17-318B | https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-D_WHITE_S508C.PDF |
| external_references[3]['source_name'] | US-CERT Volgmer 2 Nov 2017 | US-CERT Volgmer Nov 2017 |
| external_references[3]['description'] | US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018. | US-CERT. (2017, November 22). Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer. Retrieved December 7, 2017. |
| external_references[3]['url'] | https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-D_WHITE_S508C.PDF | https://www.us-cert.gov/ncas/alerts/TA17-318B |
| external_references[4]['url'] | https://www.symantec.com/security-center/writeup/2014-081811-3237-99?tabid=2 | https://web.archive.org/web/20181126143456/https://www.symantec.com/security-center/writeup/2014-081811-3237-99?tabid=2 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.1 | 1.2 |
[S0689] WhisperGate
Current version: 1.1
Version changed from: 1.0 → 1.1
|
|
|---|
| t | [WhisperGate](https://attack.mitre.org/software/S0689) is a | t | [WhisperGate](https://attack.mitre.org/software/S0689) is a |
| multi-stage wiper designed to look like ransomware that has | | multi-stage wiper designed to look like ransomware that has |
| been used in attacks against Ukraine since at least January | | been used against multiple government, non-profit, and infor |
| 2022.(Citation: Cybereason WhisperGate February 2022)(Citati | | mation technology organizations in Ukraine since at least Ja |
| on: Unit 42 WhisperGate January 2022)(Citation: Microsoft Wh | | nuary 2022.(Citation: Cybereason WhisperGate February 2022)( |
| isperGate January 2022) | | Citation: Unit 42 WhisperGate January 2022)(Citation: Micros |
| | | oft WhisperGate January 2022) |
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-24 18:47:53.298000+00:00 | 2023-04-05 20:48:07.280000+00:00 |
| description | [WhisperGate](https://attack.mitre.org/software/S0689) is a multi-stage wiper designed to look like ransomware that has been used in attacks against Ukraine since at least January 2022.(Citation: Cybereason WhisperGate February 2022)(Citation: Unit 42 WhisperGate January 2022)(Citation: Microsoft WhisperGate January 2022) | [WhisperGate](https://attack.mitre.org/software/S0689) is a multi-stage wiper designed to look like ransomware that has been used against multiple government, non-profit, and information technology organizations in Ukraine since at least January 2022.(Citation: Cybereason WhisperGate February 2022)(Citation: Unit 42 WhisperGate January 2022)(Citation: Microsoft WhisperGate January 2022) |
| x_mitre_attack_spec_version | 3.0.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_contributors | | Matt Brenton, Zurich Global Information Security |
[S0330] Zeus Panda
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-08-18 23:49:03.468000+00:00 | 2023-03-22 05:47:42.436000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.2 | 1.3 |
[S0160] certutil
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-08-16 17:50:50.307000+00:00 | 2023-03-03 00:40:22.280000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.2 | 1.3 |
[S0105] dsquery
Current version: 1.4
Version changed from: 1.3 → 1.4
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-13 13:34:53.355000+00:00 | 2023-01-04 18:56:27.812000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.3 | 1.4 |
[S0108] netsh
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2020-03-31 12:41:22.189000+00:00 | 2023-01-17 22:14:55.797000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.1 | 1.2 |
Patches
[S0137] CORESHELL
Current version: 2.1
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_deprecated | | False |
| external_references | | https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | https://securelist.com/a-slice-of-2017-sofacy-activity/83930/ | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2020-03-30 15:14:36.623000+00:00 | 2023-03-26 17:51:20.402000+00:00 |
| external_references[2]['source_name'] | Sofacy | SOURFACE |
| external_references[2]['description'] | This designation has been used in reporting both to refer to the threat group ([APT28](https://attack.mitre.org/groups/G0007)) and its associated malware.(Citation: FireEye APT28) (Citation: FireEye APT28 January 2017)(Citation: Securelist Sofacy Feb 2018) | (Citation: FireEye APT28) (Citation: FireEye APT28 January 2017)(Citation: Securelist Sofacy Feb 2018) |
| external_references[3]['source_name'] | SOURFACE | FireEye APT28 January 2017 |
| external_references[3]['description'] | (Citation: FireEye APT28) (Citation: FireEye APT28 January 2017)(Citation: Securelist Sofacy Feb 2018) | FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017. |
| external_references[4]['url'] | https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf | https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf |
| external_references[5]['source_name'] | FireEye APT28 January 2017 | Securelist Sofacy Feb 2018 |
| external_references[5]['description'] | FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017. | Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018. |
| external_references[5]['url'] | https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf | https://securelist.com/a-slice-of-2017-sofacy-activity/83930/ |
| external_references[6]['source_name'] | Securelist Sofacy Feb 2018 | Sofacy |
| external_references[6]['description'] | Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018. | This designation has been used in reporting both to refer to the threat group ([APT28](https://attack.mitre.org/groups/G0007)) and its associated malware.(Citation: FireEye APT28) (Citation: FireEye APT28 January 2017)(Citation: Securelist Sofacy Feb 2018) |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
[S0144] ChChes
Current version: 1.1
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2020-03-30 18:49:40.093000+00:00 | 2023-03-23 15:14:18.599000+00:00 |
| external_references[4]['source_name'] | Palo Alto menuPass Feb 2017 | Twitter Nick Carr APT10 |
| external_references[4]['description'] | Miller-Osborn, J. and Grunzweig, J.. (2017, February 16). menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations. Retrieved March 1, 2017. | Carr, N.. (2017, April 6). Retrieved June 29, 2017. |
| external_references[4]['url'] | http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/ | https://twitter.com/ItsReallyNick/status/850105140589633536 |
| external_references[5]['source_name'] | JPCERT ChChes Feb 2017 | FireEye APT10 April 2017 |
| external_references[5]['description'] | Nakamura, Y.. (2017, February 17). ChChes - Malware that Communicates with C&C Servers Using Cookie Headers. Retrieved March 1, 2017. | FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017. |
| external_references[5]['url'] | http://blog.jpcert.or.jp/2017/02/chches-malware--93d6.html | https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html |
| external_references[6]['source_name'] | PWC Cloud Hopper Technical Annex April 2017 | Palo Alto menuPass Feb 2017 |
| external_references[6]['description'] | PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017. | Miller-Osborn, J. and Grunzweig, J.. (2017, February 16). menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations. Retrieved March 1, 2017. |
| external_references[6]['url'] | https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf | http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/ |
| external_references[7]['source_name'] | FireEye APT10 April 2017 | JPCERT ChChes Feb 2017 |
| external_references[7]['description'] | FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017. | Nakamura, Y.. (2017, February 17). ChChes - Malware that Communicates with C&C Servers Using Cookie Headers. Retrieved March 1, 2017. |
| external_references[7]['url'] | https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html | http://blog.jpcert.or.jp/2017/02/chches-malware--93d6.html |
| external_references[8]['source_name'] | Twitter Nick Carr APT10 | PWC Cloud Hopper Technical Annex April 2017 |
| external_references[8]['description'] | Carr, N.. (2017, April 6). Retrieved June 29, 2017. | PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017. |
| external_references[8]['url'] | https://twitter.com/ItsReallyNick/status/850105140589633536 | https://www.pwc.co.uk/cyber-security/pdf/pwc-uk-operation-cloud-hopper-technical-annex-april-2017.pdf |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
[S0608] Conficker
Current version: 1.0
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-25 14:00:00.188000+00:00 | 2023-03-08 22:15:47.458000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
[S0591] ConnectWise
Current version: 1.0
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-03-18 14:54:01.053000+00:00 | 2023-04-13 13:09:38.786000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
[S0115] Crimson
Current version: 1.3
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-09-22 18:16:11.378000+00:00 | 2023-03-26 18:39:01.095000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
[S0021] Derusbi
Current version: 1.2
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-15 15:04:10.654000+00:00 | 2023-03-20 22:03:44.668000+00:00 |
| external_references[5]['url'] | http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf | https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
[S0038] Duqu
Current version: 1.2
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-25 14:00:00.188000+00:00 | 2023-03-08 22:17:50.971000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
[S0605] EKANS
Current version: 2.0
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-05-11 14:00:00.188000+00:00 | 2023-03-08 22:04:48.834000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
[S0152] EvilGrab
Current version: 1.1
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2020-03-30 16:22:54.155000+00:00 | 2023-03-23 15:14:18.597000+00:00 |
| external_references[1]['url'] | https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf | https://www.pwc.co.uk/cyber-security/pdf/pwc-uk-operation-cloud-hopper-technical-annex-april-2017.pdf |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
[S0061] HDoor
Current version: 1.0
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2019-04-25 02:33:53.419000+00:00 | 2023-04-04 20:20:59.961000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
[S0009] Hikit
Current version: 1.3
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-01-12 16:21:44.692000+00:00 | 2023-03-20 22:03:44.668000+00:00 |
| external_references[1]['source_name'] | Novetta-Axiom | FireEye Hikit Rootkit |
| external_references[1]['description'] | Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014. | Glyer, C., Kazanciyan, R. (2012, August 20). The “Hikit” Rootkit: Advanced and Persistent Attack Techniques (Part 1). Retrieved June 6, 2016. |
| external_references[1]['url'] | http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf | https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-1.html |
| external_references[2]['source_name'] | FireEye Hikit Rootkit | Novetta-Axiom |
| external_references[2]['description'] | Glyer, C., Kazanciyan, R. (2012, August 20). The “Hikit” Rootkit: Advanced and Persistent Attack Techniques (Part 1). Retrieved June 6, 2016. | Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014. |
| external_references[2]['url'] | https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-1.html | https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
[S0203] Hydraq
Current version: 2.0
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-15 14:57:44.182000+00:00 | 2023-03-20 22:03:44.662000+00:00 |
| external_references[16]['url'] | http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf | https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
[S0387] KeyBoy
Current version: 1.2
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-02-09 14:04:15.433000+00:00 | 2023-03-23 15:22:36.377000+00:00 |
| external_references[2]['source_name'] | CitizenLab KeyBoy Nov 2016 | Rapid7 KeyBoy Jun 2013 |
| external_references[2]['description'] | Hulcoop, A., et al. (2016, November 17). It’s Parliamentary KeyBoy and the targeting of the Tibetan Community. Retrieved June 13, 2019. | Guarnieri, C., Schloesser M. (2013, June 7). KeyBoy, Targeted Attacks against Vietnam and India. Retrieved June 14, 2019. |
| external_references[2]['url'] | https://citizenlab.ca/2016/11/parliament-keyboy/ | https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/ |
| external_references[3]['source_name'] | PWC KeyBoys Feb 2017 | CitizenLab KeyBoy Nov 2016 |
| external_references[3]['description'] | Parys, B. (2017, February 11). The KeyBoys are back in town. Retrieved June 13, 2019. | Hulcoop, A., et al. (2016, November 17). It’s Parliamentary KeyBoy and the targeting of the Tibetan Community. Retrieved June 13, 2019. |
| external_references[3]['url'] | https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-are-back-in-town.html | https://citizenlab.ca/2016/11/parliament-keyboy/ |
| external_references[4]['source_name'] | Rapid7 KeyBoy Jun 2013 | PWC KeyBoys Feb 2017 |
| external_references[4]['description'] | Guarnieri, C., Schloesser M. (2013, June 7). KeyBoy, Targeted Attacks against Vietnam and India. Retrieved June 14, 2019. | Parys, B. (2017, February 11). The KeyBoys are back in town. Retrieved June 13, 2019. |
| external_references[4]['url'] | https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/ | https://web.archive.org/web/20211129064701/https://www.pwc.co.uk/issues/cyber-security-services/research/the-keyboys-are-back-in-town.html |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
[S0607] KillDisk
Current version: 1.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-05-11 14:00:00.188000+00:00 | 2023-03-08 22:13:42.357000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
[S0372] LockerGoga
Current version: 2.0
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-05-23 21:22:58.477000+00:00 | 2023-03-08 22:03:50.370000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
[S0508] Ngrok
Current version: 1.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-06 19:49:28.441000+00:00 | 2023-04-13 13:24:56.579000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
[S0368] NotPetya
Current version: 2.0
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-25 14:00:00.188000+00:00 | 2023-03-08 22:11:21.842000+00:00 |
| external_references[4]['source_name'] | Petrwrap | Nyetya |
| external_references[4]['description'] | (Citation: Talos Nyetya June 2017)(Citation: ESET Telebots June 2017) | (Citation: Talos Nyetya June 2017) |
| external_references[5]['source_name'] | Nyetya | Petrwrap |
| external_references[5]['description'] | (Citation: Talos Nyetya June 2017) | (Citation: Talos Nyetya June 2017)(Citation: ESET Telebots June 2017) |
| external_references[6]['source_name'] | Talos Nyetya June 2017 | ESET Telebots June 2017 |
| external_references[6]['description'] | Chiu, A. (2016, June 27). New Ransomware Variant "Nyetya" Compromises Systems Worldwide. Retrieved March 26, 2019. | Cherepanov, A.. (2017, June 30). TeleBots are back: Supply chain attacks against Ukraine. Retrieved June 11, 2020. |
| external_references[6]['url'] | https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html | https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/ |
| external_references[7]['source_name'] | US-CERT NotPetya 2017 | Talos Nyetya June 2017 |
| external_references[7]['description'] | US-CERT. (2017, July 1). Alert (TA17-181A): Petya Ransomware. Retrieved March 15, 2019. | Chiu, A. (2016, June 27). New Ransomware Variant "Nyetya" Compromises Systems Worldwide. Retrieved March 26, 2019. |
| external_references[7]['url'] | https://www.us-cert.gov/ncas/alerts/TA17-181A | https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html |
| external_references[8]['source_name'] | ESET Telebots June 2017 | US District Court Indictment GRU Unit 74455 October 2020 |
| external_references[8]['description'] | Cherepanov, A.. (2017, June 30). TeleBots are back: Supply chain attacks against Ukraine. Retrieved June 11, 2020. | Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020. |
| external_references[8]['url'] | https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/ | https://www.justice.gov/opa/press-release/file/1328521/download |
| external_references[9]['source_name'] | US District Court Indictment GRU Unit 74455 October 2020 | US-CERT NotPetya 2017 |
| external_references[9]['description'] | Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020. | US-CERT. (2017, July 1). Alert (TA17-181A): Petya Ransomware. Retrieved March 15, 2019. |
| external_references[9]['url'] | https://www.justice.gov/opa/press-release/file/1328521/download | https://www.us-cert.gov/ncas/alerts/TA17-181A |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
[S0138] OLDBAIT
Current version: 1.1
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2020-03-19 23:51:58.976000+00:00 | 2023-03-26 17:51:20.402000+00:00 |
| external_references[1]['source_name'] | FireEye APT28 | FireEye APT28 January 2017 |
| external_references[1]['description'] | FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015. | FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017. |
| external_references[1]['url'] | https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf | https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf |
| external_references[2]['source_name'] | FireEye APT28 January 2017 | FireEye APT28 |
| external_references[2]['description'] | FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017. | FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015. |
| external_references[2]['url'] | https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf | https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
[S0012] PoisonIvy
Current version: 2.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-09-30 21:02:39.862000+00:00 | 2023-03-20 22:03:44.669000+00:00 |
| external_references[7]['url'] | http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf | https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
[S1040] Rclone
Current version: 1.0
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-09-30 15:20:46.871000+00:00 | 2023-04-13 13:14:41.257000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
[S0153] RedLeaves
Current version: 1.1
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2020-03-30 21:01:05.439000+00:00 | 2023-03-23 15:14:18.594000+00:00 |
| external_references[3]['source_name'] | PWC Cloud Hopper Technical Annex April 2017 | Twitter Nick Carr APT10 |
| external_references[3]['description'] | PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017. | Carr, N.. (2017, April 6). Retrieved June 29, 2017. |
| external_references[3]['url'] | https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf | https://twitter.com/ItsReallyNick/status/850105140589633536 |
| external_references[5]['source_name'] | Twitter Nick Carr APT10 | PWC Cloud Hopper Technical Annex April 2017 |
| external_references[5]['description'] | Carr, N.. (2017, April 6). Retrieved June 29, 2017. | PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017. |
| external_references[5]['url'] | https://twitter.com/ItsReallyNick/status/850105140589633536 | https://www.pwc.co.uk/cyber-security/pdf/pwc-uk-operation-cloud-hopper-technical-annex-april-2017.pdf |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
[S0332] Remcos
Current version: 1.3
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-09-16 15:40:41.093000+00:00 | 2022-12-23 14:07:20.658000+00:00 |
| external_references[4]['url'] | https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/ | https://web.archive.org/web/20180124082756/https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/ |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
[S0692] SILENTTRINITY
Current version: 1.0
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-21 12:01:12.083000+00:00 | 2023-04-14 19:27:39.308000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_contributors[0] | Daniel Acevedo, Blackbot | Daniel Acevedo, @darmad0, ARMADO |
[S0266] TrickBot
Current version: 2.0
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-10-01 14:19:20.660000+00:00 | 2023-02-23 19:45:50.419000+00:00 |
| external_references[2]['source_name'] | Totbrick | TSPY_TRICKLOAD |
| external_references[2]['description'] | (Citation: Trend Micro Totbrick Oct 2016) (Citation: Microsoft Totbrick Oct 2017) | (Citation: Trend Micro Totbrick Oct 2016) |
| external_references[3]['source_name'] | TSPY_TRICKLOAD | Totbrick |
| external_references[3]['description'] | (Citation: Trend Micro Totbrick Oct 2016) | (Citation: Trend Micro Totbrick Oct 2016) (Citation: Microsoft Totbrick Oct 2017) |
| external_references[4]['source_name'] | S2 Grupo TrickBot June 2017 | Trend Micro Totbrick Oct 2016 |
| external_references[4]['description'] | Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018. | Antazo, F. (2016, October 31). TSPY_TRICKLOAD.N. Retrieved September 14, 2018. |
| external_references[4]['url'] | https://www.securityartwork.es/wp-content/uploads/2017/07/Trickbot-report-S2-Grupo.pdf | https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/tspy_trickload.n |
| external_references[5]['source_name'] | Fidelis TrickBot Oct 2016 | IBM TrickBot Nov 2016 |
| external_references[5]['description'] | Reaves, J. (2016, October 15). TrickBot: We Missed you, Dyre. Retrieved August 2, 2018. | Keshet, L. (2016, November 09). Tricks of the Trade: A Deeper Look Into TrickBot’s Machinations. Retrieved August 2, 2018. |
| external_references[5]['url'] | https://www.fidelissecurity.com/threatgeek/2016/10/trickbot-we-missed-you-dyre | https://securityintelligence.com/tricks-of-the-trade-a-deeper-look-into-trickbots-machinations/ |
| external_references[6]['source_name'] | IBM TrickBot Nov 2016 | TrendMicro Trickbot Feb 2019 |
| external_references[6]['description'] | Keshet, L. (2016, November 09). Tricks of the Trade: A Deeper Look Into TrickBot’s Machinations. Retrieved August 2, 2018. | Llimos, N., Pascual, C.. (2019, February 12). Trickbot Adds Remote Application Credential-Grabbing Capabilities to Its Repertoire. Retrieved March 12, 2019. |
| external_references[6]['url'] | https://securityintelligence.com/tricks-of-the-trade-a-deeper-look-into-trickbots-machinations/ | https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-adds-remote-application-credential-grabbing-capabilities-to-its-repertoire/ |
| external_references[8]['source_name'] | Trend Micro Totbrick Oct 2016 | Microsoft Totbrick Oct 2017 |
| external_references[8]['description'] | Antazo, F. (2016, October 31). TSPY_TRICKLOAD.N. Retrieved September 14, 2018. | Pornasdoro, A. (2017, October 12). Trojan:Win32/Totbrick. Retrieved September 14, 2018. |
| external_references[8]['url'] | https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/tspy_trickload.n | https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Totbrick |
| external_references[9]['source_name'] | TrendMicro Trickbot Feb 2019 | Fidelis TrickBot Oct 2016 |
| external_references[9]['description'] | Llimos, N., Pascual, C.. (2019, February 12). Trickbot Adds Remote Application Credential-Grabbing Capabilities to Its Repertoire. Retrieved March 12, 2019. | Reaves, J. (2016, October 15). TrickBot: We Missed you, Dyre. Retrieved August 2, 2018. |
| external_references[9]['url'] | https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-adds-remote-application-credential-grabbing-capabilities-to-its-repertoire/ | https://www.fidelissecurity.com/threatgeek/2016/10/trickbot-we-missed-you-dyre |
| external_references[10]['source_name'] | Microsoft Totbrick Oct 2017 | S2 Grupo TrickBot June 2017 |
| external_references[10]['description'] | Pornasdoro, A. (2017, October 12). Trojan:Win32/Totbrick. Retrieved September 14, 2018. | Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018. |
| external_references[10]['url'] | https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Totbrick | https://www.securityartwork.es/wp-content/uploads/2017/07/Trickbot-report-S2-Grupo.pdf |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
[S0366] WannaCry
Current version: 1.1
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-25 14:00:00.188000+00:00 | 2023-03-08 22:20:20.868000+00:00 |
| external_references[1]['source_name'] | WanaCry | WanaCrypt0r |
| external_references[1]['description'] | (Citation: SecureWorks WannaCry Analysis) | (Citation: LogRhythm WannaCry) |
| external_references[2]['source_name'] | WanaCrypt | WCry |
| external_references[2]['description'] | (Citation: SecureWorks WannaCry Analysis) | (Citation: LogRhythm WannaCry)(Citation: SecureWorks WannaCry Analysis) |
| external_references[3]['source_name'] | WanaCrypt0r | WanaCry |
| external_references[3]['description'] | (Citation: LogRhythm WannaCry) | (Citation: SecureWorks WannaCry Analysis) |
| external_references[4]['source_name'] | WCry | WanaCrypt |
| external_references[4]['description'] | (Citation: LogRhythm WannaCry)(Citation: SecureWorks WannaCry Analysis) | (Citation: SecureWorks WannaCry Analysis) |
| external_references[5]['source_name'] | LogRhythm WannaCry | FireEye WannaCry 2017 |
| external_references[5]['description'] | Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved March 25, 2019. | Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019. |
| external_references[5]['url'] | https://logrhythm.com/blog/a-technical-analysis-of-wannacry-ransomware/ | https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html |
| external_references[6]['source_name'] | US-CERT WannaCry 2017 | SecureWorks WannaCry Analysis |
| external_references[6]['description'] | US-CERT. (2017, May 12). Alert (TA17-132A): Indicators Associated With WannaCry Ransomware. Retrieved March 25, 2019. | Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware Analysis. Retrieved March 26, 2019. |
| external_references[6]['url'] | https://www.us-cert.gov/ncas/alerts/TA17-132A | https://www.secureworks.com/research/wcry-ransomware-analysis |
| external_references[8]['source_name'] | FireEye WannaCry 2017 | LogRhythm WannaCry |
| external_references[8]['description'] | Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019. | Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved March 25, 2019. |
| external_references[8]['url'] | https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html | https://logrhythm.com/blog/a-technical-analysis-of-wannacry-ransomware/ |
| external_references[9]['source_name'] | SecureWorks WannaCry Analysis | US-CERT WannaCry 2017 |
| external_references[9]['description'] | Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware Analysis. Retrieved March 26, 2019. | US-CERT. (2017, May 12). Alert (TA17-132A): Indicators Associated With WannaCry Ransomware. Retrieved March 25, 2019. |
| external_references[9]['url'] | https://www.secureworks.com/research/wcry-ransomware-analysis | https://www.us-cert.gov/ncas/alerts/TA17-132A |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
[S0141] Winnti for Windows
Current version: 3.0
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-15 16:38:19.439000+00:00 | 2023-03-20 22:02:53.982000+00:00 |
| external_references[5]['url'] | http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf | https://web.archive.org/web/20150412223949/http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
[S0388] YAHOYAH
Current version: 1.1
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2020-05-21 17:23:45.362000+00:00 | 2023-03-23 15:24:22.256000+00:00 |
| external_references[1]['url'] | https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-tropic-trooper.pdf | https://documents.trendmicro.com/assets/wp/wp-operation-tropic-trooper.pdf |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
[S0672] Zox
Current version: 1.0
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-15 16:01:23.818000+00:00 | 2023-03-20 22:03:44.670000+00:00 |
| external_references[4]['url'] | http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf | https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
[S0412] ZxShell
Current version: 1.2
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-15 15:01:42.835000+00:00 | 2023-03-23 15:27:10.501000+00:00 |
| external_references[4]['url'] | https://content.fireeye.com/apt-41/rpt-apt41 | https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
[S0032] gh0st RAT
Current version: 3.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-09-30 21:03:21.873000+00:00 | 2023-03-20 22:03:44.666000+00:00 |
| external_references[5]['url'] | http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf | https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
mobile-attack
New Software
[S1061] AbstractEmu
Current version: 1.0
Description: [AbstractEmu](https://attack.mitre.org/software/S1061) is mobile malware that was first seen in Google Play and other third-party stores in October 2021. It was discovered in 19 Android applications, of which at least 7 abused known Android exploits for obtaining root permissions. [AbstractEmu](https://attack.mitre.org/software/S1061) was observed primarily impacting users in the United States, however victims are believed to be across a total of 17 countries.(Citation: lookout_abstractemu_1021)
[S1054] Drinik
Current version: 1.0
Description: [Drinik](https://attack.mitre.org/software/S1054) is an evolving Android banking trojan that was observed targeting customers of around 27 banks in India in August 2021. Initially seen as an SMS stealer in 2016, [Drinik](https://attack.mitre.org/software/S1054) resurfaced as a banking trojan with more advanced capabilities included in subsequent versions between September 2021 and August 2022.(Citation: cyble_drinik_1022)
[S1067] FluBot
Current version: 1.0
Description: [FluBot](https://attack.mitre.org/software/S1067) is a multi-purpose mobile banking malware that was first observed in Spain in late 2020. It primarily spread through European countries using a variety of SMS phishing messages in multiple languages.(Citation: proofpoint_flubot_0421)(Citation: bitdefender_flubot_0524)
[S1062] S.O.V.A.
Current version: 1.0
Description: [S.O.V.A.](https://attack.mitre.org/software/S1062) is an Android banking trojan that was first identified in August 2021 and has subsequently been found in a variety of applications, including banking, cryptocurrency wallet/exchange, and shopping apps. [S.O.V.A.](https://attack.mitre.org/software/S1062), which is Russian for "owl", contains features not commonly found in Android malware, such as session cookie theft.(Citation: threatfabric_sova_0921)(Citation: cleafy_sova_1122)
[S1055] SharkBot
Current version: 1.0
Description: [SharkBot](https://attack.mitre.org/software/S1055) is a banking malware, first discovered in October 2021, that tries to initiate money transfers directly from compromised devices by abusing Accessibility Services.(Citation: nccgroup_sharkbot_0322)
[S1069] TangleBot
Current version: 1.0
Description: [TangleBot](https://attack.mitre.org/software/S1069) is SMS malware that was initially observed in September 2021, primarily targeting mobile users in the United States and Canada. [TangleBot](https://attack.mitre.org/software/S1069) has used SMS text message lures about COVID-19 regulations and vaccines to trick mobile users into downloading the malware, similar to [FluBot](https://attack.mitre.org/software/S1067) Android malware campaigns.(Citation: cloudmark_tanglebot_0921)
[S1056] TianySpy
Current version: 1.0
Description: [TianySpy](https://attack.mitre.org/software/S1056) is a mobile malware primarily spread by SMS phishing between September 30 and October 12, 2021. [TianySpy](https://attack.mitre.org/software/S1056) is believed to have targeted credentials associated with membership websites of major Japanese telecommunication services.(Citation: trendmicro_tianyspy_0122)
Major Version Changes
[S0311] YiSpecter
Current version: 2.0
Version changed from: 1.0 → 2.0
|
|
|---|
| t | [YiSpecter](https://attack.mitre.org/software/S0311) iOS mal | t | [YiSpecter](https://attack.mitre.org/software/S0311) is a fa |
| ware that affects both jailbroken and non-jailbroken iOS dev | | mily of iOS and Android malware, first detected in November |
| ices. It is also unique because it abuses private APIs in th | | 2014, targeting users in mainland China and Taiwan. [YiSpect |
| e iOS system to implement functionality. (Citation: PaloAlto | | er](https://attack.mitre.org/software/S0311) abuses private |
| -YiSpecter) | | APIs in iOS to infect both jailbroken and non-jailbroken dev |
| | | ices.(Citation: paloalto_yispecter_1015) |
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_aliases | | ['YiSpecter'] |
| x_mitre_deprecated | | False |
| x_mitre_platforms | | ['Android', 'iOS'] |
| external_references | | https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/ |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-24 15:09:07.609000+00:00 | 2023-04-20 18:19:15.826000+00:00 |
| description | [YiSpecter](https://attack.mitre.org/software/S0311) iOS malware that affects both jailbroken and non-jailbroken iOS devices. It is also unique because it abuses private APIs in the iOS system to implement functionality. (Citation: PaloAlto-YiSpecter) | [YiSpecter](https://attack.mitre.org/software/S0311) is a family of iOS and Android malware, first detected in November 2014, targeting users in mainland China and Taiwan. [YiSpecter](https://attack.mitre.org/software/S0311) abuses private APIs in iOS to infect both jailbroken and non-jailbroken devices.(Citation: paloalto_yispecter_1015) |
| external_references[1]['source_name'] | YiSpecter | paloalto_yispecter_1015 |
| external_references[1]['description'] | (Citation: PaloAlto-YiSpecter) | Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. Retrieved March 3, 2023. |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 2.0 |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'PaloAlto-YiSpecter', 'description': 'Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. Retrieved January 20, 2017.', 'url': 'https://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/'} | |
Minor Version Changes
[S0432] Bread
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2020-10-14 14:42:53.609000+00:00 | 2023-04-21 18:53:30.817000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.1 | 1.2 |
[S0322] HummingBad
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_aliases | | ['HummingBad'] |
| x_mitre_deprecated | | False |
| external_references | | http://arstechnica.com/security/2016/07/virulent-auto-rooting-malware-takes-control-of-10-million-android-devices/ |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-24 15:09:07.609000+00:00 | 2023-04-21 18:52:08.966000+00:00 |
| external_references[1]['source_name'] | HummingBad | ArsTechnica-HummingBad |
| external_references[1]['description'] | (Citation: ArsTechnica-HummingBad) | Dan Goodin. (2016, July 7). 10 million Android phones infected by all-powerful auto-rooting apps. Retrieved January 24, 2017. |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'ArsTechnica-HummingBad', 'description': 'Dan Goodin. (2016, July 7). 10 million Android phones infected by all-powerful auto-rooting apps. Retrieved January 24, 2017.', 'url': 'http://arstechnica.com/security/2016/07/virulent-auto-rooting-malware-takes-control-of-10-million-android-devices/'} | |
Patches
[S0655] BusyGasper
Current version: 1.0
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-10-14 15:38:53.014000+00:00 | 2023-03-28 17:20:20.194000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
ics-attack
New Software
[S1072] Industroyer2
Current version: 1.0
Description: [Industroyer2](https://attack.mitre.org/software/S1072) is a compiled and static piece of malware that has the ability to communicate over the IEC-104 protocol. It is similar to the IEC-104 module found in [Industroyer](https://attack.mitre.org/software/S0604). Security researchers assess that [Industroyer2](https://attack.mitre.org/software/S1072) was designed to cause impact to high-voltage electrical substations. The initial [Industroyer2](https://attack.mitre.org/software/S1072) sample was compiled on 03/23/2022 and scheduled to execute on 04/08/2022, however it was discovered before deploying, resulting in no impact.(Citation: Industroyer2 Blackhat ESET)
Minor Version Changes
[S0496] REvil
Current version: 2.1
Version changed from: 2.0 → 2.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-05-24 21:09:01.019000+00:00 | 2023-03-26 20:06:33.317000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 2.0 | 2.1 |
[S0603] Stuxnet
Current version: 1.3
Version changed from: 1.2 → 1.3
|
|
|---|
| t | [Stuxnet](https://attack.mitre.org/software/S0603) was the f | t | [Stuxnet](https://attack.mitre.org/software/S0603) was the f |
| irst publicly reported piece of malware to specifically targ | | irst publicly reported piece of malware to specifically targ |
| et industrial control systems devices. [Stuxnet](https://att | | et industrial control systems devices. [Stuxnet](https://att |
| ack.mitre.org/software/S0603) is a large and complex piece o | | ack.mitre.org/software/S0603) is a large and complex piece o |
| f malware that utilized multiple different behaviors includi | | f malware that utilized multiple different behaviors includi |
| ng multiple zero-day vulnerabilities, a sophisticated Window | | ng multiple zero-day vulnerabilities, a sophisticated Window |
| s rootkit, and network infection routines.(Citation: Symante | | s rootkit, and network infection routines.(Citation: Nicolas |
| c W.32 Stuxnet Dossier)(Citation: CISA ICS Advisory ICSA-10- | | Falliere, Liam O Murchu, Eric Chien February 2011)(Citation |
| 272-01)(Citation: ESET Stuxnet Under the Microscope)(Citatio | | : CISA ICS Advisory ICSA-10-272-01)(Citation: ESET Stuxnet U |
| n: Langer Stuxnet) [Stuxnet](https://attack.mitre.org/softwa | | nder the Microscope)(Citation: Langer Stuxnet) [Stuxnet](htt |
| re/S0603) was discovered in 2010, with some components being | | ps://attack.mitre.org/software/S0603) was discovered in 2010 |
| used as early as November 2008.(Citation: Symantec W.32 Stu | | , with some components being used as early as November 2008. |
| xnet Dossier) | | (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien Febru |
| | | ary 2011) |
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-20 20:31:32.664000+00:00 | 2023-03-20 13:50:55.168000+00:00 |
| description | [Stuxnet](https://attack.mitre.org/software/S0603) was the first publicly reported piece of malware to specifically target industrial control systems devices. [Stuxnet](https://attack.mitre.org/software/S0603) is a large and complex piece of malware that utilized multiple different behaviors including multiple zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines.(Citation: Symantec W.32 Stuxnet Dossier)(Citation: CISA ICS Advisory ICSA-10-272-01)(Citation: ESET Stuxnet Under the Microscope)(Citation: Langer Stuxnet) [Stuxnet](https://attack.mitre.org/software/S0603) was discovered in 2010, with some components being used as early as November 2008.(Citation: Symantec W.32 Stuxnet Dossier) | [Stuxnet](https://attack.mitre.org/software/S0603) was the first publicly reported piece of malware to specifically target industrial control systems devices. [Stuxnet](https://attack.mitre.org/software/S0603) is a large and complex piece of malware that utilized multiple different behaviors including multiple zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)(Citation: CISA ICS Advisory ICSA-10-272-01)(Citation: ESET Stuxnet Under the Microscope)(Citation: Langer Stuxnet) [Stuxnet](https://attack.mitre.org/software/S0603) was discovered in 2010, with some components being used as early as November 2008.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) |
| external_references[1]['description'] | (Citation: Symantec W.32 Stuxnet Dossier) | (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) |
| external_references[4]['source_name'] | Symantec W.32 Stuxnet Dossier | Nicolas Falliere, Liam O Murchu, Eric Chien February 2011 |
| external_references[4]['description'] | Nicolas Falliere, Liam O. Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier. Retrieved December 7, 2020. | Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 |
| external_references[4]['url'] | https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf | https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf |
| external_references[5]['description'] | Ralph Langner. (2013, November). Ralph Langner. (2013, November). To Kill a Centrifuge: A Technical Analysis of What Stuxnet's Creators Tried to Achieve. Retrieved December 7, 2020. | Ralph Langner. (2013, November). To Kill a Centrifuge: A Technical Analysis of What Stuxnet's Creators Tried to Achieve. Retrieved December 7, 2020. |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.2 | 1.3 |
Patches
[S0608] Conficker
Current version: 1.0
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-25 14:00:00.188000+00:00 | 2023-03-08 22:15:47.458000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
[S0038] Duqu
Current version: 1.2
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-25 14:00:00.188000+00:00 | 2023-03-08 22:17:50.971000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
[S0605] EKANS
Current version: 2.0
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-05-11 14:00:00.188000+00:00 | 2023-03-08 22:04:48.834000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
[S1045] INCONTROLLER
Current version: 1.0
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_contributors | | ['Jimmy Wylie, Dragos, Inc.'] |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-18 16:49:51.348000+00:00 | 2023-03-17 16:23:24.812000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
[S0607] KillDisk
Current version: 1.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-05-11 14:00:00.188000+00:00 | 2023-03-08 22:13:42.357000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
[S0372] LockerGoga
Current version: 2.0
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-05-23 21:22:58.477000+00:00 | 2023-03-08 22:03:50.370000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
[S0368] NotPetya
Current version: 2.0
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-25 14:00:00.188000+00:00 | 2023-03-08 22:11:21.842000+00:00 |
| external_references[4]['source_name'] | Petrwrap | Nyetya |
| external_references[4]['description'] | (Citation: Talos Nyetya June 2017)(Citation: ESET Telebots June 2017) | (Citation: Talos Nyetya June 2017) |
| external_references[5]['source_name'] | Nyetya | Petrwrap |
| external_references[5]['description'] | (Citation: Talos Nyetya June 2017) | (Citation: Talos Nyetya June 2017)(Citation: ESET Telebots June 2017) |
| external_references[6]['source_name'] | Talos Nyetya June 2017 | ESET Telebots June 2017 |
| external_references[6]['description'] | Chiu, A. (2016, June 27). New Ransomware Variant "Nyetya" Compromises Systems Worldwide. Retrieved March 26, 2019. | Cherepanov, A.. (2017, June 30). TeleBots are back: Supply chain attacks against Ukraine. Retrieved June 11, 2020. |
| external_references[6]['url'] | https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html | https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/ |
| external_references[7]['source_name'] | US-CERT NotPetya 2017 | Talos Nyetya June 2017 |
| external_references[7]['description'] | US-CERT. (2017, July 1). Alert (TA17-181A): Petya Ransomware. Retrieved March 15, 2019. | Chiu, A. (2016, June 27). New Ransomware Variant "Nyetya" Compromises Systems Worldwide. Retrieved March 26, 2019. |
| external_references[7]['url'] | https://www.us-cert.gov/ncas/alerts/TA17-181A | https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html |
| external_references[8]['source_name'] | ESET Telebots June 2017 | US District Court Indictment GRU Unit 74455 October 2020 |
| external_references[8]['description'] | Cherepanov, A.. (2017, June 30). TeleBots are back: Supply chain attacks against Ukraine. Retrieved June 11, 2020. | Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020. |
| external_references[8]['url'] | https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/ | https://www.justice.gov/opa/press-release/file/1328521/download |
| external_references[9]['source_name'] | US District Court Indictment GRU Unit 74455 October 2020 | US-CERT NotPetya 2017 |
| external_references[9]['description'] | Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020. | US-CERT. (2017, July 1). Alert (TA17-181A): Petya Ransomware. Retrieved March 15, 2019. |
| external_references[9]['url'] | https://www.justice.gov/opa/press-release/file/1328521/download | https://www.us-cert.gov/ncas/alerts/TA17-181A |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
[S1009] Triton
Current version: 1.0
|
|
|---|
| t | [Triton](https://attack.mitre.org/software/S1009) is an atta | t | [Triton](https://attack.mitre.org/software/S1009) is an atta |
| ck framework built to interact with Triconex Safety Instrume | | ck framework built to interact with Triconex Safety Instrume |
| nted System (SIS) controllers. (Citation: Blake Johnson, Dan | | nted System (SIS) controllers.(Citation: Blake Johnson, Dan |
| Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christo | | Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christop |
| pher Glyer December 2017) (Citation: Dragos December 2017) ( | | her Glyer December 2017)(Citation: Dragos December 2017)(Cit |
| Citation: DHS CISA February 2019) (Citation: Schneider Elect | | ation: DHS CISA February 2019)(Citation: Schneider Electric |
| ric January 2018) (Citation: Julian Gutmanis March 2019) (Ci | | January 2018)(Citation: Julian Gutmanis March 2019)(Citation |
| tation: Schneider December 2018) (Citation: Jos Wetzels Janu | | : Schneider December 2018)(Citation: Jos Wetzels January 201 |
| ary 2018) | | 8) |
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-12 18:29:38.831000+00:00 | 2022-11-23 14:27:54.711000+00:00 |
| description | [Triton](https://attack.mitre.org/software/S1009) is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers. (Citation: Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017) (Citation: Dragos December 2017) (Citation: DHS CISA February 2019) (Citation: Schneider Electric January 2018) (Citation: Julian Gutmanis March 2019) (Citation: Schneider December 2018) (Citation: Jos Wetzels January 2018) | [Triton](https://attack.mitre.org/software/S1009) is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers.(Citation: Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017)(Citation: Dragos December 2017)(Citation: DHS CISA February 2019)(Citation: Schneider Electric January 2018)(Citation: Julian Gutmanis March 2019)(Citation: Schneider December 2018)(Citation: Jos Wetzels January 2018) |
| x_mitre_attack_spec_version | 2.1.0 | 3.0.0 |
[S0366] WannaCry
Current version: 1.1
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-25 14:00:00.188000+00:00 | 2023-03-08 22:20:20.868000+00:00 |
| external_references[1]['source_name'] | WanaCry | WanaCrypt0r |
| external_references[1]['description'] | (Citation: SecureWorks WannaCry Analysis) | (Citation: LogRhythm WannaCry) |
| external_references[2]['source_name'] | WanaCrypt | WCry |
| external_references[2]['description'] | (Citation: SecureWorks WannaCry Analysis) | (Citation: LogRhythm WannaCry)(Citation: SecureWorks WannaCry Analysis) |
| external_references[3]['source_name'] | WanaCrypt0r | WanaCry |
| external_references[3]['description'] | (Citation: LogRhythm WannaCry) | (Citation: SecureWorks WannaCry Analysis) |
| external_references[4]['source_name'] | WCry | WanaCrypt |
| external_references[4]['description'] | (Citation: LogRhythm WannaCry)(Citation: SecureWorks WannaCry Analysis) | (Citation: SecureWorks WannaCry Analysis) |
| external_references[5]['source_name'] | LogRhythm WannaCry | FireEye WannaCry 2017 |
| external_references[5]['description'] | Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved March 25, 2019. | Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019. |
| external_references[5]['url'] | https://logrhythm.com/blog/a-technical-analysis-of-wannacry-ransomware/ | https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html |
| external_references[6]['source_name'] | US-CERT WannaCry 2017 | SecureWorks WannaCry Analysis |
| external_references[6]['description'] | US-CERT. (2017, May 12). Alert (TA17-132A): Indicators Associated With WannaCry Ransomware. Retrieved March 25, 2019. | Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware Analysis. Retrieved March 26, 2019. |
| external_references[6]['url'] | https://www.us-cert.gov/ncas/alerts/TA17-132A | https://www.secureworks.com/research/wcry-ransomware-analysis |
| external_references[8]['source_name'] | FireEye WannaCry 2017 | LogRhythm WannaCry |
| external_references[8]['description'] | Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019. | Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved March 25, 2019. |
| external_references[8]['url'] | https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html | https://logrhythm.com/blog/a-technical-analysis-of-wannacry-ransomware/ |
| external_references[9]['source_name'] | SecureWorks WannaCry Analysis | US-CERT WannaCry 2017 |
| external_references[9]['description'] | Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware Analysis. Retrieved March 26, 2019. | US-CERT. (2017, May 12). Alert (TA17-132A): Indicators Associated With WannaCry Ransomware. Retrieved March 25, 2019. |
| external_references[9]['url'] | https://www.secureworks.com/research/wcry-ransomware-analysis | https://www.us-cert.gov/ncas/alerts/TA17-132A |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
Groups
enterprise-attack
New Groups
[G1012] CURIUM
Current version: 1.0
Description: [CURIUM](https://attack.mitre.org/groups/G1012) is an Iranian threat group first reported in November 2021 that has invested in building a relationship with potential targets via social media over a period of months to establish trust and confidence before sending malware. Security researchers note [CURIUM](https://attack.mitre.org/groups/G1012) has demonstrated great patience and persistence by chatting with potential targets daily and sending benign files to help lower their security consciousness.(Citation: Microsoft Iranian Threat Actor Trends November 2021)
[G1014] LuminousMoth
Current version: 1.0
Description: [LuminousMoth](https://attack.mitre.org/groups/G1014) is a Chinese-speaking cyber espionage group that has been active since at least October 2020. [LuminousMoth](https://attack.mitre.org/groups/G1014) has targeted high-profile organizations, including government entities, in Myanmar, the Philippines, Thailand, and other parts of Southeast Asia. Some security researchers have concluded there is a connection between [LuminousMoth](https://attack.mitre.org/groups/G1014) and [Mustang Panda](https://attack.mitre.org/groups/G0129) based on similar targeting and TTPs, as well as network infrastructure overlaps.(Citation: Kaspersky LuminousMoth July 2021)(Citation: Bitdefender LuminousMoth July 2021)
[G1013] Metador
Current version: 1.0
Description: [Metador](https://attack.mitre.org/groups/G1013) is a suspected cyber espionage group that was first reported in September 2022. [Metador](https://attack.mitre.org/groups/G1013) has targeted a limited number of telecommunication companies, internet service providers, and universities in the Middle East and Africa. Security researchers named the group [Metador](https://attack.mitre.org/groups/G1013) based on the "I am meta" string in one of the group's malware samples and the expectation of Spanish-language responses from C2 servers.(Citation: SentinelLabs Metador Sept 2022)
Major Version Changes
[G0016] APT29
Current version: 4.0
Version changed from: 3.1 → 4.0
|
|
|---|
| t | [APT29](https://attack.mitre.org/groups/G0016) is threat gro | t | [APT29](https://attack.mitre.org/groups/G0016) is threat gro |
| up that has been attributed to Russia's Foreign Intelligence | | up that has been attributed to Russia's Foreign Intelligence |
| Service (SVR).(Citation: White House Imposing Costs RU Gov | | Service (SVR).(Citation: White House Imposing Costs RU Gov |
| April 2021)(Citation: UK Gov Malign RIS Activity April 2021) | | April 2021)(Citation: UK Gov Malign RIS Activity April 2021) |
| They have operated since at least 2008, often targeting gov | | They have operated since at least 2008, often targeting gov |
| ernment networks in Europe and NATO member countries, resear | | ernment networks in Europe and NATO member countries, resear |
| ch institutes, and think tanks. [APT29](https://attack.mitre | | ch institutes, and think tanks. [APT29](https://attack.mitre |
| .org/groups/G0016) reportedly compromised the Democratic Nat | | .org/groups/G0016) reportedly compromised the Democratic Nat |
| ional Committee starting in the summer of 2015.(Citation: F- | | ional Committee starting in the summer of 2015.(Citation: F- |
| Secure The Dukes)(Citation: GRIZZLY STEPPE JAR)(Citation: Cr | | Secure The Dukes)(Citation: GRIZZLY STEPPE JAR)(Citation: Cr |
| owdstrike DNC June 2016)(Citation: UK Gov UK Exposes Russia | | owdstrike DNC June 2016)(Citation: UK Gov UK Exposes Russia |
| SolarWinds April 2021) In April 2021, the US and UK governm | | SolarWinds April 2021) In April 2021, the US and UK governm |
| ents attributed the SolarWinds supply chain compromise cyber | | ents attributed the [SolarWinds Compromise](https://attack.m |
| operation to the SVR; public statements included citations | | itre.org/campaigns/C0024) to the SVR; public statements incl |
| to [APT29](https://attack.mitre.org/groups/G0016), Cozy Bear | | uded citations to [APT29](https://attack.mitre.org/groups/G0 |
| , and The Dukes.(Citation: NSA Joint Advisory SVR SolarWinds | | 016), Cozy Bear, and The Dukes.(Citation: NSA Joint Advisory |
| April 2021)(Citation: UK NSCS Russia SolarWinds April 2021) | | SVR SolarWinds April 2021)(Citation: UK NSCS Russia SolarWi |
| Victims of this campaign included government, consulting, t | | nds April 2021) Industry reporting also referred to the acto |
| echnology, telecom, and other organizations in North America | | rs involved in this campaign as UNC2452, NOBELIUM, StellarPa |
| , Europe, Asia, and the Middle East. Industry reporting refe | | rticle, Dark Halo, and SolarStorm.(Citation: FireEye SUNBURS |
| rred to the actors involved in this campaign as UNC2452, NOB | | T Backdoor December 2020)(Citation: MSTIC NOBELIUM Mar 2021) |
| ELIUM, StellarParticle, and Dark Halo.(Citation: FireEye SUN | | (Citation: CrowdStrike SUNSPOT Implant January 2021)(Citatio |
| BURST Backdoor December 2020)(Citation: MSTIC NOBELIUM Mar 2 | | n: Volexity SolarWinds)(Citation: Cybersecurity Advisory SVR |
| 021)(Citation: CrowdStrike SUNSPOT Implant January 2021)(Cit | | TTP May 2021)(Citation: Unit 42 SolarStorm December 2020) |
| ation: Volexity SolarWinds)(Citation: Cybersecurity Advisory | | |
| SVR TTP May 2021) | | |
Details
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/ | |
| external_references | https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-07-11 20:34:55.717000+00:00 | 2023-04-16 22:25:01.191000+00:00 |
| description | [APT29](https://attack.mitre.org/groups/G0016) is threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).(Citation: White House Imposing Costs RU Gov April 2021)(Citation: UK Gov Malign RIS Activity April 2021) They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. [APT29](https://attack.mitre.org/groups/G0016) reportedly compromised the Democratic National Committee starting in the summer of 2015.(Citation: F-Secure The Dukes)(Citation: GRIZZLY STEPPE JAR)(Citation: Crowdstrike DNC June 2016)(Citation: UK Gov UK Exposes Russia SolarWinds April 2021)
In April 2021, the US and UK governments attributed the SolarWinds supply chain compromise cyber operation to the SVR; public statements included citations to [APT29](https://attack.mitre.org/groups/G0016), Cozy Bear, and The Dukes.(Citation: NSA Joint Advisory SVR SolarWinds April 2021)(Citation: UK NSCS Russia SolarWinds April 2021) Victims of this campaign included government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East. Industry reporting referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, and Dark Halo.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: MSTIC NOBELIUM Mar 2021)(Citation: CrowdStrike SUNSPOT Implant January 2021)(Citation: Volexity SolarWinds)(Citation: Cybersecurity Advisory SVR TTP May 2021) | [APT29](https://attack.mitre.org/groups/G0016) is threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).(Citation: White House Imposing Costs RU Gov April 2021)(Citation: UK Gov Malign RIS Activity April 2021) They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. [APT29](https://attack.mitre.org/groups/G0016) reportedly compromised the Democratic National Committee starting in the summer of 2015.(Citation: F-Secure The Dukes)(Citation: GRIZZLY STEPPE JAR)(Citation: Crowdstrike DNC June 2016)(Citation: UK Gov UK Exposes Russia SolarWinds April 2021)
In April 2021, the US and UK governments attributed the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024) to the SVR; public statements included citations to [APT29](https://attack.mitre.org/groups/G0016), Cozy Bear, and The Dukes.(Citation: NSA Joint Advisory SVR SolarWinds April 2021)(Citation: UK NSCS Russia SolarWinds April 2021) Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: MSTIC NOBELIUM Mar 2021)(Citation: CrowdStrike SUNSPOT Implant January 2021)(Citation: Volexity SolarWinds)(Citation: Cybersecurity Advisory SVR TTP May 2021)(Citation: Unit 42 SolarStorm December 2020) |
| external_references[9]['source_name'] | IRON HEMLOCK | Blue Kitsune |
| external_references[9]['description'] | (Citation: Secureworks IRON HEMLOCK Profile) | (Citation: PWC WellMess July 2020)(Citation: PWC WellMess C2 August 2020) |
| external_references[10]['source_name'] | IRON RITUAL | IRON HEMLOCK |
| external_references[10]['description'] | (Citation: Secureworks IRON RITUAL Profile) | (Citation: Secureworks IRON HEMLOCK Profile) |
| external_references[11]['source_name'] | NobleBaron | IRON RITUAL |
| external_references[11]['description'] | (Citation: SentinelOne NobleBaron June 2021) | (Citation: Secureworks IRON RITUAL Profile) |
| external_references[12]['source_name'] | Dark Halo | NobleBaron |
| external_references[12]['description'] | (Citation: Volexity SolarWinds) | (Citation: SentinelOne NobleBaron June 2021) |
| external_references[13]['source_name'] | Crowdstrike DNC June 2016 | SolarStorm |
| external_references[13]['description'] | Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016. | (Citation: Unit 42 SolarStorm December 2020) |
| external_references[14]['source_name'] | Volexity SolarWinds | Dark Halo |
| external_references[14]['description'] | Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020. | (Citation: Volexity SolarWinds) |
| external_references[15]['source_name'] | CrowdStrike SUNSPOT Implant January 2021 | Crowdstrike DNC June 2016 |
| external_references[15]['description'] | CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021. | Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016. |
| external_references[15]['url'] | https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ | https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/ |
| external_references[16]['source_name'] | CrowdStrike StellarParticle January 2022 | Volexity SolarWinds |
| external_references[16]['description'] | CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022. | Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020. |
| external_references[16]['url'] | https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/ | https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ |
| external_references[17]['source_name'] | GRIZZLY STEPPE JAR | CrowdStrike SUNSPOT Implant January 2021 |
| external_references[17]['description'] | Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE – Russian Malicious Cyber Activity. Retrieved January 11, 2017. | CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021. |
| external_references[17]['url'] | https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf | https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ |
| external_references[18]['source_name'] | FireEye APT29 Nov 2018 | CrowdStrike StellarParticle January 2022 |
| external_references[18]['description'] | Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018. | CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022. |
| external_references[18]['url'] | https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html | https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/ |
| external_references[19]['source_name'] | F-Secure The Dukes | GRIZZLY STEPPE JAR |
| external_references[19]['description'] | F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015. | Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE – Russian Malicious Cyber Activity. Retrieved January 11, 2017. |
| external_references[19]['url'] | https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf | https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf |
| external_references[20]['source_name'] | ESET Dukes October 2019 | FireEye APT29 Nov 2018 |
| external_references[20]['description'] | Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020. | Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018. |
| external_references[20]['url'] | https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf | https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html |
| external_references[21]['source_name'] | FireEye SUNBURST Backdoor December 2020 | F-Secure The Dukes |
| external_references[21]['description'] | FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021. | F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015. |
| external_references[21]['url'] | https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html | https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf |
| external_references[22]['source_name'] | SentinelOne NobleBaron June 2021 | ESET Dukes October 2019 |
| external_references[22]['description'] | Guerrero-Saade, J. (2021, June 1). NobleBaron | New Poisoned Installers Could Be Used In Supply Chain Attacks. Retrieved August 4, 2021. | Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020. |
| external_references[22]['url'] | https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/ | https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf |
| external_references[23]['source_name'] | Microsoft Unidentified Dec 2018 | FireEye SUNBURST Backdoor December 2020 |
| external_references[23]['description'] | Microsoft Defender Research Team. (2018, December 3). Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers. Retrieved April 15, 2019. | FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021. |
| external_references[23]['url'] | https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/ | https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html |
| external_references[24]['source_name'] | MSTIC NOBELIUM May 2021 | SentinelOne NobleBaron June 2021 |
| external_references[24]['description'] | Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021. | Guerrero-Saade, J. (2021, June 1). NobleBaron | New Poisoned Installers Could Be Used In Supply Chain Attacks. Retrieved August 4, 2021. |
| external_references[24]['url'] | https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/ | https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/ |
| external_references[25]['source_name'] | MSRC Nobelium June 2021 | Microsoft Unidentified Dec 2018 |
| external_references[25]['description'] | MSRC. (2021, June 25). New Nobelium activity. Retrieved August 4, 2021. | Microsoft Defender Research Team. (2018, December 3). Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers. Retrieved April 15, 2019. |
| external_references[25]['url'] | https://msrc-blog.microsoft.com/2021/06/25/new-nobelium-activity/ | https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/ |
| external_references[26]['source_name'] | MSTIC Nobelium Toolset May 2021 | MSTIC NOBELIUM May 2021 |
| external_references[26]['description'] | MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021. | Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021. |
| external_references[26]['url'] | https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/ | https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/ |
| external_references[27]['source_name'] | MSTIC NOBELIUM Mar 2021 | MSRC Nobelium June 2021 |
| external_references[27]['description'] | Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021. | MSRC. (2021, June 25). New Nobelium activity. Retrieved August 4, 2021. |
| external_references[27]['url'] | https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/ | https://msrc-blog.microsoft.com/2021/06/25/new-nobelium-activity/ |
| external_references[28]['source_name'] | NCSC APT29 July 2020 | MSTIC Nobelium Toolset May 2021 |
| external_references[28]['description'] | National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020. | MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021. |
| external_references[28]['url'] | https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf | https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/ |
| external_references[29]['source_name'] | Cybersecurity Advisory SVR TTP May 2021 | MSTIC NOBELIUM Mar 2021 |
| external_references[29]['description'] | NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021. | Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021. |
| external_references[29]['url'] | https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf | https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/ |
| external_references[30]['source_name'] | NSA Joint Advisory SVR SolarWinds April 2021 | NCSC APT29 July 2020 |
| external_references[30]['description'] | NSA, FBI, DHS. (2021, April 15). Russian SVR Targets U.S. and Allied Networks. Retrieved April 16, 2021. | National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020. |
| external_references[30]['url'] | https://media.defense.gov/2021/Apr/15/2002621240/-1/-1/0/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF | https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf |
| external_references[31]['source_name'] | Secureworks IRON HEMLOCK Profile | Cybersecurity Advisory SVR TTP May 2021 |
| external_references[31]['description'] | Secureworks CTU. (n.d.). IRON HEMLOCK. Retrieved February 22, 2022. | NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021. |
| external_references[31]['url'] | http://www.secureworks.com/research/threat-profiles/iron-hemlock | https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf |
| external_references[32]['source_name'] | Secureworks IRON RITUAL Profile | NSA Joint Advisory SVR SolarWinds April 2021 |
| external_references[32]['description'] | Secureworks CTU. (n.d.). IRON RITUAL. Retrieved February 24, 2022. | NSA, FBI, DHS. (2021, April 15). Russian SVR Targets U.S. and Allied Networks. Retrieved April 16, 2021. |
| external_references[32]['url'] | https://www.secureworks.com/research/threat-profiles/iron-ritual | https://media.defense.gov/2021/Apr/15/2002621240/-1/-1/0/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF |
| external_references[33]['source_name'] | UK Gov Malign RIS Activity April 2021 | PWC WellMess C2 August 2020 |
| external_references[33]['description'] | UK Gov. (2021, April 15). UK and US expose global campaign of malign activity by Russian intelligence services . Retrieved April 16, 2021. | PWC. (2020, August 17). WellMess malware: analysis of its Command and Control (C2) server. Retrieved September 29, 2020. |
| external_references[33]['url'] | https://www.gov.uk/government/news/russia-uk-and-us-expose-global-campaigns-of-malign-activity-by-russian-intelligence-services | https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmess-analysis-command-control.html |
| external_references[34]['source_name'] | UK Gov UK Exposes Russia SolarWinds April 2021 | PWC WellMess July 2020 |
| external_references[34]['description'] | UK Gov. (2021, April 15). UK exposes Russian involvement in SolarWinds cyber compromise . Retrieved April 16, 2021. | PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020. |
| external_references[34]['url'] | https://www.gov.uk/government/news/russia-uk-exposes-russian-involvement-in-solarwinds-cyber-compromise | https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html |
| external_references[35]['source_name'] | UK NSCS Russia SolarWinds April 2021 | Secureworks IRON HEMLOCK Profile |
| external_references[35]['description'] | UK NCSC. (2021, April 15). UK and US call out Russia for SolarWinds compromise. Retrieved April 16, 2021. | Secureworks CTU. (n.d.). IRON HEMLOCK. Retrieved February 22, 2022. |
| external_references[35]['url'] | https://www.ncsc.gov.uk/news/uk-and-us-call-out-russia-for-solarwinds-compromise | http://www.secureworks.com/research/threat-profiles/iron-hemlock |
| external_references[36]['source_name'] | White House Imposing Costs RU Gov April 2021 | Secureworks IRON RITUAL Profile |
| external_references[36]['description'] | White House. (2021, April 15). Imposing Costs for Harmful Foreign Activities by the Russian Government. Retrieved April 16, 2021. | Secureworks CTU. (n.d.). IRON RITUAL. Retrieved February 24, 2022. |
| external_references[36]['url'] | https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government/ | https://www.secureworks.com/research/threat-profiles/iron-ritual |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 3.1 | 4.0 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| aliases | | SolarStorm |
| aliases | | Blue Kitsune |
| external_references | | {'source_name': 'UK Gov Malign RIS Activity April 2021', 'description': 'UK Gov. (2021, April 15). UK and US expose global campaign of malign activity by Russian intelligence services . Retrieved April 16, 2021.', 'url': 'https://www.gov.uk/government/news/russia-uk-and-us-expose-global-campaigns-of-malign-activity-by-russian-intelligence-services'} |
| external_references | | {'source_name': 'UK Gov UK Exposes Russia SolarWinds April 2021', 'description': 'UK Gov. (2021, April 15). UK exposes Russian involvement in SolarWinds cyber compromise . Retrieved April 16, 2021.', 'url': 'https://www.gov.uk/government/news/russia-uk-exposes-russian-involvement-in-solarwinds-cyber-compromise'} |
| external_references | | {'source_name': 'UK NSCS Russia SolarWinds April 2021', 'description': 'UK NCSC. (2021, April 15). UK and US call out Russia for SolarWinds compromise. Retrieved April 16, 2021.', 'url': 'https://www.ncsc.gov.uk/news/uk-and-us-call-out-russia-for-solarwinds-compromise'} |
| external_references | | {'source_name': 'Unit 42 SolarStorm December 2020', 'description': 'Unit 42. (2020, December 23). SolarStorm Supply Chain Attack Timeline. Retrieved March 24, 2023.', 'url': 'https://unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline/'} |
| external_references | | {'source_name': 'White House Imposing Costs RU Gov April 2021', 'description': 'White House. (2021, April 15). Imposing Costs for Harmful Foreign Activities by the Russian Government. Retrieved April 16, 2021.', 'url': 'https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government/'} |
| x_mitre_contributors | | Joe Gumke, U.S. Bank |
[G0115] GOLD SOUTHFIELD
Current version: 2.0
Version changed from: 1.1 → 2.0
|
|
|---|
| t | [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) is | t | [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) is |
| a financially motivated threat group active since at least 2 | | a financially motivated threat group active since at least 2 |
| 019 that operates the [REvil](https://attack.mitre.org/softw | | 018 that operates the [REvil](https://attack.mitre.org/softw |
| are/S0496) Ransomware-as-a Service (RaaS). [GOLD SOUTHFIELD] | | are/S0496) Ransomware-as-a Service (RaaS). [GOLD SOUTHFIELD] |
| (https://attack.mitre.org/groups/G0115) provides backend inf | | (https://attack.mitre.org/groups/G0115) provides backend inf |
| rastructure for affiliates recruited on underground forums t | | rastructure for affiliates recruited on underground forums t |
| o perpetrate high value deployments.(Citation: Secureworks R | | o perpetrate high value deployments. By early 2020, [GOLD SO |
| Evil September 2019)(Citation: Secureworks GandCrab and REvi | | UTHFIELD](https://attack.mitre.org/groups/G0115) started cap |
| l September 2019)(Citation: Secureworks GOLD SOUTHFIELD) | | italizing on the new trend of stealing data and further exto |
| | | rting the victim to pay for their data to not get publicly l |
| | | eaked.(Citation: Secureworks REvil September 2019)(Citation: |
| | | Secureworks GandCrab and REvil September 2019)(Citation: Se |
| | | cureworks GOLD SOUTHFIELD)(Citation: CrowdStrike Evolution o |
| | | f Pinchy Spider July 2021) |
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | https://www.secureworks.com/research/revil-sodinokibi-ransomware | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-04-26 12:52:34.528000+00:00 | 2023-03-28 20:49:53.223000+00:00 |
| description | [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) is a financially motivated threat group active since at least 2019 that operates the [REvil](https://attack.mitre.org/software/S0496) Ransomware-as-a Service (RaaS). [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) provides backend infrastructure for affiliates recruited on underground forums to perpetrate high value deployments.(Citation: Secureworks REvil September 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Secureworks GOLD SOUTHFIELD) | [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) is a financially motivated threat group active since at least 2018 that operates the [REvil](https://attack.mitre.org/software/S0496) Ransomware-as-a Service (RaaS). [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) provides backend infrastructure for affiliates recruited on underground forums to perpetrate high value deployments. By early 2020, [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) started capitalizing on the new trend of stealing data and further extorting the victim to pay for their data to not get publicly leaked.(Citation: Secureworks REvil September 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Secureworks GOLD SOUTHFIELD)(Citation: CrowdStrike Evolution of Pinchy Spider July 2021) |
| external_references[1]['source_name'] | Secureworks REvil September 2019 | Pinchy Spider |
| external_references[1]['description'] | Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020. | (Citation: CrowdStrike Evolution of Pinchy Spider July 2021) |
| external_references[2]['source_name'] | Secureworks GandCrab and REvil September 2019 | Secureworks REvil September 2019 |
| external_references[2]['description'] | Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020. | Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020. |
| external_references[2]['url'] | https://www.secureworks.com/blog/revil-the-gandcrab-connection | https://www.secureworks.com/research/revil-sodinokibi-ransomware |
| external_references[3]['source_name'] | Secureworks GOLD SOUTHFIELD | CrowdStrike Evolution of Pinchy Spider July 2021 |
| external_references[3]['description'] | Secureworks. (n.d.). GOLD SOUTHFIELD. Retrieved October 6, 2020. | Meyers, Adam. (2021, July 6). The Evolution of PINCHY SPIDER from GandCrab to REvil. Retrieved March 28, 2023. |
| external_references[3]['url'] | https://www.secureworks.com/research/threat-profiles/gold-southfield | https://www.crowdstrike.com/blog/the-evolution-of-revil-ransomware-and-pinchy-spider/ |
| x_mitre_version | 1.1 | 2.0 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| aliases | | Pinchy Spider |
| external_references | | {'source_name': 'Secureworks GandCrab and REvil September 2019', 'description': 'Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.', 'url': 'https://www.secureworks.com/blog/revil-the-gandcrab-connection'} |
| external_references | | {'source_name': 'Secureworks GOLD SOUTHFIELD', 'description': 'Secureworks. (n.d.). GOLD SOUTHFIELD. Retrieved October 6, 2020.', 'url': 'https://www.secureworks.com/research/threat-profiles/gold-southfield'} |
[G0034] Sandworm Team
Current version: 3.0
Version changed from: 2.2 → 3.0
Details
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | https://www.justice.gov/opa/page/file/1098481/download | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-12 20:11:40.313000+00:00 | 2023-03-08 22:12:31.238000+00:00 |
| external_references[5]['source_name'] | BlackEnergy (Group) | IRIDIUM |
| external_references[5]['description'] | (Citation: NCSC Sandworm Feb 2020)(Citation: UK NCSC Olympic Attacks October 2020) | (Citation: Microsoft Prestige ransomware October 2022) |
| external_references[6]['source_name'] | Telebots | BlackEnergy (Group) |
| external_references[6]['description'] | (Citation: NCSC Sandworm Feb 2020)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) | (Citation: NCSC Sandworm Feb 2020)(Citation: UK NCSC Olympic Attacks October 2020) |
| external_references[7]['source_name'] | IRON VIKING | Telebots |
| external_references[7]['description'] | (Citation: Secureworks IRON VIKING )(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) | (Citation: NCSC Sandworm Feb 2020)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) |
| external_references[8]['source_name'] | US District Court Indictment GRU Oct 2018 | IRON VIKING |
| external_references[8]['description'] | Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020. | (Citation: Secureworks IRON VIKING )(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) |
| external_references[9]['source_name'] | Dragos ELECTRUM | US District Court Indictment GRU Oct 2018 |
| external_references[9]['description'] | Dragos. (2017, January 1). ELECTRUM Threat Profile. Retrieved June 10, 2020. | Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020. |
| external_references[9]['url'] | https://www.dragos.com/resource/electrum/ | https://www.justice.gov/opa/page/file/1098481/download |
| external_references[10]['source_name'] | F-Secure BlackEnergy 2014 | Dragos ELECTRUM |
| external_references[10]['description'] | F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016. | Dragos. (2017, January 1). ELECTRUM Threat Profile. Retrieved June 10, 2020. |
| external_references[10]['url'] | https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf | https://www.dragos.com/resource/electrum/ |
| external_references[11]['source_name'] | iSIGHT Sandworm 2014 | F-Secure BlackEnergy 2014 |
| external_references[11]['description'] | Hultquist, J.. (2016, January 7). Sandworm Team and the Ukrainian Power Authority Attacks. Retrieved October 6, 2017. | F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016. |
| external_references[11]['url'] | https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html | https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf |
| external_references[12]['source_name'] | CrowdStrike VOODOO BEAR | iSIGHT Sandworm 2014 |
| external_references[12]['description'] | Meyers, A. (2018, January 19). Meet CrowdStrike’s Adversary of the Month for January: VOODOO BEAR. Retrieved May 22, 2018. | Hultquist, J.. (2016, January 7). Sandworm Team and the Ukrainian Power Authority Attacks. Retrieved October 6, 2017. |
| external_references[12]['url'] | https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-january-voodoo-bear/ | https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html |
| external_references[13]['source_name'] | InfoSecurity Sandworm Oct 2014 | CrowdStrike VOODOO BEAR |
| external_references[13]['description'] | Muncaster, P.. (2014, October 14). Microsoft Zero Day Traced to Russian ‘Sandworm’ Hackers. Retrieved October 6, 2017. | Meyers, A. (2018, January 19). Meet CrowdStrike’s Adversary of the Month for January: VOODOO BEAR. Retrieved May 22, 2018. |
| external_references[13]['url'] | https://www.infosecurity-magazine.com/news/microsoft-zero-day-traced-russian/ | https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-january-voodoo-bear/ |
| external_references[14]['source_name'] | NCSC Sandworm Feb 2020 | Microsoft Prestige ransomware October 2022 |
| external_references[14]['description'] | NCSC. (2020, February 20). NCSC supports US advisory regarding GRU intrusion set Sandworm. Retrieved June 10, 2020. | MSTIC. (2022, October 14). New “Prestige” ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023. |
| external_references[14]['url'] | https://www.ncsc.gov.uk/news/ncsc-supports-sandworm-advisory | https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/ |
| external_references[15]['source_name'] | USDOJ Sandworm Feb 2020 | InfoSecurity Sandworm Oct 2014 |
| external_references[15]['description'] | Pompeo, M. (2020, February 20). The United States Condemns Russian Cyber Attack Against the Country of Georgia. Retrieved June 18, 2020. | Muncaster, P.. (2014, October 14). Microsoft Zero Day Traced to Russian ‘Sandworm’ Hackers. Retrieved October 6, 2017. |
| external_references[15]['url'] | https://2017-2021.state.gov/the-united-states-condemns-russian-cyber-attack-against-the-country-of-georgia//index.html | https://www.infosecurity-magazine.com/news/microsoft-zero-day-traced-russian/ |
| external_references[16]['source_name'] | US District Court Indictment GRU Unit 74455 October 2020 | NCSC Sandworm Feb 2020 |
| external_references[16]['description'] | Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020. | NCSC. (2020, February 20). NCSC supports US advisory regarding GRU intrusion set Sandworm. Retrieved June 10, 2020. |
| external_references[16]['url'] | https://www.justice.gov/opa/press-release/file/1328521/download | https://www.ncsc.gov.uk/news/ncsc-supports-sandworm-advisory |
| external_references[17]['source_name'] | Secureworks IRON VIKING | USDOJ Sandworm Feb 2020 |
| external_references[17]['description'] | Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020. | Pompeo, M. (2020, February 20). The United States Condemns Russian Cyber Attack Against the Country of Georgia. Retrieved June 18, 2020. |
| external_references[17]['url'] | https://www.secureworks.com/research/threat-profiles/iron-viking | https://2017-2021.state.gov/the-united-states-condemns-russian-cyber-attack-against-the-country-of-georgia//index.html |
| external_references[18]['source_name'] | UK NCSC Olympic Attacks October 2020 | US District Court Indictment GRU Unit 74455 October 2020 |
| external_references[18]['description'] | UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games . Retrieved November 30, 2020. | Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020. |
| external_references[18]['url'] | https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games | https://www.justice.gov/opa/press-release/file/1328521/download |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 2.2 | 3.0 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| aliases | | IRIDIUM |
| external_references | | {'source_name': 'Secureworks IRON VIKING ', 'description': 'Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020.', 'url': 'https://www.secureworks.com/research/threat-profiles/iron-viking'} |
| external_references | | {'source_name': 'UK NCSC Olympic Attacks October 2020', 'description': 'UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games . Retrieved November 30, 2020.', 'url': 'https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games'} |
Minor Version Changes
[G0073] APT19
Current version: 1.5
Version changed from: 1.4 → 1.5
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-05-26 12:38:01.003000+00:00 | 2023-03-21 20:44:02.443000+00:00 |
| external_references[1]['source_name'] | APT19 | Sunshop Group |
| external_references[1]['description'] | (Citation: FireEye APT19) | (Citation: Dark Reading Codoso Feb 2015) |
| external_references[2]['source_name'] | Codoso | Codoso Team |
| external_references[2]['description'] | (Citation: Unit 42 C0d0so0 Jan 2016) | (Citation: FireEye APT Groups) |
| external_references[3]['source_name'] | C0d0so0 | APT19 |
| external_references[3]['description'] | (Citation: Unit 42 C0d0so0 Jan 2016) | (Citation: FireEye APT19) |
| external_references[4]['source_name'] | Codoso Team | Codoso |
| external_references[4]['description'] | (Citation: FireEye APT Groups) | (Citation: Unit 42 C0d0so0 Jan 2016) |
| external_references[5]['source_name'] | Sunshop Group | C0d0so0 |
| external_references[5]['description'] | (Citation: Dark Reading Codoso Feb 2015) | (Citation: Unit 42 C0d0so0 Jan 2016) |
| external_references[7]['source_name'] | ICIT China's Espionage Jul 2016 | Dark Reading Codoso Feb 2015 |
| external_references[7]['description'] | Scott, J. and Spaniel, D. (2016, July 28). ICIT Brief - China’s Espionage Dynasty: Economic Death by a Thousand Cuts. Retrieved June 7, 2018. | Chickowski, E. (2015, February 10). Chinese Hacking Group Codoso Team Uses Forbes.com As Watering Hole. Retrieved September 13, 2018. |
| external_references[7]['url'] | https://web.archive.org/web/20171017072306/https://icitech.org/icit-brief-chinas-espionage-dynasty-economic-death-by-a-thousand-cuts/ | https://www.darkreading.com/attacks-breaches/chinese-hacking-group-codoso-team-uses-forbescom-as-watering-hole-/d/d-id/1319059 |
| external_references[10]['source_name'] | Dark Reading Codoso Feb 2015 | ICIT China's Espionage Jul 2016 |
| external_references[10]['description'] | Chickowski, E. (2015, February 10). Chinese Hacking Group Codoso Team Uses Forbes.com As Watering Hole. Retrieved September 13, 2018. | Scott, J. and Spaniel, D. (2016, July 28). ICIT Brief - China’s Espionage Dynasty: Economic Death by a Thousand Cuts. Retrieved June 7, 2018. |
| external_references[10]['url'] | https://www.darkreading.com/attacks-breaches/chinese-hacking-group-codoso-team-uses-forbescom-as-watering-hole-/d/d-id/1319059 | https://web.archive.org/web/20171017072306/https://icitech.org/icit-brief-chinas-espionage-dynasty-economic-death-by-a-thousand-cuts/ |
| x_mitre_version | 1.4 | 1.5 |
[G0050] APT32
Current version: 2.6
Version changed from: 2.5 → 2.6
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-10-14 16:39:50.790000+00:00 | 2023-03-21 21:04:18.158000+00:00 |
| external_references[1]['source_name'] | APT32 | SeaLotus |
| external_references[1]['description'] | (Citation: FireEye APT32 May 2017)(Citation: Volexity OceanLotus Nov 2017)(Citation: Cybereason Oceanlotus May 2017)(Citation: ESET OceanLotus Mar 2019)(Citation: Amnesty Intl. Ocean Lotus February 2021) | (Citation: Cybereason Oceanlotus May 2017) |
| external_references[2]['source_name'] | SeaLotus | APT-C-00 |
| external_references[2]['description'] | (Citation: Cybereason Oceanlotus May 2017) | (Citation: ESET OceanLotus)(Citation: Cybereason Oceanlotus May 2017)(Citation: ESET OceanLotus Mar 2019)(Citation: Amnesty Intl. Ocean Lotus February 2021) |
| external_references[3]['source_name'] | OceanLotus | APT32 |
| external_references[4]['source_name'] | APT-C-00 | OceanLotus |
| external_references[4]['description'] | (Citation: ESET OceanLotus)(Citation: Cybereason Oceanlotus May 2017)(Citation: ESET OceanLotus Mar 2019)(Citation: Amnesty Intl. Ocean Lotus February 2021) | (Citation: FireEye APT32 May 2017)(Citation: Volexity OceanLotus Nov 2017)(Citation: Cybereason Oceanlotus May 2017)(Citation: ESET OceanLotus Mar 2019)(Citation: Amnesty Intl. Ocean Lotus February 2021) |
| external_references[5]['source_name'] | FireEye APT32 May 2017 | Amnesty Intl. Ocean Lotus February 2021 |
| external_references[5]['description'] | Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017. | Amnesty International. (2021, February 24). Vietnamese activists targeted by notorious hacking group. Retrieved March 1, 2021. |
| external_references[5]['url'] | https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html | https://www.amnestyusa.org/wp-content/uploads/2021/02/Click-and-Bait_Vietnamese-Human-Rights-Defenders-Targeted-with-Spyware-Attacks.pdf |
| external_references[6]['source_name'] | Volexity OceanLotus Nov 2017 | FireEye APT32 May 2017 |
| external_references[6]['description'] | Lassalle, D., et al. (2017, November 6). OceanLotus Blossoms: Mass Digital Surveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society. Retrieved November 6, 2017. | Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017. |
| external_references[6]['url'] | https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/ | https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html |
| external_references[7]['source_name'] | ESET OceanLotus | Cybereason Oceanlotus May 2017 |
| external_references[7]['description'] | Foltýn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018. | Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018. |
| external_references[7]['url'] | https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/ | https://www.cybereason.com/blog/operation-cobalt-kitty-apt |
| external_references[8]['source_name'] | Cybereason Oceanlotus May 2017 | ESET OceanLotus Mar 2019 |
| external_references[8]['description'] | Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018. | Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019. |
| external_references[8]['url'] | https://www.cybereason.com/blog/operation-cobalt-kitty-apt | https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/ |
| external_references[9]['source_name'] | ESET OceanLotus Mar 2019 | ESET OceanLotus |
| external_references[9]['description'] | Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019. | Foltýn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018. |
| external_references[9]['url'] | https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/ | https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/ |
| external_references[10]['source_name'] | Amnesty Intl. Ocean Lotus February 2021 | Volexity OceanLotus Nov 2017 |
| external_references[10]['description'] | Amnesty International. (2021, February 24). Vietnamese activists targeted by notorious hacking group. Retrieved March 1, 2021. | Lassalle, D., et al. (2017, November 6). OceanLotus Blossoms: Mass Digital Surveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society. Retrieved November 6, 2017. |
| external_references[10]['url'] | https://www.amnestyusa.org/wp-content/uploads/2021/02/Click-and-Bait_Vietnamese-Human-Rights-Defenders-Targeted-with-Spyware-Attacks.pdf | https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/ |
| x_mitre_version | 2.5 | 2.6 |
[G0096] APT41
Current version: 3.1
Version changed from: 3.0 → 3.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-06-02 20:09:29.475000+00:00 | 2023-03-23 15:45:58.846000+00:00 |
| external_references[4]['url'] | https://content.fireeye.com/apt-41/rpt-apt41 | https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf |
| external_references[5]['url'] | https://content.fireeye.com/apt-41/rpt-apt41 | https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf |
| external_references[6]['url'] | https://blog.group-ib.com/colunmtk_apt41 | https://www.group-ib.com/blog/colunmtk-apt41/ |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 3.0 | 3.1 |
[G0143] Aquatic Panda
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| aliases | | ['Aquatic Panda'] |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-06-29 20:28:29.913000+00:00 | 2023-03-21 21:16:34.243000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[G0114] Chimera
Current version: 2.2
Version changed from: 2.1 → 2.2
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-03-25 19:35:55.074000+00:00 | 2023-03-22 03:25:24.295000+00:00 |
| external_references[2]['url'] | https://cycraft.com/download/%5BTLP-White%5D20200415%20Chimera_V4.1.pdf | https://cycraft.com/download/CyCraft-Whitepaper-Chimera_V4.1.pdf |
| x_mitre_version | 2.1 | 2.2 |
[G0080] Cobalt Group
Current version: 2.1
Version changed from: 2.0 → 2.1
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-10-18 22:02:12.586000+00:00 | 2023-03-22 03:28:29.415000+00:00 |
| external_references[1]['source_name'] | Cobalt Group | Cobalt Spider |
| external_references[1]['description'] | (Citation: Talos Cobalt Group July 2018) (Citation: PTSecurity Cobalt Group Aug 2017) (Citation: PTSecurity Cobalt Dec 2016) (Citation: Proofpoint Cobalt June 2017) (Citation: RiskIQ Cobalt Nov 2017) (Citation: RiskIQ Cobalt Jan 2018) | (Citation: Crowdstrike Global Threat Report Feb 2018) |
| external_references[4]['source_name'] | Cobalt Spider | Cobalt Group |
| external_references[4]['description'] | (Citation: Crowdstrike Global Threat Report Feb 2018) | (Citation: Talos Cobalt Group July 2018) (Citation: PTSecurity Cobalt Group Aug 2017) (Citation: PTSecurity Cobalt Dec 2016) (Citation: Proofpoint Cobalt June 2017) (Citation: RiskIQ Cobalt Nov 2017) (Citation: RiskIQ Cobalt Jan 2018) |
| external_references[5]['source_name'] | Talos Cobalt Group July 2018 | Crowdstrike Global Threat Report Feb 2018 |
| external_references[5]['description'] | Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018. | CrowdStrike. (2018, February 26). CrowdStrike 2018 Global Threat Report. Retrieved October 10, 2018. |
| external_references[5]['url'] | https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html | https://crowdstrike.lookbookhq.com/global-threat-report-2018-web/cs-2018-global-threat-report |
| external_references[6]['source_name'] | PTSecurity Cobalt Group Aug 2017 | Secureworks GOLD KINGSWOOD September 2018 |
| external_references[6]['description'] | Positive Technologies. (2017, August 16). Cobalt Strikes Back: An Evolving Multinational Threat to Finance. Retrieved September 5, 2018. | CTU. (2018, September 27). Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish. Retrieved September 20, 2021. |
| external_references[6]['url'] | https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-2017-eng.pdf | https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish |
| external_references[7]['source_name'] | PTSecurity Cobalt Dec 2016 | Europol Cobalt Mar 2018 |
| external_references[7]['description'] | Positive Technologies. (2016, December 16). Cobalt Snatch. Retrieved October 9, 2018. | Europol. (2018, March 26). Mastermind Behind EUR 1 Billion Cyber Bank Robbery Arrested in Spain. Retrieved October 10, 2018. |
| external_references[7]['url'] | https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-Snatch-eng.pdf | https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain |
| external_references[8]['source_name'] | Group IB Cobalt Aug 2017 | Morphisec Cobalt Gang Oct 2018 |
| external_references[8]['description'] | Matveeva, V. (2017, August 15). Secrets of Cobalt. Retrieved October 10, 2018. | Gorelik, M. (2018, October 08). Cobalt Group 2.0. Retrieved November 5, 2018. |
| external_references[8]['url'] | https://www.group-ib.com/blog/cobalt | https://blog.morphisec.com/cobalt-gang-2.0 |
| external_references[9]['source_name'] | Proofpoint Cobalt June 2017 | RiskIQ Cobalt Nov 2017 |
| external_references[9]['description'] | Mesa, M, et al. (2017, June 1). Microsoft Word Intruder Integrates CVE-2017-0199, Utilized by Cobalt Group to Target Financial Institutions. Retrieved October 10, 2018. | Klijnsma, Y.. (2017, November 28). Gaffe Reveals Full List of Targets in Spear Phishing Attack Using Cobalt Strike Against Financial Institutions. Retrieved October 10, 2018. |
| external_references[9]['url'] | https://www.proofpoint.com/us/threat-insight/post/microsoft-word-intruder-integrates-cve-2017-0199-utilized-cobalt-group-target | https://web.archive.org/web/20190508170630/https://www.riskiq.com/blog/labs/cobalt-strike/ |
| external_references[10]['source_name'] | RiskIQ Cobalt Nov 2017 | RiskIQ Cobalt Jan 2018 |
| external_references[10]['description'] | Klijnsma, Y.. (2017, November 28). Gaffe Reveals Full List of Targets in Spear Phishing Attack Using Cobalt Strike Against Financial Institutions. Retrieved October 10, 2018. | Klijnsma, Y.. (2018, January 16). First Activities of Cobalt Group in 2018: Spear Phishing Russian Banks. Retrieved October 10, 2018. |
| external_references[10]['url'] | https://www.riskiq.com/blog/labs/cobalt-strike/ | https://web.archive.org/web/20190508170147/https://www.riskiq.com/blog/labs/cobalt-group-spear-phishing-russian-banks/ |
| external_references[11]['source_name'] | RiskIQ Cobalt Jan 2018 | Group IB Cobalt Aug 2017 |
| external_references[11]['description'] | Klijnsma, Y.. (2018, January 16). First Activities of Cobalt Group in 2018: Spear Phishing Russian Banks. Retrieved October 10, 2018. | Matveeva, V. (2017, August 15). Secrets of Cobalt. Retrieved October 10, 2018. |
| external_references[11]['url'] | https://www.riskiq.com/blog/labs/cobalt-group-spear-phishing-russian-banks/ | https://www.group-ib.com/blog/cobalt |
| external_references[12]['source_name'] | Europol Cobalt Mar 2018 | Proofpoint Cobalt June 2017 |
| external_references[12]['description'] | Europol. (2018, March 26). Mastermind Behind EUR 1 Billion Cyber Bank Robbery Arrested in Spain. Retrieved October 10, 2018. | Mesa, M, et al. (2017, June 1). Microsoft Word Intruder Integrates CVE-2017-0199, Utilized by Cobalt Group to Target Financial Institutions. Retrieved October 10, 2018. |
| external_references[12]['url'] | https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain | https://www.proofpoint.com/us/threat-insight/post/microsoft-word-intruder-integrates-cve-2017-0199-utilized-cobalt-group-target |
| external_references[13]['source_name'] | Secureworks GOLD KINGSWOOD September 2018 | PTSecurity Cobalt Dec 2016 |
| external_references[13]['description'] | CTU. (2018, September 27). Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish. Retrieved September 20, 2021. | Positive Technologies. (2016, December 16). Cobalt Snatch. Retrieved October 9, 2018. |
| external_references[13]['url'] | https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish | https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-Snatch-eng.pdf |
| external_references[14]['source_name'] | Crowdstrike Global Threat Report Feb 2018 | PTSecurity Cobalt Group Aug 2017 |
| external_references[14]['description'] | CrowdStrike. (2018, February 26). CrowdStrike 2018 Global Threat Report. Retrieved October 10, 2018. | Positive Technologies. (2017, August 16). Cobalt Strikes Back: An Evolving Multinational Threat to Finance. Retrieved September 5, 2018. |
| external_references[14]['url'] | https://crowdstrike.lookbookhq.com/global-threat-report-2018-web/cs-2018-global-threat-report | https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-2017-eng.pdf |
| external_references[15]['source_name'] | Morphisec Cobalt Gang Oct 2018 | Talos Cobalt Group July 2018 |
| external_references[15]['description'] | Gorelik, M. (2018, October 08). Cobalt Group 2.0. Retrieved November 5, 2018. | Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018. |
| external_references[15]['url'] | https://blog.morphisec.com/cobalt-gang-2.0 | https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html |
| x_mitre_version | 2.0 | 2.1 |
[G1003] Ember Bear
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-14 15:03:19.292000+00:00 | 2023-03-22 03:40:53.311000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[G0037] FIN6
Current version: 3.3
Version changed from: 3.2 → 3.3
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-06-02 20:11:01.957000+00:00 | 2023-03-22 03:50:17.471000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 3.2 | 3.3 |
[G0046] FIN7
Current version: 2.2
Version changed from: 2.1 → 2.2
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-07-20 20:06:44.706000+00:00 | 2023-03-22 03:51:04.185000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 2.1 | 2.2 |
[G0061] FIN8
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-10-12 21:31:07.407000+00:00 | 2023-03-22 03:52:13.089000+00:00 |
| external_references[2]['url'] | https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html | https://web.archive.org/web/20170923102302/https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html |
| x_mitre_version | 1.2 | 1.3 |
[G0117] Fox Kitten
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-06-02 20:12:00.458000+00:00 | 2023-03-22 03:53:37.888000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[G0047] Gamaredon Group
Current version: 2.1
Version changed from: 2.0 → 2.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-15 13:46:34.474000+00:00 | 2023-03-22 04:29:39.915000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 2.0 | 2.1 |
[G0125] HAFNIUM
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-07-06 20:05:26.079000+00:00 | 2023-04-10 21:54:46.756000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.2 | 1.3 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_contributors | | Vinayak Wadhwa, SAFE Security |
[G1001] HEXANE
Current version: 2.1
Version changed from: 2.0 → 2.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-08-31 22:16:30.454000+00:00 | 2023-03-22 04:43:59.082000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_domains[0] | ics-attack | enterprise-attack |
| x_mitre_domains[1] | enterprise-attack | ics-attack |
| x_mitre_version | 2.0 | 2.1 |
[G1004] LAPSUS$
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-12 12:21:38.612000+00:00 | 2023-04-11 00:01:29.232000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[G0032] Lazarus Group
Current version: 3.2
Version changed from: 3.1 → 3.2
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-08-23 15:30:44.196000+00:00 | 2023-03-30 19:01:41.451000+00:00 |
| external_references[6]['url'] | https://adversary.crowdstrike.com/en-US/adversary/labyrinth-chollima/ | https://web.archive.org/web/20210723190317/https://adversary.crowdstrike.com/en-US/adversary/labyrinth-chollima/ |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 3.1 | 3.2 |
[G0140] LazyScripter
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-15 19:09:59.211000+00:00 | 2023-03-22 04:49:29.731000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[G0077] Leafminer
Current version: 2.4
Version changed from: 2.3 → 2.4
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-10-12 23:23:16.109000+00:00 | 2023-03-22 04:50:51.782000+00:00 |
| external_references[1]['source_name'] | Leafminer | Raspite |
| external_references[1]['description'] | (Citation: Symantec Leafminer July 2018) | (Citation: Dragos Raspite Aug 2018) |
| external_references[2]['source_name'] | Raspite | Leafminer |
| external_references[2]['description'] | (Citation: Dragos Raspite Aug 2018) | (Citation: Symantec Leafminer July 2018) |
| external_references[3]['source_name'] | Symantec Leafminer July 2018 | Dragos Raspite Aug 2018 |
| external_references[3]['description'] | Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018. | Dragos, Inc. (2018, August 2). RASPITE. Retrieved November 26, 2018. |
| external_references[3]['url'] | https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east | https://www.dragos.com/blog/20180802Raspite.html |
| external_references[4]['source_name'] | Dragos Raspite Aug 2018 | Symantec Leafminer July 2018 |
| external_references[4]['description'] | Dragos, Inc. (2018, August 2). RASPITE. Retrieved November 26, 2018. | Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018. |
| external_references[4]['url'] | https://www.dragos.com/blog/20180802Raspite.html | https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east |
| x_mitre_version | 2.3 | 2.4 |
[G0059] Magic Hound
Current version: 5.1
Version changed from: 5.0 → 5.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-06-03 13:20:02.945000+00:00 | 2023-01-13 21:18:18.077000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 5.0 | 5.1 |
[G0069] MuddyWater
Current version: 4.1
Version changed from: 4.0 → 4.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-17 12:43:55.847000+00:00 | 2023-03-22 04:59:16.032000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 4.0 | 4.1 |
[G0129] Mustang Panda
Current version: 2.1
Version changed from: 2.0 → 2.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-11 16:43:52.231000+00:00 | 2023-03-22 22:01:13.781000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 2.0 | 2.1 |
[G0049] OilRig
Current version: 3.1
Version changed from: 3.0 → 3.1
|
|
|---|
| t | [OilRig](https://attack.mitre.org/groups/G0049) is a suspect | t | [OilRig](https://attack.mitre.org/groups/G0049) is a suspect |
| ed Iranian threat group that has targeted Middle Eastern and | | ed Iranian threat group that has targeted Middle Eastern and |
| international victims since at least 2014. The group has ta | | international victims since at least 2014. The group has ta |
| rgeted a variety of sectors, including financial, government | | rgeted a variety of sectors, including financial, government |
| , energy, chemical, and telecommunications. It appears the g | | , energy, chemical, and telecommunications. It appears the g |
| roup carries out supply chain attacks, leveraging the trust | | roup carries out supply chain attacks, leveraging the trust |
| relationship between organizations to attack their primary t | | relationship between organizations to attack their primary t |
| argets. FireEye assesses that the group works on behalf of t | | argets. FireEye assesses that the group works on behalf of t |
| he Iranian government based on infrastructure details that c | | he Iranian government based on infrastructure details that c |
| ontain references to Iran, use of Iranian infrastructure, an | | ontain references to Iran, use of Iranian infrastructure, an |
| d targeting that aligns with nation-state interests.(Citatio | | d targeting that aligns with nation-state interests.(Citatio |
| n: Palo Alto OilRig April 2017)(Citation: ClearSky OilRig Ja | | n: Palo Alto OilRig April 2017)(Citation: ClearSky OilRig Ja |
| n 2017)(Citation: Palo Alto OilRig May 2016)(Citation: Palo | | n 2017)(Citation: Palo Alto OilRig May 2016)(Citation: Palo |
| Alto OilRig Oct 2016)(Citation: Unit 42 Playbook Dec 2017)(C | | Alto OilRig Oct 2016)(Citation: Unit42 OilRig Playbook 2023) |
| itation: FireEye APT34 Dec 2017)(Citation: Unit 42 QUADAGENT | | (Citation: FireEye APT34 Dec 2017)(Citation: Unit 42 QUADAGE |
| July 2018) | | NT July 2018) |
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| external_references | | https://www.secureworks.com/research/threat-profiles/cobalt-gypsy |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/ | |
| external_references | https://pan-unit42.github.io/playbook_viewer/ | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-06-02 20:18:52.733000+00:00 | 2023-02-06 20:58:52.317000+00:00 |
| description | [OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.(Citation: Palo Alto OilRig April 2017)(Citation: ClearSky OilRig Jan 2017)(Citation: Palo Alto OilRig May 2016)(Citation: Palo Alto OilRig Oct 2016)(Citation: Unit 42 Playbook Dec 2017)(Citation: FireEye APT34 Dec 2017)(Citation: Unit 42 QUADAGENT July 2018) | [OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.(Citation: Palo Alto OilRig April 2017)(Citation: ClearSky OilRig Jan 2017)(Citation: Palo Alto OilRig May 2016)(Citation: Palo Alto OilRig Oct 2016)(Citation: Unit42 OilRig Playbook 2023)(Citation: FireEye APT34 Dec 2017)(Citation: Unit 42 QUADAGENT July 2018) |
| external_references[5]['source_name'] | Check Point APT34 April 2021 | Evasive Serpens |
| external_references[5]['description'] | Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021. | (Citation: Unit42 OilRig Playbook 2023) |
| external_references[6]['source_name'] | ClearSky OilRig Jan 2017 | Check Point APT34 April 2021 |
| external_references[6]['description'] | ClearSky Cybersecurity. (2017, January 5). Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford. Retrieved May 3, 2017. | Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021. |
| external_references[6]['url'] | http://www.clearskysec.com/oilrig/ | https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/ |
| external_references[7]['source_name'] | Palo Alto OilRig May 2016 | ClearSky OilRig Jan 2017 |
| external_references[7]['description'] | Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017. | ClearSky Cybersecurity. (2017, January 5). Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford. Retrieved May 3, 2017. |
| external_references[7]['url'] | http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/ | http://www.clearskysec.com/oilrig/ |
| external_references[8]['source_name'] | Palo Alto OilRig April 2017 | Palo Alto OilRig May 2016 |
| external_references[8]['description'] | Falcone, R.. (2017, April 27). OilRig Actors Provide a Glimpse into Development and Testing Efforts. Retrieved May 3, 2017. | Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017. |
| external_references[8]['url'] | http://researchcenter.paloaltonetworks.com/2017/04/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/ | http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/ |
| external_references[9]['source_name'] | Palo Alto OilRig Oct 2016 | Palo Alto OilRig April 2017 |
| external_references[9]['description'] | Grunzweig, J. and Falcone, R.. (2016, October 4). OilRig Malware Campaign Updates Toolset and Expands Targets. Retrieved May 3, 2017. | Falcone, R.. (2017, April 27). OilRig Actors Provide a Glimpse into Development and Testing Efforts. Retrieved May 3, 2017. |
| external_references[9]['url'] | http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/ | http://researchcenter.paloaltonetworks.com/2017/04/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/ |
| external_references[10]['source_name'] | Unit 42 QUADAGENT July 2018 | Palo Alto OilRig Oct 2016 |
| external_references[10]['description'] | Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018. | Grunzweig, J. and Falcone, R.. (2016, October 4). OilRig Malware Campaign Updates Toolset and Expands Targets. Retrieved May 3, 2017. |
| external_references[10]['url'] | https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/ | http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/ |
| external_references[11]['source_name'] | Crowdstrike Helix Kitten Nov 2018 | Unit 42 QUADAGENT July 2018 |
| external_references[11]['description'] | Meyers, A. (2018, November 27). Meet CrowdStrike’s Adversary of the Month for November: HELIX KITTEN. Retrieved December 18, 2018. | Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018. |
| external_references[11]['url'] | https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten/ | https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/ |
| external_references[12]['source_name'] | FireEye APT34 Dec 2017 | Crowdstrike Helix Kitten Nov 2018 |
| external_references[12]['description'] | Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017. | Meyers, A. (2018, November 27). Meet CrowdStrike’s Adversary of the Month for November: HELIX KITTEN. Retrieved December 18, 2018. |
| external_references[12]['url'] | https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html | https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten/ |
| external_references[13]['source_name'] | Secureworks COBALT GYPSY Threat Profile | FireEye APT34 Dec 2017 |
| external_references[13]['description'] | Secureworks. (n.d.). COBALT GYPSY Threat Profile. Retrieved April 14, 2021. | Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017. |
| external_references[13]['url'] | https://www.secureworks.com/research/threat-profiles/cobalt-gypsy | https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html |
| external_references[14]['source_name'] | APT34 | Secureworks COBALT GYPSY Threat Profile |
| external_references[14]['description'] | This group was previously tracked under two distinct groups, APT34 and OilRig, but was combined due to additional reporting giving higher confidence about the overlap of the activity. (Citation: Unit 42 QUADAGENT July 2018) (Citation: FireEye APT34 Dec 2017)(Citation: Check Point APT34 April 2021) | Secureworks. (n.d.). COBALT GYPSY Threat Profile. Retrieved April 14, 2021. |
| external_references[15]['source_name'] | Unit 42 Playbook Dec 2017 | APT34 |
| external_references[15]['description'] | Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017. | This group was previously tracked under two distinct groups, APT34 and OilRig, but was combined due to additional reporting giving higher confidence about the overlap of the activity.(Citation: Unit 42 QUADAGENT July 2018)(Citation: FireEye APT34 Dec 2017)(Citation: Check Point APT34 April 2021) |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 3.0 | 3.1 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| aliases | | Evasive Serpens |
| external_references | | {'source_name': 'Unit 42 Playbook Dec 2017', 'description': 'Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.', 'url': 'https://pan-unit42.github.io/playbook_viewer/'} |
| external_references | | {'source_name': 'Unit42 OilRig Playbook 2023', 'description': 'Unit42. (2016, May 1). Evasive Serpens Unit 42 Playbook Viewer. Retrieved February 6, 2023.', 'url': 'https://pan-unit42.github.io/playbook_viewer/?pb=evasive-serpens'} |
[G0040] Patchwork
Current version: 1.5
Version changed from: 1.4 → 1.5
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-09-02 18:04:32.246000+00:00 | 2023-03-22 05:08:20.780000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.4 | 1.5 |
[G0121] Sidewinder
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-04-21 12:32:46.791000+00:00 | 2023-03-22 05:31:54.382000+00:00 |
| external_references[3]['source_name'] | ATT Sidewinder January 2021 | Cyble Sidewinder September 2020 |
| external_references[3]['description'] | Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021. | Cyble. (2020, September 26). SideWinder APT Targets with futuristic Tactics and Techniques. Retrieved January 29, 2021. |
| external_references[3]['url'] | https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf | https://cybleinc.com/2020/09/26/sidewinder-apt-targets-with-futuristic-tactics-and-techniques/ |
| external_references[5]['source_name'] | Cyble Sidewinder September 2020 | ATT Sidewinder January 2021 |
| external_references[5]['description'] | Cyble. (2020, September 26). SideWinder APT Targets with futuristic Tactics and Techniques. Retrieved January 29, 2021. | Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021. |
| external_references[5]['url'] | https://cybleinc.com/2020/09/26/sidewinder-apt-targets-with-futuristic-tactics-and-techniques/ | https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf |
| x_mitre_version | 1.0 | 1.1 |
[G0091] Silence
Current version: 2.2
Version changed from: 2.1 → 2.2
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-06-02 20:13:56.605000+00:00 | 2023-03-22 05:34:46.346000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 2.1 | 2.2 |
[G0092] TA505
Current version: 2.1
Version changed from: 2.0 → 2.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-13 16:17:20.601000+00:00 | 2023-03-22 05:38:20.381000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 2.0 | 2.1 |
[G0127] TA551
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-09-30 12:58:59.065000+00:00 | 2023-03-22 05:40:21.255000+00:00 |
| external_references[3]['source_name'] | Secureworks GOLD CABIN | Unit 42 Valak July 2020 |
| external_references[3]['description'] | Secureworks. (n.d.). GOLD CABIN Threat Profile. Retrieved March 17, 2021. | Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020. |
| external_references[3]['url'] | https://www.secureworks.com/research/threat-profiles/gold-cabin | https://unit42.paloaltonetworks.com/valak-evolution/ |
| external_references[5]['source_name'] | Unit 42 Valak July 2020 | Secureworks GOLD CABIN |
| external_references[5]['description'] | Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020. | Secureworks. (n.d.). GOLD CABIN Threat Profile. Retrieved March 17, 2021. |
| external_references[5]['url'] | https://unit42.paloaltonetworks.com/valak-evolution/ | https://www.secureworks.com/research/threat-profiles/gold-cabin |
| x_mitre_version | 1.1 | 1.2 |
[G0027] Threat Group-3390
Current version: 2.1
Version changed from: 2.0 → 2.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-11 18:05:20.983000+00:00 | 2023-03-29 16:53:17.235000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 2.0 | 2.1 |
[G0010] Turla
Current version: 3.1
Version changed from: 3.0 → 3.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-09-28 21:27:07.133000+00:00 | 2023-03-22 05:41:28.428000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 3.0 | 3.1 |
[G0102] Wizard Spider
Current version: 2.1
Version changed from: 2.0 → 2.1
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-10-14 17:27:41.194000+00:00 | 2023-03-22 05:44:27.289000+00:00 |
| external_references[1]['source_name'] | UNC1878 | Grim Spider |
| external_references[1]['description'] | (Citation: FireEye KEGTAP SINGLEMALT October 2020) | (Citation: CrowdStrike Ryuk January 2019)(Citation: CrowdStrike Grim Spider May 2019) |
| external_references[2]['source_name'] | TEMP.MixMaster | UNC1878 |
| external_references[2]['description'] | (Citation: FireEye Ryuk and Trickbot January 2019) | (Citation: FireEye KEGTAP SINGLEMALT October 2020) |
| external_references[3]['source_name'] | Grim Spider | TEMP.MixMaster |
| external_references[3]['description'] | (Citation: CrowdStrike Ryuk January 2019)(Citation: CrowdStrike Grim Spider May 2019) | (Citation: FireEye Ryuk and Trickbot January 2019) |
| external_references[4]['source_name'] | CrowdStrike Ryuk January 2019 | DHS/CISA Ransomware Targeting Healthcare October 2020 |
| external_references[4]['description'] | Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020. | DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020. |
| external_references[4]['url'] | https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/ | https://us-cert.cisa.gov/ncas/alerts/aa20-302a |
| external_references[5]['source_name'] | DHS/CISA Ransomware Targeting Healthcare October 2020 | FireEye Ryuk and Trickbot January 2019 |
| external_references[5]['description'] | DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020. | Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020. |
| external_references[5]['url'] | https://us-cert.cisa.gov/ncas/alerts/aa20-302a | https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html |
| external_references[6]['source_name'] | CrowdStrike Wizard Spider October 2020 | CrowdStrike Ryuk January 2019 |
| external_references[6]['description'] | Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021. | Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020. |
| external_references[6]['url'] | https://www.crowdstrike.com/blog/wizard-spider-adversary-update/ | https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/ |
| external_references[7]['source_name'] | FireEye KEGTAP SINGLEMALT October 2020 | CrowdStrike Grim Spider May 2019 |
| external_references[7]['description'] | Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020. | John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020. |
| external_references[7]['url'] | https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html | https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/ |
| external_references[8]['source_name'] | FireEye Ryuk and Trickbot January 2019 | FireEye KEGTAP SINGLEMALT October 2020 |
| external_references[8]['description'] | Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020. | Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020. |
| external_references[8]['url'] | https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html | https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html |
| external_references[9]['source_name'] | CrowdStrike Grim Spider May 2019 | CrowdStrike Wizard Spider October 2020 |
| external_references[9]['description'] | John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020. | Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021. |
| external_references[9]['url'] | https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/ | https://www.crowdstrike.com/blog/wizard-spider-adversary-update/ |
| x_mitre_version | 2.0 | 2.1 |
[G0128] ZIRCONIUM
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-04-20 21:00:44.930000+00:00 | 2023-03-22 22:10:43.732000+00:00 |
| x_mitre_version | 1.0 | 1.1 |
Patches
[G0007] APT28
Current version: 4.0
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
| external_references | | https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50 |
| external_references | | https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/ |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/ | |
| external_references | https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/ | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-03-16 18:08:13.958000+00:00 | 2023-03-26 17:51:20.401000+00:00 |
| external_references[1]['source_name'] | APT28 | SNAKEMACKEREL |
| external_references[1]['description'] | (Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: Crowdstrike DNC June 2016) (Citation: Kaspersky Sofacy) (Citation: ESET Sednit Part 3) (Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)(Citation: Symantec APT28 Oct 2018)(Citation: Securelist Sofacy Feb 2018)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) | (Citation: Accenture SNAKEMACKEREL Nov 2018) |
| external_references[2]['source_name'] | IRON TWILIGHT | Fancy Bear |
| external_references[2]['description'] | (Citation: Secureworks IRON TWILIGHT Profile)(Citation: Secureworks IRON TWILIGHT Active Measures March 2017) | (Citation: Crowdstrike DNC June 2016)(Citation: Kaspersky Sofacy)(Citation: ESET Sednit Part 3)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)(Citation: Symantec APT28 Oct 2018)(Citation: Securelist Sofacy Feb 2018)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) |
| external_references[3]['source_name'] | SNAKEMACKEREL | Tsar Team |
| external_references[3]['description'] | (Citation: Accenture SNAKEMACKEREL Nov 2018) | (Citation: ESET Sednit Part 3)(Citation: Talos Seduploader Oct 2017)(Citation: Talos Seduploader Oct 2017) |
| external_references[4]['source_name'] | Swallowtail | APT28 |
| external_references[4]['description'] | (Citation: Symantec APT28 Oct 2018) | (Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: Crowdstrike DNC June 2016) (Citation: Kaspersky Sofacy) (Citation: ESET Sednit Part 3) (Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)(Citation: Symantec APT28 Oct 2018)(Citation: Securelist Sofacy Feb 2018)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) |
| external_references[5]['source_name'] | Group 74 | STRONTIUM |
| external_references[5]['description'] | (Citation: Talos Seduploader Oct 2017) | (Citation: Kaspersky Sofacy)(Citation: ESET Sednit Part 3)(Citation: Microsoft STRONTIUM Aug 2019)(Citation: Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020)(Citation: TrendMicro Pawn Storm Dec 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) |
| external_references[6]['source_name'] | Sednit | IRON TWILIGHT |
| external_references[6]['description'] | This designation has been used in reporting both to refer to the threat group and its associated malware [JHUHUGIT](https://attack.mitre.org/software/S0044).(Citation: FireEye APT28 January 2017)(Citation: SecureWorks TG-4127)(Citation: Kaspersky Sofacy)(Citation: Ars Technica GRU indictment Jul 2018) | (Citation: Secureworks IRON TWILIGHT Profile)(Citation: Secureworks IRON TWILIGHT Active Measures March 2017) |
| external_references[7]['source_name'] | Sofacy | Threat Group-4127 |
| external_references[7]['description'] | This designation has been used in reporting both to refer to the threat group and its associated malware.(Citation: FireEye APT28)(Citation: SecureWorks TG-4127)(Citation: Crowdstrike DNC June 2016)(Citation: ESET Sednit Part 3)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017) | (Citation: SecureWorks TG-4127) |
| external_references[8]['source_name'] | Pawn Storm | TG-4127 |
| external_references[8]['description'] | (Citation: SecureWorks TG-4127)(Citation: ESET Sednit Part 3)(Citation: TrendMicro Pawn Storm Dec 2020) | (Citation: SecureWorks TG-4127) |
| external_references[9]['source_name'] | Fancy Bear | Pawn Storm |
| external_references[9]['description'] | (Citation: Crowdstrike DNC June 2016)(Citation: Kaspersky Sofacy)(Citation: ESET Sednit Part 3)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)(Citation: Symantec APT28 Oct 2018)(Citation: Securelist Sofacy Feb 2018)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) | (Citation: SecureWorks TG-4127)(Citation: ESET Sednit Part 3)(Citation: TrendMicro Pawn Storm Dec 2020) |
| external_references[10]['source_name'] | STRONTIUM | Swallowtail |
| external_references[10]['description'] | (Citation: Kaspersky Sofacy)(Citation: ESET Sednit Part 3)(Citation: Microsoft STRONTIUM Aug 2019)(Citation: Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020)(Citation: TrendMicro Pawn Storm Dec 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) | (Citation: Symantec APT28 Oct 2018) |
| external_references[11]['source_name'] | Tsar Team | Group 74 |
| external_references[11]['description'] | (Citation: ESET Sednit Part 3)(Citation: Talos Seduploader Oct 2017)(Citation: Talos Seduploader Oct 2017) | (Citation: Talos Seduploader Oct 2017) |
| external_references[12]['source_name'] | Threat Group-4127 | Accenture SNAKEMACKEREL Nov 2018 |
| external_references[12]['description'] | (Citation: SecureWorks TG-4127) | Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019. |
| external_references[13]['source_name'] | TG-4127 | Crowdstrike DNC June 2016 |
| external_references[13]['description'] | (Citation: SecureWorks TG-4127) | Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016. |
| external_references[14]['source_name'] | NSA/FBI Drovorub August 2020 | US District Court Indictment GRU Oct 2018 |
| external_references[14]['description'] | NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020. | Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020. |
| external_references[14]['url'] | https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF | https://www.justice.gov/opa/page/file/1098481/download |
| external_references[15]['source_name'] | Cybersecurity Advisory GRU Brute Force Campaign July 2021 | GRIZZLY STEPPE JAR |
| external_references[15]['description'] | NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021. | Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE – Russian Malicious Cyber Activity. Retrieved January 11, 2017. |
| external_references[15]['url'] | https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF | https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf |
| external_references[16]['source_name'] | DOJ GRU Indictment Jul 2018 | ESET Zebrocy May 2019 |
| external_references[16]['description'] | Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018. | ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019. |
| external_references[16]['url'] | https://www.justice.gov/file/1080281/download | https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/ |
| external_references[17]['source_name'] | Ars Technica GRU indictment Jul 2018 | ESET Sednit Part 3 |
| external_references[17]['description'] | Gallagher, S. (2018, July 27). How they did it (and will likely try again): GRU hackers vs. US elections. Retrieved September 13, 2018. | ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016. |
| external_references[17]['url'] | https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/ | http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf |
| external_references[18]['source_name'] | Crowdstrike DNC June 2016 | Sofacy DealersChoice |
| external_references[18]['description'] | Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016. | Falcone, R. (2018, March 15). Sofacy Uses DealersChoice to Target European Government Agency. Retrieved June 4, 2018. |
| external_references[18]['url'] | https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/ | https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/ |
| external_references[19]['source_name'] | FireEye APT28 | FireEye APT28 January 2017 |
| external_references[19]['description'] | FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015. | FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017. |
| external_references[19]['url'] | https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf | https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf |
| external_references[20]['source_name'] | SecureWorks TG-4127 | FireEye APT28 |
| external_references[20]['description'] | SecureWorks Counter Threat Unit Threat Intelligence. (2016, June 16). Threat Group-4127 Targets Hillary Clinton Presidential Campaign. Retrieved August 3, 2016. | FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015. |
| external_references[20]['url'] | https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign | https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf |
| external_references[21]['source_name'] | FireEye APT28 January 2017 | Ars Technica GRU indictment Jul 2018 |
| external_references[21]['description'] | FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017. | Gallagher, S. (2018, July 27). How they did it (and will likely try again): GRU hackers vs. US elections. Retrieved September 13, 2018. |
| external_references[21]['url'] | https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf | https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/ |
| external_references[22]['source_name'] | GRIZZLY STEPPE JAR | TrendMicro Pawn Storm Dec 2020 |
| external_references[22]['description'] | Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE – Russian Malicious Cyber Activity. Retrieved January 11, 2017. | Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm’s Lack of Sophistication as a Strategy. Retrieved January 13, 2021. |
| external_references[22]['url'] | https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf | https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html |
| external_references[23]['source_name'] | Sofacy DealersChoice | Securelist Sofacy Feb 2018 |
| external_references[23]['description'] | Falcone, R. (2018, March 15). Sofacy Uses DealersChoice to Target European Government Agency. Retrieved June 4, 2018. | Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018. |
| external_references[23]['url'] | https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/ | https://securelist.com/a-slice-of-2017-sofacy-activity/83930/ |
| external_references[24]['source_name'] | Palo Alto Sofacy 06-2018 | Kaspersky Sofacy |
| external_references[24]['description'] | Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018. | Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015. |
| external_references[24]['url'] | https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/ | https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/ |
| external_references[25]['source_name'] | Symantec APT28 Oct 2018 | Palo Alto Sofacy 06-2018 |
| external_references[25]['description'] | Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018. | Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018. |
| external_references[25]['url'] | https://www.symantec.com/blogs/election-security/apt28-espionage-military-government | https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/ |
| external_references[26]['source_name'] | ESET Zebrocy May 2019 | Talos Seduploader Oct 2017 |
| external_references[26]['description'] | ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019. | Mercer, W., et al. (2017, October 22). "Cyber Conflict" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018. |
| external_references[26]['url'] | https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/ | https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html |
| external_references[27]['source_name'] | US District Court Indictment GRU Oct 2018 | Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020 |
| external_references[27]['description'] | Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020. | Microsoft Threat Intelligence Center (MSTIC). (2020, September 10). STRONTIUM: Detecting new patterns in credential harvesting. Retrieved September 11, 2020. |
| external_references[27]['url'] | https://www.justice.gov/opa/page/file/1098481/download | https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/ |
| external_references[28]['source_name'] | Kaspersky Sofacy | Microsoft STRONTIUM Aug 2019 |
| external_references[28]['description'] | Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015. | MSRC Team. (2019, August 5). Corporate IoT – a path to intrusion. Retrieved August 16, 2019. |
| external_references[28]['url'] | https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/ | https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/ |
| external_references[29]['source_name'] | ESET Sednit Part 3 | DOJ GRU Indictment Jul 2018 |
| external_references[29]['description'] | ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016. | Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018. |
| external_references[29]['url'] | http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf | https://www.justice.gov/file/1080281/download |
| external_references[30]['source_name'] | Talos Seduploader Oct 2017 | Cybersecurity Advisory GRU Brute Force Campaign July 2021 |
| external_references[30]['description'] | Mercer, W., et al. (2017, October 22). "Cyber Conflict" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018. | NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021. |
| external_references[30]['url'] | https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html | https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF |
| external_references[31]['source_name'] | Securelist Sofacy Feb 2018 | NSA/FBI Drovorub August 2020 |
| external_references[31]['description'] | Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018. | NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020. |
| external_references[31]['url'] | https://securelist.com/a-slice-of-2017-sofacy-activity/83930/ | https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF |
| external_references[32]['source_name'] | Secureworks IRON TWILIGHT Profile | SecureWorks TG-4127 |
| external_references[32]['description'] | Secureworks CTU. (n.d.). IRON TWILIGHT. Retrieved February 28, 2022. | SecureWorks Counter Threat Unit Threat Intelligence. (2016, June 16). Threat Group-4127 Targets Hillary Clinton Presidential Campaign. Retrieved August 3, 2016. |
| external_references[32]['url'] | https://www.secureworks.com/research/threat-profiles/iron-twilight | https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign |
| external_references[34]['source_name'] | Accenture SNAKEMACKEREL Nov 2018 | Secureworks IRON TWILIGHT Profile |
| external_references[34]['description'] | Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019. | Secureworks CTU. (n.d.). IRON TWILIGHT. Retrieved February 28, 2022. |
| external_references[34]['url'] | https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50 | https://www.secureworks.com/research/threat-profiles/iron-twilight |
| external_references[35]['source_name'] | TrendMicro Pawn Storm Dec 2020 | Symantec APT28 Oct 2018 |
| external_references[35]['description'] | Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm’s Lack of Sophistication as a Strategy. Retrieved January 13, 2021. | Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018. |
| external_references[35]['url'] | https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html | https://www.symantec.com/blogs/election-security/apt28-espionage-military-government |
| external_references[36]['source_name'] | Microsoft STRONTIUM Aug 2019 | Sednit |
| external_references[36]['description'] | MSRC Team. (2019, August 5). Corporate IoT – a path to intrusion. Retrieved August 16, 2019. | This designation has been used in reporting both to refer to the threat group and its associated malware [JHUHUGIT](https://attack.mitre.org/software/S0044).(Citation: FireEye APT28 January 2017)(Citation: SecureWorks TG-4127)(Citation: Kaspersky Sofacy)(Citation: Ars Technica GRU indictment Jul 2018) |
| external_references[37]['source_name'] | Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020 | Sofacy |
| external_references[37]['description'] | Microsoft Threat Intelligence Center (MSTIC). (2020, September 10). STRONTIUM: Detecting new patterns in credential harvesting. Retrieved September 11, 2020. | This designation has been used in reporting both to refer to the threat group and its associated malware.(Citation: FireEye APT28)(Citation: SecureWorks TG-4127)(Citation: Crowdstrike DNC June 2016)(Citation: ESET Sednit Part 3)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017) |
[G0064] APT33
Current version: 1.4
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-05-23 21:22:08.170000+00:00 | 2023-03-08 22:07:25.123000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
[G0138] Andariel
Current version: 1.0
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-05-24 16:27:11.471000+00:00 | 2022-11-30 22:51:40.270000+00:00 |
| external_references[3]['url'] | http://download.ahnlab.com/global/brochure/[Analysis]Andariel_Group.pdf | http://download.ahnlab.com/global/brochure/%5BAnalysis%5DAndariel_Group.pdf |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
[G0001] Axiom
Current version: 2.0
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-15 15:52:00.359000+00:00 | 2023-03-20 22:03:44.661000+00:00 |
| external_references[5]['url'] | http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf | https://web.archive.org/web/20150412223949/http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf |
| external_references[6]['url'] | http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf | https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
[G0035] Dragonfly
Current version: 3.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-19 22:09:02.443000+00:00 | 2023-03-08 22:03:28.170000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
[G0085] FIN4
Current version: 1.2
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-08-11 20:45:59.687000+00:00 | 2023-02-01 21:27:44.778000+00:00 |
| external_references[2]['source_name'] | FireEye Hacking FIN4 Dec 2014 | FireEye FIN4 Stealing Insider NOV 2014 |
| external_references[2]['description'] | Vengerik, B. et al.. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved December 17, 2018. | Dennesen, K. et al.. (2014, November 30). FIN4: Stealing Insider Information for an Advantage in Stock Trading?. Retrieved December 17, 2018. |
| external_references[2]['url'] | https://www.fireeye.com/current-threats/threat-intelligence-reports/rpt-fin4.html | https://www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.html |
| external_references[3]['source_name'] | FireEye FIN4 Stealing Insider NOV 2014 | FireEye Hacking FIN4 Video Dec 2014 |
| external_references[3]['description'] | Dennesen, K. et al.. (2014, November 30). FIN4: Stealing Insider Information for an Advantage in Stock Trading?. Retrieved December 17, 2018. | Vengerik, B. & Dennesen, K.. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved January 15, 2019. |
| external_references[3]['url'] | https://www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.html | https://www2.fireeye.com/WBNR-14Q4NAMFIN4.html |
| external_references[4]['source_name'] | FireEye Hacking FIN4 Video Dec 2014 | FireEye Hacking FIN4 Dec 2014 |
| external_references[4]['description'] | Vengerik, B. & Dennesen, K.. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved January 15, 2019. | Vengerik, B. et al.. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved December 17, 2018. |
| external_references[4]['url'] | https://www2.fireeye.com/WBNR-14Q4NAMFIN4.html | https://www.mandiant.com/sites/default/files/2021-09/rpt-fin4.pdf |
[G0094] Kimsuky
Current version: 3.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-05-24 16:28:34.698000+00:00 | 2022-11-30 22:53:00.875000+00:00 |
| external_references[6]['url'] | https://global.ahnlab.com/global/upload/download/techreport/[Analysis_Report]Operation%20Kabar%20Cobra.pdf | https://global.ahnlab.com/global/upload/download/techreport/%5BAnalysis_Report%5DOperation%20Kabar%20Cobra.pdf |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
[G0088] TEMP.Veles
Current version: 1.3
Details
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | https://pylos.co/2019/04/12/a-xenotime-to-remember-veles-in-the-wild/ | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-05-24 16:22:20.856000+00:00 | 2022-11-30 22:46:40.135000+00:00 |
| external_references[3]['url'] | https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html | https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html |
| external_references[4]['source_name'] | FireEye TEMP.Veles 2018 | FireEye TRITON 2019 |
| external_references[4]['description'] | FireEye Intelligence . (2018, October 23). TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers. Retrieved April 16, 2019. | Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019. |
| external_references[4]['url'] | https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html | https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html |
| external_references[5]['source_name'] | FireEye TRITON 2019 | FireEye TEMP.Veles JSON April 2019 |
| external_references[5]['description'] | Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019. | Miller, S., et al. (2019, April 10). TRITON Appendix C. Retrieved April 29, 2019. |
| external_references[5]['url'] | https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html | https://www.fireeye.com/content/dam/fireeye-www/blog/files/TRITON_Appendix_C.html |
| external_references[6]['source_name'] | FireEye TEMP.Veles JSON April 2019 | Pylos Xenotime 2019 |
| external_references[6]['description'] | Miller, S., et al. (2019, April 10). TRITON Appendix C. Retrieved April 29, 2019. | Slowik, J.. (2019, April 12). A XENOTIME to Remember: Veles in the Wild. Retrieved April 16, 2019. |
| external_references[6]['url'] | https://www.fireeye.com/content/dam/fireeye-www/blog/files/TRITON_Appendix_C.html | https://pylos.co/2019/04/12/a-xenotime-to-remember-veles-in-the-wild/ |
| external_references[7]['source_name'] | Pylos Xenotime 2019 | XENOTIME |
| external_references[7]['description'] | Slowik, J.. (2019, April 12). A XENOTIME to Remember: Veles in the Wild. Retrieved April 16, 2019. | The activity group XENOTIME, as defined by Dragos, has overlaps with activity reported upon by FireEye about TEMP.Veles as well as the actors behind [TRITON](https://attack.mitre.org/software/S0609).(Citation: Dragos Xenotime 2018)(Citation: Pylos Xenotime 2019)(Citation: FireEye TRITON 2019)(Citation: FireEye TEMP.Veles 2018) |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'XENOTIME', 'description': 'The activity group XENOTIME, as defined by Dragos, has overlaps with activity reported upon by FireEye about TEMP.Veles as well as the actors behind [TRITON](https://attack.mitre.org/software/S0609) .(Citation: Dragos Xenotime 2018)(Citation: Pylos Xenotime 2019)(Citation: FireEye TRITON 2019)(Citation: FireEye TEMP.Veles 2018 )'} | |
[G0044] Winnti Group
Current version: 1.2
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-15 16:27:20.897000+00:00 | 2023-03-20 22:02:53.982000+00:00 |
| external_references[6]['url'] | http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf | https://web.archive.org/web/20150412223949/http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
[G0045] menuPass
Current version: 2.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-07-20 20:07:40.169000+00:00 | 2023-03-23 15:06:31.019000+00:00 |
| external_references[9]['url'] | https://www.accenture.com/t20180423T055005Z_w_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf | http://web.archive.org/web/20220810112638/https:/www.accenture.com/t20180423T055005Z_w_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
mobile-attack
Major Version Changes
[G0034] Sandworm Team
Current version: 3.0
Version changed from: 2.2 → 3.0
Details
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | https://www.justice.gov/opa/page/file/1098481/download | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-12 20:11:40.313000+00:00 | 2023-03-08 22:12:31.238000+00:00 |
| external_references[5]['source_name'] | BlackEnergy (Group) | IRIDIUM |
| external_references[5]['description'] | (Citation: NCSC Sandworm Feb 2020)(Citation: UK NCSC Olympic Attacks October 2020) | (Citation: Microsoft Prestige ransomware October 2022) |
| external_references[6]['source_name'] | Telebots | BlackEnergy (Group) |
| external_references[6]['description'] | (Citation: NCSC Sandworm Feb 2020)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) | (Citation: NCSC Sandworm Feb 2020)(Citation: UK NCSC Olympic Attacks October 2020) |
| external_references[7]['source_name'] | IRON VIKING | Telebots |
| external_references[7]['description'] | (Citation: Secureworks IRON VIKING )(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) | (Citation: NCSC Sandworm Feb 2020)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) |
| external_references[8]['source_name'] | US District Court Indictment GRU Oct 2018 | IRON VIKING |
| external_references[8]['description'] | Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020. | (Citation: Secureworks IRON VIKING )(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) |
| external_references[9]['source_name'] | Dragos ELECTRUM | US District Court Indictment GRU Oct 2018 |
| external_references[9]['description'] | Dragos. (2017, January 1). ELECTRUM Threat Profile. Retrieved June 10, 2020. | Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020. |
| external_references[9]['url'] | https://www.dragos.com/resource/electrum/ | https://www.justice.gov/opa/page/file/1098481/download |
| external_references[10]['source_name'] | F-Secure BlackEnergy 2014 | Dragos ELECTRUM |
| external_references[10]['description'] | F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016. | Dragos. (2017, January 1). ELECTRUM Threat Profile. Retrieved June 10, 2020. |
| external_references[10]['url'] | https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf | https://www.dragos.com/resource/electrum/ |
| external_references[11]['source_name'] | iSIGHT Sandworm 2014 | F-Secure BlackEnergy 2014 |
| external_references[11]['description'] | Hultquist, J.. (2016, January 7). Sandworm Team and the Ukrainian Power Authority Attacks. Retrieved October 6, 2017. | F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016. |
| external_references[11]['url'] | https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html | https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf |
| external_references[12]['source_name'] | CrowdStrike VOODOO BEAR | iSIGHT Sandworm 2014 |
| external_references[12]['description'] | Meyers, A. (2018, January 19). Meet CrowdStrike’s Adversary of the Month for January: VOODOO BEAR. Retrieved May 22, 2018. | Hultquist, J.. (2016, January 7). Sandworm Team and the Ukrainian Power Authority Attacks. Retrieved October 6, 2017. |
| external_references[12]['url'] | https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-january-voodoo-bear/ | https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html |
| external_references[13]['source_name'] | InfoSecurity Sandworm Oct 2014 | CrowdStrike VOODOO BEAR |
| external_references[13]['description'] | Muncaster, P.. (2014, October 14). Microsoft Zero Day Traced to Russian ‘Sandworm’ Hackers. Retrieved October 6, 2017. | Meyers, A. (2018, January 19). Meet CrowdStrike’s Adversary of the Month for January: VOODOO BEAR. Retrieved May 22, 2018. |
| external_references[13]['url'] | https://www.infosecurity-magazine.com/news/microsoft-zero-day-traced-russian/ | https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-january-voodoo-bear/ |
| external_references[14]['source_name'] | NCSC Sandworm Feb 2020 | Microsoft Prestige ransomware October 2022 |
| external_references[14]['description'] | NCSC. (2020, February 20). NCSC supports US advisory regarding GRU intrusion set Sandworm. Retrieved June 10, 2020. | MSTIC. (2022, October 14). New “Prestige” ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023. |
| external_references[14]['url'] | https://www.ncsc.gov.uk/news/ncsc-supports-sandworm-advisory | https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/ |
| external_references[15]['source_name'] | USDOJ Sandworm Feb 2020 | InfoSecurity Sandworm Oct 2014 |
| external_references[15]['description'] | Pompeo, M. (2020, February 20). The United States Condemns Russian Cyber Attack Against the Country of Georgia. Retrieved June 18, 2020. | Muncaster, P.. (2014, October 14). Microsoft Zero Day Traced to Russian ‘Sandworm’ Hackers. Retrieved October 6, 2017. |
| external_references[15]['url'] | https://2017-2021.state.gov/the-united-states-condemns-russian-cyber-attack-against-the-country-of-georgia//index.html | https://www.infosecurity-magazine.com/news/microsoft-zero-day-traced-russian/ |
| external_references[16]['source_name'] | US District Court Indictment GRU Unit 74455 October 2020 | NCSC Sandworm Feb 2020 |
| external_references[16]['description'] | Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020. | NCSC. (2020, February 20). NCSC supports US advisory regarding GRU intrusion set Sandworm. Retrieved June 10, 2020. |
| external_references[16]['url'] | https://www.justice.gov/opa/press-release/file/1328521/download | https://www.ncsc.gov.uk/news/ncsc-supports-sandworm-advisory |
| external_references[17]['source_name'] | Secureworks IRON VIKING | USDOJ Sandworm Feb 2020 |
| external_references[17]['description'] | Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020. | Pompeo, M. (2020, February 20). The United States Condemns Russian Cyber Attack Against the Country of Georgia. Retrieved June 18, 2020. |
| external_references[17]['url'] | https://www.secureworks.com/research/threat-profiles/iron-viking | https://2017-2021.state.gov/the-united-states-condemns-russian-cyber-attack-against-the-country-of-georgia//index.html |
| external_references[18]['source_name'] | UK NCSC Olympic Attacks October 2020 | US District Court Indictment GRU Unit 74455 October 2020 |
| external_references[18]['description'] | UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games . Retrieved November 30, 2020. | Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020. |
| external_references[18]['url'] | https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games | https://www.justice.gov/opa/press-release/file/1328521/download |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 2.2 | 3.0 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| aliases | | IRIDIUM |
| external_references | | {'source_name': 'Secureworks IRON VIKING ', 'description': 'Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020.', 'url': 'https://www.secureworks.com/research/threat-profiles/iron-viking'} |
| external_references | | {'source_name': 'UK NCSC Olympic Attacks October 2020', 'description': 'UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games . Retrieved November 30, 2020.', 'url': 'https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games'} |
Patches
[G0007] APT28
Current version: 4.0
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
| external_references | | https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50 |
| external_references | | https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/ |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/ | |
| external_references | https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/ | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-03-16 18:08:13.958000+00:00 | 2023-03-26 17:51:20.401000+00:00 |
| external_references[1]['source_name'] | APT28 | SNAKEMACKEREL |
| external_references[1]['description'] | (Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: Crowdstrike DNC June 2016) (Citation: Kaspersky Sofacy) (Citation: ESET Sednit Part 3) (Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)(Citation: Symantec APT28 Oct 2018)(Citation: Securelist Sofacy Feb 2018)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) | (Citation: Accenture SNAKEMACKEREL Nov 2018) |
| external_references[2]['source_name'] | IRON TWILIGHT | Fancy Bear |
| external_references[2]['description'] | (Citation: Secureworks IRON TWILIGHT Profile)(Citation: Secureworks IRON TWILIGHT Active Measures March 2017) | (Citation: Crowdstrike DNC June 2016)(Citation: Kaspersky Sofacy)(Citation: ESET Sednit Part 3)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)(Citation: Symantec APT28 Oct 2018)(Citation: Securelist Sofacy Feb 2018)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) |
| external_references[3]['source_name'] | SNAKEMACKEREL | Tsar Team |
| external_references[3]['description'] | (Citation: Accenture SNAKEMACKEREL Nov 2018) | (Citation: ESET Sednit Part 3)(Citation: Talos Seduploader Oct 2017)(Citation: Talos Seduploader Oct 2017) |
| external_references[4]['source_name'] | Swallowtail | APT28 |
| external_references[4]['description'] | (Citation: Symantec APT28 Oct 2018) | (Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: Crowdstrike DNC June 2016) (Citation: Kaspersky Sofacy) (Citation: ESET Sednit Part 3) (Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)(Citation: Symantec APT28 Oct 2018)(Citation: Securelist Sofacy Feb 2018)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) |
| external_references[5]['source_name'] | Group 74 | STRONTIUM |
| external_references[5]['description'] | (Citation: Talos Seduploader Oct 2017) | (Citation: Kaspersky Sofacy)(Citation: ESET Sednit Part 3)(Citation: Microsoft STRONTIUM Aug 2019)(Citation: Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020)(Citation: TrendMicro Pawn Storm Dec 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) |
| external_references[6]['source_name'] | Sednit | IRON TWILIGHT |
| external_references[6]['description'] | This designation has been used in reporting both to refer to the threat group and its associated malware [JHUHUGIT](https://attack.mitre.org/software/S0044).(Citation: FireEye APT28 January 2017)(Citation: SecureWorks TG-4127)(Citation: Kaspersky Sofacy)(Citation: Ars Technica GRU indictment Jul 2018) | (Citation: Secureworks IRON TWILIGHT Profile)(Citation: Secureworks IRON TWILIGHT Active Measures March 2017) |
| external_references[7]['source_name'] | Sofacy | Threat Group-4127 |
| external_references[7]['description'] | This designation has been used in reporting both to refer to the threat group and its associated malware.(Citation: FireEye APT28)(Citation: SecureWorks TG-4127)(Citation: Crowdstrike DNC June 2016)(Citation: ESET Sednit Part 3)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017) | (Citation: SecureWorks TG-4127) |
| external_references[8]['source_name'] | Pawn Storm | TG-4127 |
| external_references[8]['description'] | (Citation: SecureWorks TG-4127)(Citation: ESET Sednit Part 3)(Citation: TrendMicro Pawn Storm Dec 2020) | (Citation: SecureWorks TG-4127) |
| external_references[9]['source_name'] | Fancy Bear | Pawn Storm |
| external_references[9]['description'] | (Citation: Crowdstrike DNC June 2016)(Citation: Kaspersky Sofacy)(Citation: ESET Sednit Part 3)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)(Citation: Symantec APT28 Oct 2018)(Citation: Securelist Sofacy Feb 2018)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) | (Citation: SecureWorks TG-4127)(Citation: ESET Sednit Part 3)(Citation: TrendMicro Pawn Storm Dec 2020) |
| external_references[10]['source_name'] | STRONTIUM | Swallowtail |
| external_references[10]['description'] | (Citation: Kaspersky Sofacy)(Citation: ESET Sednit Part 3)(Citation: Microsoft STRONTIUM Aug 2019)(Citation: Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020)(Citation: TrendMicro Pawn Storm Dec 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) | (Citation: Symantec APT28 Oct 2018) |
| external_references[11]['source_name'] | Tsar Team | Group 74 |
| external_references[11]['description'] | (Citation: ESET Sednit Part 3)(Citation: Talos Seduploader Oct 2017)(Citation: Talos Seduploader Oct 2017) | (Citation: Talos Seduploader Oct 2017) |
| external_references[12]['source_name'] | Threat Group-4127 | Accenture SNAKEMACKEREL Nov 2018 |
| external_references[12]['description'] | (Citation: SecureWorks TG-4127) | Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019. |
| external_references[13]['source_name'] | TG-4127 | Crowdstrike DNC June 2016 |
| external_references[13]['description'] | (Citation: SecureWorks TG-4127) | Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016. |
| external_references[14]['source_name'] | NSA/FBI Drovorub August 2020 | US District Court Indictment GRU Oct 2018 |
| external_references[14]['description'] | NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020. | Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020. |
| external_references[14]['url'] | https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF | https://www.justice.gov/opa/page/file/1098481/download |
| external_references[15]['source_name'] | Cybersecurity Advisory GRU Brute Force Campaign July 2021 | GRIZZLY STEPPE JAR |
| external_references[15]['description'] | NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021. | Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE – Russian Malicious Cyber Activity. Retrieved January 11, 2017. |
| external_references[15]['url'] | https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF | https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf |
| external_references[16]['source_name'] | DOJ GRU Indictment Jul 2018 | ESET Zebrocy May 2019 |
| external_references[16]['description'] | Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018. | ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019. |
| external_references[16]['url'] | https://www.justice.gov/file/1080281/download | https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/ |
| external_references[17]['source_name'] | Ars Technica GRU indictment Jul 2018 | ESET Sednit Part 3 |
| external_references[17]['description'] | Gallagher, S. (2018, July 27). How they did it (and will likely try again): GRU hackers vs. US elections. Retrieved September 13, 2018. | ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016. |
| external_references[17]['url'] | https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/ | http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf |
| external_references[18]['source_name'] | Crowdstrike DNC June 2016 | Sofacy DealersChoice |
| external_references[18]['description'] | Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016. | Falcone, R. (2018, March 15). Sofacy Uses DealersChoice to Target European Government Agency. Retrieved June 4, 2018. |
| external_references[18]['url'] | https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/ | https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/ |
| external_references[19]['source_name'] | FireEye APT28 | FireEye APT28 January 2017 |
| external_references[19]['description'] | FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015. | FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017. |
| external_references[19]['url'] | https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf | https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf |
| external_references[20]['source_name'] | SecureWorks TG-4127 | FireEye APT28 |
| external_references[20]['description'] | SecureWorks Counter Threat Unit Threat Intelligence. (2016, June 16). Threat Group-4127 Targets Hillary Clinton Presidential Campaign. Retrieved August 3, 2016. | FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015. |
| external_references[20]['url'] | https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign | https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf |
| external_references[21]['source_name'] | FireEye APT28 January 2017 | Ars Technica GRU indictment Jul 2018 |
| external_references[21]['description'] | FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017. | Gallagher, S. (2018, July 27). How they did it (and will likely try again): GRU hackers vs. US elections. Retrieved September 13, 2018. |
| external_references[21]['url'] | https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf | https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/ |
| external_references[22]['source_name'] | GRIZZLY STEPPE JAR | TrendMicro Pawn Storm Dec 2020 |
| external_references[22]['description'] | Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE – Russian Malicious Cyber Activity. Retrieved January 11, 2017. | Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm’s Lack of Sophistication as a Strategy. Retrieved January 13, 2021. |
| external_references[22]['url'] | https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf | https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html |
| external_references[23]['source_name'] | Sofacy DealersChoice | Securelist Sofacy Feb 2018 |
| external_references[23]['description'] | Falcone, R. (2018, March 15). Sofacy Uses DealersChoice to Target European Government Agency. Retrieved June 4, 2018. | Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018. |
| external_references[23]['url'] | https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/ | https://securelist.com/a-slice-of-2017-sofacy-activity/83930/ |
| external_references[24]['source_name'] | Palo Alto Sofacy 06-2018 | Kaspersky Sofacy |
| external_references[24]['description'] | Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018. | Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015. |
| external_references[24]['url'] | https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/ | https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/ |
| external_references[25]['source_name'] | Symantec APT28 Oct 2018 | Palo Alto Sofacy 06-2018 |
| external_references[25]['description'] | Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018. | Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018. |
| external_references[25]['url'] | https://www.symantec.com/blogs/election-security/apt28-espionage-military-government | https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/ |
| external_references[26]['source_name'] | ESET Zebrocy May 2019 | Talos Seduploader Oct 2017 |
| external_references[26]['description'] | ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019. | Mercer, W., et al. (2017, October 22). "Cyber Conflict" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018. |
| external_references[26]['url'] | https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/ | https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html |
| external_references[27]['source_name'] | US District Court Indictment GRU Oct 2018 | Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020 |
| external_references[27]['description'] | Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020. | Microsoft Threat Intelligence Center (MSTIC). (2020, September 10). STRONTIUM: Detecting new patterns in credential harvesting. Retrieved September 11, 2020. |
| external_references[27]['url'] | https://www.justice.gov/opa/page/file/1098481/download | https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/ |
| external_references[28]['source_name'] | Kaspersky Sofacy | Microsoft STRONTIUM Aug 2019 |
| external_references[28]['description'] | Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015. | MSRC Team. (2019, August 5). Corporate IoT – a path to intrusion. Retrieved August 16, 2019. |
| external_references[28]['url'] | https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/ | https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/ |
| external_references[29]['source_name'] | ESET Sednit Part 3 | DOJ GRU Indictment Jul 2018 |
| external_references[29]['description'] | ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016. | Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018. |
| external_references[29]['url'] | http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf | https://www.justice.gov/file/1080281/download |
| external_references[30]['source_name'] | Talos Seduploader Oct 2017 | Cybersecurity Advisory GRU Brute Force Campaign July 2021 |
| external_references[30]['description'] | Mercer, W., et al. (2017, October 22). "Cyber Conflict" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018. | NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021. |
| external_references[30]['url'] | https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html | https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF |
| external_references[31]['source_name'] | Securelist Sofacy Feb 2018 | NSA/FBI Drovorub August 2020 |
| external_references[31]['description'] | Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018. | NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020. |
| external_references[31]['url'] | https://securelist.com/a-slice-of-2017-sofacy-activity/83930/ | https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF |
| external_references[32]['source_name'] | Secureworks IRON TWILIGHT Profile | SecureWorks TG-4127 |
| external_references[32]['description'] | Secureworks CTU. (n.d.). IRON TWILIGHT. Retrieved February 28, 2022. | SecureWorks Counter Threat Unit Threat Intelligence. (2016, June 16). Threat Group-4127 Targets Hillary Clinton Presidential Campaign. Retrieved August 3, 2016. |
| external_references[32]['url'] | https://www.secureworks.com/research/threat-profiles/iron-twilight | https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign |
| external_references[34]['source_name'] | Accenture SNAKEMACKEREL Nov 2018 | Secureworks IRON TWILIGHT Profile |
| external_references[34]['description'] | Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019. | Secureworks CTU. (n.d.). IRON TWILIGHT. Retrieved February 28, 2022. |
| external_references[34]['url'] | https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50 | https://www.secureworks.com/research/threat-profiles/iron-twilight |
| external_references[35]['source_name'] | TrendMicro Pawn Storm Dec 2020 | Symantec APT28 Oct 2018 |
| external_references[35]['description'] | Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm’s Lack of Sophistication as a Strategy. Retrieved January 13, 2021. | Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018. |
| external_references[35]['url'] | https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html | https://www.symantec.com/blogs/election-security/apt28-espionage-military-government |
| external_references[36]['source_name'] | Microsoft STRONTIUM Aug 2019 | Sednit |
| external_references[36]['description'] | MSRC Team. (2019, August 5). Corporate IoT – a path to intrusion. Retrieved August 16, 2019. | This designation has been used in reporting both to refer to the threat group and its associated malware [JHUHUGIT](https://attack.mitre.org/software/S0044).(Citation: FireEye APT28 January 2017)(Citation: SecureWorks TG-4127)(Citation: Kaspersky Sofacy)(Citation: Ars Technica GRU indictment Jul 2018) |
| external_references[37]['source_name'] | Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020 | Sofacy |
| external_references[37]['description'] | Microsoft Threat Intelligence Center (MSTIC). (2020, September 10). STRONTIUM: Detecting new patterns in credential harvesting. Retrieved September 11, 2020. | This designation has been used in reporting both to refer to the threat group and its associated malware.(Citation: FireEye APT28)(Citation: SecureWorks TG-4127)(Citation: Crowdstrike DNC June 2016)(Citation: ESET Sednit Part 3)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017) |
ics-attack
Major Version Changes
[G0115] GOLD SOUTHFIELD
Current version: 2.0
Version changed from: 1.1 → 2.0
|
|
|---|
| t | [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) is | t | [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) is |
| a financially motivated threat group active since at least 2 | | a financially motivated threat group active since at least 2 |
| 019 that operates the [REvil](https://attack.mitre.org/softw | | 018 that operates the [REvil](https://attack.mitre.org/softw |
| are/S0496) Ransomware-as-a Service (RaaS). [GOLD SOUTHFIELD] | | are/S0496) Ransomware-as-a Service (RaaS). [GOLD SOUTHFIELD] |
| (https://attack.mitre.org/groups/G0115) provides backend inf | | (https://attack.mitre.org/groups/G0115) provides backend inf |
| rastructure for affiliates recruited on underground forums t | | rastructure for affiliates recruited on underground forums t |
| o perpetrate high value deployments.(Citation: Secureworks R | | o perpetrate high value deployments. By early 2020, [GOLD SO |
| Evil September 2019)(Citation: Secureworks GandCrab and REvi | | UTHFIELD](https://attack.mitre.org/groups/G0115) started cap |
| l September 2019)(Citation: Secureworks GOLD SOUTHFIELD) | | italizing on the new trend of stealing data and further exto |
| | | rting the victim to pay for their data to not get publicly l |
| | | eaked.(Citation: Secureworks REvil September 2019)(Citation: |
| | | Secureworks GandCrab and REvil September 2019)(Citation: Se |
| | | cureworks GOLD SOUTHFIELD)(Citation: CrowdStrike Evolution o |
| | | f Pinchy Spider July 2021) |
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | https://www.secureworks.com/research/revil-sodinokibi-ransomware | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-04-26 12:52:34.528000+00:00 | 2023-03-28 20:49:53.223000+00:00 |
| description | [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) is a financially motivated threat group active since at least 2019 that operates the [REvil](https://attack.mitre.org/software/S0496) Ransomware-as-a Service (RaaS). [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) provides backend infrastructure for affiliates recruited on underground forums to perpetrate high value deployments.(Citation: Secureworks REvil September 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Secureworks GOLD SOUTHFIELD) | [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) is a financially motivated threat group active since at least 2018 that operates the [REvil](https://attack.mitre.org/software/S0496) Ransomware-as-a Service (RaaS). [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) provides backend infrastructure for affiliates recruited on underground forums to perpetrate high value deployments. By early 2020, [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) started capitalizing on the new trend of stealing data and further extorting the victim to pay for their data to not get publicly leaked.(Citation: Secureworks REvil September 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Secureworks GOLD SOUTHFIELD)(Citation: CrowdStrike Evolution of Pinchy Spider July 2021) |
| external_references[1]['source_name'] | Secureworks REvil September 2019 | Pinchy Spider |
| external_references[1]['description'] | Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020. | (Citation: CrowdStrike Evolution of Pinchy Spider July 2021) |
| external_references[2]['source_name'] | Secureworks GandCrab and REvil September 2019 | Secureworks REvil September 2019 |
| external_references[2]['description'] | Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020. | Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020. |
| external_references[2]['url'] | https://www.secureworks.com/blog/revil-the-gandcrab-connection | https://www.secureworks.com/research/revil-sodinokibi-ransomware |
| external_references[3]['source_name'] | Secureworks GOLD SOUTHFIELD | CrowdStrike Evolution of Pinchy Spider July 2021 |
| external_references[3]['description'] | Secureworks. (n.d.). GOLD SOUTHFIELD. Retrieved October 6, 2020. | Meyers, Adam. (2021, July 6). The Evolution of PINCHY SPIDER from GandCrab to REvil. Retrieved March 28, 2023. |
| external_references[3]['url'] | https://www.secureworks.com/research/threat-profiles/gold-southfield | https://www.crowdstrike.com/blog/the-evolution-of-revil-ransomware-and-pinchy-spider/ |
| x_mitre_version | 1.1 | 2.0 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| aliases | | Pinchy Spider |
| external_references | | {'source_name': 'Secureworks GandCrab and REvil September 2019', 'description': 'Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.', 'url': 'https://www.secureworks.com/blog/revil-the-gandcrab-connection'} |
| external_references | | {'source_name': 'Secureworks GOLD SOUTHFIELD', 'description': 'Secureworks. (n.d.). GOLD SOUTHFIELD. Retrieved October 6, 2020.', 'url': 'https://www.secureworks.com/research/threat-profiles/gold-southfield'} |
[G0034] Sandworm Team
Current version: 3.0
Version changed from: 2.2 → 3.0
Details
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | https://www.justice.gov/opa/page/file/1098481/download | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-12 20:11:40.313000+00:00 | 2023-03-08 22:12:31.238000+00:00 |
| external_references[5]['source_name'] | BlackEnergy (Group) | IRIDIUM |
| external_references[5]['description'] | (Citation: NCSC Sandworm Feb 2020)(Citation: UK NCSC Olympic Attacks October 2020) | (Citation: Microsoft Prestige ransomware October 2022) |
| external_references[6]['source_name'] | Telebots | BlackEnergy (Group) |
| external_references[6]['description'] | (Citation: NCSC Sandworm Feb 2020)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) | (Citation: NCSC Sandworm Feb 2020)(Citation: UK NCSC Olympic Attacks October 2020) |
| external_references[7]['source_name'] | IRON VIKING | Telebots |
| external_references[7]['description'] | (Citation: Secureworks IRON VIKING )(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) | (Citation: NCSC Sandworm Feb 2020)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) |
| external_references[8]['source_name'] | US District Court Indictment GRU Oct 2018 | IRON VIKING |
| external_references[8]['description'] | Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020. | (Citation: Secureworks IRON VIKING )(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) |
| external_references[9]['source_name'] | Dragos ELECTRUM | US District Court Indictment GRU Oct 2018 |
| external_references[9]['description'] | Dragos. (2017, January 1). ELECTRUM Threat Profile. Retrieved June 10, 2020. | Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020. |
| external_references[9]['url'] | https://www.dragos.com/resource/electrum/ | https://www.justice.gov/opa/page/file/1098481/download |
| external_references[10]['source_name'] | F-Secure BlackEnergy 2014 | Dragos ELECTRUM |
| external_references[10]['description'] | F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016. | Dragos. (2017, January 1). ELECTRUM Threat Profile. Retrieved June 10, 2020. |
| external_references[10]['url'] | https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf | https://www.dragos.com/resource/electrum/ |
| external_references[11]['source_name'] | iSIGHT Sandworm 2014 | F-Secure BlackEnergy 2014 |
| external_references[11]['description'] | Hultquist, J.. (2016, January 7). Sandworm Team and the Ukrainian Power Authority Attacks. Retrieved October 6, 2017. | F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016. |
| external_references[11]['url'] | https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html | https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf |
| external_references[12]['source_name'] | CrowdStrike VOODOO BEAR | iSIGHT Sandworm 2014 |
| external_references[12]['description'] | Meyers, A. (2018, January 19). Meet CrowdStrike’s Adversary of the Month for January: VOODOO BEAR. Retrieved May 22, 2018. | Hultquist, J.. (2016, January 7). Sandworm Team and the Ukrainian Power Authority Attacks. Retrieved October 6, 2017. |
| external_references[12]['url'] | https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-january-voodoo-bear/ | https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html |
| external_references[13]['source_name'] | InfoSecurity Sandworm Oct 2014 | CrowdStrike VOODOO BEAR |
| external_references[13]['description'] | Muncaster, P.. (2014, October 14). Microsoft Zero Day Traced to Russian ‘Sandworm’ Hackers. Retrieved October 6, 2017. | Meyers, A. (2018, January 19). Meet CrowdStrike’s Adversary of the Month for January: VOODOO BEAR. Retrieved May 22, 2018. |
| external_references[13]['url'] | https://www.infosecurity-magazine.com/news/microsoft-zero-day-traced-russian/ | https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-january-voodoo-bear/ |
| external_references[14]['source_name'] | NCSC Sandworm Feb 2020 | Microsoft Prestige ransomware October 2022 |
| external_references[14]['description'] | NCSC. (2020, February 20). NCSC supports US advisory regarding GRU intrusion set Sandworm. Retrieved June 10, 2020. | MSTIC. (2022, October 14). New “Prestige” ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023. |
| external_references[14]['url'] | https://www.ncsc.gov.uk/news/ncsc-supports-sandworm-advisory | https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/ |
| external_references[15]['source_name'] | USDOJ Sandworm Feb 2020 | InfoSecurity Sandworm Oct 2014 |
| external_references[15]['description'] | Pompeo, M. (2020, February 20). The United States Condemns Russian Cyber Attack Against the Country of Georgia. Retrieved June 18, 2020. | Muncaster, P.. (2014, October 14). Microsoft Zero Day Traced to Russian ‘Sandworm’ Hackers. Retrieved October 6, 2017. |
| external_references[15]['url'] | https://2017-2021.state.gov/the-united-states-condemns-russian-cyber-attack-against-the-country-of-georgia//index.html | https://www.infosecurity-magazine.com/news/microsoft-zero-day-traced-russian/ |
| external_references[16]['source_name'] | US District Court Indictment GRU Unit 74455 October 2020 | NCSC Sandworm Feb 2020 |
| external_references[16]['description'] | Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020. | NCSC. (2020, February 20). NCSC supports US advisory regarding GRU intrusion set Sandworm. Retrieved June 10, 2020. |
| external_references[16]['url'] | https://www.justice.gov/opa/press-release/file/1328521/download | https://www.ncsc.gov.uk/news/ncsc-supports-sandworm-advisory |
| external_references[17]['source_name'] | Secureworks IRON VIKING | USDOJ Sandworm Feb 2020 |
| external_references[17]['description'] | Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020. | Pompeo, M. (2020, February 20). The United States Condemns Russian Cyber Attack Against the Country of Georgia. Retrieved June 18, 2020. |
| external_references[17]['url'] | https://www.secureworks.com/research/threat-profiles/iron-viking | https://2017-2021.state.gov/the-united-states-condemns-russian-cyber-attack-against-the-country-of-georgia//index.html |
| external_references[18]['source_name'] | UK NCSC Olympic Attacks October 2020 | US District Court Indictment GRU Unit 74455 October 2020 |
| external_references[18]['description'] | UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games . Retrieved November 30, 2020. | Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020. |
| external_references[18]['url'] | https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games | https://www.justice.gov/opa/press-release/file/1328521/download |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 2.2 | 3.0 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| aliases | | IRIDIUM |
| external_references | | {'source_name': 'Secureworks IRON VIKING ', 'description': 'Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020.', 'url': 'https://www.secureworks.com/research/threat-profiles/iron-viking'} |
| external_references | | {'source_name': 'UK NCSC Olympic Attacks October 2020', 'description': 'UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games . Retrieved November 30, 2020.', 'url': 'https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games'} |
Minor Version Changes
[G0037] FIN6
Current version: 3.3
Version changed from: 3.2 → 3.3
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-06-02 20:11:01.957000+00:00 | 2023-03-22 03:50:17.471000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 3.2 | 3.3 |
[G0046] FIN7
Current version: 2.2
Version changed from: 2.1 → 2.2
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-07-20 20:06:44.706000+00:00 | 2023-03-22 03:51:04.185000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 2.1 | 2.2 |
[G1001] HEXANE
Current version: 2.1
Version changed from: 2.0 → 2.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-08-31 22:16:30.454000+00:00 | 2023-03-22 04:43:59.082000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_domains[0] | ics-attack | enterprise-attack |
| x_mitre_domains[1] | enterprise-attack | ics-attack |
| x_mitre_version | 2.0 | 2.1 |
[G0032] Lazarus Group
Current version: 3.2
Version changed from: 3.1 → 3.2
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-08-23 15:30:44.196000+00:00 | 2023-03-30 19:01:41.451000+00:00 |
| external_references[6]['url'] | https://adversary.crowdstrike.com/en-US/adversary/labyrinth-chollima/ | https://web.archive.org/web/20210723190317/https://adversary.crowdstrike.com/en-US/adversary/labyrinth-chollima/ |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 3.1 | 3.2 |
[G0049] OilRig
Current version: 3.1
Version changed from: 3.0 → 3.1
|
|
|---|
| t | [OilRig](https://attack.mitre.org/groups/G0049) is a suspect | t | [OilRig](https://attack.mitre.org/groups/G0049) is a suspect |
| ed Iranian threat group that has targeted Middle Eastern and | | ed Iranian threat group that has targeted Middle Eastern and |
| international victims since at least 2014. The group has ta | | international victims since at least 2014. The group has ta |
| rgeted a variety of sectors, including financial, government | | rgeted a variety of sectors, including financial, government |
| , energy, chemical, and telecommunications. It appears the g | | , energy, chemical, and telecommunications. It appears the g |
| roup carries out supply chain attacks, leveraging the trust | | roup carries out supply chain attacks, leveraging the trust |
| relationship between organizations to attack their primary t | | relationship between organizations to attack their primary t |
| argets. FireEye assesses that the group works on behalf of t | | argets. FireEye assesses that the group works on behalf of t |
| he Iranian government based on infrastructure details that c | | he Iranian government based on infrastructure details that c |
| ontain references to Iran, use of Iranian infrastructure, an | | ontain references to Iran, use of Iranian infrastructure, an |
| d targeting that aligns with nation-state interests.(Citatio | | d targeting that aligns with nation-state interests.(Citatio |
| n: Palo Alto OilRig April 2017)(Citation: ClearSky OilRig Ja | | n: Palo Alto OilRig April 2017)(Citation: ClearSky OilRig Ja |
| n 2017)(Citation: Palo Alto OilRig May 2016)(Citation: Palo | | n 2017)(Citation: Palo Alto OilRig May 2016)(Citation: Palo |
| Alto OilRig Oct 2016)(Citation: Unit 42 Playbook Dec 2017)(C | | Alto OilRig Oct 2016)(Citation: Unit42 OilRig Playbook 2023) |
| itation: FireEye APT34 Dec 2017)(Citation: Unit 42 QUADAGENT | | (Citation: FireEye APT34 Dec 2017)(Citation: Unit 42 QUADAGE |
| July 2018) | | NT July 2018) |
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| external_references | | https://www.secureworks.com/research/threat-profiles/cobalt-gypsy |
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/ | |
| external_references | https://pan-unit42.github.io/playbook_viewer/ | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-06-02 20:18:52.733000+00:00 | 2023-02-06 20:58:52.317000+00:00 |
| description | [OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.(Citation: Palo Alto OilRig April 2017)(Citation: ClearSky OilRig Jan 2017)(Citation: Palo Alto OilRig May 2016)(Citation: Palo Alto OilRig Oct 2016)(Citation: Unit 42 Playbook Dec 2017)(Citation: FireEye APT34 Dec 2017)(Citation: Unit 42 QUADAGENT July 2018) | [OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.(Citation: Palo Alto OilRig April 2017)(Citation: ClearSky OilRig Jan 2017)(Citation: Palo Alto OilRig May 2016)(Citation: Palo Alto OilRig Oct 2016)(Citation: Unit42 OilRig Playbook 2023)(Citation: FireEye APT34 Dec 2017)(Citation: Unit 42 QUADAGENT July 2018) |
| external_references[5]['source_name'] | Check Point APT34 April 2021 | Evasive Serpens |
| external_references[5]['description'] | Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021. | (Citation: Unit42 OilRig Playbook 2023) |
| external_references[6]['source_name'] | ClearSky OilRig Jan 2017 | Check Point APT34 April 2021 |
| external_references[6]['description'] | ClearSky Cybersecurity. (2017, January 5). Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford. Retrieved May 3, 2017. | Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021. |
| external_references[6]['url'] | http://www.clearskysec.com/oilrig/ | https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/ |
| external_references[7]['source_name'] | Palo Alto OilRig May 2016 | ClearSky OilRig Jan 2017 |
| external_references[7]['description'] | Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017. | ClearSky Cybersecurity. (2017, January 5). Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford. Retrieved May 3, 2017. |
| external_references[7]['url'] | http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/ | http://www.clearskysec.com/oilrig/ |
| external_references[8]['source_name'] | Palo Alto OilRig April 2017 | Palo Alto OilRig May 2016 |
| external_references[8]['description'] | Falcone, R.. (2017, April 27). OilRig Actors Provide a Glimpse into Development and Testing Efforts. Retrieved May 3, 2017. | Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017. |
| external_references[8]['url'] | http://researchcenter.paloaltonetworks.com/2017/04/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/ | http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/ |
| external_references[9]['source_name'] | Palo Alto OilRig Oct 2016 | Palo Alto OilRig April 2017 |
| external_references[9]['description'] | Grunzweig, J. and Falcone, R.. (2016, October 4). OilRig Malware Campaign Updates Toolset and Expands Targets. Retrieved May 3, 2017. | Falcone, R.. (2017, April 27). OilRig Actors Provide a Glimpse into Development and Testing Efforts. Retrieved May 3, 2017. |
| external_references[9]['url'] | http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/ | http://researchcenter.paloaltonetworks.com/2017/04/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/ |
| external_references[10]['source_name'] | Unit 42 QUADAGENT July 2018 | Palo Alto OilRig Oct 2016 |
| external_references[10]['description'] | Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018. | Grunzweig, J. and Falcone, R.. (2016, October 4). OilRig Malware Campaign Updates Toolset and Expands Targets. Retrieved May 3, 2017. |
| external_references[10]['url'] | https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/ | http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/ |
| external_references[11]['source_name'] | Crowdstrike Helix Kitten Nov 2018 | Unit 42 QUADAGENT July 2018 |
| external_references[11]['description'] | Meyers, A. (2018, November 27). Meet CrowdStrike’s Adversary of the Month for November: HELIX KITTEN. Retrieved December 18, 2018. | Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018. |
| external_references[11]['url'] | https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten/ | https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/ |
| external_references[12]['source_name'] | FireEye APT34 Dec 2017 | Crowdstrike Helix Kitten Nov 2018 |
| external_references[12]['description'] | Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017. | Meyers, A. (2018, November 27). Meet CrowdStrike’s Adversary of the Month for November: HELIX KITTEN. Retrieved December 18, 2018. |
| external_references[12]['url'] | https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html | https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten/ |
| external_references[13]['source_name'] | Secureworks COBALT GYPSY Threat Profile | FireEye APT34 Dec 2017 |
| external_references[13]['description'] | Secureworks. (n.d.). COBALT GYPSY Threat Profile. Retrieved April 14, 2021. | Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017. |
| external_references[13]['url'] | https://www.secureworks.com/research/threat-profiles/cobalt-gypsy | https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html |
| external_references[14]['source_name'] | APT34 | Secureworks COBALT GYPSY Threat Profile |
| external_references[14]['description'] | This group was previously tracked under two distinct groups, APT34 and OilRig, but was combined due to additional reporting giving higher confidence about the overlap of the activity. (Citation: Unit 42 QUADAGENT July 2018) (Citation: FireEye APT34 Dec 2017)(Citation: Check Point APT34 April 2021) | Secureworks. (n.d.). COBALT GYPSY Threat Profile. Retrieved April 14, 2021. |
| external_references[15]['source_name'] | Unit 42 Playbook Dec 2017 | APT34 |
| external_references[15]['description'] | Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017. | This group was previously tracked under two distinct groups, APT34 and OilRig, but was combined due to additional reporting giving higher confidence about the overlap of the activity.(Citation: Unit 42 QUADAGENT July 2018)(Citation: FireEye APT34 Dec 2017)(Citation: Check Point APT34 April 2021) |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 3.0 | 3.1 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| aliases | | Evasive Serpens |
| external_references | | {'source_name': 'Unit 42 Playbook Dec 2017', 'description': 'Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.', 'url': 'https://pan-unit42.github.io/playbook_viewer/'} |
| external_references | | {'source_name': 'Unit42 OilRig Playbook 2023', 'description': 'Unit42. (2016, May 1). Evasive Serpens Unit 42 Playbook Viewer. Retrieved February 6, 2023.', 'url': 'https://pan-unit42.github.io/playbook_viewer/?pb=evasive-serpens'} |
[G0102] Wizard Spider
Current version: 2.1
Version changed from: 2.0 → 2.1
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2021-10-14 17:27:41.194000+00:00 | 2023-03-22 05:44:27.289000+00:00 |
| external_references[1]['source_name'] | UNC1878 | Grim Spider |
| external_references[1]['description'] | (Citation: FireEye KEGTAP SINGLEMALT October 2020) | (Citation: CrowdStrike Ryuk January 2019)(Citation: CrowdStrike Grim Spider May 2019) |
| external_references[2]['source_name'] | TEMP.MixMaster | UNC1878 |
| external_references[2]['description'] | (Citation: FireEye Ryuk and Trickbot January 2019) | (Citation: FireEye KEGTAP SINGLEMALT October 2020) |
| external_references[3]['source_name'] | Grim Spider | TEMP.MixMaster |
| external_references[3]['description'] | (Citation: CrowdStrike Ryuk January 2019)(Citation: CrowdStrike Grim Spider May 2019) | (Citation: FireEye Ryuk and Trickbot January 2019) |
| external_references[4]['source_name'] | CrowdStrike Ryuk January 2019 | DHS/CISA Ransomware Targeting Healthcare October 2020 |
| external_references[4]['description'] | Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020. | DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020. |
| external_references[4]['url'] | https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/ | https://us-cert.cisa.gov/ncas/alerts/aa20-302a |
| external_references[5]['source_name'] | DHS/CISA Ransomware Targeting Healthcare October 2020 | FireEye Ryuk and Trickbot January 2019 |
| external_references[5]['description'] | DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020. | Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020. |
| external_references[5]['url'] | https://us-cert.cisa.gov/ncas/alerts/aa20-302a | https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html |
| external_references[6]['source_name'] | CrowdStrike Wizard Spider October 2020 | CrowdStrike Ryuk January 2019 |
| external_references[6]['description'] | Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021. | Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020. |
| external_references[6]['url'] | https://www.crowdstrike.com/blog/wizard-spider-adversary-update/ | https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/ |
| external_references[7]['source_name'] | FireEye KEGTAP SINGLEMALT October 2020 | CrowdStrike Grim Spider May 2019 |
| external_references[7]['description'] | Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020. | John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020. |
| external_references[7]['url'] | https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html | https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/ |
| external_references[8]['source_name'] | FireEye Ryuk and Trickbot January 2019 | FireEye KEGTAP SINGLEMALT October 2020 |
| external_references[8]['description'] | Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020. | Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020. |
| external_references[8]['url'] | https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html | https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html |
| external_references[9]['source_name'] | CrowdStrike Grim Spider May 2019 | CrowdStrike Wizard Spider October 2020 |
| external_references[9]['description'] | John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020. | Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021. |
| external_references[9]['url'] | https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/ | https://www.crowdstrike.com/blog/wizard-spider-adversary-update/ |
| x_mitre_version | 2.0 | 2.1 |
Patches
[G0064] APT33
Current version: 1.4
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-05-23 21:22:08.170000+00:00 | 2023-03-08 22:07:25.123000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
[G0035] Dragonfly
Current version: 3.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-19 22:09:02.443000+00:00 | 2023-03-08 22:03:28.170000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
[G0088] TEMP.Veles
Current version: 1.3
Details
dictionary_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | https://pylos.co/2019/04/12/a-xenotime-to-remember-veles-in-the-wild/ | |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-05-24 16:22:20.856000+00:00 | 2022-11-30 22:46:40.135000+00:00 |
| external_references[3]['url'] | https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html | https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html |
| external_references[4]['source_name'] | FireEye TEMP.Veles 2018 | FireEye TRITON 2019 |
| external_references[4]['description'] | FireEye Intelligence . (2018, October 23). TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers. Retrieved April 16, 2019. | Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019. |
| external_references[4]['url'] | https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html | https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html |
| external_references[5]['source_name'] | FireEye TRITON 2019 | FireEye TEMP.Veles JSON April 2019 |
| external_references[5]['description'] | Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019. | Miller, S., et al. (2019, April 10). TRITON Appendix C. Retrieved April 29, 2019. |
| external_references[5]['url'] | https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html | https://www.fireeye.com/content/dam/fireeye-www/blog/files/TRITON_Appendix_C.html |
| external_references[6]['source_name'] | FireEye TEMP.Veles JSON April 2019 | Pylos Xenotime 2019 |
| external_references[6]['description'] | Miller, S., et al. (2019, April 10). TRITON Appendix C. Retrieved April 29, 2019. | Slowik, J.. (2019, April 12). A XENOTIME to Remember: Veles in the Wild. Retrieved April 16, 2019. |
| external_references[6]['url'] | https://www.fireeye.com/content/dam/fireeye-www/blog/files/TRITON_Appendix_C.html | https://pylos.co/2019/04/12/a-xenotime-to-remember-veles-in-the-wild/ |
| external_references[7]['source_name'] | Pylos Xenotime 2019 | XENOTIME |
| external_references[7]['description'] | Slowik, J.. (2019, April 12). A XENOTIME to Remember: Veles in the Wild. Retrieved April 16, 2019. | The activity group XENOTIME, as defined by Dragos, has overlaps with activity reported upon by FireEye about TEMP.Veles as well as the actors behind [TRITON](https://attack.mitre.org/software/S0609).(Citation: Dragos Xenotime 2018)(Citation: Pylos Xenotime 2019)(Citation: FireEye TRITON 2019)(Citation: FireEye TEMP.Veles 2018) |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
iterable_item_removed| STIX Field | Old value | New Value |
|---|
| external_references | {'source_name': 'XENOTIME', 'description': 'The activity group XENOTIME, as defined by Dragos, has overlaps with activity reported upon by FireEye about TEMP.Veles as well as the actors behind [TRITON](https://attack.mitre.org/software/S0609) .(Citation: Dragos Xenotime 2018)(Citation: Pylos Xenotime 2019)(Citation: FireEye TRITON 2019)(Citation: FireEye TEMP.Veles 2018 )'} | |
Campaigns
enterprise-attack
New Campaigns
[C0025] 2016 Ukraine Electric Power Attack
Current version: 1.0
Description: [2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025) was a [Sandworm Team](https://attack.mitre.org/groups/G0034) campaign during which they used [Industroyer](https://attack.mitre.org/software/S0604) malware to target and disrupt distribution substations within the Ukrainian power grid. This campaign was the second major public attack conducted against Ukraine by [Sandworm Team](https://attack.mitre.org/groups/G0034).(Citation: ESET Industroyer)(Citation: Dragos Crashoverride 2018)
[C0017] C0017
Current version: 1.0
Description: [C0017](https://attack.mitre.org/campaigns/C0017) was an [APT41](https://attack.mitre.org/groups/G0096) campaign conducted between May 2021 and February 2022 that successfully compromised at least six U.S. state government networks through the exploitation of vulnerable Internet facing web applications. During [C0017](https://attack.mitre.org/campaigns/C0017), [APT41](https://attack.mitre.org/groups/G0096) was quick to adapt and use publicly-disclosed as well as zero-day vulnerabilities for initial access, and in at least two cases re-compromised victims following remediation efforts. The goals of [C0017](https://attack.mitre.org/campaigns/C0017) are unknown, however [APT41](https://attack.mitre.org/groups/G0096) was observed exfiltrating Personal Identifiable Information (PII).(Citation: Mandiant APT41)
[C0018] C0018
Current version: 1.0
Description:
[C0018](https://attack.mitre.org/campaigns/C0018) was a month-long ransomware intrusion that successfully deployed [AvosLocker](https://attack.mitre.org/software/S1053) onto a compromised network. The unidentified actors gained initial access to the victim network through an exposed server and used a variety of open-source tools prior to executing [AvosLocker](https://attack.mitre.org/software/S1053).(Citation: Costa AvosLocker May 2022)(Citation: Cisco Talos Avos Jun 2022)
[C0021] C0021
Current version: 1.0
Description: [C0021](https://attack.mitre.org/campaigns/C0021) was a spearphishing campaign conducted in November 2018 that targeted public sector institutions, non-governmental organizations (NGOs), educational institutions, and private-sector corporations in the oil and gas, chemical, and hospitality industries. The majority of targets were located in the US, particularly in and around Washington D.C., with other targets located in Europe, Hong Kong, India, and Canada. [C0021](https://attack.mitre.org/campaigns/C0021)'s technical artifacts, tactics, techniques, and procedures (TTPs), and targeting overlap with previous suspected [APT29](https://attack.mitre.org/groups/G0016) activity.(Citation: Microsoft Unidentified Dec 2018)(Citation: FireEye APT29 Nov 2018)
[C0022] Operation Dream Job
Current version: 1.0
Description: [Operation Dream Job](https://attack.mitre.org/campaigns/C0022) was a cyber espionage operation likely conducted by [Lazarus Group](https://attack.mitre.org/groups/G0032) that targeted the defense, aerospace, government, and other sectors in the United States, Israel, Australia, Russia, and India. In at least one case, the cyber actors tried to monetize their network access to conduct a business email compromise (BEC) operation. In 2020, security researchers noted overlapping TTPs, to include fake job lures and code similarities, between [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), Operation North Star, and Operation Interception; by 2022 security researchers described [Operation Dream Job](https://attack.mitre.org/campaigns/C0022) as an umbrella term covering both Operation Interception and Operation North Star.(Citation: ClearSky Lazarus Aug 2020)(Citation: McAfee Lazarus Jul 2020)(Citation: ESET Lazarus Jun 2020)(Citation: The Hacker News Lazarus Aug 2022)
[C0023] Operation Ghost
Current version: 1.0
Description: [Operation Ghost](https://attack.mitre.org/campaigns/C0023) was an [APT29](https://attack.mitre.org/groups/G0016) campaign starting in 2013 that included operations against ministries of foreign affairs in Europe and the Washington, D.C. embassy of a European Union country. During [Operation Ghost](https://attack.mitre.org/campaigns/C0023), [APT29](https://attack.mitre.org/groups/G0016) used new families of malware and leveraged web services, steganography, and unique C2 infrastructure for each victim.(Citation: ESET Dukes October 2019)
[C0024] SolarWinds Compromise
Current version: 1.0
Description: The [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024) was a sophisticated supply chain cyber operation conducted by [APT29](https://attack.mitre.org/groups/G0016) that was discovered in mid-December 2020. [APT29](https://attack.mitre.org/groups/G0016) used customized malware to inject malicious code into the SolarWinds Orion software build process that was later distributed through a normal software update; they also used password spraying, token theft, API abuse, spear phishing, and other supply chain attacks to compromise user accounts and leverage their associated access. Victims of this campaign included government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East. Industry reporting initially referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.(Citation: SolarWinds Advisory Dec 2020)(Citation: SolarWinds Sunburst Sunspot Update January 2021)(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: Volexity SolarWinds)(Citation: CrowdStrike StellarParticle January 2022)(Citation: Unit 42 SolarStorm December 2020)(Citation: Microsoft Analyzing Solorigate Dec 2020)(Citation: Microsoft Internal Solorigate Investigation Blog)
In April 2021, the US and UK governments attributed the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024) to Russia's Foreign Intelligence Service (SVR); public statements included citations to [APT29](https://attack.mitre.org/groups/G0016), Cozy Bear, and The Dukes.(Citation: NSA Joint Advisory SVR SolarWinds April 2021)(Citation: UK NSCS Russia SolarWinds April 2021)(Citation: Mandiant UNC2452 APT29 April 2022) The US government assessed that of the approximately 18,000 affected public and private sector customers of Solar Winds’ Orion product, a much smaller number were compromised by follow-on [APT29](https://attack.mitre.org/groups/G0016) activity on their systems.(Citation: USG Joint Statement SolarWinds January 2021)
Minor Version Changes
[C0001] Frankenstein
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-09-21 15:15:43.055000+00:00 | 2023-03-22 03:55:03.775000+00:00 |
| x_mitre_attack_spec_version | 3.0.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[C0012] Operation CuckooBees
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-13 15:10:42.515000+00:00 | 2023-03-22 05:06:05.468000+00:00 |
| x_mitre_attack_spec_version | 3.0.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
[C0014] Operation Wocao
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-13 17:42:00.940000+00:00 | 2023-03-22 05:07:13.071000+00:00 |
| x_mitre_attack_spec_version | 3.0.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
ics-attack
New Campaigns
[C0025] 2016 Ukraine Electric Power Attack
Current version: 1.0
Description: [2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025) was a [Sandworm Team](https://attack.mitre.org/groups/G0034) campaign during which they used [Industroyer](https://attack.mitre.org/software/S0604) malware to target and disrupt distribution substations within the Ukrainian power grid. This campaign was the second major public attack conducted against Ukraine by [Sandworm Team](https://attack.mitre.org/groups/G0034).(Citation: ESET Industroyer)(Citation: Dragos Crashoverride 2018)
[C0020] Maroochy Water Breach
Current version: 1.0
Description: [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020) was an incident in 2000 where an adversary leveraged the local government’s wastewater control system and stolen engineering equipment to disrupt and eventually release 800,000 liters of raw sewage into the local community.(Citation: Marshall Abrams July 2008)
Mitigations
enterprise-attack
Minor Version Changes
[M1047] Audit
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-21 15:52:12.722000+00:00 | 2023-03-31 14:50:47.704000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.1 | 1.2 |
[M1028] Operating System Configuration
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2020-06-19 16:50:45.681000+00:00 | 2023-03-31 17:27:28.395000+00:00 |
| x_mitre_version | 1.1 | 1.2 |
[M1024] Restrict Registry Permissions
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_attack_spec_version | | 3.1.0 |
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2019-06-06 20:58:59.577000+00:00 | 2023-03-31 17:12:06.164000+00:00 |
| x_mitre_version | 1.0 | 1.1 |
ics-attack
New Mitigations
[M0818] Validate Program Inputs
Current version: 1.0
Description: Devices and programs designed to interact with control system parameters should validate the format and content of all user inputs and actions to ensure the values are within intended operational ranges. These values should be evaluated and further enforced through the program logic running on the field controller. If a problematic or invalid input is identified, the programs should either utilize a predetermined safe value or enter a known safe state, while also logging or alerting on the event.(Citation: PLCTop20 Mar 2023)
Minor Version Changes
[M0814] Static Network Configuration
Current version: 1.1
Version changed from: 1.0 → 1.1
|
|
|---|
| t | Configure hosts and devices to use static network configurat | t | Configure hosts and devices to use static network configurat |
| ions when possible, protocols that require dynamic discovery | | ions when possible, protocols that require dynamic discovery |
| /addressing (e.g., ARP, DHCP, DNS) can be used to manipulate | | /addressing (e.g., ARP, DHCP, DNS) can be used to manipulate |
| network message forwarding and enable various MitM attacks. | | network message forwarding and enable various AiTM attacks. |
| This mitigation may not always be usable due to limited dev | | This mitigation may not always be usable due to limited dev |
| ice features or challenges introduced with different network | | ice features or challenges introduced with different network |
| configurations. | | configurations. |
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| labels | | ['IEC 62443-3-3:2013 - SR 7.7', 'IEC 62443-4-2:2019 - CR 7.7', 'NIST SP 800-53 Rev. 4 - CM-7'] |
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-24 15:09:07.609000+00:00 | 2023-04-05 14:21:27.977000+00:00 |
| description | Configure hosts and devices to use static network configurations when possible, protocols that require dynamic discovery/addressing (e.g., ARP, DHCP, DNS) can be used to manipulate network message forwarding and enable various MitM attacks. This mitigation may not always be usable due to limited device features or challenges introduced with different network configurations. | Configure hosts and devices to use static network configurations when possible, protocols that require dynamic discovery/addressing (e.g., ARP, DHCP, DNS) can be used to manipulate network message forwarding and enable various AiTM attacks. This mitigation may not always be usable due to limited device features or challenges introduced with different network configurations. |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
| x_mitre_version | 1.0 | 1.1 |
Patches
[M0801] Access Management
Current version: 1.0
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| labels | | ['IEC 62443-3-3:2013 - SR 2.1', 'IEC 62443-4-2:2019 - CR 2.1', 'NIST SP 800-53 Rev. 4 - AC-3'] |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:14.081000+00:00 |
[M0936] Account Use Policies
Current version: 1.0
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| labels | | ['IEC 62443-3-3:2013 - SR 1.11', 'IEC 62443-4-2:2019 - CR 1.11', 'NIST SP 800-53 Rev. 4 - IA-5'] |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:19.383000+00:00 |
[M0949] Antivirus/Antimalware
Current version: 1.0
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| labels | | ['IEC 62443-3-3:2013 - SR 3.2', 'IEC 62443-4-2:2019 - CR 3.2', 'NIST SP 800-53 Rev. 4 - SI-3'] |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:21.180000+00:00 |
[M0913] Application Developer Guidance
Current version: 1.0
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| labels | | ['NIST SP 800-53 Rev. 4 - AT-3'] |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:16.730000+00:00 |
[M0948] Application Isolation and Sandboxing
Current version: 1.0
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| labels | | ['IEC 62443-3-3:2013 - SR 5.4', 'IEC 62443-4-2:2019 - CR 5.4', 'NIST SP 800-53 Rev. 4 - SI-3'] |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:21.006000+00:00 |
[M0947] Audit
Current version: 1.0
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| labels | | ['IEC 62443-3-3:2013 - SR 3.4', 'IEC 62443-4-2:2019 - CR 3.4', 'NIST SP 800-53 Rev. 4 - SI-7'] |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:20.836000+00:00 |
[M0800] Authorization Enforcement
Current version: 1.0
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| labels | | ['IEC 62443-3-3:2013 - SR 2.1', 'IEC 62443-4-2:2019 - CR 2.1', 'NIST SP 800-53 Rev. 4 - AC-3'] |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:13.851000+00:00 |
[M0946] Boot Integrity
Current version: 1.0
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| labels | | ['IEC 62443-4-2:2019 - CR 3.14', 'NIST SP 800-53 Rev. 4 - SI-7'] |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:20.632000+00:00 |
[M0945] Code Signing
Current version: 1.0
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| labels | | ['IEC 62443-3-3:2013 - SR 3.4', 'IEC 62443-4-2:2019 - CR 3.4', 'NIST SP 800-53 Rev. 4 - SI-7'] |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:20.464000+00:00 |
[M0802] Communication Authenticity
Current version: 1.0
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| labels | | ['IEC 62443-3-3:2013 - SR 3.1', 'IEC 62443-4-2:2019 - CR 3.1', 'NIST SP 800-53 Rev. 4 - SC-8; SC-23'] |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:14.263000+00:00 |
[M0953] Data Backup
Current version: 1.0
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| labels | | ['IEC 62443-3-3:2013 - SR 7.3', 'IEC 62443-4-2:2019 - CR 7.3', 'NIST SP 800-53 Rev. 4 - CP-9'] |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-05-06 17:47:24.040000+00:00 | 2023-03-30 20:55:21.679000+00:00 |
[M0803] Data Loss Prevention
Current version: 1.0
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| labels | | ['IEC 62443-3-3:2013 - SR 4.1', 'IEC 62443-4-2:2019 - CR 4.1'] |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:14.442000+00:00 |
[M0942] Disable or Remove Feature or Program
Current version: 1.0
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| labels | | ['IEC 62443-3-3:2013 - SR 7.7', 'IEC 62443-4-2:2019 - CR 7.7', 'NIST SP 800-53 Rev. 4 - CM-7'] |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:20.110000+00:00 |
[M0808] Encrypt Network Traffic
Current version: 1.0
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| labels | | ['IEC 62443-3-3:2013 - SR 4.1', 'IEC 62443-4-2:2019 - CR 4.1', 'NIST SP 800-53 Rev. 4 - SC-8'] |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:15.230000+00:00 |
[M0941] Encrypt Sensitive Information
Current version: 1.0
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| labels | | ['IEC 62443-3-3:2013 - SR 4.1', 'IEC 62443-4-2:2019 - CR 4.1', 'NIST SP 800-53 Rev. 4 - SC-28'] |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:19.946000+00:00 |
[M0938] Execution Prevention
Current version: 1.0
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| labels | | ['IEC 62443-3-3:2013 - SR 3.2', 'IEC 62443-4-2:2019 - CR 3.2', 'NIST SP 800-53 Rev. 4 - SI-3'] |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:19.774000+00:00 |
[M0950] Exploit Protection
Current version: 1.0
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| labels | | ['IEC 62443-3-3:2013 - SR 3.2', 'IEC 62443-4-2:2019 - CR 3.2', 'NIST SP 800-53 Rev. 4 - SI-16'] |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:21.352000+00:00 |
[M0937] Filter Network Traffic
Current version: 1.0
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| labels | | ['IEC 62443-3-3:2013 - SR 5.1', 'IEC 62443-4-2:2019 - CR 5.1', 'NIST SP 800-53 Rev. 4 - AC-3; SC-7'] |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:19.604000+00:00 |
[M0804] Human User Authentication
Current version: 1.0
|
|
|---|
| t | Require user authentication before allowing access to data o | t | Require user authentication before allowing access to data o |
| r accepting commands to a device. While strong multi-factor | | r accepting commands to a device. While strong multi-factor |
| authentication is preferable, it is not always feasible with | | authentication is preferable, it is not always feasible with |
| in ICS environments. Performing strong user authentication a | | in ICS environments. Performing strong user authentication a |
| lso requires additional security controls and processes whic | | lso requires additional security controls and processes whic |
| h are often the target of related adversarial techniques (e. | | h are often the target of related adversarial techniques (e. |
| g., Valid Accounts, Default Credentials). Therefore, associa | | g., Valid Accounts, Default Credentials). Therefore, associa |
| ted ATT&CK mitigations should be considered in addition to t | | ted ATT&CK mitigations should be considered in addition to t |
| his, including [Multi-factor Authentication](https://attack. | | his, including [Multi-factor Authentication](https://attack. |
| mitre.org/mitigations/M0932), [Account Use Policies](https:/ | | mitre.org/mitigations/M0932), [Account Use Policies](https:/ |
| /attack.mitre.org/mitigations/M0936), [Password Policies](ht | | /attack.mitre.org/mitigations/M0936), [Password Policies](ht |
| tps://attack.mitre.org/mitigations/M0927), [User Account Man | | tps://attack.mitre.org/mitigations/M0927), [User Account Man |
| agement](https://attack.mitre.org/mitigations/M0918), [Privi | | agement](https://attack.mitre.org/mitigations/M0918), [Privi |
| leged Account Management](https://attack.mitre.org/mitigatio | | leged Account Management](https://attack.mitre.org/mitigatio |
| ns/M0926), and [https://attack.mitre.org/mitigations/M1052/ | | ns/M0926), and [User Account Control](https://attack.mitre.o |
| User Account Control]. | | rg/mitigations/M1052). |
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| labels | | ['IEC 62443-3-3:2013 - SR 1.1', 'IEC 62443-4-2:2019 - CR 1.1', 'NIST SP 800-53 Rev. 4 - IA-2'] |
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:14.615000+00:00 |
| description | Require user authentication before allowing access to data or accepting commands to a device. While strong multi-factor authentication is preferable, it is not always feasible within ICS environments. Performing strong user authentication also requires additional security controls and processes which are often the target of related adversarial techniques (e.g., Valid Accounts, Default Credentials). Therefore, associated ATT&CK mitigations should be considered in addition to this, including [Multi-factor Authentication](https://attack.mitre.org/mitigations/M0932), [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), [User Account Management](https://attack.mitre.org/mitigations/M0918), [Privileged Account Management](https://attack.mitre.org/mitigations/M0926), and [https://attack.mitre.org/mitigations/M1052/ User Account Control]. | Require user authentication before allowing access to data or accepting commands to a device. While strong multi-factor authentication is preferable, it is not always feasible within ICS environments. Performing strong user authentication also requires additional security controls and processes which are often the target of related adversarial techniques (e.g., Valid Accounts, Default Credentials). Therefore, associated ATT&CK mitigations should be considered in addition to this, including [Multi-factor Authentication](https://attack.mitre.org/mitigations/M0932), [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), [User Account Management](https://attack.mitre.org/mitigations/M0918), [Privileged Account Management](https://attack.mitre.org/mitigations/M0926), and [User Account Control](https://attack.mitre.org/mitigations/M1052). |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
[M0935] Limit Access to Resource Over Network
Current version: 1.0
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| labels | | ['IEC 62443-3-3:2013 - SR 5.1', 'IEC 62443-4-2:2019 - CR 5.1', 'NIST SP 800-53 Rev. 4 - AC-3; SC-7'] |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:19.179000+00:00 |
[M0934] Limit Hardware Installation
Current version: 1.0
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| labels | | ['IEC 62443-3-3:2013 - SR 3.2', 'IEC 62443-4-2:2019 - EDR 3.2', 'NIST SP 800-53 Rev. 4 - MP-7'] |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:19.007000+00:00 |
[M0806] Minimize Wireless Signal Propagation
Current version: 1.0
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| labels | | ['IEC 62443-3-3:2013 - SR 1.6', 'IEC 62443-4-2:2019 - CR 1.6', 'NIST SP 800-53 Rev. 4 - SC-40'] |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:14.800000+00:00 |
[M0932] Multi-factor Authentication
Current version: 1.0
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| labels | | ['IEC 62443-3-3:2013 - SR 1.7', 'IEC 62443-4-2:2019 - CR 1.7', 'NIST SP 800-53 Rev. 4 - IA-2'] |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:18.842000+00:00 |
[M0807] Network Allowlists
Current version: 1.0
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| labels | | ['NIST SP 800-53 Rev. 4 - AC-3'] |
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:14.969000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
[M0931] Network Intrusion Prevention
Current version: 1.0
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| labels | | ['IEC 62443-3-3:2013 - SR 6.2', 'IEC 62443-4-2:2019 - CR 6.2', 'NIST SP 800-53 Rev. 4 - SI-4'] |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:18.665000+00:00 |
[M0930] Network Segmentation
Current version: 1.0
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| labels | | ['IEC 62443-3-3:2013 - SR 5.1', 'IEC 62443-4-2:2019 - CR 5.1', 'NIST SP 800-53 Rev. 4 - AC-3'] |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:18.480000+00:00 |
[M0928] Operating System Configuration
Current version: 1.0
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| labels | | ['IEC 62443-3-3:2013 - SR 7.7', 'IEC 62443-4-2:2019 - CR 7.7', 'NIST SP 800-53 Rev. 4 - CM-7'] |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:18.276000+00:00 |
[M0809] Operational Information Confidentiality
Current version: 1.0
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| labels | | ['IEC 62443-3-3:2013 - SR 4.1', 'IEC 62443-4-2:2019 - CR 4.1'] |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:15.415000+00:00 |
[M0810] Out-of-Band Communications Channel
Current version: 1.0
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| labels | | ['NIST SP 800-53 Rev. 4 - SC-37'] |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:15.598000+00:00 |
[M0927] Password Policies
Current version: 1.0
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| labels | | ['IEC 62443-3-3:2013 - SR 1.5', 'IEC 62443-4-2:2019 - CR 1.5', 'NIST SP 800-53 Rev. 4 - IA-5'] |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:18.097000+00:00 |
[M0926] Privileged Account Management
Current version: 1.0
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| labels | | ['IEC 62443-3-3:2013 - SR 1.3', 'IEC 62443-4-2:2019 - CR 1.3', 'NIST SP 800-53 Rev. 4 - AC-2'] |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:17.929000+00:00 |
[M0811] Redundancy of Service
Current version: 1.0
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| labels | | ['NIST SP 800-53 Rev. 4 - CP-9'] |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:15.773000+00:00 |
[M0922] Restrict File and Directory Permissions
Current version: 1.0
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| labels | | ['IEC 62443-3-3:2013 - SR 2.1', 'IEC 62443-4-2:2019 - CR 2.1', 'NIST SP 800-53 Rev. 4 - AC-6'] |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:17.592000+00:00 |
[M0944] Restrict Library Loading
Current version: 1.0
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| labels | | ['IEC 62443-3-3:2013 - SR 7.7', 'IEC 62443-4-2:2019 - CR 7.7', 'NIST SP 800-53 Rev. 4 - CM-7'] |
| x_mitre_deprecated | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-24 15:09:07.609000+00:00 | 2023-04-11 20:51:32.610000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
[M0924] Restrict Registry Permissions
Current version: 1.0
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| labels | | ['IEC 62443-3-3:2013 - SR 2.1', 'IEC 62443-4-2:2019 - CR 2.1', 'NIST SP 800-53 Rev. 4 - AC-6'] |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:17.759000+00:00 |
[M0921] Restrict Web-Based Content
Current version: 1.0
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| labels | | ['IEC 62443-3-3:2013 - SR 2.4', 'IEC 62443-4-2:2019 - HDR 2.4', 'NIST SP 800-53 Rev. 4 - SC-18'] |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:17.426000+00:00 |
[M0954] Software Configuration
Current version: 1.0
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| labels | | ['IEC 62443-3-3:2013 - SR 7.7', 'IEC 62443-4-2:2019 - CR 7.7', 'NIST SP 800-53 Rev. 4 - CM-7'] |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:21.915000+00:00 |
[M0813] Software Process and Device Authentication
Current version: 1.0
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| labels | | ['IEC 62443-3-3:2013 - SR 1.2', 'IEC 62443-4-2:2019 - CR 1.2', 'NIST SP 800-53 Rev. 4 - IA-9'] |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:15.949000+00:00 |
[M0817] Supply Chain Management
Current version: 1.0
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| labels | | ['NIST SP 800-53 Rev. 4 - SA-12'] |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:16.556000+00:00 |
[M0951] Update Software
Current version: 1.0
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| labels | | ['IEC 62443-4-2:2019 - CR 3.10', 'NIST SP 800-53 Rev. 4 - SI-2'] |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:21.512000+00:00 |
[M0918] User Account Management
Current version: 1.0
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| labels | | ['IEC 62443-3-3:2013 - SR 1.3', 'IEC 62443-4-2:2019 - CR 1.3', 'NIST SP 800-53 Rev. 4 - AC-2'] |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:17.252000+00:00 |
[M0917] User Training
Current version: 1.0
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| labels | | ['NIST SP 800-53 Rev. 4 - AT-2'] |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:17.076000+00:00 |
[M0916] Vulnerability Scanning
Current version: 1.0
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| labels | | ['NIST SP 800-53 Rev. 4 - RA-5'] |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:16.897000+00:00 |
[M0815] Watchdog Timers
Current version: 1.0
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| labels | | ['IEC 62443-4-2:2019 - CR 7.2'] |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:16.383000+00:00 |
Data Sources
enterprise-attack
Patches
[DS0017] Command
Current version: 1.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-21T15:55:31.986Z | 2023-04-20T18:38:00.625Z |
| external_references[0]['url'] | https://attack.mitre.org/data-sources/DS0017 | https://attack.mitre.org/datasources/DS0017 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_platforms | | Android |
| x_mitre_platforms | | iOS |
| x_mitre_domains | | mobile-attack |
[DS0022] File
Current version: 1.0
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-21T14:50:59.123Z | 2022-12-07T19:35:34.863Z |
| external_references[0]['url'] | https://attack.mitre.org/data-sources/DS0022 | https://attack.mitre.org/datasources/DS0022 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
[DS0028] Logon Session
Current version: 1.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-21T15:56:16.481Z | 2022-12-07T19:45:09.019Z |
| external_references[0]['url'] | https://attack.mitre.org/data-sources/DS0028 | https://attack.mitre.org/datasources/DS0028 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
[DS0004] Malware Repository
Current version: 1.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-20T20:20:36.693Z | 2022-12-07T19:49:46.256Z |
| external_references[0]['url'] | https://attack.mitre.org/data-sources/DS0004 | https://attack.mitre.org/datasources/DS0004 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
[DS0029] Network Traffic
Current version: 1.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-20T20:18:34.334Z | 2023-04-20T18:38:13.356Z |
| external_references[0]['url'] | https://attack.mitre.org/data-sources/DS0029 | https://attack.mitre.org/datasources/DS0029 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_platforms | | Android |
| x_mitre_platforms | | iOS |
| x_mitre_domains | | mobile-attack |
[DS0009] Process
Current version: 1.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-21T15:58:32.516Z | 2023-04-20T18:38:26.515Z |
| external_references[0]['url'] | https://attack.mitre.org/data-sources/DS0009 | https://attack.mitre.org/datasources/DS0009 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_platforms | | Android |
| x_mitre_platforms | | iOS |
| x_mitre_domains | | mobile-attack |
[DS0012] Script
Current version: 1.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-21T15:58:58.335Z | 2022-12-07T19:50:56.964Z |
| external_references[0]['url'] | https://attack.mitre.org/data-sources/DS0012 | https://attack.mitre.org/datasources/DS0012 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
[DS0013] Sensor Health
Current version: 1.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-20T20:22:52.060Z | 2023-04-20T18:38:40.409Z |
| external_references[0]['url'] | https://attack.mitre.org/data-sources/DS0013 | https://attack.mitre.org/datasources/DS0013 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_platforms | | Android |
| x_mitre_platforms | | iOS |
| x_mitre_domains | | mobile-attack |
[DS0002] User Account
Current version: 1.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-21T15:59:59.646Z | 2022-12-07T19:50:43.993Z |
| external_references[0]['url'] | https://attack.mitre.org/data-sources/DS0002 | https://attack.mitre.org/datasources/DS0002 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
mobile-attack
New Data Sources
[DS0041] Application Vetting
Current version: 1.0
Description: Application vetting report generated by an external cloud service.
[DS0017] Command
Current version: 1.1
Description: A directive given to a computer program, acting as an interpreter of some kind, in order to perform a specific task(Citation: Confluence Linux Command Line)(Citation: Audit OSX)
[DS0029] Network Traffic
Current version: 1.1
Description: Data transmitted across a network (ex: Web, DNS, Mail, File, etc.), that is either summarized (ex: Netflow) and/or captured as raw data in an analyzable format (ex: PCAP)
[DS0009] Process
Current version: 1.1
Description: Instances of computer programs that are being executed by at least one thread. Processes have memory space for process executables, loaded modules (DLLs or shared libraries), and allocated memory regions containing everything from user input to application-specific data structures(Citation: Microsoft Processes and Threads)
[DS0013] Sensor Health
Current version: 1.1
Description: Information from host telemetry providing insights about system status, errors, or other notable functional activity
[DS0042] User Interface
Current version: 1.0
Description: Visual activity on the device that could alert the user to potentially malicious behavior.
ics-attack
Patches
[DS0039] Asset
Current version: 1.0
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-09-26T14:44:35.610Z | 2023-03-24T19:14:15.637Z |
| x_mitre_collection_layers[0] | host | Host |
| external_references[0]['url'] | https://attack.mitre.org/data-sources/DS0039 | https://attack.mitre.org/datasources/DS0039 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
[DS0017] Command
Current version: 1.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-21T15:55:31.986Z | 2023-04-20T18:38:00.625Z |
| external_references[0]['url'] | https://attack.mitre.org/data-sources/DS0017 | https://attack.mitre.org/datasources/DS0017 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_platforms | | Android |
| x_mitre_platforms | | iOS |
| x_mitre_domains | | mobile-attack |
[DS0022] File
Current version: 1.0
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-04-21T14:50:59.123Z | 2022-12-07T19:35:34.863Z |
| external_references[0]['url'] | https://attack.mitre.org/data-sources/DS0022 | https://attack.mitre.org/datasources/DS0022 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
[DS0028] Logon Session
Current version: 1.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-21T15:56:16.481Z | 2022-12-07T19:45:09.019Z |
| external_references[0]['url'] | https://attack.mitre.org/data-sources/DS0028 | https://attack.mitre.org/datasources/DS0028 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
[DS0029] Network Traffic
Current version: 1.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-20T20:18:34.334Z | 2023-04-20T18:38:13.356Z |
| external_references[0]['url'] | https://attack.mitre.org/data-sources/DS0029 | https://attack.mitre.org/datasources/DS0029 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_platforms | | Android |
| x_mitre_platforms | | iOS |
| x_mitre_domains | | mobile-attack |
[DS0040] Operational Databases
Current version: 1.0
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_deprecated | | False |
| revoked | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-05-11T16:22:58.802Z | 2023-03-24T19:14:55.615Z |
| x_mitre_collection_layers[0] | host | Host |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
[DS0009] Process
Current version: 1.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-21T15:58:32.516Z | 2023-04-20T18:38:26.515Z |
| external_references[0]['url'] | https://attack.mitre.org/data-sources/DS0009 | https://attack.mitre.org/datasources/DS0009 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
iterable_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_platforms | | Android |
| x_mitre_platforms | | iOS |
| x_mitre_domains | | mobile-attack |
[DS0012] Script
Current version: 1.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-21T15:58:58.335Z | 2022-12-07T19:50:56.964Z |
| external_references[0]['url'] | https://attack.mitre.org/data-sources/DS0012 | https://attack.mitre.org/datasources/DS0012 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
[DS0002] User Account
Current version: 1.1
Details
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-10-21T15:59:59.646Z | 2022-12-07T19:50:43.993Z |
| external_references[0]['url'] | https://attack.mitre.org/data-sources/DS0002 | https://attack.mitre.org/datasources/DS0002 |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
Data Components
enterprise-attack
Patches
Process: OS API Execution
Current version: 1.0
|
|
|---|
| t | Initial construction of a WMI object, such as a filter, cons | t | Operating system function/method calls executed by a process |
| umer, subscription, binding, or provider (ex: Sysmon EIDs 19 | | |
| -21) | | |
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_deprecated | | False |
| revoked | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-03-30T14:26:51.806Z | 2023-04-21T15:41:36.287Z |
| description | Initial construction of a WMI object, such as a filter, consumer, subscription, binding, or provider (ex: Sysmon EIDs 19-21) | Operating system function/method calls executed by a process |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
mobile-attack
New Data Components
Application Vetting: API Calls
Current version: 1.0
Description: API calls utilized by an application that could indicate malicious activity
Command: Command Execution
Current version: 1.1
Description: The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. )
Sensor Health: Host Status
Current version: 1.1
Description: Logging, messaging, and other artifacts highlighting the health of host sensors (ex: metrics, errors, and/or exceptions from logging applications)
Application Vetting: Network Communication
Current version: 1.0
Description: Network requests made by an application or domains contacted
Network Traffic: Network Connection Creation
Current version: 1.1
Description: Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)
Network Traffic: Network Traffic Content
Current version: 1.0
Description: Logged network traffic data showing both protocol header and body values (ex: PCAP)
Network Traffic: Network Traffic Flow
Current version: 1.0
Description: Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)
User Interface: Permissions Request
Current version: 1.0
Description: System prompts triggered when an application requests new or additional permissions
Application Vetting: Permissions Requests
Current version: 1.0
Description: Permissions declared in an application's manifest or property list file
Process: Process Creation
Current version: 1.1
Description: The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)
Process: Process Metadata
Current version: 1.0
Description: Contextual data about a running process, which may include information such as environment variables, image name, user/owner, etc.
Process: Process Termination
Current version: 1.0
Description: Exit of a running process (ex: Sysmon EID 5 or Windows EID 4689)
Application Vetting: Protected Configuration
Current version: 1.0
Description: Device configuration options that are not typically utilized by benign applications
User Interface: System Notifications
Current version: 1.0
Description: Notifications generated by the OS
User Interface: System Settings
Current version: 1.0
Description: Settings visible to the user on the device
ics-attack
Patches
Process: OS API Execution
Current version: 1.0
|
|
|---|
| t | Initial construction of a WMI object, such as a filter, cons | t | Operating system function/method calls executed by a process |
| umer, subscription, binding, or provider (ex: Sysmon EIDs 19 | | |
| -21) | | |
Details
dictionary_item_added| STIX Field | Old value | New Value |
|---|
| x_mitre_deprecated | | False |
| revoked | | False |
values_changed| STIX Field | Old value | New Value |
|---|
| modified | 2022-03-30T14:26:51.806Z | 2023-04-21T15:41:36.287Z |
| description | Initial construction of a WMI object, such as a filter, consumer, subscription, binding, or provider (ex: Sysmon EIDs 19-21) | Operating system function/method calls executed by a process |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |