|
These ATT&CK Navigator layer files can be uploaded to ATT&CK Navigator manually.
This JSON file contains the machine readble output used to create this page: changelog.json
Current version: 2.5
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2023-04-12 21:30:31.151000+00:00 | 2023-05-04 18:03:36.622000+00:00 |
| x_mitre_contributors[5] | Dylan | Dylan Silva, AWS Security |
Current version: 1.5
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2023-04-15 00:29:43.297000+00:00 | 2023-05-04 18:04:17.588000+00:00 |
| x_mitre_contributors[6] | Dylan | Dylan Silva, AWS Security |
Current version: 1.0
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may abuse cloud APIs to execute malicious comman | t | 1 | Adversaries may abuse cloud APIs to execute malicious comman |
| > | ds. APIs available in cloud environments provide various fun | > | ds. APIs available in cloud environments provide various fun | ||
| > | ctionalities and are a feature-rich method for programmatic | > | ctionalities and are a feature-rich method for programmatic | ||
| > | access to nearly all aspects of a tenant. These APIs may be | > | access to nearly all aspects of a tenant. These APIs may be | ||
| > | utilized through various methods such as command line interp | > | utilized through various methods such as command line interp | ||
| > | reters (CLIs), in-browser Cloud Shells, [PowerShell](https:/ | > | reters (CLIs), in-browser Cloud Shells, [PowerShell](https:/ | ||
| > | /attack.mitre.org/techniques/T1059/001) modules like Azure f | > | /attack.mitre.org/techniques/T1059/001) modules like Azure f | ||
| > | or PowerShell(Citation: A), or software developer kits (SDKs | > | or PowerShell(Citation: Microsoft - Azure PowerShell), or so | ||
| > | ) available for languages such as [Python](https://attack.mi | > | ftware developer kits (SDKs) available for languages such as | ||
| > | tre.org/techniques/T1059/006). Cloud API functionality ma | > | [Python](https://attack.mitre.org/techniques/T1059/006). | ||
| > | y allow for administrative access across all major services | > | Cloud API functionality may allow for administrative access | ||
| > | in a tenant such as compute, storage, identity and access ma | > | across all major services in a tenant such as compute, stor | ||
| > | nagement (IAM), networking, and security policies. With pro | > | age, identity and access management (IAM), networking, and s | ||
| > | per permissions (often via use of credentials such as [Appli | > | ecurity policies. With proper permissions (often via use of | ||
| > | cation Access Token](https://attack.mitre.org/techniques/T15 | > | credentials such as [Application Access Token](https://atta | ||
| > | 50/001) and [Web Session Cookie](https://attack.mitre.org/te | > | ck.mitre.org/techniques/T1550/001) and [Web Session Cookie]( | ||
| > | chniques/T1550/004)), adversaries may abuse cloud APIs to in | > | https://attack.mitre.org/techniques/T1550/004)), adversaries | ||
| > | voke various functions that execute malicious actions. For e | > | may abuse cloud APIs to invoke various functions that execu | ||
| > | xample, CLI and PowerShell functionality may be accessed thr | > | te malicious actions. For example, CLI and PowerShell functi | ||
| > | ough binaries installed on cloud-hosted or on-premises hosts | > | onality may be accessed through binaries installed on cloud- | ||
| > | or accessed through a browser-based cloud shell offered by | > | hosted or on-premises hosts or accessed through a browser-ba | ||
| > | many cloud platforms (such as AWS, Azure, and GCP). These cl | > | sed cloud shell offered by many cloud platforms (such as AWS | ||
| > | oud shells are often a packaged unified environment to use C | > | , Azure, and GCP). These cloud shells are often a packaged u | ||
| > | LI and/or scripting modules hosted as a container in the clo | > | nified environment to use CLI and/or scripting modules hoste | ||
| > | ud environment. | > | d as a container in the cloud environment. | ||
| STIX Field | Old value | New Value |
|---|---|---|
| description | Adversaries may abuse cloud APIs to execute malicious commands. APIs available in cloud environments provide various functionalities and are a feature-rich method for programmatic access to nearly all aspects of a tenant. These APIs may be utilized through various methods such as command line interpreters (CLIs), in-browser Cloud Shells, [PowerShell](https://attack.mitre.org/techniques/T1059/001) modules like Azure for PowerShell(Citation: A), or software developer kits (SDKs) available for languages such as [Python](https://attack.mitre.org/techniques/T1059/006). Cloud API functionality may allow for administrative access across all major services in a tenant such as compute, storage, identity and access management (IAM), networking, and security policies. With proper permissions (often via use of credentials such as [Application Access Token](https://attack.mitre.org/techniques/T1550/001) and [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004)), adversaries may abuse cloud APIs to invoke various functions that execute malicious actions. For example, CLI and PowerShell functionality may be accessed through binaries installed on cloud-hosted or on-premises hosts or accessed through a browser-based cloud shell offered by many cloud platforms (such as AWS, Azure, and GCP). These cloud shells are often a packaged unified environment to use CLI and/or scripting modules hosted as a container in the cloud environment. | Adversaries may abuse cloud APIs to execute malicious commands. APIs available in cloud environments provide various functionalities and are a feature-rich method for programmatic access to nearly all aspects of a tenant. These APIs may be utilized through various methods such as command line interpreters (CLIs), in-browser Cloud Shells, [PowerShell](https://attack.mitre.org/techniques/T1059/001) modules like Azure for PowerShell(Citation: Microsoft - Azure PowerShell), or software developer kits (SDKs) available for languages such as [Python](https://attack.mitre.org/techniques/T1059/006). Cloud API functionality may allow for administrative access across all major services in a tenant such as compute, storage, identity and access management (IAM), networking, and security policies. With proper permissions (often via use of credentials such as [Application Access Token](https://attack.mitre.org/techniques/T1550/001) and [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004)), adversaries may abuse cloud APIs to invoke various functions that execute malicious actions. For example, CLI and PowerShell functionality may be accessed through binaries installed on cloud-hosted or on-premises hosts or accessed through a browser-based cloud shell offered by many cloud platforms (such as AWS, Azure, and GCP). These cloud shells are often a packaged unified environment to use CLI and/or scripting modules hosted as a container in the cloud environment. |
| external_references[1]['source_name'] | A | Microsoft - Azure PowerShell |
Current version: 1.3
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2023-04-11 20:33:55.356000+00:00 | 2023-05-04 18:01:44.086000+00:00 |
| x_mitre_contributors[2] | Thanabodi | Thanabodi Phrakhun, I-SECURE |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2023-04-11 01:18:10.369000+00:00 | 2023-05-04 18:07:16.804000+00:00 |
| x_mitre_contributors[0] | Filip Kafka, ESET | ESET |
| x_mitre_data_sources[2] | Windows Registry: Windows Registry Key Access | Process: Process Creation |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_data_sources | Windows Registry: Windows Registry Key Access |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_contributors | Zuzana Legáthová, ESET | |
| x_mitre_contributors | Miroslav Babiš, ESET | |
| x_mitre_data_sources | Process: Process Creation |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_network_requirements | False |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2023-04-14 20:36:09.042000+00:00 | 2023-05-04 18:00:33.023000+00:00 |
| x_mitre_contributors[0] | Kuessner Consulting | Harun Küßner |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2023-03-24 13:51:48.636000+00:00 | 2023-05-04 18:06:40.829000+00:00 |
| x_mitre_data_sources[0] | Windows Registry: Windows Registry Key Creation | WMI: WMI Creation |
| x_mitre_data_sources[1] | WMI: WMI Creation | Windows Registry: Windows Registry Key Creation |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_contributors | Xavier Rousseau |
Current version: 1.3
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2023-04-12 21:35:48.084000+00:00 | 2023-05-04 18:05:16.877000+00:00 |
| x_mitre_contributors[0] | Dylan | Dylan Silva, AWS Security |
| x_mitre_data_sources[1] | Web Credential: Web Credential Creation | Logon Session: Logon Session Creation |
| x_mitre_data_sources[2] | Logon Session: Logon Session Creation | Web Credential: Web Credential Creation |
Current version: 1.2
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2023-04-14 23:09:55.976000+00:00 | 2023-05-04 18:05:57.725000+00:00 |
| x_mitre_contributors[2] | Pallavi Sivakumaran | Pallavi Sivakumaran, WithSecure |
| x_mitre_data_sources[0] | Command: Command Execution | Process: Process Creation |
| x_mitre_data_sources[1] | Windows Registry: Windows Registry Key Modification | Command: Command Execution |
| x_mitre_data_sources[3] | Process: Process Creation | Windows Registry: Windows Registry Key Modification |
| x_mitre_data_sources[5] | File: File Deletion | Service: Service Metadata |
| x_mitre_data_sources[6] | Service: Service Metadata | File: File Deletion |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2023-04-11 03:16:05.019000+00:00 | 2023-05-04 18:02:51.318000+00:00 |
| x_mitre_data_sources[1] | Windows Registry: Windows Registry Key Creation | File: File Creation |
| x_mitre_data_sources[3] | File: File Creation | Windows Registry: Windows Registry Key Creation |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_contributors | Jai Minton |
Current version: 1.0
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may attempt to infect project files with malicio | t | 1 | Adversaries may attempt to infect project files with malicio |
| > | us code. These project files may consist of objects, program | > | us code. These project files may consist of objects, program | ||
| > | organization units, variables such as tags, documentation, | > | organization units, variables such as tags, documentation, | ||
| > | and other configurations needed for PLC programs to function | > | and other configurations needed for PLC programs to function | ||
| > | . (Citation: Beckhoff) Using built in functions of the engin | > | . (Citation: Beckhoff) Using built in functions of the engin | ||
| > | eering software, adversaries may be able to download an infe | > | eering software, adversaries may be able to download an infe | ||
| > | cted program to a PLC in the operating environment enabling | > | cted program to a PLC in the operating environment enabling | ||
| > | further [execution](http://attacksite.mitre.org/tactics/TA01 | > | further [Execution](https://attack.mitre.org/tactics/TA0104) | ||
| > | 04/) and [persistence](http://attacksite.mitre.org/tactics/T | > | and [Persistence](https://attack.mitre.org/tactics/TA0110) | ||
| > | A0110/) techniques. (Citation: PLCdev) Adversaries may exp | > | techniques. (Citation: PLCdev) Adversaries may export thei | ||
| > | ort their own code into project files with conditions to exe | > | r own code into project files with conditions to execute at | ||
| > | cute at specific intervals. (Citation: Nicolas Falliere, Lia | > | specific intervals. (Citation: Nicolas Falliere, Liam O Murc | ||
| > | m O Murchu, Eric Chien February 2011) Malicious programs all | > | hu, Eric Chien February 2011) Malicious programs allow adver | ||
| > | ow adversaries control of all aspects of the process enabled | > | saries control of all aspects of the process enabled by the | ||
| > | by the PLC. Once the project file is downloaded to a PLC th | > | PLC. Once the project file is downloaded to a PLC the workst | ||
| > | e workstation device may be disconnected with the infected p | > | ation device may be disconnected with the infected project f | ||
| > | roject file still executing. (Citation: PLCdev) | > | ile still executing. (Citation: PLCdev) | ||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2023-03-09 18:38:51.471000+00:00 | 2023-05-08 18:58:24.092000+00:00 |
| description | Adversaries may attempt to infect project files with malicious code. These project files may consist of objects, program organization units, variables such as tags, documentation, and other configurations needed for PLC programs to function. (Citation: Beckhoff) Using built in functions of the engineering software, adversaries may be able to download an infected program to a PLC in the operating environment enabling further [execution](http://attacksite.mitre.org/tactics/TA0104/) and [persistence](http://attacksite.mitre.org/tactics/TA0110/) techniques. (Citation: PLCdev) Adversaries may export their own code into project files with conditions to execute at specific intervals. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) Malicious programs allow adversaries control of all aspects of the process enabled by the PLC. Once the project file is downloaded to a PLC the workstation device may be disconnected with the infected project file still executing. (Citation: PLCdev) | Adversaries may attempt to infect project files with malicious code. These project files may consist of objects, program organization units, variables such as tags, documentation, and other configurations needed for PLC programs to function. (Citation: Beckhoff) Using built in functions of the engineering software, adversaries may be able to download an infected program to a PLC in the operating environment enabling further [Execution](https://attack.mitre.org/tactics/TA0104) and [Persistence](https://attack.mitre.org/tactics/TA0110) techniques. (Citation: PLCdev) Adversaries may export their own code into project files with conditions to execute at specific intervals. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) Malicious programs allow adversaries control of all aspects of the process enabled by the PLC. Once the project file is downloaded to a PLC the workstation device may be disconnected with the infected project file still executing. (Citation: PLCdev) |
| x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2023-04-17 21:45:00.661000+00:00 | 2023-05-01 17:05:56.388000+00:00 |
| x_mitre_contributors[2] | Inna Danilevich, U.S Bank | Inna Danilevich, U.S. Bank |
Current version: 1.1
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2023-04-14 14:37:59.896000+00:00 | 2023-05-01 17:05:20.902000+00:00 |
| x_mitre_contributors[1] | Inna Danilevich, U.S Bank | Inna Danilevich, U.S. Bank |