These ATT&CK Navigator layer files can be uploaded to ATT&CK Navigator manually.
This JSON file contains the machine readable output used to create this page: changelog.json
Current version: 1.0
Description: An adversary may add additional roles or permissions to an adversary-controlled user or service account to maintain persistent access to a container orchestration system. For example, an adversary with sufficient permissions may create a RoleBinding or a ClusterRoleBinding to bind a Role or ClusterRole to a Kubernetes account.(Citation: Kubernetes RBAC)(Citation: Aquasec Kubernetes Attack 2023) Where attribute-based access control (ABAC) is in use, an adversary with sufficient permissions may modify a Kubernetes ABAC policy to give the target account additional permissions.(Citation: Kuberentes ABAC) This account modification may immediately follow [Create Account](https://attack.mitre.org/techniques/T1136) or other malicious account activity. Adversaries may also modify existing [Valid Accounts](https://attack.mitre.org/techniques/T1078) that they have compromised. Note that where container orchestration systems are deployed in cloud environments, as with Google Kubernetes Engine, Amazon Elastic Kubernetes Service, and Azure Kubernetes Service, cloud-based role-based access control (RBAC) assignments or ABAC policies can often be used in place of or in addition to local permission assignments.(Citation: Google Cloud Kubernetes IAM)(Citation: AWS EKS IAM Roles for Service Accounts)(Citation: Microsoft Azure Kubernetes Service Service Accounts) In these cases, this technique may be used in conjunction with [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003).
Current version: 1.0
Description: An adversary may attempt to evade process tree-based analysis by modifying executed malware's parent process ID (PPID). If endpoint protection software leverages the "parent-child" relationship for detection, breaking this relationship could result in the adversary's behavior not being associated with previous process tree activity. On Unix-based systems breaking this process tree is common practice for administrators to execute software using scripts and programs.(Citation: 3OHA double-fork 2022) On Linux systems, adversaries may execute a series of [Native API](https://attack.mitre.org/techniques/T1106) calls to alter malware's process tree. For example, adversaries can execute their payload without any arguments, call the `fork()` API call twice, then have the parent process exit. This creates a grandchild process with no parent process that is immediately adopted by the `init` system process (PID 1), which successfully disconnects the execution of the adversary's payload from its previous process tree. Another example is using the "daemon" syscall to detach from the current parent process and run in the background.(Citation: Sandfly BPFDoor 2022)(Citation: Microsoft XorDdos Linux Stealth 2022)
Current version: 1.0
Description: Adversaries may acquire credentials from cloud-native secret management solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, and Terraform Vault. Secrets managers support the secure centralized management of passwords, API keys, and other credential material. Where secrets managers are in use, cloud services can dynamically acquire credentials via API requests rather than accessing secrets insecurely stored in plain text files or environment variables. If an adversary is able to gain sufficient privileges in a cloud environment – for example, by obtaining the credentials of high-privileged [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004) or compromising a service that has permission to retrieve secrets – they may be able to request secrets from the secrets manager. This can be accomplished via commands such as `get-secret-value` in AWS, `gcloud secrets describe` in GCP, and `az keyvault secret show` in Azure.(Citation: Permiso Scattered Spider 2023)(Citation: Sysdig ScarletEel 2.0 2023)(Citation: AWS Secrets Manager)(Citation: Google Cloud Secrets)(Citation: Microsoft Azure Key Vault) **Note:** this technique is distinct from [Cloud Instance Metadata API](https://attack.mitre.org/techniques/T1552/005) in that the credentials are being directly requested from the cloud secrets manager, rather than through the medium of the instance metadata API.
Current version: 1.0
Description: Adversaries may gain access and continuously communicate with victims by injecting malicious content into systems through online network traffic. Rather than luring victims to malicious payloads hosted on a compromised website (i.e., [Drive-by Target](https://attack.mitre.org/techniques/T1608/004) followed by [Drive-by Compromise](https://attack.mitre.org/techniques/T1189)), adversaries may initially access victims through compromised data-transfer channels where they can manipulate traffic and/or inject their own content. These compromised online network channels may also be used to deliver additional payloads (i.e., [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) and other data to already compromised systems.(Citation: ESET MoustachedBouncer)

Adversaries may inject content to victim systems in various ways, including:

* From the middle, where the adversary is in-between legitimate online client-server communications (**Note:** this is similar but distinct from [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557), which describes AiTM activity solely within an enterprise environment) (Citation: Kaspersky Encyclopedia MiTM)
* From the side, where malicious content is injected and races to the client as a fake response to requests of a legitimate online server (Citation: Kaspersky ManOnTheSide)

Content injection is often the result of compromised upstream communication channels, for example at the level of an internet service provider (ISP) as is the case with "lawful interception."(Citation: Kaspersky ManOnTheSide)(Citation: ESET MoustachedBouncer)(Citation: EFF China GitHub Attack)
Current version: 1.0
Description: Adversaries may leverage [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log directly into accessible cloud hosted compute infrastructure through cloud native methods. Many cloud providers offer interactive connections to virtual infrastructure that can be accessed through the [Cloud API](https://attack.mitre.org/techniques/T1059/009), such as Azure Serial Console(Citation: Azure Serial Console), AWS EC2 Instance Connect(Citation: EC2 Instance Connect)(Citation: lucr-3: Getting SaaS-y in the cloud), and AWS System Manager.(Citation: AWS System Manager) Methods of authentication for these connections can include passwords, application access tokens, or SSH keys. These cloud native methods may, by default, allow for privileged access on the host with SYSTEM or root level access. Adversaries may utilize these cloud native methods to directly access virtual infrastructure and pivot through an environment.(Citation: SIM Swapping and Abuse of the Microsoft Azure Serial Console) These connections typically provide direct console access to the VM rather than the execution of scripts (i.e., [Cloud Administration Command](https://attack.mitre.org/techniques/T1651)).
Current version: 1.0
Description: Adversaries may disable or modify the Linux audit system to hide malicious activity and avoid detection. Linux admins use the Linux Audit system to track security-relevant information on a system. The Linux Audit system operates at the kernel-level and maintains event logs on application and system activity such as process, network, file, and login events based on pre-configured rules. Often referred to as `auditd`, this is the name of the daemon used to write events to disk and is governed by the parameters set in the `audit.conf` configuration file. Two primary ways to configure the log generation rules are through the command line `auditctl` utility and the file `/etc/audit/audit.rules`, containing a sequence of `auditctl` commands loaded at boot time.(Citation: Red Hat System Auditing)(Citation: IzyKnows auditd threat detection 2022) With root privileges, adversaries may be able to ensure their activity is not logged through disabling the Audit system service, editing the configuration/rule files, or by hooking the Audit system library functions. Using the command line, adversaries can disable the Audit system service through killing processes associated with `auditd` daemon or use `systemctl` to stop the Audit service. Adversaries can also hook Audit system functions to disable logging or modify the rules contained in the `/etc/audit/audit.rules` or `audit.conf` files to ignore malicious activity.(Citation: Trustwave Honeypot SkidMap 2023)(Citation: ESET Ebury Feb 2014)
Current version: 1.0
Description: Adversaries may exfiltrate data to a webhook endpoint rather than over their primary command and control channel. Webhooks are simple mechanisms for allowing a server to push data over HTTP/S to a client without the need for the client to continuously poll the server.(Citation: RedHat Webhooks) Many public and commercial services, such as Discord, Slack, and `webhook.site`, support the creation of webhook endpoints that can be used by other services, such as GitHub, Jira, or Trello.(Citation: Discord Intro to Webhooks) When changes happen in the linked services (such as pushing a repository update or modifying a ticket), these services will automatically post the data to the webhook endpoint for use by the consuming application. Adversaries may link an adversary-owned environment to a victim-owned SaaS service to achieve repeated [Automated Exfiltration](https://attack.mitre.org/techniques/T1020) of emails, chat messages, and other data.(Citation: Push Security SaaS Attacks Repository Webhooks) Alternatively, instead of linking the webhook endpoint to a service, an adversary can manually post staged data directly to the URL in order to exfiltrate it.(Citation: Microsoft SQL Server) Access to webhook endpoints is often over HTTPS, which gives the adversary an additional level of protection. Exfiltration leveraging webhooks can also blend in with normal network traffic if the webhook endpoint points to a commonly used SaaS application or collaboration service.(Citation: CyberArk Labs Discord)(Citation: Talos Discord Webhook Abuse)(Citation: Checkmarx Webhooks)
Current version: 1.0
Description: Adversaries may steal monetary resources from targets through extortion, social engineering, technical theft, or other methods aimed at their own financial gain at the expense of the availability of these resources for victims. Financial theft is the ultimate objective of several popular campaign types including extortion by ransomware,(Citation: FBI-ransomware) business email compromise (BEC) and fraud,(Citation: FBI-BEC) "pig butchering,"(Citation: wired-pig butchering) bank hacking,(Citation: DOJ-DPRK Heist) and exploiting cryptocurrency networks.(Citation: BBC-Ronin) Adversaries may [Compromise Accounts](https://attack.mitre.org/techniques/T1586) to conduct unauthorized transfers of funds.(Citation: Internet crime report 2022) In the case of business email compromise or email fraud, an adversary may utilize [Impersonation](https://attack.mitre.org/techniques/T1656) of a trusted entity. Once the social engineering is successful, victims can be deceived into sending money to financial accounts controlled by an adversary.(Citation: FBI-BEC) This creates the potential for multiple victims (i.e., compromised accounts as well as the ultimate monetary loss) in incidents involving financial theft.(Citation: VEC) Extortion by ransomware may occur, for example, when an adversary demands payment from a victim after [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) (Citation: NYT-Colonial) and [Exfiltration](https://attack.mitre.org/tactics/TA0010) of data, followed by threatening public exposure unless payment is made to the adversary.(Citation: Mandiant-leaks) Due to the potentially immense business impact of financial theft, an adversary may abuse the possibility of financial theft and seeking monetary gain to divert attention from their true goals such as [Data Destruction](https://attack.mitre.org/techniques/T1485) and business disruption.(Citation: AP-NotPetya)
Current version: 1.0
Description: Adversaries may evade defensive mechanisms by executing commands that hide from process interrupt signals. Many operating systems use signals to deliver messages to control process behavior. Command interpreters often include specific commands/flags that ignore errors and other hangups, such as when the user of the active session logs off.(Citation: Linux Signal Man) These interrupt signals may also be used by defensive tools and/or analysts to pause or terminate specified running processes. Adversaries may invoke processes using `nohup`, [PowerShell](https://attack.mitre.org/techniques/T1059/001) `-ErrorAction SilentlyContinue`, or similar commands that may be immune to hangups.(Citation: nohup Linux Man)(Citation: Microsoft PowerShell SilentlyContinue) This may enable malicious commands and malware to continue execution through system events that would otherwise terminate its execution, such as users logging off or the termination of its C2 network connection. Hiding from process interrupt signals may allow malware to continue execution, but unlike [Trap](https://attack.mitre.org/techniques/T1546/005) this does not establish [Persistence](https://attack.mitre.org/tactics/TA0003) since the process will not be re-invoked once actually terminated.
Current version: 1.0
Description: Adversaries may impersonate a trusted person or organization in order to persuade and trick a target into performing some action on their behalf. For example, adversaries may communicate with victims (via [Phishing for Information](https://attack.mitre.org/techniques/T1598), [Phishing](https://attack.mitre.org/techniques/T1566), or [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)) while impersonating a known sender such as an executive, colleague, or third-party vendor. Established trust can then be leveraged to accomplish an adversary’s ultimate goals, possibly against multiple victims. In many cases of business email compromise or email fraud campaigns, adversaries use impersonation to defraud victims -- deceiving them into sending money or divulging information that ultimately enables [Financial Theft](https://attack.mitre.org/techniques/T1657). Adversaries will often also use social engineering techniques such as manipulative and persuasive language in email subject lines and body text such as `payment`, `request`, or `urgent` to push the victim to act quickly before malicious activity is detected. These campaigns are often specifically targeted against people who, due to job roles and/or accesses, can carry out the adversary’s goal. Impersonation is typically preceded by reconnaissance techniques such as [Gather Victim Identity Information](https://attack.mitre.org/techniques/T1589) and [Gather Victim Org Information](https://attack.mitre.org/techniques/T1591) as well as acquiring infrastructure such as email domains (i.e. [Domains](https://attack.mitre.org/techniques/T1583/001)) to substantiate their false identity.(Citation: CrowdStrike-BEC) There is the potential for multiple victims in campaigns involving impersonation. For example, an adversary may [Compromise Accounts](https://attack.mitre.org/techniques/T1586) targeting one organization which can then be used to support impersonation against other entities.(Citation: VEC)
Current version: 1.0
Description: Adversaries may smuggle commands to download malicious payloads past content filters by hiding them within otherwise seemingly benign Windows shortcut files. Windows shortcut files (.LNK) include many metadata fields, including an icon location field (also known as the `IconEnvironmentDataBlock`) designed to specify the path to an icon file that is to be displayed for the LNK file within a host directory. Adversaries may abuse this LNK metadata to download malicious payloads. For example, adversaries have been observed using LNK files as phishing payloads to deliver malware. Once invoked (e.g., [Malicious File](https://attack.mitre.org/techniques/T1204/002)), payloads referenced via external URLs within the LNK icon location field may be downloaded. These files may also then be invoked by [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)/[System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218) arguments within the target path field of the LNK.(Citation: Unprotect Shortcut)(Citation: Booby Trap Shortcut 2017) LNK Icon Smuggling may also be utilized post compromise, such as malicious scripts executing an LNK on an infected host to download additional malicious payloads.
Current version: 1.0
Description: Adversaries may enumerate system and service logs to find useful data. These logs may highlight various types of valuable insights for an adversary, such as user authentication records ([Account Discovery](https://attack.mitre.org/techniques/T1087)), security or vulnerable software ([Software Discovery](https://attack.mitre.org/techniques/T1518)), or hosts within a compromised network ([Remote System Discovery](https://attack.mitre.org/techniques/T1018)). Host binaries may be leveraged to collect system logs. Examples include using `wevtutil.exe` or [PowerShell](https://attack.mitre.org/techniques/T1059/001) on Windows to access and/or export security event information.(Citation: WithSecure Lazarus-NoPineapple Threat Intel Report 2023)(Citation: Cadet Blizzard emerges as novel threat actor) In cloud environments, adversaries may leverage utilities such as the Azure VM Agent’s `CollectGuestLogs.exe` to collect security logs from cloud hosted infrastructure.(Citation: SIM Swapping and Abuse of the Microsoft Azure Serial Console) Adversaries may also target centralized logging infrastructure such as SIEMs. Logs may also be bulk exported and sent to adversary-controlled infrastructure for offline analysis.
Current version: 1.0
Description: Adversaries may modify settings that directly affect the size, locations, and resources available to cloud compute infrastructure in order to evade defenses. These settings may include service quotas, subscription associations, tenant-wide policies, or other configurations that impact available compute. Such modifications may allow adversaries to abuse the victim’s compute resources to achieve their goals, potentially without affecting the execution of running instances and/or revealing their activities to the victim. For example, cloud providers often limit customer usage of compute resources via quotas. Customers may request adjustments to these quotas to support increased computing needs, though these adjustments may require approval from the cloud provider. Adversaries who compromise a cloud environment may similarly request quota adjustments in order to support their activities, such as enabling additional [Resource Hijacking](https://attack.mitre.org/techniques/T1496) without raising suspicion by using up a victim’s entire quota.(Citation: Microsoft Cryptojacking 2023) Adversaries may also increase allowed resource usage by modifying any tenant-wide policies that limit the sizes of deployed virtual machines.(Citation: Microsoft Azure Policy) Adversaries may also modify settings that affect where cloud resources can be deployed, such as enabling [Unused/Unsupported Cloud Regions](https://attack.mitre.org/techniques/T1535). 
In Azure environments, an adversary who has gained access to a Global Administrator account may create new subscriptions in which to deploy resources, or engage in subscription hijacking by transferring an existing pay-as-you-go subscription from a victim tenant to an adversary-controlled tenant.(Citation: Microsoft Peach Sandstorm 2023) This will allow the adversary to use the victim’s compute resources without generating logs on the victim tenant.(Citation: Microsoft Azure Policy) (Citation: Microsoft Subscription Hijacking 2022)
Current version: 1.0
Description: Adversaries may impair a system's ability to hibernate, reboot, or shut down in order to extend access to infected machines. When a computer enters a dormant state, some or all software and hardware may cease to operate which can disrupt malicious activity.(Citation: Sleep, shut down, hibernate) Adversaries may abuse system utilities and configuration settings to maintain access by preventing machines from entering a state, such as standby, that can terminate malicious activity.(Citation: Microsoft: Powercfg command-line options)(Citation: systemdsleep Linux) For example, `powercfg` controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.(Citation: Two New Monero Malware Attacks Target Windows and Android Users) Adversaries may also extend system lock screen timeout settings.(Citation: BATLOADER: The Evasive Downloader Malware) Other relevant settings, such as disk and hibernate timeout, can be similarly abused to keep the infected machine running even if no user is active.(Citation: CoinLoader: A Sophisticated Malware Loader Campaign) Aware that some malware cannot survive system reboots, adversaries may entirely delete files used to invoke system shut down or reboot.(Citation: Condi-Botnet-binaries)
Current version: 1.0
Description: Adversaries may use voice communications to ultimately gain access to victim systems. Spearphishing voice is a specific variant of spearphishing. It is different from other forms of spearphishing in that it relies on manipulating a user into providing access to systems through a phone call or other forms of voice communications. Spearphishing frequently involves social engineering techniques, such as posing as a trusted source (ex: [Impersonation](https://attack.mitre.org/techniques/T1656)) and/or creating a sense of urgency or alarm for the recipient. All forms of phishing are electronically delivered social engineering. In this scenario, adversaries are not directly sending malware to a victim but instead rely on [User Execution](https://attack.mitre.org/techniques/T1204) for delivery and execution. For example, victims may receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware,(Citation: sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software) or install adversary-accessible remote management tools ([Remote Access Software](https://attack.mitre.org/techniques/T1219)) onto their computer.(Citation: Unit42 Luna Moth) Adversaries may also combine voice phishing with [Multi-Factor Authentication Request Generation](https://attack.mitre.org/techniques/T1621) in order to trick users into divulging MFA credentials or accepting authentication prompts.(Citation: Proofpoint Vishing)
Current version: 1.0
Description: Adversaries may use voice communications to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Impersonation](https://attack.mitre.org/techniques/T1656)) and/or creating a sense of urgency or alarm for the recipient. All forms of phishing are electronically delivered social engineering. In this scenario, adversaries use phone calls to elicit sensitive information from victims. Known as voice phishing (or "vishing"), these communications can be manually executed by adversaries, hired call centers, or even automated via robocalls. Voice phishers may spoof their phone number while also posing as a trusted entity, such as a business partner or technical support staff.(Citation: BOA Telephone Scams) Victims may also receive phishing messages that direct them to call a phone number ("callback phishing") where the adversary attempts to collect confidential information.(Citation: Avertium callback phishing) Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to tailor pretexts to be even more persuasive and believable for the victim.
Current version: 1.0
Description: Adversaries may abuse permission configurations that allow them to gain temporarily elevated access to cloud resources. Many cloud environments allow administrators to grant user or service accounts permission to request just-in-time access to roles, impersonate other accounts, pass roles onto resources and services, or otherwise gain short-term access to a set of privileges that may be distinct from their own. Just-in-time access is a mechanism for granting additional roles to cloud accounts in a granular, temporary manner. This allows accounts to operate with only the permissions they need on a daily basis, and to request additional permissions as necessary. Sometimes just-in-time access requests are configured to require manual approval, while other times the desired permissions are automatically granted.(Citation: Google Cloud Just in Time Access 2023)(Citation: Azure Just in Time Access 2023) Account impersonation allows user or service accounts to temporarily act with the permissions of another account. For example, in GCP users with the `iam.serviceAccountTokenCreator` role can create temporary access tokens or sign arbitrary payloads with the permissions of a service account.(Citation: Google Cloud Service Account Authentication Roles) In Exchange Online, the `ApplicationImpersonation` role allows a service account to use the permissions associated with specified user accounts.(Citation: Microsoft Impersonation and EWS in Exchange) Many cloud environments also include mechanisms for users to pass roles to resources that allow them to perform tasks and authenticate to other services. While the user that creates the resource does not directly assume the role they pass to it, they may still be able to take advantage of the role's access -- for example, by configuring the resource to perform certain actions with the permissions it has been granted. 
In AWS, users with the `PassRole` permission can allow a service they create to assume a given role, while in GCP, users with the `iam.serviceAccountUser` role can attach a service account to a resource.(Citation: AWS PassRole)(Citation: Google Cloud Service Account Authentication Roles) While users require specific role assignments in order to use any of these features, cloud administrators may misconfigure permissions. This could result in escalation paths that allow adversaries to gain access to resources beyond what was originally intended.(Citation: Rhino Google Cloud Privilege Escalation)(Citation: Rhino Security Labs AWS Privilege Escalation) **Note:** this technique is distinct from [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003), which involves assigning permanent roles to accounts rather than abusing existing permissions structures to gain temporarily elevated access to resources. However, adversaries that compromise a sufficiently privileged account may grant another account they control [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003) that would allow them to also abuse these features. This may also allow for greater stealth than would be had by directly using the highly privileged account, especially when logs do not clarify when role impersonation is taking place.(Citation: CrowdStrike StellarParticle January 2022)
Current version: 1.0
Description: Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems. Adversaries may use Wi-Fi information as part of [Account Discovery](https://attack.mitre.org/techniques/T1087), [Remote System Discovery](https://attack.mitre.org/techniques/T1018), and other discovery or [Credential Access](https://attack.mitre.org/tactics/TA0006) activity to support both ongoing and future campaigns. Adversaries may collect various types of information about Wi-Fi networks from hosts. For example, on Windows the names and passwords of all Wi-Fi networks a device has previously connected to may be available through `netsh wlan show profiles` to enumerate Wi-Fi names and then `netsh wlan show profile "Wi-Fi name" key=clear` to show a Wi-Fi network's corresponding password.(Citation: BleepingComputer Agent Tesla steal wifi passwords)(Citation: Malware Bytes New AgentTesla variant steals WiFi credentials)(Citation: Check Point APT35 CharmPower January 2022) Additionally, names and other details of locally reachable Wi-Fi networks can be discovered using calls to `wlanAPI.dll` [Native API](https://attack.mitre.org/techniques/T1106) functions.(Citation: Binary Defense Emotes Wi-Fi Spreader) On Linux, names and passwords of all Wi-Fi networks a device has previously connected to may be available in files under `/etc/NetworkManager/system-connections/`.(Citation: Wi-Fi Password of All Connected Networks in Windows/Linux) On macOS, the password of a known Wi-Fi may be identified with `security find-generic-password -wa wifiname` (requires admin username/password).(Citation: Find Wi-Fi Password on Mac)
Current version: 2.0
Version changed from: 1.3 → 2.0
Old Description | New Description |
---|---|
An adversary may disable cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable logging to avoid detection of their activities. For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.(Citation: Following the CloudTrail: Generating strong AWS security signals with Sumo Logic) In Office 365, an adversary may disable logging on mail collection activities for specific users by using the `Set-MailboxAuditBypassAssociation` cmdlet, by disabling M365 Advanced Auditing for the user, or by downgrading the user’s license from an Enterprise E5 to an Enterprise E3 license.(Citation: Dark Reading Microsoft 365 Attacks 2021) | An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable or modify logging to avoid detection of their activities. For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.(Citation: Following the CloudTrail: Generating strong AWS security signals with Sumo Logic) They may alternatively tamper with logging functionality – for example, by removing any associated SNS topics, disabling multi-region logging, or disabling settings that validate and/or encrypt log files.(Citation: AWS Update Trail)(Citation: Pacu Detection Disruption Module) In Office 365, an adversary may disable logging on mail collection activities for specific users by using the `Set-MailboxAuditBypassAssociation` cmdlet, by disabling M365 Advanced Auditing for the user, or by downgrading the user’s license from an Enterprise E5 to an Enterprise E3 license.(Citation: Dark Reading Microsoft 365 Attacks 2021) |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-20 18:13:50.277000+00:00 | 2023-10-15 10:47:17.305000+00:00 |
name | Disable Cloud Logs | Disable or Modify Cloud Logs |
description | An adversary may disable cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable logging to avoid detection of their activities. For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.(Citation: Following the CloudTrail: Generating strong AWS security signals with Sumo Logic) In Office 365, an adversary may disable logging on mail collection activities for specific users by using the `Set-MailboxAuditBypassAssociation` cmdlet, by disabling M365 Advanced Auditing for the user, or by downgrading the user’s license from an Enterprise E5 to an Enterprise E3 license.(Citation: Dark Reading Microsoft 365 Attacks 2021) | An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable or modify logging to avoid detection of their activities. For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.(Citation: Following the CloudTrail: Generating strong AWS security signals with Sumo Logic) They may alternatively tamper with logging functionality – for example, by removing any associated SNS topics, disabling multi-region logging, or disabling settings that validate and/or encrypt log files.(Citation: AWS Update Trail)(Citation: Pacu Detection Disruption Module) In Office 365, an adversary may disable logging on mail collection activities for specific users by using the `Set-MailboxAuditBypassAssociation` cmdlet, by disabling M365 Advanced Auditing for the user, or by downgrading the user’s license from an Enterprise E5 to an Enterprise E3 license.(Citation: Dark Reading Microsoft 365 Attacks 2021) |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.3 | 2.0 |
STIX Field | Old value | New Value |
---|---|---|
external_references | {'source_name': 'AWS Update Trail', 'description': 'AWS. (n.d.). update-trail. Retrieved August 4, 2023.', 'url': 'https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/update-trail.html'} | |
external_references | {'source_name': 'Pacu Detection Disruption Module', 'description': 'Rhino Security Labs. (2021, April 29). Pacu Detection Disruption Module. Retrieved August 4, 2023.', 'url': 'https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/detection__disruption/main.py'} |
Current version: 2.0
Version changed from: 1.2 → 2.0
Old Description | New Description | ||||
---|---|---|---|---|---|
t | 1 | Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level. Placing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is <code>C:\Users\\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup</code>. The startup folder path for all users is <code>C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp</code>. The following run keys are created by default on Windows systems: * <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run</code> * <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce</code> * <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</code> * <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</code> Run keys may exist under multiple hives.(Citation: Microsoft Wow6432Node 2018)(Citation: Malwarebytes Wow6432Node 2016) The <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</code> is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency.(Citation: Microsoft Run Key) For example, it is possible to load a DLL at logon using a "Depend" key with RunOnceEx: <code>reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil[.]dll"</code> (Citation: Oddvar Moe RunOnceEx Mar 2018) The following Registry keys can be used to set startup folder items for persistence: * <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders</code> * <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders</code> * <code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders</code> * <code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders</code> The following Registry keys can control automatic startup of services during boot: * <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</code> * <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</code> * <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices</code> * <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices</code> Using policy settings to specify startup programs creates corresponding values in either of two Registry keys: * <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</code> * <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</code> The Winlogon key controls actions that occur when a user logs on to a computer running Windows 7. Most of these actions are under the control of the operating system, but you can also add custom actions here. The <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit</code> and <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell</code> subkeys can automatically launch programs. Programs listed in the load value of the registry key <code>HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows</code> run when any user logs on. By default, the multistring <code>BootExecute</code> value of the registry key <code>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager</code> is set to <code>autocheck autochk *</code>. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot. Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs. | t | 1 | Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level. The following run keys are created by default on Windows systems: * <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run</code> * <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce</code> * <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</code> * <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</code> Run keys may exist under multiple hives.(Citation: Microsoft Wow6432Node 2018)(Citation: Malwarebytes Wow6432Node 2016) The <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</code> is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency.(Citation: Microsoft Run Key) For example, it is possible to load a DLL at logon using a "Depend" key with RunOnceEx: <code>reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil[.]dll"</code> (Citation: Oddvar Moe RunOnceEx Mar 2018) Placing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is <code>C:\Users\\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup</code>. The startup folder path for all users is <code>C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp</code>. The following Registry keys can be used to set startup folder items for persistence: * <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders</code> * <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders</code> * <code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders</code> * <code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders</code> The following Registry keys can control automatic startup of services during boot: * <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</code> * <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</code> * <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices</code> * <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices</code> Using policy settings to specify startup programs creates corresponding values in either of two Registry keys: * <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</code> * <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</code> Programs listed in the load value of the registry key <code>HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows</code> run automatically for the currently logged-on user. By default, the multistring <code>BootExecute</code> value of the registry key <code>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager</code> is set to <code>autocheck autochk *</code>. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot. Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs. |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 21:01:52.183000+00:00 | 2023-10-16 09:08:22.319000+00:00 |
description | Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.
Placing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is C:\Users\\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup . The startup folder path for all users is C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp .
The following run keys are created by default on Windows systems:
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
Run keys may exist under multiple hives.(Citation: Microsoft Wow6432Node 2018)(Citation: Malwarebytes Wow6432Node 2016) The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency.(Citation: Microsoft Run Key) For example, it is possible to load a DLL at logon using a "Depend" key with RunOnceEx: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil[.]dll" (Citation: Oddvar Moe RunOnceEx Mar 2018)
The following Registry keys can be used to set startup folder items for persistence:
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
The following Registry keys can control automatic startup of services during boot:
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
Using policy settings to specify startup programs creates corresponding values in either of two Registry keys:
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
The Winlogon key controls actions that occur when a user logs on to a computer running Windows 7. Most of these actions are under the control of the operating system, but you can also add custom actions here. The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell subkeys can automatically launch programs.
Programs listed in the load value of the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows run when any user logs on.
By default, the multistring BootExecute value of the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager is set to autocheck autochk * . This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.
Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs. | Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.
The following run keys are created by default on Windows systems:
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
Run keys may exist under multiple hives.(Citation: Microsoft Wow6432Node 2018)(Citation: Malwarebytes Wow6432Node 2016) The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency.(Citation: Microsoft Run Key) For example, it is possible to load a DLL at logon using a "Depend" key with RunOnceEx: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil[.]dll" (Citation: Oddvar Moe RunOnceEx Mar 2018)
Placing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is C:\Users\\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup . The startup folder path for all users is C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp .
The following Registry keys can be used to set startup folder items for persistence:
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
The following Registry keys can control automatic startup of services during boot:
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
Using policy settings to specify startup programs creates corresponding values in either of two Registry keys:
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Programs listed in the load value of the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows run automatically for the currently logged-on user.
By default, the multistring BootExecute value of the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager is set to autocheck autochk * . This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.
Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs. |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.2 | 2.0 |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_contributors | Harun Küßner |
Current version: 1.2
Version changed from: 1.1 → 1.2
New Mitigations:
New Detections:
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-21 12:35:07.744000+00:00 | 2023-10-02 00:47:11.369000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.1 | 1.2 |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_data_sources | User Account: User Account Modification | |
x_mitre_platforms | Office 365 | |
x_mitre_platforms | IaaS | |
x_mitre_platforms | Google Workspace | |
x_mitre_platforms | Azure AD |
Current version: 2.6
Version changed from: 2.5 → 2.6
Old Description | New Description | ||||
---|---|---|---|---|---|
t | 1 | Adversaries may manipulate accounts to maintain access to victim systems. Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged [Valid Accounts](https://attack.mitre.org/techniques/T1078). | t | 1 | Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged [Valid Accounts](https://attack.mitre.org/techniques/T1078). |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-12 23:29:30.966000+00:00 | 2023-10-16 17:45:54.884000+00:00 |
description | Adversaries may manipulate accounts to maintain access to victim systems. Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged [Valid Accounts](https://attack.mitre.org/techniques/T1078). | Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged [Valid Accounts](https://attack.mitre.org/techniques/T1078). |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 2.5 | 2.6 |
STIX Field | Old value | New Value |
---|---|---|
kill_chain_phases | {'kill_chain_name': 'mitre-attack', 'phase_name': 'privilege-escalation'} | |
x_mitre_contributors | Arad Inbar, Fidelis Security | |
x_mitre_platforms | Containers |
Current version: 1.3
Version changed from: 1.2 → 1.3
Old Description | New Description | ||||
---|---|---|---|---|---|
t | 1 | Adversaries may buy, lease, or rent infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Additionally, botnets are available for rent or purchase. Use of these infrastructure solutions allows adversaries to stage, launch, and execute operations. Solutions may help adversary operations blend in with traffic that is seen as normal, such as contacting third-party web services or acquiring infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090).(Citation: amnesty_nso_pegasus) Depending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down. | t | 1 | Adversaries may buy, lease, or rent infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Additionally, botnets are available for rent or purchase. Use of these infrastructure solutions allows adversaries to stage, launch, and execute operations. Solutions may help adversary operations blend in with traffic that is seen as normal, such as contacting third-party web services or acquiring infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090), including from residential proxy services.(Citation: amnesty_nso_pegasus)(Citation: FBI Proxies Credential Stuffing)(Citation: Mandiant APT29 Microsoft 365 2022) Depending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down. |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-02 21:34:46.139000+00:00 | 2023-10-02 01:10:09.833000+00:00 |
description | Adversaries may buy, lease, or rent infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Additionally, botnets are available for rent or purchase. Use of these infrastructure solutions allows adversaries to stage, launch, and execute operations. Solutions may help adversary operations blend in with traffic that is seen as normal, such as contacting third-party web services or acquiring infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090).(Citation: amnesty_nso_pegasus) Depending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down. | Adversaries may buy, lease, or rent infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Additionally, botnets are available for rent or purchase. Use of these infrastructure solutions allows adversaries to stage, launch, and execute operations. Solutions may help adversary operations blend in with traffic that is seen as normal, such as contacting third-party web services or acquiring infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090), including from residential proxy services.(Citation: amnesty_nso_pegasus)(Citation: FBI Proxies Credential Stuffing)(Citation: Mandiant APT29 Microsoft 365 2022) Depending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down. |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.2 | 1.3 |
STIX Field | Old value | New Value |
---|---|---|
external_references | {'source_name': 'Mandiant APT29 Microsoft 365 2022', 'description': 'Douglas Bienstock. (2022, August 18). You Can’t Audit Me: APT29 Continues Targeting Microsoft 365. Retrieved February 23, 2023.', 'url': 'https://www.mandiant.com/resources/blog/apt29-continues-targeting-microsoft'} | |
external_references | {'source_name': 'FBI Proxies Credential Stuffing', 'description': 'FBI. (2022, August 18). Proxies and Configurations Used for Credential Stuffing Attacks on Online Customer Accounts . Retrieved July 6, 2023.', 'url': 'https://www.ic3.gov/Media/News/2022/220818.pdf'} | |
x_mitre_contributors | Goldstein Menachem |
Current version: 2.6
Version changed from: 2.5 → 2.6
Old Description | New Description | ||||
---|---|---|---|---|---|
t | 1 | Adversaries may add adversary-controlled credentials to a cl | t | 1 | Adversaries may add adversary-controlled credentials to a cl |
> | oud account to maintain persistent access to victim accounts | > | oud account to maintain persistent access to victim accounts | ||
> | and instances within the environment. For example, adversa | > | and instances within the environment. For example, adversa | ||
> | ries may add credentials for Service Principals and Applicat | > | ries may add credentials for Service Principals and Applicat | ||
> | ions in addition to existing legitimate credentials in Azure | > | ions in addition to existing legitimate credentials in Azure | ||
> | AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citat | > | AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citat | ||
> | ion: Blue Cloud of Death)(Citation: Blue Cloud of Death Vide | > | ion: Blue Cloud of Death)(Citation: Blue Cloud of Death Vide | ||
> | o) These credentials include both x509 keys and passwords.(C | > | o) These credentials include both x509 keys and passwords.(C | ||
> | itation: Microsoft SolarWinds Customer Guidance) With suffic | > | itation: Microsoft SolarWinds Customer Guidance) With suffic | ||
> | ient permissions, there are a variety of ways to add credent | > | ient permissions, there are a variety of ways to add credent | ||
> | ials including the Azure Portal, Azure command line interfac | > | ials including the Azure Portal, Azure command line interfac | ||
> | e, and Azure or Az PowerShell modules.(Citation: Demystifyin | > | e, and Azure or Az PowerShell modules.(Citation: Demystifyin | ||
> | g Azure AD Service Principals) In infrastructure-as-a-servi | > | g Azure AD Service Principals) In infrastructure-as-a-servi | ||
> | ce (IaaS) environments, after gaining access through [Cloud | > | ce (IaaS) environments, after gaining access through [Cloud | ||
> | Accounts](https://attack.mitre.org/techniques/T1078/004), ad | > | Accounts](https://attack.mitre.org/techniques/T1078/004), ad | ||
> | versaries may generate or import their own SSH keys using ei | > | versaries may generate or import their own SSH keys using ei | ||
> | ther the <code>CreateKeyPair</code> or <code>ImportKeyPair</ | > | ther the <code>CreateKeyPair</code> or <code>ImportKeyPair</ | ||
> | code> API in AWS or the <code>gcloud compute os-login ssh-ke | > | code> API in AWS or the <code>gcloud compute os-login ssh-ke | ||
> | ys add</code> command in GCP.(Citation: GCP SSH Key Add) Thi | > | ys add</code> command in GCP.(Citation: GCP SSH Key Add) Thi | ||
> | s allows persistent access to instances within the cloud env | > | s allows persistent access to instances within the cloud env | ||
> | ironment without further usage of the compromised cloud acco | > | ironment without further usage of the compromised cloud acco | ||
> | unts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind | > | unts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind | ||
> | the Scenes) Adversaries may also use the <code>CreateAcces | > | the Scenes) Adversaries may also use the <code>CreateAcces | ||
> | sKey</code> API in AWS or the <code>gcloud iam service-accou | > | sKey</code> API in AWS or the <code>gcloud iam service-accou | ||
> | nts keys create</code> command in GCP to add access keys to | > | nts keys create</code> command in GCP to add access keys to | ||
> | an account. If the target account has different permissions | > | an account. If the target account has different permissions | ||
> | from the requesting account, the adversary may also be able | > | from the requesting account, the adversary may also be able | ||
> | to escalate their privileges in the environment (i.e. [Cloud | > | to escalate their privileges in the environment (i.e. [Cloud | ||
> | Accounts](https://attack.mitre.org/techniques/T1078/004)).( | > | Accounts](https://attack.mitre.org/techniques/T1078/004)).( | ||
> | Citation: Rhino Security Labs AWS Privilege Escalation) In | > | Citation: Rhino Security Labs AWS Privilege Escalation)(Cita | ||
> | AWS environments, adversaries with the appropriate permissio | > | tion: Sysdig ScarletEel 2.0) For example, in Azure AD enviro | ||
> | ns may also use the `sts:GetFederationToken` API call to cre | > | nments, an adversary with the Application Administrator role | ||
> | ate a temporary set of credentials tied to the permissions o | > | can add a new set of credentials to their application's ser | ||
> | f the original user account. These credentials may remain va | > | vice principal. In doing so the adversary would be able to a | ||
> | lid for the duration of their lifetime even if the original | > | ccess the service principal’s roles and permissions, which m | ||
> | account’s API credentials are deactivated. (Citation: Crowds | > | ay be different from those of the Application Administrator. | ||
> | trike AWS User Federation Persistence) | > | (Citation: SpecterOps Azure Privilege Escalation) In AWS e | ||
> | nvironments, adversaries with the appropriate permissions ma | ||||
> | y also use the `sts:GetFederationToken` API call to create a | ||||
> | temporary set of credentials tied to the permissions of the | ||||
> | original user account. These credentials may remain valid f | ||||
> | or the duration of their lifetime even if the original accou | ||||
> | nt’s API credentials are deactivated. (Citation: Crowdstrike | ||||
> | AWS User Federation Persistence) |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-05-04 18:03:36.622000+00:00 | 2023-10-03 17:37:24.011000+00:00 |
description | Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.
For example, adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)
In infrastructure-as-a-service (IaaS) environments, after gaining access through [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries may generate or import their own SSH keys using either the `CreateKeyPair` or `ImportKeyPair` API in AWS or the `gcloud compute os-login ssh-keys add` command in GCP.(Citation: GCP SSH Key Add) This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind the Scenes)
Adversaries may also use the `CreateAccessKey` API in AWS or the `gcloud iam service-accounts keys create` command in GCP to add access keys to an account. If the target account has different permissions from the requesting account, the adversary may also be able to escalate their privileges in the environment (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation: Rhino Security Labs AWS Privilege Escalation)
In AWS environments, adversaries with the appropriate permissions may also use the `sts:GetFederationToken` API call to create a temporary set of credentials tied to the permissions of the original user account. These credentials may remain valid for the duration of their lifetime even if the original account’s API credentials are deactivated.
(Citation: Crowdstrike AWS User Federation Persistence) | Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.
For example, adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)
In infrastructure-as-a-service (IaaS) environments, after gaining access through [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries may generate or import their own SSH keys using either the `CreateKeyPair` or `ImportKeyPair` API in AWS or the `gcloud compute os-login ssh-keys add` command in GCP.(Citation: GCP SSH Key Add) This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind the Scenes)
Adversaries may also use the `CreateAccessKey` API in AWS or the `gcloud iam service-accounts keys create` command in GCP to add access keys to an account. If the target account has different permissions from the requesting account, the adversary may also be able to escalate their privileges in the environment (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation: Rhino Security Labs AWS Privilege Escalation)(Citation: Sysdig ScarletEel 2.0) For example, in Azure AD environments, an adversary with the Application Administrator role can add a new set of credentials to their application's service principal. In doing so the adversary would be able to access the service principal’s roles and permissions, which may be different from those of the Application Administrator.(Citation: SpecterOps Azure Privilege Escalation)
In AWS environments, adversaries with the appropriate permissions may also use the `sts:GetFederationToken` API call to create a temporary set of credentials tied to the permissions of the original user account. These credentials may remain valid for the duration of their lifetime even if the original account’s API credentials are deactivated.
(Citation: Crowdstrike AWS User Federation Persistence) |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 2.5 | 2.6 |
STIX Field | Old value | New Value |
---|---|---|
kill_chain_phases | {'kill_chain_name': 'mitre-attack', 'phase_name': 'privilege-escalation'} | |
external_references | {'source_name': 'SpecterOps Azure Privilege Escalation', 'description': 'Andy Robbins. (2021, October 12). Azure Privilege Escalation via Service Principal Abuse. Retrieved April 1, 2022.', 'url': 'https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5'} | |
external_references | {'source_name': 'Sysdig ScarletEel 2.0', 'description': 'SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto. (2023, July 11). SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto. Retrieved July 12, 2023.', 'url': 'https://sysdig.com/blog/scarleteel-2-0/'} | |
x_mitre_contributors | Arad Inbar, Fidelis Security |
Current version: 2.3
Version changed from: 2.2 → 2.3
Old Description | New Description | ||||
---|---|---|---|---|---|
t | 1 | An adversary may add additional roles or permissions to an a | t | 1 | An adversary may add additional roles or permissions to an a |
> | dversary-controlled cloud account to maintain persistent acc | > | dversary-controlled cloud account to maintain persistent acc | ||
> | ess to a tenant. For example, adversaries may update IAM pol | > | ess to a tenant. For example, adversaries may update IAM pol | ||
> | icies in cloud-based environments or add a new global admini | > | icies in cloud-based environments or add a new global admini | ||
> | strator in Office 365 environments.(Citation: AWS IAM Polici | > | strator in Office 365 environments.(Citation: AWS IAM Polici | ||
> | es and Permissions)(Citation: Google Cloud IAM Policies)(Cit | > | es and Permissions)(Citation: Google Cloud IAM Policies)(Cit | ||
> | ation: Microsoft Support O365 Add Another Admin, October 201 | > | ation: Microsoft Support O365 Add Another Admin, October 201 | ||
> | 9)(Citation: Microsoft O365 Admin Roles) With sufficient per | > | 9)(Citation: Microsoft O365 Admin Roles) With sufficient per | ||
> | missions, a compromised account can gain almost unlimited ac | > | missions, a compromised account can gain almost unlimited ac | ||
> | cess to data and settings (including the ability to reset th | > | cess to data and settings (including the ability to reset th | ||
> | e passwords of other admins).(Citation: Expel AWS Attacker) | > | e passwords of other admins).(Citation: Expel AWS Attacker) | ||
> | (Citation: Microsoft O365 Admin Roles) This account modifi | > | (Citation: Microsoft O365 Admin Roles) This account modifi | ||
> | cation may immediately follow [Create Account](https://attac | > | cation may immediately follow [Create Account](https://attac | ||
> | k.mitre.org/techniques/T1136) or other malicious account act | > | k.mitre.org/techniques/T1136) or other malicious account act | ||
> | ivity. Adversaries may also modify existing [Valid Accounts] | > | ivity. Adversaries may also modify existing [Valid Accounts] | ||
> | (https://attack.mitre.org/techniques/T1078) that they have c | > | (https://attack.mitre.org/techniques/T1078) that they have c | ||
> | ompromised. This could lead to privilege escalation, particu | > | ompromised. This could lead to privilege escalation, particu | ||
> | larly if the roles added allow for lateral movement to addit | > | larly if the roles added allow for lateral movement to addit | ||
> | ional accounts. For example, in Azure AD environments, an a | > | ional accounts. For example, in AWS environments, an advers | ||
> | dversary with the Application Administrator role can add [Ad | > | ary with appropriate permissions may be able to use the <cod | ||
> | ditional Cloud Credentials](https://attack.mitre.org/techniq | > | e>CreatePolicyVersion</code> API to define a new version of | ||
> | ues/T1098/001) to their application's service principal. In | > | an IAM policy or the <code>AttachUserPolicy</code> API to at | ||
> | doing so the adversary would be able to gain the service pri | > | tach an IAM policy with additional or distinct permissions t | ||
> | ncipal’s roles and permissions, which may be different from | > | o a compromised user account.(Citation: Rhino Security Labs | ||
> | those of the Application Administrator.(Citation: SpecterOps | > | AWS Privilege Escalation) | ||
> | Azure Privilege Escalation) Similarly, in AWS environments, | ||||
> | an adversary with appropriate permissions may be able to us | ||||
> | e the <code>CreatePolicyVersion</code> API to define a new v | ||||
> | ersion of an IAM policy or the <code>AttachUserPolicy</code> | ||||
> | API to attach an IAM policy with additional or distinct per | ||||
> | missions to a compromised user account.(Citation: Rhino Secu | ||||
> | rity Labs AWS Privilege Escalation) Similarly, an adversary | ||||
> | with the Azure AD Global Administrator role can toggle the | ||||
> | “Access management for Azure resources” option to gain the a | ||||
> | bility to assign privileged access to Azure subscriptions an | ||||
> | d virtual machines to Azure AD users, including themselves.( | ||||
> | Citation: Azure AD to AD) |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-14 22:48:50.142000+00:00 | 2023-10-03 17:37:41.250000+00:00 |
description | An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments.(Citation: AWS IAM Policies and Permissions)(Citation: Google Cloud IAM Policies)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: Microsoft O365 Admin Roles) With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins).(Citation: Expel AWS Attacker)
(Citation: Microsoft O365 Admin Roles)
This account modification may immediately follow [Create Account](https://attack.mitre.org/techniques/T1136) or other malicious account activity. Adversaries may also modify existing [Valid Accounts](https://attack.mitre.org/techniques/T1078) that they have compromised. This could lead to privilege escalation, particularly if the roles added allow for lateral movement to additional accounts.
For example, in Azure AD environments, an adversary with the Application Administrator role can add [Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) to their application's service principal. In doing so the adversary would be able to gain the service principal’s roles and permissions, which may be different from those of the Application Administrator.(Citation: SpecterOps Azure Privilege Escalation) Similarly, in AWS environments, an adversary with appropriate permissions may be able to use the `CreatePolicyVersion` API to define a new version of an IAM policy or the `AttachUserPolicy` API to attach an IAM policy with additional or distinct permissions to a compromised user account.(Citation: Rhino Security Labs AWS Privilege Escalation)
Similarly, an adversary with the Azure AD Global Administrator role can toggle the “Access management for Azure resources” option to gain the ability to assign privileged access to Azure subscriptions and virtual machines to Azure AD users, including themselves.(Citation: Azure AD to AD) | An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments.(Citation: AWS IAM Policies and Permissions)(Citation: Google Cloud IAM Policies)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: Microsoft O365 Admin Roles) With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins).(Citation: Expel AWS Attacker)
(Citation: Microsoft O365 Admin Roles)
This account modification may immediately follow [Create Account](https://attack.mitre.org/techniques/T1136) or other malicious account activity. Adversaries may also modify existing [Valid Accounts](https://attack.mitre.org/techniques/T1078) that they have compromised. This could lead to privilege escalation, particularly if the roles added allow for lateral movement to additional accounts.
For example, in AWS environments, an adversary with appropriate permissions may be able to use the `CreatePolicyVersion` API to define a new version of an IAM policy or the `AttachUserPolicy` API to attach an IAM policy with additional or distinct permissions to a compromised user account.(Citation: Rhino Security Labs AWS Privilege Escalation) |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 2.2 | 2.3 |
STIX Field | Old value | New Value |
---|---|---|
kill_chain_phases | {'kill_chain_name': 'mitre-attack', 'phase_name': 'privilege-escalation'} | |
x_mitre_contributors | Arad Inbar, Fidelis Security |
STIX Field | Old value | New Value |
---|---|---|
external_references | {'source_name': 'SpecterOps Azure Privilege Escalation', 'description': 'Andy Robbins. (2021, October 12). Azure Privilege Escalation via Service Principal Abuse. Retrieved April 1, 2022.', 'url': 'https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5'} | |
external_references | {'source_name': 'Azure AD to AD', 'description': 'Sean Metcalf. (2020, May 27). From Azure AD to Active Directory (via Azure) – An Unanticipated Attack Path. Retrieved September 28, 2022.', 'url': 'https://adsecurity.org/?p=4277'} |
Current version: 2.1
Version changed from: 2.0 → 2.1
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-19 14:55:26.110000+00:00 | 2023-10-03 17:38:00.554000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 2.0 | 2.1 |
STIX Field | Old value | New Value |
---|---|---|
kill_chain_phases | {'kill_chain_name': 'mitre-attack', 'phase_name': 'privilege-escalation'} | |
x_mitre_contributors | Arad Inbar, Fidelis Security |
Current version: 2.3
Version changed from: 2.2 → 2.3
Old Description | New Description | ||||
---|---|---|---|---|---|
t | 1 | Adversaries may attempt to position themselves between two o | t | 1 | Adversaries may attempt to position themselves between two o |
> | r more networked devices using an adversary-in-the-middle (A | > | r more networked devices using an adversary-in-the-middle (A | ||
> | iTM) technique to support follow-on behaviors such as [Netwo | > | iTM) technique to support follow-on behaviors such as [Netwo | ||
> | rk Sniffing](https://attack.mitre.org/techniques/T1040) or [ | > | rk Sniffing](https://attack.mitre.org/techniques/T1040), [Tr | ||
> | Transmitted Data Manipulation](https://attack.mitre.org/tech | > | ansmitted Data Manipulation](https://attack.mitre.org/techni | ||
> | niques/T1565/002). By abusing features of common networking | > | ques/T1565/002), or replay attacks ([Exploitation for Creden | ||
> | protocols that can determine the flow of network traffic (e. | > | tial Access](https://attack.mitre.org/techniques/T1212)). By | ||
> | g. ARP, DNS, LLMNR, etc.), adversaries may force a device to | > | abusing features of common networking protocols that can de | ||
> | communicate through an adversary controlled system so they | > | termine the flow of network traffic (e.g. ARP, DNS, LLMNR, e | ||
> | can collect information or perform additional actions.(Citat | > | tc.), adversaries may force a device to communicate through | ||
> | ion: Rapid7 MiTM Basics) For example, adversaries may manip | > | an adversary controlled system so they can collect informati | ||
> | ulate victim DNS settings to enable other malicious activiti | > | on or perform additional actions.(Citation: Rapid7 MiTM Basi | ||
> | es such as preventing/redirecting users from accessing legit | > | cs) For example, adversaries may manipulate victim DNS sett | ||
> | imate sites and/or pushing additional malware.(Citation: tti | > | ings to enable other malicious activities such as preventing | ||
> | nt_rat)(Citation: dns_changer_trojans)(Citation: ad_blocker_ | > | /redirecting users from accessing legitimate sites and/or pu | ||
> | with_miner) Adversaries may also manipulate DNS and leverage | > | shing additional malware.(Citation: ttint_rat)(Citation: dns | ||
> | their position in order to intercept user credentials and s | > | _changer_trojans)(Citation: ad_blocker_with_miner) Adversari | ||
> | ession cookies.(Citation: volexity_0day_sophos_FW) [Downgrad | > | es may also manipulate DNS and leverage their position in or | ||
> | e Attack](https://attack.mitre.org/techniques/T1562/010)s ca | > | der to intercept user credentials and session cookies.(Citat | ||
> | n also be used to establish an AiTM position, such as by neg | > | ion: volexity_0day_sophos_FW) [Downgrade Attack](https://att | ||
> | otiating a less secure, deprecated, or weaker version of com | > | ack.mitre.org/techniques/T1562/010)s can also be used to est | ||
> | munication protocol (SSL/TLS) or encryption algorithm.(Citat | > | ablish an AiTM position, such as by negotiating a less secur | ||
> | ion: mitm_tls_downgrade_att)(Citation: taxonomy_downgrade_at | > | e, deprecated, or weaker version of communication protocol ( | ||
> | t_tls)(Citation: tlseminar_downgrade_att) Adversaries may a | > | SSL/TLS) or encryption algorithm.(Citation: mitm_tls_downgra | ||
> | lso leverage the AiTM position to attempt to monitor and/or | > | de_att)(Citation: taxonomy_downgrade_att_tls)(Citation: tlse | ||
> | modify traffic, such as in [Transmitted Data Manipulation](h | > | minar_downgrade_att) Adversaries may also leverage the AiTM | ||
> | ttps://attack.mitre.org/techniques/T1565/002). Adversaries c | > | position to attempt to monitor and/or modify traffic, such | ||
> | an setup a position similar to AiTM to prevent traffic from | > | as in [Transmitted Data Manipulation](https://attack.mitre.o | ||
> | flowing to the appropriate destination, potentially to [Impa | > | rg/techniques/T1565/002). Adversaries can setup a position s | ||
> | ir Defenses](https://attack.mitre.org/techniques/T1562) and/ | > | imilar to AiTM to prevent traffic from flowing to the approp | ||
> | or in support of a [Network Denial of Service](https://attac | > | riate destination, potentially to [Impair Defenses](https:// | ||
> | k.mitre.org/techniques/T1498). | > | attack.mitre.org/techniques/T1562) and/or in support of a [N | ||
> | etwork Denial of Service](https://attack.mitre.org/technique | ||||
> | s/T1498). |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 21:01:37.568000+00:00 | 2023-09-27 20:27:50.792000+00:00 |
description | Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040) or [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.(Citation: Rapid7 MiTM Basics) For example, adversaries may manipulate victim DNS settings to enable other malicious activities such as preventing/redirecting users from accessing legitimate sites and/or pushing additional malware.(Citation: ttint_rat)(Citation: dns_changer_trojans)(Citation: ad_blocker_with_miner) Adversaries may also manipulate DNS and leverage their position in order to intercept user credentials and session cookies.(Citation: volexity_0day_sophos_FW) [Downgrade Attack](https://attack.mitre.org/techniques/T1562/010)s can also be used to establish an AiTM position, such as by negotiating a less secure, deprecated, or weaker version of communication protocol (SSL/TLS) or encryption algorithm.(Citation: mitm_tls_downgrade_att)(Citation: taxonomy_downgrade_att_tls)(Citation: tlseminar_downgrade_att) Adversaries may also leverage the AiTM position to attempt to monitor and/or modify traffic, such as in [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). Adversaries can setup a position similar to AiTM to prevent traffic from flowing to the appropriate destination, potentially to [Impair Defenses](https://attack.mitre.org/techniques/T1562) and/or in support of a [Network Denial of Service](https://attack.mitre.org/techniques/T1498). | Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040), [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002), or replay attacks ([Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212)). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.(Citation: Rapid7 MiTM Basics) For example, adversaries may manipulate victim DNS settings to enable other malicious activities such as preventing/redirecting users from accessing legitimate sites and/or pushing additional malware.(Citation: ttint_rat)(Citation: dns_changer_trojans)(Citation: ad_blocker_with_miner) Adversaries may also manipulate DNS and leverage their position in order to intercept user credentials and session cookies.(Citation: volexity_0day_sophos_FW) [Downgrade Attack](https://attack.mitre.org/techniques/T1562/010)s can also be used to establish an AiTM position, such as by negotiating a less secure, deprecated, or weaker version of communication protocol (SSL/TLS) or encryption algorithm.(Citation: mitm_tls_downgrade_att)(Citation: taxonomy_downgrade_att_tls)(Citation: tlseminar_downgrade_att) Adversaries may also leverage the AiTM position to attempt to monitor and/or modify traffic, such as in [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). Adversaries can setup a position similar to AiTM to prevent traffic from flowing to the appropriate destination, potentially to [Impair Defenses](https://attack.mitre.org/techniques/T1562) and/or in support of a [Network Denial of Service](https://attack.mitre.org/techniques/T1498). |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 2.2 | 2.3 |
Current version: 1.3
Version changed from: 1.2 → 1.3
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-14 19:28:21.394000+00:00 | 2023-09-15 19:02:53.995000+00:00 |
x_mitre_version | 1.2 | 1.3 |
Current version: 2.1
Version changed from: 2.0 → 2.1
New Detections:
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-18 20:12:04.110000+00:00 | 2023-08-11 21:13:52.767000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
x_mitre_version | 2.0 | 2.1 |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_data_sources | Network Traffic: Network Traffic Flow |
Current version: 2.2
Version changed from: 2.1 → 2.2
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 21:01:38.295000+00:00 | 2023-08-11 20:54:55.991000+00:00 |
x_mitre_version | 2.1 | 2.2 |
Current version: 1.1
Version changed from: 1.0 → 1.1
Old Description:

Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operations. Configuration settings as well as various artifacts that highlight connection history may be created on a system from behaviors that require network connections, such as [Remote Services](https://attack.mitre.org/techniques/T1021) or [External Remote Services](https://attack.mitre.org/techniques/T1133). Defenders may use these artifacts to monitor or otherwise analyze network connections created by adversaries. Network connection history may be stored in various locations on a system. For example, RDP connection history may be stored in Windows Registry values under (Citation: Microsoft RDP Removal):

* `HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default`
* `HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers`

Windows may also store information about recent RDP connections in files such as `C:\Users\%username%\Documents\Default.rdp` and `C:\Users\%username%\AppData\Local\Microsoft\Terminal Server Client\Cache\`.(Citation: Moran RDPieces) Similarly, macOS and Linux hosts may store information highlighting connection history in system logs (such as those stored in `/Library/Logs` and/or `/var/log/`).(Citation: Apple Culprit Access)(Citation: FreeDesktop Journal)(Citation: Apple Unified Log Analysis Remote Login and Screen Sharing) Malicious network connections may also require changes to network configuration settings, such as [Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1562/004) or tampering to enable [Proxy](https://attack.mitre.org/techniques/T1090). Adversaries may delete or modify this data to conceal indicators and/or impede defensive analysis.

New Description:

Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operations. Configuration settings as well as various artifacts that highlight connection history may be created on a system and/or in application logs from behaviors that require network connections, such as [Remote Services](https://attack.mitre.org/techniques/T1021) or [External Remote Services](https://attack.mitre.org/techniques/T1133). Defenders may use these artifacts to monitor or otherwise analyze network connections created by adversaries. Network connection history may be stored in various locations. For example, RDP connection history may be stored in Windows Registry values under (Citation: Microsoft RDP Removal):

* `HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default`
* `HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers`

Windows may also store information about recent RDP connections in files such as `C:\Users\%username%\Documents\Default.rdp` and `C:\Users\%username%\AppData\Local\Microsoft\Terminal Server Client\Cache\`.(Citation: Moran RDPieces) Similarly, macOS and Linux hosts may store information highlighting connection history in system logs (such as those stored in `/Library/Logs` and/or `/var/log/`).(Citation: Apple Culprit Access)(Citation: FreeDesktop Journal)(Citation: Apple Unified Log Analysis Remote Login and Screen Sharing) Malicious network connections may also require changes to third-party applications or network configuration settings, such as [Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1562/004) or tampering to enable [Proxy](https://attack.mitre.org/techniques/T1090). Adversaries may delete or modify this data to conceal indicators and/or impede defensive analysis.
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-21 16:24:06.968000+00:00 | 2023-09-08 18:05:28.311000+00:00 |
description | Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operations. Configuration settings as well as various artifacts that highlight connection history may be created on a system from behaviors that require network connections, such as [Remote Services](https://attack.mitre.org/techniques/T1021) or [External Remote Services](https://attack.mitre.org/techniques/T1133). Defenders may use these artifacts to monitor or otherwise analyze network connections created by adversaries. Network connection history may be stored in various locations on a system. For example, RDP connection history may be stored in Windows Registry values under (Citation: Microsoft RDP Removal): * `HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default` * `HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers` Windows may also store information about recent RDP connections in files such as `C:\Users\%username%\Documents\Default.rdp` and `C:\Users\%username%\AppData\Local\Microsoft\Terminal Server Client\Cache\`.(Citation: Moran RDPieces) Similarly, macOS and Linux hosts may store information highlighting connection history in system logs (such as those stored in `/Library/Logs` and/or `/var/log/`).(Citation: Apple Culprit Access)(Citation: FreeDesktop Journal)(Citation: Apple Unified Log Analysis Remote Login and Screen Sharing) Malicious network connections may also require changes to network configuration settings, such as [Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1562/004) or tampering to enable [Proxy](https://attack.mitre.org/techniques/T1090). Adversaries may delete or modify this data to conceal indicators and/or impede defensive analysis. | Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operations. Configuration settings as well as various artifacts that highlight connection history may be created on a system and/or in application logs from behaviors that require network connections, such as [Remote Services](https://attack.mitre.org/techniques/T1021) or [External Remote Services](https://attack.mitre.org/techniques/T1133). Defenders may use these artifacts to monitor or otherwise analyze network connections created by adversaries. Network connection history may be stored in various locations. For example, RDP connection history may be stored in Windows Registry values under (Citation: Microsoft RDP Removal): * `HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default` * `HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers` Windows may also store information about recent RDP connections in files such as `C:\Users\%username%\Documents\Default.rdp` and `C:\Users\%username%\AppData\Local\Microsoft\Terminal Server Client\Cache\`.(Citation: Moran RDPieces) Similarly, macOS and Linux hosts may store information highlighting connection history in system logs (such as those stored in `/Library/Logs` and/or `/var/log/`).(Citation: Apple Culprit Access)(Citation: FreeDesktop Journal)(Citation: Apple Unified Log Analysis Remote Login and Screen Sharing) Malicious network connections may also require changes to third-party applications or network configuration settings, such as [Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1562/004) or tampering to enable [Proxy](https://attack.mitre.org/techniques/T1090). Adversaries may delete or modify this data to conceal indicators and/or impede defensive analysis. |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
x_mitre_version | 1.0 | 1.1 |
Current version: 1.3
Version changed from: 1.2 → 1.3
New Detections:
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-12 15:32:03.205000+00:00 | 2023-08-11 21:43:04.568000+00:00 |
x_mitre_version | 1.2 | 1.3 |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_data_sources | Process: Process Creation |
Current version: 1.4
Version changed from: 1.3 → 1.4
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-06 21:24:56.669000+00:00 | 2023-10-16 17:34:42.544000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.3 | 1.4 |
Current version: 1.6
Version changed from: 1.5 → 1.6
Old Description:

Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management systems, such as Windows Active Directory.(Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation) Compromised credentials for cloud accounts can be used to harvest sensitive data from online storage accounts and databases. Access to cloud accounts can also be abused to gain Initial Access to a network by abusing a [Trusted Relationship](https://attack.mitre.org/techniques/T1199). Similar to [Domain Accounts](https://attack.mitre.org/techniques/T1078/002), compromise of federated cloud accounts may allow adversaries to more easily move laterally within an environment. Once a cloud account is compromised, an adversary may perform [Account Manipulation](https://attack.mitre.org/techniques/T1098) - for example, by adding [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003) - to maintain persistence and potentially escalate their privileges.

New Description:

Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud or be hybrid joined between on-premises systems and the cloud through federation with other identity sources such as Windows Active Directory. (Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation) Service or user accounts may be targeted by adversaries through [Brute Force](https://attack.mitre.org/techniques/T1110), [Phishing](https://attack.mitre.org/techniques/T1566), or various other means to gain access to the environment. Federated accounts may be a pathway for the adversary to affect both on-premises systems and cloud environments. An adversary may create long lasting [Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) on a compromised cloud account to maintain persistence in the environment. Such credentials may also be used to bypass security controls such as multi-factor authentication. Cloud accounts may also be able to assume [Temporary Elevated Cloud Access](https://attack.mitre.org/techniques/T1548/005) or other privileges through various means within the environment. Misconfigurations in role assignments or role assumption policies may allow an adversary to use these mechanisms to leverage permissions outside the intended scope of the account. Such over privileged accounts may be used to harvest sensitive data from online storage accounts and databases through [Cloud API](https://attack.mitre.org/techniques/T1059/009) or other methods.
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-21 13:17:14.441000+00:00 | 2023-10-16 17:25:38.546000+00:00 |
description | Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management systems, such as Windows Active Directory.(Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation) Compromised credentials for cloud accounts can be used to harvest sensitive data from online storage accounts and databases. Access to cloud accounts can also be abused to gain Initial Access to a network by abusing a [Trusted Relationship](https://attack.mitre.org/techniques/T1199). Similar to [Domain Accounts](https://attack.mitre.org/techniques/T1078/002), compromise of federated cloud accounts may allow adversaries to more easily move laterally within an environment. Once a cloud account is compromised, an adversary may perform [Account Manipulation](https://attack.mitre.org/techniques/T1098) - for example, by adding [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003) - to maintain persistence and potentially escalate their privileges. | Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud or be hybrid joined between on-premises systems and the cloud through federation with other identity sources such as Windows Active Directory. (Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation) Service or user accounts may be targeted by adversaries through [Brute Force](https://attack.mitre.org/techniques/T1110), [Phishing](https://attack.mitre.org/techniques/T1566), or various other means to gain access to the environment. Federated accounts may be a pathway for the adversary to affect both on-premises systems and cloud environments. An adversary may create long lasting [Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) on a compromised cloud account to maintain persistence in the environment. Such credentials may also be used to bypass security controls such as multi-factor authentication. Cloud accounts may also be able to assume [Temporary Elevated Cloud Access](https://attack.mitre.org/techniques/T1548/005) or other privileges through various means within the environment. Misconfigurations in role assignments or role assumption policies may allow an adversary to use these mechanisms to leverage permissions outside the intended scope of the account. Such over privileged accounts may be used to harvest sensitive data from online storage accounts and databases through [Cloud API](https://attack.mitre.org/techniques/T1059/009) or other methods. |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.5 | 1.6 |
Current version: 1.2
Version changed from: 1.1 → 1.2
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | 3.2.0 | |
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User'] |
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-03-16 12:56:36.098000+00:00 | 2023-10-16 16:51:02.852000+00:00 |
x_mitre_version | 1.1 | 1.2 |
Current version: 1.1
Version changed from: 1.0 → 1.1
Old Description:

Adversaries may modify client software binaries to establish persistent access to systems. Client software enables users to access services provided by a server. Common client software types are SSH clients, FTP clients, email clients, and web browsers. Adversaries may make modifications to client software binaries to carry out malicious tasks when those applications are in use. For example, an adversary may copy source code for the client software, add a backdoor, compile for the target, and replace the legitimate application binary (or support files) with the backdoored one. Since these applications may be routinely executed by the user, the adversary can leverage this for persistent access to the host.

New Description:

Adversaries may modify client software binaries to establish persistent access to systems. Client software enables users to access services provided by a server. Common client software types are SSH clients, FTP clients, email clients, and web browsers. Adversaries may make modifications to client software binaries to carry out malicious tasks when those applications are in use. For example, an adversary may copy source code for the client software, add a backdoor, compile for the target, and replace the legitimate application binary (or support files) with the backdoored one. An adversary may also modify an existing binary by patching in malicious functionality (e.g., IAT Hooking/Entry point patching)(Citation: Unit42 Banking Trojans Hooking 2022) prior to the binary's legitimate execution. For example, an adversary may modify the entry point of a binary to point to malicious code patched in by the adversary before resuming normal execution flow.(Citation: ESET FontOnLake Analysis 2021) Since these applications may be routinely executed by the user, the adversary can leverage this for persistent access to the host.
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | 3.2.0 | |
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-19 03:18:43.648000+00:00 | 2023-10-03 04:18:40.956000+00:00 |
description | Adversaries may modify client software binaries to establish persistent access to systems. Client software enables users to access services provided by a server. Common client software types are SSH clients, FTP clients, email clients, and web browsers. Adversaries may make modifications to client software binaries to carry out malicious tasks when those applications are in use. For example, an adversary may copy source code for the client software, add a backdoor, compile for the target, and replace the legitimate application binary (or support files) with the backdoored one. Since these applications may be routinely executed by the user, the adversary can leverage this for persistent access to the host. | Adversaries may modify client software binaries to establish persistent access to systems. Client software enables users to access services provided by a server. Common client software types are SSH clients, FTP clients, email clients, and web browsers. Adversaries may make modifications to client software binaries to carry out malicious tasks when those applications are in use. For example, an adversary may copy source code for the client software, add a backdoor, compile for the target, and replace the legitimate application binary (or support files) with the backdoored one. An adversary may also modify an existing binary by patching in malicious functionality (e.g., IAT Hooking/Entry point patching)(Citation: Unit42 Banking Trojans Hooking 2022) prior to the binary’s legitimate execution. For example, an adversary may modify the entry point of a binary to point to malicious code patched in by the adversary before resuming normal execution flow.(Citation: ESET FontOnLake Analysis 2021) Since these applications may be routinely executed by the user, the adversary can leverage this for persistent access to the host. |
x_mitre_version | 1.0 | 1.1 |
STIX Field | Old value | New Value |
---|---|---|
external_references | {'source_name': 'Unit42 Banking Trojans Hooking 2022', 'description': 'Or Chechik. (2022, October 31). Banking Trojan Techniques: How Financially Motivated Malware Became Infrastructure. Retrieved September 27, 2023.', 'url': 'https://unit42.paloaltonetworks.com/banking-trojan-techniques/#post-125550-_rm3d6xxbk52n'} | |
external_references | {'source_name': 'ESET FontOnLake Analysis 2021', 'description': 'Vladislav Hrčka. (2021, January 1). FontOnLake. Retrieved September 27, 2023.', 'url': 'https://web-assets.esetstatic.com/wls/2021/10/eset_fontonlake.pdf'} |
Current version: 1.4
Version changed from: 1.3 → 1.4
Old Description:

Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage. Use of compromised infrastructure allows adversaries to stage, launch, and execute operations. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. For example, adversaries may leverage compromised infrastructure (potentially also in conjunction with [Digital Certificates](https://attack.mitre.org/techniques/T1588/004)) to further blend in and support staged information gathering and/or [Phishing](https://attack.mitre.org/techniques/T1566) campaigns.(Citation: FireEye DNS Hijack 2019) Additionally, adversaries may also compromise infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090).(Citation: amnesty_nso_pegasus) By using compromised infrastructure, adversaries may make it difficult to tie their actions back to them. Prior to targeting, adversaries may compromise the infrastructure of other adversaries.(Citation: NSA NCSC Turla OilRig)

New Description:

Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage. Use of compromised infrastructure allows adversaries to stage, launch, and execute operations. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. For example, adversaries may leverage compromised infrastructure (potentially also in conjunction with [Digital Certificates](https://attack.mitre.org/techniques/T1588/004)) to further blend in and support staged information gathering and/or [Phishing](https://attack.mitre.org/techniques/T1566) campaigns.(Citation: FireEye DNS Hijack 2019) Additionally, adversaries may also compromise infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090) and/or proxyware services.(Citation: amnesty_nso_pegasus)(Citation: Sysdig Proxyjacking) By using compromised infrastructure, adversaries may make it difficult to tie their actions back to them. Prior to targeting, adversaries may compromise the infrastructure of other adversaries.(Citation: NSA NCSC Turla OilRig)
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-12 13:32:15.704000+00:00 | 2023-10-02 01:10:49.053000+00:00 |
description | Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage. Use of compromised infrastructure allows adversaries to stage, launch, and execute operations. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. For example, adversaries may leverage compromised infrastructure (potentially also in conjunction with [Digital Certificates](https://attack.mitre.org/techniques/T1588/004)) to further blend in and support staged information gathering and/or [Phishing](https://attack.mitre.org/techniques/T1566) campaigns.(Citation: FireEye DNS Hijack 2019) Additionally, adversaries may also compromise infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090).(Citation: amnesty_nso_pegasus) By using compromised infrastructure, adversaries may make it difficult to tie their actions back to them. Prior to targeting, adversaries may compromise the infrastructure of other adversaries.(Citation: NSA NCSC Turla OilRig) | Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage. Use of compromised infrastructure allows adversaries to stage, launch, and execute operations. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. For example, adversaries may leverage compromised infrastructure (potentially also in conjunction with [Digital Certificates](https://attack.mitre.org/techniques/T1588/004)) to further blend in and support staged information gathering and/or [Phishing](https://attack.mitre.org/techniques/T1566) campaigns.(Citation: FireEye DNS Hijack 2019) Additionally, adversaries may also compromise infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090) and/or proxyware services.(Citation: amnesty_nso_pegasus)(Citation: Sysdig Proxyjacking) By using compromised infrastructure, adversaries may make it difficult to tie their actions back to them. Prior to targeting, adversaries may compromise the infrastructure of other adversaries.(Citation: NSA NCSC Turla OilRig) |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.3 | 1.4 |
STIX Field | Old value | New Value |
---|---|---|
external_references | {'source_name': 'Sysdig Proxyjacking', 'description': 'Crystal Morin. (2023, April 4). Proxyjacking has Entered the Chat. Retrieved July 6, 2023.', 'url': 'https://sysdig.com/blog/proxyjacking-attackers-log4j-exploited/'} | |
x_mitre_contributors | Goldstein Menachem |
Current version: 2.4
Version changed from: 2.3 → 2.4
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-12 23:24:48.840000+00:00 | 2023-10-16 17:42:28.207000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 2.3 | 2.4 |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Containers | |
x_mitre_platforms | SaaS |
Current version: 1.4
Version changed from: 1.3 → 1.4
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-14 23:05:16.857000+00:00 | 2023-10-16 16:53:12.789000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.3 | 1.4 |
Current version: 1.2
Version changed from: 1.1 → 1.2
New Detections:
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['Administrator', 'SYSTEM', 'User'] |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 21:01:44.951000+00:00 | 2023-08-23 22:24:50.812000+00:00 |
x_mitre_version | 1.1 | 1.2 |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_data_sources | Process: Process Creation |
Current version: 1.1
Version changed from: 1.0 → 1.1
Old Description:

Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications that store passwords to make it easier for users manage and maintain. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.

New Description:

Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.
New Mitigations:
New Detections:
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | 3.2.0 | |
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['Administrator'] |
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-01 18:25:13.952000+00:00 | 2023-09-30 20:16:41.759000+00:00 |
description | Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications that store passwords to make it easier for users manage and maintain. Once credentials are obtained, they can be used to perform lateral movement and access restricted information. | Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information. |
x_mitre_version | 1.0 | 1.1 |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_data_sources | Cloud Service: Cloud Service Enumeration | |
x_mitre_platforms | IaaS |
Current version: 1.1
Version changed from: 1.0 → 1.1
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | 3.1.0 | |
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['Administrator', 'User'] |
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-02-07 20:49:18.834000+00:00 | 2023-07-28 18:29:56.525000+00:00 |
x_mitre_version | 1.0 | 1.1 |
Current version: 1.2
Version changed from: 1.1 → 1.2
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | 3.2.0 | |
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User', 'Administrator', 'root', 'SYSTEM'] |
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-03-25 14:47:48.728000+00:00 | 2023-10-03 17:30:32.192000+00:00 |
x_mitre_version | 1.1 | 1.2 |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_contributors | Joey Lei | |
x_mitre_platforms | Containers |
Current version: 2.1
Version changed from: 2.0 → 2.1
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-18 19:10:42.621000+00:00 | 2023-09-29 16:11:43.530000+00:00 |
description | Adversaries may access data from improperly secured cloud storage. Many cloud service providers offer solutions for online data object storage such as Amazon S3, Azure Storage, and Google Cloud Storage. These solutions differ from other storage solutions (such as SQL or Elasticsearch) in that there is no overarching application. Data from these solutions can be retrieved directly using the cloud provider's APIs. In other cases, SaaS application providers such as Slack, Confluence, and Salesforce also provide cloud storage solutions as a peripheral use case of their platform. These cloud objects can be extracted directly from their associated application.(Citation: EA Hacked via Slack - June 2021)(Citation: SecureWorld - How Secure Is Your Slack Channel - Dec 2021)(Citation: HackerNews - 3 SaaS App Cyber Attacks - April 2022)(Citation: Dark Clouds_Usenix_Mulazzani_08_2011) Adversaries may collect sensitive data from these cloud storage solutions. Providers typically offer security guides to help end users configure systems, though misconfigurations are a common problem.(Citation: Amazon S3 Security, 2019)(Citation: Microsoft Azure Storage Security, 2019)(Citation: Google Cloud Storage Best Practices, 2019) There have been numerous incidents where cloud storage has been improperly secured, typically by unintentionally allowing public access to unauthenticated users, overly-broad access by all users, or even access for any anonymous person outside the control of the Identity Access Management system without even needing basic user permissions. 
This open access may expose various types of sensitive data, such as credit cards, personally identifiable information, or medical records.(Citation: Trend Micro S3 Exposed PII, 2017)(Citation: Wired Magecart S3 Buckets, 2019)(Citation: HIPAA Journal S3 Breach, 2017)(Citation: Rclone-mega-extortion_05_2021) Adversaries may also obtain then abuse leaked credentials from source repositories, logs, or other means as a way to gain access to cloud storage objects. | Adversaries may access data from cloud storage. Many IaaS providers offer solutions for online data object storage such as Amazon S3, Azure Storage, and Google Cloud Storage. Similarly, SaaS enterprise platforms such as Office 365 and Google Workspace provide cloud-based document storage to users through services such as OneDrive and Google Drive, while SaaS application providers such as Slack, Confluence, Salesforce, and Dropbox may provide cloud storage solutions as a peripheral or primary use case of their platform. In some cases, as with IaaS-based cloud storage, there exists no overarching application (such as SQL or Elasticsearch) with which to interact with the stored objects: instead, data from these solutions is retrieved directly though the [Cloud API](https://attack.mitre.org/techniques/T1059/009). In SaaS applications, adversaries may be able to collect this data directly from APIs or backend cloud storage objects, rather than through their front-end application or interface (i.e., [Data from Information Repositories](https://attack.mitre.org/techniques/T1213)). Adversaries may collect sensitive data from these cloud storage solutions. 
Providers typically offer security guides to help end users configure systems, though misconfigurations are a common problem.(Citation: Amazon S3 Security, 2019)(Citation: Microsoft Azure Storage Security, 2019)(Citation: Google Cloud Storage Best Practices, 2019) There have been numerous incidents where cloud storage has been improperly secured, typically by unintentionally allowing public access to unauthenticated users, overly-broad access by all users, or even access for any anonymous person outside the control of the Identity Access Management system without even needing basic user permissions. This open access may expose various types of sensitive data, such as credit cards, personally identifiable information, or medical records.(Citation: Trend Micro S3 Exposed PII, 2017)(Citation: Wired Magecart S3 Buckets, 2019)(Citation: HIPAA Journal S3 Breach, 2017)(Citation: Rclone-mega-extortion_05_2021) Adversaries may also obtain then abuse leaked credentials from source repositories, logs, or other means as a way to gain access to cloud storage objects. |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 2.0 | 2.1 |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Google Workspace | |
x_mitre_platforms | Office 365 |
STIX Field | Old value | New Value |
---|---|---|
external_references | {'source_name': 'SecureWorld - How Secure Is Your Slack Channel - Dec 2021', 'description': ' Drew Todd. (2021, December 28). How Secure Is Your Slack Channel?. Retrieved May 31, 2022.', 'url': 'https://www.secureworld.io/industry-news/how-secure-is-your-slack-channel#:~:text=Electronic%20Arts%20hacked%20through%20Slack%20channel&text=In%20total%2C%20the%20hackers%20claim,credentials%20over%20a%20Slack%20channel.'} | |
external_references | {'source_name': 'EA Hacked via Slack - June 2021', 'description': 'Anthony Spadafora. (2021, June 11). EA hack reportedly used stolen cookies and Slack to target gaming giant. Retrieved May 31, 2022.', 'url': 'https://www.techradar.com/news/ea-hack-reportedly-used-stolen-cookies-and-slack-to-hack-gaming-giant'} | |
external_references | {'source_name': 'HackerNews - 3 SaaS App Cyber Attacks - April 2022', 'description': 'Hananel Livneh. (2022, April 7). Into the Breach: Breaking Down 3 SaaS App Cyber Attacks in 2022. Retrieved May 31, 2022.', 'url': 'https://thehackernews.com/2022/04/into-breach-breaking-down-3-saas-app.html'} | |
external_references | {'source_name': 'Dark Clouds_Usenix_Mulazzani_08_2011', 'description': 'Martin Mulazzani, Sebastian Schrittwieser, Manuel Leithner, Markus Huber, and Edgar Weippl. (2011, August). Dark Clouds on the Horizon: Using Cloud Storage as Attack Vector and Online Slack Space. Retrieved July 14, 2022.', 'url': 'https://www.usenix.org/conference/usenix-security-11/dark-clouds-horizon-using-cloud-storage-attack-vector-and-online-slack'} |
Current version: 1.4
Version changed from: 1.3 → 1.4
New Detections:
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 21:01:35.611000+00:00 | 2023-08-11 21:06:07.690000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
x_mitre_version | 1.3 | 1.4 |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_data_sources | Network Traffic: Network Traffic Flow |
Current version: 1.3
Version changed from: 1.2 → 1.3
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-21 12:21:06.026000+00:00 | 2023-08-14 19:28:18.334000+00:00 |
x_mitre_version | 1.2 | 1.3 |
Current version: 1.2
Version changed from: 1.1 → 1.2
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-20 18:14:17.197000+00:00 | 2023-10-03 17:38:39.065000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.1 | 1.2 |
STIX Field | Old value | New Value |
---|---|---|
kill_chain_phases | {'kill_chain_name': 'mitre-attack', 'phase_name': 'privilege-escalation'} | |
x_mitre_contributors | Arad Inbar, Fidelis Security |
Current version: 2.1
Version changed from: 2.0 → 2.1
New Mitigations:
New Detections:
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | 3.2.0 | |
x_mitre_contributors | ['Tom Simpson, CrowdStrike Falcon OverWatch'] | |
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['Administrator'] |
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-02-09 14:09:00.753000+00:00 | 2023-10-01 14:19:18.804000+00:00 |
description | Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique bypasses Windows file access controls as well as file system monitoring tools. (Citation: Hakobyan 2009) Utilities, such as NinjaCopy, exist to perform these actions in PowerShell. (Citation: Github PowerSploit Ninjacopy) | Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools. (Citation: Hakobyan 2009) Utilities, such as `NinjaCopy`, exist to perform these actions in PowerShell.(Citation: Github PowerSploit Ninjacopy) Adversaries may also use built-in or third-party utilities (such as `vssadmin`, `wbadmin`, and [esentutl](https://attack.mitre.org/software/S0404)) to create shadow copies or backups of data from system volumes.(Citation: LOLBAS Esentutl) |
x_mitre_version | 2.0 | 2.1 |
STIX Field | Old value | New Value |
---|---|---|
external_references | {'source_name': 'LOLBAS Esentutl', 'description': 'LOLBAS. (n.d.). Esentutl.exe. Retrieved September 3, 2019.', 'url': 'https://lolbas-project.github.io/lolbas/Binaries/Esentutl/'} | |
x_mitre_data_sources | File: File Creation |
Current version: 1.3
Version changed from: 1.2 → 1.3
New Detections:
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-17 23:24:19.730000+00:00 | 2023-09-18 22:33:57.556000+00:00 |
x_mitre_version | 1.2 | 1.3 |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_data_sources | Windows Registry: Windows Registry Key Modification |
Current version: 1.5
Version changed from: 1.4 → 1.5
New Detections:
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-12 13:43:42.986000+00:00 | 2023-05-28 16:57:27.185000+00:00 |
description | Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.(Citation: SCADAfence_ransomware)
Adversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to [Indicator Blocking](https://attack.mitre.org/techniques/T1562/006), adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls)
Adversaries may also focus on specific applications such as Sysmon. For example, the “Start” and “Enable” values in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Microsoft-Windows-Sysmon-Operational may be modified to tamper with and potentially disable Sysmon logging.(Citation: disable_win_evt_logging)
In cloud environments, tools disabled by adversaries may include cloud monitoring agents that report back to services such as AWS CloudWatch or Google Cloud Monitor.
Furthermore, although defensive tools may have anti-tampering mechanisms, adversaries may abuse tools such as legitimate rootkit removal kits to impair and/or disable these tools.(Citation: chasing_avaddon_ransomware)(Citation: dharma_ransomware)(Citation: demystifying_ryuk)(Citation: doppelpaymer_crowdstrike) For example, adversaries have used tools such as GMER to find and shut down hidden processes and antivirus software on infected systems.(Citation: demystifying_ryuk)
Additionally, adversaries may exploit legitimate drivers from anti-virus software to gain access to kernel space (i.e. [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)), which may lead to bypassing anti-tampering features.(Citation: avoslocker_ransomware) | Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.(Citation: SCADAfence_ransomware)
Adversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to [Indicator Blocking](https://attack.mitre.org/techniques/T1562/006), adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls)
Adversaries may also focus on specific applications such as Sysmon. For example, the “Start” and “Enable” values in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Microsoft-Windows-Sysmon-Operational may be modified to tamper with and potentially disable Sysmon logging.(Citation: disable_win_evt_logging)
On network devices, adversaries may attempt to skip digital signature verification checks by altering startup configuration files and effectively disabling firmware verification that typically occurs at boot.(Citation: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation)(Citation: Analysis of FG-IR-22-369)
In cloud environments, tools disabled by adversaries may include cloud monitoring agents that report back to services such as AWS CloudWatch or Google Cloud Monitor.
Furthermore, although defensive tools may have anti-tampering mechanisms, adversaries may abuse tools such as legitimate rootkit removal kits to impair and/or disable these tools.(Citation: chasing_avaddon_ransomware)(Citation: dharma_ransomware)(Citation: demystifying_ryuk)(Citation: doppelpaymer_crowdstrike) For example, adversaries have used tools such as GMER to find and shut down hidden processes and antivirus software on infected systems.(Citation: demystifying_ryuk)
Additionally, adversaries may exploit legitimate drivers from anti-virus software to gain access to kernel space (i.e. [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)), which may lead to bypassing anti-tampering features.(Citation: avoslocker_ransomware) |
x_mitre_version | 1.4 | 1.5 |
STIX Field | Old value | New Value |
---|---|---|
external_references | {'source_name': 'Analysis of FG-IR-22-369', 'description': ' Guillaume Lovet and Alex Kong. (2023, March 9). Analysis of FG-IR-22-369. Retrieved May 15, 2023.', 'url': 'https://www.fortinet.com/blog/psirt-blogs/fg-ir-22-369-psirt-analysis'} | |
external_references | {'source_name': 'Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation', 'description': 'ALEXANDER MARVI, BRAD SLAYBAUGH, DAN EBREO, TUFAIL AHMED, MUHAMMAD UMAIR, TINA JOHNSON. (2023, March 16). Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation. Retrieved May 15, 2023.', 'url': 'https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem'} | |
x_mitre_data_sources | Process: Process Creation | |
x_mitre_platforms | Network |
Current version: 1.3
Version changed from: 1.2 → 1.3
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-03 18:58:54.034000+00:00 | 2023-08-11 20:21:55.610000+00:00 |
x_mitre_version | 1.2 | 1.3 |
Current version: 1.1
Version changed from: 1.0 → 1.1
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | 3.2.0 | |
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['Administrator'] |
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-23 18:12:36.696000+00:00 | 2023-10-16 17:36:37.600000+00:00 |
x_mitre_version | 1.0 | 1.1 |
Current version: 1.4
Version changed from: 1.3 → 1.4
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-13 17:17:03.605000+00:00 | 2023-08-14 14:55:07.432000+00:00 |
x_mitre_version | 1.3 | 1.4 |
Current version: 1.2
Version changed from: 1.1 → 1.2
Old Description | New Description |
---|---|
Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls such as logging. For example, [PowerShell](https://attack.mitre.org/techniques/T1059/001) versions 5+ includes Script Block Logging (SBL) which can record executed script content. However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL with the intent to [Impair Defenses](https://attack.mitre.org/techniques/T1562) while running malicious scripts that may have otherwise been detected.(Citation: CrowdStrike BGH Ransomware 2021)(Citation: Mandiant BYOL 2018)(Citation: att_def_ps_logging) Adversaries may downgrade and use less-secure versions of various features of a system, such as [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s or even network protocols that can be abused to enable [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557).(Citation: Praetorian TLS Downgrade Attack 2014) | Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls. Downgrade attacks typically take advantage of a system’s backward compatibility to force it into less secure modes of operation. 
Adversaries may downgrade and use various less-secure versions of features of a system, such as [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s or even network protocols that can be abused to enable [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) or [Network Sniffing](https://attack.mitre.org/techniques/T1040).(Citation: Praetorian TLS Downgrade Attack 2014) 
For example, [PowerShell](https://attack.mitre.org/techniques/T1059/001) versions 5+ includes Script Block Logging (SBL) which can record executed script content. However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL with the intent to [Impair Defenses](https://attack.mitre.org/techniques/T1562) while running malicious scripts that may have otherwise been detected.(Citation: CrowdStrike BGH Ransomware 2021)(Citation: Mandiant BYOL 2018)(Citation: att_def_ps_logging) 
Adversaries may similarly target network traffic to downgrade from an encrypted HTTPS connection to an unsecured HTTP connection that exposes network data in clear text.(Citation: Targeted SSL Stripping Attacks Are Real)(Citation: Crowdstrike Downgrade) |
New Mitigations:
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-05-19 16:28:31.041000+00:00 | 2023-10-03 16:40:15.445000+00:00 |
description | Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls such as logging. For example, [PowerShell](https://attack.mitre.org/techniques/T1059/001) versions 5+ includes Script Block Logging (SBL) which can record executed script content. However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL with the intent to [Impair Defenses](https://attack.mitre.org/techniques/T1562) while running malicious scripts that may have otherwise been detected.(Citation: CrowdStrike BGH Ransomware 2021)(Citation: Mandiant BYOL 2018)(Citation: att_def_ps_logging) Adversaries may downgrade and use less-secure versions of various features of a system, such as [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s or even network protocols that can be abused to enable [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557).(Citation: Praetorian TLS Downgrade Attack 2014) | Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls. Downgrade attacks typically take advantage of a system’s backward compatibility to force it into less secure modes of operation. Adversaries may downgrade and use various less-secure versions of features of a system, such as [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s or even network protocols that can be abused to enable [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) or [Network Sniffing](https://attack.mitre.org/techniques/T1040).(Citation: Praetorian TLS Downgrade Attack 2014) For example, [PowerShell](https://attack.mitre.org/techniques/T1059/001) versions 5+ includes Script Block Logging (SBL) which can record executed script content. However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL with the intent to [Impair Defenses](https://attack.mitre.org/techniques/T1562) while running malicious scripts that may have otherwise been detected.(Citation: CrowdStrike BGH Ransomware 2021)(Citation: Mandiant BYOL 2018)(Citation: att_def_ps_logging) Adversaries may similarly target network traffic to downgrade from an encrypted HTTPS connection to an unsecured HTTP connection that exposes network data in clear text.(Citation: Targeted SSL Stripping Attacks Are Real)(Citation: Crowdstrike Downgrade) |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_detection | Monitor for commands or other activity that may be indicative of attempts to abuse older or deprecated technologies (ex: powershell –v 2 ). Also monitor for other abnormal events, such as execution of and/or processes spawning from a version of a tool that is not expected in the environment. Monitor for Windows event ID (EID) 400, specifically the EngineVersion field which shows the version of PowerShell running and may highlight a malicious downgrade attack.(Citation: inv_ps_attacks) | Monitor for commands or other activity that may be indicative of attempts to abuse older or deprecated technologies (ex: powershell –v 2 ). Also monitor for other abnormal events, such as execution of and/or processes spawning from a version of a tool that is not expected in the environment. Monitor for Windows event ID (EID) 400, specifically the EngineVersion field which shows the version of PowerShell running and may highlight a malicious downgrade attack.(Citation: inv_ps_attacks) Monitor network data to detect cases where HTTP is used instead of HTTPS. |
x_mitre_version | 1.1 | 1.2 |
STIX Field | Old value | New Value |
---|---|---|
external_references | {'source_name': 'Crowdstrike Downgrade', 'description': 'Bart Lenaerts-Bergman. (2023, March 14). WHAT ARE DOWNGRADE ATTACKS?. Retrieved May 24, 2023.', 'url': 'https://www.crowdstrike.com/cybersecurity-101/attack-types/downgrade-attacks/'} | |
external_references | {'source_name': 'Targeted SSL Stripping Attacks Are Real', 'description': 'Check Point. (n.d.). Targeted SSL Stripping Attacks Are Real. Retrieved May 24, 2023.', 'url': 'https://blog.checkpoint.com/research/targeted-ssl-stripping-attacks-are-real/amp/'} | |
x_mitre_contributors | Arad Inbar, Fidelis Security |
Current version: 1.3
Version changed from: 1.2 → 1.3
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | 3.1.0 | |
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User'] |
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-02-22 13:22:30.191000+00:00 | 2023-09-15 18:57:21.881000+00:00 |
x_mitre_version | 1.2 | 1.3 |
Current version: 1.3
Version changed from: 1.2 → 1.3
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-18 21:07:23.748000+00:00 | 2023-08-11 21:34:38.558000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
x_mitre_version | 1.2 | 1.3 |
Current version: 2.5
Version changed from: 2.4 → 2.5
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-12 20:46:04.871000+00:00 | 2023-09-29 21:06:03.098000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 2.4 | 2.5 |
Current version: 1.3
Version changed from: 1.2 → 1.3
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-12 20:42:20.079000+00:00 | 2023-10-16 16:41:53.957000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.2 | 1.3 |
Current version: 1.1
Version changed from: 1.0 → 1.1
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-21 14:40:48.074000+00:00 | 2023-09-29 21:14:57.263000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.0 | 1.1 |
Current version: 1.2
Version changed from: 1.1 → 1.2
New Mitigations:
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | 3.1.0 | |
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-03-08 21:02:16.115000+00:00 | 2023-09-11 16:06:10.376000+00:00 |
x_mitre_version | 1.1 | 1.2 |
Current version: 1.3
Version changed from: 1.2 → 1.3
New Detections:
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-19 21:28:34.699000+00:00 | 2023-09-05 15:00:36.471000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
x_mitre_version | 1.2 | 1.3 |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_data_sources | Application Log: Application Log Content | |
x_mitre_platforms | Office 365 | |
x_mitre_platforms | SaaS | |
x_mitre_platforms | Google Workspace |
Current version: 1.2
Version changed from: 1.1 → 1.2
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-08-30 12:49:02.969000+00:00 | 2023-09-15 19:11:47.547000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
x_mitre_version | 1.1 | 1.2 |
Current version: 1.1
Version changed from: 1.0 → 1.1
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | 3.1.0 | |
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-28 00:58:55.433000+00:00 | 2023-09-15 19:08:16.882000+00:00 |
x_mitre_version | 1.0 | 1.1 |
Current version: 1.5
Version changed from: 1.4 → 1.5
Old Description | New Description |
---|---|
Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Credentialing and authentication mechanisms may be targeted for exploitation by adversaries as a means to gain access to useful credentials or circumvent the process to gain access to systems. One example of this is MS14-068, which targets Kerberos and can be used to forge Kerberos tickets using domain user permissions.(Citation: Technet MS14-068)(Citation: ADSecurity Detecting Forged Tickets) Exploitation for credential access may also result in Privilege Escalation depending on the process targeted or credentials obtained. | Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Credentialing and authentication mechanisms may be targeted for exploitation by adversaries as a means to gain access to useful credentials or circumvent the process to gain authenticated access to systems. One example of this is `MS14-068`, which targets Kerberos and can be used to forge Kerberos tickets using domain user permissions.(Citation: Technet MS14-068)(Citation: ADSecurity Detecting Forged Tickets) Another example of this is replay attacks, in which the adversary intercepts data packets sent between parties and then later replays these packets. If services don't properly validate authentication requests, these replayed packets may allow an adversary to impersonate one of the parties and gain unauthorized access or privileges.(Citation: Bugcrowd Replay Attack)(Citation: Comparitech Replay Attack)(Citation: Microsoft Midnight Blizzard Replay Attack) Such exploitation has been demonstrated in cloud environments as well. For example, adversaries have exploited vulnerabilities in public cloud infrastructure that allowed for unintended authentication token creation and renewal.(Citation: Storm-0558 techniques for unauthorized email access) Exploitation for credential access may also result in Privilege Escalation depending on the process targeted or credentials obtained. |
New Mitigations:
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-28 16:06:49.447000+00:00 | 2023-10-15 11:45:21.555000+00:00 |
description | Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Credentialing and authentication mechanisms may be targeted for exploitation by adversaries as a means to gain access to useful credentials or circumvent the process to gain access to systems. One example of this is MS14-068, which targets Kerberos and can be used to forge Kerberos tickets using domain user permissions.(Citation: Technet MS14-068)(Citation: ADSecurity Detecting Forged Tickets) Exploitation for credential access may also result in Privilege Escalation depending on the process targeted or credentials obtained. | Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Credentialing and authentication mechanisms may be targeted for exploitation by adversaries as a means to gain access to useful credentials or circumvent the process to gain authenticated access to systems. One example of this is `MS14-068`, which targets Kerberos and can be used to forge Kerberos tickets using domain user permissions.(Citation: Technet MS14-068)(Citation: ADSecurity Detecting Forged Tickets) Another example of this is replay attacks, in which the adversary intercepts data packets sent between parties and then later replays these packets. If services don't properly validate authentication requests, these replayed packets may allow an adversary to impersonate one of the parties and gain unauthorized access or privileges.(Citation: Bugcrowd Replay Attack)(Citation: Comparitech Replay Attack)(Citation: Microsoft Midnight Blizzard Replay Attack) Such exploitation has been demonstrated in cloud environments as well. For example, adversaries have exploited vulnerabilities in public cloud infrastructure that allowed for unintended authentication token creation and renewal.(Citation: Storm-0558 techniques for unauthorized email access) Exploitation for credential access may also result in Privilege Escalation depending on the process targeted or credentials obtained. |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.4 | 1.5 |
STIX Field | Old value | New Value |
---|---|---|
external_references | {'source_name': 'Bugcrowd Replay Attack', 'description': 'Bugcrowd. (n.d.). Replay Attack. Retrieved September 27, 2023.', 'url': 'https://www.bugcrowd.com/glossary/replay-attack/'} | |
external_references | {'source_name': 'Comparitech Replay Attack', 'description': 'Justin Schamotta. (2022, October 28). What is a replay attack?. Retrieved September 27, 2023.', 'url': 'https://www.comparitech.com/blog/information-security/what-is-a-replay-attack/'} | |
external_references | {'source_name': 'Storm-0558 techniques for unauthorized email access', 'description': 'Microsoft Threat Intelligence. (2023, July 14). Analysis of Storm-0558 techniques for unauthorized email access. Retrieved September 18, 2023.', 'url': 'https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/'} | |
external_references | {'source_name': 'Microsoft Midnight Blizzard Replay Attack', 'description': 'Microsoft Threat Intelligence. (2023, June 21). Credential Attacks. Retrieved September 27, 2023.', 'url': 'https://twitter.com/MsftSecIntel/status/1671579359994343425'} | |
x_mitre_contributors | Mohit Rathore | |
x_mitre_platforms | Azure AD |
Current version: 1.4
Version changed from: 1.3 → 1.4
Old Description | New Description |
---|---|
Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them. Adversaries may have prior knowledge through reconnaissance that security software exists within an environment or they may perform checks during or shortly after the system is compromised for [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001). The security software will likely be targeted directly for exploitation. There are examples of antivirus software being targeted by persistent threat groups to avoid detection. | Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them. Adversaries may have prior knowledge through reconnaissance that security software exists within an environment or they may perform checks during or shortly after the system is compromised for [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001). The security software will likely be targeted directly for exploitation. There are examples of antivirus software being targeted by persistent threat groups to avoid detection. There have also been examples of vulnerabilities in public cloud infrastructure of SaaS applications that may bypass defense boundaries (Citation: Salesforce zero-day in facebook phishing attack), evade security logs (Citation: Bypassing CloudTrail in AWS Service Catalog), or deploy hidden infrastructure.(Citation: GhostToken GCP flaw) |
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-28 16:10:16.632000+00:00 | 2023-10-15 11:41:47.274000+00:00 |
description | Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them. Adversaries may have prior knowledge through reconnaissance that security software exists within an environment or they may perform checks during or shortly after the system is compromised for [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001). The security software will likely be targeted directly for exploitation. There are examples of antivirus software being targeted by persistent threat groups to avoid detection. | Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them. Adversaries may have prior knowledge through reconnaissance that security software exists within an environment or they may perform checks during or shortly after the system is compromised for [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001). The security software will likely be targeted directly for exploitation. There are examples of antivirus software being targeted by persistent threat groups to avoid detection. There have also been examples of vulnerabilities in public cloud infrastructure of SaaS applications that may bypass defense boundaries (Citation: Salesforce zero-day in facebook phishing attack), evade security logs (Citation: Bypassing CloudTrail in AWS Service Catalog), or deploy hidden infrastructure.(Citation: GhostToken GCP flaw) |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.3 | 1.4 |
STIX Field | Old value | New Value |
---|---|---|
external_references | {'source_name': 'Salesforce zero-day in facebook phishing attack', 'description': 'Bill Toulas. (2023, August 2). Hackers exploited Salesforce zero-day in Facebook phishing attack. Retrieved September 18, 2023.', 'url': 'https://www.bleepingcomputer.com/news/security/hackers-exploited-salesforce-zero-day-in-facebook-phishing-attack/'} | |
external_references | {'source_name': 'Bypassing CloudTrail in AWS Service Catalog', 'description': 'Nick Frichette. (2023, March 20). Bypassing CloudTrail in AWS Service Catalog, and Other Logging Research. Retrieved September 18, 2023.', 'url': 'https://securitylabs.datadoghq.com/articles/bypass-cloudtrail-aws-service-catalog-and-other/'} | |
external_references | {'source_name': 'GhostToken GCP flaw', 'description': 'Sergiu Gatlan. (2023, April 21). GhostToken GCP flaw let attackers backdoor Google accounts. Retrieved September 18, 2023.', 'url': 'https://www.bleepingcomputer.com/news/security/ghosttoken-gcp-flaw-let-attackers-backdoor-google-accounts/'} | |
x_mitre_platforms | SaaS | |
x_mitre_platforms | IaaS |
Current version: 1.1
Version changed from: 1.0 → 1.1
Old Description | New Description |
---|---|
Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Protocols such as FTP, FTPS, and TFTP that transfer files may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the transferred files. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. | Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Protocols such as SMB, FTP, FTPS, and TFTP that transfer files may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the transferred files. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | 3.2.0 | |
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-08-21 14:41:22.911000+00:00 | 2023-10-01 02:42:15.473000+00:00 |
description | Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Protocols such as FTP, FTPS, and TFTP that transfer files may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the transferred files. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. | Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Protocols such as SMB, FTP, FTPS, and TFTP that transfer files may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the transferred files. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. |
x_mitre_version | 1.0 | 1.1 |
Current version: 1.3
Version changed from: 1.2 → 1.3
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | 3.1.0 | |
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User'] |
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-06-19 17:16:41.470000+00:00 | 2023-08-14 19:30:45.123000+00:00 |
x_mitre_version | 1.2 | 1.3 |
Current version: 1.4
Version changed from: 1.3 → 1.4
Old Description | New Description |
---|---|
Adversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies, tokens, or other materials to authenticate and authorize user access. Adversaries may generate these credential materials in order to gain access to web resources. This differs from [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539), [Steal Application Access Token](https://attack.mitre.org/techniques/T1528), and other similar behaviors in that the credentials are new and forged by the adversary, rather than stolen or intercepted from legitimate users. The generation of web credentials often requires secret values, such as passwords, [Private Keys](https://attack.mitre.org/techniques/T1552/004), or other cryptographic seed values.(Citation: GitHub AWS-ADFS-Credential-Generator) Adversaries may also forge tokens by taking advantage of features such as the `AssumeRole` and `GetFederationToken` APIs in AWS, which allow users to request temporary security credentials.(Citation: AWS Temporary Security Credentials) Once forged, adversaries may use these web credentials to access resources (ex: [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550)), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Pass The Cookie)(Citation: Unit 42 Mac Crypto Cookies January 2019)(Citation: Microsoft SolarWinds Customer Guidance) | Adversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies, tokens, or other materials to authenticate and authorize user access. Adversaries may generate these credential materials in order to gain access to web resources. This differs from [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539), [Steal Application Access Token](https://attack.mitre.org/techniques/T1528), and other similar behaviors in that the credentials are new and forged by the adversary, rather than stolen or intercepted from legitimate users. The generation of web credentials often requires secret values, such as passwords, [Private Keys](https://attack.mitre.org/techniques/T1552/004), or other cryptographic seed values.(Citation: GitHub AWS-ADFS-Credential-Generator) Adversaries may also forge tokens by taking advantage of features such as the `AssumeRole` and `GetFederationToken` APIs in AWS, which allow users to request temporary security credentials (i.e., [Temporary Elevated Cloud Access](https://attack.mitre.org/techniques/T1548/005)), or the `zmprov gdpak` command in Zimbra, which generates a pre-authentication key that can be used to generate tokens for any user in the domain.(Citation: AWS Temporary Security Credentials)(Citation: Zimbra Preauth) Once forged, adversaries may use these web credentials to access resources (ex: [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550)), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Pass The Cookie)(Citation: Unit 42 Mac Crypto Cookies January 2019)(Citation: Microsoft SolarWinds Customer Guidance) |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-05-04 18:05:16.877000+00:00 | 2023-10-15 11:10:03.428000+00:00 |
description | Adversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies, tokens, or other materials to authenticate and authorize user access. Adversaries may generate these credential materials in order to gain access to web resources. This differs from [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539), [Steal Application Access Token](https://attack.mitre.org/techniques/T1528), and other similar behaviors in that the credentials are new and forged by the adversary, rather than stolen or intercepted from legitimate users. The generation of web credentials often requires secret values, such as passwords, [Private Keys](https://attack.mitre.org/techniques/T1552/004), or other cryptographic seed values.(Citation: GitHub AWS-ADFS-Credential-Generator) Adversaries may also forge tokens by taking advantage of features such as the `AssumeRole` and `GetFederationToken` APIs in AWS, which allow users to request temporary security credentials.(Citation: AWS Temporary Security Credentials) Once forged, adversaries may use these web credentials to access resources (ex: [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550)), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Pass The Cookie)(Citation: Unit 42 Mac Crypto Cookies January 2019)(Citation: Microsoft SolarWinds Customer Guidance) | Adversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies, tokens, or other materials to authenticate and authorize user access. Adversaries may generate these credential materials in order to gain access to web resources. This differs from [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539), [Steal Application Access Token](https://attack.mitre.org/techniques/T1528), and other similar behaviors in that the credentials are new and forged by the adversary, rather than stolen or intercepted from legitimate users. The generation of web credentials often requires secret values, such as passwords, [Private Keys](https://attack.mitre.org/techniques/T1552/004), or other cryptographic seed values.(Citation: GitHub AWS-ADFS-Credential-Generator) Adversaries may also forge tokens by taking advantage of features such as the `AssumeRole` and `GetFederationToken` APIs in AWS, which allow users to request temporary security credentials (i.e., [Temporary Elevated Cloud Access](https://attack.mitre.org/techniques/T1548/005)), or the `zmprov gdpak` command in Zimbra, which generates a pre-authentication key that can be used to generate tokens for any user in the domain.(Citation: AWS Temporary Security Credentials)(Citation: Zimbra Preauth) Once forged, adversaries may use these web credentials to access resources (ex: [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550)), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Pass The Cookie)(Citation: Unit 42 Mac Crypto Cookies January 2019)(Citation: Microsoft SolarWinds Customer Guidance) |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.3 | 1.4 |
STIX Field | Old value | New Value |
---|---|---|
external_references | {'source_name': 'Zimbra Preauth', 'description': 'Zimbra. (2023, March 16). Preauth. Retrieved May 31, 2023.', 'url': 'https://wiki.zimbra.com/wiki/Preauth'} |
Current version: 1.1
Version changed from: 1.0 → 1.1
New Mitigations:
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-05-19 16:29:47.637000+00:00 | 2023-07-14 14:01:41.475000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
x_mitre_version | 1.0 | 1.1 |
Current version: 1.5
Version changed from: 1.4 → 1.5
New Mitigations:
New Detections:
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-15 00:48:46.626000+00:00 | 2023-10-20 16:43:53.391000+00:00 |
external_references[1]['url'] | https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/#:~:text=Don’t%20Sleep%20has%20the%20capability%20to%20keep%20the%20computer%20from%20being%20shutdown%20and%20the%20user%20from%20being%20signed%20off.%20This%20was%20likely%20done%20to%20ensure%20nothing%20will%20interfere%20with%20the%20propagation%20of%20the%20ransomware%20payload | https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/ |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.4 | 1.5 |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_data_sources | File: File Modification | |
x_mitre_data_sources | Process: Process Modification | |
x_mitre_data_sources | File: File Deletion | |
x_mitre_data_sources | Process: OS API Execution |
Current version: 1.3
Version changed from: 1.2 → 1.3
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-12 15:25:10.496000+00:00 | 2023-09-18 22:23:55.329000+00:00 |
x_mitre_version | 1.2 | 1.3 |
Current version: 2.3
Version changed from: 2.2 → 2.3
New Detections:
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-14 19:27:57.370000+00:00 | 2023-10-03 21:27:20.702000+00:00 |
description | Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as [ftp](https://attack.mitre.org/software/S0095). Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)). Files can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) On Windows, adversaries may use various utilities to download tools, such as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as `IEX(New-Object Net.WebClient).downloadString()` and `Invoke-WebRequest`. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas) | Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as [ftp](https://attack.mitre.org/software/S0095). Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)). On Windows, adversaries may use various utilities to download tools, such as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as `IEX(New-Object Net.WebClient).downloadString()` and `Invoke-WebRequest`. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas) Adversaries may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts. Files can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers the file onto the victim's machine.(Citation: Dropbox Malware Sync) |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 2.2 | 2.3 |
STIX Field | Old value | New Value |
---|---|---|
external_references | {'source_name': 'Dropbox Malware Sync', 'description': 'David Talbot. (2013, August 21). Dropbox and Similar Services Can Sync Malware. Retrieved May 31, 2023.', 'url': 'https://www.technologyreview.com/2013/08/21/83143/dropbox-and-similar-services-can-sync-malware/'} | |
x_mitre_contributors | Shailesh Tiwary (Indian Army) | |
x_mitre_contributors | The DFIR Report | |
x_mitre_contributors | Alain Homewood | |
x_mitre_data_sources | Command: Command Execution |
Current version: 1.3
Version changed from: 1.2 → 1.3
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-05-04 18:05:57.725000+00:00 | 2023-10-03 17:30:59.482000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.2 | 1.3 |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_contributors | Joey Lei | |
x_mitre_platforms | Containers |
Current version: 1.2
Version changed from: 1.1 → 1.2
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['Administrator', 'User'] |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 21:01:45.661000+00:00 | 2023-09-15 17:26:02.203000+00:00 |
x_mitre_version | 1.1 | 1.2 |
Current version: 1.2
Version changed from: 1.1 → 1.2
STIX Field | Old value | New Value |
---|---|---|
x_mitre_contributors | ['TruKno'] | |
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['Administrator', 'root', 'SYSTEM', 'User'] |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 21:01:37.930000+00:00 | 2023-10-01 14:01:12.167000+00:00 |
description | Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured. Keylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.(Citation: Adventures of a Keystroke) Some methods include: * Hooking API callbacks used for processing keystrokes. Unlike [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004), this focuses solely on API functions intended for processing keystroke data. * Reading raw keystroke data from the hardware buffer. * Windows Registry modifications. * Custom drivers. * [Modify System Image](https://attack.mitre.org/techniques/T1601) may provide adversaries with hooks into the operating system of network devices to read raw keystrokes for login sessions.(Citation: Cisco Blog Legacy Device Attacks) | Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured. In order to increase the likelihood of capturing credentials quickly, an adversary may also perform actions such as clearing browser cookies to force users to reauthenticate to systems.(Citation: Talos Kimsuky Nov 2021) Keylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.(Citation: Adventures of a Keystroke) Some methods include: * Hooking API callbacks used for processing keystrokes. Unlike [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004), this focuses solely on API functions intended for processing keystroke data. * Reading raw keystroke data from the hardware buffer. * Windows Registry modifications. * Custom drivers. * [Modify System Image](https://attack.mitre.org/techniques/T1601) may provide adversaries with hooks into the operating system of network devices to read raw keystrokes for login sessions.(Citation: Cisco Blog Legacy Device Attacks) |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.1 | 1.2 |
STIX Field | Old value | New Value |
---|---|---|
external_references | {'source_name': 'Talos Kimsuky Nov 2021', 'description': 'An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.', 'url': 'https://blog.talosintelligence.com/2021/11/kimsuky-abuses-blogs-delivers-malware.html'} |
Current version: 1.3
Version changed from: 1.2 → 1.3
New Detections:
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-03 18:54:21.492000+00:00 | 2023-07-24 18:52:29.338000+00:00 |
x_mitre_version | 1.2 | 1.3 |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_contributors | Olaf Hartong, Falcon Force | |
x_mitre_data_sources | Windows Registry: Windows Registry Key Modification | |
x_mitre_data_sources | Logon Session: Logon Session Creation |
Current version: 1.3
Version changed from: 1.2 → 1.3
STIX Field | Old value | New Value |
---|---|---|
x_mitre_contributors | ['Shailesh Tiwary (Indian Army)'] |
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-19 15:34:49.016000+00:00 | 2023-10-01 13:48:28.738000+00:00 |
description | Adversaries may transfer tools or other files between systems in a compromised environment. Once brought into the victim environment (i.e. [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) files may then be copied from one system to another to stage adversary tools or other files over the course of an operation. Adversaries may copy files between internal victim systems to support lateral movement using inherent file sharing protocols such as file sharing over [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) to connected network shares or with authenticated connections via [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001).(Citation: Unit42 LockerGoga 2019) Files can also be transferred using native or otherwise present tools on the victim system, such as scp, rsync, curl, sftp, and [ftp](https://attack.mitre.org/software/S0095). | Adversaries may transfer tools or other files between systems in a compromised environment. Once brought into the victim environment (i.e., [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) files may then be copied from one system to another to stage adversary tools or other files over the course of an operation. Adversaries may copy files between internal victim systems to support lateral movement using inherent file sharing protocols such as file sharing over [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) to connected network shares or with authenticated connections via [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001).(Citation: Unit42 LockerGoga 2019) Files can also be transferred using native or otherwise present tools on the victim system, such as scp, rsync, curl, sftp, and [ftp](https://attack.mitre.org/software/S0095). In some cases, adversaries may be able to leverage [Web Service](https://attack.mitre.org/techniques/T1102)s such as Dropbox or OneDrive to copy files from one machine to another via shared, automatically synced folders.(Citation: Dropbox Malware Sync) |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.2 | 1.3 |
STIX Field | Old value | New Value |
---|---|---|
external_references | {'source_name': 'Dropbox Malware Sync', 'description': 'David Talbot. (2013, August 21). Dropbox and Similar Services Can Sync Malware. Retrieved May 31, 2023.', 'url': 'https://www.technologyreview.com/2013/08/21/83143/dropbox-and-similar-services-can-sync-malware/'} |
Current version: 1.2
Version changed from: 1.1 → 1.2
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | 3.1.0 | |
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User', 'root'] |
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-09-13 21:08:09.985000+00:00 | 2023-08-14 17:54:22.970000+00:00 |
x_mitre_version | 1.1 | 1.2 |
Current version: 1.3
Version changed from: 1.2 → 1.3
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-12 23:23:35.209000+00:00 | 2023-10-16 17:40:37.995000+00:00 |
description | Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. With a sufficient level of access, the `net user /add` command can be used to create a local account. On macOS systems the `dscl -create` command can be used to create a local account. Local accounts may also be added to network devices, often via common [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `username`.(Citation: cisco_username_cmd) Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system. | Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. For example, with a sufficient level of access, the Windows `net user /add` command can be used to create a local account. On macOS systems the `dscl -create` command can be used to create a local account. Local accounts may also be added to network devices, often via common [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `username`, or to Kubernetes clusters using the `kubectl` utility.(Citation: cisco_username_cmd)(Citation: Kubernetes Service Accounts Security) Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system. |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.2 | 1.3 |
STIX Field | Old value | New Value |
---|---|---|
external_references | {'source_name': 'Kubernetes Service Accounts Security', 'description': 'Kubernetes. (n.d.). Service Accounts. Retrieved July 14, 2023.', 'url': 'https://kubernetes.io/docs/concepts/security/service-accounts/'} | |
x_mitre_platforms | Containers |
Current version: 1.4
Version changed from: 1.3 → 1.4
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-13 17:17:49.889000+00:00 | 2023-07-14 13:04:04.591000+00:00 |
x_mitre_version | 1.3 | 1.4 |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Network |
Current version: 1.3
Version changed from: 1.2 → 1.3
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | 3.1.0 | |
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-15 23:57:07.973000+00:00 | 2023-08-14 19:23:58.317000+00:00 |
x_mitre_version | 1.2 | 1.3 |
Current version: 1.2
Version changed from: 1.1 → 1.2
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | 3.2.0 | |
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User', 'Administrator', 'SYSTEM'] |
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-18 13:24:52.618000+00:00 | 2023-09-29 20:30:58.300000+00:00 |
x_mitre_version | 1.1 | 1.2 |
Current version: 1.6
Version changed from: 1.5 → 1.6
New Mitigations:
New Detections:
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-07 17:04:34.648000+00:00 | 2023-10-15 09:52:11.875000+00:00 |
description | Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names. Renaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1036).(Citation: LOLBAS Main Site) | Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names. Renaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1036).(Citation: LOLBAS Main Site) Masquerading may also include the use of [Proxy](https://attack.mitre.org/techniques/T1090) or VPNs to disguise IP addresses, which can allow adversaries to blend in with normal network traffic and bypass conditional access policies or anti-abuse protections. |
external_references[2]['url'] | http://pages.endgame.com/rs/627-YBU-612/images/EndgameJournal_The%20Masquerade%20Ball_Pages_R2.pdf | https://www.elastic.co/blog/how-hunt-masquerade-ball |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.5 | 1.6 |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_contributors | Goldstein Menachem | |
x_mitre_data_sources | Process: Process Creation | |
x_mitre_data_sources | Process: OS API Execution |
Current version: 1.2
Version changed from: 1.1 → 1.2
New Detections:
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 21:01:42.277000+00:00 | 2023-09-14 21:12:48.409000+00:00 |
external_references[3]['url'] | http://pages.endgame.com/rs/627-YBU-612/images/EndgameJournal_The%20Masquerade%20Ball_Pages_R2.pdf | https://www.elastic.co/blog/how-hunt-masquerade-ball |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
x_mitre_version | 1.1 | 1.2 |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_data_sources | Process: Process Creation |
Current version: 1.2
Version changed from: 1.1 → 1.2
New Detections:
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | 3.1.0 | |
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User'] |
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-04-20 14:51:01.759000+00:00 | 2023-09-05 20:45:22.041000+00:00 |
x_mitre_version | 1.1 | 1.2 |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_data_sources | Cloud Service: Cloud Service Metadata |
Current version: 1.4
Version changed from: 1.3 → 1.4
New Detections:
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-21 12:19:38.962000+00:00 | 2023-08-14 19:19:54.148000+00:00 |
x_mitre_version | 1.3 | 1.4 |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_data_sources | Network Traffic: Network Traffic Flow |
Current version: 1.1
Version changed from: 1.0 → 1.1
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-02-09 14:18:59.080000+00:00 | 2023-10-16 16:47:26.119000+00:00 |
external_references[2]['description'] | Manidant. (n.d.). APT42: Crooked Charms, Cons and Compromise. Retrieved September 16, 2022. | Mandiant. (n.d.). APT42: Crooked Charms, Cons and Compromise. Retrieved September 16, 2022. |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.0 | 1.1 |
Current version: 1.2
Version changed from: 1.1 → 1.2
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | 3.1.0 | |
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['Administrator'] |
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-03-08 21:00:52.774000+00:00 | 2023-07-28 14:41:38.908000+00:00 |
x_mitre_version | 1.1 | 1.2 |
Current version: 2.2
Version changed from: 2.1 → 2.2
Old Description | New Description | ||||
---|---|---|---|---|---|
t | 1 | Adversaries may interact with the native OS application prog | t | 1 | Adversaries may interact with the native OS application prog |
> | ramming interface (API) to execute behaviors. Native APIs pr | > | ramming interface (API) to execute behaviors. Native APIs pr | ||
> | ovide a controlled means of calling low-level OS services wi | > | ovide a controlled means of calling low-level OS services wi | ||
> | thin the kernel, such as those involving hardware/devices, m | > | thin the kernel, such as those involving hardware/devices, m | ||
> | emory, and processes.(Citation: NT API Windows)(Citation: Li | > | emory, and processes.(Citation: NT API Windows)(Citation: Li | ||
> | nux Kernel API) These native APIs are leveraged by the OS du | > | nux Kernel API) These native APIs are leveraged by the OS du | ||
> | ring system boot (when other system components are not yet i | > | ring system boot (when other system components are not yet i | ||
> | nitialized) as well as carrying out tasks and requests durin | > | nitialized) as well as carrying out tasks and requests durin | ||
> | g routine operations. Native API functions (such as <code>N | > | g routine operations. Adversaries may abuse these OS API fu | ||
> | tCreateProcess</code>) may be directed invoked via system ca | > | nctions as a means of executing behaviors. Similar to [Comma | ||
> | lls / syscalls, but these features are also often exposed to | > | nd and Scripting Interpreter](https://attack.mitre.org/techn | ||
> | user-mode applications via interfaces and libraries.(Citati | > | iques/T1059), the native API and its hierarchy of interfaces | ||
> | on: OutFlank System Calls)(Citation: CyberBit System Calls)( | > | provide mechanisms to interact with and utilize various com | ||
> | Citation: MDSec System Calls) For example, functions such as | > | ponents of a victimized system. Native API functions (such | ||
> | the Windows API <code>CreateProcess()</code> or GNU <code>f | > | as <code>NtCreateProcess</code>) may be directed invoked via | ||
> | ork()</code> will allow programs and scripts to start other | > | system calls / syscalls, but these features are also often | ||
> | processes.(Citation: Microsoft CreateProcess)(Citation: GNU | > | exposed to user-mode applications via interfaces and librari | ||
> | Fork) This may allow API callers to execute a binary, run a | > | es.(Citation: OutFlank System Calls)(Citation: CyberBit Syst | ||
> | CLI command, load modules, etc. as thousands of similar API | > | em Calls)(Citation: MDSec System Calls) For example, functio | ||
> | functions exist for various system operations.(Citation: Mic | > | ns such as the Windows API <code>CreateProcess()</code> or G | ||
> | rosoft Win32)(Citation: LIBC)(Citation: GLIBC) Higher level | > | NU <code>fork()</code> will allow programs and scripts to st | ||
> | software frameworks, such as Microsoft .NET and macOS Cocoa | > | art other processes.(Citation: Microsoft CreateProcess)(Cita | ||
> | , are also available to interact with native APIs. These fra | > | tion: GNU Fork) This may allow API callers to execute a bina | ||
> | meworks typically provide language wrappers/abstractions to | > | ry, run a CLI command, load modules, etc. as thousands of si | ||
> | API functionalities and are designed for ease-of-use/portabi | > | milar API functions exist for various system operations.(Cit | ||
> | lity of code.(Citation: Microsoft NET)(Citation: Apple Core | > | ation: Microsoft Win32)(Citation: LIBC)(Citation: GLIBC) Hi | ||
> | Services)(Citation: MACOS Cocoa)(Citation: macOS Foundation) | > | gher level software frameworks, such as Microsoft .NET and m | ||
> | Adversaries may abuse these OS API functions as a means of | > | acOS Cocoa, are also available to interact with native APIs. | ||
> | executing behaviors. Similar to [Command and Scripting Inte | > | These frameworks typically provide language wrappers/abstra | ||
> | rpreter](https://attack.mitre.org/techniques/T1059), the nat | > | ctions to API functionalities and are designed for ease-of-u | ||
> | ive API and its hierarchy of interfaces provide mechanisms t | > | se/portability of code.(Citation: Microsoft NET)(Citation: A | ||
> | o interact with and utilize various components of a victimiz | > | pple Core Services)(Citation: MACOS Cocoa)(Citation: macOS F | ||
> | ed system. While invoking API functions, adversaries may als | > | oundation) Adversaries may use assembly to directly or in-d | ||
> | o attempt to bypass defensive tools (ex: unhooking monitored | > | irectly invoke syscalls in an attempt to subvert defensive s | ||
> | functions via [Disable or Modify Tools](https://attack.mitr | > | ensors and detection signatures such as user mode API-hooks. | ||
> | e.org/techniques/T1562/001)). | > | (Citation: Redops Syscalls) Adversaries may also attempt to | ||
> | tamper with sensors and defensive tools associated with API | ||||
> | monitoring, such as unhooking monitored functions via [Disab | ||||
> | le or Modify Tools](https://attack.mitre.org/techniques/T156 | ||||
> | 2/001). |
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-19 20:30:00.118000+00:00 | 2023-10-13 16:01:07.538000+00:00 |
description | Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Native API functions (such as NtCreateProcess ) may be directed invoked via system calls / syscalls, but these features are also often exposed to user-mode applications via interfaces and libraries.(Citation: OutFlank System Calls)(Citation: CyberBit System Calls)(Citation: MDSec System Calls) For example, functions such as the Windows API CreateProcess() or GNU fork() will allow programs and scripts to start other processes.(Citation: Microsoft CreateProcess)(Citation: GNU Fork) This may allow API callers to execute a binary, run a CLI command, load modules, etc. as thousands of similar API functions exist for various system operations.(Citation: Microsoft Win32)(Citation: LIBC)(Citation: GLIBC)
Higher level software frameworks, such as Microsoft .NET and macOS Cocoa, are also available to interact with native APIs. These frameworks typically provide language wrappers/abstractions to API functionalities and are designed for ease-of-use/portability of code.(Citation: Microsoft NET)(Citation: Apple Core Services)(Citation: MACOS Cocoa)(Citation: macOS Foundation)
Adversaries may abuse these OS API functions as a means of executing behaviors. Similar to [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), the native API and its hierarchy of interfaces provide mechanisms to interact with and utilize various components of a victimized system. While invoking API functions, adversaries may also attempt to bypass defensive tools (ex: unhooking monitored functions via [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001)). | Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Adversaries may abuse these OS API functions as a means of executing behaviors. Similar to [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), the native API and its hierarchy of interfaces provide mechanisms to interact with and utilize various components of a victimized system.
Native API functions (such as NtCreateProcess ) may be directed invoked via system calls / syscalls, but these features are also often exposed to user-mode applications via interfaces and libraries.(Citation: OutFlank System Calls)(Citation: CyberBit System Calls)(Citation: MDSec System Calls) For example, functions such as the Windows API CreateProcess() or GNU fork() will allow programs and scripts to start other processes.(Citation: Microsoft CreateProcess)(Citation: GNU Fork) This may allow API callers to execute a binary, run a CLI command, load modules, etc. as thousands of similar API functions exist for various system operations.(Citation: Microsoft Win32)(Citation: LIBC)(Citation: GLIBC)
Higher level software frameworks, such as Microsoft .NET and macOS Cocoa, are also available to interact with native APIs. These frameworks typically provide language wrappers/abstractions to API functionalities and are designed for ease-of-use/portability of code.(Citation: Microsoft NET)(Citation: Apple Core Services)(Citation: MACOS Cocoa)(Citation: macOS Foundation)
Adversaries may use assembly to directly or in-directly invoke syscalls in an attempt to subvert defensive sensors and detection signatures such as user mode API-hooks.(Citation: Redops Syscalls) Adversaries may also attempt to tamper with sensors and defensive tools associated with API monitoring, such as unhooking monitored functions via [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001). |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 2.1 | 2.2 |
STIX Field | Old value | New Value |
---|---|---|
external_references | {'source_name': 'Redops Syscalls', 'description': 'Feichter, D. (2023, June 30). Direct Syscalls vs Indirect Syscalls. Retrieved September 27, 2023.', 'url': 'https://redops.at/en/blog/direct-syscalls-vs-indirect-syscalls'} | |
x_mitre_contributors | Tristan Madani (Cybereason) |
Current version: 3.1
Version changed from: 3.0 → 3.1
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 21:01:43.682000+00:00 | 2023-08-11 21:10:09.547000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
x_mitre_version | 3.0 | 3.1 |
Current version: 3.2
Version changed from: 3.1 → 3.2
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User'] |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 21:01:46.370000+00:00 | 2023-09-29 19:44:43.870000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 3.1 | 3.2 |
Current version: 1.5
Version changed from: 1.4 → 1.5
New Mitigations:
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-12 23:31:49.085000+00:00 | 2023-07-10 15:48:01.560000+00:00 |
x_mitre_version | 1.4 | 1.5 |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_contributors | Itamar Mizrahi, Cymptom |
Current version: 2.3
Version changed from: 2.2 → 2.3
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-20 19:11:53.499000+00:00 | 2023-09-29 21:07:31.570000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 2.2 | 2.3 |
Current version: 1.5
Version changed from: 1.4 → 1.5
New Mitigations:
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 21:01:43.857000+00:00 | 2023-08-28 19:17:53.015000+00:00 |
x_mitre_version | 1.4 | 1.5 |
Current version: 1.2
Version changed from: 1.1 → 1.2
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 21:01:45.141000+00:00 | 2023-07-28 18:24:16.246000+00:00 |
x_mitre_version | 1.1 | 1.2 |
Current version: 1.5
Version changed from: 1.4 → 1.5
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-14 23:04:08.394000+00:00 | 2023-10-16 16:57:41.743000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.4 | 1.5 |
Current version: 1.4
Version changed from: 1.3 → 1.4
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-14 23:04:38.816000+00:00 | 2023-10-16 16:55:18.014000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.3 | 1.4 |
Current version: 1.1
Version changed from: 1.0 → 1.1
Old Description | New Description | ||||
---|---|---|---|---|---|
t | 1 | Adversaries may execute their own malicious payloads by hija | t | 1 | Adversaries may execute their own malicious payloads by hija |
> | cking environment variables used to load libraries. Adversar | > | cking environment variables used to load libraries. The PATH | ||
> | ies may place a program in an earlier entry in the list of d | > | environment variable contains a list of directories (User a | ||
> | irectories stored in the PATH environment variable, which Wi | > | nd System) that the OS searches sequentially through in sear | ||
> | ndows will then execute when it searches sequentially throug | > | ch of the binary that was called from a script or the comman | ||
> | h that PATH listing in search of the binary that was called | > | d line. Adversaries can place a malicious program in an ea | ||
> | from a script or the command line. The PATH environment var | > | rlier entry in the list of directories stored in the PATH en | ||
> | iable contains a list of directories. Certain methods of exe | > | vironment variable, resulting in the operating system execut | ||
> | cuting a program (namely using cmd.exe or the command-line) | > | ing the malicious binary rather than the legitimate binary w | ||
> | rely solely on the PATH environment variable to determine th | > | hen it searches sequentially through that PATH listing. For | ||
> | e locations that are searched for a program when the path fo | > | example, on Windows if an adversary places a malicious prog | ||
> | r the program is not given. If any directories are listed in | > | ram named "net.exe" in `C:\example path`, which by default p | ||
> | the PATH environment variable before the Windows directory, | > | recedes `C:\Windows\system32\net.exe` in the PATH environmen | ||
> | <code>%SystemRoot%\system32</code> (e.g., <code>C:\Windows\ | > | t variable, when "net" is executed from the command-line the | ||
> | system32</code>), a program may be placed in the preceding d | > | `C:\example path` will be called instead of the system's le | ||
> | irectory that is named the same as a Windows program (such a | > | gitimate executable at `C:\Windows\system32\net.exe`. Some m | ||
> | s cmd, PowerShell, or Python), which will be executed when t | > | ethods of executing a program rely on the PATH environment v | ||
> | hat command is executed from a script or command-line. For | > | ariable to determine the locations that are searched when th | ||
> | example, if <code>C:\example path</code> precedes </code>C:\ | > | e path for the program is not given, such as executing progr | ||
> | Windows\system32</code> is in the PATH environment variable, | > | ams from a [Command and Scripting Interpreter](https://attac | ||
> | a program that is named net.exe and placed in <code>C:\exam | > | k.mitre.org/techniques/T1059).(Citation: ExpressVPN PATH env | ||
> | ple path</code> will be called instead of the Windows system | > | Windows 2021) Adversaries may also directly modify the $PA | ||
> | "net" when "net" is executed from the command-line. | > | TH variable specifying the directories to be searched. An a | ||
> | dversary can modify the `$PATH` variable to point to a direc | ||||
> | tory they have write access. When a program using the $PATH | ||||
> | variable is called, the OS searches the specified directory | ||||
> | and executes the malicious binary. On macOS, this can also b | ||||
> | e performed through modifying the $HOME variable. These vari | ||||
> | ables can be modified using the command-line, launchctl, [Un | ||||
> | ix Shell Configuration Modification](https://attack.mitre.or | ||||
> | g/techniques/T1546/004), or modifying the `/etc/paths.d` fol | ||||
> | der contents.(Citation: uptycs Fake POC linux malware 2023)( | ||||
> | Citation: nixCraft macOS PATH variables)(Citation: Elastic R | ||||
> | ules macOS launchctl 2022) |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 21:01:39.426000+00:00 | 2023-10-03 03:29:57.078000+00:00 |
description | Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. Adversaries may place a program in an earlier entry in the list of directories stored in the PATH environment variable, which Windows will then execute when it searches sequentially through that PATH listing in search of the binary that was called from a script or the command line.
The PATH environment variable contains a list of directories. Certain methods of executing a program (namely using cmd.exe or the command-line) rely solely on the PATH environment variable to determine the locations that are searched for a program when the path for the program is not given. If any directories are listed in the PATH environment variable before the Windows directory, %SystemRoot%\system32 (e.g., C:\Windows\system32 ), a program may be placed in the preceding directory that is named the same as a Windows program (such as cmd, PowerShell, or Python), which will be executed when that command is executed from a script or command-line.
For example, if C:\example path precedes C:\Windows\system32 is in the PATH environment variable, a program that is named net.exe and placed in C:\example path will be called instead of the Windows system "net" when "net" is executed from the command-line. | Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. The PATH environment variable contains a list of directories (User and System) that the OS searches sequentially through in search of the binary that was called from a script or the command line. Adversaries can place a malicious program in an earlier entry in the list of directories stored in the PATH environment variable, resulting in the operating system executing the malicious binary rather than the legitimate binary when it searches sequentially through that PATH listing. For example, on Windows if an adversary places a malicious program named "net.exe" in `C:\example path`, which by default precedes `C:\Windows\system32\net.exe` in the PATH environment variable, when "net" is executed from the command-line the `C:\example path` will be called instead of the system's legitimate executable at `C:\Windows\system32\net.exe`. Some methods of executing a program rely on the PATH environment variable to determine the locations that are searched when the path for the program is not given, such as executing programs from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059).(Citation: ExpressVPN PATH env Windows 2021) Adversaries may also directly modify the $PATH variable specifying the directories to be searched. An adversary can modify the `$PATH` variable to point to a directory they have write access. When a program using the $PATH variable is called, the OS searches the specified directory and executes the malicious binary. On macOS, this can also be performed through modifying the $HOME variable. 
These variables can be modified using the command-line, launchctl, [Unix Shell Configuration Modification](https://attack.mitre.org/techniques/T1546/004), or modifying the `/etc/paths.d` folder contents.(Citation: uptycs Fake POC linux malware 2023)(Citation: nixCraft macOS PATH variables)(Citation: Elastic Rules macOS launchctl 2022) |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.0 | 1.1 |
STIX Field | Old value | New Value |
---|---|---|
external_references | {'source_name': 'Elastic Rules macOS launchctl 2022', 'description': 'Elastic Security 7.17. (2022, February 1). Modification of Environment Variable via Launchctl. Retrieved September 28, 2023.', 'url': 'https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-4-modification-of-environment-variable-via-launchctl.html'} | |
external_references | {'source_name': 'ExpressVPN PATH env Windows 2021', 'description': 'ExpressVPN Security Team. (2021, November 16). Cybersecurity lessons: A PATH vulnerability in Windows. Retrieved September 28, 2023.', 'url': 'https://www.expressvpn.com/blog/cybersecurity-lessons-a-path-vulnerability-in-windows/'} | |
external_references | {'source_name': 'uptycs Fake POC linux malware 2023', 'description': 'Nischay Hegde and Siddartha Malladi. (2023, July 12). PoC Exploit: Fake Proof of Concept with Backdoor Malware. Retrieved September 28, 2023.', 'url': 'https://www.uptycs.com/blog/new-poc-exploit-backdoor-malware'} | |
external_references | {'source_name': 'nixCraft macOS PATH variables', 'description': 'Vivek Gite. (2023, August 22). MacOS – Set / Change $PATH Variable Command. Retrieved September 28, 2023.', 'url': 'https://www.cyberciti.biz/faq/appleosx-bash-unix-change-set-path-environment-variable/'} | |
x_mitre_platforms | macOS | |
x_mitre_platforms | Linux |
Current version: 2.4
Version changed from: 2.3 → 2.4
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-14 17:42:15.871000+00:00 | 2023-09-08 20:27:52.947000+00:00 |
x_mitre_version | 2.3 | 2.4 |
Current version: 1.3
Version changed from: 1.2 → 1.3
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-14 17:42:38.063000+00:00 | 2023-09-08 20:28:49.600000+00:00 |
x_mitre_version | 1.2 | 1.3 |
Current version: 1.1
Version changed from: 1.0 → 1.1
Old Description | New Description | ||||
---|---|---|---|---|---|
t | 1 | Adversaries may abuse print processors to run malicious DLLs | t | 1 | Adversaries may abuse print processors to run malicious DLLs |
> | during system boot for persistence and/or privilege escalat | > | during system boot for persistence and/or privilege escalat | ||
> | ion. Print processors are DLLs that are loaded by the print | > | ion. Print processors are DLLs that are loaded by the print | ||
> | spooler service, spoolsv.exe, during boot. Adversaries may | > | spooler service, `spoolsv.exe`, during boot.(Citation: Micro | ||
> | abuse the print spooler service by adding print processors | > | soft Intro Print Processors) Adversaries may abuse the prin | ||
> | that load malicious DLLs at startup. A print processor can b | > | t spooler service by adding print processors that load malic | ||
> | e installed through the <code>AddPrintProcessor</code> API c | > | ious DLLs at startup. A print processor can be installed thr | ||
> | all with an account that has <code>SeLoadDriverPrivilege</co | > | ough the <code>AddPrintProcessor</code> API call with an acc | ||
> | de> enabled. Alternatively, a print processor can be registe | > | ount that has <code>SeLoadDriverPrivilege</code> enabled. Al | ||
> | red to the print spooler service by adding the <code>HKLM\SY | > | ternatively, a print processor can be registered to the prin | ||
> | STEM\\[CurrentControlSet or ControlSet001]\Control\Print\Env | > | t spooler service by adding the <code>HKLM\SYSTEM\\[CurrentC | ||
> | ironments\\[Windows architecture: e.g., Windows x64]\Print P | > | ontrolSet or ControlSet001]\Control\Print\Environments\\[Win | ||
> | rocessors\\[user defined]\Driver</code> Registry key that po | > | dows architecture: e.g., Windows x64]\Print Processors\\[use | ||
> | ints to the DLL. For the print processor to be correctly ins | > | r defined]\Driver</code> Registry key that points to the DLL | ||
> | talled, it must be located in the system print-processor dir | > | . For the malicious print processor to be correctly install | ||
> | ectory that can be found with the <code>GetPrintProcessorDir | > | ed, the payload must be located in the dedicated system prin | ||
> | ectory</code> API call.(Citation: Microsoft AddPrintProcesso | > | t-processor directory, that can be found with the <code>GetP | ||
> | r May 2018) After the print processors are installed, the pr | > | rintProcessorDirectory</code> API call, or referenced via a | ||
> | int spooler service, which starts during boot, must be resta | > | relative path from this directory.(Citation: Microsoft AddPr | ||
> | rted in order for them to run.(Citation: ESET PipeMon May 20 | > | intProcessor May 2018) After the print processors are instal | ||
> | 20) The print spooler service runs under SYSTEM level permis | > | led, the print spooler service, which starts during boot, mu | ||
> | sions, therefore print processors installed by an adversary | > | st be restarted in order for them to run.(Citation: ESET Pip | ||
> | may run under elevated privileges. | > | eMon May 2020) The print spooler service runs under SYSTEM | ||
> | level permissions, therefore print processors installed by a | ||||
> | n adversary may run under elevated privileges. |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | 3.2.0 | |
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-10-09 16:05:36.344000+00:00 | 2023-10-04 14:16:17.655000+00:00 |
description | Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, spoolsv.exe, during boot.
Adversaries may abuse the print spooler service by adding print processors that load malicious DLLs at startup. A print processor can be installed through the AddPrintProcessor API call with an account that has SeLoadDriverPrivilege enabled. Alternatively, a print processor can be registered to the print spooler service by adding the HKLM\SYSTEM\\[CurrentControlSet or ControlSet001]\Control\Print\Environments\\[Windows architecture: e.g., Windows x64]\Print Processors\\[user defined]\Driver Registry key that points to the DLL. For the print processor to be correctly installed, it must be located in the system print-processor directory that can be found with the GetPrintProcessorDirectory API call.(Citation: Microsoft AddPrintProcessor May 2018) After the print processors are installed, the print spooler service, which starts during boot, must be restarted in order for them to run.(Citation: ESET PipeMon May 2020) The print spooler service runs under SYSTEM level permissions, therefore print processors installed by an adversary may run under elevated privileges. | Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, `spoolsv.exe`, during boot.(Citation: Microsoft Intro Print Processors)
Adversaries may abuse the print spooler service by adding print processors that load malicious DLLs at startup. A print processor can be installed through the AddPrintProcessor API call with an account that has SeLoadDriverPrivilege enabled. Alternatively, a print processor can be registered to the print spooler service by adding the HKLM\SYSTEM\\[CurrentControlSet or ControlSet001]\Control\Print\Environments\\[Windows architecture: e.g., Windows x64]\Print Processors\\[user defined]\Driver Registry key that points to the DLL.
For the malicious print processor to be correctly installed, the payload must be located in the dedicated system print-processor directory, that can be found with the GetPrintProcessorDirectory API call, or referenced via a relative path from this directory.(Citation: Microsoft AddPrintProcessor May 2018) After the print processors are installed, the print spooler service, which starts during boot, must be restarted in order for them to run.(Citation: ESET PipeMon May 2020)
The print spooler service runs under SYSTEM level permissions, therefore print processors installed by an adversary may run under elevated privileges. |
x_mitre_version | 1.0 | 1.1 |
STIX Field | Old value | New Value |
---|---|---|
external_references | {'source_name': 'Microsoft Intro Print Processors', 'description': 'Microsoft. (2023, June 26). Introduction to print processors. Retrieved September 27, 2023.', 'url': 'https://learn.microsoft.com/windows-hardware/drivers/print/introduction-to-print-processors'} | |
x_mitre_contributors | Tahseen Bin Taj |
Current version: 1.4
Version changed from: 1.3 → 1.4
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-12 23:34:02.125000+00:00 | 2023-08-11 21:40:56.448000+00:00 |
x_mitre_version | 1.3 | 1.4 |
Current version: 1.3
Version changed from: 1.2 → 1.3
New Detections:
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | 3.1.0 | |
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-11-29 17:22:32.704000+00:00 | 2023-08-11 21:37:00.009000+00:00 |
x_mitre_version | 1.2 | 1.3 |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_data_sources | Process: Process Creation |
Current version: 1.1
Version changed from: 1.0 → 1.1
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | 3.1.0 | |
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['SYSTEM'] |
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-23 23:24:39.182000+00:00 | 2023-08-14 15:37:02.771000+00:00 |
x_mitre_version | 1.0 | 1.1 |
Current version: 1.1
Version changed from: 1.0 → 1.1
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 16:21:09.679000+00:00 | 2023-09-29 21:09:49.267000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.0 | 1.1 |
Current version: 2.2
Version changed from: 2.1 → 2.2
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 14:54:10.899000+00:00 | 2023-09-28 16:23:51.194000+00:00 |
description | An adversary may use legitimate desktop support and remote access software, such as Team Viewer, AnyDesk, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.(Citation: Symantec Living off the Land) Remote access tools may be installed and used post-compromise as alternate communications channel for redundant access or as a way to establish an interactive remote desktop session with the target system. They may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary controlled system. Installation of many remote access tools may also include persistence (ex: the tool's installation routine creates a [Windows Service](https://attack.mitre.org/techniques/T1543/003)). Admin tools such as TeamViewer have been used by several groups targeting institutions in countries of interest to the Russian state and criminal campaigns.(Citation: CrowdStrike 2015 Global Threat Report)(Citation: CrySyS Blog TeamSpy) | An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. 
These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.(Citation: Symantec Living off the Land)(Citation: CrowdStrike 2015 Global Threat Report)(Citation: CrySyS Blog TeamSpy) Remote access software may be installed and used post-compromise as an alternate communications channel for redundant access or as a way to establish an interactive remote desktop session with the target system. They may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary controlled system. Adversaries may similarly abuse response features included in EDR and other defensive tools that enable remote access. Installation of many remote access software may also include persistence (e.g., the software's installation routine creates a [Windows Service](https://attack.mitre.org/techniques/T1543/003)). |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 2.1 | 2.2 |
Current version: 1.2
Version changed from: 1.1 → 1.2
New Detections:
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['Remote Desktop Users', 'User'] |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 21:01:41.927000+00:00 | 2023-08-07 14:23:30.265000+00:00 |
x_mitre_version | 1.1 | 1.2 |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_data_sources | Logon Session: Logon Session Metadata |
Current version: 1.2
Version changed from: 1.1 → 1.2
New Detections:
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | 3.1.0 | |
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-03-25 13:12:56.909000+00:00 | 2023-05-31 12:34:03.420000+00:00 |
x_mitre_version | 1.1 | 1.2 |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_data_sources | Application Log: Application Log Content |
Current version: 1.4
Version changed from: 1.3 → 1.4
New Mitigations:
New Detections:
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 21:01:42.821000+00:00 | 2023-06-02 15:31:40.498000+00:00 |
x_mitre_version | 1.3 | 1.4 |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_data_sources | WMI: WMI Creation | |
x_mitre_platforms | IaaS |
Current version: 3.5
Version changed from: 3.4 → 3.5
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 21:01:50.033000+00:00 | 2023-08-14 19:08:59.741000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
x_mitre_version | 3.4 | 3.5 |
Current version: 1.4
Version changed from: 1.3 → 1.4
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-18 20:16:44.560000+00:00 | 2023-10-02 01:11:32.822000+00:00 |
description | Adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems, which may impact system and/or hosted service availability. One common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive.(Citation: Kaspersky Lazarus Under The Hood Blog 2017) Servers and cloud-based systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining.(Citation: CloudSploit - Unused AWS Regions) Containerized environments may also be targeted due to the ease of deployment via exposed APIs and the potential for scaling mining activities by deploying or compromising multiple containers within an environment or cluster.(Citation: Unit 42 Hildegard Malware)(Citation: Trend Micro Exposed Docker APIs) Additionally, some cryptocurrency mining malware identify then kill off processes for competing malware to ensure it’s not competing for resources.(Citation: Trend Micro War of Crypto Miners) Adversaries may also use malware that leverages a system's network bandwidth as part of a botnet in order to facilitate [Network Denial of Service](https://attack.mitre.org/techniques/T1498) campaigns and/or to seed malicious torrents.(Citation: GoBotKR) | Adversaries may leverage the resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability. One common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. 
Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive.(Citation: Kaspersky Lazarus Under The Hood Blog 2017) Servers and cloud-based systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining.(Citation: CloudSploit - Unused AWS Regions) Containerized environments may also be targeted due to the ease of deployment via exposed APIs and the potential for scaling mining activities by deploying or compromising multiple containers within an environment or cluster.(Citation: Unit 42 Hildegard Malware)(Citation: Trend Micro Exposed Docker APIs) Additionally, some cryptocurrency mining malware identify then kill off processes for competing malware to ensure it’s not competing for resources.(Citation: Trend Micro War of Crypto Miners) Adversaries may also use malware that leverages a system's network bandwidth as part of a botnet in order to facilitate [Network Denial of Service](https://attack.mitre.org/techniques/T1498) campaigns and/or to seed malicious torrents.(Citation: GoBotKR) Alternatively, they may engage in proxyjacking by selling use of the victims' network bandwidth and IP address to proxyware services.(Citation: Sysdig Proxyjacking) |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.3 | 1.4 |
STIX Field | Old value | New Value |
---|---|---|
external_references | {'source_name': 'Sysdig Proxyjacking', 'description': 'Crystal Morin. (2023, April 4). Proxyjacking has Entered the Chat. Retrieved July 6, 2023.', 'url': 'https://sysdig.com/blog/proxyjacking-attackers-log4j-exploited/'} | |
x_mitre_contributors | Goldstein Menachem |
Current version: 2.2
Version changed from: 2.1 → 2.2
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-21 12:25:32.096000+00:00 | 2023-08-14 15:35:28.965000+00:00 |
x_mitre_version | 2.1 | 2.2 |
Current version: 1.2
Version changed from: 1.1 → 1.2
New Detections:
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-03 18:57:59.554000+00:00 | 2023-07-28 17:34:51.250000+00:00 |
x_mitre_version | 1.1 | 1.2 |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_data_sources | Process: Process Creation |
Current version: 1.2
Version changed from: 1.1 → 1.2
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 21:01:49.323000+00:00 | 2023-08-11 20:24:03.069000+00:00 |
x_mitre_version | 1.1 | 1.2 |
Current version: 1.3
Version changed from: 1.2 → 1.3
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-12 23:28:34.599000+00:00 | 2023-10-03 17:38:21.121000+00:00 |
description | Adversaries may modify the SSH authorized_keys file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The authorized_keys file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under <user-home>/.ssh/authorized_keys .(Citation: SSH Authorized Keys) Users may edit the system’s SSH config file to modify the directives PubkeyAuthentication and RSAAuthentication to the value “yes” to ensure public key and RSA authentication are enabled. The SSH config file is usually located under /etc/ssh/sshd_config .
Adversaries may modify SSH authorized_keys files directly with scripts or shell commands to add their own adversary-supplied public keys. In cloud environments, adversaries may be able to modify the SSH authorized_keys file of a particular virtual machine via the command line interface or rest API. For example, by using the Google Cloud CLI’s “add-metadata” command an adversary may add SSH keys to a user account.(Citation: Google Cloud Add Metadata)(Citation: Google Cloud Privilege Escalation) Similarly, in Azure, an adversary may update the authorized_keys file of a virtual machine via a PATCH request to the API.(Citation: Azure Update Virtual Machines) This ensures that an adversary possessing the corresponding private key may log in as an existing user via SSH.(Citation: Venafi SSH Key Abuse)(Citation: Cybereason Linux Exim Worm)
Where authorized_keys files are modified via cloud APIs or command line interfaces, an adversary may achieve privilege escalation on the target virtual machine if they add a key to a higher-privileged user.
SSH keys can also be added to accounts on network devices, such as with the `ip ssh pubkey-chain` [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) command.(Citation: cisco_ip_ssh_pubkey_ch_cmd) | Adversaries may modify the SSH authorized_keys file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The authorized_keys file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under <user-home>/.ssh/authorized_keys .(Citation: SSH Authorized Keys) Users may edit the system’s SSH config file to modify the directives PubkeyAuthentication and RSAAuthentication to the value “yes” to ensure public key and RSA authentication are enabled. The SSH config file is usually located under /etc/ssh/sshd_config .
Adversaries may modify SSH authorized_keys files directly with scripts or shell commands to add their own adversary-supplied public keys. In cloud environments, adversaries may be able to modify the SSH authorized_keys file of a particular virtual machine via the command line interface or rest API. For example, by using the Google Cloud CLI’s “add-metadata” command an adversary may add SSH keys to a user account.(Citation: Google Cloud Add Metadata)(Citation: Google Cloud Privilege Escalation) Similarly, in Azure, an adversary may update the authorized_keys file of a virtual machine via a PATCH request to the API.(Citation: Azure Update Virtual Machines) This ensures that an adversary possessing the corresponding private key may log in as an existing user via SSH.(Citation: Venafi SSH Key Abuse)(Citation: Cybereason Linux Exim Worm) It may also lead to privilege escalation where the virtual machine or instance has distinct permissions from the requesting user.
Where authorized_keys files are modified via cloud APIs or command line interfaces, an adversary may achieve privilege escalation on the target virtual machine if they add a key to a higher-privileged user.
SSH keys can also be added to accounts on network devices, such as with the `ip ssh pubkey-chain` [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) command.(Citation: cisco_ip_ssh_pubkey_ch_cmd) |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.2 | 1.3 |
STIX Field | Old value | New Value |
---|---|---|
kill_chain_phases | {'kill_chain_name': 'mitre-attack', 'phase_name': 'privilege-escalation'} | |
x_mitre_contributors | Arad Inbar, Fidelis Security |
Current version: 1.4
Version changed from: 1.3 → 1.4
New Detections:
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-07 17:11:17.807000+00:00 | 2023-08-11 21:20:10.882000+00:00 |
external_references[1]['description'] | BlackB0lt. (2022, April 15). https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_removal_sd_value_scheduled_task_hide.yml. Retrieved June 1, 2022. | Sittikorn S. (2022, April 15). Removal Of SD Value to Hide Schedule Task - Registry. Retrieved June 1, 2022. |
external_references[1]['url'] | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_removal_sd_value_scheduled_task_hide.yml | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml |
x_mitre_version | 1.3 | 1.4 |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_data_sources | File: File Creation | |
x_mitre_data_sources | Network Traffic: Network Traffic Flow |
Current version: 1.2
Version changed from: 1.1 → 1.2
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-21 12:31:54.177000+00:00 | 2023-07-28 18:17:34.185000+00:00 |
x_mitre_version | 1.1 | 1.2 |
Current version: 1.1
Version changed from: 1.0 → 1.1
New Detections:
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-06-15 16:17:19.049000+00:00 | 2023-07-24 18:53:10.860000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
x_mitre_version | 1.0 | 1.1 |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_contributors | Olaf Hartong, Falcon Force | |
x_mitre_data_sources | File: File Creation |
Current version: 1.2
Version changed from: 1.1 → 1.2
New Detections:
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | 3.1.0 | |
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['Administrator', 'SYSTEM'] |
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-08-30 17:42:40.945000+00:00 | 2023-08-14 15:53:00.999000+00:00 |
x_mitre_version | 1.1 | 1.2 |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_data_sources | Network Traffic: Network Traffic Flow |
Current version: 2.2
Version changed from: 2.1 → 2.2
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-19 20:31:10.657000+00:00 | 2023-10-12 21:17:14.868000+00:00 |
description | Adversaries may execute malicious payloads via loading shared modules. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows [Native API](https://attack.mitre.org/techniques/T1106) which is called from functions like CreateProcess , LoadLibrary , etc. of the Win32 API.(Citation: Wikipedia Windows Library Files)
The module loader can load DLLs:
* via specification of the (fully-qualified or relative) DLL pathname in the IMPORT directory;
* via EXPORT forwarded to another DLL, specified with (fully-qualified or relative) pathname (but without extension);
* via an NTFS junction or symlink program.exe.local with the fully-qualified or relative pathname of a directory containing the DLLs specified in the IMPORT directory or forwarded EXPORTs;
* via <file name="filename.extension" loadFrom="fully-qualified or relative pathname"> in an embedded or external "application manifest". The file name refers to an entry in the IMPORT directory or a forwarded EXPORT.
Adversaries may use this functionality as a way to execute arbitrary payloads on a victim system. For example, malware may execute share modules to load additional components or features. | Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., [Native API](https://attack.mitre.org/techniques/T1106)). Adversaries may use this functionality as a way to execute arbitrary payloads on a victim system. For example, adversaries can modularize functionality of their malware into shared objects that perform various functions such as managing C2 network communications or execution of specific actions on objective. The Linux & macOS module loader can load and execute shared objects from arbitrary local paths. This functionality resides in `dlfcn.h` in functions such as `dlopen` and `dlsym`. Although macOS can execute `.so` files, common practice uses `.dylib` files.(Citation: Apple Dev Dynamic Libraries)(Citation: Linux Shared Libraries)(Citation: RotaJakiro 2021 netlab360 analysis)(Citation: Unit42 OceanLotus 2017) The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in `NTDLL.dll` and is part of the Windows [Native API](https://attack.mitre.org/techniques/T1106) which is called from functions like `LoadLibrary` at run time.(Citation: Microsoft DLL) |
external_references[1]['source_name'] | Wikipedia Windows Library Files | RotaJakiro 2021 netlab360 analysis |
external_references[1]['description'] | Wikipedia. (2017, January 31). Microsoft Windows library files. Retrieved February 13, 2017. | Alex Turing, Hui Wang. (2021, April 28). RotaJakiro: A long live secret backdoor with 0 VT detection. Retrieved June 14, 2023. |
external_references[1]['url'] | https://en.wikipedia.org/wiki/Microsoft_Windows_library_files | https://blog.netlab.360.com/stealth_rotajakiro_backdoor_en/ |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_detection | Monitoring DLL module loads may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances, since benign use of Windows modules load functions are common and may be difficult to distinguish from malicious behavior. Legitimate software will likely only need to load routine, bundled DLL modules or Windows system DLLs such that deviation from known module loads may be suspicious. Limiting DLL module loads to %SystemRoot% and %ProgramFiles% directories will protect against module loads from unsafe paths. Correlation of other events with behavior surrounding module loads using API monitoring and suspicious DLLs written to disk will provide additional context to an event that may assist in determining if it is due to malicious behavior. | Monitoring DLL module loads may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances, since benign use of Windows modules load functions are common and may be difficult to distinguish from malicious behavior. Legitimate software will likely only need to load routine, bundled DLL modules or Windows system DLLs such that deviation from known module loads may be suspicious. Limiting DLL module loads to `%SystemRoot%` and `%ProgramFiles%` directories will protect against module loads from unsafe paths. Correlation of other events with behavior surrounding module loads using API monitoring and suspicious DLLs written to disk will provide additional context to an event that may assist in determining if it is due to malicious behavior. |
x_mitre_version | 2.1 | 2.2 |
STIX Field | Old value | New Value |
---|---|---|
external_references | {'source_name': 'Apple Dev Dynamic Libraries', 'description': 'Apple. (2012, July 23). Overview of Dynamic Libraries. Retrieved September 7, 2023.', 'url': 'https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/OverviewOfDynamicLibraries.html'} | |
external_references | {'source_name': 'Unit42 OceanLotus 2017', 'description': 'Erye Hernandez and Danny Tsechansky. (2017, June 22). The New and Improved macOS Backdoor from OceanLotus. Retrieved September 8, 2023.', 'url': 'https://unit42.paloaltonetworks.com/unit42-new-improved-macos-backdoor-oceanlotus/'} | |
external_references | {'source_name': 'Microsoft DLL', 'description': 'Microsoft. (2023, April 28). What is a DLL. Retrieved September 7, 2023.', 'url': 'https://learn.microsoft.com/troubleshoot/windows-client/deployment/dynamic-link-library'} | |
external_references | {'source_name': 'Linux Shared Libraries', 'description': 'Wheeler, D. (2003, April 11). Shared Libraries. Retrieved September 7, 2023.', 'url': 'https://tldp.org/HOWTO/Program-Library-HOWTO/shared-libraries.html'} | |
x_mitre_platforms | macOS | |
x_mitre_platforms | Linux |
Current version: 2.2
Version changed from: 2.1 → 2.2
New Mitigations:
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User', 'Administrator', 'SYSTEM'] |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 21:01:36.669000+00:00 | 2023-09-27 20:31:36.724000+00:00 |
description | Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, HBSS, Altiris, etc.). Access to a third-party network-wide or enterprise-wide software system may enable an adversary to have remote code execution on all systems that are connected to such a system. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints. The permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform it's intended purpose. | Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, HBSS, Altiris, etc.). Access to a third-party network-wide or enterprise-wide software system may enable an adversary to have remote code execution on all systems that are connected to such a system. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints. Network infrastructure may also have administration tools that can be similarly abused by adversaries. (Citation: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation) The permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform it's intended purpose. |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 2.1 | 2.2 |
STIX Field | Old value | New Value |
---|---|---|
external_references | {'source_name': 'Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation', 'description': 'ALEXANDER MARVI, BRAD SLAYBAUGH, DAN EBREO, TUFAIL AHMED, MUHAMMAD UMAIR, TINA JOHNSON. (2023, March 16). Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation. Retrieved May 15, 2023.', 'url': 'https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem'} | |
x_mitre_contributors | Joe Gumke, U.S. Bank | |
x_mitre_platforms | Network |
Current version: 1.5
Version changed from: 1.4 → 1.5
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-15 17:38:48.406000+00:00 | 2023-10-02 01:44:28.081000+00:00 |
description | Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, the malicious emails contain links generally accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser.(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin) The given website may be a clone of a legitimate site (such as an online or corporate login portal) or may closely resemble a legitimate site in appearance and have a URL containing elements from the real site. Adversaries may also link to "web bugs" or "web beacons" within phishing messages to verify the receipt of an email, while also potentially profiling and tracking victim information such as IP address.(Citation: NIST Web Bug) Adversaries may also be able to spoof a complete website using what is known as a "browser-in-the-browser" (BitB) attack. By generating a fake browser popup window with an HTML-based address bar that appears to contain a legitimate URL (such as an authentication portal), they may be able to prompt users to enter their credentials while bypassing typical URL verification methods.(Citation: ZScaler BitB 2020)(Citation: Mr. D0x BitB 2022) From the fake website, information is gathered in web forms and sent to the adversary. Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures. | Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, the malicious emails contain links generally accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser.(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin) The given website may be a clone of a legitimate site (such as an online or corporate login portal) or may closely resemble a legitimate site in appearance and have a URL containing elements from the real site. URLs may also be obfuscated by taking advantage of quirks in the URL schema, such as the acceptance of integer- or hexadecimal-based hostname formats and the automatic discarding of text before an “@” symbol: for example, `hxxp://google.com@1157586937`.(Citation: Mandiant URL Obfuscation 2023) Adversaries may also link to "web bugs" or "web beacons" within phishing messages to verify the receipt of an email, while also potentially profiling and tracking victim information such as IP address.(Citation: NIST Web Bug) Adversaries may also be able to spoof a complete website using what is known as a "browser-in-the-browser" (BitB) attack. By generating a fake browser popup window with an HTML-based address bar that appears to contain a legitimate URL (such as an authentication portal), they may be able to prompt users to enter their credentials while bypassing typical URL verification methods.(Citation: ZScaler BitB 2020)(Citation: Mr. D0x BitB 2022) Adversaries can use phishing kits such as `EvilProxy` and `Evilginx2` to proxy the connection between the victim and the legitimate website. On a successful login, the victim is redirected to the legitimate website, while the adversary captures their session cookie (i.e., [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539)) in addition to their username and password. This may enable the adversary to then bypass MFA via [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004).(Citation: Proofpoint Human Factor) From the fake website, information is gathered in web forms and sent to the adversary. Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures. |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.4 | 1.5 |
STIX Field | Old value | New Value |
---|---|---|
external_references | {'source_name': 'Mandiant URL Obfuscation 2023', 'description': "Nick Simonian. (2023, May 22). Don't @ Me: URL Obfuscation Through Schema Abuse. Retrieved August 4, 2023.", 'url': 'https://www.mandiant.com/resources/blog/url-obfuscation-schema-abuse'} | |
external_references | {'source_name': 'Proofpoint Human Factor', 'description': 'Proofpoint. (n.d.). The Human Factor 2023: Analyzing the cyber attack chain. Retrieved July 20, 2023.', 'url': 'https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-human-factor-report.pdf'} | |
x_mitre_contributors | Austin Herrin |
Current version: 2.5
Version changed from: 2.4 → 2.5
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-11 00:44:21.193000+00:00 | 2023-09-06 14:08:51.616000+00:00 |
description | Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place. Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly. Additionally, adversaries may use seemingly benign links that abuse special characters to mimic legitimate websites (known as an "IDN homograph attack").(Citation: CISA IDN ST05-016) Adversaries may also utilize links to perform consent phishing, typically with OAuth 2.0 request URLs that when accepted by the user provide permissions/access for malicious applications, allowing adversaries to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s.(Citation: Trend Micro Pawn Storm OAuth 2017) These stolen access tokens allow the adversary to perform various actions on behalf of the user via API calls. (Citation: Microsoft OAuth 2.0 Consent Phishing 2021) | Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place. Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly. Additionally, adversaries may use seemingly benign links that abuse special characters to mimic legitimate websites (known as an "IDN homograph attack").(Citation: CISA IDN ST05-016) URLs may also be obfuscated by taking advantage of quirks in the URL schema, such as the acceptance of integer- or hexadecimal-based hostname formats and the automatic discarding of text before an “@” symbol: for example, `hxxp://google.com@1157586937`.(Citation: Mandiant URL Obfuscation 2023) Adversaries may also utilize links to perform consent phishing, typically with OAuth 2.0 request URLs that when accepted by the user provide permissions/access for malicious applications, allowing adversaries to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s.(Citation: Trend Micro Pawn Storm OAuth 2017) These stolen access tokens allow the adversary to perform various actions on behalf of the user via API calls. (Citation: Microsoft OAuth 2.0 Consent Phishing 2021) |
x_mitre_version | 2.4 | 2.5 |
STIX Field | Old value | New Value |
---|---|---|
external_references | {'source_name': 'Mandiant URL Obfuscation 2023', 'description': "Nick Simonian. (2023, May 22). Don't @ Me: URL Obfuscation Through Schema Abuse. Retrieved August 4, 2023.", 'url': 'https://www.mandiant.com/resources/blog/url-obfuscation-schema-abuse'} |
Current version: 1.6
Version changed from: 1.5 → 1.6
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 21:01:38.842000+00:00 | 2023-07-28 14:40:54.580000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
x_mitre_version | 1.5 | 1.6 |
Current version: 1.5
Version changed from: 1.4 → 1.5
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-12 23:35:40.261000+00:00 | 2023-09-29 19:50:06.736000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.4 | 1.5 |
Current version: 1.4
Version changed from: 1.3 → 1.4
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-12 20:13:07.604000+00:00 | 2023-10-09 16:19:01.408000+00:00 |
description | Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014) Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible. Systemd utilizes unit configuration files with the `.service` file extension to encode information about a service's process. By default, system level unit files are stored in the `/systemd/system` directory of the root owned directories (`/`). User level unit files are stored in the `/systemd/user` directories of the user owned directories (`$HOME`). (Citation: lambert systemd 2022) Service unit files use the following directives to execute system commands:(Citation: freedesktop systemd.service) * `ExecStart`, `ExecStartPre`, and `ExecStartPost` directives cover execution of commands when a service is started manually by `systemctl`, or on system start if the service is set to automatically start. * `ExecReload` directive covers when a service restarts. * `ExecStop`, `ExecStopPre`, and `ExecStopPost` directives cover when a service is stopped. Adversaries may abuse systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files systemd uses upon reboot or starting a service.(Citation: Anomali Rocke March 2019) Adversaries may also place symbolic links in these directories, enabling systemd to find these payloads regardless of where they reside on the filesystem. 
The `.service` file’s `User` directive can be used to run service as a specific user, which could result in privilege escalation based on specific user/group permissions.(Citation: Rapid7 Service Persistence 22JUNE2016) | Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014) Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible. Systemd utilizes unit configuration files with the `.service` file extension to encode information about a service's process. By default, system level unit files are stored in the `/systemd/system` directory of the root owned directories (`/`). User level unit files are stored in the `/systemd/user` directories of the user owned directories (`$HOME`).(Citation: lambert systemd 2022) Inside the `.service` unit files, the following directives are used to execute commands:(Citation: freedesktop systemd.service) * `ExecStart`, `ExecStartPre`, and `ExecStartPost` directives execute when a service is started manually by `systemctl` or on system start if the service is set to automatically start. * `ExecReload` directive executes when a service restarts. * `ExecStop`, `ExecStopPre`, and `ExecStopPost` directives execute when a service is stopped. Adversaries have created new service files, altered the commands a `.service` file’s directive executes, and modified the user directive a `.service` file executes as, which could result in privilege escalation. 
Adversaries may also place symbolic links in these directories, enabling systemd to find these payloads regardless of where they reside on the filesystem.(Citation: Anomali Rocke March 2019)(Citation: airwalk backdoor unix systems)(Citation: Rapid7 Service Persistence 22JUNE2016) |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.3 | 1.4 |
STIX Field | Old value | New Value |
---|---|---|
external_references | {'source_name': 'airwalk backdoor unix systems', 'description': 'airwalk. (2023, January 1). A guide to backdooring Unix systems. Retrieved May 31, 2023.', 'url': 'http://www.ouah.org/backdoors.html'} | |
x_mitre_contributors | Tim (Wadhwa-)Brown |
Current version: 1.2
Version changed from: 1.1 → 1.2
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | 3.1.0 | |
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-07-27 16:43:25.027000+00:00 | 2023-09-08 11:56:26.862000+00:00 |
description | Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the systemctl command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control)
Each .timer file must have a corresponding .service file with the same name, e.g., example.timer and example.service . .service files are [Systemd Service](https://attack.mitre.org/techniques/T1543/002) unit files that are managed by the systemd system and service manager.(Citation: Linux man-pages: systemd January 2014) Privileged timers are written to /etc/systemd/system/ and /usr/lib/systemd/system while user level are written to ~/.config/systemd/user/ .
An adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence.(Citation: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation: gist Arch package compromise 10JUL2018)(Citation: acroread package compromised Arch Linux Mail 8JUL2018) Timers installed using privileged paths may be used to maintain root level persistence. Adversaries may also install user level timers to achieve user level persistence. | Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the systemctl command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control)
Each .timer file must have a corresponding .service file with the same name, e.g., example.timer and example.service . .service files are [Systemd Service](https://attack.mitre.org/techniques/T1543/002) unit files that are managed by the systemd system and service manager.(Citation: Linux man-pages: systemd January 2014) Privileged timers are written to /etc/systemd/system/ and /usr/lib/systemd/system while user level are written to ~/.config/systemd/user/ .
An adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence.(Citation: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation: gist Arch package compromise 10JUL2018)(Citation: acroread package compromised Arch Linux Mail 8JUL2018) Timers installed using privileged paths may be used to maintain root level persistence. Adversaries may also install user level timers to achieve user level persistence.(Citation: Falcon Sandbox smp: 28553b3a9d) |
x_mitre_version | 1.1 | 1.2 |
STIX Field | Old value | New Value |
---|---|---|
external_references | {'source_name': 'Falcon Sandbox smp: 28553b3a9d', 'description': 'Hybrid Analysis. (2018, July 11). HybridAnalsysis of sample 28553b3a9d2ad4361d33d29ac4bf771d008e0073cec01b5561c6348a608f8dd7. Retrieved September 8, 2023.', 'url': 'https://www.hybrid-analysis.com/sample/28553b3a9d2ad4361d33d29ac4bf771d008e0073cec01b5561c6348a608f8dd7?environmentId=300'} |
Current version: 1.4
Version changed from: 1.3 → 1.4
New Mitigations:
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User'] |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 21:01:36.145000+00:00 | 2023-05-31 12:33:20.915000+00:00 |
x_mitre_version | 1.3 | 1.4 |
Current version: 1.2
Version changed from: 1.1 → 1.2
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-11 21:19:05.544000+00:00 | 2023-09-29 21:08:45.174000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.1 | 1.2 |
Current version: 1.2
Version changed from: 1.1 → 1.2
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-11 15:21:27.965000+00:00 | 2023-09-29 20:22:37.414000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.1 | 1.2 |
Current version: 1.3
Version changed from: 1.2 → 1.3
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | 3.1.0 | |
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User'] |
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-07-26 17:13:07.345000+00:00 | 2023-07-28 17:50:21.947000+00:00 |
x_mitre_version | 1.2 | 1.3 |
Current version: 1.4
Version changed from: 1.3 → 1.4
New Detections:
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-07 17:10:13.696000+00:00 | 2023-07-24 20:38:58.283000+00:00 |
x_mitre_version | 1.3 | 1.4 |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_contributors | Olaf Hartong, Falcon Force | |
x_mitre_data_sources | WMI: WMI Creation |
Current version: 1.2
Version changed from: 1.1 → 1.2
New Detections:
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | 3.1.0 | |
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User', 'Administrator'] |
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-06-23 19:22:52.870000+00:00 | 2023-08-11 15:26:41.941000+00:00 |
x_mitre_version | 1.1 | 1.2 |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_data_sources | Network Traffic: Network Traffic Flow |
Current version: 1.4
Version changed from: 1.3 → 1.4
New Detections:
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-21 12:30:35.872000+00:00 | 2023-09-15 16:42:25.014000+00:00 |
x_mitre_version | 1.3 | 1.4 |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_data_sources | Network Traffic: Network Traffic Flow | |
x_mitre_data_sources | File: File Metadata |
Current version: 1.1
Version changed from: 1.0 → 1.1
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 21:01:47.069000+00:00 | 2023-08-14 15:11:30.220000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
x_mitre_version | 1.0 | 1.1 |
Current version: 1.1
Version changed from: 1.0 → 1.1
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | 3.2.0 | |
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-11-10 15:55:10.103000+00:00 | 2023-10-16 16:35:12.501000+00:00 |
description | Adversaries may modify XDG autostart entries to execute programs or commands during system boot. Linux desktop environments that are XDG compliant implement functionality for XDG autostart entries. These entries will allow an application to automatically start during the startup of a desktop environment after user logon. By default, XDG autostart entries are stored within the /etc/xdg/autostart or ~/.config/autostart directories and have a .desktop file extension.(Citation: Free Desktop Application Autostart Feb 2006)
Within an XDG autostart entry file, the Type key specifies if the entry is an application (type 1), link (type 2) or directory (type 3). The Name key indicates an arbitrary name assigned by the creator and the Exec key indicates the application and command line arguments to execute.(Citation: Free Desktop Entry Keys)
Adversaries may use XDG autostart entries to maintain persistence by executing malicious commands and payloads, such as remote access tools, during the startup of a desktop environment. Commands included in XDG autostart entries with execute after user logon in the context of the currently logged on user. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make XDG autostart entries look as if they are associated with legitimate programs. | Adversaries may add or modify XDG Autostart Entries to execute malicious programs or commands when a user’s desktop environment is loaded at login. XDG Autostart entries are available for any XDG-compliant Linux system. XDG Autostart entries use Desktop Entry files (`.desktop`) to configure the user’s desktop environment upon user login. These configuration files determine what applications launch upon user login, define associated applications to open specific file types, and define applications used to open removable media.(Citation: Free Desktop Application Autostart Feb 2006)(Citation: Free Desktop Entry Keys) Adversaries may abuse this feature to establish persistence by adding a path to a malicious binary or command to the `Exec` directive in the `.desktop` configuration file. When the user’s desktop environment is loaded at user login, the `.desktop` files located in the XDG Autostart directories are automatically executed. System-wide Autostart entries are located in the `/etc/xdg/autostart` directory while the user entries are located in the `~/.config/autostart` directory. Adversaries may combine this technique with [Masquerading](https://attack.mitre.org/techniques/T1036) to blend malicious Autostart entries with legitimate programs.(Citation: Red Canary Netwire Linux 2022) |
x_mitre_version | 1.0 | 1.1 |
STIX Field | Old value | New Value |
---|---|---|
external_references | {'source_name': 'Red Canary Netwire Linux 2022', 'description': 'TONY LAMBERT. (2022, June 7). Trapping the Netwire RAT on Linux. Retrieved September 28, 2023.', 'url': 'https://redcanary.com/blog/netwire-remote-access-trojan-on-linux/'} |
Current version: 1.5
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-05-04 18:04:17.588000+00:00 | 2023-09-19 21:24:45.231000+00:00 |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_contributors | Jack Burns, HubSpot |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_contributors | Jen Burns, HubSpot |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | 3.2.0 | |
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['SYSTEM'] |
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-24 20:41:08.996000+00:00 | 2023-10-19 18:37:57.025000+00:00 |
external_references[1]['description'] | Microsfot. (2016, August 21). Cached and Stored Credentials Technical Overview. Retrieved February 21, 2020. | Microsoft. (2016, August 21). Cached and Stored Credentials Technical Overview. Retrieved February 21, 2020. |
Current version: 1.3
STIX Field | Old value | New Value |
---|---|---|
description | An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs. Adversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Azure AD Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API) For example, Stormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.(Citation: Azure - Stormspotter)(Citation: GitHub Pacu) Adversaries may use the information gained to shape follow-on behaviors, such as targeting data or credentials from enumerated services or evading identified defenses through [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001) or [Disable Cloud Logs](https://attack.mitre.org/techniques/T1562/008). | An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs. Adversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Azure AD Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API) For example, Stormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.(Citation: Azure - Stormspotter)(Citation: GitHub Pacu) Adversaries may use the information gained to shape follow-on behaviors, such as targeting data or credentials from enumerated services or evading identified defenses through [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001) or [Disable or Modify Cloud Logs](https://attack.mitre.org/techniques/T1562/008). |
Current version: 2.1
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-21 12:23:17.694000+00:00 | 2023-10-18 16:31:56.936000+00:00 |
external_references[5]['url'] | https://msitpros.com/?p=3909 | https://oddvar.moe/2017/08/13/bypassing-device-guard-umci-using-chm-cve-2017-8625/ |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-11 22:37:42.319000+00:00 | 2023-06-14 23:03:51.540000+00:00 |
x_mitre_contributors[1] | Ben Smith | Ben Smith, @ezaspy |
Current version: 1.1
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | 3.2.0 | |
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-02-08 16:39:08.851000+00:00 | 2023-10-20 17:04:13.976000+00:00 |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_contributors | Matt Green, @mgreen27 |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_contributors | Matthew Green |
Current version: 1.1
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-07 17:07:20.038000+00:00 | 2023-09-14 21:12:48.411000+00:00 |
external_references[2]['url'] | http://pages.endgame.com/rs/627-YBU-612/images/EndgameJournal_The%20Masquerade%20Ball_Pages_R2.pdf | https://www.elastic.co/blog/how-hunt-masquerade-ball |
Current version: 1.2
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-21 19:14:13.179000+00:00 | 2023-10-17 20:42:21.453000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_contributors[0] | Joas Antonio dos Santos, @Cr4zyC0d3 | Joas Antonio dos Santos, @C0d3Cr4zy |
Current version: 1.2
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | 3.1.0 | |
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['Administrator'] |
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-09-20 16:47:19.173000+00:00 | 2023-09-19 21:25:46.568000+00:00 |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_contributors | Jack Burns, HubSpot |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_contributors | Jen Burns, HubSpot |
Current version: 1.2
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 16:25:11.482000+00:00 | 2023-09-19 21:23:50.233000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
x_mitre_contributors[6] | Jen Burns, HubSpot | Jack Burns, HubSpot |
Current version: 1.2
Old Description | New Description | ||||
---|---|---|---|---|---|
t | 1 | An adversary may steal web application or service session co | t | 1 | An adversary may steal web application or service session co |
> | okies and use them to gain access to web applications or Int | > | okies and use them to gain access to web applications or Int | ||
> | ernet services as an authenticated user without needing cred | > | ernet services as an authenticated user without needing cred | ||
> | entials. Web applications and services often use session coo | > | entials. Web applications and services often use session coo | ||
> | kies as an authentication token after a user has authenticat | > | kies as an authentication token after a user has authenticat | ||
> | ed to a website. Cookies are often valid for an extended pe | > | ed to a website. Cookies are often valid for an extended pe | ||
> | riod of time, even if the web application is not actively us | > | riod of time, even if the web application is not actively us | ||
> | ed. Cookies can be found on disk, in the process memory of t | > | ed. Cookies can be found on disk, in the process memory of t | ||
> | he browser, and in network traffic to remote systems. Additi | > | he browser, and in network traffic to remote systems. Additi | ||
> | onally, other applications on the targets machine might stor | > | onally, other applications on the targets machine might stor | ||
> | e sensitive authentication cookies in memory (e.g. apps whic | > | e sensitive authentication cookies in memory (e.g. apps whic | ||
> | h authenticate to cloud services). Session cookies can be us | > | h authenticate to cloud services). Session cookies can be us | ||
> | ed to bypasses some multi-factor authentication protocols.(C | > | ed to bypasses some multi-factor authentication protocols.(C | ||
> | itation: Pass The Cookie) There are several examples of mal | > | itation: Pass The Cookie) There are several examples of mal | ||
> | ware targeting cookies from web browsers on the local system | > | ware targeting cookies from web browsers on the local system | ||
> | .(Citation: Kaspersky TajMahal April 2019)(Citation: Unit 42 | > | .(Citation: Kaspersky TajMahal April 2019)(Citation: Unit 42 | ||
> | Mac Crypto Cookies January 2019) There are also open source | > | Mac Crypto Cookies January 2019) There are also open source | ||
> | frameworks such as Evilginx 2 and Muraena that can gather s | > | frameworks such as `Evilginx2` and `Muraena` that can gathe | ||
> | ession cookies through a malicious proxy (ex: [Adversary-in- | > | r session cookies through a malicious proxy (ex: [Adversary- | ||
> | the-Middle](https://attack.mitre.org/techniques/T1557)) that | > | in-the-Middle](https://attack.mitre.org/techniques/T1557)) t | ||
> | can be set up by an adversary and used in phishing campaign | > | hat can be set up by an adversary and used in phishing campa | ||
> | s.(Citation: Github evilginx2)(Citation: GitHub Mauraena) A | > | igns.(Citation: Github evilginx2)(Citation: GitHub Mauraena) | ||
> | fter an adversary acquires a valid cookie, they can then per | > | After an adversary acquires a valid cookie, they can then | ||
> | form a [Web Session Cookie](https://attack.mitre.org/techniq | > | perform a [Web Session Cookie](https://attack.mitre.org/tech | ||
> | ues/T1550/004) technique to login to the corresponding web a | > | niques/T1550/004) technique to login to the corresponding we | ||
> | pplication. | > | b application. |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | 3.1.0 | |
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User'] |
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-07-28 01:26:51.971000+00:00 | 2023-08-03 20:19:01.074000+00:00 |
description | An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website. Cookies are often valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk, in the process memory of the browser, and in network traffic to remote systems. Additionally, other applications on the targets machine might store sensitive authentication cookies in memory (e.g. apps which authenticate to cloud services). Session cookies can be used to bypasses some multi-factor authentication protocols.(Citation: Pass The Cookie) There are several examples of malware targeting cookies from web browsers on the local system.(Citation: Kaspersky TajMahal April 2019)(Citation: Unit 42 Mac Crypto Cookies January 2019) There are also open source frameworks such as Evilginx 2 and Muraena that can gather session cookies through a malicious proxy (ex: [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)) that can be set up by an adversary and used in phishing campaigns.(Citation: Github evilginx2)(Citation: GitHub Mauraena) After an adversary acquires a valid cookie, they can then perform a [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004) technique to login to the corresponding web application. | An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website. Cookies are often valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk, in the process memory of the browser, and in network traffic to remote systems. Additionally, other applications on the targets machine might store sensitive authentication cookies in memory (e.g. apps which authenticate to cloud services). Session cookies can be used to bypasses some multi-factor authentication protocols.(Citation: Pass The Cookie) There are several examples of malware targeting cookies from web browsers on the local system.(Citation: Kaspersky TajMahal April 2019)(Citation: Unit 42 Mac Crypto Cookies January 2019) There are also open source frameworks such as `Evilginx2` and `Muraena` that can gather session cookies through a malicious proxy (ex: [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)) that can be set up by an adversary and used in phishing campaigns.(Citation: Github evilginx2)(Citation: GitHub Mauraena) After an adversary acquires a valid cookie, they can then perform a [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004) technique to login to the corresponding web application. |
Current version: 1.1
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | 3.1.0 | |
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-09-20 16:48:28.041000+00:00 | 2023-09-19 21:25:10.511000+00:00 |
x_mitre_contributors[0] | Jen Burns, HubSpot | Jack Burns, HubSpot |
Current version: 1.3
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 21:01:51.836000+00:00 | 2023-09-19 21:26:24.725000+00:00 |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_contributors | Jack Burns, HubSpot |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_contributors | Jen Burns, HubSpot |
Current version: 1.0
Description: An adversary may push an update to a previously benign application to add malicious code. This can be accomplished by pushing an initially benign, functional application to a trusted application store, such as the Google Play Store or the Apple App Store. This allows the adversary to establish a trusted userbase that may grant permissions to the application prior to the introduction of malicious code. Then, an application update could be pushed to introduce malicious code.(Citation: android_app_breaking_bad) This technique could also be accomplished by compromising a developer’s account. This would allow an adversary to take advantage of an existing userbase without having to establish the userbase themselves.
Current version: 1.0
Description: Adversaries may destroy data and files on specific devices or in large numbers to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.
To achieve data destruction, adversaries may use the `pm uninstall` command to uninstall packages or the `rm` command to remove specific files. For example, adversaries may first use `pm uninstall` to uninstall non-system apps, and then use `rm (-f)
Current version: 1.0
Description: Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to insecure coding practices that can lead to unanticipated behavior. Adversaries may take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility. Adversaries may use device-based zero-click exploits for code execution. These exploits are powerful because there is no user interaction required for code execution.
### SMS/iMessage Delivery
SMS and iMessage in iOS are common targets through [Drive-By Compromise](https://attack.mitre.org/techniques/T1456), [Phishing](https://attack.mitre.org/techniques/T1660), etc. Adversaries may use embed malicious links, files, etc. in SMS messages or iMessages. Mobile devices may be compromised through one-click exploits, where the victim must interact with a text message, or zero-click exploits, where no user interaction is required.
### AirDrop
Unique to iOS, AirDrop is a network protocol that allows iOS users to transfer files between iOS devices. Before patches from Apple were released, on iOS 13.4 and earlier, adversaries may force the Apple Wireless Direct Link (AWDL) interface to activate, then exploit a buffer overflow to gain access to the device and run as root without interaction from the user.
Current version: 1.0
Description: Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name, location, or appearance of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names. Renaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1655)
Current version: 1.0
Description: Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by giving artifacts the name and icon of a legitimate, trusted application (i.e., Settings), or using a package name that matches legitimate, trusted applications (i.e., `com.google.android.gm`). Adversaries may also use the same icon of the file or application they are trying to mimic.
Current version: 1.0
Description: Adversaries may send malicious content to users in order to gain access to their mobile devices. All forms of phishing are electronically delivered social engineering. Adversaries can conduct both non-targeted phishing, such as in mass malware spam campaigns, as well as more targeted phishing tailored for a specific individual, company, or industry, known as “spearphishing”. Phishing often involves social engineering techniques, such as posing as a trusted source, as well as evasion techniques, such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages. Mobile phishing may take various forms. For example, adversaries may send emails containing malicious attachments or links, typically to deliver and then execute malicious code on victim devices. Phishing may also be conducted via third-party services, like social media platforms. Mobile devices are a particularly attractive target for adversaries executing phishing campaigns. Due to their smaller form factor than traditional desktop endpoints, users may not be able to notice minor differences between genuine and phishing websites. Further, mobile devices have additional sensors and radios that allow adversaries to execute phishing attempts over several different vectors, such as:
- SMS messages: Adversaries may send SMS messages (known as “smishing”) from compromised devices to potential targets to convince the target to, for example, install malware, navigate to a specific website, or enable certain insecure configurations on their device.
- Quick Response (QR) Codes: Adversaries may use QR codes (known as “quishing”) to redirect users to a phishing website. For example, an adversary could replace a legitimate public QR Code with one that leads to a different destination, such as a phishing website. A malicious QR code could also be delivered via other means, such as SMS or email. In the latter case, an adversary could utilize a malicious QR code in an email to pivot from the user’s desktop computer to their mobile device.
- Phone Calls: Adversaries may call victims (known as “vishing”) to persuade them to perform an action, such as providing login credentials or navigating to a malicious website. This could also be used as a technique to perform the initial access on a mobile device, but then pivot to a computer/other network by having the victim perform an action on a desktop computer.
Current version: 1.0
Description: Adversaries may use legitimate remote access software, such as `VNC`, `TeamViewer`, `AirDroid`, `AirMirror`, etc., to establish an interactive command and control channel to target mobile devices. Remote access applications may be installed and used post-compromise as an alternate communication channel for redundant access or as a way to establish an interactive remote session with the target device. They may also be used as a component of malware to establish a reverse connection to an adversary-controlled system or service. Installation of remote access tools may also include persistence.
Current version: 1.2
Version changed from: 1.1 → 1.2
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-16 13:32:55.266000+00:00 | 2023-08-14 16:34:55.968000+00:00 |
x_mitre_version | 1.1 | 1.2 |
Current version: 1.2
Version changed from: 1.1 → 1.2
New Detections:
Dropped Detections:
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-16 18:31:37.189000+00:00 | 2023-08-10 21:57:52.009000+00:00 |
x_mitre_version | 1.1 | 1.2 |
Current version: 1.2
Version changed from: 1.1 → 1.2
New Detections:
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 15:16:19.547000+00:00 | 2023-08-07 22:15:34.693000+00:00 |
x_mitre_version | 1.1 | 1.2 |
Current version: 1.2
Version changed from: 1.1 → 1.2
New Detections:
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 15:56:04.790000+00:00 | 2023-08-14 16:33:56.861000+00:00 |
x_mitre_version | 1.1 | 1.2 |
Current version: 1.1
Version changed from: 1.0 → 1.1
New Detections:
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-05 19:59:22.888000+00:00 | 2023-08-14 16:19:54.832000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
x_mitre_version | 1.0 | 1.1 |
Current version: 1.5
Version changed from: 1.4 → 1.5
New Detections:
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 18:21:59.494000+00:00 | 2023-08-08 16:23:41.271000+00:00 |
x_mitre_version | 1.4 | 1.5 |
Current version: 2.2
Version changed from: 2.1 → 2.2
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 18:24:56.530000+00:00 | 2023-08-07 17:12:07.620000+00:00 |
x_mitre_version | 2.1 | 2.2 |
Current version: 1.1
Version changed from: 1.0 → 1.1
New Detections:
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-05 19:57:15.734000+00:00 | 2023-08-14 16:19:34.225000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
x_mitre_version | 1.0 | 1.1 |
Current version: 1.1
Version changed from: 1.0 → 1.1
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-29 17:29:00.038000+00:00 | 2023-08-14 16:39:22.707000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
x_mitre_detection | Exfiltration Over Alternative Protocols can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior. | [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1639)s can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior. |
x_mitre_version | 1.0 | 1.1 |
Current version: 1.1
Version changed from: 1.0 → 1.1
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-08 16:25:44.552000+00:00 | 2023-08-14 16:41:52+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
x_mitre_detection | Exfiltration over C2 channel can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior. | [Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1646) can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior. |
x_mitre_version | 1.0 | 1.1 |
Current version: 1.1
Version changed from: 1.0 → 1.1
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-06 13:23:10.087000+00:00 | 2023-08-14 16:40:40.166000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
x_mitre_detection | Exfiltration Over Alternative Protocols can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior. | [Exfiltration Over Unencrypted Non-C2 Protocol](https://attack.mitre.org/techniques/T1639/001)s can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior. |
x_mitre_version | 1.0 | 1.1 |
Current version: 2.2
Version changed from: 2.1 → 2.2
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 18:43:44.687000+00:00 | 2023-08-14 16:21:05.728000+00:00 |
x_mitre_version | 2.1 | 2.2 |
Current version: 1.2
Version changed from: 1.1 → 1.2
New Detections:
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-24 15:09:07.609000+00:00 | 2023-08-08 22:50:32.775000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
x_mitre_version | 1.1 | 1.2 |
Current version: 1.3
Version changed from: 1.2 → 1.3
Old Description | New Description | ||||
---|---|---|---|---|---|
t | 1 | An adversary with physical access to a mobile device may see | t | 1 | An adversary with physical access to a mobile device may see |
> | k to bypass the device’s lockscreen. Several methods exist t | > | k to bypass the device’s lockscreen. Several methods exist t | ||
> | o accomplish this, including: * Biometric spoofing: If biom | > | o accomplish this, including: * Biometric spoofing: If biom | ||
> | etric authentication is used, an adversary could attempt to | > | etric authentication is used, an adversary could attempt to | ||
> | spoof a mobile device’s biometric authentication mechanism. | > | spoof a mobile device’s biometric authentication mechanism. | ||
> | Both iOS and Android partly mitigate this attack by requirin | > | Both iOS and Android partly mitigate this attack by requirin | ||
> | g the device’s passcode rather than biometrics to unlock the | > | g the device’s passcode rather than biometrics to unlock the | ||
> | device after every device restart, and after a set or rando | > | device after every device restart, and after a set or rando | ||
> | m amount of time.(Citation: SRLabs-Fingerprint)(Citation: Th | > | m amount of time.(Citation: SRLabs-Fingerprint)(Citation: Th | ||
> | eSun-FaceID) * Unlock code bypass: An adversaries could atte | > | eSun-FaceID) * Unlock code bypass: An adversary could attemp | ||
> | mpt to brute-force or otherwise guess the lockscreen passcod | > | t to brute-force or otherwise guess the lockscreen passcode | ||
> | e (typically a PIN or password), including physically observ | > | (typically a PIN or password), including physically observin | ||
> | ing (“shoulder surfing”) the device owner’s use of the locks | > | g (“shoulder surfing”) the device owner’s use of the lockscr | ||
> | creen passcode. Mobile OS vendors partly mitigate this by im | > | een passcode. Mobile OS vendors partly mitigate this by impl | ||
> | plementing incremental backoff timers after a set number of | > | ementing incremental backoff timers after a set number of fa | ||
> | failed unlock attempts, as well as a configurable full devic | > | iled unlock attempts, as well as a configurable full device | ||
> | e wipe after several failed unlock attempts. * Vulnerability | > | wipe after several failed unlock attempts. * Vulnerability e | ||
> | exploit: Techniques have been periodically demonstrated tha | > | xploit: Techniques have been periodically demonstrated that | ||
> | t exploit mobile devices to bypass the lockscreen. The vulne | > | exploit mobile devices to bypass the lockscreen. The vulnera | ||
> | rabilities are generally patched by the device or OS vendor | > | bilities are generally patched by the device or OS vendor on | ||
> | once disclosed.(Citation: Wired-AndroidBypass)(Citation: Kas | > | ce disclosed.(Citation: Wired-AndroidBypass)(Citation: Kaspe | ||
> | persky-iOSBypass) | > | rsky-iOSBypass) |
New Detections:
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-19 15:36:12.312000+00:00 | 2023-10-16 16:23:05.146000+00:00 |
description | An adversary with physical access to a mobile device may seek to bypass the device’s lockscreen. Several methods exist to accomplish this, including: * Biometric spoofing: If biometric authentication is used, an adversary could attempt to spoof a mobile device’s biometric authentication mechanism. Both iOS and Android partly mitigate this attack by requiring the device’s passcode rather than biometrics to unlock the device after every device restart, and after a set or random amount of time.(Citation: SRLabs-Fingerprint)(Citation: TheSun-FaceID) * Unlock code bypass: An adversaries could attempt to brute-force or otherwise guess the lockscreen passcode (typically a PIN or password), including physically observing (“shoulder surfing”) the device owner’s use of the lockscreen passcode. Mobile OS vendors partly mitigate this by implementing incremental backoff timers after a set number of failed unlock attempts, as well as a configurable full device wipe after several failed unlock attempts. * Vulnerability exploit: Techniques have been periodically demonstrated that exploit mobile devices to bypass the lockscreen. The vulnerabilities are generally patched by the device or OS vendor once disclosed.(Citation: Wired-AndroidBypass)(Citation: Kaspersky-iOSBypass) | An adversary with physical access to a mobile device may seek to bypass the device’s lockscreen. Several methods exist to accomplish this, including: * Biometric spoofing: If biometric authentication is used, an adversary could attempt to spoof a mobile device’s biometric authentication mechanism. Both iOS and Android partly mitigate this attack by requiring the device’s passcode rather than biometrics to unlock the device after every device restart, and after a set or random amount of time.(Citation: SRLabs-Fingerprint)(Citation: TheSun-FaceID) * Unlock code bypass: An adversary could attempt to brute-force or otherwise guess the lockscreen passcode (typically a PIN or password), including physically observing (“shoulder surfing”) the device owner’s use of the lockscreen passcode. Mobile OS vendors partly mitigate this by implementing incremental backoff timers after a set number of failed unlock attempts, as well as a configurable full device wipe after several failed unlock attempts. * Vulnerability exploit: Techniques have been periodically demonstrated that exploit mobile devices to bypass the lockscreen. The vulnerabilities are generally patched by the device or OS vendor once disclosed.(Citation: Wired-AndroidBypass)(Citation: Kaspersky-iOSBypass) |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.2 | 1.3 |
Current version: 3.1
Version changed from: 3.0 → 3.1
New Detections:
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-06 12:36:31.652000+00:00 | 2023-08-09 14:38:34.859000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
x_mitre_version | 3.0 | 3.1 |
Current version: 1.2
Version changed from: 1.1 → 1.2
New Detections:
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 18:53:34.118000+00:00 | 2023-08-14 16:35:55.739000+00:00 |
x_mitre_version | 1.1 | 1.2 |
Current version: 1.2
Version changed from: 1.1 → 1.2
Old Description | New Description | ||||
---|---|---|---|---|---|
t | 1 | Adversaries may abuse the Android device administration API | t | 1 | Adversaries may abuse the Android device administration API |
> | to prevent the user from uninstalling a target application. In earlier versions of Android, device administrator applications needed their administration capabilities explicitly deactivated by the user before the application could be uninstalled. This was later updated so the user could deactivate and uninstall the administrator application in one step. Adversaries may also abuse the device accessibility APIs to prevent removal. This set of APIs allows the application to perform certain actions on behalf of the user and programmatically determine what is being shown on the screen. The malicious application could monitor the device screen for certain modals (e.g., the confirmation modal to uninstall an application) and inject screen input or a back button tap to close the modal. | > | to prevent the user from uninstalling a target application. In earlier versions of Android, device administrator applications needed their administration capabilities explicitly deactivated by the user before the application could be uninstalled. This was later updated so the user could deactivate and uninstall the administrator application in one step. Adversaries may also abuse the device accessibility APIs to prevent removal. This set of APIs allows the application to perform certain actions on behalf of the user and programmatically determine what is being shown on the screen. The malicious application could monitor the device screen for certain modals (e.g., the confirmation modal to uninstall an application) and inject screen input or a back button tap to close the modal. For example, Android's `performGlobalAction(int)` API could be utilized to prevent the user from removing the malicious application from the device after installation. If the user wants to uninstall the malicious application, two cases may occur, both preventing the user from removing the application. * Case 1: If the integer argument passed to the API call is `2` or `GLOBAL_ACTION_HOME`, the malicious application may direct the user to the home screen from settings screen * Case 2: If the integer argument passed to the API call is `1` or `GLOBAL_ACTION_BACK`, the malicious application may emulate the back press event | ||
New Detections:
STIX Field | Old value | New Value |
---|---|---|
x_mitre_contributors | ['Shankar Raman, Gen Digital and Abhinand, Amrita University'] |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 18:54:36.502000+00:00 | 2023-09-28 15:38:41.106000+00:00 |
description | Adversaries may abuse the Android device administration API to prevent the user from uninstalling a target application. In earlier versions of Android, device administrator applications needed their administration capabilities explicitly deactivated by the user before the application could be uninstalled. This was later updated so the user could deactivate and uninstall the administrator application in one step. Adversaries may also abuse the device accessibility APIs to prevent removal. This set of APIs allows the application to perform certain actions on behalf of the user and programmatically determine what is being shown on the screen. The malicious application could monitor the device screen for certain modals (e.g., the confirmation modal to uninstall an application) and inject screen input or a back button tap to close the modal. | Adversaries may abuse the Android device administration API to prevent the user from uninstalling a target application. In earlier versions of Android, device administrator applications needed their administration capabilities explicitly deactivated by the user before the application could be uninstalled. This was later updated so the user could deactivate and uninstall the administrator application in one step. Adversaries may also abuse the device accessibility APIs to prevent removal. This set of APIs allows the application to perform certain actions on behalf of the user and programmatically determine what is being shown on the screen. The malicious application could monitor the device screen for certain modals (e.g., the confirmation modal to uninstall an application) and inject screen input or a back button tap to close the modal. For example, Android's `performGlobalAction(int)` API could be utilized to prevent the user from removing the malicious application from the device after installation. If the user wants to uninstall the malicious application, two cases may occur, both preventing the user from removing the application. * Case 1: If the integer argument passed to the API call is `2` or `GLOBAL_ACTION_HOME`, the malicious application may direct the user to the home screen from settings screen * Case 2: If the integer argument passed to the API call is `1` or `GLOBAL_ACTION_BACK`, the malicious application may emulate the back press event |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.1 | 1.2 |
Current version: 2.1
Version changed from: 2.0 → 2.1
New Detections:
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-08 15:53:11.864000+00:00 | 2023-08-07 17:13:04.396000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
x_mitre_version | 2.0 | 2.1 |
Current version: 1.2
Version changed from: 1.1 → 1.2
New Detections:
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 18:41:18.389000+00:00 | 2023-08-07 22:48:30.418000+00:00 |
x_mitre_version | 1.1 | 1.2 |
Current version: 1.3
Version changed from: 1.2 → 1.3
New Detections:
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 18:37:13.730000+00:00 | 2023-08-14 16:31:37.317000+00:00 |
x_mitre_version | 1.2 | 1.3 |
Current version: 1.1
Old Description | New Description |
---|---|
Adversaries may search common password storage locations to obtain user credentials. Passwords can be stored in several places on a device, depending on the operating system or application holding the credentials. There are also specific applications that store passwords to make it easier for users manage and maintain. Once credentials are obtained, they can be used to perform lateral movement and access restricted information. | Adversaries may search common password storage locations to obtain user credentials. Passwords can be stored in several places on a device, depending on the operating system or application holding the credentials. There are also specific applications that store passwords to make it easier for users to manage and maintain. Once credentials are obtained, they can be used to perform lateral movement and access restricted information. |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 15:45:44.103000+00:00 | 2023-09-08 19:19:37.927000+00:00 |
description | Adversaries may search common password storage locations to obtain user credentials. Passwords can be stored in several places on a device, depending on the operating system or application holding the credentials. There are also specific applications that store passwords to make it easier for users manage and maintain. Once credentials are obtained, they can be used to perform lateral movement and access restricted information. | Adversaries may search common password storage locations to obtain user credentials. Passwords can be stored in several places on a device, depending on the operating system or application holding the credentials. There are also specific applications that store passwords to make it easier for users to manage and maintain. Once credentials are obtained, they can be used to perform lateral movement and access restricted information. |
Current version: 2.1
Old Description | New Description |
---|---|
Adversaries may exploit software vulnerabilities in order to to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in an application, service, within the operating system software, or kernel itself to execute adversary-controlled code. Security constructions, such as permission levels, will often hinder access to information and use of certain techniques. Adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions. When initially gaining access to a device, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and applications running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user- level permission to root permissions depending on the component that is vulnerable. | Adversaries may exploit software vulnerabilities in order to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in an application, service, within the operating system software, or kernel itself to execute adversary-controlled code. Security constructions, such as permission levels, will often hinder access to information and use of certain techniques. Adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions. When initially gaining access to a device, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and applications running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user- level permission to root permissions depending on the component that is vulnerable. |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 18:49:53.301000+00:00 | 2023-09-08 19:20:13.836000+00:00 |
description | Adversaries may exploit software vulnerabilities in order to to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in an application, service, within the operating system software, or kernel itself to execute adversary-controlled code. Security constructions, such as permission levels, will often hinder access to information and use of certain techniques. Adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions. When initially gaining access to a device, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and applications running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user- level permission to root permissions depending on the component that is vulnerable. | Adversaries may exploit software vulnerabilities in order to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in an application, service, within the operating system software, or kernel itself to execute adversary-controlled code. Security constructions, such as permission levels, will often hinder access to information and use of certain techniques. Adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions. When initially gaining access to a device, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and applications running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user- level permission to root permissions depending on the component that is vulnerable. |
Current version: 1.1
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 18:41:45.256000+00:00 | 2023-08-15 15:06:03.427000+00:00 |
external_references[2]['url'] | https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf | https://web.archive.org/web/20200330012714/https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf |
Current version: 2.1
Old Description | New Description |
---|---|
Adversaries may generate network traffic using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088 or port 587 as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data. | Adversaries may generate network traffic using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088 or port 587 as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data. |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 18:51:58.228000+00:00 | 2023-09-08 19:21:40.736000+00:00 |
description | Adversaries may generate network traffic using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088 or port 587 as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data. | Adversaries may generate network traffic using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088 or port 587 as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data. |
Current version: 1.1
Old Description | New Description |
---|---|
Adversaries may execute their own malicious payloads by hijacking the way an operating system run applications. Hijacking execution flow can be for the purposes of persistence since this hijacked execution may reoccur at later points in time. On Android, adversaries may overwrite the standard OS API library with a malicious alternative to hook into core functions to achieve persistence. By doing this, the adversary’s code will be executed every time the overwritten API function is called by an app on the infected device. | Adversaries may execute their own malicious payloads by hijacking the way an operating system runs applications. Hijacking execution flow can be for the purposes of persistence since this hijacked execution may reoccur at later points in time. On Android, adversaries may overwrite the standard OS API library with a malicious alternative to hook into core functions to achieve persistence. By doing this, the adversary’s code will be executed every time the overwritten API function is called by an app on the infected device. |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 18:46:08.412000+00:00 | 2023-09-08 19:20:51.220000+00:00 |
description | Adversaries may execute their own malicious payloads by hijacking the way an operating system run applications. Hijacking execution flow can be for the purposes of persistence since this hijacked execution may reoccur at later points in time. On Android, adversaries may overwrite the standard OS API library with a malicious alternative to hook into core functions to achieve persistence. By doing this, the adversary’s code will be executed every time the overwritten API function is called by an app on the infected device. | Adversaries may execute their own malicious payloads by hijacking the way an operating system runs applications. Hijacking execution flow can be for the purposes of persistence since this hijacked execution may reoccur at later points in time. On Android, adversaries may overwrite the standard OS API library with a malicious alternative to hook into core functions to achieve persistence. By doing this, the adversary’s code will be executed every time the overwritten API function is called by an app on the infected device. |
Current version: 1.1
Version changed from: 1.0 → 1.1
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | False | |
x_mitre_detection |
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-24 15:09:07.609000+00:00 | 2023-10-13 17:56:58.380000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.0 | 1.1 |
x_mitre_platforms[0] | Field Controller/RTU/PLC/IED | None |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Device Configuration/Parameters |
Current version: 1.2
Version changed from: 1.1 → 1.2
New Mitigations:
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-09 18:38:51.471000+00:00 | 2023-10-13 17:56:58.991000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
x_mitre_version | 1.1 | 1.2 |
x_mitre_platforms[0] | Field Controller/RTU/PLC/IED | None |
Current version: 1.3
Version changed from: 1.2 → 1.3
New Mitigations:
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-05 14:15:29.756000+00:00 | 2023-10-13 17:56:58.786000+00:00 |
x_mitre_version | 1.2 | 1.3 |
x_mitre_platforms[0] | Control Server | None |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Field Controller/RTU/PLC/IED | |
x_mitre_platforms | Safety Instrumented System/Protection Relay | |
x_mitre_platforms | Human-Machine Interface |
Current version: 1.2
Version changed from: 1.1 → 1.2
New Mitigations:
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-09 18:38:51.471000+00:00 | 2023-10-20 17:01:10.138000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.1 | 1.2 |
x_mitre_platforms[0] | Field Controller/RTU/PLC/IED | None |
Current version: 1.1
Version changed from: 1.0 → 1.1
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | False | |
x_mitre_detection |
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-24 15:09:07.609000+00:00 | 2023-10-13 17:56:58.586000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.0 | 1.1 |
x_mitre_platforms[0] | Human-Machine Interface | None |
STIX Field | Old value | New Value |
---|---|---|
external_references | {'source_name': 'Enterprise ATT&CK', 'description': 'Enterprise ATT&CK Service Stop Retrieved. 2019/10/29 ', 'url': 'https://attack.mitre.org/techniques/T1489/'} | |
x_mitre_platforms | Control Server | |
x_mitre_platforms | Data Historian | |
x_mitre_platforms | Engineering Workstation |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-24 15:09:07.609000+00:00 | 2023-10-13 17:56:59.593000+00:00 |
x_mitre_platforms[0] | Field Controller/RTU/PLC/IED | None |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Safety Instrumented System/Protection Relay |
Current version: 2.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-09 18:38:51.471000+00:00 | 2023-10-13 17:57:08.233000+00:00 |
x_mitre_platforms[0] | Control Server | None |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Field Controller/RTU/PLC/IED | |
x_mitre_platforms | Human-Machine Interface |
Current version: 1.2
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 20:13:55.599000+00:00 | 2023-10-13 17:57:01.578000+00:00 |
x_mitre_platforms[0] | Field Controller/RTU/PLC/IED | None |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Safety Instrumented System/Protection Relay | |
x_mitre_platforms | Device Configuration/Parameters |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-09 18:38:51.471000+00:00 | 2023-10-13 17:57:04.179000+00:00 |
x_mitre_platforms[0] | Field Controller/RTU/PLC/IED | None |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Safety Instrumented System/Protection Relay | |
x_mitre_platforms | Control Server |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-09-19 13:57:23.538000+00:00 | 2023-10-13 17:57:04.376000+00:00 |
x_mitre_platforms[0] | Field Controller/RTU/PLC/IED | None |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Input/Output Server | |
x_mitre_platforms | Device Configuration/Parameters |
Current version: 1.1
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-20 21:02:54.674000+00:00 | 2023-10-13 17:57:00.184000+00:00 |
x_mitre_platforms[0] | Field Controller/RTU/PLC/IED | None |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Input/Output Server | |
x_mitre_platforms | Device Configuration/Parameters |
Current version: 1.1
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-29 16:17:27.903000+00:00 | 2023-10-13 17:57:08.037000+00:00 |
x_mitre_platforms[0] | Control Server | None |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Field Controller/RTU/PLC/IED |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-07 13:40:53.842000+00:00 | 2023-10-13 17:57:14.123000+00:00 |
x_mitre_platforms[0] | Field Controller/RTU/PLC/IED | None |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-09 18:38:51.471000+00:00 | 2023-10-13 17:57:01.367000+00:00 |
x_mitre_platforms[0] | Safety Instrumented System/Protection Relay | None |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Field Controller/RTU/PLC/IED |
Current version: 1.1
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-09 18:38:51.471000+00:00 | 2023-10-13 17:57:00.378000+00:00 |
x_mitre_platforms[0] | Control Server | None |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Data Historian | |
x_mitre_platforms | Field Controller/RTU/PLC/IED | |
x_mitre_platforms | Human-Machine Interface | |
x_mitre_platforms | Input/Output Server |
Current version: 1.1
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-09 18:38:51.471000+00:00 | 2023-10-13 17:57:12.723000+00:00 |
x_mitre_platforms[0] | Safety Instrumented System/Protection Relay | None |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Field Controller/RTU/PLC/IED | |
x_mitre_platforms | Human-Machine Interface | |
x_mitre_platforms | Control Server | |
x_mitre_platforms | Engineering Workstation |
Current version: 1.1
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-09 18:38:51.471000+00:00 | 2023-10-13 17:57:11.730000+00:00 |
Current version: 1.1
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 20:14:42.829000+00:00 | 2023-10-13 17:57:06.993000+00:00 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-09-19 14:12:22.878000+00:00 | 2023-10-13 17:57:04.784000+00:00 |
x_mitre_platforms[0] | Control Server | None |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Human-Machine Interface | |
x_mitre_platforms | Field Controller/RTU/PLC/IED |
Current version: 1.2
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 19:09:43.744000+00:00 | 2023-10-13 17:57:03.187000+00:00 |
x_mitre_platforms[0] | Data Historian | None |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-05 14:14:48.109000+00:00 | 2023-10-13 17:57:13.921000+00:00 |
x_mitre_platforms[0] | Field Controller/RTU/PLC/IED | None |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Safety Instrumented System/Protection Relay | |
x_mitre_platforms | Control Server | |
x_mitre_platforms | Input/Output Server | |
x_mitre_platforms | Human-Machine Interface | |
x_mitre_platforms | Engineering Workstation |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-09 18:38:51.471000+00:00 | 2023-10-13 17:57:07.653000+00:00 |
x_mitre_platforms[0] | Human-Machine Interface | None |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Field Controller/RTU/PLC/IED | |
x_mitre_platforms | Safety Instrumented System/Protection Relay | |
x_mitre_platforms | Control Server | |
x_mitre_platforms | Engineering Workstation |
Current version: 1.1
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 20:15:14.260000+00:00 | 2023-10-13 17:57:12.329000+00:00 |
Current version: 1.1
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 20:16:01.922000+00:00 | 2023-10-13 17:56:59.992000+00:00 |
x_mitre_platforms[0] | Field Controller/RTU/PLC/IED | None |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Safety Instrumented System/Protection Relay |
Current version: 1.1
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 20:16:25.031000+00:00 | 2023-10-13 17:57:05.576000+00:00 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-09 18:38:51.471000+00:00 | 2023-10-13 17:57:01.778000+00:00 |
x_mitre_platforms[0] | Field Controller/RTU/PLC/IED | None |
Current version: 1.1
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-09-26 16:50:56.401000+00:00 | 2023-10-13 17:57:00.768000+00:00 |
x_mitre_platforms[0] | Field Controller/RTU/PLC/IED | None |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-09 18:38:51.471000+00:00 | 2023-10-13 17:57:06.780000+00:00 |
Current version: 1.1
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-09 18:38:51.471000+00:00 | 2023-10-13 17:57:05.776000+00:00 |
x_mitre_platforms[0] | Field Controller/RTU/PLC/IED | None |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-09 18:38:51.471000+00:00 | 2023-10-13 17:57:02.990000+00:00 |
x_mitre_platforms[0] | Human-Machine Interface | None |
Current version: 1.1
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-09 18:38:51.471000+00:00 | 2023-10-13 17:57:08.425000+00:00 |
x_mitre_platforms[0] | Safety Instrumented System/Protection Relay | None |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Field Controller/RTU/PLC/IED |
Current version: 1.1
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-09-27 16:38:58.028000+00:00 | 2023-10-13 17:57:11.342000+00:00 |
x_mitre_platforms[0] | Human-Machine Interface | None |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Safety Instrumented System/Protection Relay |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-09 18:38:51.471000+00:00 | 2023-10-13 17:57:07.457000+00:00 |
x_mitre_platforms[0] | Human-Machine Interface | None |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Data Historian | |
x_mitre_platforms | Engineering Workstation |
Current version: 1.1
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 20:16:55.602000+00:00 | 2023-10-13 17:57:07.840000+00:00 |
x_mitre_platforms[0] | Control Server | None |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Input/Output Server |
Current version: 1.1
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-09 18:38:51.471000+00:00 | 2023-10-13 17:57:08.992000+00:00 |
x_mitre_platforms[0] | Human-Machine Interface | None |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-09 18:38:51.471000+00:00 | 2023-10-13 17:57:10.962000+00:00 |
x_mitre_platforms[0] | Field Controller/RTU/PLC/IED | None |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Safety Instrumented System/Protection Relay | |
x_mitre_platforms | Control Server | |
x_mitre_platforms | Data Historian | |
x_mitre_platforms | Human-Machine Interface | |
x_mitre_platforms | Engineering Workstation |
Current version: 1.2
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-13 13:32:08.619000+00:00 | 2023-10-13 17:57:08.803000+00:00 |
x_mitre_platforms[0] | Engineering Workstation | None |
Current version: 1.1
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-09 18:38:51.471000+00:00 | 2023-10-13 17:57:05.375000+00:00 |
x_mitre_platforms[0] | Field Controller/RTU/PLC/IED | None |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-09 18:38:51.471000+00:00 | 2023-10-13 17:57:05.190000+00:00 |
x_mitre_platforms[0] | Human-Machine Interface | None |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Safety Instrumented System/Protection Relay |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-09 18:38:51.471000+00:00 | 2023-10-13 17:57:13.719000+00:00 |
x_mitre_platforms[0] | Control Server | None |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Data Historian | |
x_mitre_platforms | Field Controller/RTU/PLC/IED | |
x_mitre_platforms | Human-Machine Interface | |
x_mitre_platforms | Input/Output Server | |
x_mitre_platforms | Safety Instrumented System/Protection Relay |
Current version: 1.1
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-09 18:38:51.471000+00:00 | 2023-10-13 17:57:13.327000+00:00 |
x_mitre_platforms[0] | Human-Machine Interface | None |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Control Server | |
x_mitre_platforms | Data Historian |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-09 18:38:51.471000+00:00 | 2023-10-13 17:57:09.581000+00:00 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-09 18:38:51.471000+00:00 | 2023-10-13 17:57:08.613000+00:00 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-09 18:38:51.471000+00:00 | 2023-10-13 17:57:06.362000+00:00 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-09 18:38:51.471000+00:00 | 2023-10-13 17:57:01.994000+00:00 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-09 18:38:51.471000+00:00 | 2023-10-13 17:57:06.171000+00:00 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-09 18:38:51.471000+00:00 | 2023-10-13 17:56:59.396000+00:00 |
x_mitre_platforms[0] | Human-Machine Interface | None |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Engineering Workstation |
Current version: 1.1
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-20 20:46:11.459000+00:00 | 2023-10-13 17:57:03.589000+00:00 |
x_mitre_platforms[0] | Field Controller/RTU/PLC/IED | None |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-09 18:38:51.471000+00:00 | 2023-10-13 17:56:59.793000+00:00 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-09 18:38:51.471000+00:00 | 2023-10-13 17:57:04.993000+00:00 |
x_mitre_platforms[0] | Engineering Workstation | None |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Human-Machine Interface | |
x_mitre_platforms | Field Controller/RTU/PLC/IED |
Current version: 1.1
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-09 18:38:51.471000+00:00 | 2023-10-13 17:57:10.181000+00:00 |
x_mitre_platforms[0] | Human-Machine Interface | None |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Control Server |
Current version: 1.2
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 20:17:43.803000+00:00 | 2023-10-13 17:57:12.528000+00:00 |
x_mitre_platforms[0] | Human-Machine Interface | None |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Control Server | |
x_mitre_platforms | Safety Instrumented System/Protection Relay | |
x_mitre_platforms | Field Controller/RTU/PLC/IED | |
x_mitre_platforms | Device Configuration/Parameters |
Current version: 1.1
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-09 18:38:51.471000+00:00 | 2023-10-13 17:57:13.531000+00:00 |
x_mitre_platforms[0] | Field Controller/RTU/PLC/IED | None |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Safety Instrumented System/Protection Relay |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-09 18:38:51.471000+00:00 | 2023-10-13 17:57:02.197000+00:00 |
x_mitre_platforms[0] | Human-Machine Interface | None |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Control Server | |
x_mitre_platforms | Data Historian | |
x_mitre_platforms | Field Controller/RTU/PLC/IED | |
x_mitre_platforms | Safety Instrumented System/Protection Relay |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-09 18:38:51.471000+00:00 | 2023-10-13 17:57:09.388000+00:00 |
x_mitre_platforms[0] | Control Server | None |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Data Historian | |
x_mitre_platforms | Field Controller/RTU/PLC/IED | |
x_mitre_platforms | Human-Machine Interface | |
x_mitre_platforms | Input/Output Server | |
x_mitre_platforms | Safety Instrumented System/Protection Relay |
Current version: 1.1
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-09 18:38:51.471000+00:00 | 2023-10-13 17:57:13.131000+00:00 |
x_mitre_platforms[0] | Human-Machine Interface | None |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-09 18:38:51.471000+00:00 | 2023-10-13 17:57:03.783000+00:00 |
x_mitre_platforms[0] | Field Controller/RTU/PLC/IED | None |
Current version: 1.1
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-09 18:38:51.471000+00:00 | 2023-10-13 17:57:00.575000+00:00 |
x_mitre_platforms[0] | Data Historian | None |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Control Server | |
x_mitre_platforms | Human-Machine Interface |
Current version: 1.1
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-09 18:38:51.471000+00:00 | 2023-10-13 17:57:10.374000+00:00 |
x_mitre_platforms[0] | Field Controller/RTU/PLC/IED | None |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Safety Instrumented System/Protection Relay |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-09 18:38:51.471000+00:00 | 2023-10-13 17:57:02.785000+00:00 |
x_mitre_platforms[0] | Safety Instrumented System/Protection Relay | None |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Field Controller/RTU/PLC/IED |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-05-08 18:58:24.092000+00:00 | 2023-10-13 17:57:12.926000+00:00 |
x_mitre_platforms[0] | Engineering Workstation | None |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Human-Machine Interface |
Current version: 1.1
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-09 18:38:51.471000+00:00 | 2023-10-13 17:57:12.125000+00:00 |
x_mitre_platforms[0] | Engineering Workstation | None |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Human-Machine Interface | |
x_mitre_platforms | Control Server |
Current version: 1.1
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-09 18:38:51.471000+00:00 | 2023-10-13 17:57:11.536000+00:00 |
x_mitre_platforms[0] | Control Server | None |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Data Historian | |
x_mitre_platforms | Safety Instrumented System/Protection Relay | |
x_mitre_platforms | Field Controller/RTU/PLC/IED | |
x_mitre_platforms | Human-Machine Interface |
Current version: 1.1
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-17 15:14:31.276000+00:00 | 2023-10-13 17:57:02.595000+00:00 |
x_mitre_platforms[0] | Field Controller/RTU/PLC/IED | None |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Safety Instrumented System/Protection Relay |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-09 18:38:51.471000+00:00 | 2023-10-13 17:57:10.581000+00:00 |
x_mitre_platforms[0] | Human-Machine Interface | None |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Data Historian | |
x_mitre_platforms | Control Server |
Current version: 1.2
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 20:18:41.277000+00:00 | 2023-10-13 17:57:09.193000+00:00 |
x_mitre_platforms[0] | Human-Machine Interface | None |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Control Server | |
x_mitre_platforms | Engineering Workstation |
Current version: 1.1
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-09 18:38:51.471000+00:00 | 2023-10-13 17:57:03.989000+00:00 |
x_mitre_platforms[0] | Field Controller/RTU/PLC/IED | None |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-09 18:38:51.471000+00:00 | 2023-10-13 17:57:10.768000+00:00 |
x_mitre_platforms[0] | Human-Machine Interface | None |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-09 18:38:51.471000+00:00 | 2023-10-13 17:57:02.398000+00:00 |
x_mitre_platforms[0] | Engineering Workstation | None |
Current version: 1.1
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-09 18:38:51.471000+00:00 | 2023-10-13 17:57:06.577000+00:00 |
x_mitre_platforms[0] | Engineering Workstation | None |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Human-Machine Interface | |
x_mitre_platforms | Control Server | |
x_mitre_platforms | Data Historian |
Current version: 1.2
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 20:19:14.351000+00:00 | 2023-10-13 17:57:07.260000+00:00 |
x_mitre_platforms[0] | Control Server | None |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-09 18:38:51.471000+00:00 | 2023-10-13 17:57:11.924000+00:00 |
x_mitre_platforms[0] | Human-Machine Interface | None |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Control Server | |
x_mitre_platforms | Data Historian | |
x_mitre_platforms | Engineering Workstation |
Current version: 1.1
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-09 18:38:51.471000+00:00 | 2023-10-13 17:57:05.975000+00:00 |
x_mitre_platforms[0] | Control Server | None |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Data Historian | |
x_mitre_platforms | Field Controller/RTU/PLC/IED | |
x_mitre_platforms | Human-Machine Interface | |
x_mitre_platforms | Input/Output Server | |
x_mitre_platforms | Safety Instrumented System/Protection Relay |
Current version: 1.1
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-09 18:38:51.471000+00:00 | 2023-10-13 17:57:09.988000+00:00 |
x_mitre_platforms[0] | Safety Instrumented System/Protection Relay | None |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Field Controller/RTU/PLC/IED | |
x_mitre_platforms | Input/Output Server |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-09 18:38:51.471000+00:00 | 2023-10-13 17:57:09.780000+00:00 |
Current version: 1.2
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 20:19:41.272000+00:00 | 2023-10-13 17:57:03.395000+00:00 |
external_references[1]['url'] | https://www.nerc.com/files/glossary_of_terms.pdf | https://www.nerc.com/pa/Stand/Glossary%20of%20Terms/Glossary_of_Terms.pdf |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_platforms[0] | Engineering Workstation | None |
Current version: 1.2
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-05 14:16:02.811000+00:00 | 2023-10-13 17:57:04.582000+00:00 |
x_mitre_platforms[0] | Field Controller/RTU/PLC/IED | None |
Current version: 1.1
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-09 18:38:51.471000+00:00 | 2023-10-13 17:57:00.969000+00:00 |
x_mitre_platforms[0] | Engineering Workstation | None |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Human-Machine Interface |
Current version: 1.1
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-09 18:38:51.471000+00:00 | 2023-10-13 17:57:11.152000+00:00 |
x_mitre_platforms[0] | Control Server | None |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Data Historian | |
x_mitre_platforms | Engineering Workstation | |
x_mitre_platforms | Field Controller/RTU/PLC/IED | |
x_mitre_platforms | Human-Machine Interface | |
x_mitre_platforms | Input/Output Server | |
x_mitre_platforms | Safety Instrumented System/Protection Relay |
Current version: 1.2
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 20:20:38.285000+00:00 | 2023-10-13 17:57:01.165000+00:00 |
x_mitre_platforms[0] | Control Server | None |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Field Controller/RTU/PLC/IED | |
x_mitre_platforms | Input/Output Server |
Current version: 1.1
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-09 18:38:51.471000+00:00 | 2023-10-13 17:56:59.193000+00:00 |
Current version: 1.0
Description: [ANDROMEDA](https://attack.mitre.org/software/S1074) is commodity malware that was widespread in the early 2010s and continues to be observed in infections across a wide variety of industries. During the 2022 [C0026](https://attack.mitre.org/campaigns/C0026) campaign, threat actors re-registered expired [ANDROMEDA](https://attack.mitre.org/software/S1074) C2 domains to spread malware to select targets in Ukraine.(Citation: Mandiant Suspected Turla Campaign February 2023)
Current version: 1.0
Description: [AsyncRAT](https://attack.mitre.org/software/S1087) is an open-source remote access tool originally available through the NYANxCAT Github repository that has been used in malicious campaigns.(Citation: Morphisec Snip3 May 2021)(Citation: Cisco Operation Layover September 2021)(Citation: Telefonica Snip3 December 2021)
Current version: 1.0
Description: [BADHATCH](https://attack.mitre.org/software/S1081) is a backdoor that has been utilized by [FIN8](https://attack.mitre.org/groups/G0061) since at least 2019. [BADHATCH](https://attack.mitre.org/software/S1081) has been used to target the insurance, retail, technology, and chemical industries in the United States, Canada, South Africa, Panama, and Italy.(Citation: Gigamon BADHATCH Jul 2019)(Citation: BitDefender BADHATCH Mar 2021)
Current version: 1.0
Description: [Disco](https://attack.mitre.org/software/S1088) is a custom implant that has been used by [MoustachedBouncer](https://attack.mitre.org/groups/G1019) since at least 2020 including in campaigns using targeted malicious content injection for initial access and command and control.(Citation: MoustachedBouncer ESET August 2023)
Current version: 1.0
Description: [KOPILUWAK](https://attack.mitre.org/software/S1075) is a JavaScript-based reconnaissance tool that has been used for victim profiling and C2 since at least 2017.(Citation: Mandiant Suspected Turla Campaign February 2023)
Current version: 1.0
Description: [NightClub](https://attack.mitre.org/software/S1090) is a modular implant written in C++ that has been used by [MoustachedBouncer](https://attack.mitre.org/groups/G1019) since at least 2014.(Citation: MoustachedBouncer ESET August 2023)
Current version: 1.0
Description: Pacu is an open-source AWS exploitation framework. The tool is written in Python and publicly available on GitHub.(Citation: GitHub Pacu)
Current version: 1.0
Description: [QUIETCANARY](https://attack.mitre.org/software/S1076) is a backdoor tool written in .NET that has been used since at least 2022 to gather and exfiltrate data from victim networks.(Citation: Mandiant Suspected Turla Campaign February 2023)
Current version: 1.0
Description: [QUIETEXIT](https://attack.mitre.org/software/S1084) is a novel backdoor, based on the open-source Dropbear SSH client-server software, that has been used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2021. [APT29](https://attack.mitre.org/groups/G0016) has deployed [QUIETEXIT](https://attack.mitre.org/software/S1084) on opaque network appliances that typically don't support antivirus or endpoint detection and response tools within a victim environment.(Citation: Mandiant APT29 Eye Spy Email Nov 22)
Current version: 1.0
Description: [RotaJakiro](https://attack.mitre.org/software/S1078) is a 64-bit Linux backdoor used by [APT32](https://attack.mitre.org/groups/G0050). First seen in 2018, it uses a plugin architecture to extend capabilities. [RotaJakiro](https://attack.mitre.org/software/S1078) can determine its permission level and execute according to access type (`root` or `user`).(Citation: RotaJakiro 2021 netlab360 analysis)(Citation: netlab360 rotajakiro vs oceanlotus)
Current version: 1.0
Description: [Sardonic](https://attack.mitre.org/software/S1085) is a backdoor written in C and C++ that is known to have been used by [FIN8](https://attack.mitre.org/groups/G0061) as early as August 2021 to target a financial institution in the United States. [Sardonic](https://attack.mitre.org/software/S1085) has a plugin system that can load specially made DLLs and execute their functions.(Citation: Bitdefender Sardonic Aug 2021)(Citation: Symantec FIN8 Jul 2023)
Current version: 1.0
Description: [SharpDisco](https://attack.mitre.org/software/S1089) is a dropper developed in C# that has been used by [MoustachedBouncer](https://attack.mitre.org/groups/G1019) since at least 2020 to load malicious plugins.(Citation: MoustachedBouncer ESET August 2023)
Current version: 1.0
Description: [Snip3](https://attack.mitre.org/software/S1086) is a sophisticated crypter-as-a-service that has been used since at least 2021 to obfuscate and load numerous strains of malware including [AsyncRAT](https://attack.mitre.org/software/S1087), [Revenge RAT](https://attack.mitre.org/software/S0379), [Agent Tesla](https://attack.mitre.org/software/S0331), and [NETWIRE](https://attack.mitre.org/software/S0198).(Citation: Morphisec Snip3 May 2021)(Citation: Telefonica Snip3 December 2021)
Current version: 1.2
Description: [ngrok](https://attack.mitre.org/software/S0508) is a legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public IP. [ngrok](https://attack.mitre.org/software/S0508) has been leveraged by threat actors in several campaigns including use for lateral movement and data exfiltration.(Citation: Zdnet Ngrok September 2018)(Citation: FireEye Maze May 2020)(Citation: Cyware Ngrok May 2019)(Citation: MalwareBytes LazyScripter Feb 2021)
Current version: 3.0
Version changed from: 2.2 → 3.0
Old Description | New Description |
---|---|
[OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) is a MacOS backdoor with several variants that has been used by [APT32](https://attack.mitre.org/groups/G0050).(Citation: TrendMicro MacOS April 2018)(Citation: Trend Micro MacOS Backdoor November 2020) | [OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) is a macOS backdoor used by [APT32](https://attack.mitre.org/groups/G0050). First discovered in 2015, [APT32](https://attack.mitre.org/groups/G0050) has continued to make improvements using a plugin architecture to extend capabilities, specifically using `.dylib` files. [OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) can also determine it's permission level and execute according to access type (`root` or `user`).(Citation: Unit42 OceanLotus 2017)(Citation: TrendMicro MacOS April 2018)(Citation: Trend Micro MacOS Backdoor November 2020) |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-01-14 21:53:00.543000+00:00 | 2023-10-12 20:21:08.235000+00:00 |
description | [OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) is a MacOS backdoor with several variants that has been used by [APT32](https://attack.mitre.org/groups/G0050).(Citation: TrendMicro MacOS April 2018)(Citation: Trend Micro MacOS Backdoor November 2020) | [OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) is a macOS backdoor used by [APT32](https://attack.mitre.org/groups/G0050). First discovered in 2015, [APT32](https://attack.mitre.org/groups/G0050) has continued to make improvements using a plugin architecture to extend capabilities, specifically using `.dylib` files. [OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) can also determine it's permission level and execute according to access type (`root` or `user`).(Citation: Unit42 OceanLotus 2017)(Citation: TrendMicro MacOS April 2018)(Citation: Trend Micro MacOS Backdoor November 2020) |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 2.2 | 3.0 |
STIX Field | Old value | New Value |
---|---|---|
external_references | {'source_name': 'Unit42 OceanLotus 2017', 'description': 'Erye Hernandez and Danny Tsechansky. (2017, June 22). The New and Improved macOS Backdoor from OceanLotus. Retrieved September 8, 2023.', 'url': 'https://unit42.paloaltonetworks.com/unit42-new-improved-macos-backdoor-oceanlotus/'} |
Current version: 2.0
Version changed from: 1.0 → 2.0
Old Description | New Description |
---|---|
[Uroburos](https://attack.mitre.org/software/S0022) is a rootkit used by [Turla](https://attack.mitre.org/groups/G0010). (Citation: Kaspersky Turla) | [Uroburos](https://attack.mitre.org/software/S0022) is a sophisticated cyber espionage tool written in C that has been used by units within Russia's Federal Security Service (FSB) associated with the [Turla](https://attack.mitre.org/groups/G0010) toolset to collect intelligence on sensitive targets worldwide. [Uroburos](https://attack.mitre.org/software/S0022) has several variants and has undergone nearly constant upgrade since its initial development in 2003 to keep it viable after public disclosures. [Uroburos](https://attack.mitre.org/software/S0022) is typically deployed to external-facing nodes on a targeted network and has the ability to leverage additional tools and TTPs to further exploit an internal network. [Uroburos](https://attack.mitre.org/software/S0022) has interoperable implants for Windows, Linux, and macOS, employs a high level of stealth in communications and architecture, and can easily incorporate new or replacement components.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)(Citation: Kaspersky Turla) |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_aliases | ['Uroburos', 'Snake'] | |
x_mitre_deprecated | False | |
x_mitre_platforms | ['Linux', 'Windows', 'macOS'] |
STIX Field | Old value | New Value |
---|---|---|
modified | 2018-10-17 00:14:20.652000+00:00 | 2023-10-02 17:26:25.052000+00:00 |
description | [Uroburos](https://attack.mitre.org/software/S0022) is a rootkit used by [Turla](https://attack.mitre.org/groups/G0010). (Citation: Kaspersky Turla) | [Uroburos](https://attack.mitre.org/software/S0022) is a sophisticated cyber espionage tool written in C that has been used by units within Russia's Federal Security Service (FSB) associated with the [Turla](https://attack.mitre.org/groups/G0010) toolset to collect intelligence on sensitive targets worldwide. [Uroburos](https://attack.mitre.org/software/S0022) has several variants and has undergone nearly constant upgrade since its initial development in 2003 to keep it viable after public disclosures. [Uroburos](https://attack.mitre.org/software/S0022) is typically deployed to external-facing nodes on a targeted network and has the ability to leverage additional tools and TTPs to further exploit an internal network. [Uroburos](https://attack.mitre.org/software/S0022) has interoperable implants for Windows, Linux, and macOS, employs a high level of stealth in communications and architecture, and can easily incorporate new or replacement components.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)(Citation: Kaspersky Turla) |
external_references[1]['source_name'] | Uroburos | Snake |
external_references[1]['description'] | (Citation: Kaspersky Turla) | (Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023) |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.0 | 2.0 |
STIX Field | Old value | New Value |
---|---|---|
external_references | {'source_name': 'Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023', 'description': 'FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023.', 'url': 'https://www.cisa.gov/sites/default/files/2023-05/aa23-129a_snake_malware_2.pdf'} |
Current version: 1.3
Version changed from: 1.2 → 1.3
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-02 20:44:17.690000+00:00 | 2023-08-09 16:50:06.756000+00:00 |
x_mitre_version | 1.2 | 1.3 |
Current version: 1.3
Version changed from: 1.2 → 1.3
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-04-21 02:04:30.060000+00:00 | 2023-09-11 20:13:18.738000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
x_mitre_version | 1.2 | 1.3 |
Current version: 1.2
Version changed from: 1.1 → 1.2
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-12-07 18:27:04.603000+00:00 | 2023-07-25 19:24:08.305000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
x_mitre_version | 1.1 | 1.2 |
Current version: 1.4
Version changed from: 1.3 → 1.4
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-13 18:56:28.568000+00:00 | 2023-08-03 18:31:04.851000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
x_mitre_version | 1.3 | 1.4 |
Current version: 1.4
Version changed from: 1.3 → 1.4
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-12 17:33:00.482000+00:00 | 2023-10-06 14:08:40.134000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.3 | 1.4 |
Current version: 1.5
Version changed from: 1.4 → 1.5
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-02-16 18:51:10.090000+00:00 | 2023-08-09 18:00:13.178000+00:00 |
x_mitre_version | 1.4 | 1.5 |
Current version: 1.11
Version changed from: 1.10 → 1.11
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-07 13:05:11.028000+00:00 | 2023-08-09 16:47:36.538000+00:00 |
x_mitre_version | 1.10 | 1.11 |
Current version: 2.2
Version changed from: 2.1 → 2.2
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-09-29 16:45:13.038000+00:00 | 2023-08-09 18:13:14.416000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
x_mitre_version | 2.1 | 2.2 |
Current version: 1.2
Version changed from: 1.1 → 1.2
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 15:26:42.369000+00:00 | 2023-09-28 21:03:22.526000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.1 | 1.2 |
Current version: 2.1
Version changed from: 2.0 → 2.1
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-01 20:30:30.043000+00:00 | 2023-08-03 21:55:20.998000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
x_mitre_version | 2.0 | 2.1 |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_contributors | Jennifer Kim Roman, CrowdStrike |
Current version: 1.5
Version changed from: 1.4 → 1.5
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-01-17 22:19:58.856000+00:00 | 2023-09-29 19:44:43.868000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.4 | 1.5 |
Current version: 1.7
Version changed from: 1.6 → 1.7
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-22 03:43:09.336000+00:00 | 2023-07-27 15:44:31.364000+00:00 |
x_mitre_version | 1.6 | 1.7 |
Current version: 1.3
Version changed from: 1.2 → 1.3
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-11-06 15:24:20.400000+00:00 | 2023-10-01 16:58:20.224000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.2 | 1.3 |
Current version: 2.2
Version changed from: 2.1 → 2.2
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-27 19:46:46.532000+00:00 | 2023-08-30 16:31:52.140000+00:00 |
x_mitre_version | 2.1 | 2.2 |
Current version: 1.1
Version changed from: 1.0 → 1.1
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-07-10 13:39:26.417000+00:00 | 2023-10-03 19:35:03.646000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.0 | 1.1 |
Current version: 1.5
Version changed from: 1.4 → 1.5
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-01-23 20:52:37.112000+00:00 | 2023-07-27 15:31:10.648000+00:00 |
x_mitre_version | 1.4 | 1.5 |
Current version: 1.2
Version changed from: 1.1 → 1.2
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-08 22:13:42.357000+00:00 | 2023-10-06 14:09:52.833000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.1 | 1.2 |
Current version: 1.5
Version changed from: 1.4 → 1.5
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-02 20:48:02.590000+00:00 | 2023-08-03 18:35:09.021000+00:00 |
x_mitre_version | 1.4 | 1.5 |
Current version: 1.8
Version changed from: 1.7 → 1.8
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-07 13:04:10.731000+00:00 | 2023-07-27 15:33:07.594000+00:00 |
x_mitre_version | 1.7 | 1.8 |
Current version: 1.6
Version changed from: 1.5 → 1.6
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-26 19:24:00.073000+00:00 | 2023-09-20 20:04:20.149000+00:00 |
x_mitre_version | 1.5 | 1.6 |
Current version: 2.5
Version changed from: 2.4 → 2.5
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-03 16:49:41.059000+00:00 | 2023-07-25 19:25:59.767000+00:00 |
x_mitre_version | 2.4 | 2.5 |
Current version: 1.2
Version changed from: 1.1 → 1.2
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-07 16:41:18.760000+00:00 | 2023-08-09 18:03:17.167000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
x_mitre_version | 1.1 | 1.2 |
Current version: 1.4
Version changed from: 1.3 → 1.4
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-19 16:35:18.493000+00:00 | 2023-08-30 16:28:36.699000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
x_mitre_version | 1.3 | 1.4 |
Current version: 1.4
Version changed from: 1.3 → 1.4
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-01-04 21:59:04.229000+00:00 | 2023-09-06 15:12:11.358000+00:00 |
x_mitre_version | 1.3 | 1.4 |
Current version: 1.5
Version changed from: 1.4 → 1.5
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-02 20:43:41.287000+00:00 | 2023-08-09 18:07:11.859000+00:00 |
x_mitre_version | 1.4 | 1.5 |
Current version: 1.3
Version changed from: 1.2 → 1.3
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-05-13 22:57:00.921000+00:00 | 2023-09-28 21:08:47.128000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.2 | 1.3 |
Current version: 1.2
Version changed from: 1.1 → 1.2
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-04-13 23:52:18.803000+00:00 | 2023-09-06 15:08:53.375000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
x_mitre_version | 1.1 | 1.2 |
Current version: 1.2
Version changed from: 1.1 → 1.2
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-06-29 01:54:53.301000+00:00 | 2023-10-01 02:47:21.211000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.1 | 1.2 |
Current version: 1.2
Version changed from: 1.1 → 1.2
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 18:05:10.885000+00:00 | 2023-10-02 23:04:26.238000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.1 | 1.2 |
Current version: 1.1
Version changed from: 1.0 → 1.1
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-13 23:27:32.465000+00:00 | 2023-08-03 18:30:05.885000+00:00 |
x_mitre_version | 1.0 | 1.1 |
Current version: 1.4
Version changed from: 1.3 → 1.4
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-05-24 21:10:44.381000+00:00 | 2023-08-09 18:11:35.634000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
x_mitre_version | 1.3 | 1.4 |
Current version: 2.1
Version changed from: 2.0 → 2.1
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-02-23 19:45:50.419000+00:00 | 2023-08-09 16:44:56.511000+00:00 |
x_mitre_version | 2.0 | 2.1 |
Current version: 1.1
Version changed from: 1.0 → 1.1
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-15 14:24:50.745000+00:00 | 2023-10-03 19:33:26.976000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.0 | 1.1 |
Current version: 1.4
Version changed from: 1.3 → 1.4
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-03 00:40:22.280000+00:00 | 2023-07-27 15:28:27.482000+00:00 |
x_mitre_version | 1.3 | 1.4 |
Current version: 1.3
Version changed from: 1.2 → 1.3
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-01 17:48:10.492000+00:00 | 2023-09-28 03:45:36.045000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.2 | 1.3 |
Current version: 2.2
Version changed from: 2.1 → 2.2
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-01-25 15:43:45.842000+00:00 | 2023-10-03 19:38:43.114000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 2.1 | 2.2 |
Current version: 1.2
Version changed from: 1.1 → 1.2
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-12 21:29:16.407000+00:00 | 2023-07-25 19:25:05.678000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
x_mitre_version | 1.1 | 1.2 |
Current version: 1.5
Version changed from: 1.4 → 1.5
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-09-16 19:33:56.130000+00:00 | 2023-09-20 20:03:22.206000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
x_mitre_version | 1.4 | 1.5 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-17 21:40:50.124000+00:00 | 2023-06-15 18:33:45.154000+00:00 |
external_references[3]['url'] | https://www.cyber.gov.au/acsc/view-all-content/advisories/2022-004-acsc-ransomware-profile-alphv-aka-blackcat | https://www.cyber.gov.au/about-us/advisories/2022-004-acsc-ransomware-profile-alphv-aka-blackcat |
Current version: 1.1
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 01:58:55.849000+00:00 | 2023-09-21 19:42:40.612000+00:00 |
external_references[3]['url'] | https://www.symantec.com/security-center/writeup/2018-073014-2512-99?om_rssid=sr-latestthreats30days | https://web.archive.org/web/20190111082249/https://www.symantec.com/security-center/writeup/2018-073014-2512-99?om_rssid=sr-latestthreats30days |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
Current version: 1.1
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-04-01 16:03:31.574000+00:00 | 2023-08-17 19:51:14.195000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
Current version: 1.0
Old Description | New Description | ||||
---|---|---|---|---|---|
t | 1 | [Doki](https://attack.mitre.org/software/S0600) is a backdoo | t | 1 | [Doki](https://attack.mitre.org/software/S0600) is a backdoo |
> | r that uses a unique Dogecoin-based Domain Generation Algori | > | r that uses a unique Dogecoin-based Domain Generation Algori | ||
> | thm and was first observed in July 2020. [Doki](https://atta | > | thm and was first observed in July 2020. [Doki](https://atta | ||
> | ck.mitre.org/software/S0600) was used in conjunction with th | > | ck.mitre.org/software/S0600) was used in conjunction with th | ||
> | e [Ngrok](https://attack.mitre.org/software/S0508) Mining Bo | > | e [ngrok](https://attack.mitre.org/software/S0508) Mining Bo | ||
> | tnet in a campaign that targeted Docker servers in cloud pla | > | tnet in a campaign that targeted Docker servers in cloud pla | ||
> | tforms. (Citation: Intezer Doki July 20) | > | tforms. (Citation: Intezer Doki July 20) |
STIX Field | Old value | New Value |
---|---|---|
description | [Doki](https://attack.mitre.org/software/S0600) is a backdoor that uses a unique Dogecoin-based Domain Generation Algorithm and was first observed in July 2020. [Doki](https://attack.mitre.org/software/S0600) was used in conjunction with the [Ngrok](https://attack.mitre.org/software/S0508) Mining Botnet in a campaign that targeted Docker servers in cloud platforms. (Citation: Intezer Doki July 20) | [Doki](https://attack.mitre.org/software/S0600) is a backdoor that uses a unique Dogecoin-based Domain Generation Algorithm and was first observed in July 2020. [Doki](https://attack.mitre.org/software/S0600) was used in conjunction with the [ngrok](https://attack.mitre.org/software/S0508) Mining Botnet in a campaign that targeted Docker servers in cloud platforms. (Citation: Intezer Doki July 20) |
Current version: 1.1
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-20 20:37:50.556000+00:00 | 2023-10-17 20:09:38.062000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_contributors[1] | Joe Slowik - Dragos | Joe Slowik - Dragos |
Current version: 2.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-08 22:03:50.370000+00:00 | 2023-10-17 20:05:34.648000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_contributors[0] | Joe Slowik - Dragos | Joe Slowik - Dragos |
Current version: 2.1
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-02-09 14:07:10.907000+00:00 | 2023-09-19 13:31:34.134000+00:00 |
external_references[4]['description'] | Kizhakkinan, D. et al.. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018. | Kizhakkinan, D., et al. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018. |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
Current version: 1.1
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-17 14:48:43.852000+00:00 | 2023-09-19 13:31:34.134000+00:00 |
external_references[3]['description'] | Kizhakkinan, D. et al.. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018. | Kizhakkinan, D., et al. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018. |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
Current version: 1.6
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-22 05:12:48.213000+00:00 | 2023-08-17 19:50:17.832000+00:00 |
Current version: 1.1
This object has been revoked by [S0508] ngrok
Description for [S0508] ngrok: [ngrok](https://attack.mitre.org/software/S0508) is a legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public IP. [ngrok](https://attack.mitre.org/software/S0508) has been leveraged by threat actors in several campaigns including use for lateral movement and data exfiltration.(Citation: Zdnet Ngrok September 2018)(Citation: FireEye Maze May 2020)(Citation: Cyware Ngrok May 2019)(Citation: MalwareBytes LazyScripter Feb 2021)
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-13 13:24:56.579000+00:00 | 2023-09-25 18:56:12.154000+00:00 |
description | [Ngrok](https://attack.mitre.org/software/S0508) is a legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public IP. [Ngrok](https://attack.mitre.org/software/S0508) has been leveraged by threat actors in several campaigns including use for lateral movement and data exfiltration.(Citation: Zdnet Ngrok September 2018)(Citation: FireEye Maze May 2020)(Citation: Cyware Ngrok May 2019)(Citation: MalwareBytes LazyScripter Feb 2021) | |
revoked | False | True |
external_references[0] | {'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/software/S0508', 'external_id': 'S0508'} | {'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/software/S9000', 'external_id': 'S9000'} |
STIX Field | Old value | New Value |
---|---|---|
external_references | {'source_name': 'Zdnet Ngrok September 2018', 'description': 'Cimpanu, C. (2018, September 13). Sly malware author hides cryptomining botnet behind ever-shifting proxy service. Retrieved September 15, 2020.', 'url': 'https://www.zdnet.com/article/sly-malware-author-hides-cryptomining-botnet-behind-ever-shifting-proxy-service/'} | |
external_references | {'source_name': 'Cyware Ngrok May 2019', 'description': 'Cyware. (2019, May 29). Cyber attackers leverage tunneling service to drop Lokibot onto victims’ systems. Retrieved September 15, 2020.', 'url': 'https://cyware.com/news/cyber-attackers-leverage-tunneling-service-to-drop-lokibot-onto-victims-systems-6f610e44'} | |
external_references | {'source_name': 'MalwareBytes LazyScripter Feb 2021', 'description': 'Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.', 'url': 'https://www.malwarebytes.com/resources/files/2021/02/lazyscripter.pdf'} | |
external_references | {'source_name': 'FireEye Maze May 2020', 'description': 'Kennelly, J., Goody, K., Shilko, J. (2020, May 7). Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents. Retrieved May 18, 2020.', 'url': 'https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html'} |
Current version: 1.0
Description: [BOULDSPY](https://attack.mitre.org/software/S1079) is an Android malware, detected in early 2023, with surveillance and remote-control capabilities. Analysis of exfiltrated C2 data suggests that [BOULDSPY](https://attack.mitre.org/software/S1079) primarily targeted minority groups in Iran.(Citation: lookout_bouldspy_0423)
Current version: 1.0
Description: [Chameleon](https://attack.mitre.org/software/S1083) is an Android banking trojan that can leverage Android’s Accessibility Services to perform malicious activities. Believed to have been first active in January 2023, [Chameleon](https://attack.mitre.org/software/S1083) has been observed targeting users in Australia and Poland by masquerading as official apps.(Citation: cyble_chameleon_0423)
Current version: 1.0
Description: [Escobar](https://attack.mitre.org/software/S1092) is an Android banking trojan, first detected in March 2021, believed to be a new variant of AbereBot.(Citation: Bleeipng Computer Escobar)
Current version: 1.0
Description: [Fakecalls](https://attack.mitre.org/software/S1080) is an Android trojan, first detected in January 2021, that masquerades as South Korean banking apps. It has capabilities to intercept calls to banking institutions and even maintain realistic dialogues with the victim using pre-recorded audio snippets.(Citation: kaspersky_fakecalls_0422)
Current version: 1.0
Description: [FlyTrap](https://attack.mitre.org/software/S1093) is an Android trojan, first detected in March 2021, that uses social engineering tactics to compromise Facebook accounts. [FlyTrap](https://attack.mitre.org/software/S1093) was initially detected through infected apps on the Google Play store, and is believed to have impacted over 10,000 victims across at least 140 countries.(Citation: Trend Micro FlyTrap)
Current version: 1.0
Description: [Hornbill](https://attack.mitre.org/software/S1077) is one of two mobile malware families known to be used by the APT [Confucius](https://attack.mitre.org/groups/G0142). Analysis suggests that [Hornbill](https://attack.mitre.org/software/S1077) was first active in early 2018. While [Hornbill](https://attack.mitre.org/software/S1077) and [Sunbird](https://attack.mitre.org/software/S1082) overlap in core capabilities, [Hornbill](https://attack.mitre.org/software/S1077) has tools and behaviors suggesting more passive reconnaissance.(Citation: lookout_hornbill_sunbird_0221)
Current version: 1.0
Description: [Sunbird](https://attack.mitre.org/software/S1082) is one of two mobile malware families known to be used by the APT [Confucius](https://attack.mitre.org/groups/G0142). Analysis suggests that [Sunbird](https://attack.mitre.org/software/S1082) was first active in early 2017. While [Sunbird](https://attack.mitre.org/software/S1082) and [Hornbill](https://attack.mitre.org/software/S1077) overlap in core capabilities, [Sunbird](https://attack.mitre.org/software/S1082) has a more extensive set of malicious features.(Citation: lookout_hornbill_sunbird_0221)
Current version: 1.4
Version changed from: 1.3 → 1.4
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-12 17:33:00.482000+00:00 | 2023-10-06 14:08:40.134000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.3 | 1.4 |
Current version: 1.2
Version changed from: 1.1 → 1.2
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-08 22:13:42.357000+00:00 | 2023-10-06 14:09:52.833000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.1 | 1.2 |
Current version: 1.4
Version changed from: 1.3 → 1.4
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-05-24 21:10:44.381000+00:00 | 2023-08-09 18:11:35.634000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
x_mitre_version | 1.3 | 1.4 |
Current version: 1.1
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-20 20:37:50.556000+00:00 | 2023-10-17 20:09:38.062000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_contributors[1] | Joe Slowik - Dragos | Joe Slowik - Dragos |
Current version: 2.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-08 22:03:50.370000+00:00 | 2023-10-17 20:05:34.648000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_contributors[0] | Joe Slowik - Dragos | Joe Slowik - Dragos |
Current version: 1.0
Description: [Charming Kitten](https://attack.mitre.org/groups/G0058) is an Iranian cyber espionage group that has been active since approximately 2014. They appear to focus on targeting individuals of interest to Iran who work in academic research, human rights, and media, with most victims having been located in Iran, the US, Israel, and the UK. [Charming Kitten](https://attack.mitre.org/groups/G0058) often tries to access private email and Facebook accounts, and sometimes establishes a foothold on victim computers as a secondary objective. The group's TTPs overlap extensively with another group, [Magic Hound](https://attack.mitre.org/groups/G0059), resulting in reporting that may not distinguish between the two groups' activities.(Citation: ClearSky Charming Kitten Dec 2017)
Current version: 1.0
Description: [FIN13](https://attack.mitre.org/groups/G1016) is a financially motivated cyber threat group that has targeted the financial, retail, and hospitality industries in Mexico and Latin America, as early as 2016. [FIN13](https://attack.mitre.org/groups/G1016) achieves its objectives by stealing intellectual property, financial data, mergers and acquisition information, or PII.(Citation: Mandiant FIN13 Aug 2022)(Citation: Sygnia Elephant Beetle Jan 2022)
Current version: 1.0
Description: [MoustachedBouncer](https://attack.mitre.org/groups/G1019) is a cyberespionage group that has been active since at least 2014 targeting foreign embassies in Belarus.(Citation: MoustachedBouncer ESET August 2023)
Current version: 1.0
Description: [Scattered Spider](https://attack.mitre.org/groups/G1015) is a cybercriminal group that has been active since at least 2022 targeting customer relationship management and business-process outsourcing (BPO) firms as well as telecommunications and technology companies. During campaigns [Scattered Spider](https://attack.mitre.org/groups/G1015) has leveraged targeted social-engineering techniques and attempted to bypass popular endpoint security tools.(Citation: CrowdStrike Scattered Spider Profile)(Citation: CrowdStrike Scattered Spider BYOVD January 2023)(Citation: Crowdstrike TELCO BPO Campaign December 2022)
Current version: 1.0
Description: [TA2541](https://attack.mitre.org/groups/G1018) is a cybercriminal group that has been targeting the aviation, aerospace, transportation, manufacturing, and defense industries since at least 2017. [TA2541](https://attack.mitre.org/groups/G1018) campaigns are typically high volume and involve the use of commodity remote access tools obfuscated by crypters and themes related to aviation, transportation, and travel.(Citation: Proofpoint TA2541 February 2022)(Citation: Cisco Operation Layover September 2021)
Current version: 1.0
Description: [Volt Typhoon](https://attack.mitre.org/groups/G1017) is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021. [Volt Typhoon](https://attack.mitre.org/groups/G1017) typically focuses on espionage and information gathering and has targeted critical infrastructure organizations in the US including Guam. [Volt Typhoon](https://attack.mitre.org/groups/G1017) has emphasized stealth in operations using web shells, living-off-the-land (LOTL) binaries, hands on keyboard activities, and stolen credentials.(Citation: Microsoft Volt Typhoon May 2023)(Citation: Joint Cybersecurity Advisory Volt Typhoon June 2023)(Citation: Secureworks BRONZE SILHOUETTE May 2023)
Current version: 5.0
Version changed from: 4.0 → 5.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-16 22:25:01.191000+00:00 | 2023-10-02 21:33:07.807000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 4.0 | 5.0 |
STIX Field | Old value | New Value |
---|---|---|
aliases | UNC3524 | |
external_references | {'source_name': 'UNC3524', 'description': '(Citation: Mandiant APT29 Eye Spy Email Nov 22)'} | |
external_references | {'source_name': 'Mandiant APT29 Eye Spy Email Nov 22', 'description': 'Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved August 17, 2023.', 'url': 'https://www.mandiant.com/resources/blog/unc3524-eye-spy-email'} |
Current version: 3.0
Version changed from: 2.2 → 3.0
Old Description | New Description | ||||
---|---|---|---|---|---|
t | 1 | [FIN7](https://attack.mitre.org/groups/G0046) is a financial | t | 1 | [FIN7](https://attack.mitre.org/groups/G0046) is a financial |
> | ly-motivated threat group that has been active since 2013 pr | > | ly-motivated threat group that has been active since 2013. [ | ||
> | imarily targeting the U.S. retail, restaurant, and hospitali | > | FIN7](https://attack.mitre.org/groups/G0046) has primarily t | ||
> | ty sectors, often using point-of-sale malware. A portion of | > | argeted the retail, restaurant, hospitality, software, consu | ||
> | [FIN7](https://attack.mitre.org/groups/G0046) was run out of | > | lting, financial services, medical equipment, cloud services | ||
> | a front company called Combi Security. Since 2020 [FIN7](ht | > | , media, food and beverage, transportation, and utilities in | ||
> | tps://attack.mitre.org/groups/G0046) shifted operations to a | > | dustries in the U.S. A portion of [FIN7](https://attack.mitr | ||
> | big game hunting (BGH) approach including use of [REvil](ht | > | e.org/groups/G0046) was run out of a front company called Co | ||
> | tps://attack.mitre.org/software/S0496) ransomware and their | > | mbi Security and often used point-of-sale malware for target | ||
> | own Ransomware as a Service (RaaS), Darkside. [FIN7](https:/ | > | ing efforts. Since 2020, [FIN7](https://attack.mitre.org/gro | ||
> | /attack.mitre.org/groups/G0046) may be linked to the [Carban | > | ups/G0046) shifted operations to a big game hunting (BGH) ap | ||
> | ak](https://attack.mitre.org/groups/G0008) Group, but there | > | proach including use of [REvil](https://attack.mitre.org/sof | ||
> | appears to be several groups using [Carbanak](https://attack | > | tware/S0496) ransomware and their own Ransomware as a Servic | ||
> | .mitre.org/software/S0030) malware and are therefore tracked | > | e (RaaS), Darkside. FIN7 may be linked to the [Carbanak](htt | ||
> | separately.(Citation: FireEye FIN7 March 2017)(Citation: Fi | > | ps://attack.mitre.org/groups/G0008) Group, but there appears | ||
> | reEye FIN7 April 2017)(Citation: FireEye CARBANAK June 2017) | > | to be several groups using [Carbanak](https://attack.mitre. | ||
> | (Citation: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carb | > | org/software/S0030) malware and are therefore tracked separa | ||
> | on Spider August 2021) | > | tely.(Citation: FireEye FIN7 March 2017)(Citation: FireEye F | ||
> | IN7 April 2017)(Citation: FireEye CARBANAK June 2017)(Citati | ||||
> | on: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carbon Spid | ||||
> | er August 2021)(Citation: Mandiant FIN7 Apr 2022) |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-22 03:51:04.185000+00:00 | 2023-10-04 18:10:49.054000+00:00 |
description | [FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013 primarily targeting the U.S. retail, restaurant, and hospitality sectors, often using point-of-sale malware. A portion of [FIN7](https://attack.mitre.org/groups/G0046) was run out of a front company called Combi Security. Since 2020 [FIN7](https://attack.mitre.org/groups/G0046) shifted operations to a big game hunting (BGH) approach including use of [REvil](https://attack.mitre.org/software/S0496) ransomware and their own Ransomware as a Service (RaaS), Darkside. [FIN7](https://attack.mitre.org/groups/G0046) may be linked to the [Carbanak](https://attack.mitre.org/groups/G0008) Group, but there appears to be several groups using [Carbanak](https://attack.mitre.org/software/S0030) malware and are therefore tracked separately.(Citation: FireEye FIN7 March 2017)(Citation: FireEye FIN7 April 2017)(Citation: FireEye CARBANAK June 2017)(Citation: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carbon Spider August 2021) | [FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013. [FIN7](https://attack.mitre.org/groups/G0046) has primarily targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, and utilities industries in the U.S. A portion of [FIN7](https://attack.mitre.org/groups/G0046) was run out of a front company called Combi Security and often used point-of-sale malware for targeting efforts. Since 2020, [FIN7](https://attack.mitre.org/groups/G0046) shifted operations to a big game hunting (BGH) approach including use of [REvil](https://attack.mitre.org/software/S0496) ransomware and their own Ransomware as a Service (RaaS), Darkside. FIN7 may be linked to the [Carbanak](https://attack.mitre.org/groups/G0008) Group, but there appears to be several groups using [Carbanak](https://attack.mitre.org/software/S0030) malware and are therefore tracked separately.(Citation: FireEye FIN7 March 2017)(Citation: FireEye FIN7 April 2017)(Citation: FireEye CARBANAK June 2017)(Citation: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carbon Spider August 2021)(Citation: Mandiant FIN7 Apr 2022) |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 2.2 | 3.0 |
STIX Field | Old value | New Value |
---|---|---|
external_references | {'source_name': 'Mandiant FIN7 Apr 2022', 'description': 'Abdo, B., et al. (2022, April 4). FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7. Retrieved April 5, 2022.', 'url': 'https://www.mandiant.com/resources/evolution-of-fin7'} |
Current version: 2.0
Version changed from: 1.3 → 2.0
Old Description | New Description | ||||
---|---|---|---|---|---|
t | 1 | [FIN8](https://attack.mitre.org/groups/G0061) is a financial | t | 1 | [FIN8](https://attack.mitre.org/groups/G0061) is a financial |
> | ly motivated threat group known to launch tailored spearphis | > | ly motivated threat group that has been active since at leas | ||
> | hing campaigns targeting the retail, restaurant, and hospita | > | t January 2016, and known for targeting organizations in the | ||
> | lity industries. (Citation: FireEye Obfuscation June 2017) ( | > | hospitality, retail, entertainment, insurance, technology, | ||
> | Citation: FireEye Fin8 May 2016) | > | chemical, and financial sectors. In June 2021, security rese | ||
> | archers detected [FIN8](https://attack.mitre.org/groups/G006 | ||||
> | 1) switching from targeting point-of-sale (POS) devices to d | ||||
> | istributing a number of ransomware variants.(Citation: FireE | ||||
> | ye Obfuscation June 2017)(Citation: FireEye Fin8 May 2016)(C | ||||
> | itation: Bitdefender Sardonic Aug 2021)(Citation: Symantec F | ||||
> | IN8 Jul 2023) |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-22 03:52:13.089000+00:00 | 2023-09-19 14:08:59.296000+00:00 |
description | [FIN8](https://attack.mitre.org/groups/G0061) is a financially motivated threat group known to launch tailored spearphishing campaigns targeting the retail, restaurant, and hospitality industries. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Fin8 May 2016) | [FIN8](https://attack.mitre.org/groups/G0061) is a financially motivated threat group that has been active since at least January 2016, and known for targeting organizations in the hospitality, retail, entertainment, insurance, technology, chemical, and financial sectors. In June 2021, security researchers detected [FIN8](https://attack.mitre.org/groups/G0061) switching from targeting point-of-sale (POS) devices to distributing a number of ransomware variants.(Citation: FireEye Obfuscation June 2017)(Citation: FireEye Fin8 May 2016)(Citation: Bitdefender Sardonic Aug 2021)(Citation: Symantec FIN8 Jul 2023) |
external_references[3]['description'] | Kizhakkinan, D. et al.. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018. | Kizhakkinan, D., et al. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018. |
x_mitre_version | 1.3 | 2.0 |
STIX Field | Old value | New Value |
---|---|---|
aliases | Syssphinx | |
external_references | {'source_name': 'Syssphinx', 'description': '(Citation: Symantec FIN8 Jul 2023)'} | |
external_references | {'source_name': 'Bitdefender Sardonic Aug 2021', 'description': 'Budaca, E., et al. (2021, August 25). FIN8 Threat Actor Goes Agile with New Sardonic Backdoor. Retrieved August 9, 2023.', 'url': 'https://www.bitdefender.com/files/News/CaseStudies/study/401/Bitdefender-PR-Whitepaper-FIN8-creat5619-en-EN.pdf'} | |
external_references | {'source_name': 'Symantec FIN8 Jul 2023', 'description': 'Symantec Threat Hunter Team. (2023, July 18). FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware. Retrieved August 9, 2023.', 'url': 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/syssphinx-fin8-backdoor'} | |
x_mitre_contributors | Serhii Melnyk, Trustwave SpiderLabs |
Current version: 3.0
Version changed from: 2.1 → 3.0
Old Description | New Description | ||||
---|---|---|---|---|---|
t | 1 | [Indrik Spider](https://attack.mitre.org/groups/G0119) is a | t | 1 | [Indrik Spider](https://attack.mitre.org/groups/G0119) is a |
> | Russia-based cybercriminal group that has been active since | > | Russia-based cybercriminal group that has been active since | ||
> | at least 2014. [Indrik Spider](https://attack.mitre.org/grou | > | at least 2014. [Indrik Spider](https://attack.mitre.org/grou | ||
> | ps/G0119) initially started with the [Dridex](https://attack | > | ps/G0119) initially started with the [Dridex](https://attack | ||
> | .mitre.org/software/S0384) banking Trojan, and then by 2017 | > | .mitre.org/software/S0384) banking Trojan, and then by 2017 | ||
> | they began running ransomware operations using [BitPaymer](h | > | they began running ransomware operations using [BitPaymer](h | ||
> | ttps://attack.mitre.org/software/S0570), [WastedLocker](http | > | ttps://attack.mitre.org/software/S0570), [WastedLocker](http | ||
> | s://attack.mitre.org/software/S0612), and Hades ransomware.( | > | s://attack.mitre.org/software/S0612), and Hades ransomware. | ||
> | Citation: Crowdstrike Indrik November 2018)(Citation: Crowds | > | Following U.S. sanctions and an indictment in 2019, [Indrik | ||
> | trike EvilCorp March 2021)(Citation: Treasury EvilCorp Dec 2 | > | Spider](https://attack.mitre.org/groups/G0119) changed their | ||
> | 019) | > | tactics and diversified their toolset.(Citation: Crowdstrik | ||
> | e Indrik November 2018)(Citation: Crowdstrike EvilCorp March | ||||
> | 2021)(Citation: Treasury EvilCorp Dec 2019) |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_contributors | ['Jennifer Kim Roman, CrowdStrike'] |
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-09-15 19:49:18.799000+00:00 | 2023-08-03 21:39:36.666000+00:00 |
description | [Indrik Spider](https://attack.mitre.org/groups/G0119) is a Russia-based cybercriminal group that has been active since at least 2014. [Indrik Spider](https://attack.mitre.org/groups/G0119) initially started with the [Dridex](https://attack.mitre.org/software/S0384) banking Trojan, and then by 2017 they began running ransomware operations using [BitPaymer](https://attack.mitre.org/software/S0570), [WastedLocker](https://attack.mitre.org/software/S0612), and Hades ransomware.(Citation: Crowdstrike Indrik November 2018)(Citation: Crowdstrike EvilCorp March 2021)(Citation: Treasury EvilCorp Dec 2019) | [Indrik Spider](https://attack.mitre.org/groups/G0119) is a Russia-based cybercriminal group that has been active since at least 2014. [Indrik Spider](https://attack.mitre.org/groups/G0119) initially started with the [Dridex](https://attack.mitre.org/software/S0384) banking Trojan, and then by 2017 they began running ransomware operations using [BitPaymer](https://attack.mitre.org/software/S0570), [WastedLocker](https://attack.mitre.org/software/S0612), and Hades ransomware. Following U.S. sanctions and an indictment in 2019, [Indrik Spider](https://attack.mitre.org/groups/G0119) changed their tactics and diversified their toolset.(Citation: Crowdstrike Indrik November 2018)(Citation: Crowdstrike EvilCorp March 2021)(Citation: Treasury EvilCorp Dec 2019) |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
x_mitre_version | 2.1 | 3.0 |
Current version: 4.0
Version changed from: 3.1 → 4.0
Old Description | New Description | ||||
---|---|---|---|---|---|
t | 1 | [Turla](https://attack.mitre.org/groups/G0010) is a Russian- | t | 1 | [Turla](https://attack.mitre.org/groups/G0010) is a cyber es |
> | based threat group that has infected victims in over 45 coun | > | pionage threat group that has been attributed to Russia's Fe | ||
> | tries, spanning a range of industries including government, | > | deral Security Service (FSB). They have compromised victims | ||
> | embassies, military, education, research and pharmaceutical | > | in over 50 countries since at least 2004, spanning a range | ||
> | companies since 2004. Heightened activity was seen in mid-20 | > | of industries including government, embassies, military, edu | ||
> | 15. [Turla](https://attack.mitre.org/groups/G0010) is known | > | cation, research and pharmaceutical companies. [Turla](https | ||
> | for conducting watering hole and spearphishing campaigns and | > | ://attack.mitre.org/groups/G0010) is known for conducting wa | ||
> | leveraging in-house tools and malware. [Turla](https://atta | > | tering hole and spearphishing campaigns, and leveraging in-h | ||
> | ck.mitre.org/groups/G0010)’s espionage platform is mainly us | > | ouse tools and malware, such as [Uroburos](https://attack.mi | ||
> | ed against Windows machines, but has also been seen used aga | > | tre.org/software/S0022).(Citation: Kaspersky Turla)(Citation | ||
> | inst macOS and Linux machines.(Citation: Kaspersky Turla)(Ci | > | : ESET Gazer Aug 2017)(Citation: CrowdStrike VENOMOUS BEAR)( | ||
> | tation: ESET Gazer Aug 2017)(Citation: CrowdStrike VENOMOUS | > | Citation: ESET Turla Mosquito Jan 2018)(Citation: Joint Cybe | ||
> | BEAR)(Citation: ESET Turla Mosquito Jan 2018) | > | rsecurity Advisory AA23-129A Snake Malware May 2023) |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-22 05:41:28.428000+00:00 | 2023-08-02 19:48:08.774000+00:00 |
description | [Turla](https://attack.mitre.org/groups/G0010) is a Russian-based threat group that has infected victims in over 45 countries, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies since 2004. Heightened activity was seen in mid-2015. [Turla](https://attack.mitre.org/groups/G0010) is known for conducting watering hole and spearphishing campaigns and leveraging in-house tools and malware. [Turla](https://attack.mitre.org/groups/G0010)’s espionage platform is mainly used against Windows machines, but has also been seen used against macOS and Linux machines.(Citation: Kaspersky Turla)(Citation: ESET Gazer Aug 2017)(Citation: CrowdStrike VENOMOUS BEAR)(Citation: ESET Turla Mosquito Jan 2018) | [Turla](https://attack.mitre.org/groups/G0010) is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least 2004, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. [Turla](https://attack.mitre.org/groups/G0010) is known for conducting watering hole and spearphishing campaigns, and leveraging in-house tools and malware, such as [Uroburos](https://attack.mitre.org/software/S0022).(Citation: Kaspersky Turla)(Citation: ESET Gazer Aug 2017)(Citation: CrowdStrike VENOMOUS BEAR)(Citation: ESET Turla Mosquito Jan 2018)(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023) |
x_mitre_version | 3.1 | 4.0 |
STIX Field | Old value | New Value |
---|---|---|
external_references | {'source_name': 'Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023', 'description': 'FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023.', 'url': 'https://www.cisa.gov/sites/default/files/2023-05/aa23-129a_snake_malware_2.pdf'} |
Current version: 3.0
Version changed from: 2.1 → 3.0
Old Description | New Description | ||||
---|---|---|---|---|---|
t | 1 | [Wizard Spider](https://attack.mitre.org/groups/G0102) is a | t | 1 | [Wizard Spider](https://attack.mitre.org/groups/G0102) is a |
> | Russia-based financially motivated threat group originally k | > | Russia-based financially motivated threat group originally k | ||
> | nown for the creation and deployment of [TrickBot](https://a | > | nown for the creation and deployment of [TrickBot](https://a | ||
> | ttack.mitre.org/software/S0266) since at least 2016. [Wizard | > | ttack.mitre.org/software/S0266) since at least 2016. [Wizard | ||
> | Spider](https://attack.mitre.org/groups/G0102) possesses a | > | Spider](https://attack.mitre.org/groups/G0102) possesses a | ||
> | diverse arsenal of tools and has conducted ransomware campai | > | diverse aresenal of tools and has conducted ransomware campa | ||
> | gns against a variety of organizations, ranging from major c | > | igns against a variety of organizations, ranging from major | ||
> | orporations to hospitals.(Citation: CrowdStrike Ryuk January | > | corporations to hospitals.(Citation: CrowdStrike Ryuk Januar | ||
> | 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare Oc | > | y 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare O | ||
> | tober 2020)(Citation: CrowdStrike Wizard Spider October 2020 | > | ctober 2020)(Citation: CrowdStrike Wizard Spider October 202 | ||
> | ) | > | 0) |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-22 05:44:27.289000+00:00 | 2023-09-12 14:35:52.920000+00:00 |
description | [Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: CrowdStrike Wizard Spider October 2020) | [Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse aresenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: CrowdStrike Wizard Spider October 2020) |
x_mitre_version | 2.1 | 3.0 |
STIX Field | Old value | New Value |
---|---|---|
aliases | FIN12 | |
aliases | GOLD BLACKBURN | |
aliases | ITG23 | |
aliases | Periwinkle Tempest | |
external_references | {'source_name': 'ITG23', 'description': '(Citation: IBM X-Force ITG23 Oct 2021)'} | |
external_references | {'source_name': 'FIN12', 'description': '(Citation: Mandiant FIN12 Oct 2021)'} | |
external_references | {'source_name': 'GOLD BLACKBURN', 'description': '(Citation: Secureworks Gold Blackburn Mar 2022)'} | |
external_references | {'source_name': 'Periwinkle Tempest', 'description': '(Citation: Secureworks Gold Blackburn Mar 2022)'} | |
external_references | {'source_name': 'Secureworks Gold Blackburn Mar 2022', 'description': 'Secureworks Counter Threat Unit. (2022, March 1). Gold Blackburn Threat Profile. Retrieved June 15, 2023.', 'url': 'https://www.secureworks.com/research/threat-profiles/gold-blackburn'} | |
external_references | {'source_name': 'Mandiant FIN12 Oct 2021', 'description': 'Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.', 'url': 'https://www.mandiant.com/sites/default/files/2021-10/fin12-group-profile.pdf'} | |
external_references | {'source_name': 'IBM X-Force ITG23 Oct 2021', 'description': 'Villadsen, O., et al. (2021, October 13). Trickbot Rising - Gang Doubles Down on Infection Efforts to Amass Network Footholds. Retrieved June 15, 2023.', 'url': 'https://securityintelligence.com/posts/trickbot-gang-doubles-down-enterprise-infection/'} |
Current version: 2.7
Version changed from: 2.6 → 2.7
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-21 21:04:18.158000+00:00 | 2023-10-12 21:15:24.393000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 2.6 | 2.7 |
Current version: 1.1
Version changed from: 1.0 → 1.1
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-06-30 20:15:32.697000+00:00 | 2023-09-22 20:43:16.504000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
x_mitre_version | 1.0 | 1.1 |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_domains | mobile-attack |
Current version: 3.2
Version changed from: 3.1 → 3.2
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-08 22:03:28.170000+00:00 | 2023-10-01 02:45:48.973000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 3.1 | 3.2 |
Current version: 1.2
Version changed from: 1.1 → 1.2
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-11 00:01:29.232000+00:00 | 2023-10-20 17:06:10.335000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.1 | 1.2 |
STIX Field | Old value | New Value |
---|---|---|
x_mitre_contributors | Caio Silva |
Current version: 5.2
Version changed from: 5.1 → 5.2
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-01-13 21:18:18.077000+00:00 | 2023-09-11 20:43:14.739000+00:00 |
x_mitre_version | 5.1 | 5.2 |
Current version: 3.1
Version changed from: 3.0 → 3.1
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-08 22:12:31.238000+00:00 | 2023-10-06 14:13:06.011000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 3.0 | 3.1 |
Current version: 1.2
Version changed from: 1.1 → 1.2
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | 3.2.0 | |
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-05-19 23:26:11.780000+00:00 | 2023-09-27 20:22:05.127000+00:00 |
x_mitre_version | 1.1 | 1.2 |
Current version: 2.0
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | 3.1.0 | |
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-15 16:54:01.193000+00:00 | 2023-06-26 18:59:30.461000+00:00 |
external_references[2]['source_name'] | Richochet Chollima | Ricochet Chollima |
external_references[11]['description'] | CrowdStrike. (2021, September 30). Adversary Profile - Richochet Chollima. Retrieved September 30, 2021. | CrowdStrike. (2021, September 30). Adversary Profile - Ricochet Chollima. Retrieved September 30, 2021. |
external_references[11]['url'] | https://adversary.crowdstrike.com/en-US/adversary/ricochet-chollima/ | https://www.crowdstrike.com/adversaries/ricochet-chollima/ |
STIX Field | Old value | New Value |
---|---|---|
aliases | Ricochet Chollima |
STIX Field | Old value | New Value |
---|---|---|
aliases | Richochet Chollima |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | 3.2.0 | |
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-12-17 19:27:27.246000+00:00 | 2023-10-09 16:46:55.719000+00:00 |
external_references[6]['url'] | https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-operation-saffron-rose.pdf | https://www.mandiant.com/sites/default/files/2021-09/rpt-operation-saffron-rose.pdf |
Current version: 2.1
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-19 22:07:30.243000+00:00 | 2023-10-17 20:21:44.687000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_contributors[0] | Harry, CODEMIZE | Harry Kim, CODEMIZE |
Current version: 3.1
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-11-30 22:53:00.875000+00:00 | 2023-09-27 20:08:25.814000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
Current version: 1.1
Description: [Confucius](https://attack.mitre.org/groups/G0142) is a cyber espionage group that has primarily targeted military personnel, high-profile personalities, business persons, and government organizations in South Asia since at least 2013. Security researchers have noted similarities between [Confucius](https://attack.mitre.org/groups/G0142) and [Patchwork](https://attack.mitre.org/groups/G0040), particularly in their respective custom malware code and targets.(Citation: TrendMicro Confucius APT Feb 2018)(Citation: TrendMicro Confucius APT Aug 2021)(Citation: Uptycs Confucius APT Jan 2021)
Current version: 1.0
Description: [MoustachedBouncer](https://attack.mitre.org/groups/G1019) is a cyberespionage group that has been active since at least 2014 targeting foreign embassies in Belarus.(Citation: MoustachedBouncer ESET August 2023)
Current version: 3.1
Version changed from: 3.0 → 3.1
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-08 22:12:31.238000+00:00 | 2023-10-06 14:13:06.011000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 3.0 | 3.1 |
Current version: 3.0
Version changed from: 2.2 → 3.0
Old Description | New Description | ||||
---|---|---|---|---|---|
t | 1 | [FIN7](https://attack.mitre.org/groups/G0046) is a financial | t | 1 | [FIN7](https://attack.mitre.org/groups/G0046) is a financial |
> | ly-motivated threat group that has been active since 2013 pr | > | ly-motivated threat group that has been active since 2013. [ | ||
> | imarily targeting the U.S. retail, restaurant, and hospitali | > | FIN7](https://attack.mitre.org/groups/G0046) has primarily t | ||
> | ty sectors, often using point-of-sale malware. A portion of | > | argeted the retail, restaurant, hospitality, software, consu | ||
> | [FIN7](https://attack.mitre.org/groups/G0046) was run out of | > | lting, financial services, medical equipment, cloud services | ||
> | a front company called Combi Security. Since 2020 [FIN7](ht | > | , media, food and beverage, transportation, and utilities in | ||
> | tps://attack.mitre.org/groups/G0046) shifted operations to a | > | dustries in the U.S. A portion of [FIN7](https://attack.mitr | ||
> | big game hunting (BGH) approach including use of [REvil](ht | > | e.org/groups/G0046) was run out of a front company called Co | ||
> | tps://attack.mitre.org/software/S0496) ransomware and their | > | mbi Security and often used point-of-sale malware for target | ||
> | own Ransomware as a Service (RaaS), Darkside. [FIN7](https:/ | > | ing efforts. Since 2020, [FIN7](https://attack.mitre.org/gro | ||
> | /attack.mitre.org/groups/G0046) may be linked to the [Carban | > | ups/G0046) shifted operations to a big game hunting (BGH) ap | ||
> | ak](https://attack.mitre.org/groups/G0008) Group, but there | > | proach including use of [REvil](https://attack.mitre.org/sof | ||
> | appears to be several groups using [Carbanak](https://attack | > | tware/S0496) ransomware and their own Ransomware as a Servic | ||
> | .mitre.org/software/S0030) malware and are therefore tracked | > | e (RaaS), Darkside. FIN7 may be linked to the [Carbanak](htt | ||
> | separately.(Citation: FireEye FIN7 March 2017)(Citation: Fi | > | ps://attack.mitre.org/groups/G0008) Group, but there appears | ||
> | reEye FIN7 April 2017)(Citation: FireEye CARBANAK June 2017) | > | to be several groups using [Carbanak](https://attack.mitre. | ||
> | (Citation: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carb | > | org/software/S0030) malware and are therefore tracked separa | ||
> | on Spider August 2021) | > | tely.(Citation: FireEye FIN7 March 2017)(Citation: FireEye F | ||
> | IN7 April 2017)(Citation: FireEye CARBANAK June 2017)(Citati | ||||
> | on: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carbon Spid | ||||
> | er August 2021)(Citation: Mandiant FIN7 Apr 2022) |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-22 03:51:04.185000+00:00 | 2023-10-04 18:10:49.054000+00:00 |
description | [FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013 primarily targeting the U.S. retail, restaurant, and hospitality sectors, often using point-of-sale malware. A portion of [FIN7](https://attack.mitre.org/groups/G0046) was run out of a front company called Combi Security. Since 2020 [FIN7](https://attack.mitre.org/groups/G0046) shifted operations to a big game hunting (BGH) approach including use of [REvil](https://attack.mitre.org/software/S0496) ransomware and their own Ransomware as a Service (RaaS), Darkside. [FIN7](https://attack.mitre.org/groups/G0046) may be linked to the [Carbanak](https://attack.mitre.org/groups/G0008) Group, but there appears to be several groups using [Carbanak](https://attack.mitre.org/software/S0030) malware and are therefore tracked separately.(Citation: FireEye FIN7 March 2017)(Citation: FireEye FIN7 April 2017)(Citation: FireEye CARBANAK June 2017)(Citation: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carbon Spider August 2021) | [FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013. [FIN7](https://attack.mitre.org/groups/G0046) has primarily targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, and utilities industries in the U.S. A portion of [FIN7](https://attack.mitre.org/groups/G0046) was run out of a front company called Combi Security and often used point-of-sale malware for targeting efforts. Since 2020, [FIN7](https://attack.mitre.org/groups/G0046) shifted operations to a big game hunting (BGH) approach including use of [REvil](https://attack.mitre.org/software/S0496) ransomware and their own Ransomware as a Service (RaaS), Darkside. FIN7 may be linked to the [Carbanak](https://attack.mitre.org/groups/G0008) Group, but there appears to be several groups using [Carbanak](https://attack.mitre.org/software/S0030) malware and are therefore tracked separately.(Citation: FireEye FIN7 March 2017)(Citation: FireEye FIN7 April 2017)(Citation: FireEye CARBANAK June 2017)(Citation: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carbon Spider August 2021)(Citation: Mandiant FIN7 Apr 2022) |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 2.2 | 3.0 |
STIX Field | Old value | New Value |
---|---|---|
external_references | {'source_name': 'Mandiant FIN7 Apr 2022', 'description': 'Abdo, B., et al. (2022, April 4). FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7. Retrieved April 5, 2022.', 'url': 'https://www.mandiant.com/resources/evolution-of-fin7'} |
Current version: 3.0
Version changed from: 2.1 → 3.0
Old Description | New Description | ||||
---|---|---|---|---|---|
t | 1 | [Wizard Spider](https://attack.mitre.org/groups/G0102) is a | t | 1 | [Wizard Spider](https://attack.mitre.org/groups/G0102) is a |
> | Russia-based financially motivated threat group originally k | > | Russia-based financially motivated threat group originally k | ||
> | nown for the creation and deployment of [TrickBot](https://a | > | nown for the creation and deployment of [TrickBot](https://a | ||
> | ttack.mitre.org/software/S0266) since at least 2016. [Wizard | > | ttack.mitre.org/software/S0266) since at least 2016. [Wizard | ||
> | Spider](https://attack.mitre.org/groups/G0102) possesses a | > | Spider](https://attack.mitre.org/groups/G0102) possesses a | ||
> | diverse arsenal of tools and has conducted ransomware campai | > | diverse aresenal of tools and has conducted ransomware campa | ||
> | gns against a variety of organizations, ranging from major c | > | igns against a variety of organizations, ranging from major | ||
> | orporations to hospitals.(Citation: CrowdStrike Ryuk January | > | corporations to hospitals.(Citation: CrowdStrike Ryuk Januar | ||
> | 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare Oc | > | y 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare O | ||
> | tober 2020)(Citation: CrowdStrike Wizard Spider October 2020 | > | ctober 2020)(Citation: CrowdStrike Wizard Spider October 202 | ||
> | ) | > | 0) |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-22 05:44:27.289000+00:00 | 2023-09-12 14:35:52.920000+00:00 |
description | [Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: CrowdStrike Wizard Spider October 2020) | [Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse aresenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: CrowdStrike Wizard Spider October 2020) |
x_mitre_version | 2.1 | 3.0 |
STIX Field | Old value | New Value |
---|---|---|
aliases | FIN12 | |
aliases | GOLD BLACKBURN | |
aliases | ITG23 | |
aliases | Periwinkle Tempest | |
external_references | {'source_name': 'ITG23', 'description': '(Citation: IBM X-Force ITG23 Oct 2021)'} | |
external_references | {'source_name': 'FIN12', 'description': '(Citation: Mandiant FIN12 Oct 2021)'} | |
external_references | {'source_name': 'GOLD BLACKBURN', 'description': '(Citation: Secureworks Gold Blackburn Mar 2022)'} | |
external_references | {'source_name': 'Periwinkle Tempest', 'description': '(Citation: Secureworks Gold Blackburn Mar 2022)'} | |
external_references | {'source_name': 'Secureworks Gold Blackburn Mar 2022', 'description': 'Secureworks Counter Threat Unit. (2022, March 1). Gold Blackburn Threat Profile. Retrieved June 15, 2023.', 'url': 'https://www.secureworks.com/research/threat-profiles/gold-blackburn'} | |
external_references | {'source_name': 'Mandiant FIN12 Oct 2021', 'description': 'Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.', 'url': 'https://www.mandiant.com/sites/default/files/2021-10/fin12-group-profile.pdf'} | |
external_references | {'source_name': 'IBM X-Force ITG23 Oct 2021', 'description': 'Villadsen, O., et al. (2021, October 13). Trickbot Rising - Gang Doubles Down on Infection Efforts to Amass Network Footholds. Retrieved June 15, 2023.', 'url': 'https://securityintelligence.com/posts/trickbot-gang-doubles-down-enterprise-infection/'} |
Current version: 3.2
Version changed from: 3.1 → 3.2
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-08 22:03:28.170000+00:00 | 2023-10-01 02:45:48.973000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 3.1 | 3.2 |
Current version: 3.1
Version changed from: 3.0 → 3.1
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-08 22:12:31.238000+00:00 | 2023-10-06 14:13:06.011000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 3.0 | 3.1 |
Current version: 1.0
Description: [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028) was a [Sandworm Team](https://attack.mitre.org/groups/G0034) campaign during which they used [BlackEnergy](https://attack.mitre.org/software/S0089) (specifically BlackEnergy3) and [KillDisk](https://attack.mitre.org/software/S0607) to target and disrupt transmission and distribution substations within the Ukrainian power grid. This campaign was the first major public attack conducted against the Ukrainian power grid by Sandworm Team.
Current version: 1.0
Description: [C0026](https://attack.mitre.org/campaigns/C0026) was a campaign identified in September 2022 that included the selective distribution of [KOPILUWAK](https://attack.mitre.org/software/S1075) and [QUIETCANARY](https://attack.mitre.org/software/S1076) malware to previous [ANDROMEDA](https://attack.mitre.org/software/S1074) malware victims in Ukraine through re-registered [ANDROMEDA](https://attack.mitre.org/software/S1074) C2 domains. Several tools and tactics used during [C0026](https://attack.mitre.org/campaigns/C0026) were consistent with historic [Turla](https://attack.mitre.org/groups/G0010) operations.(Citation: Mandiant Suspected Turla Campaign February 2023)
Current version: 1.0
Description: [C0027](https://attack.mitre.org/campaigns/C0027) was a financially-motivated campaign linked to [Scattered Spider](https://attack.mitre.org/groups/G1015) that targeted telecommunications and business process outsourcing (BPO) companies from at least June through December of 2022. During [C0027](https://attack.mitre.org/campaigns/C0027) [Scattered Spider](https://attack.mitre.org/groups/G1015) used various forms of social engineering, performed SIM swapping, and attempted to leverage access from victim environments to mobile carrier networks.(Citation: Crowdstrike TELCO BPO Campaign December 2022)
Current version: 1.1
Version changed from: 1.0 → 1.1
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-10 19:18:19.033000+00:00 | 2023-09-27 20:12:54.984000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.0 | 1.1 |
Current version: 1.0
Description: [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028) was a [Sandworm Team](https://attack.mitre.org/groups/G0034) campaign during which they used [BlackEnergy](https://attack.mitre.org/software/S0089) (specifically BlackEnergy3) and [KillDisk](https://attack.mitre.org/software/S0607) to target and disrupt transmission and distribution substations within the Ukrainian power grid. This campaign was the first major public attack conducted against the Ukrainian power grid by Sandworm Team.
Current version: 1.0
Description: [Oldsmar Treatment Plant Intrusion](https://attack.mitre.org/campaigns/C0009) was a cyber incident involving a water treatment facility in Florida. During this incident, unidentified threat actors leveraged features of the system to access and modify setpoints for a specific chemical required in the treatment process. The incident was detected immediately and prevented before it could cause any harm to the public.(Citation: Pinellas County Sheriffs Office February 2021)(Citation: CISA AA21-042A Water Treatment Intrusion Feb 2021)(Citation: Dragos Oldsmar Feb 2021)
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-21 15:56:01.070000+00:00 | 2023-09-20 22:40:13.147000+00:00 |
x_mitre_attack_spec_version | 3.0.0 | 3.1.0 |
x_mitre_deprecated | False | True |
Current version: 1.0
Description: Application servers are used across many different sectors to host various diverse software applications necessary to supporting the ICS. Example functions can include data analytics and reporting, alarm management, and the management/coordination of different control servers. The application server typically runs on a modern server operating system (e.g., MS Windows Server).
Current version: 1.0
Description: Control servers are typically a software platform that runs on a modern server operating system (e.g., MS Windows Server). The server typically uses one or more automation protocols (e.g., Modbus, DNP3) to communicate with the various low-level control devices such as Remote Terminal Units (RTUs) and Programmable Logic Controllers (PLCs). The control server also usually provides an interface/network service to connect with an HMI.
Current version: 1.0
Description: Data Gateway is a device that supports the communication and exchange of data between different systems, networks, or protocols within the ICS. Different types of data gateways are used to perform various functions, including: * Protocol Translation: Enable communication to devices that support different or incompatible protocols by translating information from one protocol to another. * Media Converter: Convert data across different Layer 1 and 2 network protocols / mediums, for example, converting from Serial to Ethernet. * Data Aggregation: Collect and combine data from different devices into one consistent format and protocol interface. Data gateways are often critical to the forwarding/transmission of critical control or monitoring data within the ICS. Further, these devices often have remote various network services that are used to communicate across different zones or networks. These assets may focus on a single function listed below or combinations of these functions to best fit the industry use-case.
Current version: 1.0
Description: Data historians, or historian, are systems used to collect and store data, including telemetry, events, alerts, and alarms about the operational process and supporting devices. The historian typically utilizes a database to store this data, and commonly provide tools and interfaces to support the analysis of the data. Data historians are often used to support various engineering or business analysis functions and therefore commonly needs access from the corporate network. Data historians often work in a hierarchical paradigm where lower/site level historians collect and store data which is then aggregated into a site/plant level historian. Therefore, data historians often have remote services that can be accessed externally from the ICS network.
Current version: 1.0
Description: Field I/O are devices that communicate with a controller or data aggregator to either send input data or receive output data. Input data may include readings about a given environment/device state from sensors, while output data may include data sent back to actuators for them to either undertake actions or change parameter values.(Citation: Guidance - NIST SP800-82) These devices are frequently embedded devices running on lightweight embedded operating systems or RTOSes.
Current version: 1.0
Description: Human-Machine Interfaces (HMIs) are systems used by an operator to monitor the real-time status of an operational process and to perform necessary control functions, including the adjustment of device parameters. An HMI can take various forms, including a dedicated screen or control panel integrated with a specific device/controller, or a customizable software GUI application running on a standard operating system (e.g., MS Windows) that interfaces with a control/SCADA server. The HMI is critical to ensuring operators have sufficient visibility and control over the operational process.
Current version: 1.0
Description: An Intelligent Electronic Device (IED) is a type of specialized field device that is designed to perform specific operational functions, frequently for protection, monitoring, or control within the electric sector. IEDs are typically used to both acquire telemetry and execute tailored control algorithms/actions based on customizable parameters/settings. An IED is usually implemented as a dedicated embedded device and supports various network automation protocols to communicate with RTUs and Control Servers.
Current version: 1.0
Description: Jump hosts are devices used to support remote management sessions into ICS networks or devices. The system is used to access the ICS environment securely from external networks, such as the corporate network. The user must first remote into the jump host before they can access ICS devices. The jump host may be a customized Windows server using common remote access protocols (e.g., RDP) or a dedicated access management device. The jump host typically performs various security functions to ensure the authenticity of remote sessions, including authentication, enforcing access controls/permissions, and auditing all access attempts.
Current version: 1.0
Description: A Programmable Logic Controller (PLC) is an embedded programmable control device. PLCs typically utilize a modular architecture with separate modules used to support its processing capabilities, communication mediums, and I/O interfaces. PLCs allow for the deployment of customized programs/logic to control or monitor an operational process. This logic is defined using industry specific programming languages, such as IEC 61131 (Citation: IEC February 2013), which define the set of tasks and program organizational units (POUs) included in the device’s programs. PLCs also typically have distinct operating modes (e.g., Remote, Run, Program, Stop) which are used to determine when the device can be programmed or whether it should execute the custom logic.
Current version: 1.0
Description: A Remote Terminal Unit (RTU) is a device that typically resides between field devices (e.g., PLCs, IEDs) and control/SCADA servers and supports various communication interfacing and data aggregation functions. RTUs are typically responsible for forwarding commands from the control server and the collection of telemetry, events, and alerts from the field devices. An RTU can be implemented as a dedicated embedded device, as software platform that runs on a hardened/ruggedized computer, or using a custom application program on a PLC.
Current version: 1.0
Description: A computer that is a gateway between two networks at OSI layer 3 and that relays and directs data packets through that inter-network. The most common form of router operates on IP packets.(Citation: IETF RFC4949 2007)
Current version: 1.0
Description: Safety controllers are typically a type of field device used to perform the safety critical function. Safety controllers often support the deployment of custom programs/logic, similar to a PLC, but can also be tailored for sector specific functions/applications. The safety controllers typically utilize redundant hardware and processors to ensure they operate reliably if a component fails.
Current version: 1.0
Description: A VPN server is a device that is used to establish a secure network tunnel between itself and other remote VPN devices, including field VPNs. VPN servers can be used to establish a secure connection with a single remote device, or to securely bridge all traffic between two separate networks together by encapsulating all data between those networks. VPN servers typically support remote network services that are used by field VPNs to initiate the establishment of the secure VPN tunnel between the field device and server.
Current version: 1.0
Description: Workstations are devices used by human operators or engineers to perform various configuration, programming, maintenance, diagnostic, or operational tasks. Workstations typically utilize standard desktop or laptop hardware and operating systems (e.g., MS Windows), but run dedicated control system applications or diagnostic/management software to support interfacing with the control servers or field devices. Some workstations have a fixed location within the network architecture, while others are transient devices that are directly connected to various field devices to support local management activities.
Current version: 1.1
Version changed from: 1.0 → 1.1
STIX Field | Value |
---|---|
x_mitre_attack_spec_version | 3.2.0 |
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2018-10-17 00:14:20.652000+00:00 | 2023-09-27 20:18:19.004000+00:00 |
x_mitre_version | 1.0 | 1.1 |
Current version: 1.0
Description: Mobile security products, such as Mobile Threat Defense (MTD), offer various device-based mitigations against certain behaviors.
Current version: 1.1
Version changed from: 1.0 → 1.1
STIX Field | Value |
---|---|
x_mitre_attack_spec_version | 3.2.0 |
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2018-10-17 00:14:20.652000+00:00 | 2023-09-27 20:18:19.004000+00:00 |
x_mitre_version | 1.0 | 1.1 |
Current version: 1.0
STIX Field | Value |
---|---|
x_mitre_attack_spec_version | 3.1.0 |
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2018-10-17 00:14:20.652000+00:00 | 2023-08-15 15:06:03.428000+00:00 |
external_references[1]['url'] | https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf | https://web.archive.org/web/20200330012714/https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf |
Current version: 1.1
Version changed from: 1.0 → 1.1
STIX Field | Value |
---|---|
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 20:55:13.851000+00:00 | 2023-10-20 17:01:38.562000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.0 | 1.1 |
labels[2] | NIST SP 800-53 Rev. 4 - AC-3 | NIST SP 800-53 Rev. 5 - AC-3 |
Current version: 1.1
Version changed from: 1.0 → 1.1
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 20:55:14.615000+00:00 | 2023-10-20 17:02:00.299000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.0 | 1.1 |
labels[2] | NIST SP 800-53 Rev. 4 - IA-2 | NIST SP 800-53 Rev. 5 - IA-2 |
Current version: 1.0
STIX Field | Value |
---|---|
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 20:55:14.081000+00:00 | 2023-09-19 21:30:56.250000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
labels[2] | NIST SP 800-53 Rev. 4 - AC-3 | NIST SP 800-53 Rev. 5 - AC-3 |
Current version: 1.0
STIX Field | Value |
---|---|
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 20:55:19.383000+00:00 | 2023-09-19 21:31:48.809000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
labels[2] | NIST SP 800-53 Rev. 4 - IA-5 | NIST SP 800-53 Rev. 5 - IA-5 |
Current version: 1.0
STIX Field | Value |
---|---|
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 20:55:21.180000+00:00 | 2023-09-19 21:32:18.375000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
STIX Field | Value |
---|---|
labels | NIST SP 800-53 Rev. 5 - SI-3 |
Current version: 1.0
STIX Field | Value |
---|---|
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 20:55:16.730000+00:00 | 2023-09-19 21:32:48.390000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
Current version: 1.0
STIX Field | Value |
---|---|
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 20:55:21.006000+00:00 | 2023-09-19 21:33:26.200000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
labels[2] | NIST SP 800-53 Rev. 4 - SI-3 | NIST SP 800-53 Rev. 5 - SI-3 |
Current version: 1.0
STIX Field | Value |
---|---|
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 20:55:20.836000+00:00 | 2023-09-19 21:34:08.571000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
STIX Field | Value |
---|---|
labels | NIST SP 800-53 Rev. 5 - SI-7 |
Current version: 1.0
STIX Field | Value |
---|---|
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 20:55:20.632000+00:00 | 2023-09-19 21:38:22.681000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
labels[1] | NIST SP 800-53 Rev. 4 - SI-7 | NIST SP 800-53 Rev. 5 - SI-7 |
Current version: 1.0
STIX Field | Value |
---|---|
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 20:55:20.464000+00:00 | 2023-09-19 21:39:41.056000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
labels[2] | NIST SP 800-53 Rev. 4 - SI-7 | NIST SP 800-53 Rev. 5 - SI-7 |
Current version: 1.0
STIX Field | Value |
---|---|
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 20:55:14.263000+00:00 | 2023-09-19 21:40:49.135000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
labels[2] | NIST SP 800-53 Rev. 4 - SC-8; SC-23 | NIST SP 800-53 Rev. 5 - SC-8; SC-23 |
Current version: 1.0
STIX Field | Value |
---|---|
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 20:55:21.679000+00:00 | 2023-09-19 21:41:39.667000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
labels[2] | NIST SP 800-53 Rev. 4 - CP-9 | NIST SP 800-53 Rev. 5 - CP-9 |
Current version: 1.0
STIX Field | Value |
---|---|
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 20:55:20.110000+00:00 | 2023-09-19 21:42:11.231000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
labels[2] | NIST SP 800-53 Rev. 4 - CM-7 | NIST SP 800-53 Rev. 5 - CM-7 |
Current version: 1.0
STIX Field | Value |
---|---|
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 20:55:15.230000+00:00 | 2023-09-19 21:42:52.198000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
labels[2] | NIST SP 800-53 Rev. 4 - SC-8 | NIST SP 800-53 Rev. 5 - SC-8 |
Current version: 1.0
STIX Field | Value |
---|---|
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 20:55:19.946000+00:00 | 2023-09-19 21:43:17.085000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
labels[2] | NIST SP 800-53 Rev. 4 - SC-28 | NIST SP 800-53 Rev. 5 - SC-28 |
Current version: 1.0
STIX Field | Value |
---|---|
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 20:55:19.774000+00:00 | 2023-09-19 21:43:44.551000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
labels[2] | NIST SP 800-53 Rev. 4 - SI-3 | NIST SP 800-53 Rev. 5 - SI-3 |
Current version: 1.0
STIX Field | Value |
---|---|
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 20:55:21.352000+00:00 | 2023-09-19 21:44:04.416000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
labels[2] | NIST SP 800-53 Rev. 4 - SI-16 | NIST SP 800-53 Rev. 5 - SI-16 |
Current version: 1.0
STIX Field | Value |
---|---|
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 20:55:19.604000+00:00 | 2023-09-19 21:44:59.425000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
labels[2] | NIST SP 800-53 Rev. 4 - AC-3; SC-7 | NIST SP 800-53 Rev. 5 - AC-3; SC-7 |
Current version: 1.0
STIX Field | Value |
---|---|
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 20:55:19.179000+00:00 | 2023-09-19 21:48:00.950000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
labels[2] | NIST SP 800-53 Rev. 4 - AC-3; SC-7 | NIST SP 800-53 Rev. 5 - AC-3; SC-7 |
Current version: 1.0
STIX Field | Value |
---|---|
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 20:55:19.007000+00:00 | 2023-09-19 21:48:22.980000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
labels[2] | NIST SP 800-53 Rev. 4 - MP-7 | NIST SP 800-53 Rev. 5 - MP-7 |
Current version: 1.0
STIX Field | Value |
---|---|
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 20:55:14.800000+00:00 | 2023-09-19 21:48:44.925000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
labels[2] | NIST SP 800-53 Rev. 4 - SC-40 | NIST SP 800-53 Rev. 5 - SC-40 |
Current version: 1.0
STIX Field | Value |
---|---|
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 20:55:18.842000+00:00 | 2023-09-19 21:49:12.466000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
labels[2] | NIST SP 800-53 Rev. 4 - IA-2 | NIST SP 800-53 Rev. 5 - IA-2 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 20:55:14.969000+00:00 | 2023-09-19 21:49:34.958000+00:00 |
labels[0] | NIST SP 800-53 Rev. 4 - AC-3 | NIST SP 800-53 Rev. 5 - AC-3 |
Current version: 1.0
STIX Field | Value |
---|---|
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 20:55:18.665000+00:00 | 2023-09-19 21:49:53.366000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
labels[2] | NIST SP 800-53 Rev. 4 - SI-4 | NIST SP 800-53 Rev. 5 - SI-4 |
Current version: 1.0
STIX Field | Value |
---|---|
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 20:55:18.480000+00:00 | 2023-09-19 21:50:12.354000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
labels[2] | NIST SP 800-53 Rev. 4 - AC-3 | NIST SP 800-53 Rev. 5 - AC-3 |
Current version: 1.0
STIX Field | Value |
---|---|
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 20:55:18.276000+00:00 | 2023-09-19 21:50:30.709000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
labels[2] | NIST SP 800-53 Rev. 4 - CM-7 | NIST SP 800-53 Rev. 5 - CM-7 |
Current version: 1.0
STIX Field | Value |
---|---|
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 20:55:15.598000+00:00 | 2023-09-19 21:50:55.129000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
labels[0] | NIST SP 800-53 Rev. 4 - SC-37 | NIST SP 800-53 Rev. 5 - SC-37 |
Current version: 1.0
STIX Field | Value |
---|---|
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 20:55:18.097000+00:00 | 2023-09-19 21:51:14.526000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
labels[2] | NIST SP 800-53 Rev. 4 - IA-5 | NIST SP 800-53 Rev. 5 - IA-5 |
Current version: 1.0
STIX Field | Value |
---|---|
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 20:55:17.929000+00:00 | 2023-09-19 21:51:40.366000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
labels[2] | NIST SP 800-53 Rev. 4 - AC-2 | NIST SP 800-53 Rev. 5 - AC-2 |
Current version: 1.0
STIX Field | Value |
---|---|
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 20:55:15.773000+00:00 | 2023-09-19 21:52:11.728000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
labels[0] | NIST SP 800-53 Rev. 4 - CP-9 | NIST SP 800-53 Rev. 5 - CP-9 |
Current version: 1.0
STIX Field | Value |
---|---|
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 20:55:17.592000+00:00 | 2023-09-20 13:10:12.604000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
labels[2] | NIST SP 800-53 Rev. 4 - AC-6 | NIST SP 800-53 Rev. 5 - AC-6 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-11 20:51:32.610000+00:00 | 2023-09-20 13:10:52.949000+00:00 |
labels[2] | NIST SP 800-53 Rev. 4 - CM-7 | NIST SP 800-53 Rev. 5 - CM-7 |
Current version: 1.0
STIX Field | Value |
---|---|
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 20:55:17.759000+00:00 | 2023-09-20 13:11:12.773000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
labels[2] | NIST SP 800-53 Rev. 4 - AC-6 | NIST SP 800-53 Rev. 5 - AC-6 |
Current version: 1.0
STIX Field | Value |
---|---|
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 20:55:17.426000+00:00 | 2023-09-20 13:11:35.668000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
labels[2] | NIST SP 800-53 Rev. 4 - SC-18 | NIST SP 800-53 Rev. 5 - SC-18 |
Current version: 1.0
STIX Field | Value |
---|---|
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 20:55:21.915000+00:00 | 2023-09-20 13:12:04.727000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
labels[2] | NIST SP 800-53 Rev. 4 - CM-7 | NIST SP 800-53 Rev. 5 - CM-7 |
Current version: 1.0
STIX Field | Value |
---|---|
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 20:55:15.949000+00:00 | 2023-09-20 13:12:24.527000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
labels[2] | NIST SP 800-53 Rev. 4 - IA-9 | NIST SP 800-53 Rev. 5 - IA-9 |
Current version: 1.1
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-05 14:21:27.977000+00:00 | 2023-09-20 13:12:51.139000+00:00 |
labels[2] | NIST SP 800-53 Rev. 4 - CM-7 | NIST SP 800-53 Rev. 5 - CM-7 |
Current version: 1.0
STIX Field | Value |
---|---|
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 20:55:16.556000+00:00 | 2023-09-20 13:13:12.169000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
STIX Field | Value |
---|---|
labels | NIST SP 800-53 Rev. 5 - SR-1 |
Current version: 1.0
STIX Field | Value |
---|---|
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 20:55:21.512000+00:00 | 2023-09-20 13:13:41.305000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
labels[1] | NIST SP 800-53 Rev. 4 - SI-2 | NIST SP 800-53 Rev. 5 - SI-2 |
Current version: 1.0
STIX Field | Value |
---|---|
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 20:55:17.252000+00:00 | 2023-09-20 13:14:10.061000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
labels[2] | NIST SP 800-53 Rev. 4 - AC-2 | NIST SP 800-53 Rev. 5 - AC-2 |
Current version: 1.0
STIX Field | Value |
---|---|
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 20:55:17.076000+00:00 | 2023-09-20 13:14:30.311000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
labels[0] | NIST SP 800-53 Rev. 4 - AT-2 | NIST SP 800-53 Rev. 5 - AT-2 |
Current version: 1.0
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-31 19:16:54.636000+00:00 | 2023-09-20 13:14:57.819000+00:00 |
STIX Field | Value |
---|---|
labels | NIST SP 800-53 Rev. 5 - SI-10 |
STIX Field | Value |
---|---|
labels | NIST SP 800-53 Rev. 4 - SI-10 |
Current version: 1.0
STIX Field | Value |
---|---|
x_mitre_deprecated | False |
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 20:55:16.897000+00:00 | 2023-09-20 13:15:23.350000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.1.0 |
labels[0] | NIST SP 800-53 Rev. 4 - RA-5 | NIST SP 800-53 Rev. 5 - RA-5 |
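The tables above are field-level diffs between two releases of the same STIX object, and nearly all of them are release housekeeping (a new `modified` timestamp, `x_mitre_attack_spec_version`, `x_mitre_deprecated`) with only a handful carrying a change a consumer of the data cares about, such as a NIST SP 800-53 label moving from Rev. 4 to Rev. 5. The script below is an added example, not MITRE's own changelog tooling: it classifies the differences between an old and a new copy of one object into the table kinds used on this page (fields added, fields changed with list positions shown as `labels[2]`, list items added or removed) and filters out the housekeeping so that only substantive changes remain. `OLD_OBJECT` and `NEW_OBJECT` are constructed samples with a placeholder `id`, not records from the ATT&CK repository.

```python
"""Field-level diff of two copies of one ATT&CK STIX object.

Added example, not MITRE's changelog tooling. OLD_OBJECT and NEW_OBJECT are
constructed samples (placeholder id), not real ATT&CK records.
"""
from dataclasses import dataclass, field
from typing import Any

# Fields that change on nearly every release without changing what the object says.
HOUSEKEEPING_FIELDS = {"modified", "x_mitre_attack_spec_version", "x_mitre_deprecated"}

# Constructed sample: the "old" copy of a mitigation.
OLD_OBJECT: dict[str, Any] = {
    "type": "course-of-action",
    "id": "course-of-action--placeholder",  # placeholder, not a real ATT&CK id
    "name": "Example Mitigation",
    "modified": "2023-03-30T20:55:13.851Z",
    "x_mitre_version": "1.0",
    "x_mitre_attack_spec_version": "2.1.0",
    "labels": [
        "IEC 62443-3-3:2013 - SR 2.1",
        "IEC 62443-4-2:2019 - CR 2.1",
        "NIST SP 800-53 Rev. 4 - AC-3",
    ],
}

# The "new" copy: housekeeping bumps, a version bump, and a Rev. 4 -> Rev. 5 label.
NEW_OBJECT: dict[str, Any] = {
    **OLD_OBJECT,
    "modified": "2023-10-20T17:01:38.562Z",
    "x_mitre_version": "1.1",
    "x_mitre_attack_spec_version": "3.2.0",
    "x_mitre_deprecated": False,
    "labels": OLD_OBJECT["labels"][:2] + ["NIST SP 800-53 Rev. 5 - AC-3"],
}


@dataclass
class ObjectDiff:
    added: dict[str, Any] = field(default_factory=dict)                # field -> new value
    dropped: dict[str, Any] = field(default_factory=dict)              # field -> old value
    changed: dict[str, tuple[Any, Any]] = field(default_factory=dict)  # field -> (old, new)
    items_added: dict[str, list[Any]] = field(default_factory=dict)    # list field -> new items
    items_removed: dict[str, list[Any]] = field(default_factory=dict)  # list field -> gone items


def diff_objects(old: dict[str, Any], new: dict[str, Any]) -> ObjectDiff:
    """Classify every difference between two copies of the same STIX object."""
    d = ObjectDiff()
    for key, new_val in new.items():
        if key not in old:
            d.added[key] = new_val
            continue
        old_val = old[key]
        if old_val == new_val:
            continue
        if isinstance(old_val, list) and isinstance(new_val, list):
            if len(old_val) == len(new_val):
                # Same length: a replaced entry is reported positionally, e.g. labels[2].
                for i, (o, n) in enumerate(zip(old_val, new_val)):
                    if o != n:
                        d.changed[f"{key}[{i}]"] = (o, n)
            else:
                # Different length: report which entries appeared or disappeared.
                added = [x for x in new_val if x not in old_val]
                removed = [x for x in old_val if x not in new_val]
                if added:
                    d.items_added[key] = added
                if removed:
                    d.items_removed[key] = removed
        else:
            d.changed[key] = (old_val, new_val)
    for key, old_val in old.items():
        if key not in new:
            d.dropped[key] = old_val
    return d


def substantive_changes(d: ObjectDiff) -> dict[str, tuple[Any, Any]]:
    """Changed fields with release housekeeping filtered out; what is left
    (a version bump, a control-mapping label) is what needs human review."""
    return {k: v for k, v in d.changed.items()
            if k.split("[", 1)[0] not in HOUSEKEEPING_FIELDS}


def render_markdown(d: ObjectDiff) -> str:
    """Render the diff in the pipe-table shapes used on this page."""
    tables: list[str] = []
    if d.added:
        tables.append("\n".join(["STIX Field | Value |", "---|---|"]
                                + [f"{k} | {v} |" for k, v in d.added.items()]))
    if d.changed:
        tables.append("\n".join(["STIX Field | Old value | New Value |", "---|---|---|"]
                                + [f"{k} | {o} | {n} |" for k, (o, n) in d.changed.items()]))
    for heading, items in (("Items added", d.items_added), ("Items removed", d.items_removed)):
        for k, vals in items.items():
            tables.append("\n".join([f"STIX Field | {heading} |", "---|---|"]
                                    + [f"{k} | {v} |" for v in vals]))
    if d.dropped:
        tables.append("\n".join(["STIX Field | Dropped value |", "---|---|"]
                                + [f"{k} | {v} |" for k, v in d.dropped.items()]))
    return "\n\n".join(tables)


if __name__ == "__main__":
    delta = diff_objects(OLD_OBJECT, NEW_OBJECT)
    print(render_markdown(delta))
    print("\nSubstantive:", substantive_changes(delta))
```

Run against two releases of the enterprise or ICS STIX bundle, pairing objects by `id`, and `substantive_changes` is what to feed into a review of control mappings; the housekeeping fields are filtered on the field name before any `[index]` suffix, so positional list changes such as `labels[2]` are still reported.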